
Running Tuscany with Java 2 Security Enabled

Overview of Java 2 Security

Apache Tuscany supports the Java 2 security model, so Service Component Architecture (SCA) applications can be run in a secured environment. By default, with Java 2 security disabled, Java application code and the Tuscany code base run without a security manager. This gives the Java application access to every system resource: it may read and write any system property, open and read any file, and perform any other unprotected action. All Tuscany code runs unhindered in this environment, and so does any malicious code in a Tuscany user's contribution.

With Java 2 security enabled, a user contribution to the SCA domain runs under tight security restrictions. This ensures that the user's SCA application cannot introduce mischievous code (for instance through a user-provided custom class loader) or carry out unprotected investigations (such as an application snooping around the file system looking for interesting files). With a proper security policy the Tuscany runtime itself may perform these sensitive operations, because it is part of the runtime and is granted the corresponding permissions. The Tuscany runtime acts as a proxy and performs sensitive operations on behalf of the user application.

The purpose of this article is to show how to run Apache Tuscany and SCA applications in various environments with Java 2 security enabled, so that the application runs in a secured environment. Tuscany users, deployers and administrators should read this article; runtime developers who need more depth should also proceed to the associated article Security Aware Programming in Tuscany.

Enabling Java 2 Security from a Command Line

The most basic way to run Tuscany applications is from a command line window or shell. You may enable security in this environment by adding the -Djava.security.manager option to the java command line. This installs the default Java security manager, which delegates access control decisions to java.security.AccessController. The AccessController decides whether your Java code is authorized by consulting the permissions in the installed java.security.Policy, which by default is loaded from the JDK's java.policy file (lib/security/java.policy, or conf/security/java.policy on Java 9 and later) together with an optional .java.policy file in the user's home directory.

There is only one Policy object installed in a Java runtime at any given time. By default Java loads the authorization data from one or more security policy files, but Tuscany users may add to or replace that policy by passing additional policy information on the command line. For instance "-Djava.security.manager -Djava.security.policy=tuscany.policy" adds the permissions in the tuscany.policy file to the default Java permissions. If you specify "-Djava.security.policy==tuscany.policy" (two equals signs), the default policy files are ignored and only the permissions in the Tuscany policy file apply. The java.security.policy property is honoured only while policy.allowSystemProperty remains true in the JDK's java.security file, which is the default. When Tuscany is run by an application server (whether WebSphere, Geronimo, or another), the server's policy forms the starting point for Tuscany's security policy.

Each policy file contains a list of grant statements. A grant states where the code came from (a codeBase URL), optionally who signed it (a signedBy list of keystore aliases), and which permissions that code receives. Both codeBase and signedBy may be omitted; a grant with neither applies to all code. The permissions can be read or write permissions on the file system, access to system properties, class loading privileges, and so on.
An example that grants all permissions to a Tuscany code base, with no signedBy clause (so it applies to signed and unsigned code alike), is given here:

security.policy example
// "/-" matches the directory and everything beneath it; "/*" would match only files directly in it
grant codeBase "file:${user.home}/tuscany/java/sca/-" {
  permission java.security.AllPermission;
};

This example grant statement is quite a broad bludgeon: it says that all Tuscany code has been granted all permissions, which for the Tuscany code itself is not much different from running without a security manager (a user contribution loaded from a different code base still receives only the default permissions). In practice a user policy will want much finer-grained permissions for the Tuscany code, allowing only specific pieces of it privileged access. Additional information on Java application security is given in the Java Security documentation.
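As an added example (not code from this page or from the Tuscany project), the following Java program models a policy file's grant table in code and shows a finer-grained alternative to the AllPermission grant above: one set of permissions for runtime code under a hypothetical /opt/tuscany/sca directory, a much smaller set for contributions in a sibling directory. Codebase matching is done with the JDK's own CodeSource.implies, which is the test the policy file provider ultimately applies, so the "/-" and "/*" wildcard semantics are the real ones. The directory layout, jar names, chosen permissions and the GrantDemo class name are assumptions for illustration. The liveCheck method also serves the command-line section: it reports what the policy the JVM actually installed decides for this class, so running the program plain, then with -Djava.security.manager, then with -Djava.security.manager -Djava.security.policy==some.policy makes the difference between the three visible. It is written against the classic java.security.Policy API, which is deprecated from Java 17 onwards.

```java
import java.io.FilePermission;
import java.net.MalformedURLException;
import java.net.URL;
import java.security.*;
import java.security.cert.Certificate;
import java.util.*;

/**
 * In-code model of a policy file: an ordered list of grant entries, each a codeBase URL
 * (with the usual "/-" and "/*" wildcards) plus the permissions it confers on code loaded
 * from there. Codebase matching is delegated to CodeSource.implies, the same test the JDK's
 * policy file provider applies after canonicalising file paths. Illustration, not Tuscany code.
 */
public class GrantDemo extends Policy {
    private final List<CodeSource> codeBases = new ArrayList<>();
    private final List<Permissions> grants = new ArrayList<>();

    /** Equivalent of: grant codeBase "..." { permission ...; };  with no signedBy clause. */
    public GrantDemo grant(String codeBase, Permission... perms) throws MalformedURLException {
        // A null certificate array means "no signer required": signed and unsigned code both match.
        codeBases.add(new CodeSource(new URL(codeBase), (Certificate[]) null));
        Permissions pc = new Permissions();
        for (Permission p : perms) pc.add(p);
        grants.add(pc);
        return this;
    }

    /** Union of every grant whose codeBase matches the code's actual location. */
    @Override
    public PermissionCollection getPermissions(CodeSource cs) {
        Permissions result = new Permissions();
        for (int i = 0; i < codeBases.size(); i++) {
            if (codeBases.get(i).implies(cs)) {
                for (Enumeration<Permission> e = grants.get(i).elements(); e.hasMoreElements();) {
                    result.add(e.nextElement());
                }
            }
        }
        return result;
    }

    /** Would code loaded from 'location' be allowed 'permission' under this policy? */
    public boolean allows(String location, Permission permission) throws MalformedURLException {
        return getPermissions(new CodeSource(new URL(location), (Certificate[]) null)).implies(permission);
    }

    /** What the policy the JVM actually installed says about this class, if a security manager is running. */
    public static String liveCheck(Permission p) {
        if (System.getSecurityManager() == null) {
            return "unchecked (no security manager installed)";
        }
        try {
            AccessController.checkPermission(p);
            return "granted";
        } catch (AccessControlException e) {
            return "DENIED";
        }
    }

    private static void report(GrantDemo policy, String location, Permission... perms)
            throws MalformedURLException {
        System.out.println(location);
        for (Permission p : perms) {
            System.out.printf("  %-7s %s%n", policy.allows(location, p) ? "granted" : "DENIED", p);
        }
    }

    public static void main(String[] args) throws MalformedURLException {
        // Hypothetical layout: runtime jars under /opt/tuscany/sca, user contributions beside them.
        GrantDemo policy = new GrantDemo()
            // "/-" covers the directory and everything below it: the runtime may read any property
            // or file and create class loaders, and nothing else.
            .grant("file:/opt/tuscany/sca/-",
                   new PropertyPermission("*", "read"),
                   new FilePermission("<<ALL FILES>>", "read"),
                   new RuntimePermission("createClassLoader"))
            // "/*" covers only files directly in the directory: a contribution may read user.dir only.
            .grant("file:/opt/tuscany/contributions/*",
                   new PropertyPermission("user.dir", "read"));

        Permission userDir  = new PropertyPermission("user.dir", "read");
        Permission userHome = new PropertyPermission("user.home", "read");
        Permission passwd   = new FilePermission("/etc/passwd", "read");
        Permission loader   = new RuntimePermission("createClassLoader");

        report(policy, "file:/opt/tuscany/sca/modules/tuscany-core.jar", userHome, passwd, loader);
        report(policy, "file:/opt/tuscany/contributions/myapp.jar", userDir, userHome, passwd, loader);
        report(policy, "file:/opt/tuscany/contributions/lib/other.jar", userDir); // a subdirectory: outside "/*"

        // Compare with the policy the JVM really installed for this class: run plain, then with
        // -Djava.security.manager, then with -Djava.security.manager -Djava.security.policy==some.policy.
        System.out.println("live check, read user.home: " + liveCheck(userHome));
    }
}
```

Under the modelled policy the runtime jar is granted all three checks, the contribution jar is granted only the user.dir read and denied user.home, /etc/passwd and class loader creation, and the jar in the lib subdirectory matches no grant at all because "/*" does not descend into subdirectories. The same two grants written into a policy file, with the codeBase URLs adjusted to the real installation paths, give the runtime what it needs without handing it AllPermission.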

Enabling Java 2 Security in Eclipse

Enabling Java 2 Security Using Maven

Security Tips for Popular Application Servers
