We use System.getProperties because we do a lot of lookups. Couldn't you just check if the getProperties is being called from within OpenWebBeansConfiguration and allow read/write for it?
And from my personal experience with the Java SystemManager: I know 2 banks which used all this crap in the early 2000s. Then came .NET which was faster. Then they dropped the SecurityManager and realized that they gained 3-times the performance from just doing that... But there are certainly scenarios where it is useful (3rd party WAR hosting).

LieGrue,
strub

>________________________________
> From: Gernot <[email protected]>
>To: [email protected]
>Sent: Wednesday, November 23, 2011 10:54 AM
>Subject: Re: PropertyPermission - Security Manager
>
>
>Thank you for answering.
>
>Why don't you use System.getProperty()? - and everything works fine with "read"
>permission.
>I do not see any need to iterate over all possible properties set in the JVM
>in OWB.
>
>We've enabled SecurityManager for 10 years and we are running internally built
>applications but also lots of externally built applications (about 50 tomcats,
>with up to 20 applications each). So we have the need to separate applications.
>And all libraries we used support SecurityManager stuff well.
>If you only deploy own applications - do you really know them all exactly? ;-)
>- it is at least another boundary for intruders and an additional limitation of
>configuration errors.
>
>Gernot
>
>
>2011/11/22 Mark Struberg <[email protected]>
>
>
>>
>>Hi Gernot!
>>
>>I fear there is nothing we can do against this in OWB. The Javadoc of
>>System#getProperties says that checkPropertiesAccess is used [1].
>>
>>> This method is used by the getProperties and
>>> setProperties methods of class System.
>>> This method calls checkPermission with the
>>> PropertyPermission("*", "read,write") permission.
>>
>>
>>Btw, if you don't plan to execute foreign wars on your box, then enabling the
>>SecurityManager will just cause unnecessary pain and performance decrease.
>>This stuff originally got invented solely for sandboxing Java applets in
>>browsers and later got abused for EE Server security in big data centers to
>>keep externally built applications under control. But it's really not of much
>>use if you know the software you like to run on your boxes.
>>
>>
>>LieGrue,
>>strub
>>
>>[1]
>>http://download.oracle.com/javase/1.4.2/docs/api/java/lang/SecurityManager.html#checkPropertiesAccess%28%29
>>
>>
>>
>>>________________________________
>>> From: Gernot <[email protected]>
>>>To: [email protected]
>>>Sent: Tuesday, November 22, 2011 5:10 PM
>>>Subject: PropertyPermission - Security Manager
>>>
>>>
>>>I like to run my JSF2/CODI/OWB app in Tomcat 7 with security manager
>>>enabled, then I get an error (stacktrace see below) that
>>>java.util.PropertyPermission * read,write is missing. "read" permission is
>>>OK, but I'm wondering OWB needs WRITE permission?!
>>>
>>>Why? What does it write?
>>>
>>>In my opinion it seems not to be ok that web applications require property
>>>write permissions, because this will have side effects to other applications
>>>installed in the same tomcat!!
>>>
>>>How can I prevent OWB to force property write permissions.
>>>
>>>Thx
>>>gernot
>>>
>>>
>>>org.apache.catalina.core.StandardContext listenerStart
>>>SEVERE: Error configuring application listener of class org.apache.webbeans.servlet.WebBeansConfigurationListener
>>>java.security.AccessControlException: access denied (java.util.PropertyPermission * read,write)
>>>    at java.security.AccessControlContext.checkPermission(AccessControlContext.java:374)
>>>    at java.security.AccessController.checkPermission(AccessController.java:546)
>>>    at java.lang.SecurityManager.checkPermission(SecurityManager.java:532)
>>>    at java.lang.SecurityManager.checkPropertiesAccess(SecurityManager.java:1252)
>>>    at java.lang.System.getProperties(System.java:580)
>>>    at org.apache.webbeans.config.OpenWebBeansConfiguration$1.run(OpenWebBeansConfiguration.java:235)
>>>    at org.apache.webbeans.config.OpenWebBeansConfiguration$1.run(OpenWebBeansConfiguration.java:231)
>>>    at java.security.AccessController.doPrivileged(Native Method)
>>>    at org.apache.webbeans.config.OpenWebBeansConfiguration.doPrivilegedGetSystemProperties(OpenWebBeansConfiguration.java:229)
>>>    at org.apache.webbeans.config.OpenWebBeansConfiguration.loadFromSystemProperties(OpenWebBeansConfiguration.java:167)
>>>    at org.apache.webbeans.config.OpenWebBeansConfiguration.<init>(OpenWebBeansConfiguration.java:156)
>>>    at org.apache.webbeans.config.WebBeansContext.<init>(WebBeansContext.java:98)
>>>    at org.apache.webbeans.corespi.DefaultSingletonService.get(DefaultSingletonService.java:58)
>>>    at org.apache.webbeans.corespi.DefaultSingletonService.get(DefaultSingletonService.java:30)
>>>    at org.apache.webbeans.config.WebBeansFinder.getSingletonInstance(WebBeansFinder.java:51)
>>>    at org.apache.webbeans.config.WebBeansContext.getInstance(WebBeansContext.java:163)
>>>    at org.apache.webbeans.servlet.WebBeansConfigurationListener.<init>(WebBeansConfigurationListener.java:69)
>>>
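The permission checks discussed in this thread, as an added example that is not part of the original messages or of OpenWebBeans: it compares what `System.getProperty(key)` and `System.getProperties()` each require against three candidate policy grants. The class name and the `myapp.` property prefix are hypothetical.

```java
import java.security.Permissions;
import java.util.PropertyPermission;

// Added illustration; the class name and the "myapp." prefix are hypothetical.
public class PropertyPermissionDemo {

    // Check made for System.getProperty(key): read access to that one key.
    static PropertyPermission forGetProperty(String key) {
        return new PropertyPermission(key, "read");
    }

    // Check made by SecurityManager.checkPropertiesAccess(), which both
    // System.getProperties() and System.setProperties() go through.
    static PropertyPermission forGetProperties() {
        return new PropertyPermission("*", "read,write");
    }

    // Models one "permission java.util.PropertyPermission ..." policy line.
    static Permissions grant(String name, String actions) {
        Permissions granted = new Permissions();
        granted.add(new PropertyPermission(name, actions));
        return granted;
    }

    // Prints whether the grant covers each of the three lookups.
    static void report(String label, Permissions granted) {
        System.out.printf(
            "%-24s getProperty(java.version)=%-5b getProperty(myapp.mode)=%-5b getProperties()=%b%n",
            label,
            granted.implies(forGetProperty("java.version")),
            granted.implies(forGetProperty("myapp.mode")),
            granted.implies(forGetProperties()));
    }

    public static void main(String[] args) {
        // Read-only wildcard: enough for any single-key lookup.
        report("\"*\", \"read\"", grant("*", "read"));
        // Read-only, limited to the application's own prefix.
        report("\"myapp.*\", \"read\"", grant("myapp.*", "read"));
        // The grant named in the AccessControlException above.
        report("\"*\", \"read,write\"", grant("*", "read,write"));
    }
}
```

Only the third grant satisfies the check shown in the stack trace, and the same grant also covers `System.setProperty` on any key, which is the cross-application side effect raised in the original question.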
