(a) Isn't it the same, if you use 'System.getProperty("x")' or
'p=System.getProperties();p.get("x")' ?

(b) application runs after adding a new protection domain
grant codeBase "file:${catalina.base}/work/Catalina/localhost/xxxxx/WEB-INF/lib/openwebbeans-impl-1.1.1.jar" {
    permission java.util.PropertyPermission "*", "read,write";
};

gernot

2011/11/23 Mark Struberg <[email protected]>
>
> We use System.getProperties because we do a lot of lookups.
> Couldn't you just check if the getProperties is being called from within 
> OpenWebBeansConfiguration and allow read/write for it?
>
>
> And from my personal experience with the Java SystemManager: I know 2 banks 
> which used all this crap in the early 2000s. Then came .NET which was faster. 
> Then they dropped the SecurityManager and realized that they gained 3-times 
> the performance from just doing that...
>
> But there are certainly scenarios where it is useful (3rd party WAR hosting).
>
>
> LieGrue,
> strub
>
> >________________________________
> > From: Gernot <[email protected]>
> >To: [email protected]
> >Sent: Wednesday, November 23, 2011 10:54 AM
> >Subject: Re: PropertyPermission - Security Manager
> >
> >
> >Thank you for answering.
> >
> >Why don't you use System.getProperty()? - and everything works fine with 
> >"read" permission.
> >I do not see any need to iterate over all possible properties set in the JVM 
> >in OWB.
> >
> >We've enabled SecurityManager for 10 years and we are running internally 
> >built applications but also lots of externally built applications (about 50 
> >tomcats, with up to 20 applications each). So we have the need to separate 
> >applications. And all libraries we use support SecurityManager stuff well.
> >If you only deploy own applications - do you really know them all exactly? 
> >;-) - it is at least another boundary for intruders and an additional 
> >limitation of configuration errors.
> >
> >Gernot
> >
> >
> >2011/11/22 Mark Struberg <[email protected]>
> >
> >
> >>
> >>Hi Gernot!
> >>
> >>I fear there is nothing we can do against this in OWB. The Javadoc of 
> >>System#getProperties says that checkPropertiesAccess is used [1].
> >>
> >>> This method is used by the getProperties and
> >>> setProperties methods of class System.
> >>> This method calls checkPermission with the
> >>> PropertyPermission("*", "read,write") permission.
> >>
> >>
> >>Btw, if you don't plan to execute foreign wars on your box, then enabling 
> >>the SecurityManager will just cause unnecessary pain and performance 
> >>decrease. This stuff originally got invented solely for sandboxing Java 
> >>applets in browsers and later got abused for EE Server security in big data 
> >>centers to keep externally built applications under control. But it's really 
> >>not of much use if you know the software you like to run on your boxes.
> >>
> >>
> >>LieGrue,
> >>strub
> >>
> >>[1] 
> >>http://download.oracle.com/javase/1.4.2/docs/api/java/lang/SecurityManager.html#checkPropertiesAccess%28%29
> >>
> >>
> >>
> >>>________________________________
> >>> From: Gernot <[email protected]>
> >>>To: [email protected]
> >>>Sent: Tuesday, November 22, 2011 5:10 PM
> >>>Subject: PropertyPermission - Security Manager
> >>>
> >>>
> >>>I like to run my JSF2/CODI/OWB app in Tomcat 7 with security manager 
> >>>enabled, then I get an error (stacktrace see below) that 
> >>>java.util.PropertyPermission * read,write is missing. "read" permission is 
> >>>OK, but I'm wondering OWB needs WRITE permission?!
> >>>
> >>>Why? What does it write?
> >>>
> >>>In my opinion it seems not to be ok that web applications require property 
> >>>write permissions, because this will have side effects on other 
> >>>applications installed in the same tomcat!!
> >>>
> >>>How can I prevent OWB from forcing property write permissions?
> >>>
> >>>Thx
> >>>gernot
> >>>
> >>>
> >>>org.apache.catalina.core.StandardContext listenerStart
> >>>SEVERE: Error configuring application listener of class org.apache.webbeans.servlet.WebBeansConfigurationListener
> >>>java.security.AccessControlException: access denied (java.util.PropertyPermission * read,write)
> >>>    at java.security.AccessControlContext.checkPermission(AccessControlContext.java:374)
> >>>    at java.security.AccessController.checkPermission(AccessController.java:546)
> >>>    at java.lang.SecurityManager.checkPermission(SecurityManager.java:532)
> >>>    at java.lang.SecurityManager.checkPropertiesAccess(SecurityManager.java:1252)
> >>>    at java.lang.System.getProperties(System.java:580)
> >>>    at org.apache.webbeans.config.OpenWebBeansConfiguration$1.run(OpenWebBeansConfiguration.java:235)
> >>>    at org.apache.webbeans.config.OpenWebBeansConfiguration$1.run(OpenWebBeansConfiguration.java:231)
> >>>    at java.security.AccessController.doPrivileged(Native Method)
> >>>    at org.apache.webbeans.config.OpenWebBeansConfiguration.doPrivilegedGetSystemProperties(OpenWebBeansConfiguration.java:229)
> >>>    at org.apache.webbeans.config.OpenWebBeansConfiguration.loadFromSystemProperties(OpenWebBeansConfiguration.java:167)
> >>>    at org.apache.webbeans.config.OpenWebBeansConfiguration.<init>(OpenWebBeansConfiguration.java:156)
> >>>    at org.apache.webbeans.config.WebBeansContext.<init>(WebBeansContext.java:98)
> >>>    at org.apache.webbeans.corespi.DefaultSingletonService.get(DefaultSingletonService.java:58)
> >>>    at org.apache.webbeans.corespi.DefaultSingletonService.get(DefaultSingletonService.java:30)
> >>>    at org.apache.webbeans.config.WebBeansFinder.getSingletonInstance(WebBeansFinder.java:51)
> >>>    at org.apache.webbeans.config.WebBeansContext.getInstance(WebBeansContext.java:163)
> >>>    at org.apache.webbeans.servlet.WebBeansConfigurationListener.<init>(WebBeansConfigurationListener.java:69)
> >>>
> >>>
> >>>
> >>
> >
> >
> >
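
Added example, not part of the thread and not OpenWebBeans code: it shows which permission each of the two lookup styles from question (a) asks the security manager for, matching the checkPropertiesAccess Javadoc quoted above. The class names `PropertyCheckDemo` and `RecordingManager` are hypothetical, and a JDK 8 to 17 runtime is assumed.

```java
import java.security.Permission;
import java.util.ArrayList;
import java.util.List;
import java.util.PropertyPermission;

// Added illustration, not OpenWebBeans code. Assumes JDK 8-17: from JDK 18
// System.setSecurityManager needs -Djava.security.manager=allow, and JDK 24
// disabled the Security Manager permanently.
public class PropertyCheckDemo {

    // Hypothetical manager: records every PropertyPermission check and denies
    // only those that include "write". No string concatenation in here, so the
    // check itself does not trigger further JDK bootstrap work.
    static class RecordingManager extends SecurityManager {
        final List<Permission> seen = new ArrayList<>();

        @Override
        public void checkPermission(Permission p) {
            if (!(p instanceof PropertyPermission)) {
                return; // everything else is allowed in this demo
            }
            seen.add(p);
            if (p.getActions().contains("write")) {
                throw new SecurityException(p.toString());
            }
        }
    }

    public static void main(String[] args) {
        RecordingManager sm = new RecordingManager();
        System.setSecurityManager(sm);

        System.getProperty("user.home");             // single-key lookup
        List<Permission> single = new ArrayList<>(sm.seen);
        sm.seen.clear();

        boolean bulkDenied = false;
        try {
            System.getProperties().get("user.home"); // whole-table lookup
        } catch (SecurityException e) {
            bulkDenied = true;
        }
        List<Permission> bulk = new ArrayList<>(sm.seen);
        System.setSecurityManager(null); // stop recording before printing

        System.out.println("getProperty   checked: " + single);
        System.out.println("getProperties checked: " + bulk + " denied=" + bulkDenied);
    }
}
```

The single-key call is checked against a "read" permission for that one key, while the whole-table call is checked against the wildcard "read,write" permission even though the caller only reads from the returned table.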
