Hi Gernot! Thanks for the update! The information about the grant is very valuable for other users!
The main reason why we use getProperties is that this is much easier to debug and extend. But you know, quite a few things happen because they work well enough. And the difference is really subtle in this case.

LieGrue,
strub

----- Original Message -----
> From: Gernot <[email protected]>
> To: [email protected]
> Cc:
> Sent: Wednesday, November 23, 2011 4:47 PM
> Subject: Re: PropertyPermission - Security Manager
>
> (a) Isn't it the same, if you use 'System.getProperty("x")' or 'p=System.getProperties();p.get("x")' ?
>
> (b) application runs after adding a new protection domain
> grant codeBase "file:${catalina.base}/work/Catalina/localhost/xxxxx/WEB-INF/lib/openwebbeans-impl-1.1.1.jar" {
>     permission java.util.PropertyPermission "*", "read,write";
> };
>
> gernot
>
> 2011/11/23 Mark Struberg <[email protected]>
>>
>> We use System.getProperties because we do a lot of lookups.
>> Couldn't you just check if the getProperties is being called from within OpenWebBeansConfiguration and allow read/write for it?
>>
>>
>> And from my personal experience with the Java SystemManager: I know 2 banks which used all this crap in the early 2000s. Then came .NET which was faster. Then they dropped the SecurityManager and realized that they gained 3-times the performance from just doing that...
>>
>> But there are certainly scenarios where it is useful (3rd party WAR hosting).
>>
>>
>> LieGrue,
>> strub
>>
>> >________________________________
>> > From: Gernot <[email protected]>
>> >To: [email protected]
>> >Sent: Wednesday, November 23, 2011 10:54 AM
>> >Subject: Re: PropertyPermission - Security Manager
>> >
>> >
>> >Thank you for answering.
>> >
>> >Why don't you use System.getProperty()? - and everything works fine with "read" permission.
>> >I do not see any need to iterate over all possible properties set in the JVM in OWB.
>> >
>> >We've enabled SecurityManager for 10 years and we are running internally built applications but also lots of externally built applications (about 50 tomcats, with up to 20 applications each). So we have the need to separate applications. And all libraries we used support SecurityManager stuff well.
>> >If you only deploy own applications - do you really know them all exactly? ;-) - it is at least another boundary for intruders and an additional limitation of configuration errors.
>> >
>> >Gernot
>> >
>> >
>> >2011/11/22 Mark Struberg <[email protected]>
>> >
>> >>
>> >>Hi Gernot!
>> >>
>> >>I fear there is nothing we can do against this in OWB. The Javadoc of System#getProperties says that checkPropertiesAccess is used [1].
>> >>
>> >>> This method is used by the getProperties and
>> >>> setProperties methods of class System.
>> >>> This method calls checkPermission with the
>> >>> PropertyPermission("*", "read,write") permission.
>> >>
>> >>
>> >>Btw, if you don't plan to execute foreign wars on your box, then enabling the SecurityManager will just cause unnecessary pain and performance decrease. This stuff originally got invented solely for sandboxing Java applets in browsers and later got abused for EE Server security in big data centers to keep externally built applications under control. But it's really not of much use if you know the software you like to run on your boxes.
>> >>
>> >>
>> >>LieGrue,
>> >>strub
>> >>
>> >>[1] http://download.oracle.com/javase/1.4.2/docs/api/java/lang/SecurityManager.html#checkPropertiesAccess%28%29
>> >>
>> >>
>> >>>________________________________
>> >>> From: Gernot <[email protected]>
>> >>>To: [email protected]
>> >>>Sent: Tuesday, November 22, 2011 5:10 PM
>> >>>Subject: PropertyPermission - Security Manager
>> >>>
>> >>>
>> >>>I like to run my JSF2/CODI/OWB app in Tomcat 7 with security manager enabled, then I get an error (stacktrace see below) that java.util.PropertyPermission * read,write is missing. "read" permission is OK, but I'm wondering OWB needs WRITE permission?!
>> >>>
>> >>>Why? What does it write?
>> >>>
>> >>>In my opinion it seems not to be ok that webapplications require property write permissions, because this will have side effects to other applications installed in the same tomcat!!
>> >>>
>> >>>How can I prevent OWB to force property write permissions.
>> >>>
>> >>>Thx
>> >>>gernot
>> >>>
>> >>>
>> >>>org.apache.catalina.core.StandardContext listenerStart
>> >>>SEVERE: Error configuring application listener of class org.apache.webbeans.servlet.WebBeansConfigurationListener
>> >>>java.security.AccessControlException: access denied (java.util.PropertyPermission * read,write)
>> >>> at java.security.AccessControlContext.checkPermission(AccessControlContext.java:374)
>> >>> at java.security.AccessController.checkPermission(AccessController.java:546)
>> >>> at java.lang.SecurityManager.checkPermission(SecurityManager.java:532)
>> >>> at java.lang.SecurityManager.checkPropertiesAccess(SecurityManager.java:1252)
>> >>> at java.lang.System.getProperties(System.java:580)
>> >>> at org.apache.webbeans.config.OpenWebBeansConfiguration$1.run(OpenWebBeansConfiguration.java:235)
>> >>> at org.apache.webbeans.config.OpenWebBeansConfiguration$1.run(OpenWebBeansConfiguration.java:231)
>> >>> at java.security.AccessController.doPrivileged(Native Method)
>> >>> at org.apache.webbeans.config.OpenWebBeansConfiguration.doPrivilegedGetSystemProperties(OpenWebBeansConfiguration.java:229)
>> >>> at org.apache.webbeans.config.OpenWebBeansConfiguration.loadFromSystemProperties(OpenWebBeansConfiguration.java:167)
>> >>> at org.apache.webbeans.config.OpenWebBeansConfiguration.<init>(OpenWebBeansConfiguration.java:156)
>> >>> at org.apache.webbeans.config.WebBeansContext.<init>(WebBeansContext.java:98)
>> >>> at org.apache.webbeans.corespi.DefaultSingletonService.get(DefaultSingletonService.java:58)
>> >>> at org.apache.webbeans.corespi.DefaultSingletonService.get(DefaultSingletonService.java:30)
>> >>> at org.apache.webbeans.config.WebBeansFinder.getSingletonInstance(WebBeansFinder.java:51)
>> >>> at org.apache.webbeans.config.WebBeansContext.getInstance(WebBeansContext.java:163)
>> >>> at org.apache.webbeans.servlet.WebBeansConfigurationListener.<init>(WebBeansConfigurationListener.java:69)
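
Added example (not part of the thread and not OpenWebBeans code): the two access paths from question (a) demand different permissions, and `Permission.implies` shows which policy grant satisfies which path without installing a SecurityManager. The class name, the property name `example.app.mode` and the scoped grant `example.app.*` are constructed for illustration.

```java
import java.security.Permission;
import java.security.Permissions;
import java.util.PropertyPermission;

// Added example: models the policy grants discussed in the thread and asks
// which System property access paths each grant would satisfy.
public class PropertyGrantCheck {

    // System.getProperties()/setProperties() go through checkPropertiesAccess(),
    // which demands this permission (see the Javadoc quoted in the thread).
    static final Permission WHOLE_TABLE = new PropertyPermission("*", "read,write");

    // System.getProperty(key) goes through checkPropertyAccess(key):
    // read access on that one key only.
    static Permission singleRead(String key) {
        return new PropertyPermission(key, "read");
    }

    // Equivalent of one 'permission java.util.PropertyPermission ...' policy line.
    static Permissions grant(String name, String actions) {
        Permissions granted = new Permissions();
        granted.add(new PropertyPermission(name, actions));
        return granted;
    }

    // Prints whether the grant covers a single-key lookup and the whole-table call.
    static void report(String label, Permissions granted, String key) {
        System.out.printf("%-28s getProperty(\"%s\")=%-5b getProperties()=%b%n",
                label, key,
                granted.implies(singleRead(key)),
                granted.implies(WHOLE_TABLE));
    }

    public static void main(String[] args) {
        String key = "example.app.mode"; // constructed property name

        // Read-only wildcard: the grant Gernot expected to be sufficient.
        report("\"*\", \"read\"", grant("*", "read"), key);
        // The grant from (b) that made the application start.
        report("\"*\", \"read,write\"", grant("*", "read,write"), key);
        // Narrow grant: enough for keyed lookups under one prefix only.
        report("\"example.app.*\", \"read\"", grant("example.app.*", "read"), key);
    }
}
```

Only the `"*", "read,write"` grant implies the permission behind `System.getProperties()`, which is why scoping that grant to a single `codeBase`, as in (b), is what limits its reach.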
