ONJava.com -- The Independent Source for Enterprise Java
Discovering a Java Application's Security Requirements

A More Complex Example: Profiling a Tomcat Web Application

With that simple example behind us, let us examine a nontrivial use of ProfilingSecurityManager: profiling a Tomcat web application. Tomcat can be made to run under the default Java security manager by passing the -security option to the standard startup script:



$ $CATALINA_HOME/bin/startup.sh -security

Passing the -security option to startup.sh causes it to call $CATALINA_HOME/bin/catalina.sh with the same -security option. $CATALINA_HOME/bin/catalina.sh is the script that actually invokes java to run the Tomcat bootstrap class org.apache.catalina.startup.Bootstrap, in this case subject to the default policy specified in $CATALINA_HOME/conf/catalina.policy. If we leave the invocation at that, Tomcat will run under the default Java security manager subject to the default shipped policy. But we need to do a bit more work to profile Tomcat and the web applications it may contain. To profile a webapp using ProfilingSecurityManager, we must develop a new Tomcat startup script. The new startup script is a temporary device, used only for profiling and then discarded.

Make a backup copy of $CATALINA_HOME/bin/catalina.sh. Insert the shell command set -x near the top of $CATALINA_HOME/bin/catalina.sh, and start Tomcat. Save the java command line that the shell echoes to a file that will hold the temporary startup script. Stop Tomcat, and edit the temporary script, specifying ProfilingSecurityManager as the security manager and modifying the classpath to locate it.

Under Tomcat 5.5.17 on Linux, here is what the temporary startup script looks like before we edit it to use ProfilingSecurityManager, with a bit of tweaking and formatting:

#!/bin/sh
log=$CATALINA_HOME/logs/catalina.out

/java/jdk/jdk1.5.0_06/bin/java \
-Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager \
-Djava.util.logging.config.file=/home/tomcat/tomcat/conf/logging.properties \
-Djava.endorsed.dirs=/home/tomcat/tomcat/common/endorsed \
-classpath :/home/tomcat/tomcat/bin/bootstrap.jar:\
/home/tomcat/tomcat/bin/commons-logging-api.jar \
-Djava.security.manager \
-Djava.security.policy==/home/tomcat/tomcat/conf/catalina.policy \
-Dcatalina.base=/home/tomcat/tomcat \
-Dcatalina.home=/home/tomcat/tomcat \
-Djava.io.tmpdir=/home/tomcat/tomcat/temp \
org.apache.catalina.startup.Bootstrap start >> $log \
2>&1 &

After editing for purposes of using ProfilingSecurityManager, the startup script looks like this:

#!/bin/sh
log=$CATALINA_HOME/logs/catalina.out
PATHTOPSM=$HOME/lib/psm.jar  # make sure the profiler jar file is here

/java/jdk/jdk1.5.0_06/bin/java \
-Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager \
-Djava.util.logging.config.file=/home/tomcat/tomcat/conf/logging.properties \
-Djava.endorsed.dirs=/home/tomcat/tomcat/common/endorsed \
-classpath $PATHTOPSM:/home/tomcat/tomcat/bin/bootstrap.jar:\
/home/tomcat/tomcat/bin/commons-logging-api.jar \
-Djava.security.manager=secmgr.manager.ProfilingSecurityManager \
-Djava.security.policy==/home/tomcat/tomcat/conf/catalina.policy \
-Dcatalina.base=/home/tomcat/tomcat \
-Dcatalina.home=/home/tomcat/tomcat \
-Djava.io.tmpdir=/home/tomcat/tomcat/temp \
org.apache.catalina.startup.Bootstrap start >> $log \
2>&1 &

The two scripts differ in that the new temporary version

  1. augments the classpath to point to where the ProfilingSecurityManager class resides, namely in $HOME/lib/psm.jar
  2. specifies ProfilingSecurityManager as the security manager in the -Djava.security.manager parameter

Now we can start profiling. Start Tomcat with the temporary startup script. Put the web applications of interest through their paces by forcing them to cover code that would be covered in a production scenario. Code-covering the web applications is admittedly a tall order, and may only be partially achievable. Stop Tomcat, and run $CATALINA_HOME/logs/catalina.out through parsecodebase.pl, as shown below, with the processed rules saved to policy.txt.

$ parsecodebase.pl < $CATALINA_HOME/logs/catalina.out > policy.txt

Listing 9. Processing the rules generated by Tomcat and any executed web applications contained by it.

Be aware that ProfilingSecurityManager can only generate rules for code executed during profiling. It does not examine bytecode in class files, probing all code branches that can in theory be reached during an arbitrary runtime instance. Such bytecode analysis could be an area of future work, and would complement, but not replace, the runtime analysis done by ProfilingSecurityManager.

An examination of the policy file $CATALINA_HOME/conf/catalina.policy that ships with Tomcat reveals that Tomcat ("Catalina") system codebases are granted all platform permissions. ProfilingSecurityManager will, in fact, discover these same rules for Tomcat system classes, but will specify them in a fine-grained fashion. Because catalina.policy already covers them, the rules ProfilingSecurityManager discovers about Tomcat system classes should be manually pruned from policy.txt.

The rules that remain in policy.txt after pruning the Tomcat system rules are the starting point for our production security policy. These rules represent our web application's security requirements. Each of them should be examined carefully to understand what it grants and to confirm that it is consistent with our application's goals. When we are confident we have a good draft policy, make a backup copy of $CATALINA_HOME/conf/catalina.policy, and incorporate the new draft rules from policy.txt into it. Then revert to the original Tomcat startup script with the -security option set, and continue testing.
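The pruning step above can be scripted rather than done by hand. The following helper is an added example, not code from the article or from the ProfilingSecurityManager project; it assumes policy.txt is written in standard Java policy syntax (grant codeBase "..." { permission ...; };), that catalina.home is /home/tomcat/tomcat as in the scripts above, and that the Tomcat system directories listed in SYSTEM_DIRS are the ones catalina.policy already grants AllPermission to (check that list against your own catalina.policy).

```python
"""Prune Tomcat system codebases from a draft policy file (added example).

Assumption: policy.txt uses standard Java policy syntax, one grant block
per codeBase. Blocks whose codeBase lies under a Tomcat system directory
are dropped because catalina.policy already grants them AllPermission;
everything else (the web application's own requirements) is kept.
"""
import re

# Assumption: directories under catalina.home that catalina.policy already
# covers with AllPermission. Adjust to match your shipped catalina.policy.
SYSTEM_DIRS = ("bin", "common", "server")

# Matches: grant codeBase "<url>" { ...permissions... };
GRANT_RE = re.compile(r'grant\s+codeBase\s+"([^"]+)"\s*\{(.*?)\};', re.DOTALL)


def is_system_codebase(codebase: str, catalina_home: str) -> bool:
    """True if the codeBase URL points into one of Tomcat's system directories."""
    prefix = "file:" + catalina_home.rstrip("/") + "/"
    if not codebase.startswith(prefix):
        return False
    first_component = codebase[len(prefix):].split("/", 1)[0]
    return first_component in SYSTEM_DIRS


def prune_policy(text: str, catalina_home: str):
    """Return (kept grant blocks, dropped codeBase URLs) for a policy text."""
    kept, dropped = [], []
    for match in GRANT_RE.finditer(text):
        codebase = match.group(1)
        if is_system_codebase(codebase, catalina_home):
            dropped.append(codebase)
        else:
            kept.append(match.group(0))
    return kept, dropped


# Constructed sample in the shape parsecodebase.pl output is assumed to take.
SAMPLE_POLICY = '''
grant codeBase "file:/home/tomcat/tomcat/common/lib/naming-resources.jar" {
    permission java.util.PropertyPermission "java.naming.factory.initial", "read";
};
grant codeBase "file:/home/tomcat/tomcat/webapps/myapp/WEB-INF/classes/-" {
    permission java.io.FilePermission "/home/tomcat/tomcat/temp/-", "read,write";
    permission java.net.SocketPermission "db.example.internal:5432", "connect,resolve";
};
'''

if __name__ == "__main__":
    kept_blocks, dropped_urls = prune_policy(SAMPLE_POLICY, "/home/tomcat/tomcat")
    print("\n".join(kept_blocks))      # only the webapp grant survives
    print("dropped:", dropped_urls)
```

Run it with `python prune_policy.py < /dev/null` after replacing SAMPLE_POLICY with the contents of policy.txt, then review every surviving grant by hand as the text advises.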

Conclusion

Running our applications under a Java security manager can increase the robustness of our code. And while getting the security policy right will be challenging, doing so provides peace of mind that our code is running subject to security constraints we prescribe. ProfilingSecurityManager can help us get that policy right by giving us full visibility into the set of resources to which the application has requested access.

Mark Petrovic is a technologist and software developer.