Discovering a Java Application's Security Requirements
A More Complex Example: Profiling a Tomcat Web Application
With that simple example behind us, let us examine a nontrivial use of ProfilingSecurityManager: profiling a Tomcat web application. Tomcat can be made to run under the default Java security manager by passing the -security option to the standard startup script:
$ $CATALINA_HOME/bin/startup.sh -security
The -security option to startup.sh causes it to call $CATALINA_HOME/bin/catalina.sh with the same -security option. $CATALINA_HOME/bin/catalina.sh is the script that actually invokes java to run the Tomcat bootstrap class org.apache.catalina.startup.Bootstrap, in this case under the default Java security manager and subject to the default policy specified in $CATALINA_HOME/conf/catalina.policy. If we leave the invocation at that, Tomcat will run under the default Java security manager subject to the shipped default policy. But we need to do a bit more work to profile Tomcat and the webapps it may contain. To profile the webapp using ProfilingSecurityManager, we must develop a new Tomcat startup script. The new startup script is a temporary device: it will be used only for profiling, then discarded.
Make a backup copy of $CATALINA_HOME/bin/catalina.sh. Insert the shell command set -x near the top of $CATALINA_HOME/bin/catalina.sh, and start Tomcat. Save the java command line that set -x displays to a file that will hold the temporary startup script. Stop Tomcat, and edit the temporary script, specifying ProfilingSecurityManager as the security manager and modifying the classpath so that the JVM can locate it.
Under Tomcat 5.5.17 on Linux, here is what the temporary startup script looks like (with a bit of tidying and formatting) before we edit it to use ProfilingSecurityManager:
#!/bin/sh
log=$CATALINA_HOME/logs/catalina.out
/java/jdk/jdk1.5.0_06/bin/java \
  -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager \
  -Djava.util.logging.config.file=/home/tomcat/tomcat/conf/logging.properties \
  -Djava.endorsed.dirs=/home/tomcat/tomcat/common/endorsed \
  -classpath :/home/tomcat/tomcat/bin/bootstrap.jar:\
/home/tomcat/tomcat/bin/commons-logging-api.jar \
  -Djava.security.manager \
  -Djava.security.policy==/home/tomcat/tomcat/conf/catalina.policy \
  -Dcatalina.base=/home/tomcat/tomcat \
  -Dcatalina.home=/home/tomcat/tomcat \
  -Djava.io.tmpdir=/home/tomcat/tomcat/temp \
  org.apache.catalina.startup.Bootstrap start >> $log \
  2>&1 &
After editing it to use ProfilingSecurityManager, the startup script looks like this:
#!/bin/sh
log=$CATALINA_HOME/logs/catalina.out
PATHTOPSM=$HOME/lib/psm.jar   # make sure the profiler jar file is here
/java/jdk/jdk1.5.0_06/bin/java \
  -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager \
  -Djava.util.logging.config.file=/home/tomcat/tomcat/conf/logging.properties \
  -Djava.endorsed.dirs=/home/tomcat/tomcat/common/endorsed \
  -classpath $PATHTOPSM:/home/tomcat/tomcat/bin/bootstrap.jar:\
/home/tomcat/tomcat/bin/commons-logging-api.jar \
  -Djava.security.manager=secmgr.manager.ProfilingSecurityManager \
  -Djava.security.policy==/home/tomcat/tomcat/conf/catalina.policy \
  -Dcatalina.base=/home/tomcat/tomcat \
  -Dcatalina.home=/home/tomcat/tomcat \
  -Djava.io.tmpdir=/home/tomcat/tomcat/temp \
  org.apache.catalina.startup.Bootstrap start >> $log \
  2>&1 &
The two scripts differ in that the new temporary version:
- augments the classpath to point to where the ProfilingSecurityManager class resides, namely in $HOME/lib/psm.jar
- specifies ProfilingSecurityManager as the security manager via -Djava.security.manager
Now we can start profiling. Start Tomcat with the temporary startup script. Put the web applications of interest through their paces by exercising the code paths they would cover in a production scenario. Code-covering the web applications is admittedly a tall order, and may only be partially achievable. Stop Tomcat, and run $CATALINA_HOME/logs/catalina.out through parsecodebase.pl, as shown below, with the processed rules saved to policy.txt.
$ parsecodebase.pl < $CATALINA_HOME/logs/catalina.out > policy.txt
Listing 9. Processing the rules generated by Tomcat and any executed web applications contained by it.
Be aware that ProfilingSecurityManager can only generate rules for code executed during profiling. It does not examine bytecode in class files, probing all code branches that can in theory be reached during an arbitrary runtime instance. Such bytecode analysis could be an area of future work, and would complement, but not replace, the runtime analysis done by ProfilingSecurityManager.
An examination of the policy file $CATALINA_HOME/conf/catalina.policy that ships with Tomcat reveals that Tomcat ("Catalina") system codebases are granted all platform permissions. ProfilingSecurityManager will in fact discover these same rules for Tomcat system classes, but will specify them in a fine-grained fashion. The rules ProfilingSecurityManager discovers about Tomcat system classes should be manually pruned from policy.txt.
The rules that remain in policy.txt after pruning the Tomcat system rules are the starting point for our production security policy. These rules represent our web application's security requirements. Each of them should be examined carefully to understand what it does and to confirm that it is consistent with our application's goals. When we are confident we have a good draft policy, we make a backup copy of $CATALINA_HOME/conf/catalina.policy and incorporate the new draft rules from policy.txt into it. Then we revert to the original Tomcat startup script with the -security option set, and continue testing.
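As an added illustration of the pruning and review steps just described (this is not the article's code, nor part of ProfilingSecurityManager or parsecodebase.pl), the following Python script parses a draft policy written in standard Java policy syntax, drops the grants whose codeBase lies under the Tomcat system directories that catalina.policy already covers with AllPermission, merges permission lines repeated across profiling runs, and flags broad rules that deserve a second look before they enter catalina.policy. The CATALINA_HOME value and the system directory list (bin/, common/, server/) are assumptions taken from the Tomcat 5.5 layout in the startup script above, and the sample policy text is constructed for the example.

```python
import re

# Assumption: same install path as the article's startup script; adjust to yours.
CATALINA_HOME = "/home/tomcat/tomcat"
# Assumption: Tomcat 5.5 system codebases that the shipped catalina.policy already
# grants AllPermission; rules discovered for these are the ones to prune.
TOMCAT_SYSTEM_DIRS = ("bin/", "common/", "server/")

# Constructed sample of what a draft policy.txt might contain.  Only the
# 'grant codeBase "..." { ... };' form is handled; signedBy/principal grants
# are out of scope for this illustration.
SAMPLE_POLICY = '''
grant codeBase "file:/home/tomcat/tomcat/bin/bootstrap.jar" {
  permission java.security.AllPermission;
};

grant codeBase "file:/home/tomcat/tomcat/server/lib/catalina.jar" {
  permission java.io.FilePermission "/home/tomcat/tomcat/conf/server.xml", "read";
  permission java.util.PropertyPermission "catalina.base", "read";
};

grant codeBase "file:/home/tomcat/tomcat/webapps/shop/WEB-INF/classes/-" {
  permission java.io.FilePermission "/home/tomcat/tomcat/webapps/shop/WEB-INF/data/-", "read";
  permission java.util.PropertyPermission "java.io.tmpdir", "read";
  permission java.net.SocketPermission "*:1024-65535", "connect,resolve";
};

grant codeBase "file:/home/tomcat/tomcat/webapps/shop/WEB-INF/lib/-" {
  permission java.util.PropertyPermission "java.io.tmpdir", "read";
  permission java.util.PropertyPermission "java.io.tmpdir", "read";
  permission java.io.FilePermission "/home/tomcat/tomcat/webapps/shop/WEB-INF/data/-", "read";
};
'''

GRANT_RE = re.compile(
    r'grant\s+codeBase\s+"(?P<codebase>[^"]+)"\s*\{(?P<body>.*?)\}\s*;',
    re.DOTALL,
)
PERM_RE = re.compile(r'permission\s+([^;]+);')


def parse_policy(text):
    """Return an insertion-ordered mapping codebase -> list of permission clauses,
    with whitespace normalised and duplicate clauses collapsed."""
    grants = {}
    for m in GRANT_RE.finditer(text):
        perms = grants.setdefault(m.group("codebase"), [])
        for clause in PERM_RE.findall(m.group("body")):
            clause = " ".join(clause.split())
            if clause not in perms:
                perms.append(clause)
    return grants


def is_tomcat_system(codebase):
    """True when the codebase is a Tomcat system jar/directory under CATALINA_HOME."""
    path = codebase[len("file:"):] if codebase.startswith("file:") else codebase
    return any(path.startswith(f"{CATALINA_HOME}/{d}") for d in TOMCAT_SYSTEM_DIRS)


def prune_system_grants(grants):
    """Split grants into (kept web-application grants, dropped system codebases)."""
    kept = {cb: perms for cb, perms in grants.items() if not is_tomcat_system(cb)}
    dropped = [cb for cb in grants if is_tomcat_system(cb)]
    return kept, dropped


def review_flags(grants):
    """Rules worth manual scrutiny: AllPermission, '<<ALL FILES>>', or a
    wildcard target.  Returns (codebase, clause) pairs."""
    flags = []
    for cb, perms in grants.items():
        for p in perms:
            if (p.startswith("java.security.AllPermission")
                    or "<<ALL FILES>>" in p
                    or re.search(r'"[^"]*\*[^"]*"', p)):
                flags.append((cb, p))
    return flags


def render_policy(grants):
    """Emit the kept grants back in Java policy syntax, ready to merge."""
    blocks = []
    for cb, perms in grants.items():
        body = "\n".join(f"  permission {p};" for p in perms)
        blocks.append(f'grant codeBase "{cb}" {{\n{body}\n}};')
    return "\n\n".join(blocks) + "\n"


if __name__ == "__main__":
    kept, dropped = prune_system_grants(parse_policy(SAMPLE_POLICY))
    print("pruned system codebases:", ", ".join(dropped))
    for cb, clause in review_flags(kept):
        print("REVIEW:", cb, "->", clause)
    print(render_policy(kept))
```

Run against a real policy.txt by reading the file into parse_policy in place of SAMPLE_POLICY; the flagged SocketPermission with a "*" host is the kind of rule that should be narrowed to the hosts the application actually talks to before it goes into catalina.policy.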
Running our applications under a Java security manager can increase the robustness of our code. And while getting the security policy right will be challenging, doing so provides peace of mind that our code is running subject to the security constraints we prescribe. ProfilingSecurityManager can help us get that policy right by giving us full visibility into the set of resources to which the application has requested access.
- Sample code for this article, including
- Subverting Java Access Protection for Unit Testing discussing Java reflection basics
- Tomcat: The Definitive Guide with additional details on Tomcat security
- Java Permissions list
- Java security architecture documentation
Mark Petrovic is a technologist and software developer.