The Java Security Manager

The Security Manager

The following Custom Security Manager will be used:

package com.tm.sm;

public class TMSecurityManager extends SecurityManager
{
public TMSecurityManager()
{
super();
}
public void checkExit(int c)
{
super.checkExit(c);
throw new SecurityException(“Permission Denied:” + c);
}
public void checkPermission( RuntimePermission p,
Object c)
throws NullPointerException, SecurityException
{
super.checkPermission(p, c);
if( p instanceof RuntimePermission && c == new RuntimePermission(“setSecurityManager”))
{
throw new SecurityException(“Permission Denied: ” + p + ” ” + c);
}
}
public void checkExec(String c)
{
super.checkExec(c);
throw new SecurityException(“Permission Denied: ” + c);
}
}

Notice, that this class extends java.lang.SecurityManager.

Also, the checkExit(int) method has been overridden and now throws a security exception in all cases. This prevents anyone from calling System.exit(). This means the only way the JVM can exit is if all non-daemon Java threads have exited. I haven’t found another way of accomplishing this.

The checkPermission() method has also been overriden in TMSecurityManager; it first calls calls the super class to provide for all default behavior. Then, it expictly denies permission to set a new Security Manager class.

Finally, TMSecurityManager, explictly denies permission to execute all external programs by overriding checkExec(). It may be desirable to create custom permissions objects that allow the ability to execute certain programs.

The Default java.policy File:

This series of tests used the following $JRE_HOME/jre/lib/security/java.policy file. There is only one modified line; the line granting permission for all code to establish listening end points above port 1024 has been removed.

// Standard extensions get all permissions by default

grant codeBase “file:${{java.ext.dirs}}/*” {
permission java.security.AllPermission;
};

// default permissions granted to all domains

grant {
// Allows any thread to stop itself using the java.lang.Thread.stop()
// method that takes no argument.
// Note that this permission is granted by default only to remain
// backwards compatible.
// It is strongly recommended that you either remove this permission
// from this policy file or further restrict it to code sources
// that you specify, because Thread.stop() is potentially unsafe.
// See “http://java.sun.com/notes” for more information.
permission java.lang.RuntimePermission “stopThread”;

// allows anyone to listen on un-privileged ports
//permission java.net.SocketPermission “localhost:1024-“, “listen”;

// “standard” properies that can be read by anyone

permission java.util.PropertyPermission “java.version”, “read”;
permission java.util.PropertyPermission “java.vendor”, “read”;
permission java.util.PropertyPermission “java.vendor.url”, “read”;
permission java.util.PropertyPermission “java.class.version”, “read”;
permission java.util.PropertyPermission “os.name”, “read”;
permission java.util.PropertyPermission “os.version”, “read”;
permission java.util.PropertyPermission “os.arch”, “read”;
permission java.util.PropertyPermission “file.separator”, “read”;
permission java.util.PropertyPermission “path.separator”, “read”;
permission java.util.PropertyPermission “line.separator”, “read”;
permission java.util.PropertyPermission “java.specification.version”, “read”;
permission java.util.PropertyPermission “java.specification.vendor”, “read”;
permission java.util.PropertyPermission “java.specification.name”, “read”;
permission java.util.PropertyPermission “java.vm.specification.version”, “read”;
permission java.util.PropertyPermission “java.vm.specification.vendor”, “read”;
permission java.util.PropertyPermission “java.vm.specification.name”, “read”;
permission java.util.PropertyPermission “java.vm.version”, “read”;
permission java.util.PropertyPermission “java.vm.vendor”, “read”;
permission java.util.PropertyPermission “java.vm.name”, “read”;
};

Custom java.policy File:

The following Custom Java Policy was used while performing these tests.

grant codeBase “file://${privledged.jar.path}” {
permission java.lang.RuntimePermission “setSecurityManager”;
permission java.lang.RuntimePermission “createSecurityManager”;
};

This grants permissions to the test tool to create and set a custom Security Manager. Note, privledged.jar.path is a System Property that is set on the command line; so, -Dprivledged.jar.path=path_to_jar_file is passed into the JVM at the command line.

Another approach to setting the Custom Security Manager is to use: -Djava.security.manager=com.tm.sm.TMSecurityManager. This will have the same effect as explictly calling System.setSecurityManager( new com.tm.sm.TMSecurityManager()), but doesn’t require granting permissions to a subset of code to allocate the custom Security Manager. This would probably be the required approach, if the JVM being secured ran a third-party application without source code.

Establish TCP listening endpoint above port 1023

The following code snippet will establish a listening end point on port 5000 on localhost:

try {
System.out.println(“TCPServerTest starting”);
ServerSocket ss = new ServerSocket(port);
while(true)
{
Socket s = ss.accept();
OutputStream os = s.getOutputStream();
OutputStreamWriter osw = new OutputStreamWriter(os);
BufferedWriter bw = new BufferedWriter(osw);
bw.write(“ack from server\n”);
bw.flush();
bw.close();
osw.close();
os.close();
s.close();
}
} catch(Exception e) {
e.printStackTrace();
}

Ordinarily, this snippet of code would result in the JVM listening for incoming connections on localhost:5000 and this thread waiting in an accept() call for an incoming connection. However, if the following line is removed from the default java.policy file:

permission java.net.SocketPermission “localhost:1024-“, “listen”;

Then, this code will fail with the following SecurityException:

java.security.AccessControlException: access denied (java.net.SocketPermission localhost:5000 listen,resolve)
at java.security.AccessControlContext.checkPermission(AccessControlContext.java:264)
at java.security.AccessController.checkPermission(AccessController.java:427)
at java.lang.SecurityManager.checkPermission(SecurityManager.java:532)
at java.lang.SecurityManager.checkListen(SecurityManager.java:1120)
at java.net.ServerSocket.bind(ServerSocket.java:318)
at java.net.ServerSocket.(ServerSocket.java:185)
at java.net.ServerSocket.(ServerSocket.java:97)
at com.tm.tests.TCPServerTest.test(TCPServerTest.java:21)
at com.tm.testTool.SecurityTest.main(SecurityTest.java:23)

which results in the ServerSocket(5000) method call in the code snippet failing.

This is the first SecurityException shown; so, it makes sense to cover how to grant the permission that is needed. The default Security Policy file grants all code permisison to establish listening endpoints above port 1023; however, we may want to be more selective than that. Maybe only the com.tm.testTool package and its supporting classes in the com.tm.tests package should be able to establish a listening endpoint.

To accomplish this, the entire code base, which presumably is stored in a set of well-defined jar files, would be granted the permission that is listed above. To avoid any further exceptions being thrown, every class listed in the stack trace above must be granted the ‘java.net.SocketPermission “localhost: 1024-“, “listen”‘ permission. The bottom two classes, com.tm.testTool.SecurityTest and com.tm.tests.TCPServerTest would be covered by a grant that add to the custom Security Policy such as:

grant code “file://{some.jar.path}” {
permission java.net.SocketPermission “localhost:1024-“, “listen”;
};

The rest of the classes are part of the Java Standard Edition networking packages. These packages are granted all permissions by default. Likewise, the java extension libraries, javax.*, are granted all permissions in the default Security Policy.

TCP Client connection to remote host:port

The next test attempts to establish a TCP connection to a remote endpoint using the following code:

String host=”localhost”;
int port = 5000;
try {
Socket s = new Socket(host,port);
s.close();
} catch(Exception e) {
e.printStackTrace();
}

When this code runs with the custom Security Manager and Security Policy described earlier, the following Exception is thrown:

java.security.AccessControlException: access denied (java.net.SocketPermission localhost resolve)
at java.security.AccessControlContext.checkPermission(AccessControlContxt.java:264)
at java.security.AccessController.checkPermission(AccessController.java:427)
at java.lang.SecurityManager.checkPermission(SecurityManager.java:532)
at java.lang.SecurityManager.checkConnect(SecurityManager.java:1031)
at java.net.InetAddress.getAllByName0(InetAddress.java:1134)
at java.net.InetAddress.getAllByName(InetAddress.java:1072)
at java.net.InetAddress.getAllByName(InetAddress.java:1008)
at java.net.InetAddress.getByName(InetAddress.java:958)
at java.net.InetSocketAddress.(InetSocketAddress.java:124)
at java.net.Socket.(Socket.java:180)
at com.tm.tests.TCPClientTest.test(TCPClientTest.java:20)
at com.tm.testTool.SecurityTest.main(SecurityTest.java:70)

If we were to globally grant everything the ‘java.net.SocketPermission “*”, “resolve”‘ permission. Then, the same piece of code would produce the following exception:

java.security.AccessControlException: access denied (java.net.SocketPermission 127.0.0.1:5000 connect,resolve)
at java.security.AccessControlContext.checkPermission(AccessControlContext.java:264)
at java.security.AccessController.checkPermission(AccessController.java:427)
at java.lang.SecurityManager.checkPermission(SecurityManager.java:532)
at java.lang.SecurityManager.checkConnect(SecurityManager.java:1034)
at java.net.Socket.connect(Socket.java:514)
at java.net.Socket.connect(Socket.java:470)
at java.net.Socket.(Socket.java:367)
at java.net.Socket.(Socket.java:180)
at com.tm.tests.TCPClientTest.test(TCPClientTest.java:20)
at com.tm.testTool.SecurityTest.main(SecurityTest.java:70)

Notice, it was able to resolve localhost this time. But, still wasn’t allowed to open a socket connection.

UDP Client

In this test, the following code snippet is used to attempt to send UDP Datagram:

int port = 5000;
String host = “localhost”;
try {
System.out.println(“UDPClientTest starting”);
DatagramSocket socket = new DatagramSocket(port, new InetSocketAddress(host,port).getAddress());
byte[] buf = new byte[BUF_LENGTH];
//Initialize buffer here…
DatagramPacket packet = new DatagramPacket(buf, buf.length);
socket.send(packet);
} catch (Exception e) {
e.printStackTrace();
}

Upon running this code, the following AccessControlException is generated:

java.security.AccessControlException: access denied (java.net.SocketPermission localhost resolve)
at java.security.AccessControlContext.checkPermission(AccessControlContext.java:264)
at java.security.AccessController.checkPermission(AccessController.java:427)
at java.lang.SecurityManager.checkPermission(SecurityManager.java:532)
at java.lang.SecurityManager.checkConnect(SecurityManager.java:1031)
at java.net.InetAddress.getAllByName0(InetAddress.java:1134)
at java.net.InetAddress.getAllByName(InetAddress.java:1072)
at java.net.InetAddress.getAllByName(InetAddress.java:1008)
at java.net.InetAddress.getByName(InetAddress.java:958)
at java.net.InetSocketAddress.(InetSocketAddress.java:124)
at com.tm.tests.UDPClientTest.test(UDPClientTest.java:21)
at com.tm.testTool.SecurityTest.main(SecurityTest.java:86)

UDP Server

The following code snippet attempts to establish a listening endpoint for incoming datagrams:

int port = 5000;
try {
System.out.println(“UDPServerTest starting”);
DatagramSocket socket = new DatagramSocket(port);
byte[] buf = new byte[256];
DatagramPacket packet = new DatagramPacket(buf, buf.length);
socket.receive(packet);
} catch (Exception e) {
e.printStackTrace();
}

Running this code produces the following Exception:

java.security.AccessControlException: access denied (java.net.SocketPermission localhost:5000 listen,resolve)
at java.security.AccessControlContext.checkPermission(AccessControlContext.java:264)
at java.security.AccessController.checkPermission(AccessController.java:427)
at java.lang.SecurityManager.checkPermission(SecurityManager.java:532)
at java.lang.SecurityManager.checkListen(SecurityManager.java:1120)
at java.net.DatagramSocket.bind(DatagramSocket.java:365)
at java.net.DatagramSocket.(DatagramSocket.java:210)
at java.net.DatagramSocket.(DatagramSocket.java:261)
at java.net.DatagramSocket.(DatagramSocket.java:234)
at com.tm.tests.UDPServerTest.test(UDPServerTest.java:19)
at com.tm.testTool.SecurityTest.main(SecurityTest.java:77)

Multicast Datagram Send

The following code snippet will attempt to send a multicast message:

int port = 5000;
String address = “224.0.0.1”;
try {
System.out.println(“MulticastSendTest”);
MulticastSocket s = new MulticastSocket(port);
s.joinGroup(InetAddress.getByName(address));
byte buf[] = new byte[BUF_SIZE];
for(int i = 0; i<BUF_SIZE; ++i)
{
buf[i]=”;
}
DatagramPacket packet = new DatagramPacket(buf, buf.length);
System.out.write(packet.getData(),0,packet.getLength());
s.leaveGroup(InetAddress.getByName(address));
s.close();
} catch(Exception e) {
e.printStackTrace();
}

Running this code produces the following Exception:

java.security.AccessControlException: access denied (java.net.SocketPermission localhost:5000 listen,resolve)
at java.security.AccessControlContext.checkPermission(AccessControlContext.java:264)
at java.security.AccessController.checkPermission(AccessController.java:427)
at java.lang.SecurityManager.checkPermission(SecurityManager.java:532)
at java.lang.SecurityManager.checkListen(SecurityManager.java:1120)
at java.net.DatagramSocket.bind(DatagramSocket.java:365)
at java.net.MulticastSocket.(MulticastSocket.java:147)
at java.net.MulticastSocket.(MulticastSocket.java:112)
at com.tm.tests.MulticastSendTest.test(MulticastSendTest.java:20)
at com.tm.testTool.SecurityTest.main(SecurityTest.java:93)

Multicast Datagram Recieve

The following code snippet will attempt to send a Multicast datagram:

String address=”224.0.0.1″;
int port = 5000;
public void test()
{
try
{
System.out.println(“MulticastRecvTest running”);
MulticastSocket s = new MulticastSocket(port);
s.joinGroup(InetAddress.getByName(address));
byte buf[] = new byte[BUF_SIZE];
for(int i = 0; i<BUF_SIZE; ++i)
{
buf[i]=”;
}
DatagramPacket packet = new DatagramPacket(buf, buf.length);
s.receive(packet);
System.out.write(packet.getData(),0,packet.getLength());
s.leaveGroup(InetAddress.getByName(address));
s.close();
} catch(Exception e) {
e.printStackTrace();
}

Running this code in a JVM running our Security Manager will produce the following Exception:

java.security.AccessControlException: access denied (java.net.SocketPermission localhost:5000 listen,resolve)
at java.security.AccessControlContext.checkPermission(AccessControlContext.java:264)
at java.security.AccessController.checkPermission(AccessController.java:427)
at java.lang.SecurityManager.checkPermission(SecurityManager.java:532)
at java.lang.SecurityManager.checkListen(SecurityManager.java:1120)
at java.net.DatagramSocket.bind(DatagramSocket.java:365)
at java.net.MulticastSocket.(MulticastSocket.java:147)
at java.net.MulticastSocket.(MulticastSocket.java:112)
at com.tm.tests.MulticastRecvTest.test(MulticastRecvTest.java:21)
at com.tm.testTool.SecurityTest.main(SecurityTest.java:99)

Calling System.exit()

The following code snipet will cause the JVM to exit:

try
{
System.out.println(“Calling System.exit()”);
System.exit(-1);
}
catch(Exception e)
{
e.printStackTrace();
}

Attempting to run this code, produces the following exception:

java.lang.SecurityException: Permission Denied: -1
at com.tm.sm.TMSecurityManager.checkExit(TMSecurityManager.java:48)
at java.lang.Runtime.exit(Runtime.java:88)
at java.lang.System.exit(System.java:869)
at com.tm.tests.ExitTest.test(ExitTest.java:10)
at com.tm.testTool.SecurityTest.main(SecurityTest.java:28)

Calling System.gc()

Any developer can call System.gc() on a JVM to force the Virtual Machine to attempt to do a Garbage Collection. The key part of that sentence is “attempt” to do a garbage collection. There is no guarentee that the JVM will reclaim any memory.

From a middleware administrator perspective, it is desirable to limit the ability of developers ability to force garbage collections. In theory, the JVM should always be tuned for well-performing garbage collection. Typically, spending the time to find the optimal combination of heap size, generation size, garbage collection algorithm, and heap is impratical, but an 80-20 rule applies. You can spend short period of time getting eighty percent of the way there, but the last twenty would be unproductively prohibitive (in most business settings). Situations where this state cannot be reached are rare, but not impossible.

But, most of the time, if a developer is calling System.gc(), it is due to a lack of experience tuning garbage collection algorithms or laziness. So, one may wish to limit the ability to call System.gc(). Unfortunately, the SecurityManager doesn’t have a permission that can handle this.

However, most of the major JVM vendors provide a command line flag that will disable explicity garbage collection. This mechanism can be used to achieve the desired result; even if a develop calls System.gc(), it has no effect on the garbage collection sub-system.

In a Sun JVM, the ” -XX:+DisableExplicitGC” will disable calls to System.gc(); in an IBM JVM, “-Xdisableexplicitgc” will do the same.

In experiments for this article, time statistics gathered for the execution time of System.gc() showed the method taking ~15ms without the “-XX:+DisableExplicitGC” flag and ~0ms with the flag. This demonstrates the gc() method is not activiating the garbage collector.

So, we’ve achieved the desired behavior of disabling a developers ability programatically trigger garbage collections.

Calling System.setProperty()

The following code snippet attempts to overwrite the file.encoding System Property with an invalid character set name:

try {
System.out.println(“SetSystemPropertyTest starting”);
System.setProperty(“file.encoding”, “thinkmiddleware”);
System.out.println(“file.encoding: ” + System.getProperty(“file.encoding”));
} catch (Exception e) {
e.printStackTrace();
}

Running this code in our JVM produces the following Exception:

java.security.AccessControlException: access denied (java.util.PropertyPermission file.encoding write)
at java.security.AccessControlContext.checkPermission(AccessControlContext.java:264)
at java.security.AccessController.checkPermission(AccessController.java:427)
at java.lang.SecurityManager.checkPermission(SecurityManager.java:532)
at java.lang.System.setProperty(System.java:699)
at com.tm.tests.SetSystemPropertyTest.test(SetSystemPropertyTest.java:12)
at com.tm.testTool.SecurityTest.main(SecurityTest.java:49)

So, it is no longer possible to modify System Properties such as file.encoding, which are very important to the correct function of Java code. I once spent several weeks tracking down a production issue that involved a developer modifying this parameter. It allowed their application to function properly, but other applications deployed to the same J2EE container began having problems. So, I have found it desirable to disallow run-time access of this parameter and most other System Properties.

It is also advisable to explictly set file.encoding at the command line, “-Dfile.encoding=ISO-8859-1”, to ensure the correct encoding table is being used.

There are numerous System Properties. The configuration being used disables write permissions for all of them. Depending on the application and environment, it may be necessary for the application to modify some system properties.

Calling System.getSystemProperty()

In a similar fashion, the following code will read the file.encoding property:

try {
System.out.println(“Read file.encoding property.”);
String property = System.getProperty(“file.encoding”);
System.out.println(“file.encoding: ” + property);
} catch (Exception e) {
e.printStackTrace();
}

Running this in our JVM will produce the following Exception:

java.security.AccessControlException: access denied (java.util.PropertyPermission file.encoding read)
at java.security.AccessControlContext.checkPermission(AccessControlContext.java:264)
at java.security.AccessController.checkPermission(AccessController.java:427)
at java.lang.SecurityManager.checkPermission(SecurityManager.java:532)
at java.lang.SecurityManager.checkPropertyAccess(SecurityManager.java:1285)
at java.lang.System.getProperty(System.java:628)
at com.tm.tests.GetSystemPropertyTest.test(GetSystemPropertyTest.java:11)
at com.tm.testTool.SecurityTest.main(SecurityTest.java:56)

The configuration used here disables read access to many of the system properties. This will probably be overly restrictive for many real-world applications.

Calling System.setSecurityManager()

The following code attempts to create and set a foreign Security Manager. This means a Security Manager other than our com.tm.sm.TMSecurityManager.

BadSecurityManager s = new BadSecurityManager();
try {
System.out.println(“SetSecurityManagerTest starting.”);
System.setSecurityManager(s);
} catch (Exception e) {
e.printStackTrace();
}

When executed, the above code receives the following Exception:

java.security.AccessControlException: access denied (java.lang.RuntimePermission createSecurityManager)
at java.security.AccessControlContext.checkPermission(AccessControlContext.java:264)
at java.security.AccessController.checkPermission(AccessController.java:427)
at java.lang.SecurityManager.checkPermission(SecurityManager.java:532)
at java.lang.SecurityManager.(SecurityManager.java:282)
at com.tm.tests.BadSecurityManager.(HostileSecurityManager.java:5)
at com.tm.tests.SetSecurityManagerTest.test(SetSecurityManagerTest.java:10)
at com.tm.testTool.SecurityTest.main(SecurityTest.java:21)

So, it is not possible to allocate and set a new Security Manager, which is what we wanted to accomplish.

In order for the Test Tool to initially set the Security Manager, the custom Security Policy has to grant the permissions

java.lang.RuntimePermission “setSecurityManager”;
java.lang.RuntimePermission “createSecurityManager”;

must be granted to all classes mentioned in the above stack trace.

Opening and reading from a file

The following code will attempt to open and read the file “/bin/ls”:

String path=”/bin/ls”;
try
{
System.out.println(“ReadFileTest starting”);
FileInputStream fis = new FileInputStream(path);
InputStreamReader isr = new InputStreamReader(fis);
BufferedReader br = new BufferedReader(isr);
String line = null;
while( (line = br.readLine()) != null)
{
System.out.println(line);
}
br.close();
isr.close();
fis.close();
}
catch(Exception e)
{
e.printStackTrace();
}

Running this piece of code produces the following Exception:

java.security.AccessControlException: access denied (java.io.FilePermission /bin/ls read)
at java.security.AccessControlContext.checkPermission(AccessControlContext.java:264)
at java.security.AccessController.checkPermission(AccessController.java:427)
at java.lang.SecurityManager.checkPermission(SecurityManager.java:532)
at java.lang.SecurityManager.checkRead(SecurityManager.java:871)
at java.io.FileInputStream.(FileInputStream.java:100)
at java.io.FileInputStream.(FileInputStream.java:66)
at com.tm.tests.ReadFileTest.test(ReadFileTest.java:20)
at com.tm.testTool.SecurityTest.main(SecurityTest.java:113)

Opening and writing to a file

The following code will attempt to open and write to “/tmp/tester”:

String path = “/tmp/tester”;
try
{
System.out.println(“WriteFileTest starting”);
FileOutputStream fos = new FileOutputStream(path);
OutputStreamWriter osw = new OutputStreamWriter(fos);
BufferedWriter bw = new BufferedWriter(osw);
String line = null;
osw.write(“tester”,0,6);
bw.close();
osw.close();
fos.close();
}
catch(Exception e)
{
e.printStackTrace();
}
}

Running this code in our JVM produces the following Exception:

java.security.AccessControlException: access denied (java.io.FilePermission /tmp/tester write)
at java.security.AccessControlContext.checkPermission(AccessControlContext.java:264)
at java.security.AccessController.checkPermission(AccessController.java:427)
at java.lang.SecurityManager.checkPermission(SecurityManager.java:532)
at java.lang.SecurityManager.checkWrite(SecurityManager.java:962)
at java.io.FileOutputStream.(FileOutputStream.java:169)
at java.io.FileOutputStream.(FileOutputStream.java:70)
at com.tm.tests.WriteFileTest.test(WriteFileTest.java:20)
at com.tm.testTool.SecurityTest.main(SecurityTest.java:119)

Troubleshooting Permissions

Debugging permissions with the Security Manager is greatly simplified by adding:

-Djava.security.debug=all

This logs detailed information about permissions that are granted and activities surounding the Security Manager.

More information can be found here.

Closing Thoughts

This article has given an example of a custom Security Manager and Security Policy. It has shown several tests demonstrating various restrictions on Java application code.

Running the Java Security Manager has a significant performance penalty. This will be a factor in chosing to use it.

A J2EE Container such as Websphere ships with a custom Security Manager that greatly expands the capabilities and configuration options available. In a future article, we’ll explore this feature.

References