path: root/site/trunk/site-publish/running-tuscany-with-java-2-security-enabled.html
blob: 01e32c98bf876975316e81c27c021ba5088593f9 (plain)
<!--

    Licensed to the Apache Software Foundation (ASF) under one or more
    contributor license agreements.  See the NOTICE file distributed with
    this work for additional information regarding copyright ownership.
    The ASF licenses this file to You under the Apache License, Version 2.0
    (the "License"); you may not use this file except in compliance with
    the License.  You may obtain a copy of the License at

       http://www.apache.org/licenses/LICENSE-2.0

    Unless required by applicable law or agreed to in writing, software
    distributed under the License is distributed on an "AS IS" BASIS,
    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    See the License for the specific language governing permissions and
    limitations under the License.
-->


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<HTML>
    <HEAD>
		<!-- generateKeywords macro -->
	    <META name="description" content="Apache Tuscany">
        <META name="keywords" content="apache, apache tuscany, tuscany, service, services, fabric, soa, service oriented architecture,  sca, service component architecture, das, sdo, csa, ruby, opensource">
		<!-- generateKeywords macro end -->
		
        <LINK type="text/css" rel="stylesheet" href="http://tuscany.apache.org/stylesheets/default.css">
        <LINK rel="SHORTCUT ICON" href="https://cwiki.apache.org/confluence/display/TUSCANY/$images/favicon.ico">   
        <TITLE>Apache Tuscany : Running Tuscany with Java 2 Security Enabled</TITLE>
    <META http-equiv="Content-Type" content="text/html;charset=UTF-8"></HEAD>
    
    <BODY onload="init()">
        <!-- topNav macro -->
		<TABLE valign="top" border="0" cellspacing="0" cellpadding="0" width="100%" background="http://tuscany.apache.org/images/TuscanyLogoNEW_Text_120px_bg.jpg">
			<TR>
				<TD valing="top" align="left">
					<A href="https://cwiki.apache.org/confluence/pages/viewpage.action?spaceKey=TUSCANY&title=$siteroot"><IMG src="http://tuscany.apache.org/images/TuscanyLogoNEW_Text_120px_bg.jpg" height="91" width="25" border="0"></A>
				</TD>
				<TD>
					<A href="http://tuscany.apache.org/"><IMG src="http://tuscany.apache.org/images/TuscanyLogo.jpg" border="0"></A>
				</TD>
				
				<TD width="100%">
					&nbsp;
				</TD>


			</TR>
		</TABLE>
        <!-- topNav macro end -->



        <TABLE border="0" cellpadding="0" width="100%" bgcolor="#FFFFFF">
            <TR>
                <TD align="left" valign="top">

					<!-- pageContent macro -->
					<DIV id="PageContent">
												
						<DIV class="pagecontent">
							<DIV class="wiki-content">
								<H1><A name="RunningTuscanywithJava2SecurityEnabled-RunningTuscanywithJava2SecurityEnabled"></A>Running Tuscany with Java 2 Security Enabled</H1>
<P><FONT color="blue"> <BR>
<A href="http://vcasmo.com/video/beckerdo/2750" class="external-link" rel="nofollow"><B>Java Security</B></A> is available as a video; use the tuscany passcode.</FONT> </P>

<H2><A name="RunningTuscanywithJava2SecurityEnabled-OverviewofJava2Security"></A>Overview of Java 2 Security</H2>

<P><B>Apache Tuscany</B> promotes the Java 2 security model by allowing one to run Service Component Architecture (SCA) applications in a secured environment. By default, with Java 2 security disabled, Java application code and the Tuscany runtime code base run in an insecure environment with no security manager. This gives the Java application and the Tuscany runtime access to all system resources. The application may read and write all system properties, open and read any system files, and perform all sorts of unprotected actions. All Tuscany code will run unhindered in this environment, and so will all malicious Tuscany users.</P>

<P>With Java 2 security enabled, the user contribution to the SCA domain has very tight security restrictions. This ensures that the user SCA application does not introduce mischievous code (for instance with a user-provided custom classloader) or perform unprotected investigations (such as when a user-provided application starts snooping around the file system looking for interesting files). The Tuscany runtime is also forced to abide by these tight security restrictions, but the runtime has been fitted and tested with privileged code that checks for proper access permissions before performing any sensitive operations. Because this privileged code obeys the Java 2 security architecture, the Tuscany runtime acts as a proxy and performs sensitive operations on behalf of the user application.</P>

<P>The purpose of this article is to show how one can run Apache Tuscany and SCA applications in various environments while enabling Java 2 security and ensuring the application is running in a secured environment. Tuscany users, deployers, and administrators should read this article. Runtime developers who want more depth should also proceed to the associated article <A href="security-aware-programming-in-tuscany.html" title="Security Aware Programming in Tuscany">Security Aware Programming in Tuscany</A>.</P>

<H2><A name="RunningTuscanywithJava2SecurityEnabled-EnablingJava2SecurityfromaCommandLine"></A>Enabling Java 2 Security from a Command Line</H2>

<P>The most basic way to run Tuscany applications is from a command line window or shell. You may enable security in this environment by running your Tuscany application with the java.exe <TT>-Djava.security.manager</TT> option on the command line. This enables the default Java security manager which delegates access control decisions to <TT>java.security.AccessController</TT>. The <TT>AccessController</TT> determines access authority for your Java code by consulting the permissions in a <TT>java.security.Policy</TT> class usually specified in the default <TT>security.policy</TT> file.</P>

<P>There is only one <TT>Policy</TT> object installed into a Java runtime at any given time. The default behavior for Java is to load the authorization data from one or more security policy files, but Tuscany users may add to or replace the policy by running with additional policy information on the command line. For instance, <TT>&quot;-Djava.security.manager -Djava.security.policy=tuscany.policy&quot;</TT> will add the permissions in the tuscany.policy file to the default Java permissions. If you specify <TT>&quot;-Djava.security.policy==tuscany.policy&quot;</TT>, you replace the default policy with the permissions specified in the Tuscany policy file. The value of java.security.policy is a URL, which can use any of the legal URL protocols such as file: or http:.</P>

<P>Each policy file will contain a list of grant statements. A grant tells the runtime where the code came from (a URL specifying the code base), who signed the code (a list of signer certificates), and what permissions are given. The permissions can be read/write permissions to the file system, access to system properties, or class loading privileges.<BR>
An example of granting all permissions to an unsigned Tuscany code base is given here:</P>
<DIV class="code panel" style="border-style: solid;border-width: 1px;"><DIV class="codeHeader panelHeader" style="border-bottom-width: 1px;border-bottom-style: solid;"><B>security.policy example</B></DIV><DIV class="codeContent panelContent">
<PRE class="code-java">
grant codeBase <SPAN class="code-quote">&quot;file:${user.home}/tuscany/java/sca/-&quot;</SPAN> {
  permission java.security.AllPermission;
};
</PRE>
</DIV></DIV>
<P>This example grant statement is quite a broad bludgeon: it says that all Tuscany code has been granted all permissions. This may not seem very secure, since it gives every permission to Tuscany; however, it is still a step up from running with no security policy. In this case Tuscany is provided with privileged access, while user applications are not. In practice, a user policy might want much finer-grained permissions for the Tuscany code and allow only specific pieces of the code to have privileged access. An example <A href="running-tuscany-with-java-2-security-enabled.data/tuscany.policy">tuscany.policy</A> is attached to this article.</P>

<P>Notice that the URL in this example supports the substitution of system properties. You can also use other property names such as tuscany.home or whatever property you provide on the command line. Additionally, you may end the URL with '*', which includes all JARs and class files in the current location, or '-', which includes all JARs and class files recursively below this location. Additional information on Java application security architecture and features is given at <A href="http://java.sun.com/javase/6/docs/technotes/guides/security/overview/jsoverview.html" class="external-link" rel="nofollow">Java Security</A>.</P>

<H2><A name="RunningTuscanywithJava2SecurityEnabled-EnablingJava2SecurityUsingMaven"></A>Enabling Java 2 Security Using Maven</H2>

<P>JIRA TUSCANY-2339 allows <B>Maven</B> to run all Tuscany itests and vtests with Java 2 security enabled. To run this Maven profile, you must place a tuscany.policy file in your java.home/lib/security directory (the default location), or set a tuscany.policy.file property to a local file URL, or copy the contents of tuscany.policy to another policy file. As the tuscany.policy file is written, you must have the system properties tuscany.home and maven.repos defined, or you must hard code the location of these code bases.</P>

<P>Run the Tuscany test profile with Maven by naming the security profile explicitly or by providing a tuscany.policy.file property:</P>
<DIV class="code panel" style="border-width: 1px;"><DIV class="codeContent panelContent">
<PRE class="code-java">
mvn test -P security
</PRE>
</DIV></DIV>

<P>or</P>

<DIV class="code panel" style="border-width: 1px;"><DIV class="codeContent panelContent">
<PRE class="code-java">
mvn <SPAN class="code-quote">&quot;-Dtuscany.policy.file=file:///e:/tuscany.policy&quot;</SPAN>
</PRE>
</DIV></DIV>

<P>Here is the addition to the pom.xml file to run with security. You may uncomment or add other modules to perform tests.</P>
<DIV class="code panel" style="border-width: 1px;"><DIV class="codeContent panelContent">
<PRE class="code-java">
        &lt;profile&gt;
            &lt;id&gt;security&lt;/id&gt;
            &lt;modules&gt;
                &lt;!-- &lt;module&gt;demos&lt;/module&gt; --&gt;
                &lt;module&gt;itest&lt;/module&gt;
                &lt;module&gt;vtest&lt;/module&gt;
            &lt;/modules&gt;
            &lt;activation&gt;
                &lt;property&gt;
                    &lt;name&gt;tuscany.policy.file&lt;/name&gt;
                &lt;/property&gt;
            &lt;/activation&gt;
            &lt;properties&gt;
                &lt;tuscany.policy.file&gt;&lt;Your tuscany.policy file location&gt;&lt;/tuscany.policy.file&gt;
            &lt;/properties&gt;
            &lt;build&gt;
                &lt;plugins&gt;
                    &lt;plugin&gt;
                        &lt;groupId&gt;org.apache.maven.plugins&lt;/groupId&gt;
                        &lt;artifactId&gt;maven-surefire-plugin&lt;/artifactId&gt;
                        &lt;version&gt;2.3.1&lt;/version&gt;
                        &lt;configuration&gt;
                            &lt;includes&gt;
                                &lt;include&gt;**/*TestCase.java&lt;/include&gt;
                            &lt;/includes&gt;
                            &lt;reportFormat&gt;brief&lt;/reportFormat&gt;
                            &lt;useFile&gt;<SPAN class="code-keyword">false</SPAN>&lt;/useFile&gt;
                            &lt;forkMode&gt;once&lt;/forkMode&gt;
                            &lt;!-- Place tuscany.policy in your Java home security directory. Alternatively, hardcode the file location here. --&gt;
                            &lt;argLine&gt;-Djava.security.manager -Djava.security.policy=${tuscany.policy.file}
                               -Dpolicy.allowSystemProperty=<SPAN class="code-keyword">true</SPAN> -Djava.security.debug=policy&lt;/argLine&gt;
                        &lt;/configuration&gt;
                    &lt;/plugin&gt;
                &lt;/plugins&gt;         
            &lt;/build&gt;
        &lt;/profile&gt;
</PRE>
</DIV></DIV>

<P>One gotcha in this environment is that the security profile increases the memory requirements of the test run. You may need to increase the Java maximum heap size (<TT>-Xmx1024m</TT>) or set <TT>MAVEN_OPTS=-XX:MaxPermSize=512m</TT> for Maven if you see memory-related errors when you run in this environment.</P>

<H2><A name="RunningTuscanywithJava2SecurityEnabled-EnablingJava2SecurityinEclipse"></A>Enabling Java 2 Security in Eclipse</H2>

<P>Many users import Tuscany projects into <B>Eclipse</B> or another Integrated Development Environment and run or develop applications in this type of environment. Whether you are running your own SCA application, or one of the many Tuscany samples or demos, the process for running with Java 2 security enabled is the same. Your application or sample has build and runtime dependencies on the Tuscany code, and the application is run with a security profile.</P>

<P>Eclipse provides a run dialog that determines how a project is run. For instance, many Tuscany samples are run as Java applications. The Tuscany samples also provide many test cases that may be run in a JUnit test suite. In either case, you specify Java 2 security options in a similar way. You create a 'run' configuration for your type of code (Java application, Java applet, JUnit test case, etc.). The run dialog has an 'Arguments' tab where you can provide Java Virtual Machine options. You provide the Java 2 security options in the 'Program Arguments' text box.</P>

<P>An example of this configuration is shown here:<BR>
<SPAN class="image-wrap" style=""><IMG src="running-tuscany-with-java-2-security-enabled.data/EclipseAppConfig.png" style="border: 0px solid black"></SPAN></P>

<P>There are two small gotchas to be aware of in this environment. First, the location of the policy file is once again a URL. If you specify the policy with no file or http prefix, the default location will be the location of the project in the workspace. So in this example, a simple <B>-Djava.security.policy=tuscany.policy</B> requires a tuscany.policy file in the sample-calculator project in your Eclipse workspace. Since this is a URL, you can put the policy file anywhere in your file system. Secondly, some of the Tuscany demos and samples use privileged code (for example, to load classes dynamically, read system properties, read the file system, or connect to various server sockets). These examples do this to demonstrate various SCA features. However, these applications may throw a security exception because they are not given proper access. In this case you may want to add access for Eclipse or application code. An example is given here:</P>
<DIV class="code panel" style="border-width: 1px;"><DIV class="codeContent panelContent">
<PRE class="code-java">
grant codeBase <SPAN class="code-quote">&quot;file:${eclipse.home}/-&quot;</SPAN> {
  permission java.net.SocketPermission <SPAN class="code-quote">&quot;127.0.0.1:*&quot;</SPAN>, <SPAN class="code-quote">&quot;connect,accept,resolve&quot;</SPAN>;
  permission java.io.FilePermission <SPAN class="code-quote">&quot;&lt;&lt;ALL FILES&gt;&gt;&quot;</SPAN>, <SPAN class="code-quote">&quot;read&quot;</SPAN>;
  permission java.util.PropertyPermission <SPAN class="code-quote">&quot;*&quot;</SPAN>, <SPAN class="code-quote">&quot;read&quot;</SPAN>;  
};
</PRE>
</DIV></DIV>
<P>Grant this access when you are developing in Eclipse. When you are ready to deploy and run these applications in the real world, read the next section on how to run on popular application servers.</P>
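<P>The grant statements from the command-line and Eclipse sections can be checked against a concrete code location before a run. The following Python script is an added example, not part of the Tuscany project or its attached tuscany.policy: it expands <TT>${...}</TT> properties, applies the '*' and '-' codeBase endings, drops entries whose property is undefined (as the Java policy loader does), and flags the three broad grants that appear in this article. The function names, the <TT>/home/dev</TT> and <TT>/opt/eclipse</TT> paths and the third grant entry are assumptions made for illustration, and codeBase matching covers only those two endings plus an exact match.</P>

```python
import re

# Constructed sample: the page's two grant statements plus a third entry
# whose ${tuscany.home} property the caller may leave undefined.
SAMPLE_POLICY = r'''
// the broad grant from the command-line section
grant codeBase "file:${user.home}/tuscany/java/sca/-" {
  permission java.security.AllPermission;
};
grant codeBase "file:${eclipse.home}/-" {
  permission java.net.SocketPermission "127.0.0.1:*", "connect,accept,resolve";
  permission java.io.FilePermission "<<ALL FILES>>", "read";
  permission java.util.PropertyPermission "*", "read";
};
grant codeBase "file:${tuscany.home}/lib/*" {
  permission java.util.PropertyPermission "user.dir", "read";
};
'''

STR_OR_COMMENT = re.compile(r'"[^"]*"|//[^\n]*|/\*.*?\*/', re.S)
# Quoted strings are consumed as units because ${...} puts braces inside them.
GRANT = re.compile(r'\bgrant\b((?:"[^"]*"|[^"{])*)\{((?:"[^"]*"|[^"}])*)\}\s*;')
CODEBASE = re.compile(r'codeBase\s+"([^"]*)"', re.I)
PERM = re.compile(r'\bpermission\s+([\w.$]+)(?:\s+"([^"]*)")?(?:\s*,\s*"([^"]*)")?')
PROP = re.compile(r'\$\{([^}]+)\}')
BROAD = {("java.security.AllPermission", ""), ("java.util.PropertyPermission", "*"),
         ("java.io.FilePermission", "<<ALL FILES>>")}

def expand(value, props):
    """Expand ${name} and ${/}; return None when a property is undefined."""
    missing = []
    def repl(m):
        if m.group(1) == "/":
            return props.get("file.separator", "/")
        if m.group(1) not in props:
            missing.append(m.group(1))
        return props.get(m.group(1), "")
    out = PROP.sub(repl, value)
    return None if missing else out

def codebase_matches(codebase, location):
    """'/-' is recursive, '/*' is one directory, no codeBase means all code."""
    if codebase is None:
        return True
    if codebase.endswith("/-"):
        return location.startswith(codebase[:-1])
    if codebase.endswith("/*"):
        rest = location[len(codebase) - 1:]
        return location.startswith(codebase[:-1]) and "/" not in rest
    return location == codebase

def effective_grants(policy_text, props, location):
    """Return (applied, ignored): permissions reaching `location`, each with a
    broad-grant flag, and entries dropped for an undefined property."""
    keep_strings = lambda m: m.group(0) if m.group(0)[0] == '"' else " "
    applied, ignored = [], []
    for head, body in GRANT.findall(STR_OR_COMMENT.sub(keep_strings, policy_text)):
        cb = CODEBASE.search(head)
        codebase = expand(cb.group(1), props) if cb else None
        if cb and codebase is None:
            ignored.append(cb.group(1))  # the policy loader skips this entry
            continue
        if not codebase_matches(codebase, location):
            continue
        for cls, target, actions in PERM.findall(body):
            target = expand(target, props)
            if target is None:
                ignored.append(cls)
            else:
                applied.append((cls, target, actions, (cls, target) in BROAD))
    return applied, ignored

if __name__ == "__main__":
    props = {"user.home": "/home/dev", "eclipse.home": "/opt/eclipse"}  # assumed values
    print(effective_grants(SAMPLE_POLICY, props, "file:/opt/eclipse/plugins/org.junit.jar"))
```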

<H2><A name="RunningTuscanywithJava2SecurityEnabled-SecurityTipsforPopularApplicationServers"></A>Security Tips for Popular Application Servers</H2>

<P>When Tuscany is run by an application server (whether it be WebSphere, Geronimo, or other), the policy of the application server will form the starting point for Tuscany's security policy. This section gives an overview of the Java 2 security policies of several popular application servers.</P>

<H4><A name="RunningTuscanywithJava2SecurityEnabled-WebSphereApplicationServer"></A>WebSphere Application Server</H4>

<P>There are several different ways to run Tuscany applications on <B>IBM WebSphere Application Server</B>. In any case you may run your Tuscany application as a Java application or a Java Extended Edition application, depending on which container features you need. Obviously if you use web application features you should run in a web server container. If you are using servlet or persistence features you should run in an application server container. You may run your Tuscany application and include any Tuscany runtime prerequisite JARs in the package. Another way is to run your Tuscany application without internal runtime prereqs and use IBM's Service Oriented Architecture Feature Pack (SOA FeP) to provide an SCA runtime. In any case running your application with security enabled will be the same.</P>

<P>WAS provides security policy information in a number of places. First, there are three locations that provide static security policy information that may be changed by a system administrator when installing or configuring a server:</P>
<UL>
	<LI>app_server_root/java/jre/lib/security/java.policy</LI>
	<LI>app_server_root/properties/server.policy</LI>
	<LI>profile_root/config/cells/cell_name/nodes/node_name/app.policy</LI>
</UL>


<P>The first of these files will permanently change the security policy for all users of the system JVM. The second of these files will change the security policy for all servers in this installation. The third file, app.policy, includes policy that applies to all enterprise applications on the node to which the app.policy file belongs. All of these policy files are static and used for general system-wide infrastructure. It is suggested that you use these files with care.</P>

<P>For instance, let's say you wish to allow certain JARs to read system properties on WAS. This would be the entry to add to app.policy:</P>
<DIV class="code panel" style="border-width: 1px;"><DIV class="codeContent panelContent">
<PRE class="code-java">
grant codeBase <SPAN class="code-quote">&quot;file:${application}&quot;</SPAN> {
 permission java.util.PropertyPermission <SPAN class="code-quote">&quot;${was.install.root}${/}profiles${/}AppSrv01${/}installedAssets${/}vtestService.jar${/}1.0${/}vtestService.jar&quot;</SPAN>, <SPAN class="code-quote">&quot;read&quot;</SPAN>;
};
</PRE>
</DIV></DIV>

<P>A final location to provide Java 2 Security is in the was.policy file of the JAR, WAR, or EAR file that you are deploying. This location provides the fine-grained application-level security control, but the permission needs to be granted in each was.policy file for each application deployed on WAS. Additional details on WebSphere security are provided at the <BR>
<A href="http://publib.boulder.ibm.com/infocenter/wasinfo/v6r1/index.jsp?topic=%2Fcom.ibm.websphere.base.doc%2Finfo%2Faes%2Fae%2Fcsec_rsecmgr2.html" class="external-link" rel="nofollow">WAS Info Center</A>.</P>

<H4><A name="RunningTuscanywithJava2SecurityEnabled-ApacheGeronimo"></A>Apache Geronimo</H4>

<P>Running on <B>Apache Geronimo</B> has similar considerations to running on other application servers. A user may choose to run the SCA application as a standalone SCA application with no container requirements, a web application with dependencies on a web server container, or a full blown JEE application with a need for servlets, JSPs, and other application server requirements.</P>

<P>There is a <B>Geronimo</B> plugin that will help with deploying and running a Tuscany application. Additional details are provided in a<BR>
<A href="http://cwiki.apache.org/TUSCANYWIKI/tuscany-geronimo-integration.html" class="external-link" rel="nofollow">Tuscany Geronimo Integration</A> article.</P>

<H2><A name="RunningTuscanywithJava2SecurityEnabled-Conclusion"></A>Conclusion</H2>

<P>This article provides a number of tips for running Java 2 Security with Tuscany in different environments. Feel free to contact the author or add your own environment tips to this article. Comments and corrections are appreciated.</P>
							</DIV>
						</DIV>
					</DIV>	
		            <!-- pageContent macro end -->
					
                </TD>
            </TR>
        </TABLE>

		<!-- footer macro -->

		<DIV class="footer">
			Copyright &copy; 2003-2012, The Apache Software Foundation&nbsp;&nbsp;<BR>
                        Apache Tuscany and the Apache Tuscany project logo are trademarks of The Apache Software Foundation.
		</DIV>
		<!-- footer macro end -->

    </BODY>
</HTML>