
Enable securitymanager for Spring and Hibernate

8 January 2011, 18:25, by Emeric Nasi, 5 messages




License : Copyright Emeric Nasi, some rights reserved
This work is licensed under a Creative Commons Attribution 4.0 International License.

I. Tomcat security manager.

The foundation of Java security is enabling the security manager.
The security manager lets you associate a given piece of code (a webapp, a .class, a jar, etc.) with one or more permissions (e.g. write to disk, connect to a remote host, read properties, use reflection).
The complete list can be found here.

The problem with the Java security manager is that, unlike in the C language, security is not at the forefront in the Java world. Most Java developers know nothing about (real) Java security, and it is very difficult to find information on how to set up a security manager policy file.

On a Tomcat application server, the configuration file used by the security manager is $TOMCAT_HOME/conf/catalina.policy.
I suggest you make a copy of this file before editing it, for example on a GNU/Linux system:
cp ${CATALINA_HOME}/conf/catalina.policy ${CATALINA_HOME}/conf/catalina.policy.old

Note: Remember that Tomcat must be started with the -security option to activate the security manager.

You can read more info related to Tomcat security manager here.

II. Permissions for Spring and Hibernate

The Spring and Hibernate frameworks are widely used in modern J2SE and JEE applications. However, it is very difficult to find information answering the question "Which permissions should be granted to Spring or Hibernate?".
That is why I will give you the configurations I successfully tried.
To try the following configuration on Tomcat, edit your catalina.policy file and add the lines below at the end of the file (you do not need to modify the default permissions).

II.1 System properties access

A peculiarity of the Hibernate code obliges us to grant read and write access to all system properties to the Hibernate and Spring jars.


// ---------------- Enable system properties access to spring and hibernate-------------
grant codeBase "file:${catalina.home}/webapps/my_webapp/WEB-INF/lib/spring-X.X.X.jar" {
  permission java.util.PropertyPermission  "*", "read, write";
};
grant codeBase "file:${catalina.home}/webapps/my_webapp/WEB-INF/lib/hibernate-X.X.X.jar" {
  permission java.util.PropertyPermission  "*", "read, write";
};

II.2 Allow dependency injection.

Spring and Hibernate both need two highly sensitive permissions: reflection and runtime access to class members.

Note: Granting reflection permissions to a jar file is not an insignificant act. The reflection "suppressAccessChecks" permission can allow code to access and modify any field in any class of the webapp, even when declared "private static final".



// ---------------- Enable reflection for spring and hibernate ------------

grant codeBase "file:${catalina.home}/webapps/my_webapp/WEB-INF/lib/spring-X.X.X.jar" {
  permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
};
grant codeBase "file:${catalina.home}/webapps/my_webapp/WEB-INF/lib/hibernate-X.X.X.jar" {
  permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
};
grant codeBase "file:${catalina.home}/webapps/my_webapp/WEB-INF/lib/spring-modules-validation-X.X.X.jar" {
  permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
};
grant codeBase "file:${catalina.home}/webapps/my_webapp/WEB-INF/lib/commons-beanutils-X.X.X.jar" {
  permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
};
grant codeBase "file:${catalina.home}/webapps/my_webapp/WEB-INF/lib/commons-digester-X.X.X.jar" {
  permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
};
grant codeBase "file:${catalina.home}/webapps/my_webapp/WEB-INF/lib/commons-validator-X.X.X.jar" {
  permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
};

// ----------------------- Enable reflection and runtime for  implementation packages ---------------------- //
grant codeBase "file:${catalina.home}/webapps/my_webapp/WEB-INF/lib/commons-lang-X.X.X.jar" {
        permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
        permission java.lang.RuntimePermission "accessDeclaredMembers";
};
grant codeBase "file:${catalina.home}/webapps/my_webapp/WEB-INF/lib/<my_webapp_hibernate_layer>-X.X.X.jar" {
        permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
        permission java.lang.RuntimePermission "accessDeclaredMembers";
};

II.3 Allow aspect programming.

 
// ----------------- Grant permission needed for aspectj ---------------------------

grant codeBase "file:${catalina.home}/webapps/my_webapp/WEB-INF/lib/spring-X.X.X.jar" {
        // Access to aspectj properties
        permission java.util.PropertyPermission "org.aspectj.tracing.debug", "read";
        permission java.util.PropertyPermission "org.aspectj.tracing.factory", "read";
        permission java.util.PropertyPermission "org.aspectj.weaver.Dump.exception", "read";
        permission java.util.PropertyPermission "org.aspectj.weaver.Dump.condition", "read";
        permission java.util.PropertyPermission "org.aspectj.dump.directory", "read";
         // Enable some runtime features
        permission java.lang.RuntimePermission "accessDeclaredMembers";
        permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina";
        permission java.lang.RuntimePermission "createClassLoader";
       
};
grant codeBase "file:${catalina.home}/webapps/my_webapp/WEB-INF/lib/aspectjweaver-X.X.X.jar" {
        permission java.util.PropertyPermission "org.aspectj.tracing.debug", "read";
        permission java.util.PropertyPermission "org.aspectj.tracing.factory", "read";
        permission java.util.PropertyPermission "org.aspectj.weaver.Dump.exception", "read";
        permission java.util.PropertyPermission "org.aspectj.weaver.Dump.condition", "read";
        permission java.util.PropertyPermission "org.aspectj.dump.directory", "read";
        // Enable some runtime features
        permission java.lang.RuntimePermission "accessDeclaredMembers";
        permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina";
        permission java.lang.RuntimePermission "createClassLoader";
};

II.4 Enable database connection.

Hibernate is compatible with most databases. To enable the database connection, you need to grant a java.net.SocketPermission to the correct jars for the given host and port.


// ------------- Enable connection to database ----------------------------//

grant codeBase "file:${catalina.home}/webapps/my_webapp/WEB-INF/lib/<jdatabase_driver>-X.X.X.jar" {
        permission java.net.SocketPermission "<database_host>:<database_port>", "connect";
};
grant codeBase "file:${catalina.home}/webapps/my_webapp/WEB-INF/lib/hibernate-X.X.X.jar" {
        permission java.net.SocketPermission "<database_host>:<database_port>", "connect";
};
grant codeBase "file:${catalina.home}/webapps/my_webapp/WEB-INF/lib/commons-dbcp-X.X.X.jar" {
        permission java.net.SocketPermission "<database_host>:<database_port>", "connect";
};
grant codeBase "file:${catalina.home}/webapps/my_webapp/WEB-INF/lib/spring-X.X.X.jar" {
        permission java.net.SocketPermission "<database_host>:<database_port>", "connect";
};
grant codeBase "file:${catalina.home}/webapps/my_webapp/WEB-INF/lib/commons-pool-X.X.X.jar" {
        permission java.net.SocketPermission "<database_host>:<database_port>", "connect";
};
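
The grants in sections II.1 to II.4 name the same jars several times, so the effective permission set of one jar is spread across stanzas. The following added example (not from the original article) merges the stanzas per codeBase and lists the grants a reviewer should be able to justify; the sample policy, its directory-wide grant and the finding texts are constructed for the demonstration.

```python
import re
from collections import defaultdict
# Constructed excerpt shaped like the grants in II.1 to II.3, plus one directory-wide grant.
SAMPLE_POLICY = '''
grant codeBase "file:${catalina.home}/webapps/my_webapp/WEB-INF/lib/spring-X.X.X.jar" {
  permission java.util.PropertyPermission  "*", "read, write";
};
grant codeBase "file:${catalina.home}/webapps/my_webapp/WEB-INF/lib/spring-X.X.X.jar" {
  permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
};
grant codeBase "file:${catalina.home}/webapps/my_webapp/WEB-INF/lib/spring-X.X.X.jar" {
  // Enable some runtime features
  permission java.util.PropertyPermission "org.aspectj.tracing.debug", "read";
  permission java.lang.RuntimePermission "accessDeclaredMembers";
  permission java.lang.RuntimePermission "createClassLoader";
};
grant codeBase "file:${catalina.home}/webapps/my_webapp/-" {
  permission java.lang.RuntimePermission "accessDeclaredMembers";
};
'''

GRANT = re.compile(r'grant\s+codeBase\s+"([^"]+)"\s*\{(.*?)\}\s*;', re.S)
PERM = re.compile(r'permission\s+([\w.$]+)\s*((?:"[^"]*"\s*,?\s*)+);')
SENSITIVE = {  # (permission class, target) -> why a reviewer should look twice
    ("java.util.PropertyPermission", "*"): "rewrites any system property",
    ("java.lang.reflect.ReflectPermission", "suppressAccessChecks"): "reaches private fields",
    ("java.lang.RuntimePermission", "accessDeclaredMembers"): "lists non-public members",
    ("java.lang.RuntimePermission", "createClassLoader"): "defines classes itself",
}

def effective_permissions(policy):
    """Merge every grant stanza into one {codeBase: {(class, target, actions)}} map."""
    policy = re.sub(r'^[ \t]*//.*$', '', policy, flags=re.M)  # whole-line comments only
    merged = defaultdict(set)
    for codebase, body in GRANT.findall(policy):
        for cls, raw in PERM.findall(body):
            args = re.findall(r'"([^"]*)"', raw) + [""]   # pad: actions are optional
            merged[codebase].add((cls, args[0], args[1].replace(" ", "")))
    return dict(merged)

def audit(policy):
    """Return sorted (codeBase, finding) pairs for grants a reviewer should justify."""
    findings = []
    for codebase, perms in effective_permissions(policy).items():
        if codebase.endswith(("/-", "/*")):
            findings.append((codebase, "codeBase covers a directory, not one jar"))
        # Keep permissions without actions, or whose actions include write.
        findings += [(codebase, f"{t}: {SENSITIVE[(c, t)]}")
                     for c, t, a in perms if (c, t) in SENSITIVE and (not a or "write" in a)]
    return sorted(findings)
```
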

III. Finally...

Configuring a security manager is a basic and important part of setting up a secure environment for Java. However, it is not easy at all. When you take on this task, your first job is to find the permissions you need (which is quite easy: just look at the security exception log). Next, you need to find which jar needs which permissions, and this is the difficult part: it requires a careful look at the security exception stack trace and a lot of tests!
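
One way to do the jar-to-permission mapping described above, as an added example that is not part of the original article: it assumes the JVM was started with -Djava.security.debug=access,failure and prints the quoted Java 7+ message format, so each denial is followed by a "domain that failed" line naming the jar. The log lines, the /opt/tomcat path and the database host are constructed.

```python
import re
from collections import defaultdict

# Constructed sample of the debug output described in the lead-in (assumed format).
SAMPLE_LOG = '''\
access: access denied ("java.lang.reflect.ReflectPermission" "suppressAccessChecks")
java.lang.Exception: Stack trace
    at java.lang.Thread.dumpStack(Thread.java:1329)
access: domain that failed ProtectionDomain  (file:/opt/tomcat/webapps/my_webapp/WEB-INF/lib/hibernate-X.X.X.jar <no signer certificates>)
access: access denied ("java.lang.RuntimePermission" "accessDeclaredMembers")
access: domain that failed ProtectionDomain  (file:/opt/tomcat/webapps/my_webapp/WEB-INF/lib/hibernate-X.X.X.jar <no signer certificates>)
access: access denied ("java.net.SocketPermission" "db.example.internal:5432" "connect,resolve")
access: domain that failed ProtectionDomain  (file:/opt/tomcat/webapps/my_webapp/WEB-INF/lib/commons-dbcp-X.X.X.jar <no signer certificates>)
access: access denied ("java.lang.reflect.ReflectPermission" "suppressAccessChecks")
access: domain that failed ProtectionDomain  (file:/opt/tomcat/webapps/my_webapp/WEB-INF/lib/hibernate-X.X.X.jar <no signer certificates>)
'''

DENIED = re.compile(r'access denied \("([^"]+)" "([^"]*)"(?: "([^"]*)")?\)')
DOMAIN = re.compile(r'domain that failed ProtectionDomain\s+\((\S+)')

def grants_from_debug_log(log, catalina_home="/opt/tomcat"):
    """Pair each denial with the code source that failed it: {codeBase: {permission}}."""
    needed, pending = defaultdict(set), None
    for line in log.splitlines():
        denied = DENIED.search(line)
        if denied:
            pending = (denied.group(1), denied.group(2), denied.group(3) or "")
            continue
        domain = DOMAIN.search(line)
        if domain and pending:
            # Rewrite the absolute path into the ${catalina.home} form the policy uses.
            codebase = domain.group(1).replace("file:" + catalina_home,
                                               "file:${catalina.home}", 1)
            needed[codebase].add(pending)   # the set drops repeated denials
            pending = None
    return dict(needed)

def render_policy(needed):
    """Render candidate grant stanzas, one per jar, for review before use."""
    out = []
    for codebase in sorted(needed):
        out.append(f'grant codeBase "{codebase}" {{')
        for cls, name, actions in sorted(needed[codebase]):
            tail = f', "{actions}"' if actions else ""
            out.append(f'  permission {cls} "{name}"{tail};')
        out.append("};")
    return "\n".join(out)
```

Treat the rendered stanzas as candidates to review one by one, since a denial in the log only shows what the code asked for, not that it should be granted.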

I hope this article gives you some hints when you set up your own security manager.


1 Forum posts

  • Security manager is a nightmare; this article is very helpful.
    Problem is Spring 2 is now deprecated. It would be interesting to have the security permissions for Spring 3.


    • Hi,
      I am using Hibernate 3.3.
      My problem is that I used Hibernate in my JSP pages.
      So if I give permission to only my JSP page, it's not working. This code works properly:

      grant codeBase "file:${catalina.home}/webapps/myapp/*" {
        permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
        permission java.lang.RuntimePermission "accessDeclaredMembers";
      };

      But I don't want to grant this permission to all pages. I only want to grant this to my JSP page. But when I set the codeBase to my JSP page, I receive the error: can not initialize tuplizer. I use this code:

      grant codeBase "file:${catalina.home}/webapps/tajan/fa/index.jsp" {
        permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
        permission java.lang.RuntimePermission "accessDeclaredMembers";
      };

      Can anyone help me please?

    • Hi,
      You could give those permissions to the JSP folder and maybe the folder containing your .class files. Also, all the jars involved need to have the permissions.

      The best is to look at your security error stack trace and find all the jars that are listed (except the Java and Catalina native jars, which already have the permissions in the default catalina.policy file).

    • I tested giving permissions to JSP pages, to jar files and to all classes, but I received the same error.
      But when I grant permission to my project root folder, it works properly.

      This is the code that works:

      grant codeBase "file:${catalina.home}/webapps/myApp" {
        permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
        permission java.lang.RuntimePermission "accessDeclaredMembers";
      };

      What is the problem? I read this in a PDF file: You can give a web application additional permissions by creating a grant for its web application directory!

      Is this the cause of my problem? What exactly does this mean?

      Thanks a lot for your attention.

    • I think that the only way to grant permission to JSP pages is to grant this to your webapp root folder!

      Like this:

      grant codeBase "file:${catalina.home}/webapps/myApp"

      Can you please guide me to grant permission to a specific JSP page?

      If I only give permission to a JSP page's address, it will not work.
