Java SecurityManager: Good introduction to policy files


Can you recommend a good introduction to non-trivial policy files for the standard Java SecurityManager?

Are there examples that go beyond what the Java website offers? Or maybe someone describes how to secure a Tomcat that runs a whole bunch of different web applications?

[EDIT] My use case is an application that can run scripts written by three types of users: 1. application developers, 2. application admins and 3. end users.

Users from group 1 need to be able to access almost any resource (= no need for a special SM).

Group #2 can be trusted but we'd like to protect them from silly mistakes (like calling System.exit).

Group #3 can't be trusted. They usually only write small scripts.

When I run a script, I know where it comes from. Will policy files help with my use case or do I need to write my own SecurityManager?


There are 1 answers

mP. On

Have you actually looked at the methods available on SecurityManager?

  • How could it (SecurityManager) possibly answer whether a particular User can do a particular action?
    • It has no way of knowing what the user was attempting (the action).
    • It has no way of knowing what data the user was attempting the operation upon (the thing).

Policy files are only good for resources that need some security constraints that can be expressed within a short text form and won't change while the JVM is running. Stuff like the following:

  • can only read from hardrive/path/to/file.
  • can only read system property X
  • can only open up sockets on ports ...

Your question does not actually say who you wish to test and for what actions they may perform. If you are attempting to protect pages (think URLs) then you might want to consider something like Spring Security which allows you to say stuff like:

  • for url "/crash-computer" only let users in role "nasty" do this
  • only users in role "admin" can access "/admin/*" etc

You will need to add your own custom logic to do stuff like only the user who created the X or a super user can update X.
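
The kinds of rule the answer lists (file reads, system properties, socket ports), written as a policy file keyed on where the question's three script groups are loaded from. This is an added example, not part of the original answer, and every path, host, port and property name in it is an assumption.

```policy
// app.policy: constructed example. All paths, hosts, ports and property
// names below are assumptions chosen for illustration.
// Load with: java -Djava.security.manager -Djava.security.policy=app.policy ...

// The host application itself (assumed to live under /opt/app/lib).
grant codeBase "file:/opt/app/lib/-" {
    permission java.security.AllPermission;
};

// Group 1, application developers: effectively unrestricted.
grant codeBase "file:/opt/app/scripts/dev/-" {
    permission java.security.AllPermission;
};

// Group 2, application admins: broad access to application data, but no
// RuntimePermission "exitVM" is granted, so System.exit() from this code
// throws SecurityException instead of stopping the JVM.
grant codeBase "file:/opt/app/scripts/admin/-" {
    permission java.io.FilePermission "/opt/app/data/-", "read,write,delete";
    permission java.util.PropertyPermission "*", "read";
    permission java.net.SocketPermission "*:1024-65535", "connect,resolve";
};

// Group 3, end users: one readable directory, one readable property,
// one reachable endpoint. Anything not listed is denied.
grant codeBase "file:/opt/app/scripts/user/-" {
    permission java.io.FilePermission "/opt/app/data/public/-", "read";
    permission java.util.PropertyPermission "user.timezone", "read";
    permission java.net.SocketPermission "localhost:8080", "connect,resolve";
};
```

A `codeBase` grant only constrains classes whose class loader reports that location as their code source, so scripts interpreted by an engine inside the host application run with the host's permissions unless they are compiled and loaded from those directories. The Security Manager is deprecated for removal as of Java 17 (JEP 411), which matters when choosing this mechanism for new code.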