Chapter 14. Java Security Manager
- Java Security Manager
- The Java Security Manager is a class that manages the external boundary of the Java Virtual Machine (JVM) sandbox, controlling how code executing within the JVM can interact with resources outside the JVM. When the Java Security Manager is activated the Java API checks with the security manager for approval before executing a wide range of potentially unsafe operations.
- Security Policy
- A set of defined permissions for different classes of code. The Java Security Manager compares actions requested by applications against the security policy. If an action is allowed by the policy, the Security Manager will permit that action to take place. If the action is not allowed by the policy, the Security Manager will deny that action. The security policy can define permissions based on the location of code or on the code's signature.
java.security.manager and java.security.policy.
Security Manager-related options
- java.security.manager
- Use a security manager, optionally specifying which security manager to use. If no argument is supplied with this option, the default JDK security manager, java.lang.SecurityManager, is used. To use another security manager implementation, supply the fully qualified class name of a subclass of java.lang.SecurityManager with this option.
- java.security.policy
- Specifies a policy file to augment or replace the default security policy for the VM. This option takes two forms:
  java.security.policy=policyFileURL
  - The policy file referenced by policyFileURL will augment the default security policy configured by the VM.
  java.security.policy==policyFileURL
  - The policy file referenced by policyFileURL will replace the default security policy configured by the VM.
  The policyFileURL value can be a URL or a file path.
14.1. Using the Security Manager
jboss-as/bin/server.policy.cert is included as a starting point.
The file run.conf (Linux) or run.conf.bat (Windows) is used to configure the Security Manager and security policy. This file is found in the jboss-as/bin directory.
run.conf or run.conf.bat file from jboss-as/bin/ to the server profile (for example: jboss-as/server/production/run.conf), and make the configuration changes there. A configuration file in the server profile takes precedence over the global run.conf / run.conf.bat file when the server profile is started.
Procedure 14.1. Activate the Security Manager
run.conf (Linux), or run.conf.bat (Windows) in the server profile directory, if one exists there, or in jboss-as/bin. Refer to Configuration File for details on the location of this file.
Specify the JBoss home directory
Edit the file run.conf (Linux), or run.conf.bat (Windows). Add the jboss.home.dir option, specifying the path to the jboss-as directory of your installation.
Linux:
    JAVA_OPTS="$JAVA_OPTS -Djboss.home.dir=/path/to/jboss-eap-5.1/jboss-as"
Windows:
    JAVA_OPTS="%JAVA_OPTS% -Djboss.home.dir=c:\path\jboss-eap-5.1\jboss-as"
Specify the server home directory
Add the jboss.server.home.dir option, specifying the path to your server profile.
Linux:
    JAVA_OPTS="$JAVA_OPTS -Djboss.server.home.dir=/path/to/jboss-eap-5.1/jboss-as/server/production"
Windows:
    JAVA_OPTS="%JAVA_OPTS% -Djboss.server.home.dir=c:\path\to\jboss-eap-5.1\jboss-as\server\production"
Specify the Protocol Handler
Add the java.protocol.handler.pkgs option, specifying the JBoss stub handler.
Linux:
    JAVA_OPTS="$JAVA_OPTS -Djava.protocol.handler.pkgs=org.jboss.handlers.stub"
Windows:
    JAVA_OPTS="%JAVA_OPTS% -Djava.protocol.handler.pkgs=org.jboss.handlers.stub"
Specify the security policy to use
Add the $POLICY variable, specifying the security policy to use. Add the variable definition before the line that activates the Security Manager.
Example 14.1. Use the Platform's included security policy
    POLICY="server.policy.cert"
Activate the Security Manager
Uncomment the following line by removing the initial #:
Linux:
    #JAVA_OPTS="$JAVA_OPTS -Djava.security.manager -Djava.security.policy=$POLICY"
Windows:
    #JAVA_OPTS="%JAVA_OPTS% -Djava.security.manager -Djava.security.policy=%POLICY%"
Result: JBoss Enterprise Application Platform is now configured to start with the Security Manager activated.
Optional: Import Red Hat's JBoss signing key
The included security policy grants permissions to JBoss-signed code. If you use the included policy you must import the JBoss signing key to the JDK cacerts key store.
The following command assumes that the environment variable JAVA_HOME is set to the location of a JDK supported by JBoss Enterprise Application Platform 5. You configure JAVA_HOME when you first install JBoss Enterprise Application Platform 5. Refer to the Installation Guide for further information.
Note
To ensure the correct JVM is selected, you can use the alternatives command to select from JDKs installed on your Linux system. Refer to Appendix A, Setting the default JDK with the /usr/sbin/alternatives Utility.
Execute the following command in a terminal, replacing JAVA_HOME with the directory location of your Java installation:
Linux:
    [~]$ sudo JAVA_HOME/bin/keytool -import -alias jboss -file JBossPublicKey.RSA \
        -keystore JAVA_HOME/jre/lib/security/cacerts
Windows:
    C:> JAVA_HOME\bin\keytool -import -alias jboss -file JBossPublicKey.RSA -keystore JAVA_HOME\jre\lib\security\cacerts
Although broken across two lines in this documentation, the commands above should be entered on one single line in a terminal.
Note
The default password for the cacerts key store is changeit.
Result: The key used to sign the JBoss Enterprise Application Platform code is now installed.
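A check to run once the edits from Procedure 14.1 are in place, given here as an added example that is not part of the Red Hat documentation or the JBoss scripts. The hypothetical function audit_java_opts reports whether a JAVA_OPTS string activates the Security Manager, whether the policy is named in the augmenting (=) or replacing (==) form, and which of the three -D options from the procedure are absent; the sample option string is constructed.

```shell
#!/bin/sh
# Added example: audit a JAVA_OPTS string like the one run.conf assembles.
# Prints three findings; exit status is 0 only when the Security Manager is
# on, a policy is named, and the three -D options from the procedure are set.
audit_java_opts() {
    manager=off; mode=none; file=; norm=; missing=
    set -f                                  # split on whitespace, no globbing
    for opt in $1; do
        norm="$norm $opt"
        case $opt in
            -Djava.security.manager|-Djava.security.manager=*)
                manager=on ;;
            -Djava.security.policy==*)      # '==' replaces the default policy
                mode=replace; file=${opt#-Djava.security.policy==} ;;
            -Djava.security.policy=*)       # '='  augments the default policy
                mode=augment; file=${opt#-Djava.security.policy=} ;;
        esac
    done
    set +f
    for prop in jboss.home.dir jboss.server.home.dir java.protocol.handler.pkgs; do
        case $norm in
            *" -D$prop="*) ;;               # option is present
            *) missing="$missing $prop" ;;
        esac
    done
    echo "manager=$manager"
    echo "policy=$mode${file:+:$file}"
    echo "missing=${missing# }"
    [ "$manager" = on ] && [ "$mode" != none ] && [ -z "$missing" ]
}

# Constructed sample: the options Procedure 14.1 adds, with placeholder paths.
SAMPLE_OPTS="-Djboss.home.dir=/path/to/jboss-eap-5.1/jboss-as \
-Djboss.server.home.dir=/path/to/jboss-eap-5.1/jboss-as/server/production \
-Djava.protocol.handler.pkgs=org.jboss.handlers.stub \
-Djava.security.manager -Djava.security.policy=server.policy.cert"
audit_java_opts "$SAMPLE_OPTS" || echo "configuration incomplete"
```

If the activation line in run.conf is still commented out, the same call reports manager=off and policy=none even though the other options are present.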
