On 21/03/18 13:45, Christopher Schultz wrote:
> Mark,
>
> On 3/21/18 6:24 AM, Mark Thomas wrote:
>> On 21/03/18 05:32, Christopher Schultz wrote:
>>> All,
>>>
>>> I'm exploring running my application under a SecurityManager
>
>> That's brave.
>
> Honestly, it really shouldn't be.
>
> I'm coming to the conclusion that a SecurityManager can really only
> limit the damage an application can do to the extent that the
> application could already do under normal circumstances.
>
> That sounds idiotic. Let me explain.
>
> In order to prevent the application from making arbitrary network
> connections, I can whitelist those connections that are okay. Fine. I
> get to specify the hostname (e.g. localhost) and port (e.g. 11211)
> that the application is allowed to access.
>
> But since I'm using an exploded WAR file and I don't bother
> packaging-up my application into a single JAR file (i.e. I use .class
> files in WEB-INF/classes like everyone else), I can't limit those
> connections to just my own code.

You can limit permissions to just WEB-INF/classes. There is an example in
catalina.policy in Tomcat 9 at least.

> So, let's say I have an old version of commons-fileupload and my
> application unsafely deserializes an untrusted blob. That means that
> newly-instantiated code running within my application can reach out to
> my memcached server and do whatever it wants. Not great.

Only if you grant the necessary permissions to the commons-fileupload WAR.
Every piece of code in the stack from the call in question until you reach
either the top of the stack or a privileged action has to have the
necessary permission.

> So in order to get the most benefit from the SecurityManager, I have
> to change my application's code (to use PrivilegedActions in places
> where it matters)

Yes. And don't forget to design the public API that can call those
PrivilegedActions in such a way that they can't be abused. Generally, the
usual rules about not trusting provided data.

> and also its packaging, either to a JAR within the
> exploded-WAR, or switch to using a WAR file (which for me wouldn't
> actually be that hard).

I don't believe that is necessary.

> If I wanted to run more than one web application with different
> permissions, this would be an absolute requirement. As it stands, I
> have one webapp per Tomcat instance, so this is less of an issue.
>
> What would be really great is if Tomcat could manage the protection
> domains such that each web application has its own effective policy,
> and wouldn't require the use of PrivilegedActions. I'm not sure if any
> of that is even possible... just thinking like a lazy developer who
> wants to "add security later" -- the impossible dream.

It could never be as fine-grained as PrivilegedActions which are probably
the best solution we have at the moment but it makes adding security later
very hard work.
Mark
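The two points Mark makes (grant the SocketPermission only to the code base under WEB-INF/classes, and expose that privilege through an API that untrusted input cannot steer) can be illustrated together. The following is an added example, not code from the thread or from Tomcat; the policy grant shown in the comment, the package name, the webapp path `myapp` and the `MemcachedGateway` class are all assumptions for illustration.

```java
package com.example.app; // hypothetical package compiled into WEB-INF/classes

import java.io.IOException;
import java.net.InetSocketAddress;
import java.net.Socket;
import java.security.AccessController;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;

/*
 * Assumed catalina.policy fragment (compare with the commented-out example
 * shipped in Tomcat 9's conf/catalina.policy):
 *
 *   grant codeBase "file:${catalina.base}/webapps/myapp/WEB-INF/classes/-" {
 *       permission java.net.SocketPermission "localhost:11211", "connect,resolve";
 *   };
 *
 * Only classes loaded from WEB-INF/classes carry this permission. A library
 * JAR under WEB-INF/lib (for example an old commons-fileupload) does not, so a
 * direct new Socket("localhost", 11211) issued from library code fails the
 * SecurityManager's stack walk with an AccessControlException, even when that
 * library was reached through a deserialization gadget.
 */
public final class MemcachedGateway {

    // Destination is fixed in code: callers cannot supply a host or port, so the
    // privileged block below cannot be repurposed as a connect-anywhere primitive.
    private static final String HOST = "localhost";
    private static final int PORT = 11211;
    private static final int CONNECT_TIMEOUT_MS = 2000;
    private static final int MAX_KEY_LENGTH = 250; // memcached's documented key limit

    private MemcachedGateway() {}

    /**
     * Public entry point used by the rest of the application. Validation happens
     * before the privileged section, following the "don't trust provided data"
     * rule Mark mentions, so tainted input never reaches the privileged frame.
     */
    public static Socket connectForKey(String key) throws IOException {
        validateKey(key);
        return openConnection();
    }

    /** Reject anything that is not a well-formed memcached key. */
    static void validateKey(String key) {
        if (key == null || key.isEmpty() || key.length() > MAX_KEY_LENGTH) {
            throw new IllegalArgumentException("bad key length");
        }
        for (int i = 0; i < key.length(); i++) {
            char c = key.charAt(i);
            // memcached keys may not contain whitespace or control characters
            if (c <= ' ' || c == 0x7f) {
                throw new IllegalArgumentException("illegal character in key");
            }
        }
    }

    private static Socket openConnection() throws IOException {
        try {
            // doPrivileged stops the permission check at this frame: frames above
            // it (servlets, libraries, deserialized gadget code) need no
            // SocketPermission; only this class's protection domain and the JDK
            // frames below it are checked.
            return AccessController.doPrivileged(
                (PrivilegedExceptionAction<Socket>) () -> {
                    Socket s = new Socket();
                    s.connect(new InetSocketAddress(HOST, PORT), CONNECT_TIMEOUT_MS);
                    return s;
                });
        } catch (PrivilegedActionException e) {
            // The action only throws IOException, so the cast is safe.
            throw (IOException) e.getException();
        }
    }
}
```

The check to run after deploying a grant like this is the negative one: with the SecurityManager enabled, code in WEB-INF/lib that tries to open the same socket directly should log an `AccessControlException` for `java.net.SocketPermission "localhost:11211"`, while calls routed through `connectForKey` succeed. If the direct call also succeeds, the grant's `codeBase` is broader than intended (or a catch-all grant elsewhere in the policy applies) and the privileged boundary is not doing anything.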