<?xml version="1.0" encoding="utf-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>Recent changes to DenyPermissionsForExecutableJar</title><link>https://sourceforge.net/p/pro-grade/wiki/DenyPermissionsForExecutableJar/</link><description>Recent changes to DenyPermissionsForExecutableJar</description><atom:link href="https://sourceforge.net/p/pro-grade/wiki/DenyPermissionsForExecutableJar/feed" rel="self"/><language>en</language><lastBuildDate>Tue, 08 Nov 2016 21:26:27 -0000</lastBuildDate><atom:link href="https://sourceforge.net/p/pro-grade/wiki/DenyPermissionsForExecutableJar/feed" rel="self" type="application/rss+xml"/><item><title>DenyPermissionsForExecutableJar modified by Josef Cacek</title><link>https://sourceforge.net/p/pro-grade/wiki/DenyPermissionsForExecutableJar/</link><description>&lt;div class="markdown_content"&gt;&lt;pre&gt;--- v5
+++ v6
@@ -1,10 +1,8 @@
-# Use policy with deny rule for an executable JAR file
+# Use policy with deny rules for an executable JAR file

 This tutorial shows how to use pro-grade policy with **deny rules**.

-We will start a Jetty web server and use policy file with deny rule to restrict access to the application. The access over the loopback interface (`localhost`) will not be possible, other interfaces should stay working.
-
-*Configuration is described for Linux/Unix systems. Use similar way for Windows.*
+We will start a [Jetty web server](http://www.eclipse.org/jetty/) and use [pro-grade](http://pro-grade.sourceforge.net/pro-grade.html) policy file with deny rules to restrict access to the application. The access from the `localhost` (i.e. loopback) will not be possible. Access for remote clients comming through other network interfaces should stay working.

 ## Prepare

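Review bot: the added paragraph has a typo, "comming" should be "coming", and "The access from the `localhost`" reads better as "Access from `localhost`". This hunk also drops the Linux/Unix note entirely, yet the run command further down the page still joins classpath entries with `:`, which is the Unix separator; keep one sentence telling Windows users to use `;` instead.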
@@ -17,7 +15,7 @@

     java -jar jetty-runner-9.3.14.v20161028.jar .

-If you open now http://localhost:8080/ in your brower, you should see directory listing of the current directory.
+If you open http://localhost:8080/ in your brower, you should see directory listing of the current directory.

 ## Create policy file

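Review bot: the rewritten sentence still carries the misspelling "brower"; since the line is being touched anyway, change it to "browser" and add the missing article ("you should see a directory listing").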
@@ -33,10 +31,11 @@
         permission java.net.SocketPermission "", "accept";
     }

+First rule allows everything to anyone. The second rule removes the `SocketPermission` (for localhost target and `accept` action) from the granted set.

 ## Run jetty with the new policy

-If you want to use pro-grade, you can't use `-jar` parameter as you did in previous step because you need to use classpath parameter which doesn't work together with `-jar`. You could use an uber-jar, but let's keep it simple and do it in a standard way.
+If you want to use pro-grade security manager, you can't use `-jar` parameter as you did in previous step because you need to use classpath parameter which doesn't work together with `-jar`. You could use an uber-jar, but let's keep it simple and do it in a standard way.

 The steps to do are:

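Review bot: the new explanation says the deny rule targets localhost, but the rule in the context above names the host as an empty string (`""`), and nothing on the page says that an empty host stands for localhost. Either write the host out as "localhost" in the rule or add a sentence explaining the empty string. Wording nit in the same added line: "First rule allows everything to anyone" should be "The first rule grants everything to everyone".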
@@ -54,7 +53,7 @@

 If you open/reload http://localhost:8080/ URL again, you should not be able to connect to the jetty server. Exception should appear in the jetty console window.

-You use your public address instead of loopback (localhost), then you should be able to connect to jetty without problem. (e.g. if your public IP is 192.168.1.1, then try to open http://192.168.1.1:8080/)
+Use your public address instead of loopback (localhost) and you should be able to connect to jetty without problem. (e.g. if your public IP is 192.168.1.1, then try to open http://192.168.1.1:8080/)

 ### Jasper issue

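Review bot: the example in the changed sentence calls 192.168.1.1 a "public IP", but that address is in the private 192.168.0.0/16 range; "non-loopback address" describes what the test needs and avoids suggesting the server has to be reachable from the internet. "without problem" also wants a plural ("without problems").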
&lt;/pre&gt;
&lt;/div&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Josef Cacek</dc:creator><pubDate>Tue, 08 Nov 2016 21:26:27 -0000</pubDate><guid>https://sourceforge.netfd6eb9be4500a79dd97e5f16ec38aefade74ca54</guid></item><item><title>DenyPermissionsForExecutableJar modified by Josef Cacek</title><link>https://sourceforge.net/p/pro-grade/wiki/DenyPermissionsForExecutableJar/</link><description>&lt;div class="markdown_content"&gt;&lt;pre&gt;--- v4
+++ v5
@@ -67,29 +67,4 @@
         at org.apache.jasper.compiler.JspRuntimeContext.&amp;lt;init&amp;gt;(JspRuntimeContext.java:115)
         at org.apache.jasper.servlet.JspServlet.init(JspServlet.java:118)
         at org.eclipse.jetty.servlet.ServletHolder.initServlet(ServletHolder.java:640)
-        at org.eclipse.jetty.servlet.ServletHolder.initialize(ServletHolder.java:419)
-        at org.eclipse.jetty.servlet.ServletHandler.initialize(ServletHandler.java:892)
-        at org.eclipse.jetty.servlet.ServletContextHandler.startContext(ServletContextHandler.java:349)
-        at org.eclipse.jetty.webapp.WebAppContext.startWebapp(WebAppContext.java:1404)
-        at org.eclipse.jetty.webapp.WebAppContext.startContext(WebAppContext.java:1366)
-        at org.eclipse.jetty.server.handler.ContextHandler.doStart(ContextHandler.java:778)
-        at org.eclipse.jetty.servlet.ServletContextHandler.doStart(ServletContextHandler.java:262)
-        at org.eclipse.jetty.webapp.WebAppContext.doStart(WebAppContext.java:520)
-        at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:68)
-        at org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:131)
-        at org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:113)
-        at org.eclipse.jetty.server.handler.AbstractHandler.doStart(AbstractHandler.java:61)
-        at org.eclipse.jetty.server.handler.ContextHandlerCollection.doStart(ContextHandlerCollection.java:161)
-        at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:68)
-        at org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:131)
-        at org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:113)
-        at org.eclipse.jetty.server.handler.AbstractHandler.doStart(AbstractHandler.java:61)
-        at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:68)
-        at org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:131)
-        at org.eclipse.jetty.server.Server.start(Server.java:422)
-        at org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:105)
-        at org.eclipse.jetty.server.handler.AbstractHandler.doStart(AbstractHandler.java:61)
-        at org.eclipse.jetty.server.Server.doStart(Server.java:389)
-        at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:68)
-        at org.eclipse.jetty.runner.Runner.run(Runner.java:495)
-        at org.eclipse.jetty.runner.Runner.main(Runner.java:536)
+        ...
&lt;/pre&gt;
&lt;/div&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Josef Cacek</dc:creator><pubDate>Tue, 08 Nov 2016 21:01:40 -0000</pubDate><guid>https://sourceforge.neta61eb7e54676d46557eb14f6ae2c7ede733bcdfa</guid></item><item><title>DenyPermissionsForExecutableJar modified by Josef Cacek</title><link>https://sourceforge.net/p/pro-grade/wiki/DenyPermissionsForExecutableJar/</link><description>&lt;div class="markdown_content"&gt;&lt;pre&gt;--- v3
+++ v4
@@ -2,9 +2,9 @@

 This tutorial shows how to use pro-grade policy with **deny rules**.

-We will start a Jetty web server and using policy file with deny rule, we will restrict access to the application.
+We will start a Jetty web server and use policy file with deny rule to restrict access to the application. The access over the loopback interface (`localhost`) will not be possible, other interfaces should stay working.

-*Configuration is described for Linux/Unix systems. Use similar way for Windows - just edit batch files instead of bash scripts.*
+*Configuration is described for Linux/Unix systems. Use similar way for Windows.*

 ## Prepare

@@ -48,7 +48,7 @@
 Now the command looks like:

     java -Djava.security.manager=net.sourceforge.prograde.sm.ProGradeJSM \
-        -Djava.security.policy==/tmp/deny-localhost.policy \
+        -Djava.security.policy==deny-localhost.policy \
         -cp jetty-runner-9.3.14.v20161028.jar:pro-grade-1.1.1.jar \
         org.eclipse.jetty.runner.Runner .

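Review bot: with the policy path changed to the relative `deny-localhost.policy`, the command only finds the policy when it is started from the folder that holds the file, and the page does not say so. Add a sentence that the command must be run from the test folder (the jar paths in `-cp` have the same requirement). Moving the policy out of `/tmp` is a good change, since `/tmp` is shared with other local users.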
&lt;/pre&gt;
&lt;/div&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Josef Cacek</dc:creator><pubDate>Tue, 08 Nov 2016 21:00:00 -0000</pubDate><guid>https://sourceforge.netd4c0acd9ad68abe8741f4abf028d5e05b9924e22</guid></item><item><title>DenyPermissionsForExecutableJar modified by Josef Cacek</title><link>https://sourceforge.net/p/pro-grade/wiki/DenyPermissionsForExecutableJar/</link><description>&lt;div class="markdown_content"&gt;&lt;pre&gt;--- v2
+++ v3
@@ -9,6 +9,7 @@
 ## Prepare

 Download jetty and pro-grade to a test folder:
+
 * https://repo1.maven.org/maven2/org/eclipse/jetty/jetty-runner/9.3.14.v20161028/jetty-runner-9.3.14.v20161028.jar
 * https://repo1.maven.org/maven2/net/sourceforge/pro-grade/pro-grade/1.1.1/pro-grade-1.1.1.jar

@@ -38,6 +39,7 @@
 If you want to use pro-grade, you can't use `-jar` parameter as you did in previous step because you need to use classpath parameter which doesn't work together with `-jar`. You could use an uber-jar, but let's keep it simple and do it in a standard way.

 The steps to do are:
+
 * provide the main class (the value defined in the JAR in `META-INF/MANIFEST.MF`) on the command line - without `-jar` we don't have it automatically
 * add the original jar to classpath
 * add pro-grade JAR to classpath
&lt;/pre&gt;
&lt;/div&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Josef Cacek</dc:creator><pubDate>Tue, 08 Nov 2016 20:54:31 -0000</pubDate><guid>https://sourceforge.net8c095bfbab840ab8767768a55eee02db7cb7299a</guid></item><item><title>DenyPermissionsForExecutableJar modified by Josef Cacek</title><link>https://sourceforge.net/p/pro-grade/wiki/DenyPermissionsForExecutableJar/</link><description>&lt;div class="markdown_content"&gt;&lt;pre&gt;--- v1
+++ v2
@@ -9,8 +9,8 @@
 ## Prepare

 Download jetty and pro-grade to a test folder:
- * https://repo1.maven.org/maven2/org/eclipse/jetty/jetty-runner/9.3.14.v20161028/jetty-runner-9.3.14.v20161028.jar
- * https://repo1.maven.org/maven2/net/sourceforge/pro-grade/pro-grade/1.1.1/pro-grade-1.1.1.jar
+* https://repo1.maven.org/maven2/org/eclipse/jetty/jetty-runner/9.3.14.v20161028/jetty-runner-9.3.14.v20161028.jar
+* https://repo1.maven.org/maven2/net/sourceforge/pro-grade/pro-grade/1.1.1/pro-grade-1.1.1.jar

 Verify the jetty works by running:

@@ -35,11 +35,15 @@

 ## Run jetty with the new policy

-Now you can't use `-jar` parameter. The steps to do are:
- * provide the main class (the value defined in the JAR in `META-INF/MANIFEST.MF`) on the command line
- * add the original jar to classpath
- * add pro-grade JAR to classpath
- * use pro-grade security manager and the newly created policy
+If you want to use pro-grade, you can't use `-jar` parameter as you did in previous step because you need to use classpath parameter which doesn't work together with `-jar`. You could use an uber-jar, but let's keep it simple and do it in a standard way.
+
+The steps to do are:
+* provide the main class (the value defined in the JAR in `META-INF/MANIFEST.MF`) on the command line - without `-jar` we don't have it automatically
+* add the original jar to classpath
+* add pro-grade JAR to classpath
+* use pro-grade security manager and the newly created policy
+
+Now the command looks like:

     java -Djava.security.manager=net.sourceforge.prograde.sm.ProGradeJSM \
         -Djava.security.policy==/tmp/deny-localhost.policy \
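Review bot: in the added list, the bullets follow "The steps to do are:" with no blank line in between, so Markdown keeps them in the same paragraph instead of rendering a list; insert an empty line before the first `*`. The download list in the preceding hunk has the same problem.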
@@ -48,7 +52,7 @@

 If you open/reload http://localhost:8080/ URL again, you should not be able to connect to the jetty server. Exception should appear in the jetty console window.

-If you use your public address instead of loopback (localhost), then you should be able to connect to jetty without problem. (e.g. if your public IP is 192.168.1.1, then try to open http://192.168.1.1:8080/)
+You use your public address instead of loopback (localhost), then you should be able to connect to jetty without problem. (e.g. if your public IP is 192.168.1.1, then try to open http://192.168.1.1:8080/)

 ### Jasper issue

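Review bot: dropping "If" from the changed sentence leaves it ungrammatical ("You use your public address ..., then you should be able to connect"); either restore "If you use ..." or rephrase as an imperative, "Use your public address ... and you should be able to connect".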
&lt;/pre&gt;
&lt;/div&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Josef Cacek</dc:creator><pubDate>Tue, 08 Nov 2016 20:51:50 -0000</pubDate><guid>https://sourceforge.net31598d279d0adbdeaa5ce1978d3f8be7fd223d59</guid></item><item><title>DenyPermissionsForExecutableJar modified by Josef Cacek</title><link>https://sourceforge.net/p/pro-grade/wiki/DenyPermissionsForExecutableJar/</link><description>&lt;div class="markdown_content"&gt;&lt;h1 id="use-policy-with-deny-rule-for-an-executable-jar-file"&gt;Use policy with deny rule for an executable JAR file&lt;/h1&gt;
&lt;p&gt;This tutorial shows how to use pro-grade policy with &lt;strong&gt;deny rules&lt;/strong&gt;.&lt;/p&gt;
&lt;p&gt;We will start a Jetty web server and use a policy file with a deny rule to restrict access to the application.&lt;/p&gt;
&lt;p&gt;&lt;em&gt;The configuration is described for Linux/Unix systems. The steps are similar on Windows - just edit batch files instead of bash scripts.&lt;/em&gt;&lt;/p&gt;
&lt;h2 id="prepare"&gt;Prepare&lt;/h2&gt;
&lt;p&gt;Download jetty and pro-grade to a test folder:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;a href="https://repo1.maven.org/maven2/org/eclipse/jetty/jetty-runner/9.3.14.v20161028/jetty-runner-9.3.14.v20161028.jar" rel="nofollow"&gt;https://repo1.maven.org/maven2/org/eclipse/jetty/jetty-runner/9.3.14.v20161028/jetty-runner-9.3.14.v20161028.jar&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://repo1.maven.org/maven2/net/sourceforge/pro-grade/pro-grade/1.1.1/pro-grade-1.1.1.jar" rel="nofollow"&gt;https://repo1.maven.org/maven2/net/sourceforge/pro-grade/pro-grade/1.1.1/pro-grade-1.1.1.jar&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;Verify the jetty works by running:&lt;/p&gt;
&lt;div class="codehilite"&gt;&lt;pre&gt;java -jar jetty-runner-9.3.14.v20161028.jar .
&lt;/pre&gt;&lt;/div&gt;


&lt;p&gt;If you now open &lt;a href="http://localhost:8080/" rel="nofollow"&gt;http://localhost:8080/&lt;/a&gt; in your browser, you should see a directory listing of the current directory.&lt;/p&gt;
&lt;h2 id="create-policy-file"&gt;Create policy file&lt;/h2&gt;
&lt;p&gt;Create a text file named &lt;code&gt;deny-localhost.policy&lt;/code&gt; with content:&lt;/p&gt;
&lt;div class="codehilite"&gt;&lt;pre&gt;// Grant all to everyone
grant {
    permission java.security.AllPermission;
};

// Deny access from localhost
// (an empty host string in SocketPermission stands for localhost)
deny {
    permission java.net.SocketPermission "", "accept";
};
&lt;/pre&gt;&lt;/div&gt;


&lt;h2 id="run-jetty-with-the-new-policy"&gt;Run jetty with the new policy&lt;/h2&gt;
&lt;p&gt;Now you can't use the &lt;code&gt;-jar&lt;/code&gt; parameter. The steps are:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;provide the main class (the value defined in the JAR in &lt;code&gt;META-INF/MANIFEST.MF&lt;/code&gt;) on the command line&lt;/li&gt;
&lt;li&gt;add the original jar to the classpath&lt;/li&gt;
&lt;li&gt;add the pro-grade JAR to the classpath&lt;/li&gt;
&lt;li&gt;use the pro-grade security manager and the newly created policy&lt;/li&gt;
&lt;/ul&gt;
&lt;div class="codehilite"&gt;&lt;pre&gt;java -Djava.security.manager=net.sourceforge.prograde.sm.ProGradeJSM \
    -Djava.security.policy==/tmp/deny-localhost.policy \
    -cp jetty-runner-9.3.14.v20161028.jar:pro-grade-1.1.1.jar \
    org.eclipse.jetty.runner.Runner .
&lt;/pre&gt;&lt;/div&gt;


&lt;p&gt;If you open or reload the &lt;a href="http://localhost:8080/" rel="nofollow"&gt;http://localhost:8080/&lt;/a&gt; URL again, you should not be able to connect to the jetty server. An exception should appear in the jetty console window.&lt;/p&gt;
&lt;p&gt;If you use your public address instead of loopback (localhost), then you should be able to connect to jetty without problem. (e.g. if your public IP is 192.168.1.1, then try to open &lt;a href="http://192.168.1.1:8080/" rel="nofollow"&gt;http://192.168.1.1:8080/&lt;/a&gt;)&lt;/p&gt;
&lt;h3 id="jasper-issue"&gt;Jasper issue&lt;/h3&gt;
&lt;p&gt;If you see an exception similar to the following one in the jetty output, don't worry. It's just a Jasper (JSP compiler) issue with handling custom security policies.&lt;/p&gt;
&lt;div class="codehilite"&gt;&lt;pre&gt;&lt;span class="x"&gt;java.lang.SecurityException: attempt to add a Permission to a readonly Permissions object&lt;/span&gt;
&lt;span class="x"&gt;    at java.security.Permissions.add(Permissions.java:126)&lt;/span&gt;
&lt;span class="x"&gt;    at java.security.Policy&lt;/span&gt;&lt;span class="p"&gt;$&lt;/span&gt;&lt;span class="nv"&gt;UnsupportedEmptyCollection&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nv"&gt;add&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="err"&gt;Policy.java:&lt;/span&gt;&lt;span class="m"&gt;827&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt;&lt;span class="x"&gt;&lt;/span&gt;
&lt;span class="x"&gt;    at org.apache.jasper.compiler.JspRuntimeContext.initSecurity(JspRuntimeContext.java:477)&lt;/span&gt;
&lt;span class="x"&gt;    at org.apache.jasper.compiler.JspRuntimeContext.&amp;lt;init&amp;gt;(JspRuntimeContext.java:115)&lt;/span&gt;
&lt;span class="x"&gt;    at org.apache.jasper.servlet.JspServlet.init(JspServlet.java:118)&lt;/span&gt;
&lt;span class="x"&gt;    at org.eclipse.jetty.servlet.ServletHolder.initServlet(ServletHolder.java:640)&lt;/span&gt;
&lt;span class="x"&gt;    at org.eclipse.jetty.servlet.ServletHolder.initialize(ServletHolder.java:419)&lt;/span&gt;
&lt;span class="x"&gt;    at org.eclipse.jetty.servlet.ServletHandler.initialize(ServletHandler.java:892)&lt;/span&gt;
&lt;span class="x"&gt;    at org.eclipse.jetty.servlet.ServletContextHandler.startContext(ServletContextHandler.java:349)&lt;/span&gt;
&lt;span class="x"&gt;    at org.eclipse.jetty.webapp.WebAppContext.startWebapp(WebAppContext.java:1404)&lt;/span&gt;
&lt;span class="x"&gt;    at org.eclipse.jetty.webapp.WebAppContext.startContext(WebAppContext.java:1366)&lt;/span&gt;
&lt;span class="x"&gt;    at org.eclipse.jetty.server.handler.ContextHandler.doStart(ContextHandler.java:778)&lt;/span&gt;
&lt;span class="x"&gt;    at org.eclipse.jetty.servlet.ServletContextHandler.doStart(ServletContextHandler.java:262)&lt;/span&gt;
&lt;span class="x"&gt;    at org.eclipse.jetty.webapp.WebAppContext.doStart(WebAppContext.java:520)&lt;/span&gt;
&lt;span class="x"&gt;    at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:68)&lt;/span&gt;
&lt;span class="x"&gt;    at org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:131)&lt;/span&gt;
&lt;span class="x"&gt;    at org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:113)&lt;/span&gt;
&lt;span class="x"&gt;    at org.eclipse.jetty.server.handler.AbstractHandler.doStart(AbstractHandler.java:61)&lt;/span&gt;
&lt;span class="x"&gt;    at org.eclipse.jetty.server.handler.ContextHandlerCollection.doStart(ContextHandlerCollection.java:161)&lt;/span&gt;
&lt;span class="x"&gt;    at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:68)&lt;/span&gt;
&lt;span class="x"&gt;    at org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:131)&lt;/span&gt;
&lt;span class="x"&gt;    at org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:113)&lt;/span&gt;
&lt;span class="x"&gt;    at org.eclipse.jetty.server.handler.AbstractHandler.doStart(AbstractHandler.java:61)&lt;/span&gt;
&lt;span class="x"&gt;    at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:68)&lt;/span&gt;
&lt;span class="x"&gt;    at org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:131)&lt;/span&gt;
&lt;span class="x"&gt;    at org.eclipse.jetty.server.Server.start(Server.java:422)&lt;/span&gt;
&lt;span class="x"&gt;    at org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:105)&lt;/span&gt;
&lt;span class="x"&gt;    at org.eclipse.jetty.server.handler.AbstractHandler.doStart(AbstractHandler.java:61)&lt;/span&gt;
&lt;span class="x"&gt;    at org.eclipse.jetty.server.Server.doStart(Server.java:389)&lt;/span&gt;
&lt;span class="x"&gt;    at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:68)&lt;/span&gt;
&lt;span class="x"&gt;    at org.eclipse.jetty.runner.Runner.run(Runner.java:495)&lt;/span&gt;
&lt;span class="x"&gt;    at org.eclipse.jetty.runner.Runner.main(Runner.java:536)&lt;/span&gt;
&lt;/pre&gt;&lt;/div&gt;

&lt;/div&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Josef Cacek</dc:creator><pubDate>Tue, 08 Nov 2016 20:40:14 -0000</pubDate><guid>https://sourceforge.net85910ca690b6fbf9ada1318ef5be80837d91c646</guid></item></channel></rss>