
I am trying to load multiple policy configuration files into the Java security manager, one per tenant. As the Java security tutorial specifies, it is possible to load multiple policy files into the policy object, but my requirement is this: how can I specify which policy file has to be loaded for which user at run time in my multi-tenant security model, which extends the default security model?

ChaaminiM
  • Why do you want to have separate security managers? Wouldn't a single security manager that handles separate code sources differently be sufficient? – Joachim Sauer Jun 19 '12 at 12:29
  • No, I want to have a single security manager. A Multi-Tenant Security manager which actually extends the already implemented Security Manager. As you said it will be sufficient if it handles separate code sources differently. But the problem I encounter is I couldn't specify the logic on how to use it differently for each tenant (Which one to be loaded in to the security Manager for different tenants) – ChaaminiM Jun 19 '12 at 13:05
  • You can specify permissions based upon codeBase. However, if you can use separate processes and OS security, I'd strongly recommend that. – Tom Hawtin - tackline Jun 20 '12 at 17:03

2 Answers


This sounds a bit scary. If at all possible, I would use a different VM for each tenant. If you can't do that, you probably want to use Policy.setPolicy. You will need a custom implementation of Policy that is basically a wrapper around multiple policies. It probably would have to consult some ThreadLocal variable to see which user context applies for the current thread and then delegate to the appropriate wrapped Policy implementation. To read the policy files, you will probably have to reference the Sun security provider directly. Don't forget to disallow reflection by default or your policy logic will be trivial to circumvent.

John Watts
  • Thanks for the suggestion, I will try it out. "Don't forget to disallow reflection by default or your policy logic will be trivial to circumvent" Can you elaborate more on this point? – ChaaminiM Jun 19 '12 at 13:50
  • You are using a security manager to make sure the code can't do certain things. But reflection lets you do almost anything including violating assumptions that the security manager relies on. Imagine if a reflection call directly modified a private variable, going around the access check in the public method. When I said "by default" I meant start by disabling reflection. Then allow (whitelist) certain uses as needed. – John Watts Jun 19 '12 at 17:43
  • Really, don't depend on looking up the thread. Applets use ThreadGroup, but there's a lot of hackery and non-public interfaces. / I'd certainly take a process per tenant if at all possible. – Tom Hawtin - tackline Jun 20 '12 at 17:02
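The delegating `Policy` the answer sketches, as an added example that is not code from the question or the answer. It loads each policy file through the standard `Policy.getInstance("JavaPolicy", URIParameter)` API instead of referencing Sun's provider class directly, always applies a host policy for the application's own code, chooses the tenant policy from a `ThreadLocal` and fails closed (no tenant bound, no grant) so that threads the tenant spawns, which inherit nothing, get no extra rights; the file paths and the `tenantPolicy.bind` permission name are assumptions of this example.

```java
import java.net.URI;
import java.security.NoSuchAlgorithmException;
import java.security.Permission;
import java.security.Policy;
import java.security.ProtectionDomain;
import java.security.SecurityPermission;
import java.security.URIParameter;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

/** Delegating Policy: the host's policy always applies; the tenant's policy is chosen per thread. */
public final class TenantPolicy extends Policy {
    private static final ThreadLocal<String> CURRENT_TENANT = new ThreadLocal<>();
    private final Policy hostPolicy;   // grants for the hosting application's own code
    private final Map<String, Policy> tenantPolicies = new ConcurrentHashMap<>();

    public TenantPolicy(URI hostPolicyFile) throws NoSuchAlgorithmException {
        hostPolicy = loadPolicyFile(hostPolicyFile);
    }
    /** Standard policy-file syntax via the "JavaPolicy" provider, so no sun.security.* class is referenced. */
    private static Policy loadPolicyFile(URI file) throws NoSuchAlgorithmException {
        return Policy.getInstance("JavaPolicy", new URIParameter(file));
    }
    public void registerTenant(String tenant, URI policyFile) throws NoSuchAlgorithmException {
        tenantPolicies.put(tenant, loadPolicyFile(policyFile));
    }

    /** Only code granted this application-defined permission in host.policy may switch tenant. */
    public static void bindTenant(String tenant) {
        SecurityManager sm = System.getSecurityManager();
        if (sm != null) sm.checkPermission(new SecurityPermission("tenantPolicy.bind"));
        CURRENT_TENANT.set(tenant);
    }
    public static void unbindTenant() { CURRENT_TENANT.remove(); }

    @Override public boolean implies(ProtectionDomain domain, Permission permission) {
        if (hostPolicy.implies(domain, permission)) return true;
        String tenant = CURRENT_TENANT.get();
        Policy p = (tenant == null) ? null : tenantPolicies.get(tenant);
        return p != null && p.implies(domain, permission);  // no tenant bound on this thread: fail closed
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        TenantPolicy policy = new TenantPolicy(URI.create("file:///etc/app/host.policy"));  // assumed paths
        policy.registerTenant("tenant-a", URI.create("file:///etc/app/tenant-a.policy"));
        Policy.setPolicy(policy);
        System.setSecurityManager(new SecurityManager());
        bindTenant("tenant-a");  // the host does this on entry into tenant-a's code and unbinds in a finally
    }
}
```

`SecurityManager` and `Policy` were deprecated for removal in Java 17 (JEP 411) and the security manager can no longer be enabled at all from Java 24 (JEP 486), so the process-per-tenant advice in the comments is the durable option on current JDKs.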

Try to take a look at this blog post. Jens Nordahl describes how to sandbox untrusted plugins, which sounds like what you need.

PS: Sorry for bumping this post, but it is one of the highest on Google.

Tobber