
I have a WildFly 23 and want to deploy a service via a WAR file that can run BeanShell scripts. The permissions should be very limited. It is sufficient if data and the script can be passed to the service and thus simple calculations can be executed.

Example: I pass a list of customers as POJOs and a script that returns a list of first names. The WebService should then provide me with the list of first names.

The script should not be able to run Runtime.exec, build connections to URLs or otherwise compromise security. Scripts that run endlessly would be terminated by a hung-task-threshold. All I would need is to set a SecurityManager like on the client, on which I then grant only a few permissions. If I understand correctly, however, this option is currently already deprecated and removed as of WildFly 26. How can I tell the new security-manager subsystem that my web service has only a few permissions?

Thanks!

aynber
Peter

1 Answer


You should create and add a permissions.xml file in the META-INF folder of your war like this:

<permissions xmlns="http://xmlns.jcp.org/xml/ns/javaee"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee
                                 http://xmlns.jcp.org/xml/ns/javaee/permissions_7.xsd"
             version="7">
    <permission>
        <class-name>java.io.FilePermission</class-name>
        <name>*</name>
        <actions>read,write</actions>
    </permission>
</permissions>

and start the server with the security manager on (I think the flag is --secmanager)

ehsavoie
  • Thanks, but as far as I understand, the Flag SECMGR="true" is deprecated. How can I do this in WildFly 26? – Peter Aug 17 '22 at 20:03
  • It's deprecated because the security manager itself is deprecated in Java 17. However, passing `-secmgr` to the start up script or setting the `SECMGR=true` as an environment variable currently still works. – James R. Perkins Aug 17 '22 at 21:55
  • Thanks James I wasn't sure of the flag ;) – ehsavoie Aug 18 '22 at 06:21
  • Thanks, the deprecation from SecurityManager in Java 17 was the crucial clue. – Peter Aug 18 '22 at 08:46
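A permissions.xml written for the asker's actual goal (a WAR that may evaluate BeanShell scripts but must not spawn processes, open network connections or touch the file system) is shown below as an added example; it is neither the answer's file nor anything shipped by WildFly or BeanShell. The two grants it does contain are an assumption: what the BeanShell interpreter really needs for reflective access to the passed-in POJOs has to be confirmed by starting the server with the security manager and reading the AccessControlException messages WildFly logs for denied checks. The security-relevant part is what is absent, because the security manager checks the protection domain of the calling code, and BeanShell classes bundled in the WAR belong to the deployment's domain, so a script holds exactly the permissions the WAR holds.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- META-INF/permissions.xml inside the WAR (added example, not the answer's file). -->
<permissions xmlns="http://xmlns.jcp.org/xml/ns/javaee"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee
                                 http://xmlns.jcp.org/xml/ns/javaee/permissions_7.xsd"
             version="7">

    <!-- ASSUMPTION: the interpreter needs these two to reflect over the customer POJOs.
         Verify against the AccessControlException messages logged when the security
         manager is on; add "createClassLoader" only if the log shows it is required. -->
    <permission>
        <class-name>java.lang.RuntimePermission</class-name>
        <name>accessDeclaredMembers</name>
    </permission>
    <permission>
        <class-name>java.lang.reflect.ReflectPermission</class-name>
        <name>suppressAccessChecks</name>
    </permission>

    <!-- Deliberately NOT granted. A permission that is neither listed here nor in the
         security-manager subsystem's minimum-set is not held, so inside a script:
           Runtime.exec(...)            needs FilePermission "<<ALL FILES>>" "execute"  -> SecurityException
           URL connect / new Socket     needs SocketPermission "host:port" "connect,resolve" -> SecurityException
           new FileInputStream(...)     needs FilePermission "<path>" "read"             -> SecurityException
           System.setSecurityManager()  needs RuntimePermission "setSecurityManager"     -> SecurityException
         The answer's example FilePermission "*" read,write would re-open file access to
         the working directory and is therefore omitted on purpose. -->
</permissions>
```

This file only asks for permissions; the security-manager subsystem in standalone.xml decides what a deployment may be given. Its deployment-permissions element has a minimum-set, granted to every deployment (empty in the stock configuration), and a maximum-set, which caps what a permissions.xml may request (java.security.AllPermission in the stock configuration), so with the defaults a WAR carrying this file holds exactly the two entries above once the server runs with the security manager enabled. WildFly also reads META-INF/jboss-permissions.xml, which takes precedence over permissions.xml when both are present. A quick check after deployment is to pass a script that calls Runtime.exec and confirm the service returns a SecurityException rather than a result.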