- Published on
Secure session management in Java web applications
- Author: Gary Huynh (@huynhthienthach)
Ahoy there! Gather round me hearties, and let's set our course for the island of Java Security Manager and policy files for fine-grained access control. This place be as mysterious as a map with no 'X', but never fear, we'll navigate these waters together!
First, what's this creature, the Java Security Manager? It be like the ship's quartermaster, keepin' an eye on every crew member on board (read: every class in your Java application, judged by the code source it was loaded from) and controlling their permissions. Each time code tries a sensitive operation, be it opening a file, binding a socket, reading a system property or spawning a process, the quartermaster asks the policy whether that code holds the matching permission, and throws a java.security.AccessControlException (a SecurityException) if it doesn't. By default, the quartermaster is on a well-deserved shore leave (meaning, the Security Manager ain't enabled by default), but if ye feel the need for some extra discipline, ye can call him back on duty by adding -Djava.security.manager when launching your application.
One warning before ye weigh anchor: the Security Manager was deprecated for removal in JDK 17 (JEP 411), JDK 18 through 23 print a warning when ye enable it from the command line, and JDK 24 disabled it permanently (JEP 486), so the course charted below holds for JDK 8 through 23. On newer JDKs, keep untrusted code in check with OS-level sandboxing, containers or separate processes instead.
java -Djava.security.manager YourApplication
Now, how does our quartermaster know what each crew member can and can't do? That's where policy files come in. They be like our ship's code, dictating the dos and don'ts for everyone aboard. Without one of your own, the quartermaster sails by the JDK's built-in policy only (conf/security/java.policy, or jre/lib/security/java.policy on JDK 8), which grants application code next to nothing. Here be how ye create one: make a file named java.policy (or call it whatever you fancy):
grant codeBase "file:/path/to/your/jars/*" {
permission java.io.FilePermission "<<ALL FILES>>", "read, write";
permission java.net.SocketPermission "localhost:1024-", "listen";
};
In the above file, we've given code loaded from any jar or class file sitting directly in /path/to/your/jars/ (that's what the trailing * means; use - instead of * if ye also want subdirectories covered) permission to read and write all files, and to listen on any local port from 1024 upwards. Mind ye, "<<ALL FILES>>" with "read, write" is near enough to handing over the keys to the whole ship, so on a real voyage name only the paths the application truly needs (for instance "/var/lib/myapp/-", "read,write") and keep each grant as narrow as the work allows. Code that no grant matches gets only what the JDK's default policy hands out.
Now, let's inform our quartermaster about the new rules. Set the java.security.policy property to the path of your policy file when launching your application. A single = adds your file on top of the JDK's default policy files (the policy.url.n entries in conf/security/java.security); write == instead if ye want your file to be the only law aboard:
java -Djava.security.manager -Djava.security.policy=/path/to/your/java.policy YourApplication
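To see the quartermaster actually ruling on requests, here be an added demo program that is not part of the original post: it runs several privileged operations under the policy shown above and reports which ones the Security Manager lets through. It assumes (hypothetically) that the compiled class is packaged as /path/to/your/jars/policydemo.jar so it falls inside the granted codeBase, that the policy lives at /path/to/your/java.policy, and that /tmp is a writable scratch location; the hostname example.com is used only so the connect check has something to refuse.

```java
import java.net.ServerSocket;
import java.net.Socket;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;

/*
 * Added example, not from the original post. Exercises the policy from the
 * text under the Security Manager (JDK 8 through 23).
 *
 * Assumed (hypothetical) build and launch:
 *   javac PolicyDemo.java && jar cf /path/to/your/jars/policydemo.jar PolicyDemo*.class
 *   java -Djava.security.manager \
 *        -Djava.security.policy=/path/to/your/java.policy \
 *        -cp /path/to/your/jars/policydemo.jar PolicyDemo
 */
public class PolicyDemo {

    /** A privileged operation to try; checked exceptions are allowed. */
    @FunctionalInterface
    interface Action {
        void run() throws Exception;
    }

    /** Runs one action and reports how the Security Manager ruled on it. */
    static String attempt(String label, Action action) {
        try {
            action.run();
            return "ALLOWED  " + label;
        } catch (SecurityException e) {
            // AccessControlException, thrown by a failed policy check, extends SecurityException
            return "DENIED   " + label + " -> " + e.getMessage();
        } catch (Exception e) {
            // Not a policy decision: e.g. file missing, port in use, network unreachable
            return "ERROR    " + label + " -> " + e;
        }
    }

    public static void main(String[] args) {
        if (System.getSecurityManager() == null) {
            System.out.println("No Security Manager installed; every action below will be ALLOWED.");
        }
        Path scratch = Paths.get("/tmp/policy-demo.txt");   // assumed writable scratch file

        // Granted by the policy: FilePermission "<<ALL FILES>>", "read, write"
        System.out.println(attempt("write " + scratch, () ->
            Files.write(scratch, "ahoy".getBytes(StandardCharsets.UTF_8))));
        System.out.println(attempt("read " + scratch, () ->
            Files.readAllBytes(scratch)));

        // Granted: SocketPermission "localhost:1024-", "listen"
        System.out.println(attempt("listen on port 8080", () -> {
            try (ServerSocket ss = new ServerSocket(8080)) { /* bound, then closed */ }
        }));

        // NOT granted: "listen" on a port below 1024 lies outside the 1024- range
        System.out.println(attempt("listen on port 80", () -> {
            try (ServerSocket ss = new ServerSocket(80)) { /* never reached under the policy */ }
        }));

        // NOT granted: the policy carries no "resolve" or "connect" action for any host,
        // so the check fails before a single packet leaves the ship
        System.out.println(attempt("connect to example.com:443", () -> {
            try (Socket s = new Socket("example.com", 443)) { /* never reached under the policy */ }
        }));

        // NOT granted: "execute" is not among the FilePermission actions in the grant
        System.out.println(attempt("exec /usr/bin/id", () ->
            Runtime.getRuntime().exec(new String[] {"/usr/bin/id"})));

        // NOT granted: PropertyPermission "user.home" is neither in the grant
        // nor in the JDK's default policy
        System.out.println(attempt("read system property user.home", () ->
            System.getProperty("user.home")));
    }
}
```

Run it once without -Djava.security.manager and once with it to see the difference: the first run reports ALLOWED (or ERROR, for port 80 as a non-root user) everywhere, the second reports DENIED for the last four actions with the exact missing permission in the message. Then tighten the grant, for example replacing "<<ALL FILES>>" with "/tmp/policy-demo.txt", and confirm that only the operations ye meant to allow still pass.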
With this, our quartermaster's back on duty, armed with a new set of rules, ready to keep the unruly Java applications in check. Should a crew member overstep, ye'll see a java.security.AccessControlException naming the exact permission that was missing; add -Djava.security.debug=access,failure to the command line and the quartermaster will log every failed check, which be the quickest way to discover what a grant still lacks. Ye have now charted the waters of Java Security Manager and policy files! Arrr!