Secure session management in Java web applications

Ahoy there! Gather round me hearties, and let's set our course for the island of Java Security Manager and policy files for fine-grained access control. This place be as mysterious as a map with no 'X', but never fear, we'll navigate these waters together!

First, what's this creature, the Java Security Manager? It be like the ship's quartermaster, keepin' an eye on every crew member (read: Java application) on board, and controlling their permissions. The quartermaster is on a well-deserved shore leave by default (meaning, the Security Manager ain't enabled), but if ye feel the need for some extra discipline, ye can call him back on duty by adding -Djava.security.manager when launching your application. A word of warning before ye sail: the Security Manager has been deprecated for removal since JDK 17 (JEP 411) and can no longer be enabled at all on JDK 24 and later (JEP 486), so this course only works on older ships.

java -Djava.security.manager YourApplication

Now, how does our quartermaster know what each crew member can and can't do? That's where policy files come in. They be like our ship's code, dictating the dos and don'ts for everyone aboard. Here be how ye create one:

Create a file named java.policy (or call it whatever you fancy):

grant codeBase "file:/path/to/your/jars/*" {
    permission java.io.FilePermission "<<ALL FILES>>", "read, write";
    permission java.net.SocketPermission "localhost:1024-", "listen";
};

In the policy file above, we've granted code loaded from those jars permission to read and write every file on the system, and to listen on localhost ports 1024 and above. Mind ye, "<<ALL FILES>>" with read and write be far broader than most crews need; in a real deployment, narrow it to the directories the application actually touches.

Now, let's inform our quartermaster about the new rules. Set the java.security.policy property to the path of your policy file when launching your application (a single = adds your grants on top of the JDK's default java.policy; use == if ye want your file to be the only law aboard):

java -Djava.security.manager -Djava.security.policy=/path/to/your/java.policy YourApplication

With this, our quartermaster's back on duty, armed with a new set of rules, ready to keep the unruly Java applications in check. Ye have now charted the waters of Java Security Manager and policy files! Arrr!
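To see what the quartermaster actually permits under the policy above, here be an added probe program (my own example, not part of the original post). It assumes it is packaged under the hypothetical /path/to/your/jars/ path matched by the codeBase grant and launched with the command shown above; every probe name and path is a constructed sample.

```java
// Added example: probes the installed Security Manager so a policy can be tightened
// before deployment. Assumed launch (paths are constructed samples):
//   java -Djava.security.manager -Djava.security.policy=/path/to/your/java.policy \
//        -cp /path/to/your/jars/probe.jar PolicyProbe
// Runs on JDK 8 through 23; the Security Manager is deprecated for removal since
// JDK 17 (JEP 411) and cannot be enabled on JDK 24+ (JEP 486).
import java.io.FilePermission;
import java.net.SocketPermission;
import java.security.AccessController;
import java.security.Permission;

public class PolicyProbe {

    /** Returns true if the policy in force grants the given permission. */
    static boolean allowed(Permission p) {
        try {
            AccessController.checkPermission(p);
            return true;
        } catch (SecurityException e) { // AccessControlException is a subclass
            return false;
        }
    }

    static void report(String what, Permission p) {
        System.out.printf("%-40s %s%n", what, allowed(p) ? "GRANTED" : "denied");
    }

    public static void main(String[] args) {
        if (System.getSecurityManager() == null) {
            System.out.println("No Security Manager installed; add -Djava.security.manager");
            return;
        }
        // With the sample policy's "<<ALL FILES>>" read,write grant, every file probe
        // below is GRANTED except execute, which the grant never mentions.
        // A least-privilege grant for the same app would instead look like:
        //   permission java.io.FilePermission "/path/to/your/data/-", "read,write";
        //   permission java.net.SocketPermission "localhost:8080", "listen";
        report("write /path/to/your/data/app.log", new FilePermission("/path/to/your/data/app.log", "write"));
        report("read /etc/passwd", new FilePermission("/etc/passwd", "read"));
        report("write /tmp/outside.txt", new FilePermission("/tmp/outside.txt", "write"));
        report("execute /bin/sh", new FilePermission("/bin/sh", "execute"));
        report("listen on localhost:8080", new SocketPermission("localhost:8080", "listen"));
        report("listen on localhost:80", new SocketPermission("localhost:80", "listen"));
        report("connect to example.com:443", new SocketPermission("example.com:443", "connect"));
    }
}
```

Run it once with the broad policy and once with the narrowed grant from the comment to watch the "GRANTED" rows shrink to only what the application needs.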