
Merge pull request #118 from metafacture/addSecurityManager
Add security manager
katauber authored Jun 21, 2023
2 parents 90ec14a + 63884ee commit 626f9c0
Showing 3 changed files with 96 additions and 2 deletions.
7 changes: 7 additions & 0 deletions README.md
Expand Up @@ -51,6 +51,13 @@ $ git clone https://github.com/metafacture/metafacture-playground.git
$ cd metafacture-playground
```

### Move Java policy file

The Metafacture Playground uses the [Java Security Manager](https://docs.oracle.com/javase/tutorial/essential/environment/security.html), so you need to configure proper permissions to run the Metafacture Playground.
Please move `.java.policy_move_to_home_dir` from the project's resources to your user's home directory and remove the suffix '_move_to_home_dir'.
Please adapt in the Java policy the lines concerning the file '.project' like described in the policy.
If there are problems starting and/or running the Playground, to find the problem it may help to add in the project.clj under the key ':jvm-opts' the entry '"-Djava.security.debug=access"' to see if a permission is missing.

### Start in development mode

When using development mode you don't have to restart when changing files. They will be reloaded automatically.
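--- a/resources/.java.policy_move_to_home_dir
+++ b/resources/.java.policy_move_to_home_dir
@@ -0,0 +1,84 @@
+
+// Standard extensions get all permissions by default
+
+grant codeBase "file:${{java.ext.dirs}}/*" {
+permission java.security.AllPermission;
+};
+
+// default permissions granted to all domains
+
+grant {
+// Allows any thread to stop itself using the java.lang.Thread.stop()
+// method that takes no argument.
+// Note that this permission is granted by default only to remain
+// backwards compatible.
+// It is strongly recommended that you either remove this permission
+// from this policy file or further restrict it to code sources
+// that you specify, because Thread.stop() is potentially unsafe.
+// See the API specification of java.lang.Thread.stop() for more
+// information.
+permission java.lang.RuntimePermission "stopThread";
+
+// allows anyone to listen on dynamic ports
+permission java.net.SocketPermission "localhost:0", "listen";
+
+// "standard" properies that can be read by anyone
+
+permission java.util.PropertyPermission "java.version", "read";
+permission java.util.PropertyPermission "java.vendor", "read";
+permission java.util.PropertyPermission "java.vendor.url", "read";
+permission java.util.PropertyPermission "java.class.version", "read";
+permission java.util.PropertyPermission "os.name", "read";
+permission java.util.PropertyPermission "os.version", "read";
+permission java.util.PropertyPermission "os.arch", "read";
+permission java.util.PropertyPermission "file.separator", "read";
+permission java.util.PropertyPermission "path.separator", "read";
+permission java.util.PropertyPermission "line.separator", "read";
+
+permission java.util.PropertyPermission "java.specification.version", "read";
+permission java.util.PropertyPermission "java.specification.vendor", "read";
+permission java.util.PropertyPermission "java.specification.name", "read";
+
+permission java.util.PropertyPermission "java.vm.specification.version", "read";
+permission java.util.PropertyPermission "java.vm.specification.vendor", "read";
+permission java.util.PropertyPermission "java.vm.specification.name", "read";
+permission java.util.PropertyPermission "java.vm.version", "read";
+permission java.util.PropertyPermission "java.vm.vendor", "read";
+permission java.util.PropertyPermission "java.vm.name", "read";
+
+// permissions for metafacture playground
+
+permission java.io.FilePermission "${user.dir}/-", "write, read, delete";
+permission java.io.FilePermission "${java.io.tmpdir}/-", "write, read, delete";
+permission java.io.FilePermission "${user.home}/-", "read";
+
+// Please adapt these paths to all parent paths of your user home directory
+// Some Fix Code searches a .project file to determine an encoding
+// It's no problem when there's no .project file, but it's a problem
+// when there's no access in generell to this file
+permission java.io.FilePermission "/Users/.project", "read";
+permission java.io.FilePermission "/.project", "read";
+
+permission java.util.PropertyPermission "*", "read";
+permission java.util.PropertyPermission "jetty.git.hash", "write";
+
+permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
+
+permission java.lang.RuntimePermission "getenv.*";
+permission java.lang.RuntimePermission "createClassLoader";
+permission java.lang.RuntimePermission "getClassLoader";
+permission java.lang.RuntimePermission "setContextClassLoader";
+permission java.lang.RuntimePermission "getContextClassLoader";
+permission java.lang.RuntimePermission "accessDeclaredMembers";
+permission java.lang.RuntimePermission "accessClassInPackage.sun.misc";
+permission java.lang.RuntimePermission "classLoader";
+permission java.lang.RuntimePermission "accessClassInPackage.jdk.internal.loader";
+
+permission java.lang.management.ManagementPermission "control";
+
+permission java.net.SocketPermission "localhost:1024-", "accept, listen, resolve";
+permission java.net.SocketPermission "*", "accept, connect, resolve";
+};
+
+
+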
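Review bot: The unconditional `grant { ... }` block is wide enough that the manager does not form a meaningful boundary around whatever it is meant to contain: `permission java.util.PropertyPermission "*", "read";` makes every individual PropertyPermission above it redundant, `ReflectPermission "suppressAccessChecks"` together with `RuntimePermission "createClassLoader"` and write access under `${user.dir}/-` and `${java.io.tmpdir}/-` effectively undo the sandbox, and `SocketPermission "*", "accept, connect, resolve"` permits outbound connections to any host. Because the block has no `codeBase`, it applies to every code source, presumably including workflows submitted through the playground (the executing code is not visible in this commit). Each entry under `// permissions for metafacture playground` should carry a comment naming the component that requires it, e.g. `// TODO(review): name the component that needs this grant`, so the list can be tightened later, and the `${user.home}/-` read grant should be narrowed to the directories actually needed rather than the whole home directory. The policy is also only effective on JDKs that still support the Security Manager, which is deprecated for removal since JDK 17 (JEP 411).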
7 changes: 5 additions & 2 deletions src/clj/metafacture_playground/server.clj
Expand Up @@ -3,9 +3,12 @@
[config.core :refer [env]]
[clojure.tools.logging :as log]
[ring.adapter.jetty :refer [run-jetty]])
(:import
(java.lang SecurityManager))
(:gen-class))

(defn -main [& _args]
(let [port (or (env :port) 3000)]
(System/setSecurityManager (new SecurityManager))
(log/info "Start server with port" port)
(run-jetty #'handler {:port port :join? false :request-header-size 65536})))
(run-jetty #'handler {:port port :join? false :request-header-size 65536})))
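Review bot: `(System/setSecurityManager (new SecurityManager))` fails at startup on JDK 18 or later, where the default `java.security.manager=disallow` makes the call throw `UnsupportedOperationException` unless the JVM is started with `-Djava.security.manager=allow` (JEP 411); since the commit pins neither a JDK nor that flag, the server will not come up on a current runtime. Installing the manager from `-main` also leaves the policy location implicit (the user's `~/.java.policy` per the README), so consider enabling it via `:jvm-opts` (`-Djava.security.manager -Djava.security.policy==<path-to-policy>`) instead and logging which policy is in effect next to the existing `log/info` line. At minimum the call deserves a comment, `;; Requires -Djava.security.manager=allow on JDK 18+ (JEP 411); permissions come from ~/.java.policy`, and the idiomatic Clojure constructor form is `(SecurityManager.)`. The enclosing `ns` form starts outside the hunk.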
