JAAS without a Security Manager

Can I get JAAS authentication and authorization without using a security manager? The reason I'm asking is I've built an ACL system using JAAS permissions and it appears to work even if I don't specify a security manager (the only command line options are -Djava.security.policy=policy.conf -Djava.security.auth.login.config=login.conf).
All examples and documents I've been able to find have always included a security manager (-Djava.security.manager), so I was surprised to find my system works without specifying one.
-d

Hello,
Just got a question for you. I've noticed in one of your postings that you implemented a permissions framework that reads the settings from a database? I was wondering how you went about it.
We are struggling with a security design we'd like to set up: we got a menuing system that allows a user to start some functionality if he has access to that. Now we want to augment that with more functional permissions instead of just access. We got the JAAS authentication set up; the problem remains where to implement the check/read from the DB of which permissions a user has on a function.
thanks for any info on this!
Wim Van Leuven.

Similar Messages

  • Ensuring applications use a Security Manager

    Is it possible to enable the use of a security manager by default for Java applications?
    I understand that I can enable a security manager by using the -Djava.security.manager command-line option to java and javaw. But to utilise that I need to modify all scripts that call java/javaw, and I need to remember to include it when running all future java applications I acquire.
    These are the possibilities I've looked at:
    1. A configuration file that stores default options to those commands (similar to the ide.cfg in Netbeans). To my knowledge this feature doesn't exist.
    2. A configuration file for specifying default system properties (the -D prefix indicates it's a system property to be passed to the VM). Again, to my knowledge such a feature doesn't exist.
    3. An option in the ${java.home}/lib/java.security "master security properties file" which forces security managers by default. I couldn't find any such option. In fact, I couldn't find any solid documentation about this master security properties file on the Java web site. (The only information I found was about the JAAS extensions to this file).
    Any help will be greatly appreciated.
    There are two further options I would like to try, but they are nontrivial.
    A. Move to a Unix-based platform where the java/javaw commands are likely to be implemented as shell scripts to which the default options can readily be added. Or, if they are not, they can be seamlessly replaced with a shell script. (I would really like to do this, I've tried to make the switch thrice in the past but have so far encountered difficulties).
    B. Build new java.exe and javaw.exe executables that invoke the originals (perhaps renamed to java-unsafe.exe) with the required default options (perhaps even reading the options from a text file a la Netbeans).
    Thanks in advance. Hopefully there is something obvious I've overlooked that does this.
    P.-S. I notice another poster raised this issue last year, but it received no replies. That post can be found here:
    http://forum.java.sun.com/thread.jsp?forum=61&thread=301657

    For those following this thread I've managed to make one step towards ensuring that no Java code is run locally without a Security Manager.
    It's an OS-level solution protecting against code run by double-clicking a jar file. (Admittedly this is not something I do often, but it's a start).
    The OS is Windows 2000 Professional. To add this protection, I performed the following steps.
    1. Choose the 'Tools'|'Folder Options...' menu item from within Windows Explorer.
    2. Within the 'File Types' tab, select the 'JAR' extension and click 'Advanced'.
    3. Click 'New...'.
    4. Type something like 'run with manager' in the 'Action' field. Type cmd.exe /c "java.exe -Djava.security.manager -jar "%1" %* & pause.exe" in the other field. Click OK.
    5. Ensure that this 'run with manager' action is the default. (I believe that the 'Set Default' button is supposed to do this. It did not do so for me. On my setup the default action was always the action with the earliest alphabetically-listed name.)
    sudheesh_j: Do you have any recommendations as to how to contact Sun? Should I post a Feature Request, or is there a list or email address that I should contact?

  • Security Manager and Policy Files

    Hi all,
    I am writing a simple Java RMI application, but understand it won't run without a Security Manager installed and a policy file.
    I think I have installed the security manager using the following in the main() method of my client application:
        System.setSecurityManager(new RMISecurityManager());
    However, I am unsure how to use a policy file with this. I have looked on the internet, but it does not seem to be very well documented.
    Please could you advise me how to create a policy file that will work for my application and where to place it in my application so that my application can use it.
    Any help would be gratefully appreciated
    Thanx
    Aaron

    An RMI application doesn't need a security manager unless you are using the codebase feature.

  • Disabling the Security Manager

    When the J2EE 1.4 reference server is running with the Security Manager disabled the web based admin console stops working (some sort of JACC error), although asadmin seems to work fine. Which leads to a few questions:
    1. Is there a way to disable the Security Manager and use the web console?
    2. Are there other downstream effects to running the server without the Security Manager enabled? What other features can/will fail?
    It's nice to see Sun putting an emphasis on out of the box security, but using the Security Manager is a real pain during development and is overkill for a lot of internal deployments.

    Hi,
    There is no mechanism to disable the SecurityManager in J2EE 1.4. JACC (JSR115) is a new spec that went into 1.4 that allowed for plugging authorization provider in the J2EE. This spec makes it mandatory for us to have the security manager on all the time.
    If you turn off the security manager, the web console should not work properly as it is a web app and has security permissions defined that are interpreted by our JACC provider.
    Downstream effects of running the server with security manager disabled will mean that all checks that we have as part of the server policy will fail, and of course all applications that use authorization checks will fail too.
    We have spent considerable time from this release to improve the performance of the system with the security manager enabled. You should look out for the next release coming out that will have these optimizations.

  • Rmi with security manager not working in netbeans

    Hello, I'm trying to use RMI but get the error java.security.AccessControlException: access denied (java.net.SocketPermission 127.0.0.1:1099 connect,resolve) when I run it in NetBeans. Here is my code:
        public static void main(String[] args) {
            // Install a security manager only if none is already set
            if (System.getSecurityManager() == null) {
                System.setSecurityManager(new SecurityManager());
            }
            try {
                String name = "Compute";
                Compute engine = new ComputeEngine();
                // Export the engine on an anonymous port and bind its stub in the registry
                Compute stub =
                    (Compute) UnicastRemoteObject.exportObject(engine, 0);
                Registry registry = LocateRegistry.getRegistry();
                registry.rebind(name, stub);
                System.out.println("ComputeEngine bound");
            } catch (Exception e) {
                System.err.println("ComputeEngine exception:");
                e.printStackTrace();
            }
        }
    It works if I don't have a security manager, and it works with a security manager if I don't use NetBeans to run it and use the command line. I need to use a security manager because the client code is running in Eclipse and it moans that there is no security manager if I run it without one.
    This is the error I get when running with no security manager:
    java.rmi.UnmarshalException: error unmarshalling return; nested exception is:
         java.lang.ClassNotFoundException: takenoteremote.Compute (no security manager: RMI class loader disabled)
    Please help

    I have sort of got it to work, i took out the security manager and used the code base parameter on the command line, and put my interface into a jar file. I can only get it to work though on the command line, if i run it in netbeans it doesn't find the class in the jar file it needs.
    Any ideas?

  • Cannot assign custom security manager to repository

    Hello,
    I've been following the details on how to implement a read-only security manager (https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/e2ddd63d-0b01-0010-46bb-e092790068cb) and I have run into the following problem:
    After following the instructions for option B in the document (creating a security manager only) and  deploying my project, the new security manager appears in the list of managers on the admin screen (Content Management -> Repository Managers -> Security Manager) but it is not available in the drop down list of security managers for my repository. Without that entry I cannot apply the new security manager to my repository.
    According to the document, the new security manager should be part of this list but it is not even after I've restarted the J2EE engine.
    The document is dated May 2006 so perhaps there have been some changes to the system that are not covered in the document. We are running NW 7.0 SP14.
    Any help in determining why my custom security manager is not part of the security manager drop down list would be appreciated.

    Ok, after much decompiling and inspection of the standard KM security manager implementations I found the answer to my question.
    Basically I found that the security manager tutorial only applies if you plan on using your custom security manager with your own custom repository manager. You cannot apply a security manager created using that document to a standard KM repository manager.
    In my case I want to apply a custom security manager to a standard KM File System Repository. By inspecting the SFSRepositoryManager.cc.xml file I found the following entry:
    <attribute name="securitymgr.ref" type="ref" refType="/cm/repository_managers/security_managers/SecurityManager" mandatory="false" hotReload="true" />
    The refType value defines which security managers are displayed in the drop down list of available Security Managers at runtime for the repository manager. In order to get a custom security manager to be available you must define the cc.xml for your custom security manager so that it extends "SecurityManager" not "SecurityManagerMi" as the tutorial describes.
    Changing the extension means your security manager implementation must also change so that it extends com.sapportals.wcm.repository.manager.AbstractRepositorySubManager and implements com.sapportals.wcm.repository.manager.ISecurityManager.
    Now if only I could figure out how to reward points to myself .....

  • Disable or uninstal HP ProtectTools security manager

    My fingerprint scanner has gone down.
    I assume it is a hardware issue as I have gone through all HP recommendations to get it working at: http://h10025.www1.hp.com/ewfrf/wc/document?cc=us&dlc=en&docname=c02519007&lc=en&jumpid=reg_r1002_us...
    but nothing has worked.
    Anyway, the notebook never leaves my house so it's not an issue. However, every time I turn the notebook on and log in with my password, HP security manager butts in and spends a minute looking for the reader before telling me the biometric authentication service is not working and asks if I would like to continue without it.
    Can I disable this program to speed boot up time as it is not needed in my instance?

    Hi @taliz ,
    To get your issue more exposure I would suggest posting it in the commercial forums since this is a commercial product. You can do this at Commercial Forums.
    Even though this is a commercial product, you could follow these steps, even though I don't recommend this as it is Security Tools.
    Step 1: Click Start, then "All Programs." Select "HP Protect Tools Security Manager" from the list of programs.
    Step 2: Click "Settings." Click the box to the left of the menu. The green check in the box should disappear, which means that the application is disabled.
    Step 3: Close the window and restart the computer.
    Hope this helps you.
    Thanks.

  • Default Administrator password in BI Administration Tool - Security Manager

    Hello all,
    I'm new to OBIEE and have recently been playing around in the BI Administration Tool to create my own repository (.rpd) metadata files from demo DBs. I selected "Manage" -> "Security" to open Security Manager and then set a logging level of 2 on the Administrator user.
    UNFORTUNATELY, there is a default password that apparently gets specified that I didn't notice, so when I closed my repository file and tried to re-open it, it is now challenging me for a password that I didn't set, don't know, and have not been able to find in documentation or posted threads anywhere.
    Has anyone else ever come across this problem before or know the default password? Any help would be greatly appreciated. Thanks guys.

    Guys,
    First, let me thank you all for your quick responses and willingness to give me a hand. It's greatly appreciated. And thanks Ally for noticing the name! Glad you liked it. :)
    Unfortunately, my problem still exists. None of the following passwords worked for me: <blank>, "Administrator", "administrator", or "ADMINISTRATOR".
    Also, I should clarify for the thread that I'm not using Paint.rpd or SH.rpd; I'm creating my own repository from scratch. For those who read this post and have literally 90 seconds to spare, I would ask you to try and recreate this same thing with me and see if it's just me (and if I'm crazy):
    1) Open OBI Administration Tool
    2) DO NOT open an existing repository, create a new one. Name it whatever; mine is the default "Metadata1.rpd"
    3) Don't bother adding any metadata to it, go immediately to "Manage" --> "Security" --> "Users" and open up the Administrator user by double-clicking it.
    4) Notice there is a "Password" and "Confirm Password" value already defined by default! DON'T change it (this is the password in question that I accidentally accepted). Just click the "OK" button without making any changes to that form.
    5) Save, close, and then try to re-open this repository you just created. It should be challenging you for a password now, right? And I bet it will not accept <blank> or any variation of "Administrator".
    Believe me, I know better now in the future to not let this happen. But I can't for the life of me figure out this password that was automatically populated and WHY there would be one there in the first place! I was walking through a lab that told me to open this security setting for Administrator to set a logging level, but it did not mention anything about setting a password. So, I created a repository that I have now magically locked myself out of. :)
    Can anyone else please try to recreate this and let me know if it's just me or not? I am using BI Administration Tool version: 10.1.3.3.2.071217.1900.
    Thanks again guys.

  • Advanced Security manager utility

    Can you use advanced security manager utility with Essbase 5.0.2?

    I used it a long time ago with Essbase 5.0.2 patch 11 without any problem. Try it. Ricky Rahi

  • Cisco Security Manager Local RBAC Authentication Radius assign user role

    Is it possible to use Cisco Security Manager with local RBAC, authenticate the user to Radius and retrieve its role from Radius? Getting the authentication to work isn't the problem, but is it also possible to return the role the user has (i.e. Super Admin) via Radius, without having to create all the users one-by-one in the local CSM database with the correct role?
    Can I use a certain Cisco-AV-Pair attribute to return the user role via Radius?

    I just got asked to look at the same situation by one of our security people.
    We have exactly the same problem but it reports a username of "*****" and we are running CSM 4.7 (upgraded last week)

  • Oracle Enterprise Security Manager

    Hi!
    I have some problems with installing the Oracle Application Server Infrastructure 10g. I need to configure the Oracle Internet Directory. For this I did the following steps:
    1) Install the Oracle Application Server Infrastructure 10g, which includes the OID
    2) For the application server database, configure an Oracle Context through the Net Configuration Assistant
    3) Configure the database for using OID
    4) Create a user in the database that is identified globally
    After that I need to configure an Enterprise User in OID. For this I need Oracle Enterprise Security Manager. But ESM isn't installed with the Oracle Application Server.
    What application includes Oracle Enterprise Security Manager?
    Thanks a lot!

    Without knowing exactly what he is referring to, I can't comment much more.
    What version are you using?
    Data Guard is a very mature feature of Oracle 10g, since it first appeared in Oracle 8i in the form of Standby server.
    Whatever bugs he experienced, he should work with Oracle support to fix them. It could be known bugs that already have a fix, it could be he didn't use the feature correctly and assumes it's a bug, it could be a real undocumented bug.
    Using his own stored procedure to monitor Data Guard is like reinventing the wheel. Actually it's worse, what on earth is he thinking, that he could outsmart the whole Data Guard team of Oracle :D

  • Cisco Security Manager Advice

    Hi,
    I'm looking into Cisco Security Manager. From what I understand you can monitor and manage Cisco security appliances. I'm interested in the monitoring of our Cisco ASAs - specifically, monitoring VPN sessions and their  trending over months at a time and I would like to monitor other Cisco devices on the network for link problems/performance and such - I don't want to use Cisco Security Manager as a management point. Would Cisco Security Manager not be the right tool for this?
    We have SolarWinds and I've heard that you can assign UnDPs(Device Pollers) to devices you want to monitor, including ASAs and these pollers can give you trending for VPN sessions with graphing. I just want to make the most of our budget dollars.
    Any advice?
    Thanks, Pat.

    CSM 4.3 and above can be used to monitor VPN sessions on Cisco ASAs. You can definitely use CSM as a monitoring only solution for ASAs (without using it for management). You can also explicitly disable policy change privileges for all admins so they do not modify stuff by mistake. Note however that CSM is primarily focused on end-to-end management scenarios (including policy change, troubleshooting, reporting, etc). So you may not find all the bells and whistles in CSM for monitoring scenarios that you may find with some of the pure monitoring only solutions.

  • Cisco Security Manager CLI change

    Hi Guys,
    Is there any way to detect a CLI change in Cisco Security Manager without having to manually rediscover policies from CSM?
    Can it be automatic?
    Regards

    Following link may help you
    http://www.cisco.com/en/US/docs/security/security_management/cisco_security_manager/security_manager/3.1/user/guide/defapset.html

  • Deleting multiple devices in Cisco Security Manager

    I imported 200 devices from configuration files in cisco security manager which I need to remove again due to updates in the predeployed configurations...
    Does anyone know how to remove devices without selecting every single one and clicking "delete" or restoring the database? :)
    Thanks!

    Maybe from the common services webpage you could select multiple devices at a time?

  • Security manager: what is it for?

    Like the title says... when the SM is active I have to give explicit authorization for every sensible operation.
    Now, say in my program I want to open a socket: why introduce a security manager and tell it I want to open it? I mean... I need to open this socket, so it's obvious I'll give my OK, and this goes for every sensible operation I'll need to do!
    The final user will have my program and use it: he/she can't modify my code and introduce some other sensible operation, so I guess the security manager is for me, the programmer...
    In the end I feel like I'm building a wall and soon after piercing through it... so why build it in the first place?
    What am I missing??

    The key thing to keep in mind is that the person creating a program and the person running the program, or on whose behalf the program is run, are often not the same.
    Here is a sample flow.
    1. Person A creates a program and, for sensitive operations, invokes the Security Manager (SM).
    2. Person B deploys the program in step 1. They may choose to run it with/without SM depending upon their risk analysis.
    3. Person B deploys a policy for the program that might allow User A some operation, while not allowing the same operation to user B.
    While the default SM and the default Java Policy file is geared towards code source, there is support for subject based policy. Hope this helps.
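
The flow in the reply above, and the opening post's observation that JAAS permission checks still work without -Djava.security.manager, shown as an added example that is not code from any poster. UserPrincipal, AclPermission, InMemoryPolicy, the permission name "reports.read" and the users alice and bob are hypothetical, and the code assumes JDK 8 to 17 (JEP 486 in JDK 24 permanently disables these APIs).

```java
import java.security.*;
import javax.security.auth.Subject;

// Added example; all class, user and permission names are hypothetical.
public class SubjectPolicyDemo {

    // Stand-in for the principal a real LoginModule would attach to the Subject.
    static final class UserPrincipal implements Principal {
        private final String name;
        UserPrincipal(String name) { this.name = name; }
        @Override public String getName() { return name; }
        @Override public boolean equals(Object o) {
            return o instanceof UserPrincipal && ((UserPrincipal) o).name.equals(name);
        }
        @Override public int hashCode() { return name.hashCode(); }
    }

    // Application-defined permission, as in an ACL built on JAAS permissions.
    static final class AclPermission extends BasicPermission {
        AclPermission(String name) { super(name); }
    }

    // Deployer's side (Person B): in-memory stand-in for a policy file entry
    // that grants AclPermission "reports.read" to principal "alice" only.
    static final class InMemoryPolicy extends Policy {
        @Override public boolean implies(ProtectionDomain domain, Permission p) {
            if (!(p instanceof AclPermission)) return false;
            for (Principal who : domain.getPrincipals()) {
                if (who instanceof UserPrincipal
                        && who.getName().equals("alice")
                        && p.getName().equals("reports.read")) {
                    return true;
                }
            }
            return false;
        }
    }

    // Programmer's side (Person A): guard the sensitive operation.
    // AccessController consults the installed Policy whether or not a
    // SecurityManager is set, which is why the check works without one.
    static String readReport() {
        AccessController.checkPermission(new AclPermission("reports.read"));
        return "report contents";
    }

    // Runs readReport() as the given user; true if the policy allowed it.
    static boolean allowed(String user) {
        Subject subject = new Subject();
        subject.getPrincipals().add(new UserPrincipal(user));
        try {
            // A null context means only the subject's principals and this
            // class's own protection domain take part in the decision.
            Subject.doAsPrivileged(subject,
                    (PrivilegedAction<String>) SubjectPolicyDemo::readReport, null);
            return true;
        } catch (AccessControlException denied) {
            return false;
        }
    }

    public static void main(String[] args) {
        Policy.setPolicy(new InMemoryPolicy());
        System.out.println("security manager installed: "
                + (System.getSecurityManager() != null));
        System.out.println("alice allowed: " + allowed("alice"));
        System.out.println("bob allowed:   " + allowed("bob"));
    }
}
```

Without a security manager only explicit AccessController.checkPermission calls like this one are enforced; the JDK's built-in checks on files, sockets and similar resources go through System.getSecurityManager() and are skipped.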
