[jetty-dev] security start up mode for jetty7

All,

I am thinking of adding in a -security mode to the jetty startup
somewhat akin to what I have seen in other places where adding the
option to the cli would trigger jetty to start up with a
SecurityManager and populate it from a default policy file that we
include with the distribution.  I have been working with it a bit and
I think it has merit for environments where we want to control a bit
more the environment jetty is running in.

I toyed with the idea of writing a more custom SecurityManager but I
want to see how far we can go with the basic one and twiddling
permissions.

One thing that has raised an eyebrow is the many different properties
that jetty works with simply on startup and how their format is all
over the board..

// jetty specific properties
        permission java.util.PropertyPermission "DEBUG", "read";
        permission java.util.PropertyPermission "START", "read";
        permission java.util.PropertyPermission "VERBOSE", "read";
        permission java.util.PropertyPermission "STOP.PORT", "read";
        permission java.util.PropertyPermission "STOP.KEY", "read";
        permission java.util.PropertyPermission "IGNORED", "read";
        permission java.util.PropertyPermission "CLASSPATH", "read";
        permission java.util.PropertyPermission "OPTIONS", "read";
        permission java.util.PropertyPermission "JETTY_NO_SHUTDOWN_HOOK", "read";
        permission java.util.PropertyPermission "ISO_8859_1", "read";
        permission java.util.PropertyPermission "jetty.home", "read, write";
        permission java.util.PropertyPermission "user.home", "read";
        permission java.util.PropertyPermission "jetty.class.path", "read, write";
        permission java.util.PropertyPermission "java.class.path", "read, write";
        permission java.util.PropertyPermission "repository", "read, write";
        permission java.util.PropertyPermission "jetty.lib", "read";
        permission java.util.PropertyPermission "jetty.server", "read";
        permission java.util.PropertyPermission "jetty.host", "read";
        permission java.util.PropertyPermission "jetty.port", "read";
        permission java.util.PropertyPermission "start.class", "read";
        permission java.util.PropertyPermission "main.class", "read";
        permission java.util.PropertyPermission "org.eclipse.jetty.util.log.class", "read";
        permission java.util.PropertyPermission "org.eclipse.jetty.util.URI.charset", "read";
        permission java.util.PropertyPermission "org.eclipse.jetty.util.FileResource.checkAliases", "read";
        permission java.util.PropertyPermission "org.eclipse.jetty.xml.XmlParser.Validating", "read";
        permission java.util.PropertyPermission "org.eclipse.jetty.io.nio.JVMBUG_THRESHHOLD", "read, write";
        permission java.util.PropertyPermission "org.eclipse.jetty.util.TypeUtil.IntegerCacheSize", "read, write";
        permission java.util.PropertyPermission "org.eclipse.jetty.util.TypeUtil.LongCacheSize", "read";

Any thoughts on standardizing the format of the properties that we use
in jetty?  Or making sure that we have reasonable defaults and don't
throw exceptions if we are executing in an environment that is
locking off access from reading these properties?

So, anyone have any issues with my adding in some startup functionality
for enabling a secure startup mode that sets up the security manager,
and taking a stab at standardizing the jetty specific properties to at
least 2 conventions for naming and formatting conventions? :)

I pulled a branch the other day to experiment with some things and I
could do the changes there if we are concerned about doing them on
trunk right now.  I am half tempted to say I should just do that as I
am also pushing towards getting us out of incubation and able to
release an actual 7.0.0 official release in the shortish term...

thoughts?

jesse


--
jesse mcconnell
jesse.mcconnell@xxxxxxxxx

