This tutorial trail discusses how Java security policies are
applied to Openwings components to implement code security. Previous
releases of Openwings (through 0.9.1) ran with a wide-open Java
security policy. Beginning with the 0.9.2 release, each Java component
installed on an Openwings system will need to have its own security
policy.
This tutorial assumes familiarity with Java security principles
in general. We recommend the following resources:
This tutorial also assumes that you are familiar with building
Openwings components. Please see the Developing
Components tutorial trail for more information.
In Openwings, Code Security is implemented by the Install Service
and Container Services. Your component should have a default security
policy that indicates what Java permissions your code should be
granted, and what permissions should be allocated to other components
that use your component's services. This policy does not contain
hardcoded paths but uses the variable notation supported by the
Install Service.
When your component is installed, the Install Service takes your
component's default security policy and performs variable resolution
to turn it into the actual security policy that will be applied
to your component at runtime. This policy file is stored in a
location outside your component's image on the hard drive as a
precaution.
When your component is run, Container Services makes sure that
the component security policy is enforced. The Container Manager
enforces security on standalone Java processes by setting the
java.security.manager and java.security.policy properties. The
Container enforces its own security policy, as well as the component-specific
policy for each process it runs. The Container also has some hardcoded
limitations to protect the integrity of its own data and each
process. These are described in the Container
Release notes.
To configure (or reconfigure) your Openwings components with
a security policy, you will need to do the following:
- Edit your InstallableComponentDescriptorPolicy (ICD)
- Create a security policy file
- Rebuild and re-install your component
- Debug
Next: Editing your ICD
