First of all, a recommendation for debugging component security:
get your component running standalone before you try running
it in a container. To check whether your component is set to run
standalone or in a container, go back to your ICD (pre-installation).
If the "Shared Container Hint" checkbox is set, clear
it. If you intend to run your component in a container, there
are some additional considerations. Please see the container release
notes for more information about the constraints you need to be
concerned about.
To debug security exceptions in your component, your existing
debugging code may be adequate if you're catching exceptions and
printing stack traces. However, there may be cases where you've
not thought to protect code in a try-catch block, and you don't
get a stack trace. In this case, you'll want to set the "java.security.debug"
property for your component. We recommend the following settings:
"access,failure". (See this
developer page for more information on using java.security.debug).
Note this won't work if your process is running inside a container.
After setting this property, you'll want to re-resolve your component
as described on the previous page. Re-run your component. Inspect
the process log to view security permission access checks. Note
that debugging information is quite verbose and will consume considerable
space in your logs, so remember to turn this property off when
you're done. If you search for "denied", you will find
the violations, which you now can add into your component's security
policy and start the process over again.
Security Limitations
In this release, the Installer will grant your component whatever
permissions it asks for in its security policy. Future releases
will include the concept of a component security template, against
which your component's security policy will be tested and limited.
In this release, the Installer limits FilePermissions as follows
when resolving component security policies: components may only
access their own install directories and the platform temp directory
(defined by the property "java.io.tmpdir"). However,
no hard limits are enforced at this time; violations produce warning messages only.
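
The log-review step from the debugging procedure above, combined with the FilePermission limits just described, as an added example (not Openwings code): it collects the denied permissions from java.security.debug output, merges duplicates into policy entries, and marks FilePermissions that fall outside the install and temp directories. It assumes the quoted denial format printed by current JDKs and POSIX paths; the function names, sample log lines and paths are constructed for illustration.

```python
import posixpath
import re

# Assumed line format: access: access denied ("class" "name" "actions")
DENIED = re.compile(r'access denied \("([^"]+)"(?: "([^"]*)")?(?: "([^"]*)")?\)')

# Constructed sample log; every path and port here is made up for illustration.
SAMPLE_LOG = """\
access: access allowed ("java.util.PropertyPermission" "user.dir" "read")
access: access denied ("java.io.FilePermission" "/opt/example/demo/conf.xml" "read")
access: access denied ("java.io.FilePermission" "/tmp/demo.lock" "write")
access: access denied ("java.io.FilePermission" "/tmp/demo.lock" "delete")
access: access denied ("java.io.FilePermission" "/etc/passwd" "read")
access: access denied ("java.net.SocketPermission" "localhost:4160" "connect,resolve")
access: access denied ("java.lang.RuntimePermission" "exitVM")
"""

def denied_permissions(log_text):
    """Map (class, name) -> merged action list for each denial in the log."""
    perms = {}
    for cls, name, actions in DENIED.findall(log_text):
        acts = perms.setdefault((cls, name), [])
        for a in actions.split(","):
            if a and a not in acts:
                acts.append(a)
    return perms

def outside_allowed(path, allowed_dirs):
    """True if a FilePermission target is not under any allowed directory."""
    p = posixpath.normpath(path.rstrip("-*") or "/")  # drop "/-" and "/*" wildcards
    return not any(p == d or p.startswith(d.rstrip("/") + "/")
                   for d in map(posixpath.normpath, allowed_dirs))

def policy_block(log_text, code_base, allowed_dirs):
    """Return (grant block text, FilePermission paths that need review)."""
    lines, flagged = ['grant codeBase "%s" {' % code_base], []
    for (cls, name), acts in denied_permissions(log_text).items():
        entry = "    permission " + cls + (' "%s"' % name if name else "")
        if acts:
            entry += ', "%s"' % ",".join(acts)
        entry += ";"
        if cls == "java.io.FilePermission" and outside_allowed(name, allowed_dirs):
            flagged.append(name)
            entry += "  // REVIEW: outside install and temp directories"
        lines.append(entry)
    lines.append("};")
    return "\n".join(lines), flagged
```

Entries marked REVIEW are the ones the Installer would warn about, so decide whether the component really needs them before copying them into its security policy.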
When you start a process using the Openwings Container Manager,
the security policy set by the "java.security.policy"
property in the ICD will be enforced on your process, whether
it is running standalone or in a container. If your process is
running in a container, you may run into the additional hardcoded
constraints described in the container release notes.