Java Security Only allow certain applications to run on machine

Hi,

I want to stop all java applications except for one particular application to run on a windows 2003 server machine.  

How do I do this?  

Do I create a security policy? How do I do this, what permissions do I set.  

Also, I want the one java application to be able to create and write to a file.  

Thanks for your help.
chillitoenabAsked:
Who is Participating?
 
objectsConnect With a Mentor Commented:
> is that right?

y

> but when you don't use the -Djava.security.manager it doesn't invoke java securiy, so why
> have it for applications at all if the security manager isn't even called every time and the
> security policy isn't checked?

not sure I understand what you mean.

Here's some background on the security manager:
http://java.sun.com/docs/books/tutorial/security1.2/index.html
0
 
objectsCommented:
Not sure you can

why do you need to restrict it?
0
 
chillitoenabAuthor Commented:
I need to run a java application on a server through ASP.  I can't use JSP because it's a Windows IIS server.  This means I need to enable the execute permissions for anonymous web user on the java.exe file.  So this means that any user could run any java application.  I want Java security to stop it.
0
Free Tool: IP Lookup

Get more info about an IP address or domain name, such as organization, abuse contacts and geolocation.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

 
objectsCommented:
> I can't use JSP because it's a Windows IIS server.

You can actually still run a JSP container if you wanted.

> So this means that any user could run any java application.

They shouldn't be able to. How are you running the application?
Your asp should just run the required application.
0
 
chillitoenabAuthor Commented:
You can actually still run a JSP container if you wanted.

> how?

They shouldn't be able to. How are you running the application?
Your asp should just run the required application.

>If they have the permissions and some-how work out where the java.exe is, and say that are able to copy a jar onto the server, why can't they run java applications?
0
 
objectsCommented:
becuase they don't (or shouldn't need to) have access to java.exe.
All the user does is load the asp page, it is the asp page that runs java.exe.
They don't have access to the asp page, they only recieve the resulting html.
This is the same as for jsp.

you can install tomcat for example to run with IIS to handle jsp.
0
 
girionisCommented:
Are we talking about an application or a web application? If it is an application then Tomcat is not of much help. Maybe you want to consider the Java Web Start option: http://java.sun.com/products/javawebstart/download.jsp
0
 
chillitoenabAuthor Commented:
objects,

It is my understanding that when you run an asp page the execution of the page is done either using the role  anonymous web user IUSR_**** or  using the role IWAM_****.  That is if you allowing anonymous access to your pages through IIS.  

Now I have to call this java application, I didn't write it, I have to call it as it is from the ASP page.  If I could install tomcat I wouldn't have a problem at all, I could just use JSP.  But I have strict limitations on what is on the server so I have to work with what I have got.  

The problem is that I have to run the java application on the server from an ASP page. The web server is a microsoft IIS server.  There are a couple of ways to do this, I could use the Microsoft Java virtual machine and call the java class using COM using something like this

http://www.4guysfromrolla.com/webtech/080999-1.shtml and
http://cephas.net/blog/2004/03/15/scripting_in_asp_with_java.html

but then I would have to have the java application compiled using the java virtual machine, even if I had the source the MS JVM only goes up to Java level 1.1 or something, so there could be probelms there.

Another solution would be to call the java application through a batch file either using wscript or a third party component such as ASPEXEC.  The batch file would have to allow the execute permissions which isn't bad.  The bad thing is that to execute the batch file you need to use the cmd.exe file. So I would have to allow anonymous web users to have execute permissions on the cmd.exe file.  This would be bad.  Here is how you execute a batch file from ASP:

http://www.4guysfromrolla.com/webtech/072199-2.shtml


So I thought I could execute the java application directly from the asp page.  To do this I need to allow access to the java.exe file.  So I wanted to set up some security so that only this one java application can run.  To avoid writing all this I just asked the simple question:  

"How do I do stop all java applications except for one particular application from running through java security?"

 
0
 
objectsCommented:
Sorry I still don't follow, the class being run is controlled by the asp and *not* by the user so where exactly is the security risk.
0
 
chillitoenabAuthor Commented:
I'm probably wrong, but I was thinking that if I allowed the anonymous web user executable writes to java.exe then couldn't they execute any java application. I guess I'm assuming that they know the location of java.exe and they would have to be able to upload a malicious java application onto the server first though.  Am I worrying about nothing?
0
 
chillitoenabAuthor Commented:
When the request comes in to executes the ASP script and there hasn't been any authentication like Windows NT challenge response to establish the user as a particular user on your system from a particular domain, then the system assumes that that the person who wants to execute the ASP script is an anonymous user.   The anonymous user is linked to a user role in windows.

Read this about permissions and  executing applications from ASP it might make things clearer:

http://forums.aspfree.com/t34333/s.html?highlight=newb+needs+ASP+help

notice the permissions that they are setting for the anonymous web user.

Also, try this
http://rtfm.atrax.co.uk/infinitemonkeys/articles/iis/983.asp
http://www.kamath.com/tutorials/tut002_iisanon.asp
0
 
objectsCommented:
I think I see your concern, perhaps ask in the IIS TA and see if it is a security risk or not.
0
 
chillitoenabAuthor Commented:
objects since you are the java guru, to invoke the java security manager you go

java -Djava.security.manager <whatever>

is that right?

but when you don't use the -Djava.security.manager it doesn't invoke java securiy, so why have it for applications at all if the security manager isn't even called every time and the security policy isn't checked?
0
 
doronbCommented:
Maybe you can try this:

1) Look through some JNI  tutorial that shows how to LOAD the JVM yourself.

2) Write your own JVM loader, it should have "private" access to java.exe and "public" access from the ASP.

3) Your loader can now check the Java classes invoked and abort any application that's not allowed.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.