
Java Security Only allow certain applications to run on machine

Posted on 2004-08-25
Last Modified: 2010-03-31
Hi,

I want to stop all java applications except for one particular application to run on a windows 2003 server machine.  

How do I do this?  

Do I create a security policy? How do I do this, what permissions do I set.  

Also, I want the one java application to be able to create and write to a file.  

Thanks for your help.
Question by:chillitoenab
 
LVL 92

Expert Comment

by:objects
ID: 11898492
Not sure you can

why do you need to restrict it?
0
 

Author Comment

by:chillitoenab
ID: 11898610
I need to run a java application on a server through ASP.  I can't use JSP because it's a Windows IIS server.  This means I need to enable the execute permissions for anonymous web user on the java.exe file.  So this means that any user could run any java application.  I want Java security to stop it.
0
 
LVL 92

Expert Comment

by:objects
ID: 11898634
> I can't use JSP because it's a Windows IIS server.

You can actually still run a JSP container if you wanted.

> So this means that any user could run any java application.

They shouldn't be able to. How are you running the application?
Your asp should just run the required application.
0

 

Author Comment

by:chillitoenab
ID: 11899647
You can actually still run a JSP container if you wanted.

> how?

They shouldn't be able to. How are you running the application?
Your asp should just run the required application.

>If they have the permissions and somehow work out where the java.exe is, and say they are able to copy a jar onto the server, why can't they run java applications?
0
 
LVL 92

Expert Comment

by:objects
ID: 11899680
because they don't (or shouldn't need to) have access to java.exe.
All the user does is load the asp page, it is the asp page that runs java.exe.
They don't have access to the asp page, they only receive the resulting html.
This is the same as for jsp.

you can install tomcat for example to run with IIS to handle jsp.
0
 
LVL 35

Expert Comment

by:girionis
ID: 11900121
Are we talking about an application or a web application? If it is an application then Tomcat is not of much help. Maybe you want to consider the Java Web Start option: http://java.sun.com/products/javawebstart/download.jsp
0
 

Author Comment

by:chillitoenab
ID: 11908944
objects,

It is my understanding that when you run an asp page the execution of the page is done either using the role anonymous web user IUSR_**** or using the role IWAM_****.  That is if you are allowing anonymous access to your pages through IIS.

Now I have to call this java application, I didn't write it, I have to call it as it is from the ASP page.  If I could install tomcat I wouldn't have a problem at all, I could just use JSP.  But I have strict limitations on what is on the server so I have to work with what I have got.  

The problem is that I have to run the java application on the server from an ASP page. The web server is a microsoft IIS server.  There are a couple of ways to do this, I could use the Microsoft Java virtual machine and call the java class using COM using something like this

http://www.4guysfromrolla.com/webtech/080999-1.shtml and
http://cephas.net/blog/2004/03/15/scripting_in_asp_with_java.html

but then I would have to have the java application compiled using the java virtual machine, even if I had the source the MS JVM only goes up to Java level 1.1 or something, so there could be problems there.

Another solution would be to call the java application through a batch file either using wscript or a third party component such as ASPEXEC.  The batch file would have to allow the execute permissions which isn't bad.  The bad thing is that to execute the batch file you need to use the cmd.exe file. So I would have to allow anonymous web users to have execute permissions on the cmd.exe file.  This would be bad.  Here is how you execute a batch file from ASP:

http://www.4guysfromrolla.com/webtech/072199-2.shtml


So I thought I could execute the java application directly from the asp page.  To do this I need to allow access to the java.exe file.  So I wanted to set up some security so that only this one java application can run.  To avoid writing all this I just asked the simple question:  

"How do I stop all java applications except for one particular application from running through java security?"

 
0
 
LVL 92

Expert Comment

by:objects
ID: 11908987
Sorry I still don't follow, the class being run is controlled by the asp and *not* by the user so where exactly is the security risk.
0
 

Author Comment

by:chillitoenab
ID: 11909018
I'm probably wrong, but I was thinking that if I allowed the anonymous web user executable writes to java.exe then couldn't they execute any java application. I guess I'm assuming that they know the location of java.exe and they would have to be able to upload a malicious java application onto the server first though.  Am I worrying about nothing?
0
 

Author Comment

by:chillitoenab
ID: 11909074
When the request comes in to execute the ASP script and there hasn't been any authentication like Windows NT challenge response to establish the user as a particular user on your system from a particular domain, then the system assumes that the person who wants to execute the ASP script is an anonymous user.   The anonymous user is linked to a user role in windows.

Read this about permissions and executing applications from ASP, it might make things clearer:

http://forums.aspfree.com/t34333/s.html?highlight=newb+needs+ASP+help

notice the permissions that they are setting for the anonymous web user.

Also, try this
http://rtfm.atrax.co.uk/infinitemonkeys/articles/iis/983.asp
http://www.kamath.com/tutorials/tut002_iisanon.asp
0
 
LVL 92

Expert Comment

by:objects
ID: 11909102
I think I see your concern, perhaps ask in the IIS TA and see if it is a security risk or not.
0
 

Author Comment

by:chillitoenab
ID: 11909165
objects since you are the java guru, to invoke the java security manager you go

java -Djava.security.manager <whatever>

is that right?

but when you don't use the -Djava.security.manager it doesn't invoke java security, so why have it for applications at all if the security manager isn't even called every time and the security policy isn't checked?
0
 
LVL 92

Accepted Solution

by:
objects earned 2000 total points
ID: 11909716
> is that right?

y

> but when you don't use the -Djava.security.manager it doesn't invoke java security, so why
> have it for applications at all if the security manager isn't even called every time and the
> security policy isn't checked?

not sure I understand what you mean.

Here's some background on the security manager:
http://java.sun.com/docs/books/tutorial/security1.2/index.html
0
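An added example, not part of the thread or the accepted answer: a policy file for the setup the question describes (one application allowed to create and write one file), for runtimes that still support the Security Manager (it is deprecated since Java 17). The paths, the jar name `report.jar` and the policy file name are assumptions.

```conf
// C:\apps\report\report.policy
// Constructed example: every path and the jar name below are assumptions.
//
// Start the JVM with the security manager on and this file as the ONLY policy.
// The double "==" replaces the default policy files instead of adding to them:
//
//   java -Djava.security.manager
//        -Djava.security.policy==C:\apps\report\report.policy
//        -jar C:\apps\report\report.jar
//
// Code loaded from any other location matches no grant block and is granted
// nothing by this policy, so its file writes, socket connections and process
// launches fail with java.security.AccessControlException.

grant codeBase "file:/C:/apps/report/report.jar" {
    // Create and write exactly one output file.
    // Backslashes must be doubled inside policy-file strings.
    permission java.io.FilePermission "C:\\apps\\report\\out\\result.txt", "write";
};
```

Because the manager and policy are switched on by command-line flags, they constrain only JVMs started with those flags. Which accounts may start java.exe at all is decided by the file's NTFS permissions, not by Java policy.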
 
LVL 9

Expert Comment

by:doronb
ID: 12203155
Maybe you can try this:

1) Look through some JNI  tutorial that shows how to LOAD the JVM yourself.

2) Write your own JVM loader, it should have "private" access to java.exe and "public" access from the ASP.

3) Your loader can now check the Java classes invoked and abort any application that's not allowed.
0
