chillitoenab

Java Security Only allow certain applications to run on machine

Hi,

I want to stop all Java applications except for one particular application from running on a Windows 2003 Server machine.

How do I do this?

Do I create a security policy? How do I do this, and what permissions do I set?

Also, I want the one Java application to be able to create and write to a file.

Thanks for your help.
Mick Barry

Not sure you can.

Why do you need to restrict it?
chillitoenab

ASKER

I need to run a java application on a server through ASP.  I can't use JSP because it's a Windows IIS server.  This means I need to enable the execute permissions for anonymous web user on the java.exe file.  So this means that any user could run any java application.  I want Java security to stop it.
> I can't use JSP because it's a Windows IIS server.

You can actually still run a JSP container if you wanted.

> So this means that any user could run any java application.

They shouldn't be able to. How are you running the application?
Your asp should just run the required application.
You can actually still run a JSP container if you wanted.

> how?

They shouldn't be able to. How are you running the application?
Your asp should just run the required application.

>If they have the permissions and somehow work out where the java.exe is, and say they are able to copy a jar onto the server, why can't they run java applications?
Because they don't (or shouldn't need to) have access to java.exe.
All the user does is load the ASP page; it is the ASP page that runs java.exe.
They don't have access to the ASP page, they only receive the resulting HTML.
This is the same as for JSP.

You can install Tomcat, for example, to run with IIS to handle JSP.
Are we talking about an application or a web application? If it is an application then Tomcat is not of much help. Maybe you want to consider the Java Web Start option: http://java.sun.com/products/javawebstart/download.jsp
objects,

It is my understanding that when you run an ASP page the execution of the page is done either using the role anonymous web user IUSR_**** or using the role IWAM_****. That is, if you are allowing anonymous access to your pages through IIS.

Now I have to call this java application, I didn't write it, I have to call it as it is from the ASP page.  If I could install tomcat I wouldn't have a problem at all, I could just use JSP.  But I have strict limitations on what is on the server so I have to work with what I have got.  

The problem is that I have to run the Java application on the server from an ASP page. The web server is a Microsoft IIS server. There are a couple of ways to do this. I could use the Microsoft Java virtual machine and call the Java class using COM, using something like this:

http://www.4guysfromrolla.com/webtech/080999-1.shtml and
http://cephas.net/blog/2004/03/15/scripting_in_asp_with_java.html

but then I would have to have the Java application compiled using the Java virtual machine; even if I had the source, the MS JVM only goes up to Java level 1.1 or something, so there could be problems there.

Another solution would be to call the java application through a batch file either using wscript or a third party component such as ASPEXEC.  The batch file would have to allow the execute permissions which isn't bad.  The bad thing is that to execute the batch file you need to use the cmd.exe file. So I would have to allow anonymous web users to have execute permissions on the cmd.exe file.  This would be bad.  Here is how you execute a batch file from ASP:

http://www.4guysfromrolla.com/webtech/072199-2.shtml


So I thought I could execute the java application directly from the asp page.  To do this I need to allow access to the java.exe file.  So I wanted to set up some security so that only this one java application can run.  To avoid writing all this I just asked the simple question:  

"How do I stop all java applications except for one particular application from running through java security?"

 
Sorry, I still don't follow. The class being run is controlled by the ASP and *not* by the user, so where exactly is the security risk?
I'm probably wrong, but I was thinking that if I allowed the anonymous web user executable rights to java.exe then couldn't they execute any Java application? I guess I'm assuming that they know the location of java.exe and they would have to be able to upload a malicious Java application onto the server first though. Am I worrying about nothing?
When the request comes in to execute the ASP script and there hasn't been any authentication like Windows NT challenge response to establish the user as a particular user on your system from a particular domain, then the system assumes that the person who wants to execute the ASP script is an anonymous user. The anonymous user is linked to a user role in Windows.

Read this about permissions and executing applications from ASP; it might make things clearer:

http://forums.aspfree.com/t34333/s.html?highlight=newb+needs+ASP+help

Notice the permissions that they are setting for the anonymous web user.

Also, try this
http://rtfm.atrax.co.uk/infinitemonkeys/articles/iis/983.asp
http://www.kamath.com/tutorials/tut002_iisanon.asp
I think I see your concern, perhaps ask in the IIS TA and see if it is a security risk or not.
objects, since you are the Java guru: to invoke the Java security manager you go

java -Djava.security.manager <whatever>

Is that right?

But when you don't use the -Djava.security.manager it doesn't invoke Java security, so why have it for applications at all if the security manager isn't even called every time and the security policy isn't checked?
ASKER CERTIFIED SOLUTION
Mick Barry
This solution is only available to members.
Maybe you can try this:

1) Look through some JNI tutorial that shows how to LOAD the JVM yourself.

2) Write your own JVM loader, it should have "private" access to java.exe and "public" access from the ASP.

3) Your loader can now check the Java classes invoked and abort any application that's not allowed.
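
For the policy-file question and the `-Djava.security.manager` flag raised in this thread, here is an added example (not posted by any participant): a policy that lets one application create and write files in a single directory, plus a probe class that shows the grant being enforced. The directory `C:\apps\probe`, the file names and the class name `PolicyProbe` are assumptions.

```java
// Added example, not from the thread. Paths and the class name PolicyProbe are assumptions.
// The directory C:\apps\probe\out must already exist.
//
// probe.policy (the grant applies only to classes loaded from this one directory):
//   grant codeBase "file:/C:/apps/probe/" {
//       permission java.io.FilePermission "C:\\apps\\probe\\out\\-", "write";
//   };
//
// Launch line for the ASP page to hard-code ("==" means: use only this policy file):
//   java -Djava.security.manager -Djava.security.policy==C:\apps\probe\probe.policy
//        -cp C:\apps\probe PolicyProbe
//
// Applies to runtimes that still support the Security Manager (deprecated in Java 17, JEP 411).
import java.io.File;
import java.io.FileWriter;
import java.io.IOException;

public class PolicyProbe {
    // Try to create and write a file; report whether the policy allowed it.
    static String tryWrite(String path) {
        try (FileWriter w = new FileWriter(new File(path))) {
            w.write("probe\n");
            return "allowed";
        } catch (SecurityException e) {
            // Thrown by the security manager's write check when no grant matches.
            return "denied by policy: " + e.getMessage();
        } catch (IOException e) {
            return "I/O error: " + e.getMessage();
        }
    }

    public static void main(String[] args) {
        // Without -Djava.security.manager this is null and no policy is consulted.
        System.out.println("security manager active: " + (System.getSecurityManager() != null));
        // Inside the granted directory: expected "allowed" under the policy.
        System.out.println("inside out dir  -> " + tryWrite("C:\\apps\\probe\\out\\result.txt"));
        // Outside the granted directory: expected "denied by policy" under the policy.
        System.out.println("outside out dir -> " + tryWrite("C:\\probe.txt"));
    }
}
```

The policy takes effect only in a JVM started with these two flags, so it confines what this one application can do; it does not by itself stop java.exe from being started on another class.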