Solved

Java Security Only allow certain applications to run on machine

Posted on 2004-08-25
Last Modified: 2010-03-31
Hi,

I want to stop all Java applications, except for one particular application, from running on a Windows 2003 Server machine.

How do I do this?

Do I create a security policy? How do I do this, and what permissions do I set?

Also, I want the one Java application to be able to create and write to a file.

Thanks for your help.
Question by: chillitoenab
 
LVL 92

Expert Comment

by:objects
ID: 11898492
Not sure you can

why do you need to restrict it?
0
 

Author Comment

by:chillitoenab
ID: 11898610
I need to run a java application on a server through ASP.  I can't use JSP because it's a Windows IIS server.  This means I need to enable the execute permissions for anonymous web user on the java.exe file.  So this means that any user could run any java application.  I want Java security to stop it.
0
 
LVL 92

Expert Comment

by:objects
ID: 11898634
> I can't use JSP because it's a Windows IIS server.

You can actually still run a JSP container if you wanted.

> So this means that any user could run any java application.

They shouldn't be able to. How are you running the application?
Your asp should just run the required application.
0

 

Author Comment

by:chillitoenab
ID: 11899647
> You can actually still run a JSP container if you wanted.

How?

> They shouldn't be able to. How are you running the application?
> Your asp should just run the required application.

If they have the permissions and somehow work out where the java.exe is, and say they are able to copy a jar onto the server, why can't they run Java applications?
0
 
LVL 92

Expert Comment

by:objects
ID: 11899680
Because they don't have (or shouldn't need to have) access to java.exe.
All the user does is load the ASP page; it is the ASP page that runs java.exe.
They don't have access to the ASP page, they only receive the resulting HTML.
This is the same as for JSP.

You can install Tomcat, for example, to run with IIS to handle JSP.
0
 
LVL 35

Expert Comment

by:girionis
ID: 11900121
Are we talking about an application or a web application? If it is an application then Tomcat is not of much help. Maybe you want to consider the Java Web Start option: http://java.sun.com/products/javawebstart/download.jsp
0
 

Author Comment

by:chillitoenab
ID: 11908944
objects,

It is my understanding that when you run an ASP page, the execution of the page is done either using the role anonymous web user IUSR_**** or using the role IWAM_****. That is, if you are allowing anonymous access to your pages through IIS.

Now I have to call this java application, I didn't write it, I have to call it as it is from the ASP page.  If I could install tomcat I wouldn't have a problem at all, I could just use JSP.  But I have strict limitations on what is on the server so I have to work with what I have got.  

The problem is that I have to run the java application on the server from an ASP page. The web server is a microsoft IIS server.  There are a couple of ways to do this, I could use the Microsoft Java virtual machine and call the java class using COM using something like this

http://www.4guysfromrolla.com/webtech/080999-1.shtml and
http://cephas.net/blog/2004/03/15/scripting_in_asp_with_java.html

but then I would have to have the Java application compiled using the Java virtual machine; even if I had the source, the MS JVM only goes up to Java level 1.1 or something, so there could be problems there.

Another solution would be to call the java application through a batch file either using wscript or a third party component such as ASPEXEC.  The batch file would have to allow the execute permissions which isn't bad.  The bad thing is that to execute the batch file you need to use the cmd.exe file. So I would have to allow anonymous web users to have execute permissions on the cmd.exe file.  This would be bad.  Here is how you execute a batch file from ASP:

http://www.4guysfromrolla.com/webtech/072199-2.shtml


So I thought I could execute the java application directly from the asp page.  To do this I need to allow access to the java.exe file.  So I wanted to set up some security so that only this one java application can run.  To avoid writing all this I just asked the simple question:  

"How do I stop all Java applications except for one particular application from running through Java security?"

 
0
 
LVL 92

Expert Comment

by:objects
ID: 11908987
Sorry I still don't follow, the class being run is controlled by the asp and *not* by the user so where exactly is the security risk.
0
 

Author Comment

by:chillitoenab
ID: 11909018
I'm probably wrong, but I was thinking that if I allowed the anonymous web user executable rights to java.exe then couldn't they execute any Java application? I guess I'm assuming that they know the location of java.exe, and they would have to be able to upload a malicious Java application onto the server first, though. Am I worrying about nothing?
0
 

Author Comment

by:chillitoenab
ID: 11909074
When the request comes in to execute the ASP script and there hasn't been any authentication like Windows NT challenge response to establish the user as a particular user on your system from a particular domain, then the system assumes that the person who wants to execute the ASP script is an anonymous user. The anonymous user is linked to a user role in Windows.

Read this about permissions and executing applications from ASP; it might make things clearer:

http://forums.aspfree.com/t34333/s.html?highlight=newb+needs+ASP+help

notice the permissions that they are setting for the anonymous web user.

Also, try this
http://rtfm.atrax.co.uk/infinitemonkeys/articles/iis/983.asp
http://www.kamath.com/tutorials/tut002_iisanon.asp
0
 
LVL 92

Expert Comment

by:objects
ID: 11909102
I think I see your concern, perhaps ask in the IIS TA and see if it is a security risk or not.
0
 

Author Comment

by:chillitoenab
ID: 11909165
objects since you are the java guru, to invoke the java security manager you go

java -Djava.security.manager <whatever>

is that right?

But when you don't use the -Djava.security.manager it doesn't invoke Java security, so why have it for applications at all if the security manager isn't even called every time and the security policy isn't checked?
0
 
LVL 92

Accepted Solution

by:
objects earned 500 total points
ID: 11909716
> is that right?

y

> but when you don't use the -Djava.security.manager it doesn't invoke java security, so why
> have it for applications at all if the security manager isn't even called every time and the
> security policy isn't checked?

not sure I understand what you mean.

Here's some background on the security manager:
http://java.sun.com/docs/books/tutorial/security1.2/index.html
0
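As an added example (not part of the original thread or any poster's code), this is a policy file of the kind the question asks about: it grants one jar permission to create and write a single file and nothing else. The directory, jar name, output file and policy file name are assumed placeholders.

```conf
// report.policy (constructed example; all paths below are placeholders)
//
// Launch the one permitted application with the security manager enabled
// and with ONLY this policy in effect. The double "==" replaces the
// default policy files instead of adding to them:
//
//   java -Djava.security.manager
//        -Djava.security.policy==C:\apps\report\report.policy
//        -jar C:\apps\report\report.jar
//
// Code that matches no grant block receives no permissions at all, so any
// other class or jar loaded into this JVM cannot touch the file system,
// open sockets, or start processes.

grant codeBase "file:/C:/apps/report/report.jar" {
    // Create and write exactly one output file. Backslashes in a
    // FilePermission path must be doubled inside a policy file.
    permission java.io.FilePermission "C:\\apps\\report\\out\\result.txt", "write";
};
```

The policy is enforced only inside a JVM that was started with these flags; it does not stop an account that may execute java.exe from starting a second JVM without them, so which accounts can run java.exe remains a matter for Windows file permissions. The Security Manager was deprecated for removal in Java 17 and is permanently disabled from JDK 24, so this applies to older runtimes such as the one in this thread.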
 
LVL 9

Expert Comment

by:doronb
ID: 12203155
Maybe you can try this:

1) Look through some JNI  tutorial that shows how to LOAD the JVM yourself.

2) Write your own JVM loader, it should have "private" access to java.exe and "public" access from the ASP.

3) Your loader can now check the Java classes invoked and abort any application that's not allowed.
0
