Solved

Java Security Only allow certain applications to run on machine

Posted on 2004-08-25
16
313 Views
Last Modified: 2010-03-31
Hi,

I want to stop all java applications except for one particular application to run on a windows 2003 server machine.  

How do I do this?  

Do I create a security policy? How do I do this, what permissions do I set.  

Also, I want the one java application to be able to create and write to a file.  

Thanks for your help.
0
Comment
Question by:chillitoenab
16 Comments
 
LVL 92

Expert Comment

by:objects
ID: 11898492
Not sure you can

why do you need to restrict it?
0
 

Author Comment

by:chillitoenab
ID: 11898610
I need to run a java application on a server through ASP.  I can't use JSP because it's a Windows IIS server.  This means I need to enable the execute permissions for anonymous web user on the java.exe file.  So this means that any user could run any java application.  I want Java security to stop it.
0
 
LVL 92

Expert Comment

by:objects
ID: 11898634
> I can't use JSP because it's a Windows IIS server.

You can actually still run a JSP container if you wanted.

> So this means that any user could run any java application.

They shouldn't be able to. How are you running the application?
Your asp should just run the required application.
0
 

Author Comment

by:chillitoenab
ID: 11899647
You can actually still run a JSP container if you wanted.

> how?

They shouldn't be able to. How are you running the application?
Your asp should just run the required application.

>If they have the permissions and some-how work out where the java.exe is, and say that are able to copy a jar onto the server, why can't they run java applications?
0
 
LVL 92

Expert Comment

by:objects
ID: 11899680
becuase they don't (or shouldn't need to) have access to java.exe.
All the user does is load the asp page, it is the asp page that runs java.exe.
They don't have access to the asp page, they only recieve the resulting html.
This is the same as for jsp.

you can install tomcat for example to run with IIS to handle jsp.
0
 
LVL 35

Expert Comment

by:girionis
ID: 11900121
Are we talking about an application or a web application? If it is an application then Tomcat is not of much help. Maybe you want to consider the Java Web Start option: http://java.sun.com/products/javawebstart/download.jsp
0
 

Author Comment

by:chillitoenab
ID: 11908944
objects,

It is my understanding that when you run an asp page the execution of the page is done either using the role  anonymous web user IUSR_**** or  using the role IWAM_****.  That is if you allowing anonymous access to your pages through IIS.  

Now I have to call this java application, I didn't write it, I have to call it as it is from the ASP page.  If I could install tomcat I wouldn't have a problem at all, I could just use JSP.  But I have strict limitations on what is on the server so I have to work with what I have got.  

The problem is that I have to run the java application on the server from an ASP page. The web server is a microsoft IIS server.  There are a couple of ways to do this, I could use the Microsoft Java virtual machine and call the java class using COM using something like this

http://www.4guysfromrolla.com/webtech/080999-1.shtml and
http://cephas.net/blog/2004/03/15/scripting_in_asp_with_java.html

but then I would have to have the java application compiled using the java virtual machine, even if I had the source the MS JVM only goes up to Java level 1.1 or something, so there could be probelms there.

Another solution would be to call the java application through a batch file either using wscript or a third party component such as ASPEXEC.  The batch file would have to allow the execute permissions which isn't bad.  The bad thing is that to execute the batch file you need to use the cmd.exe file. So I would have to allow anonymous web users to have execute permissions on the cmd.exe file.  This would be bad.  Here is how you execute a batch file from ASP:

http://www.4guysfromrolla.com/webtech/072199-2.shtml


So I thought I could execute the java application directly from the asp page.  To do this I need to allow access to the java.exe file.  So I wanted to set up some security so that only this one java application can run.  To avoid writing all this I just asked the simple question:  

"How do I do stop all java applications except for one particular application from running through java security?"

 
0
Better Security Awareness With Threat Intelligence

See how one of the leading financial services organizations uses Recorded Future as part of a holistic threat intelligence program to promote security awareness and proactively and efficiently identify threats.

 
LVL 92

Expert Comment

by:objects
ID: 11908987
Sorry I still don't follow, the class being run is controlled by the asp and *not* by the user so where exactly is the security risk.
0
 

Author Comment

by:chillitoenab
ID: 11909018
I'm probably wrong, but I was thinking that if I allowed the anonymous web user executable writes to java.exe then couldn't they execute any java application. I guess I'm assuming that they know the location of java.exe and they would have to be able to upload a malicious java application onto the server first though.  Am I worrying about nothing?
0
 

Author Comment

by:chillitoenab
ID: 11909074
When the request comes in to executes the ASP script and there hasn't been any authentication like Windows NT challenge response to establish the user as a particular user on your system from a particular domain, then the system assumes that that the person who wants to execute the ASP script is an anonymous user.   The anonymous user is linked to a user role in windows.

Read this about permissions and  executing applications from ASP it might make things clearer:

http://forums.aspfree.com/t34333/s.html?highlight=newb+needs+ASP+help

notice the permissions that they are setting for the anonymous web user.

Also, try this
http://rtfm.atrax.co.uk/infinitemonkeys/articles/iis/983.asp
http://www.kamath.com/tutorials/tut002_iisanon.asp
0
 
LVL 92

Expert Comment

by:objects
ID: 11909102
I think I see your concern, perhaps ask in the IIS TA and see if it is a security risk or not.
0
 

Author Comment

by:chillitoenab
ID: 11909165
objects since you are the java guru, to invoke the java security manager you go

java -Djava.security.manager <whatever>

is that right?

but when you don't use the -Djava.security.manager it doesn't invoke java securiy, so why have it for applications at all if the security manager isn't even called every time and the security policy isn't checked?
0
 
LVL 92

Accepted Solution

by:
objects earned 500 total points
ID: 11909716
> is that right?

y

> but when you don't use the -Djava.security.manager it doesn't invoke java securiy, so why
> have it for applications at all if the security manager isn't even called every time and the
> security policy isn't checked?

not sure I understand what you mean.

Here's some background on the security manager:
http://java.sun.com/docs/books/tutorial/security1.2/index.html
0
 
LVL 9

Expert Comment

by:doronb
ID: 12203155
Maybe you can try this:

1) Look through some JNI  tutorial that shows how to LOAD the JVM yourself.

2) Write your own JVM loader, it should have "private" access to java.exe and "public" access from the ASP.

3) Your loader can now check the Java classes invoked and abort any application that's not allowed.
0

Featured Post

Why You Should Analyze Threat Actor TTPs

After years of analyzing threat actor behavior, it’s become clear that at any given time there are specific tactics, techniques, and procedures (TTPs) that are particularly prevalent. By analyzing and understanding these TTPs, you can dramatically enhance your security program.

Join & Write a Comment

Suggested Solutions

Title # Comments Views Activity
Python Assistance 7 36
Java Server Faces parameter pass? 6 22
JList custom Cell Renderer refresh 15 43
Java Loop 4 14
For beginner Java programmers or at least those new to the Eclipse IDE, the following tutorial will show some (four) ways in which you can import your Java projects to your Eclipse workbench. Introduction While learning Java can be done with…
Are you developing a Java application and want to create Excel Spreadsheets? You have come to the right place, this article will describe how you can create Excel Spreadsheets from a Java Application. For the purposes of this article, I will be u…
Viewers learn about the third conditional statement “else if” and use it in an example program. Then additional information about conditional statements is provided, covering the topic thoroughly. Viewers learn about the third conditional statement …
Viewers will learn about if statements in Java and their use The if statement: The condition required to create an if statement: Variations of if statements: An example using if statements:

758 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

19 Experts available now in Live!

Get 1:1 Help Now