Felipe Gaúcho works as a senior software engineer at Netcetera AG in Switzerland. He is a well-known Brazilian JUG leader and open-source evangelist. Felipe has worked with Java since its early versions and plans to keep that Java tradition as it is. When he is not coding, he prefers to listen to reggae and travel around with his lovely wife Alena and his son Rodrigo. Felipe is a DZone MVB and is not an employee of DZone and has posted 29 posts at DZone.

Hudson With Security Manager Enabled on GlassFish

12.14.2009

GlassFish V3 is out, and there is no better way to celebrate the newborn than publishing some hints about the best Java EE container ever. As you will notice when you download and install GlassFish V3, the server is very easy to set up and run. But after the initial euphoria, you will also miss some features. For me the most missed ones are:

  • Security: the security manager comes disabled by default, which means you can run "any application but the Java EE Standard ones". Amazing, isn't it? I believe the engineers at SUN chose that strategy for historical reasons: none of the popular servers comes with security enabled, which facilitates fast adoption of the servers and also eases the development phase. The consequence of this easiness is well known: most developers out there are unable to understand or configure a production-level server. I wrote about that before and there is no reason to stress this topic much; it is just like that.

  • Web tuning out of the box: compression and default HTTP headers are not there, and you are forced to create your own custom filters to make your pages faster. This is another feature missing from every server available today, and I would love to have a button somewhere in the Administrative GUI that says: "please activate the most common tuning options for web-application deployment". As an experiment, I suggest you deploy your favorite project on GlassFish and then use YSlow to check the performance of that application. At first sight you will see some obvious features missing, like GZip compression, and as a novice you will have some investigating to do to figure out how to enable it. The Expires header is another classic missing feature, and I wish the GlassFish HTTP connector would provide a set of common HTTP filters someday. Too specific for a container? Too specific from an abstract architecture point of view? For sure, but the world of Java EE development is mostly web development, and having a magic button somewhere to activate those options is highly recommended.

  • Ready-to-go plugins: I briefly described the concept here, but just as we have DataSource, JavaMail and other resources ready to go, we need other things in our daily business, like Twitter integration, WebDAV, etc. So, if my application will notify users via Twitter, where can I configure the Twitter resource? Where can I download and plug in such a resource so that it is available to all my applications? And Facebook, Google Wave and all the other hyped communication and social networks out there? Is it application-level code? For sure it is, but why not have this available in my container in the easiest way possible? Something for the future, I guess...

To exemplify my wish list, I will show you how to deploy a Hudson application on a GlassFish server with the security manager enabled.

Enabling the Security Manager of the GlassFish V3

Nothing is easier than enabling the security manager of GlassFish. You have two options:

  1. ASADMIN CLI: from the command line you can activate the security manager like this:

    asadmin create-jvm-options --user adminuser -Djava.security.manager

  2. Administrative GUI: you can access the Admin GUI of GlassFish at http://localhost:4848, find the Security option in the left menu, and then enable the Security Manager with the checkbox available in the central panel, as shown in the figure below.

After enabling the security manager, you should restart the server to make the changes effective. If you now try to deploy and run a Hudson application, you will be surprised by the security exception shown in the figure below.

Before proceeding to the technical details, it is worth mentioning a strange message on this error page:

... if you have no idea what a security manager is, then the easiest way to fix the problem is simply to turn the security manager off ...

Seriously, I couldn't imagine a more unfortunate suggestion, because the Security Manager is disabled by default, and if it is enabled, it is for some reason. Suggesting that a novice developer disable security just to run Hudson is somewhat weird, and IMHO that message should be removed or replaced by something less dangerous. It is actually not difficult to unleash Hudson under the Security Manager, so I can't see a good reason to offer users any action with unpredictable side effects, especially when we are talking about security features. Let me show you a proper way of solving the Hudson security issue.

Enabling Hudson to run with the Security Manager Enabled

Hudson security is implemented at the application level, so Hudson is not affected by and does not profit from the security manager features. The Security Manager protects the file system by default, so any application trying to access files needs to be configured for that purpose. In order to allow an application to access the file system, you need to edit the security policy file, which in GlassFish is located at

glassfishv3/glassfish/domains/domain1/config/server.policy

Open this file and add the following entries:

grant codeBase "file:${com.sun.aas.installRoot}/domains/domain1/applications/hudson/-" {
permission java.security.AllPermission;
};

grant codeBase "file:/home/fgaucho/.hudson/-" {
permission java.security.AllPermission;
};

Important: the tokens highlighted in bold are folders that you should adapt to your local installation, especially /home/fgaucho, which points to the default user folder on my Linux OS. If you are using Windows, please don't forget to use inverted \ slashes. Done! You can see an example of Hudson running under the Security Manager here. You can use the same configuration for any application that is not using the container for security, like a Spring application, for example.
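The following audit is an added example, not part of the original article or of GlassFish: it lists every grant block in a server.policy that carries java.security.AllPermission, together with how widely its codeBase applies, so an unexpectedly broad grant stands out after editing. The sample policy text is constructed (its third grant, without a codeBase, is hypothetical), and the function and constant names are assumptions.

```python
import re

# Constructed sample: the article's two Hudson entries plus a hypothetical
# grant with no codeBase, the kind of entry this audit is meant to surface.
SAMPLE_POLICY = r'''
// constructed sample, not a real server.policy
grant codeBase "file:${com.sun.aas.installRoot}/domains/domain1/applications/hudson/-" {
    permission java.security.AllPermission;
};
grant codeBase "file:/home/fgaucho/.hudson/-" {
    permission java.security.AllPermission;
};
grant {
    permission java.util.PropertyPermission "*", "read";
    permission java.security.AllPermission;
};
'''

# Quoted strings are consumed whole so "${...}" inside a codeBase is not
# mistaken for the braces that delimit the grant block.
QUOTED_OR = r'(?:[^{}"]|"[^"]*")*'
GRANT_RE = re.compile(r'\bgrant\b(' + QUOTED_OR + r')\{(' + QUOTED_OR + r')\}\s*;', re.I)
CODEBASE_RE = re.compile(r'codeBase\s+"([^"]*)"', re.I)
PERM_RE = re.compile(r'\bpermission\s+([\w.$]+)', re.I)

def audit_policy(text):
    """Return (codeBase or None, scope) for each grant holding AllPermission."""
    text = re.sub(r'/\*.*?\*/', '', text, flags=re.S)   # block comments
    text = re.sub(r'(?m)^\s*//.*$', '', text)           # whole-line comments
    findings = []
    for header, body in GRANT_RE.findall(text):
        if "java.security.AllPermission" not in PERM_RE.findall(body):
            continue
        m = CODEBASE_RE.search(header)
        if m is None:
            scope = "ANY_CODE"      # no codeBase: not limited by code location
        elif m.group(1).endswith("/-"):
            scope = "RECURSIVE"     # directory and everything beneath it
        else:
            scope = "SCOPED"
        findings.append((m.group(1) if m else None, scope))
    return findings

if __name__ == "__main__":
    for codebase, scope in audit_policy(SAMPLE_POLICY):
        print(f"{scope:10} {codebase or '<no codeBase>'}")
```

To check a real installation, pass the contents of glassfishv3/glassfish/domains/domain1/config/server.policy to audit_policy instead of the sample.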

From http://weblogs.java.net/blog/felipegaucho

Published at DZone with permission of Felipe Gaúcho, author and DZone MVB.


Comments

Josh Marotti replied on Mon, 2009/12/14 - 2:43pm

The whole "if you don't know what a security manager is, turn it off" is probably just to get people just learning java/j2ee to get things rolling. But thanks for the step-by-step... makes it easier for the pros amongst us to get it up and running like we want, faster.

Mast Ermnd replied on Thu, 2009/12/17 - 2:16pm

Correct me if I'm wrong, but I don't think Hudson is an app that gets deployed to production environments often. If you're just using it during development and/or on a development server, and given the fact that it uses application-level security, I don't think the advice to turn off the security manager is a bad thing!

Felipe Gaúcho replied on Sat, 2010/01/02 - 4:11am in response to: Mast Ermnd

@Mastermnd: the problem is not Hudson, the problem is: when you disable the security manager, you do that for all applications and not only for Hudson ;)
