Security policy in Java is defined in terms of code source, which is characterized by the digital signatures on the code and the origin of the mobile code (see Java2 Security). The security policy itself is defined in policy files.
The -s option of the pnuts command allows you to execute scripts safely under a given security policy.
The pnuts.security.SecurePnutsImpl class is a wrapper around an Implementation class that adds security functionality based on JDK 1.2 security. By default, it confines remote scripts in the same way a Java applet is confined. In addition, a security policy can be defined based on the code source of the script.
To execute a script safely, a security manager must be registered. To register a security manager, either pass the -Djava.security.manager option to the java command or execute 'System.setSecurityManager(new SecurityManager())' before executing the script.
In addition, java.security.AllPermission must be granted to the code base (URL) of the pnuts.jar file, for example with a policy entry such as the following:
grant codebase "file:/c:/pnuts/pnuts.jar" {
    permission java.security.AllPermission;
};
When a script is executed with a context on which a SecurePnutsImpl has been set as follows, the script is executed safely under Java2 security.
context.setImplementation(SecurePnutsImpl(context.getImplementation()));
Suppose you have the following script.
println(getProperty("java.home"))
To execute the script under Java2 security, set a SecurePnutsImpl on a context and pass that context to the loadFile() call.
import pnuts.lang.*;
import pnuts.security.*;
...
// Install a security manager if none is registered yet; without one, no policy is enforced.
if (System.getSecurityManager() == null){
    System.setSecurityManager(new SecurityManager());
}
Context context = new Context();
// Wrap the default implementation so the script runs under Java2 security.
context.setImplementation(new SecurePnutsImpl(context.getImplementation()));
Pnuts.loadFile("test1.pnut", context);
Since java.util.PropertyPermission is required in the security policy in order to read the property "java.home", an AccessControlException is thrown if no security policy is explicitly specified.
The script works if the following policy file is defined:
grant codebase "file:${user.home}/-" {
    permission java.util.PropertyPermission "java.home", "read";
};
This policy grants scripts located under the directory named by the "user.home" property permission to read the "java.home" property, and nothing else.
Save this policy file as ${user.home}/.java.policy, or pass its file name with the -Djava.security.policy= option of the java command.
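To check that a policy file grants exactly what you intend before running scripts under it, the following added Java program (not part of Pnuts) asks the installed Policy whether code from a given code source holds a permission. It assumes a JDK with a SecurityManager (Java 1.4 or later, before its removal), that the policy file above is loaded with -Djava.security.policy, that test1.pnut lives in ${user.home}, and that pnuts.jar is at the path used in the page's grant entry.

```java
import java.io.File;
import java.net.URL;
import java.security.AllPermission;
import java.security.CodeSource;
import java.security.Permission;
import java.security.Policy;
import java.security.ProtectionDomain;
import java.security.cert.Certificate;
import java.util.PropertyPermission;

public class PolicyCheck {

    // Ask the currently installed Policy whether unsigned code loaded from
    // 'location' would hold 'perm'. A null certificate array models an
    // unsigned script, so only the codebase URL decides the answer.
    static boolean grants(URL location, Permission perm) {
        CodeSource cs = new CodeSource(location, (Certificate[]) null);
        ProtectionDomain pd = new ProtectionDomain(cs, null);
        return Policy.getPolicy().implies(pd, perm);
    }

    public static void main(String[] args) throws Exception {
        // Script under ${user.home}, matching the "file:${user.home}/-" grant.
        URL script = new File(System.getProperty("user.home"), "test1.pnut")
                .toURI().toURL();
        // Path from the page's AllPermission grant; adjust to your install.
        URL pnutsJar = new File("c:/pnuts/pnuts.jar").toURI().toURL();

        System.out.println("script may read java.home : "
                + grants(script, new PropertyPermission("java.home", "read")));
        // Expected false: the policy above grants only java.home.
        System.out.println("script may read user.name : "
                + grants(script, new PropertyPermission("user.name", "read")));
        System.out.println("pnuts.jar has AllPermission: "
                + grants(pnutsJar, new AllPermission()));
    }
}
```

Run it as java -Djava.security.policy=${user.home}/.java.policy PolicyCheck; because no security manager is installed in this program, Policy.getPolicy() itself needs no extra permission.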