Step 9 - Secure Sandbox


Untrusted scripts and applets must be allowed access only to a small, well-defined set of browser features, such as manipulating the DOM and connecting back to the server the page came from. They must be denied access to the file system and to arbitrary network connections. In other words, scripts and applets must run in a secure sandbox with no way to escape from it.

Because of the LiveConnect implementation, a script can do anything an applet can do, so arbitrary scripts must not be trusted either.

To activate the sandbox you must install a suitable SecurityManager, which is what this step of the tutorial does.

The following is added as the first line of the main method:

SecurityKit.installDefaultSecurityManager();
 

The following import is also required in order to use SecurityKit:

import ice.util.security.SecurityKit;
 

The whole method now is as follows:

public static void main(String[] args) {
    SecurityKit.installDefaultSecurityManager();

    StormBase stormBase = new StormBase();

    URLStreamHandlerFactory.addStreamHandler(
        "http", "ice.net.HttpURLStreamHandler");
    HttpURLConnection.setGlobalCookieManager(new CookieManager());

    AuthenticationManager authenticationManager =
        new AuthenticationManager();
    authenticationManager.addAuthenticationListener(new Authenticator());
    HttpURLConnection.setGlobalAuthenticationManager(authenticationManager);

    ProxyManager proxyManager = new ProxyManager();
    proxyManager.setProxyUse(true);
    HttpURLConnection.setGlobalProxyManager(proxyManager);

    URL.setURLStreamHandlerFactory(new URLStreamHandlerFactory());

    String location = "http://www.yahoo.com";
    if (args.length > 0) {
        location = args[0];
    }

    stormBase.setViewportCallback(new MyCallback());
    stormBase.setScripterCallback(new MyScripterCallback());
    stormBase.addPropertyChangeListener(new VisitedLinks(), null);
    stormBase.renderContent(location, null, "MyBrowser");
}


 

If the Java 2 security implementation is available on the system, SecurityKit.installDefaultSecurityManager() installs the standard Java 2 SecurityManager and configures it correctly.

Otherwise (on a Java 1 runtime) the method installs a special SecurityManager implementation that provides the necessary sandbox for scripts and applets.

Under Java 1 this is all that is necessary. Under Java 2 you must also make sure that the system policy grants the browser's own JAR files access to the Java networking classes; otherwise the Java 2 SecurityManager will block the browser itself, not just the untrusted content it renders.

A simple way to do this is to supply a policy file. An example of such a file, ib.policy, is shown in Figure 9-1; it is also included in the tutorial\step09 directory.

Figure 9-1 Example Policy File

// Standard extensions get all permissions by default
grant codeBase "file:${java.home}/lib/ext/*" {
    permission java.security.AllPermission;
};

grant codeBase "file:${ice.install.dir}/*" {
    permission java.security.AllPermission;
};

grant codeBase "file:${user.dir}" {
    permission java.security.AllPermission;
};

// default permissions granted to all domains
grant {
    // Allows any thread to stop itself using the java.lang.Thread.stop()
    // method that takes no argument.
    // Note that this permission is granted by default only to remain
    // backwards compatible.
    // It is strongly recommended that you either remove this permission
    // from this policy file or further restrict it to code sources
    // that you specify, because Thread.stop() is potentially unsafe.
    // See "http://java.sun.com/notes" for more information.
    permission java.lang.RuntimePermission "stopThread";

    // allows anyone to listen on un-privileged ports
    permission java.net.SocketPermission "localhost:1024-", "listen";

    // "standard" properties that can be read by anyone
    permission java.util.PropertyPermission "java.version", "read";
    permission java.util.PropertyPermission "java.vendor", "read";
    permission java.util.PropertyPermission "java.vendor.url", "read";
    permission java.util.PropertyPermission "java.class.version", "read";
    permission java.util.PropertyPermission "os.name", "read";
    permission java.util.PropertyPermission "os.version", "read";
    permission java.util.PropertyPermission "os.arch", "read";
    permission java.util.PropertyPermission "file.separator", "read";
    permission java.util.PropertyPermission "path.separator", "read";
    permission java.util.PropertyPermission "line.separator", "read";

    permission java.util.PropertyPermission "java.specification.version", "read";
    permission java.util.PropertyPermission "java.specification.vendor", "read";
    permission java.util.PropertyPermission "java.specification.name", "read";

    permission java.util.PropertyPermission "java.vm.specification.version", "read";
    permission java.util.PropertyPermission "java.vm.specification.vendor", "read";
    permission java.util.PropertyPermission "java.vm.specification.name", "read";
    permission java.util.PropertyPermission "java.vm.version", "read";
    permission java.util.PropertyPermission "java.vm.vendor", "read";
    permission java.util.PropertyPermission "java.vm.name", "read";
};


 

In this policy file, the following lines grant all permissions to any code loaded from the directory named by the ice.install.dir system property, which is where the browser's JAR files live:

grant codeBase "file:${ice.install.dir}/*" {
    permission java.security.AllPermission;
};

The final grant block, which names no codeBase, applies to every code source, including applets and scripts downloaded from the network. It is therefore the effective permission set of the sandbox and should be kept as small as possible; as the file's own comment says, the stopThread permission is only there for backwards compatibility and can be removed.


 

Then you can invoke MyBrowser with the following command:

java -Dice.install.dir=<full path to ICEbrowser lib directory>
    -Djava.security.policy=ib.policy MyBrowser

With a single "=" the file is added to the permissions of the JDK's own system policy file; use -Djava.security.policy==ib.policy (two "=" signs) if you want ib.policy to be the only policy in effect.
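The probe below is an added example, not code from the ICEbrowser tutorial or product. It loads the policy that -Djava.security.policy selects and reports which permissions that policy grants to the browser's own install directory and to a hypothetical remote code base, which stands in for an applet or script origin. This answers the question the sandbox description at the start of this step raises: does untrusted content really get no file access and no arbitrary network access, while still receiving the small default grant? The URL http://www.example.com/untrusted.jar, the JAR name browser.jar and the fallback install directory /opt/icebrowser/lib are placeholders chosen for the example. It uses only the standard java.security API and needs a JDK that still supports the security manager machinery (JDK 8 through 23; the API is deprecated from JDK 17, and JDK 24 disables it permanently).

```java
// PolicyProbe.java  (added example; not part of ICEbrowser or this tutorial)
//
// Asks the java.security.Policy selected by -Djava.security.policy which
// permissions it grants to two code bases: the browser's install directory
// and a hypothetical remote origin standing in for an untrusted applet.
//
//   javac PolicyProbe.java
//   java -Dice.install.dir=/path/to/icebrowser/lib \
//        -Djava.security.policy=ib.policy PolicyProbe [remote-codebase-url]
import java.io.File;
import java.io.FilePermission;
import java.net.SocketPermission;
import java.net.URI;
import java.security.AccessControlContext;
import java.security.CodeSource;
import java.security.Permission;
import java.security.Policy;
import java.security.ProtectionDomain;
import java.security.cert.Certificate;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.PropertyPermission;

public class PolicyProbe {

    /** Permissions whose grant to a remote code base would mean the sandbox leaks. */
    static final Permission[] DANGEROUS = {
        new FilePermission(System.getProperty("user.home") + File.separator + "-", "read"),
        new FilePermission("<<ALL FILES>>", "write"),
        new SocketPermission("*", "connect"),          // arbitrary outbound connections
        new RuntimePermission("setSecurityManager"),   // would let code switch the sandbox off
        new RuntimePermission("createClassLoader"),
        new PropertyPermission("user.home", "read"),   // not in ib.policy's default grant
    };

    /** Permissions the catch-all "grant { ... }" block of ib.policy gives to everyone. */
    static final Permission[] EXPECTED_FOR_ALL = {
        new SocketPermission("localhost:1024-", "listen"),
        new PropertyPermission("java.version", "read"),
        new RuntimePermission("stopThread"),
    };

    /** A domain identified only by its code base: unsigned, no principals and no
     *  static permissions, so every decision about it comes from the Policy. */
    static ProtectionDomain domainFor(String codeBase) throws Exception {
        CodeSource cs = new CodeSource(URI.create(codeBase).toURL(), (Certificate[]) null);
        return new ProtectionDomain(cs, null, null, null);
    }

    /** The policy's own answer: Policy.implies(ProtectionDomain, Permission). */
    static boolean policyGrants(Policy policy, ProtectionDomain domain, Permission p) {
        return policy.implies(domain, p);
    }

    /** The same question through the enforcement path a SecurityManager uses: an
     *  AccessControlContext made of just this domain throws AccessControlException
     *  (a SecurityException) unless the domain implies the permission. */
    static boolean enforcementGrants(ProtectionDomain domain, Permission p) {
        try {
            new AccessControlContext(new ProtectionDomain[] { domain }).checkPermission(p);
            return true;
        } catch (SecurityException e) {
            return false;
        }
    }

    /** Each probe permission mapped to its decision; both paths must agree. */
    static Map<Permission, Boolean> probe(Policy policy, ProtectionDomain domain, Permission[] probes) {
        Map<Permission, Boolean> out = new LinkedHashMap<>();
        for (Permission p : probes) {
            boolean byPolicy = policyGrants(policy, domain, p);
            boolean byEnforcement = enforcementGrants(domain, p);
            if (byPolicy != byEnforcement) {
                throw new IllegalStateException("policy and enforcement disagree on " + p);
            }
            out.put(p, byPolicy);
        }
        return out;
    }

    /** True when the policy grants none of the DANGEROUS permissions to the domain. */
    static boolean sandboxHolds(Policy policy, ProtectionDomain untrusted) {
        return !probe(policy, untrusted, DANGEROUS).containsValue(Boolean.TRUE);
    }

    public static void main(String[] args) throws Exception {
        // Placeholder code bases. The JAR name is irrelevant: the tutorial's
        // "file:${ice.install.dir}/*" grant matches every file in that directory.
        String installDir = System.getProperty("ice.install.dir", "/opt/icebrowser/lib");
        String browserBase = new File(installDir, "browser.jar").toURI().toString();
        String remoteBase = args.length > 0 ? args[0] : "http://www.example.com/untrusted.jar";

        Policy policy = Policy.getPolicy();
        for (String base : new String[] { browserBase, remoteBase }) {
            ProtectionDomain domain = domainFor(base);
            System.out.println("== " + base);
            Map<Permission, Boolean> decisions = probe(policy, domain, DANGEROUS);
            decisions.putAll(probe(policy, domain, EXPECTED_FOR_ALL));
            for (Map.Entry<Permission, Boolean> e : decisions.entrySet()) {
                System.out.printf("  %-5s %s%n", e.getValue() ? "GRANT" : "deny", e.getKey());
            }
        }
        System.out.println(sandboxHolds(policy, domainFor(remoteBase))
            ? "OK: the remote code base gets none of the dangerous permissions"
            : "WARNING: the policy leaks a dangerous permission to the remote code base");
    }
}
```

Run it with the same -D options you pass to MyBrowser. With ib.policy from Figure 9-1 the install directory should show GRANT for everything, and the remote code base should show GRANT only for the listen, java.version and stopThread entries from the default block. Because a single "=" merges ib.policy with the JDK's system policy, run the probe with -Djava.security.policy==ib.policy as well to see what your file grants on its own.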
 


Copyright 2005. ICEsoft Technologies, Inc.
http://www.icesoft.com
