Difference between revisions of "Jetty/Feature/Secure Mode"

From Eclipsepedia

< Jetty‎ | Feature
Jump to: navigation, search
(2 intermediate revisions by 2 users not shown)
Line 1: Line 1:
 
{{Jetty Feature
 
{{Jetty Feature
 
| introduction=
 
| introduction=
Jetty has support for running in a 'secure' mode in a couple of different ways.
+
 
 +
Running under the security manager and strictly specified policies is an effectively way of ensuring your application is executing fairly strict boundaries.  Jetty has native support for executing under this standard jdk security model with a few additional benefits. See [http://java.sun.com/javase/6/docs/technotes/guides/security/PolicyFiles.html Policy Implementation and Permissions] for specific details on how this works within java itself.
  
 
| body=
 
| body=
  
=== Typical Jetty Startup ===
 
  
  > java -jar start.jar OPTIONS=secure,default
+
=== Jetty Startup w/JettyPolicy ===
 +
 
 +
  > java -jar start.jar --secure
 +
 
 +
This will start up Jetty using the custom org.eclipse.jetty.policy.JettyPolicy implementation for loading and processing policy files, and install a security manager early before the Jetty server starts to bootstrap itself up through the XMLConfiguration mechanism.
 +
 
 +
Some features of using the JettyPolicy are currently:
 +
 
 +
* specification of multiple policy files (via start.config)
 +
* automatic reloading of policies (enabled via -Dorg.eclipse.jetty.policy.RELOAD=true variable)
 +
 
  
This will start up Jetty using the custom org.eclipse.jetty.policy.JettyPolicy implementation for loading and processing policy files, and install a security manager very before the Jetty server starts to bootstrap itself up through the XMLConfiguration mechanism.  This mechanism allows for the specification of multiple policy files if you so choose which can be registered in the start.config file.
 
  
=== Typical JVM Startup ===
+
=== Typical JVM Startup w/standard policy ===
  
  > java -Djava.security.manager -Djava.security.policy=lib/secure/jetty.policy -jar start.jar
+
  > java -Djava.security.manager -Djava.security.policy=lib/policy/jetty.policy -jar start.jar
  
This is the standard JDK mechanism for starting up the JVM with the policy and security manager in place.
+
This is the standard JDK mechanism for starting up the JVM with the policy and security manager in place. Note that different policy parsers are more forgiving then others, for instance the one in the standard jvm violently enforces the ; ending permission declarations while the one in harmony which the JettyPolicy itself is based off is more permissive.
 +
}}

Revision as of 22:05, 15 September 2009



Contents

Introduction

Running under the security manager and strictly specified policies is an effectively way of ensuring your application is executing fairly strict boundaries. Jetty has native support for executing under this standard jdk security model with a few additional benefits. See Policy Implementation and Permissions for specific details on how this works within java itself.

Feature

Jetty Startup w/JettyPolicy

> java -jar start.jar --secure

This will start up Jetty using the custom org.eclipse.jetty.policy.JettyPolicy implementation for loading and processing policy files, and install a security manager early before the Jetty server starts to bootstrap itself up through the XMLConfiguration mechanism.

Some features of using the JettyPolicy are currently:

  • specification of multiple policy files (via start.config)
  • automatic reloading of policies (enabled via -Dorg.eclipse.jetty.policy.RELOAD=true variable)


Typical JVM Startup w/standard policy

> java -Djava.security.manager -Djava.security.policy=lib/policy/jetty.policy -jar start.jar

This is the standard JDK mechanism for starting up the JVM with the policy and security manager in place. Note that different policy parsers are more forgiving then others, for instance the one in the standard jvm violently enforces the ; ending permission declarations while the one in harmony which the JettyPolicy itself is based off is more permissive.