Re: [jakartaee-platform-dev] <permissions.xml> should we deprecate?



On Fri, Mar 4, 2022 at 4:53 PM Doyle, James, K <jdoyle@xxxxxxxxxx> wrote:

Hi,

 

Previously I posted similar concerns to the OpenJDK security mailing list, asking what we can expect from the JVM in the future to support our use case that Java Security Manager addressed.  (See https://mail.openjdk.java.net/pipermail/security-dev/2021-September/027279.html)



> The permissions give us a way to use a deny-by-default model and require a whitelist of the files, directories, hosts, ports, URLs, etc. that each application actually needs.

Perhaps this needs to be looked at, and investigated why exactly a minimal OS in a virtual server, running the AS with a user with minimal privileges, and a restricted number of outgoing ports and hosts (outgoing firewall) cannot do this.

The concerns themselves as reported seem absolutely valid; there's no question about that. But just anecdotally, in my own experience, for my own use cases, I've always been able to mitigate those concerns using the above strategy.

Kind regards,
Arjan


 
