Reputation: 1714
In a standard webapp setting, all code runs with the same privileges. It would be desirable to follow the principle of least privilege instead, and Java's security manager (the "sandbox") should in theory make that possible.
I imagine a setting in which the code in a webapp consists of a "front end" whose code is privileged to do only things that the logged-in user is allowed to do, and a "back end" which runs with greater privileges and imposes those limitations on the "front end" code. Then templates and much of the control logic would be part of the less-privileged "front-end" code, limiting the ways an attacker can compromise security.
Has this already been done? Is it part of any commonly-used web framework already?
Upvotes: 4
Views: 226
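As an added illustration of the split the question describes (not code from the post or from any framework mentioned on this page), the program below uses the Java security manager to run "front-end" logic under a restricted AccessControlContext while the "back-end" code keeps its full permissions and enforces its own per-user check before doing privileged work. Assumptions: a JDK in which SecurityManager is still usable (it is deprecated for removal since JDK 17, and JDK 18 and later refuse to install one at runtime unless started with -Djava.security.manager=allow); an all-granting Policy installed programmatically so the demo runs without a policy file (a real deployment would grant permissions per code source); and a hypothetical userMayRead() standing in for the application's authorization logic.

```java
import java.security.*;
import java.util.concurrent.Callable;

public class LeastPrivilegeDemo {

    // Hypothetical per-user authorization rule (illustration only): the back end
    // decides which resources the logged-in user is allowed to read.
    static boolean userMayRead(String user, String resource) {
        return "alice".equals(user) && resource.startsWith("/data/alice/");
    }

    // "Back end": runs with the full permissions of this code base. It performs
    // the sensitive operation only after its own authorization check, because
    // doPrivileged() stops the stack walk here and the restricted front-end
    // frames below it no longer constrain what happens inside.
    static String backendRead(String user, String resource) {
        if (!userMayRead(user, resource)) {
            throw new SecurityException(user + " may not read " + resource);
        }
        return AccessController.doPrivileged((PrivilegedAction<String>) () ->
            "contents of " + resource + " (read as " + System.getProperty("user.name") + ")");
    }

    // An AccessControlContext carrying only the given (static) permissions.
    // Code run under it is limited to the intersection of its own permissions
    // and these, so an empty Permissions object denies everything.
    static AccessControlContext restrictedContext(Permissions perms) {
        ProtectionDomain pd = new ProtectionDomain(null, perms);
        return new AccessControlContext(new ProtectionDomain[] { pd });
    }

    // "Front end": template/control logic executed inside the restricted context.
    // Checked exceptions come back wrapped in PrivilegedActionException; unwrap them.
    static <T> T runFrontEnd(Callable<T> frontEnd, AccessControlContext ctx) throws Exception {
        try {
            return AccessController.doPrivileged((PrivilegedExceptionAction<T>) frontEnd::call, ctx);
        } catch (PrivilegedActionException e) {
            throw e.getException();
        }
    }

    public static void main(String[] args) throws Exception {
        // Demo-only policy: grant this application everything, then rely on the
        // restricted context to take permissions away from the front end.
        Policy.setPolicy(new Policy() {
            @Override public boolean implies(ProtectionDomain domain, Permission permission) {
                return true;
            }
        });
        // JDK 18+: start with -Djava.security.manager=allow or this line throws.
        if (System.getSecurityManager() == null) {
            System.setSecurityManager(new SecurityManager());
        }

        AccessControlContext sandbox = restrictedContext(new Permissions());

        // 1. The front end cannot touch a guarded resource directly: the sandbox
        //    refuses it even though the code base itself holds the permission.
        try {
            runFrontEnd(() -> System.getProperty("user.home"), sandbox);
            System.out.println("UNEXPECTED: sandbox did not restrict the front end");
        } catch (AccessControlException e) {
            System.out.println("front end blocked by sandbox: " + e.getPermission());
        }

        // 2. Going through the back end succeeds, but only for what this user may do.
        System.out.println(runFrontEnd(() -> backendRead("alice", "/data/alice/notes.txt"), sandbox));
        try {
            runFrontEnd(() -> backendRead("alice", "/data/bob/secrets.txt"), sandbox);
        } catch (SecurityException e) {
            System.out.println("back end refused: " + e.getMessage());
        }
    }
}
```

The point the example makes is the one the question is after: the sandbox stops the front end from reaching protected resources on its own, but every doPrivileged() in the back end is a deliberate privilege boundary, so the authorization decision has to live there, and anything reachable from the front end through such a call is part of the attack surface.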
Reputation: 60997
I think Kohsuke's Stapler framework uses (or can use) a Java security manager, but I can't find a reference for that at the moment. The Stapler framework is great (it's primarily used by Hudson/Jenkins) but the documentation for it is woefully incomplete.
Upvotes: 1