Jedox Integrator: Security of Script Jobs and Functions


The capabilities of a script inside a Groovy function or a Groovy job can be restricted by configuring the Java Security Manager. A script runs with the authorizations of the OS user of the JedoxSuiteTomcatService service.

The following steps have to be performed:

1. Stop and remove JedoxSuiteTomcatService with <Jedox Install Directory>\tomcat\bin\serviceRemove.bat
(should be run as Administrator).

2. Enable the Java Security Manager
Edit the file <Jedox Install Directory>\tomcat\bin\setenv.bat.
Add this line at the end of the file:

set SECURITY_POLICY_PARAM=-Djava.security.manager;-Djava.security.policy=".\conf\catalina.policy";

3. Define the privileges
The permissions are defined in the policy file <Jedox Install Directory>\tomcat\conf\catalina.policy.
For Groovy scripts, they are set in this section:

grant codeBase "file:/groovy/shell" {
 ...
 };

The default setting doesn’t define any restrictions:

permission java.security.AllPermission;

Replace it with the privileges that the scripts should have.

For example, to allow only read access to all files under the directory C:\Users\xyz:

permission java.io.FilePermission "C:${file.separator}Users${file.separator}xyz${file.separator}-", "read";

For more information on the policy file, see http://docs.oracle.com/javase/8/docs/technotes/guides/security/PolicyFiles.html

4. Install and restart JedoxSuiteTomcatService with <Jedox Install Directory>\tomcat\bin\serviceInstall.bat
(should be run as Administrator).
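
The following check is an added example, not part of the Jedox documentation: it parses policy text and reports whether the grant for the Groovy codeBase from step 3 still contains AllPermission. The function names and both sample policies are constructed for illustration; to check a real installation, pass the contents of catalina.policy to audit().

```python
import re

# Quoted strings are matched first so "//" or "${...}" inside them is left alone.
_TOKEN = re.compile(r'"[^"]*"|//[^\n]*|/\*.*?\*/', re.DOTALL)
_GRANT = re.compile(r'\bgrant\b((?:"[^"]*"|[^"{])*)\{((?:"[^"]*"|[^"}])*)\}\s*;', re.I)
_PERM = re.compile(r'\bpermission\s+((?:"[^"]*"|[^";])*);', re.I)
GROOVY_CODEBASE = "file:/groovy/shell"  # codeBase named in step 3

# Constructed sample: the default, unrestricted grant next to an unrelated one.
SAMPLE_DEFAULT = '''
grant codeBase "file:${catalina.home}/bin/tomcat-juli.jar" {
    permission java.io.FilePermission "${catalina.base}${file.separator}logs", "read";
};
grant codeBase "file:/groovy/shell" {
    permission java.security.AllPermission;
};
'''
# Constructed sample: AllPermission commented out, read-only access from step 3.
SAMPLE_HARDENED = '''
grant codeBase "file:/groovy/shell" {
    // permission java.security.AllPermission;
    permission java.io.FilePermission "C:${file.separator}Users${file.separator}xyz${file.separator}-", "read";
};
'''

def strip_comments(text):
    """Blank out // and /* */ comments, keeping quoted strings untouched."""
    return _TOKEN.sub(lambda m: m.group(0) if m.group(0)[0] == '"' else " ", text)

def groovy_permissions(policy_text, codebase=GROOVY_CODEBASE):
    """Permission entries granted to the codeBase, or None if no grant names it."""
    perms, found = [], False
    for header, body in _GRANT.findall(strip_comments(policy_text)):
        m = re.search(r'\bcodeBase\s+"([^"]*)"', header, re.I)
        if m and m.group(1) == codebase:
            found = True
            perms += [" ".join(p.split()) for p in _PERM.findall(body)]
    return perms if found else None

def audit(policy_text):
    """Return (status, permissions) for the Groovy script grant."""
    perms = groovy_permissions(policy_text)
    if perms is None:
        return "no-grant-block", []
    if any(p.split()[:1] == ["java.security.AllPermission"] for p in perms):
        return "unrestricted", perms
    return "restricted", perms

if __name__ == "__main__":
    for name, text in (("default", SAMPLE_DEFAULT), ("hardened", SAMPLE_HARDENED)):
        print(name, audit(text))
```

A status of "unrestricted" means the scripts are still granted everything even though the Security Manager is enabled.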

By default, a Security Manager is in use that checks no action other than the termination of the Java virtual machine (SecurityManager.checkExit). Configuring a custom Security Manager cannot remove this check.

Note: activating the Jedox security manager affects the whole JedoxSuiteTomcat service, e.g. the Jedox Integrator server. This may result in a slight decrease in performance in some cases.
