How to set the Linux security environment for executing Java programs

Source: Internet
Author: User

Enterprise Java expert Dennis Sosnoski explains why he considers Java server technology a good fit for Linux, then offers suggestions for setting up the Tomcat Java servlet engine securely on Linux.

The Linux and Java platforms have a long history together, though one with frequent twists and turns. Building a high-performance virtual machine while keeping up with the growing set of core Java APIs is complex, and that complexity made early efforts at an open source "clean room" implementation of the Java platform very difficult. Licensed Java implementations are available for Linux, but they are not open source, so most Linux distributions do not include them.

Despite these difficulties, the Java platform provides many benefits, and as a result the licensed implementations are seeing more and more use on Linux, especially for server applications. In this article, I review the advantages of the Java platform for server applications, then look at the issues involved in deploying Java services on Linux simply and securely. As a practical example, I discuss in detail how to set up the Apache Software Foundation's widely used Tomcat Java servlet engine for standalone operation.

  Why the Java platform?

There are many reasons why the Java platform has become a widely accepted choice for server-based commercial applications. I will mainly discuss three that I think are critical in this environment: cross-platform compatibility, the managed execution environment, and ease of development.

Java applications provide binary compatibility across multiple operating systems and hardware platforms. This holds especially for non-GUI server applications, which usually need very little testing on the actual target system. Developers can code and debug on any platform they like and still deploy these applications to environments that they might not directly control.

The managed execution environment of the Java Virtual Machine (JVM) enhances program security in several ways. Most notably, the combination of strict type checking, array bounds checking, and automatic garbage collection completely prevents the most destructive forms of attack on server code: buffer overflows, double-free errors, and dangling pointers. Because the Java language was used for applets in its early days, it also has a complete system for fine-grained access control over facilities that pose a security risk. These controls are available to standalone applications, but they have also been built into the architecture of many Java services.

These security features also contribute to the ease of Java development. Ease of development is difficult to measure precisely, but most developers who come to Java from a background in languages such as C and C++ acknowledge that their productivity has increased since the change. This is partly due to strict type checking at both compile time and run time, and to the simplicity of automatic memory management. Another factor is the set of standard APIs developed for the Java platform. These APIs can be a major challenge for new developers, but once learned they provide excellent cross-platform support for a wide range of enterprise needs.

Of course, for some applications the Java platform may be a poor choice. Although JVM architectures continue to improve, Java applications generally run somewhat slower than C or C++ applications using the same algorithm. Based on my experience and tests, I estimate the speed difference to be in the range of 20% to 50% for most server applications running on licensed JVMs, though this depends largely on the quality of the code. Compared with stand-alone programs, Java applications running on these JVMs also suffer from slow startup, but this is not a major problem for long-running server applications. In most cases, the reduced performance and slow startup are a small price to pay for the enhanced security and faster development that the Java platform offers.

  Open source alternatives

In addition to the standard licensed JVMs (free of charge but source-restricted; available for Linux from Sun, IBM, BEA, and the Blackdown organization), there are several other alternatives on Linux. These include "clean room" open source JVM implementations, of which Kaffe (included in many Linux distributions) is the most widely used. Kaffe is a very worthwhile project that has accomplished some surprising work, but it offers only limited compatibility with the current licensed JVMs. It is therefore generally not suitable for enterprise-class server applications.

There are also several open source native code compilers for Java programs. The most important project here is GCJ. A native code compiler such as GCJ converts Java bytecode into platform-specific code before execution (in contrast to execution in a JVM, where bytecode is usually converted into platform-specific code during execution).

Native code compilation looks like a promising way to avoid the slow startup of Java applications run in a JVM. However, compilers using this approach generally cannot match the steady-state performance of current licensed JVMs. This is especially true if the Java application uses dynamic features of the Java platform (such as using reflection to access fields, or loading classes selected at run time). Depending on the implementation and the compilation options used, native code compilation may also weaken many of the Java platform's run-time security features. Finally, because of licensing issues, many Java APIs cannot be used with compiled native code. Given these restrictions, native code compilation is not a good choice for Java platform server applications.

  What about C#?

One alternative to the Java runtime environment is Microsoft's C# language and the related Common Language Runtime (CLR). C# is a closely related derivative of the Java language, and the CLR may allow C# to be used on many platforms. The CLR also provides many of the JVM's run-time security features (albeit with escape hatches that seriously weaken the security assurances). Microsoft .NET also supports the option of precompiling code to native code for faster startup, just as GCJ does for Java bytecode. Of course, Linux users cannot use this directly, because .NET is only available for Windows systems.

The Mono project is committed to building open source "clean room" implementations of C# and a CLR equivalent for a variety of Linux products. The project's C# compiler has now been developed, and most of the CLR has been completed; Microsoft has released it for standardization. In terms of performance and functionality, however, much work remains before it becomes a reasonable alternative to the Java platform. The CLR includes only the basic equivalent of the Java core class libraries. Before it can be considered a reasonable option for enterprise software development, it needs to be supplemented with many additional APIs.

The Mono project is also working on porting parts of .NET beyond the CLR. If those ports succeed, and if Microsoft does not enforce its patent rights over these parts of .NET, they will help meet what C# needs to become a reliable platform for Linux server software development. Turning those assumptions into reality still requires a great deal of work, however. In the meantime, native code compilers for Java programs and open source JVMs provide stable alternatives for those who really want to avoid using a licensed JVM and can tolerate limited functionality.
