In one of my current projects, my application has some pretty strict security requirements.  It’s designed so that only a small piece of the functionality is available to external users, while the full application can only be accessed by internal and partner users.  To ensure that the line isn’t breached, we’ve set up two parallel environments - the private side runs on the same servers as the rest of the internal applications with the public side isolated from the more secure internal applications.  This isn’t really anything that out of the ordinary.

Obviously we’ve got authentication and authorization procedures on the public side to ensure that users only see only what they’re allowed to see.  But is there a way to be even safer?  What if our public application included only the functionality that the public can see?

That’s exactly what we’ve done.  Our build script, which I’ll cover in more detail in a future post, allows us to declare Java packages to exclude from the public application package.  In the build.xml for each project, we optionally include an Ant property called “exclude.public” that contains a comma separated list of packages to exclude.

<property name="public.exclude" value="com/mycompany/myapp/packagea/**,
              com/mycompany/myapp/packageb/**,
              com/mycompany/myapp/packagec/**"/>

We’re using the Ant-contrib library to get real conditional logic within our Ant scripts, to make it easier to provide a default value for our properties in case we’d like to publish the full application.

    <target name="public-only">
        <if>
            <isset property="exclude.private"></isset>
            <then>
                <property name="excluded.files" value="${public.exclude}"/>
                <property name="dist.subdir" value="public/"/>
            </then>
            <else>
                <property name="excluded.files" value=""/>
                <property name="dist.subdir" value=""/>
            </else>
        </if>
    </target>

If we indicate we only want to build the public application, the public.exclude property becomes the value for the “excludes” attribute of the javac task - completely removing the code from the public application.

<javac srcdir="${src.dir}" destdir="${classes.dir}"
        classpathref="lib.path.id" debug="true"
        excludes="${excluded.files}"></javac>

Since the final package doesn’t even contain the dangerous code, we’ve made it impossible to execute even if all our other security fails us (unless of course we deploy the wrong package to the server).

This entry was posted on Thursday, August 21st, 2008 at 7:03 pm and is filed under Java, Security. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.