25.4 Modern Security Patterns and Least Privilege
Modern security requires multiple layers of defense, operating system integration, and adherence to the principle of least privilege.
Operating System Sandboxing
// Container Security Concepts
public class ContainerSecurity {
public static void printContainerSecurityPractices() {
System.out.println("=== CONTAINER SECURITY ===");
System.out.println("\n--- DOCKER BEST PRACTICES ---");
System.out.println("1. Run as non-root user:");
System.out.println(" Dockerfile:");
System.out.println(" RUN addgroup -g 1000 appuser && \\");
System.out.println(" adduser -u 1000 -G appuser -s /bin/sh -D appuser");
System.out.println(" USER appuser");
System.out.println("\n2. Read-only root filesystem:");
System.out.println(" docker run --read-only \\");
System.out.println(" --tmpfs /tmp \\");
System.out.println(" myapp:latest");
System.out.println("\n3. Drop capabilities:");
System.out.println(" docker run --cap-drop=ALL \\");
System.out.println(" --cap-add=NET_BIND_SERVICE \\");
System.out.println(" myapp:latest");
System.out.println("\n4. Resource limits:");
System.out.println(" docker run \\");
System.out.println(" --memory=512m \\");
System.out.println(" --cpus=1.0 \\");
System.out.println(" --pids-limit=100 \\");
System.out.println(" myapp:latest");
System.out.println("\n5. Security options:");
System.out.println(" docker run \\");
System.out.println(" --security-opt=no-new-privileges \\");
System.out.println(" --security-opt=seccomp=seccomp-profile.json \\");
System.out.println(" myapp:latest");
System.out.println("\n--- KUBERNETES SECURITY ---");
System.out.println("Pod Security Standards:");
System.out.println(" - Privileged: No restrictions (avoid)");
System.out.println(" - Baseline: Minimal restrictions");
System.out.println(" - Restricted: Heavily restricted (recommended)");
}
public static void printKubernetesSecurityContext() {
System.out.println("\n=== KUBERNETES POD SECURITY CONTEXT ===");
String yaml = """
apiVersion: v1
kind: Pod
metadata:
name: secure-app
spec:
# Pod-level security context
securityContext:
runAsNonRoot: true
runAsUser: 1000
runAsGroup: 1000
fsGroup: 1000
seccompProfile:
type: RuntimeDefault
containers:
- name: app
image: myapp:latest
# Container-level security context
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
add:
- NET_BIND_SERVICE
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 1000
# Resource limits
resources:
limits:
memory: "512Mi"
cpu: "500m"
requests:
memory: "256Mi"
cpu: "250m"
# Volume mounts (read-only where possible)
volumeMounts:
- name: tmp
mountPath: /tmp
- name: config
mountPath: /etc/config
readOnly: true
volumes:
- name: tmp
emptyDir: {}
- name: config
configMap:
name: app-config
""";
System.out.println(yaml);
}
}
Principle of Least Privilege
// Least Privilege Implementation
public class LeastPrivilege {
public static void printLeastPrivilegePrinciples() {
System.out.println("=== PRINCIPLE OF LEAST PRIVILEGE ===");
System.out.println("\n--- APPLICATION LEVEL ---");
System.out.println("1. Minimal permissions:");
System.out.println(" - Grant only required permissions");
System.out.println(" - No wildcard permissions in production");
System.out.println(" - Time-bound elevated permissions");
System.out.println("\n2. Separation of duties:");
System.out.println(" - Read-only users for reporting");
System.out.println(" - Separate admin accounts");
System.out.println(" - No shared accounts");
System.out.println("\n3. Service accounts:");
System.out.println(" - Dedicated account per service");
System.out.println(" - No human users for services");
System.out.println(" - Rotate service credentials");
System.out.println("\n--- OPERATING SYSTEM LEVEL ---");
System.out.println("1. Run as non-root:");
System.out.println(" - Dedicated application user");
System.out.println(" - No sudo/root access");
System.out.println(" - Minimal group memberships");
System.out.println("\n2. File system permissions:");
System.out.println(" - chmod 600 for sensitive files");
System.out.println(" - Read-only mounts where possible");
System.out.println(" - Minimal write access");
System.out.println("\n3. Network isolation:");
System.out.println(" - Firewall rules (deny by default)");
System.out.println(" - Security groups");
System.out.println(" - Network policies (Kubernetes)");
System.out.println("\n--- DATABASE LEVEL ---");
System.out.println("1. Minimal privileges:");
System.out.println(" - SELECT/INSERT/UPDATE only");
System.out.println(" - No DDL permissions");
System.out.println(" - No SUPER/ADMIN privileges");
System.out.println("\n2. Connection limits:");
System.out.println(" - Max connections per user");
System.out.println(" - Query timeouts");
System.out.println(" - Rate limiting");
}
}
// Application user management
public class ApplicationUserManagement {
// Run application as dedicated user (Linux example)
public static void printUserSetup() {
System.out.println("=== APPLICATION USER SETUP (LINUX) ===");
System.out.println("\n# Create dedicated application user");
System.out.println("sudo useradd -r -s /sbin/nologin -d /opt/myapp myapp");
System.out.println("\n# Create application directories");
System.out.println("sudo mkdir -p /opt/myapp/{bin,config,logs,data}");
System.out.println("sudo chown -R myapp:myapp /opt/myapp");
System.out.println("\n# Set permissions");
System.out.println("sudo chmod 755 /opt/myapp/bin");
System.out.println("sudo chmod 750 /opt/myapp/config");
System.out.println("sudo chmod 750 /opt/myapp/logs");
System.out.println("sudo chmod 700 /opt/myapp/data");
System.out.println("\n# Secure configuration file");
System.out.println("sudo chmod 600 /opt/myapp/config/application.properties");
System.out.println("\n# Run application as myapp user");
System.out.println("sudo -u myapp java -jar /opt/myapp/bin/app.jar");
}
// Systemd service with security hardening
public static void printSystemdService() {
System.out.println("\n=== SYSTEMD SERVICE (HARDENED) ===");
String service = """
[Unit]
Description=My Java Application
After=network.target
[Service]
Type=simple
User=myapp
Group=myapp
# Working directory
WorkingDirectory=/opt/myapp
# Command
ExecStart=/usr/bin/java -jar /opt/myapp/bin/app.jar
# Security hardening
NoNewPrivileges=true
PrivateTmp=true
PrivateDevices=true
ProtectSystem=strict
ProtectHome=true
ReadWritePaths=/opt/myapp/logs /opt/myapp/data
# Resource limits
LimitNOFILE=65535
LimitNPROC=512
MemoryLimit=1G
TasksMax=256
# Restart policy
Restart=on-failure
RestartSec=10
[Install]
WantedBy=multi-user.target
""";
System.out.println(service);
}
}
Secure Defaults and Configuration
// Secure configuration management
public class SecureConfiguration {
// Application properties with security in mind
public static void printSecureDefaults() {
System.out.println("=== SECURE CONFIGURATION DEFAULTS ===");
System.out.println("\n--- application.properties ---");
String props = """
# Server configuration
server.port=8080
server.address=127.0.0.1 # Bind to localhost only
# TLS configuration
server.ssl.enabled=true
server.ssl.key-store=classpath:keystore.p12
server.ssl.key-store-type=PKCS12
server.ssl.key-store-password=${KEYSTORE_PASSWORD}
server.ssl.protocol=TLS
server.ssl.enabled-protocols=TLSv1.3,TLSv1.2
# Security headers
server.servlet.session.cookie.http-only=true
server.servlet.session.cookie.secure=true
server.servlet.session.cookie.same-site=strict
# Session timeout (30 minutes)
server.servlet.session.timeout=30m
# Hide error details in production
server.error.include-message=never
server.error.include-binding-errors=never
server.error.include-stacktrace=never
server.error.include-exception=false
# Database connection
spring.datasource.url=jdbc:postgresql://localhost:5432/mydb?ssl=true
spring.datasource.username=${DB_USERNAME}
spring.datasource.password=${DB_PASSWORD}
# Connection pool limits
spring.datasource.hikari.maximum-pool-size=10
spring.datasource.hikari.minimum-idle=2
spring.datasource.hikari.connection-timeout=30000
spring.datasource.hikari.idle-timeout=600000
spring.datasource.hikari.max-lifetime=1800000
# Actuator security
management.endpoints.web.exposure.include=health,metrics
management.endpoint.health.show-details=when-authorized
management.metrics.export.prometheus.enabled=false
""";
System.out.println(props);
}
// Environment variable injection
public static class EnvironmentConfig {
public static String getDatabasePassword() {
String password = System.getenv("DB_PASSWORD");
if (password == null || password.isEmpty()) {
throw new IllegalStateException(
"DB_PASSWORD environment variable not set");
}
return password;
}
public static String getApiKey() {
String apiKey = System.getenv("API_KEY");
if (apiKey == null) {
throw new IllegalStateException(
"API_KEY environment variable not set");
}
return apiKey;
}
public static void validateConfiguration() {
List<String> missing = new ArrayList<>();
if (System.getenv("DB_PASSWORD") == null) {
missing.add("DB_PASSWORD");
}
if (System.getenv("KEYSTORE_PASSWORD") == null) {
missing.add("KEYSTORE_PASSWORD");
}
if (System.getenv("JWT_SECRET") == null) {
missing.add("JWT_SECRET");
}
if (!missing.isEmpty()) {
throw new IllegalStateException(
"Missing required environment variables: " + missing);
}
}
}
}
Security Manager Replacement Strategies
// Alternatives to deprecated SecurityManager
public class SecurityManagerAlternatives {
public static void printAlternatives() {
System.out.println("=== SECURITY MANAGER ALTERNATIVES ===");
System.out.println("\n--- 1. OPERATING SYSTEM ISOLATION ---");
System.out.println("Replace SecurityManager file access checks with:");
System.out.println(" - Container read-only filesystem");
System.out.println(" - OS file permissions (chmod, ACLs)");
System.out.println(" - SELinux/AppArmor policies");
System.out.println(" - Kubernetes pod security policies");
System.out.println("\n--- 2. JPMS ENCAPSULATION ---");
System.out.println("Replace SecurityManager API access checks with:");
System.out.println(" - Module exports/opens");
System.out.println(" - Strong encapsulation");
System.out.println(" - Service-based architecture");
System.out.println("\n--- 3. APPLICATION-LEVEL AUTHORIZATION ---");
System.out.println("Replace SecurityManager permission checks with:");
System.out.println(" - Spring Security @PreAuthorize");
System.out.println(" - Custom authorization framework");
System.out.println(" - RBAC/ABAC models");
System.out.println("\n--- 4. PROCESS ISOLATION ---");
System.out.println("Replace SecurityManager process controls with:");
System.out.println(" - Separate JVM processes");
System.out.println(" - Container isolation");
System.out.println(" - Microservices architecture");
System.out.println("\n--- 5. NETWORK ISOLATION ---");
System.out.println("Replace SecurityManager socket controls with:");
System.out.println(" - Firewall rules");
System.out.println(" - Security groups (cloud)");
System.out.println(" - Network policies (Kubernetes)");
System.out.println(" - Service mesh (Istio, Linkerd)");
}
// Example: File access control
public static class FileAccessControl {
private final Set<String> allowedPaths;
public FileAccessControl(Set<String> allowedPaths) {
this.allowedPaths = new HashSet<>(allowedPaths);
}
public void checkRead(String path) {
Path normalizedPath = Paths.get(path).normalize();
boolean allowed = allowedPaths.stream()
.anyMatch(allowed ->
normalizedPath.startsWith(Paths.get(allowed).normalize())
);
if (!allowed) {
throw new SecurityException(
"Read access denied: " + path);
}
}
public void checkWrite(String path) {
Path normalizedPath = Paths.get(path).normalize();
boolean allowed = allowedPaths.stream()
.anyMatch(allowed ->
normalizedPath.startsWith(Paths.get(allowed).normalize())
);
if (!allowed) {
throw new SecurityException(
"Write access denied: " + path);
}
}
}
}
Defense in Depth
// Multi-layered security approach
public class DefenseInDepth {
public static void printSecurityLayers() {
System.out.println("=== DEFENSE IN DEPTH ===");
System.out.println("\n--- LAYER 1: NETWORK ---");
System.out.println("✓ Firewall rules");
System.out.println("✓ VPC/subnet isolation");
System.out.println("✓ Network segmentation");
System.out.println("✓ DDoS protection");
System.out.println("✓ TLS for all connections");
System.out.println("\n--- LAYER 2: APPLICATION ---");
System.out.println("✓ Input validation");
System.out.println("✓ Output encoding");
System.out.println("✓ CSRF protection");
System.out.println("✓ XSS prevention");
System.out.println("✓ SQL injection prevention");
System.out.println("\n--- LAYER 3: AUTHENTICATION ---");
System.out.println("✓ Strong password policy");
System.out.println("✓ Multi-factor authentication");
System.out.println("✓ Account lockout");
System.out.println("✓ Session management");
System.out.println("✓ Token expiration");
System.out.println("\n--- LAYER 4: AUTHORIZATION ---");
System.out.println("✓ Role-based access control");
System.out.println("✓ Principle of least privilege");
System.out.println("✓ Permission checks at every layer");
System.out.println("✓ Audit logging");
System.out.println("\n--- LAYER 5: DATA ---");
System.out.println("✓ Encryption at rest");
System.out.println("✓ Encryption in transit");
System.out.println("✓ Data masking");
System.out.println("✓ Secure key management");
System.out.println("✓ Regular backups");
System.out.println("\n--- LAYER 6: INFRASTRUCTURE ---");
System.out.println("✓ Container security");
System.out.println("✓ OS hardening");
System.out.println("✓ Regular patching");
System.out.println("✓ Vulnerability scanning");
System.out.println("✓ Intrusion detection");
System.out.println("\n--- LAYER 7: MONITORING ---");
System.out.println("✓ Security event logging");
System.out.println("✓ Anomaly detection");
System.out.println("✓ Real-time alerts");
System.out.println("✓ Incident response");
System.out.println("✓ Regular security audits");
}
}
Security Checklist
// Production security checklist
public class ProductionSecurityChecklist {
public static void printChecklist() {
System.out.println("=== PRODUCTION SECURITY CHECKLIST ===");
System.out.println("\n[AUTHENTICATION]");
System.out.println("☐ MFA enabled for all users");
System.out.println("☐ Strong password policy enforced");
System.out.println("☐ Account lockout after failed attempts");
System.out.println("☐ Session timeout configured");
System.out.println("☐ Secure password storage (bcrypt, Argon2)");
System.out.println("\n[AUTHORIZATION]");
System.out.println("☐ RBAC/ABAC implemented");
System.out.println("☐ Least privilege principle applied");
System.out.println("☐ Authorization checks at all layers");
System.out.println("☐ Regular permission audits");
System.out.println("☐ Authorization decisions logged");
System.out.println("\n[ENCRYPTION]");
System.out.println("☐ TLS 1.2+ for all connections");
System.out.println("☐ Strong cipher suites only");
System.out.println("☐ Database encryption at rest");
System.out.println("☐ Secure key management (KMS)");
System.out.println("☐ No hardcoded secrets");
System.out.println("\n[APPLICATION]");
System.out.println("☐ Input validation on all inputs");
System.out.println("☐ Output encoding for XSS prevention");
System.out.println("☐ Parameterized queries (SQL injection)");
System.out.println("☐ CSRF protection enabled");
System.out.println("☐ Security headers configured");
System.out.println("☐ Error messages sanitized");
System.out.println("☐ Dependencies up to date");
System.out.println("☐ Vulnerability scanning enabled");
System.out.println("\n[INFRASTRUCTURE]");
System.out.println("☐ Run as non-root user");
System.out.println("☐ Container security (read-only, dropped caps)");
System.out.println("☐ Network isolation (firewall, security groups)");
System.out.println("☐ Resource limits configured");
System.out.println("☐ Regular OS patching");
System.out.println("☐ Intrusion detection enabled");
System.out.println("\n[LOGGING & MONITORING]");
System.out.println("☐ Security events logged");
System.out.println("☐ Audit trail for sensitive operations");
System.out.println("☐ Log aggregation configured");
System.out.println("☐ Real-time security alerts");
System.out.println("☐ Regular log review");
System.out.println("☐ Incident response plan");
System.out.println("\n[COMPLIANCE]");
System.out.println("☐ Data retention policy");
System.out.println("☐ Privacy policy implemented");
System.out.println("☐ Regulatory compliance (GDPR, HIPAA, etc.)");
System.out.println("☐ Regular security audits");
System.out.println("☐ Penetration testing");
System.out.println("☐ Security training for team");
}
}
Best Practices
- Defense in depth: Multiple security layers, not single point of failure.
- Least privilege: Grant minimum necessary permissions at all levels.
- Fail securely: Deny access on errors, don't fail open.
- Container security: Use hardened containers with minimal privileges.
- OS isolation: Leverage OS security features (SELinux, AppArmor, seccomp).
- Network isolation: Use firewalls, security groups, network policies.
- Secure defaults: Start restrictive, relax only when necessary.
- Environment separation: Dev, staging, production with different credentials.
- Regular updates: Patch OS, runtime, dependencies promptly.
- Audit and monitor: Log security events, set up alerts.
- Incident response: Have plan for security incidents.
- Security by design: Consider security from the start, not as afterthought.