Oracle Java Cloud Service - SaaS Extension

All the productivity of Java, without the IT.

Validating user application

Whitelist validation

Every application that is installed or updated in a Java Cloud Service - SaaS Extension instance is first validated by the Whitelist tool. This tool validates deployment descriptors and other application configuration files, such as the log4j.properties file, as part of the Java API validation.

If there are Java API violations, the tool may not reject the application from being deployed. Instead, it creates a warning report against the violations. A security exception is raised only at runtime, and only if the code containing those violations is exercised while the application is running. For example, it is common for third-party libraries to raise warnings during Whitelist validation; however, they are rarely exercised during runtime.

You can locally validate an application by using the whitelist.jar, which is available in the Java Cloud Service - SaaS Extension SDK.

Usage

$ java -jar whitelist.jar

Usage: java -jar whitelist.jar [-argument ...] [-help] [file1 file2 dir1 dir2 ...]

This tool can be used to scan one or more class files, JAR files, deployable archives (WAR or EAR), or exploded directories for any usages that are not allowed. It can also verify whether the input file (when the input file is not a class, JAR, WAR, or EAR) can be packaged inside a deployable archive.

For example:

  • java -jar whitelist.jar -log /home/log/newlog.log /home/apps/myapp.war
  • java -jar whitelist.jar myapp.jar
       
  Options:
  ----------------------
   log       - The path to the log file where the scan result will be written to.

               Shortcut:l

   grid      - The flag (true/false) that indicates if the error listing should be 
               done in a grid. Please ensure to have more width on the console 
               window to ensure that the grid does not wrap.

               Shortcut:g

               Default Value: false

   gridwidth - The maximum width of the grid. You can use this if you want to 
               limit the width of the grid display (for instance, when you have a 
               smaller display).

               Note: If you specify a smaller width, the grid might not be 
               formed to fit within the width. This is applicable when grid is true.

               Shortcut:gw

               Default Value: 180

$ java -jar whitelist.jar localremote-ejb.jar -grid

 #===========================================================================#
 |              Whitelist validation - localremote-ejb.jar                   |
 #===========================================================================#
 |          Entry              |          Validation Error(s) - 3            |
 |=============================|=============================================|
 |com/prohorenko/localremote/  |Type javax.ejb.EJBObject not                 |
 |ExRem.class(2)               |allowed.(OnClassSignature:com.prohorenko.    |
 |                             |localremote.ExRem ->Base type)               |
 |                             |Type java.rmi.RemoteException not allowed.   |
 |                             |(Exceptions at method:sayHello ->            |
 |                             |OnClassSignature:java.rmi.RemoteException)   |
 |-----------------------------+---------------------------------------------|
 |com/prohorenko/localremote   |Type java.rmi.RemoteException not allowed.   |
 |/ExRemHome.class(1)          |(Exceptions at method:create->               |
 |                             |OnClassSignature:java.rmi.RemoteException)   |
 +-----------------------------+---------------------------------------------+
        
        ERROR    - Whitelist validation has failed with 3 error(s).
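
Because Java API violations may only produce warnings at deployment and a security exception at runtime, a local build gate can refuse to ship any archive the tool flags. The following is an added example, not part of the SDK or Oracle's code: it parses the grid report shown above and cross-checks the parsed violations against the tool's own total. The function names are hypothetical, and the parser assumes the two-column grid layout exactly as it appears in the sample output.

```python
import re

# Constructed sample: the grid report shown on this page, as captured from stdout.
SAMPLE_REPORT = """\
 #===========================================================================#
 |              Whitelist validation - localremote-ejb.jar                   |
 #===========================================================================#
 |          Entry              |          Validation Error(s) - 3            |
 |=============================|=============================================|
 |com/prohorenko/localremote/  |Type javax.ejb.EJBObject not                 |
 |ExRem.class(2)               |allowed.(OnClassSignature:com.prohorenko.    |
 |                             |localremote.ExRem ->Base type)               |
 |                             |Type java.rmi.RemoteException not allowed.   |
 |                             |(Exceptions at method:sayHello ->            |
 |                             |OnClassSignature:java.rmi.RemoteException)   |
 |-----------------------------+---------------------------------------------|
 |com/prohorenko/localremote   |Type java.rmi.RemoteException not allowed.   |
 |/ExRemHome.class(1)          |(Exceptions at method:create->               |
 |                             |OnClassSignature:java.rmi.RemoteException)   |
 +-----------------------------+---------------------------------------------+

        ERROR    - Whitelist validation has failed with 3 error(s).
"""

RULE = re.compile(r"^\s*[#|+][-=+|]+[#|+]\s*$")     # horizontal rule lines
ROW = re.compile(r"^\s*\|([^|]*)\|([^|]*)\|\s*$")    # two-column data row
TYPE = re.compile(r"Type\s+(\S+)\s+not\s+allowed")   # one reported violation
TOTAL = re.compile(r"failed with (\d+) error\(s\)")  # summary line

def parse_report(text):
    """Return ({entry: [disallowed types]}, total on the ERROR line or 0)."""
    found, entry, cells = {}, "", []
    for line in text.splitlines() + ["+-+"]:         # sentinel rule flushes a truncated report
        if RULE.match(line):
            if entry:
                found[entry] = TYPE.findall(" ".join(cells))
            entry, cells = "", []
        elif (m := ROW.match(line)) and "Validation Error(s)" not in m.group(2):
            entry += m.group(1).strip()              # entry names wrap with no space
            cells.append(m.group(2).strip())
    total = TOTAL.search(text)
    return found, int(total.group(1)) if total else 0

def should_block(text):
    """Block on any violation, or when the parse disagrees with the tool's total."""
    # Assumption: no rows and no ERROR line means clean (clean output is not shown on the page).
    found, total = parse_report(text)
    parsed = sum(len(types) for types in found.values())
    return total > 0 or parsed != total
```

A type name that wraps across two grid lines would not be matched, so run the tool with a gridwidth wide enough to avoid wrapping inside names; the total cross-check in should_block catches that case by blocking.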