WebSphere Application Server

JSR-352 (Java Batch) Post #85: Security Overview

By David Follis posted Wed April 08, 2020 08:25 AM

This post is part of a series delving into the details of the JSR-352 (Java Batch) specification. Each post examines a very specific part of the specification and looks at how it works and how you might use it in a real batch application.

To start at the beginning, follow the link to the first post.

The next post in the series is here.

This series is also available as a podcast on iTunesGoogle PlayStitcher, or use the link to the RSS feed

Security is a large and complex topic.  Securing the batch environment properly is going to be important if you plan to run your Java Batch applications in a production environment.  The next few posts will try to hit a few of the more interesting points that you might want to consider.  These posts are, of course, by no means the definitive word on proper security set up. 

So what sorts of things do we need to worry about?  We’ll assume you’ve got the server(s) themselves set up properly and able to correctly access their own configuration and runtime libraries.  We do still want to worry about access to the server to submit and manage jobs.  This is an operational consideration that can get pretty complicated.

We’ll also want to make sure the batch container code can access the resources it needs (the Job Repository and possibly a job message queue).  And we need to make sure nobody else can get to those resources to muck around in them.

And finally, we’ll want to be sure we’ve handled the batch application’s access to resources it needs.  This might include files or databases or other resource managers.  Control of access to those will depend on how the resource is accessed and it might matter what identity the job itself is running under. 

If your servers are publishing batch events into the batch topic tree, access to subscribe (and publish) will be important. 

And remember that joblogs are being written into the server’s file system, so access to those directories will need to be controlled. 

In subsequent posts we’ll take a closer look at a few of these topics.  There are, of course, many more.  You might have a look at IBM Techdoc WP102696 for more details and examples.