8.8.2 Setting security policy
This section describes the setting of the security policy.
You must set up the security policy when changing the configuration of the Logger class of the J2SE1.4 specifications, creating a FileHandler class, and directly implementing the logging functionality of the standard J2SE in a source program of the application. You define the security polity in server.policy (security policy file for J2EE servers) or web.policy (SecurityManager definition file).
Note that when defining the security policy in server.policy, specify the settings by using the Smart Composer functionality command, after building the system.
You need not set up the security policy when specifying the output for a logger, which is built on the basis of the parameters of the Easy Setup definition file. You must set up the security policy in the following cases:
-
When creating a J2SE standard file handler in the source code of a user application
-
When changing the configuration of a logger by invoking the addHandler method in the Logger class
In such cases, the security policy used for the Java logging API operations is required. Specify the following security permissions as and when required.
The setting contents of server.policy are given below.
- Organization of this subsection
(1) When creating filters and formatters with reflection
You add the following line when creating the Filter class or the Formatter class with reflection:
permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
All the Handler classes acquire the properties from the log manager (LogManager) and generate the Formatter class or Filter class by using the Reflection functionality at the time of execution. Therefore, you must have permissions related to Reflection.
(2) When setting properties of log manager (LogManager)
You add the following line when setting the properties of a log manager:
permission java.util.PropertyPermission "*", "read, write";
A log manager must have reading and writing permissions (set** of Property) for the property values used for log output.
(3) When using J2SE standard file handler (When using the classes (FileHandler and CJMessageFileHandler) that output File)
You add the following line when using the classes (FileHandler and CJMessageFileHandler) that output File:
permission java.io.FilePermission "<<ALL FILES>>", "read, write";
You must have permissions to actually output the log to a file. You must have reading and writing permissions when you want to output the log to a file.
(4) When changing a log system by using the Logger.addHandler method of the Java logging API
You add the following line when using the logging API of the J2SE1.4 specification:
permission java.util.logging.LoggingPermission "control";
You must specify the security permissions for using the Java logging API. You cannot use logging APIs, if this value is not specified.
(5) Setting example
The following is an example of setting server.policy (security policy file for a J2EE server), when changing the log system by using the Logger.addHandler method of the Java logging APIs, from Servlets of J2EE applications.
Setting example
//
// Grant permissions to JSP/Servlet
//
grant codeBase "file:${ejbserver.http.root}/web/${ejbserver.serverName}/-" {
permission java.lang.RuntimePermission "loadLibrary.*";
permission java.lang.RuntimePermission "queuePrintJob";
permission java.net.SocketPermission "*", "connect";
permission java.io.FilePermission "<<ALL FILES>>", "read, write";
permission java.util.PropertyPermission "*", "read";
permission javax.security.auth.AuthPermission "getSubject";
permission javax.security.auth.AuthPermission "createLoginContext.*";
//For J2SE Logging Source
permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
permission java.util.PropertyPermission "*", "read, write";
permission java.util.logging.LoggingPermission "control";
};For details on how to define server.policy (security policy file for J2EE servers), see 2.2.4 server.policy (Security policy file for J2EE servers) in the uCosminexus Application Server Definition Reference Guide.