Hitachi

uCosminexus Application Server Definition Reference Guide


2.2.4 server.policy (Security policy file for J2EE servers)

(1) Format

The security policy file follows the format of the security policy file of J2SE.

(2) File storage location

(3) Functionality

Specify the security policy of the JavaVM that executes the J2EE servers.

If you change the contents of this file while the J2EE server is running, the changes take effect only the next time the J2EE server is started.

(4) Examples of coding

The contents of the policy file that is used are as follows:

// (1)
// Grant all permissions to the java extensions
grant codeBase "file:${java.home}/lib/ext/-" {
    permission java.security.AllPermission;
};

// (2)
// Grant all permissions to the java tools, etc
// Note: java.home is the jre, not the installation dir for the jdk
grant codeBase "file:${java.home}/../lib/*" {
    permission java.security.AllPermission;
};

// (3)
// Grant all permissions to anything loaded from the
// EJB server itself

grant codeBase "file:${ejbserver.install.root}/lib/*" {
    permission java.security.AllPermission;
};
grant codeBase "file:${tpbroker.java.home}/lib/*" {
    permission java.security.AllPermission;
};
grant codeBase "file:${cosminexus.home}/DABJ/*" {
    permission java.security.AllPermission;
};
grant codeBase "file:${cosminexus.home}/manager/lib/*" {
    permission java.security.AllPermission;
};
grant codeBase "file:${cosminexus.home}/c4web/lib/*" {
    permission java.security.AllPermission;
};
grant codeBase "file:${cosminexus.home}/c4web/exlib/*" {
    permission java.security.AllPermission;
};
grant codeBase "file:${cosminexus.home}/jaxws/lib/*" {
    permission java.security.AllPermission;
};
grant codeBase "file:${cosminexus.home}/jaxrs/lib/*" {
    permission java.security.AllPermission;
};
grant codeBase "file:${cosminexus.home}/jaxp/lib/*" {
    permission java.security.AllPermission;
};
grant codeBase "file:${cosminexus.home}/CTM/lib/*" {
    permission java.security.AllPermission;
};
grant codeBase "file:${cosminexus.home}/PRF/lib/*" {
    permission java.security.AllPermission;
};
grant codeBase "file:${cosminexus.home}/wss/lib/*" {
    permission java.security.AllPermission;
};
grant codeBase "file:${cosminexus.home}/XMLSEC/lib/*" {
    permission java.security.AllPermission;
};
grant codeBase "file:${ejbserver.install.root}/sfo/lib/*" {
    permission java.security.AllPermission;
};
grant codeBase "file:${hntrlib.home}/classes/*" {
    permission java.security.AllPermission;
};
grant codeBase "file:${cosminexus.home}/common/lib/*" {
    permission java.security.AllPermission;
};
grant codeBase "file:${ejbserver.install.root}/weld/lib/*" {
    permission java.security.AllPermission;
};

// (4)
// Grant all permissions to the container generated stubs and
// implementation classes
grant codeBase "file:${ejbserver.http.root}/ejb/${ejbserver.serverName}/containers/-" {
    permission java.security.AllPermission;
};

// (5)
// Grant all permissions to imported resource (datasource) implementations
// implementation classes
grant codeBase "http://*/ejb/${ejbserver.serverName}/import/resjars/-" {
    permission java.security.AllPermission;
};


// (6)
// Grant permissions to resource adapters
//
grant codeBase "file:${ejbserver.http.root}/ejb/${ejbserver.serverName}/rarjars/-" {

    // For uCosminexus TP1 Connector & TP1/Client/J
    permission java.util.PropertyPermission "*", "read, write";

    // For uCosminexus TP1 Connector & TP1/Client/J & Cosminexus Reliable Messaging
    permission java.io.FilePermission "<<ALL FILES>>", "read, write, delete";
    permission java.net.SocketPermission "*", "connect,listen,accept";

    // For TP1/Message Queue - Access
    permission java.lang.RuntimePermission "loadLibrary.*";

    // For TP1/Message Queue - Access & Cosminexus Reliable Messaging
    permission java.lang.RuntimePermission "modifyThreadGroup";
    permission java.lang.RuntimePermission "modifyThread";

    // For DB Connector
    permission java.lang.reflect.ReflectPermission "suppressAccessChecks";

    // For authentication (from J2EE RI server.policy file)
    permission javax.security.auth.PrivateCredentialPermission "* * \"*\"", "read";

    // For Cosminexus Reliable Messaging
    permission javax.security.auth.AuthPermission "modifyPrivateCredentials";
    permission java.lang.RuntimePermission "getenv.HRMDIR";

    // For Cosminexus SOA FTP Inbound Adapter
    permission java.lang.RuntimePermission "getClassLoader";
    permission java.lang.RuntimePermission "setContextClassLoader";
    permission java.lang.RuntimePermission "accessDeclaredMembers";
};


// (7)
// Grant permissions to JSP/Servlet
//
grant codeBase "file:${ejbserver.http.root}/web/${ejbserver.serverName}/-" {
    permission java.lang.RuntimePermission "loadLibrary.*";
    permission java.lang.RuntimePermission "queuePrintJob";
    permission java.lang.RuntimePermission "modifyThread";
    permission java.lang.RuntimePermission "modifyThreadGroup";
    permission java.net.SocketPermission "*", "connect";
    permission java.io.FilePermission "<<ALL FILES>>", "read, write";
    permission java.util.PropertyPermission "*", "read";
    permission javax.security.auth.AuthPermission "getSubject";
    permission javax.security.auth.AuthPermission "createLoginContext.*";
};


// (8)
// Grant permissions to Cosminexus Service Coordinator
//
grant codeBase "file:${cosminexus.home}/CSC/lib/*" {
    permission java.security.AllPermission;
};


// (9)
// Grant permissions to custom login modules
//
grant codeBase "file:${cosminexus.home}/manager/modules/-" {
    permission java.io.FilePermission "<<ALL FILES>>", "read";
    permission javax.security.auth.AuthPermission "modifyPrincipals";
    permission javax.security.auth.AuthPermission "modifyPublicCredentials";
};


// (10)
// Grant minimal permissions to everything else:
// EJBs
// client implementation classes
grant {
    permission java.util.PropertyPermission "*", "read";
    permission java.lang.RuntimePermission "queuePrintJob";
    permission java.net.SocketPermission "*", "connect";
};

The coding examples (1) to (10) are explained as follows:

(1)

Grant the following permission to the class files located under the ext directory of the JDK:

  • Grant all access permissions

(2)

Grant the following permission to the class files located under the lib directory of the JDK:

  • Grant all access permissions

(3)

Grant the following permission to the class files used in a J2EE server:

  • Grant all access permissions

(4)

Grant the following permission to class files, such as stubs and skeletons, that are generated by the J2EE server:

  • Grant all access permissions

(5)

Grant the following permission to the class files of the resources used by a J2EE server:

  • Grant all access permissions

(6)

Grant the following access permissions to the class files of the resource adapters used by a J2EE server:

  • Allow read and write of the entire property information

  • Allow read, write, and deletion of all files

  • Allow connection to the network, standby for connection, and acceptance of a connection for all socket communications

  • Allow loading of all libraries

  • Allow changing of thread groups

  • Allow changing of threads

  • Allow all reflection operations

  • Allow access to all private Credentials owned by any Subject

  • Allow changing of sets of private Credentials correlated to the Subject

  • Allow the collection of values for the environment variable HRMDIR

  • The class loader can be obtained

  • The context class loader can be set up

  • The declared class members can be accessed

Note
  • The codeBase describes the directory, managed by the J2EE server, to which the JAR files in the resource adapter are deployed.

  • The permissions apply to all resource adapters running in the J2EE server.

(7)

Grant the following access permissions to the class files of JSPs and servlets:

  • Allow loading of all libraries

  • Allow print job requests

  • Allow changing of threads

  • Allow changing of thread groups

  • Allow network connection for all socket communications

  • Allow read and write for all files

  • Allow read of the entire property information

  • Subject reference is permitted

  • The LoginContext class can be instantiated with any name

(8)

Grant the following access permissions to the class files of Cosminexus Service Coordinator:

  • Grant all access permissions

(9)

The custom login module for integrated user management has the following permissions:

  • All the files can be read

  • Principal and Credential can be added in Subject

(10)

Grant the following access permissions to all class files:

  • Allow read of the entire property information

  • Allow print job requests

  • Allow network connection for all socket communications
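
The following Python audit is an added example, not part of the Hitachi manual or product: it parses grant entries in the form used above and lists the broadest grants for review. It assumes only `grant` entries with an optional `codeBase` and whole-line `//` comments (no `signedBy`, `principal` or `/* */`); the function names and finding labels are hypothetical.

```python
import re

# Constructed excerpt: blocks (5), (6) and (10) of the policy above, shortened.
SAMPLE = r'''
// (5)
grant codeBase "http://*/ejb/${ejbserver.serverName}/import/resjars/-" {
    permission java.security.AllPermission;
};
// (6)
grant codeBase "file:${ejbserver.http.root}/ejb/${ejbserver.serverName}/rarjars/-" {
    permission java.io.FilePermission "<<ALL FILES>>", "read, write, delete";
    permission java.net.SocketPermission "*", "connect,listen,accept";
};
// (10)
grant {
    permission java.util.PropertyPermission "*", "read";
    permission java.net.SocketPermission "*", "connect";
};
'''
GRANT = re.compile(r'grant(?:\s+codeBase\s+"([^"]*)")?\s*\{(.*?)\}\s*;', re.S)
PERM = re.compile(r'permission\s+([\w.]+)(?:\s+"((?:[^"\\]|\\.)*)")?(?:\s*,\s*"([^"]*)")?\s*;')

def parse_policy(text):
    """Return [(codeBase or None, [(class, target, actions), ...]), ...]."""
    # Drop whole-line comments only: "//" also occurs inside "http://" codeBases.
    text = re.sub(r'(?m)^\s*//.*$', '', text)
    return [(cb or None, PERM.findall(body)) for cb, body in GRANT.findall(text)]

def audit(text):
    """Return sorted (scope, finding) pairs for broad grants to review."""
    out = set()
    for cb, perms in parse_policy(text):
        scope = cb or '<all code>'   # a grant without codeBase applies to all code
        for cls, target, actions in perms:
            name = cls.rsplit('.', 1)[-1]
            acts = {a.strip() for a in actions.split(',')}
            if name == 'AllPermission':
                note = '' if (cb or '').startswith('file:') else ' (codeBase is not file:)'
                out.add((scope, 'AllPermission' + note))
            elif name == 'FilePermission' and target == '<<ALL FILES>>' and acts & {'write', 'delete'}:
                out.add((scope, 'write/delete on <<ALL FILES>>'))
            elif name == 'SocketPermission' and target == '*' and acts & {'listen', 'accept'}:
                out.add((scope, 'listen/accept on any host'))
            elif cb is None and target == '*':
                out.add((scope, f'{name} "*" granted to all code'))
    return sorted(out)

if __name__ == '__main__':
    print(*audit(SAMPLE), sep='\n')
```

Run against a full server.policy, the output gives a short list of entries to compare with the components actually deployed on the J2EE server.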

(5) Notes