2.2.4 server.policy (Security policy file for J2EE servers)
(1) Format
The security policy file follows the format of the security policy file of J2SE.
(2) File storage location
- In Windows
  Cosminexus-installation-directory\CC\server\usrconf\ejb\server-name\
- In UNIX
  /opt/Cosminexus/CC/server/usrconf/ejb/server-name/
(3) Functionality
Specify the security policy of the JavaVM that executes the J2EE servers.
If you change the contents of this file while the J2EE server is running, the changes become effective only when the J2EE server is started next.
(4) Examples of coding
The contents of the policy file that is used are as follows:

// (1)
// Grant all permissions to the java extensions
grant codeBase "file:${java.home}/lib/ext/-" {
    permission java.security.AllPermission;
};

// (2)
// Grant all permissions to the java tools, etc
// Note: java.home is the jre, not the installation dir for the jdk
grant codeBase "file:${java.home}/../lib/*" {
    permission java.security.AllPermission;
};

// (3)
// Grant all permissions to anything loaded from the
// EJB server itself
grant codeBase "file:${ejbserver.install.root}/lib/*" {
    permission java.security.AllPermission;
};
grant codeBase "file:${tpbroker.java.home}/lib/*" {
    permission java.security.AllPermission;
};
grant codeBase "file:${cosminexus.home}/DABJ/*" {
    permission java.security.AllPermission;
};
grant codeBase "file:${cosminexus.home}/manager/lib/*" {
    permission java.security.AllPermission;
};
grant codeBase "file:${cosminexus.home}/c4web/lib/*" {
    permission java.security.AllPermission;
};
grant codeBase "file:${cosminexus.home}/c4web/exlib/*" {
    permission java.security.AllPermission;
};
grant codeBase "file:${cosminexus.home}/jaxws/lib/*" {
    permission java.security.AllPermission;
};
grant codeBase "file:${cosminexus.home}/jaxrs/lib/*" {
    permission java.security.AllPermission;
};
grant codeBase "file:${cosminexus.home}/jaxp/lib/*" {
    permission java.security.AllPermission;
};
grant codeBase "file:${cosminexus.home}/CTM/lib/*" {
    permission java.security.AllPermission;
};
grant codeBase "file:${cosminexus.home}/PRF/lib/*" {
    permission java.security.AllPermission;
};
grant codeBase "file:${cosminexus.home}/wss/lib/*" {
    permission java.security.AllPermission;
};
grant codeBase "file:${cosminexus.home}/XMLSEC/lib/*" {
    permission java.security.AllPermission;
};
grant codeBase "file:${ejbserver.install.root}/sfo/lib/*" {
    permission java.security.AllPermission;
};
grant codeBase "file:${hntrlib.home}/classes/*" {
    permission java.security.AllPermission;
};
grant codeBase "file:${cosminexus.home}/common/lib/*" {
    permission java.security.AllPermission;
};
grant codeBase "file:${ejbserver.install.root}/weld/lib/*" {
    permission java.security.AllPermission;
};

// (4)
// Grant all permissions to the container generated stubs and
// implementation classes
grant codeBase "file:${ejbserver.http.root}/ejb/${ejbserver.serverName}/containers/-" {
    permission java.security.AllPermission;
};

// (5)
// Grant all permissions to imported resource (datasource) implementations
// implementation classes
grant codeBase "http://*/ejb/${ejbserver.serverName}/import/resjars/-" {
    permission java.security.AllPermission;
};

// (6)
// Grant permissions to resource adapters
//
grant codeBase "file:${ejbserver.http.root}/ejb/${ejbserver.serverName}/rarjars/-" {
    // For uCosminexus TP1 Connector & TP1/Client/J
    permission java.util.PropertyPermission "*", "read, write";
    // For uCosminexus TP1 Connector & TP1/Client/J & Cosminexus Reliable Messaging
    permission java.io.FilePermission "<<ALL FILES>>", "read, write, delete";
    permission java.net.SocketPermission "*", "connect,listen,accept";
    // For TP1/Message Queue - Access
    permission java.lang.RuntimePermission "loadLibrary.*";
    // For TP1/Message Queue - Access & Cosminexus Reliable Messaging
    permission java.lang.RuntimePermission "modifyThreadGroup";
    permission java.lang.RuntimePermission "modifyThread";
    // For DB Connector
    permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
    // For authentication (from J2EE RI server.policy file)
    permission javax.security.auth.PrivateCredentialPermission "* * \"*\"", "read";
    // For Cosminexus Reliable Messaging
    permission javax.security.auth.AuthPermission "modifyPrivateCredentials";
    permission java.lang.RuntimePermission "getenv.HRMDIR";
    // For Cosminexus SOA FTP Inbound Adapter
    permission java.lang.RuntimePermission "getClassLoader";
    permission java.lang.RuntimePermission "setContextClassLoader";
    permission java.lang.RuntimePermission "accessDeclaredMembers";
};

// (7)
// Grant permissions to JSP/Servlet
//
grant codeBase "file:${ejbserver.http.root}/web/${ejbserver.serverName}/-" {
    permission java.lang.RuntimePermission "loadLibrary.*";
    permission java.lang.RuntimePermission "queuePrintJob";
    permission java.lang.RuntimePermission "modifyThread";
    permission java.lang.RuntimePermission "modifyThreadGroup";
    permission java.net.SocketPermission "*", "connect";
    permission java.io.FilePermission "<<ALL FILES>>", "read, write";
    permission java.util.PropertyPermission "*", "read";
    permission javax.security.auth.AuthPermission "getSubject";
    permission javax.security.auth.AuthPermission "createLoginContext.*";
};

// (8)
// Grant permissions to Cosminexus Service Coordinator
//
grant codeBase "file:${cosminexus.home}/CSC/lib/*" {
    permission java.security.AllPermission;
};

// (9)
// Grant permissions to custom login modules
//
grant codeBase "file:${cosminexus.home}/manager/modules/-" {
    permission java.io.FilePermission "<<ALL FILES>>", "read";
    permission javax.security.auth.AuthPermission "modifyPrincipals";
    permission javax.security.auth.AuthPermission "modifyPublicCredentials";
};

// (10)
// Grant minimal permissions to everything else:
// EJBs
// client implementation classes
grant {
    permission java.util.PropertyPermission "*", "read";
    permission java.lang.RuntimePermission "queuePrintJob";
    permission java.net.SocketPermission "*", "connect";
};

Items (1) to (10) in the coding example are explained below:
- (1)
  Grant the following permission to the class files under the ext directory of the JDK:
  - Grant all access permissions
- (2)
  Grant the following permission to the class files under the lib directory of the JDK:
  - Grant all access permissions
- (3)
  Grant the following permission to the class files used in a J2EE server:
  - Grant all access permissions
- (4)
  Grant the following permission to class files, such as stubs and skeletons, that are generated by the J2EE server:
  - Grant all access permissions
- (5)
  Grant the following permission to the class files of the resources used by a J2EE server:
  - Grant all access permissions
- (6)
  Grant the following access permissions to the class files of the resource adapters used by a J2EE server:
  - Allow read and write of the entire property information
  - Allow read, write, and deletion of all files
  - Allow connection to the network, standby for connection, and acceptance of a connection for all socket communications
  - Allow loading of all libraries
  - Allow changing of thread groups
  - Allow changing of threads
  - Allow all reflection operations
  - Allow access to all private Credentials owned by any Subject
  - Allow changing of sets of private Credentials correlated to the Subject
  - Allow the collection of values for the environment variable HRMDIR
  - Allow obtaining the class loader
  - Allow setting the context class loader
  - Allow access to the declared class members
  Note
  - The codeBase specifies the directory, managed by the J2EE server, to which the JAR files in resource adapters are deployed.
  - The permissions therefore apply to all resource adapters running in the J2EE server.
- (7)
  Grant the following access permissions to the class files of JSPs and servlets:
  - Allow loading of all libraries
  - Allow print job requests
  - Allow changing of threads
  - Allow changing of thread groups
  - Allow network connection for all socket communications
  - Allow read and write for all files
  - Allow read of the entire property information
  - Allow reference to the Subject
  - Allow instantiation of the LoginContext class with any name
- (8)
  Grant the following access permissions to the class files of Cosminexus Service Coordinator:
  - Grant all access permissions
- (9)
  Grant the following access permissions to the custom login module for integrated user management:
  - Allow read of all files
  - Allow adding Principals and Credentials to the Subject
- (10)
  Grant the following access permissions to all class files:
  - Allow read of the entire property information
  - Allow print job requests
  - Allow network connection for all socket communications
(5) Notes
- If you use a server.policy file that has invalid syntax or lacks the appropriate access permissions, java.lang.StackOverflowError or java.lang.OutOfMemoryError occurs, and the J2EE server might terminate abnormally.
- The minimum access permissions required for operating the J2EE server are coded in the server.policy file generated when setting up the server. Do not delete or change the coding lines in the generated server.policy file.
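
A pre-restart check for the two notes above, as an added example that is not part of the product documentation or of Cosminexus: it parses a server.policy in the J2SE policy syntax, raises an error on a syntax problem, and reports permissions removed from or added to the generated baseline. The function names and both sample excerpts are constructed for illustration; grant header fields other than codeBase are skipped.

```python
import re

# Tokens of the J2SE policy syntax. Quoted strings are matched whole, so the
# "//" inside "http://*/..." (entry 5) is never mistaken for a comment.
TOKEN = re.compile(r'''//[^\n]*|/\*.*?\*/|"(?:\\.|[^"\\])*"|[{};,]|[^\s{};,"]+''', re.S)

def parse_policy(text):
    """Return {codeBase or None: set of permission tuples}; ValueError on bad syntax."""
    toks = [t for t in TOKEN.findall(text) if not t.startswith(("//", "/*"))]
    grants, i = {}, 0
    try:
        while i < len(toks):
            if toks[i] != "grant":
                raise ValueError(f"expected 'grant', found {toks[i]!r}")
            code_base, i = None, i + 1
            while toks[i] != "{":                  # grant header
                if toks[i] == "codeBase":
                    code_base = toks[i + 1].strip('"')
                i += 1
            perms, i = grants.setdefault(code_base, set()), i + 1
            while toks[i] != "}":
                if toks[i] != "permission":
                    raise ValueError(f"expected 'permission', found {toks[i]!r}")
                end = toks.index(";", i)           # ValueError if ';' is missing
                perms.add(tuple(t for t in toks[i + 1:end] if t != ","))
                i = end + 1
            if toks[i + 1] != ";":
                raise ValueError("grant entry must end with '};'")
            i += 2
    except IndexError:
        raise ValueError("unterminated grant entry") from None
    return grants

def diff_policy(baseline, edited):
    """(removed, added) permissions per codeBase, relative to the generated baseline."""
    base, cur = parse_policy(baseline), parse_policy(edited)
    removed = {cb: p - cur.get(cb, set()) for cb, p in base.items() if p - cur.get(cb, set())}
    added = {cb: p - base.get(cb, set()) for cb, p in cur.items() if p - base.get(cb, set())}
    return removed, added

# Constructed excerpt of a generated server.policy, using entries shown on this page.
BASELINE = r'''
grant codeBase "http://*/ejb/${ejbserver.serverName}/import/resjars/-" { permission java.security.AllPermission; };
grant codeBase "file:${ejbserver.http.root}/ejb/${ejbserver.serverName}/rarjars/-" { permission javax.security.auth.PrivateCredentialPermission "* * \"*\"", "read"; };
grant { permission java.util.PropertyPermission "*", "read"; };
'''
# Constructed edit: entry (5) was deleted and the default grant (10) was widened.
EDITED = BASELINE.split("};", 1)[1].replace(
    "grant {", 'grant {\n  permission java.io.FilePermission "<<ALL FILES>>", "read, write";')
```

Anything in `removed` conflicts with the instruction not to delete or change generated lines; anything in `added` widens what that codeBase may do and is worth reviewing before the next server start, when the change takes effect.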