3.2.3 server.policy (Security policy file for batch servers)

Organization of this subsection

(1) Format
(2) File storage location
(3) Functionality
(4) Examples of coding
(5) Notes

(1) Format

The security policy file follows the format of the security policy file of J2SE.

To Page Top

(2) File storage location

In Windows

Cosminexus-installation-directory\CC\server\usrconf\ejb\server-name\
In UNIX

/opt/Cosminexus/CC/server/usrconf/ejb/server-name/

To Page Top

(3) Functionality

Specify the security policy of the JavaVM that executes the batch servers.

If you change the contents of this file while the batch server is running, the changes become effective only when the batch server is started next.

To Page Top

(4) Examples of coding

The contents of the used policy file are as follows:

// (1)
// Grant all permissions to the java extensions
grant codeBase "file:${java.home}/lib/ext/-" {
permission java.security.AllPermission;
};
 
// (2)
// Grant all permissions to the java tools, etc
// Note: java.home is the jre, not the installation dir for the jdk
grant codeBase "file:${java.home}/../lib/*" {
permission java.security.AllPermission;
};
 
// (3)
// Grant all permissions to anything loaded from the
// EJB server itself
 
grant codeBase "file:${ejbserver.install.root}/lib/*" {
permission java.security.AllPermission;
};
grant codeBase "file:${tpbroker.java.home}/lib/*" {
permission java.security.AllPermission;
};
grant codeBase "file:${cosminexus.home}/DABJ/*" {
permission java.security.AllPermission;
};
grant codeBase "file:${cosminexus.home}/manager/lib/*" {
permission java.security.AllPermission;
};
grant codeBase "file:${cosminexus.home}/c4web/lib/*" {
permission java.security.AllPermission;
};
grant codeBase "file:${cosminexus.home}/c4web/exlib/*" {
permission java.security.AllPermission;
};
grant codeBase "file:${cosminexus.home}/jaxp/lib/*" {
permission java.security.AllPermission;
};
grant codeBase "file:${cosminexus.home}/CTM/lib/*" {
permission java.security.AllPermission;
};
grant codeBase "file:${cosminexus.home}/PRF/lib/*" {
permission java.security.AllPermission;
};
grant codeBase "file:${cosminexus.home}/wss/lib/*" {
permission java.security.AllPermission;
};
grant codeBase "file:${cosminexus.home}/XMLSEC/lib/*" {
permission java.security.AllPermission;
};
grant codeBase "file:${ejbserver.install.root}/sfo/lib/*" {
permission java.security.AllPermission;
};
grant codeBase "file:${hntrlib.home}/classes/*" {
permission java.security.AllPermission;
};
 
 
// (4)
// Grant all permissions to the container generated stubs and
// implementation classes
grant codeBase "file:${ejbserver.http.root}/ejb/${ejbserver.serverName}/containers/-" {
permission java.security.AllPermission;
};
 
// (5)
// Grant all permissions to imported resource (datasource) implementations
// implementation classes
grant codeBase "http://*/ejb/${ejbserver.serverName}/import/resjars/-" {
permission java.security.AllPermission;
};
 
 
// (6)
// Grant permissions to resource adapters
// 
grant codeBase "file:${ejbserver.http.root}/ejb/${ejbserver.serverName}/rarjars/-" {
 
// For Cosminexus TP1 Connector & TP1/Client/J
permission java.util.PropertyPermission "*", "read, write";
 
// For Cosminexus TP1 Connector & TP1/Client/J & Cosminexus Reliable Messaging 
permission java.io.FilePermission "<<ALL FILES>>", "read, write, delete";
permission java.net.SocketPermission "*", "connect,listen,accept";
 
// For TP1/Message Queue - Access
permission java.lang.RuntimePermission "loadLibrary.*";
 
// For TP1/Message Queue - Access & Cosminexus Reliable Messaging
permission java.lang.RuntimePermission "modifyThreadGroup";
permission java.lang.RuntimePermission "modifyThread";
 
// For DB Connector
permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
 
// For authentication (from J2EE RI server.policy file)
permission javax.security.auth.PrivateCredentialPermission "* * \"*\"", "read";
 
// For Cosminexus Reliable Messaging
permission javax.security.auth.AuthPermission "modifyPrivateCredentials";
permission java.lang.RuntimePermission "getenv.HRMDIR";
 
// For Cosminexus SOA FTP Inbound Adapter
permission java.lang.RuntimePermission "getClassLoader";
permission java.lang.RuntimePermission "setContextClassLoader";
permission java.lang.RuntimePermission "accessDeclaredMembers";
};
 
 
// (7)
// Grant permissions to JSP/Servlet
//
grant codeBase "file:${ejbserver.http.root}/web/${ejbserver.serverName}/-" {
permission java.lang.RuntimePermission "loadLibrary.*";
permission java.lang.RuntimePermission "queuePrintJob";
permission java.lang.RuntimePermission "modifyThread";
permission java.lang.RuntimePermission "modifyThreadGroup";
permission java.net.SocketPermission "*", "connect";
permission java.io.FilePermission "<<ALL FILES>>", "read, write";
permission java.util.PropertyPermission "*", "read";
};
 
 
// (8)
// Grant permissions to Cosminexus Service Coordinator
//
grant codeBase "file:${cosminexus.home}/CSC/lib/*" {
permission java.lang.security.AIIPermission;
};
 
 
// (9)
//
// Grant minimal permissions to everything else:
//  Batch applications
//  EJBs
//  client implementation classes
grant  {
permission java.security.AllPermission;
};

The examples of coding from (1) to (9) are as follows:

(1)

Grant the following permission to the class files present below ext directory of JDK:

Grant all access permissions

(2)

Grant the following permission to the class files present below lib directory of JDK:

Grant all access permissions

(3)

Grant the following permission to the class files used in a batch server:

Grant all access permissions

(4)

Grant the following permission to class files, such as stub and skeleton that are generated by the batch server.

Grant all access permissions

(5)

Grant the following permission to the class files of the resources used by a batch server:

Grant all access permissions

(6)

Grant the following access permissions to the class files of the resource adapters used by a batch server:

Allow read and write of the entire property information
Allow read, write, and deletion of all files
Allow connection to the network, standby for connection, and acceptance of a connection for all socket communications
Allow loading of all libraries
Allow changing of thread groups
Allow changing of threads
Allow all reflection operations
Allow access to all private Credentials owned by any Subject
Allow changing of sets of private Credentials correlated to the Subject
Allow the collection of values for the environment variable HRMDIR

Notes:

The directory managed by the batch server, which is the deployment destination of JAR files in the resource adapter, is described.
All resource adapters running in the batch server are within the valid range.

(7)

Grant the following access permissions to the class files of JSPs and servlets:

Allow loading of all libraries
Allow print job requests
Allow changing of threads
Allow changing of thread groups
Allow network connection for all socket communications
Allow read and write for all files
Allow read of the entire property information

(8)

Grant the following access permissions to the class files of Cosminexus Service Coordinator:

Grant all access permissions

(9)

Grant the following access permissions to all class files:

Grant all access permissions

To Page Top

(5) Notes

If you use the server.policy file with an invalid syntax or without appropriate access permissions, java.lang.StackOverflowError or java.lang.OutOfMemoryError occurs, and the batch server might terminate abnormally.
The minimum required access permissions for operating the batch server is coded in the server.policy file generated when setting up the server. Do not delete and change the coding lines in the generated server.policy file. However, if the following access permissions are set up, you can delete java.security.AllPermission that exists in grant, for which signedBy, codebase, and principal are not specified:
- java.util.PropertyPermission "*", "read";
- java.lang.RuntimePermission "queuePrintJob";
- java.net.SocketPermission "*", "connect";

To Page Top