1 Reply Latest reply on Sep 20, 2002 5:01 PM by dediana

    Using SecurityManager

    dediana

      Hi all,

      I need to guarantee that EJBs deployed on my server respect some restrictions, such as not opening ServerSockets or using file access. As far as I know, the only way to have at least some of these restrictions working is to set them up through the SecurityManager. I came up with 2 possible approaches to this:
      First, JBoss 3.0 has a server.policy file in the conf directory. I thought JBoss could implicitly read it, but it didn't work.
      Second, I thought of starting the SecurityManager explicitly (-Djava.security.manager -Djava.security.policy=="%JBOSS_HOME%/server/default/conf/server.policy") and nothing happens (I even tried to use an invalid policy file and still nothing happens).
      Is invoking the SecurityManager the right thing to do in my case? If so, how? If not, what should I do?

      Thanks in advance,
      Dediana

        • 1. Re: Using SecurityManager
          dediana

          OK, I discovered that there is an MBean that does the work.
          It has to be configured in jboss-service.xml:

          <mbean
              code="org.jboss.security.plugins.SecurityPolicyService"
              name="jboss.security:service=SecurityPolicyService">
            <attribute name="PolicyFile">server.xml</attribute>
          </mbean>

          and server.xml has the same information as a policy file. My configuration is:

          <?xml version='1.0' encoding='UTF-8' ?>

          <application-policy>
            <authorization>
              <grant>
                <permission>
                  <name>java.io.FilePermission</name>
                  <code>C:/Test/-</code>
                  <actions>read</actions>
                </permission>
              </grant>
            </authorization>
          </application-policy>

          But it still doesn't work.
          Any hints?

          Thanks,
          Dediana
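
Added example, not part of either post and not JBoss code: a small probe that shows whether a SecurityManager is actually installed in a JVM and whether the two operations named in the question (opening a ServerSocket, reading a file outside the granted C:/Test/- tree) are denied. The class name `SecurityManagerProbe`, the port and the default file path are assumptions made for illustration; it targets JVMs that still support the Security Manager.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.net.ServerSocket;

// Hypothetical diagnostic (not part of JBoss). Start it with the same
// -Djava.security.manager / -Djava.security.policy options as the server.
public class SecurityManagerProbe {

    interface Action { void run() throws IOException; }

    // Runs one guarded operation and reports whether the policy blocked it.
    static String attempt(String label, Action action) {
        try {
            action.run();
            return label + ": ALLOWED";
        } catch (SecurityException e) {
            return label + ": DENIED by SecurityManager (" + e.getMessage() + ")";
        } catch (IOException e) {
            // The permission check passed; the operation failed for another reason.
            return label + ": permitted, but I/O failed (" + e.getMessage() + ")";
        }
    }

    public static void main(String[] args) {
        // Constructed sample values: a file outside the granted C:/Test/- tree
        // and an arbitrary unprivileged port.
        String outsideFile = args.length > 0 ? args[0] : "C:/Windows/win.ini";
        int port = 18080;

        SecurityManager sm = System.getSecurityManager();
        if (sm == null) {
            System.out.println("No SecurityManager installed: the JVM options did not "
                    + "reach this process, so no policy file is consulted at all.");
        } else {
            System.out.println("SecurityManager active: " + sm.getClass().getName());
        }

        System.out.println(attempt("open ServerSocket on " + port, () -> {
            try (ServerSocket s = new ServerSocket(port)) { /* bind only */ }
        }));
        System.out.println(attempt("read " + outsideFile, () -> {
            try (FileInputStream in = new FileInputStream(outsideFile)) { in.read(); }
        }));
    }
}
```

The "==" form of -Djava.security.policy used in the question makes the named file the only policy in effect, so a DENIED result here cannot be masked by grants in the JDK's default java.policy.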