5 Replies Latest reply on Aug 10, 2005 11:55 AM by starksm64

    JBoss JAAS grant Principal equivalent

    adamp

      I have a standalone application that will become a web app. Security is pretty central and I use JAAS in the standalone version. I've got the login module configured under JBoss so I can login the same way I do in the standalone. However, I can't seem to get my Principals configured correctly. Currently that is done in a standard JAAS policy file with the entry:

      grant Principal com.my.company.vdx.jaas.MyPrincipal "read-only" {
       permission com.my.company.vdx.jaas.MyPermission "read";
      };
      


      The entry allows me to do a Subject.doAsPrivileged(blah); call which will enforce this principal for a given user. I attempted to add this to $JBOSS_HOME/server/default/conf/server.policy to no avail. Can anyone tell me how I can associate Principals to Subjects in JBoss.

      Thanks in advance,
      Adam
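      As an added, stand-alone illustration of what the policy entry above expresses (this is not code from the thread or from JBoss), the following program installs a programmatic java.security.Policy that grants MyPermission "read" only to subjects carrying MyPrincipal "read-only", then runs the check inside Subject.doAsPrivileged. The class names mirror the policy entry; the Policy subclass, the BasicPermission-based MyPermission and the "grant everything else" fallback are assumptions made so the example runs without a policy file or -Djava.security.manager.

```java
import java.security.*;
import javax.security.auth.Subject;

public class PrincipalGrantDemo {
    // Mirrors com.my.company.vdx.jaas.MyPrincipal from the policy entry
    public static final class MyPrincipal implements Principal {
        private final String name;
        public MyPrincipal(String name) { this.name = name; }
        public String getName() { return name; }
        @Override public boolean equals(Object o) {
            return o instanceof MyPrincipal && ((MyPrincipal) o).name.equals(name);
        }
        @Override public int hashCode() { return name.hashCode(); }
    }
    // Mirrors com.my.company.vdx.jaas.MyPermission; "read" is the permission name
    public static final class MyPermission extends BasicPermission {
        public MyPermission(String name) { super(name); }
    }
    // Programmatic equivalent of:
    //   grant Principal MyPrincipal "read-only" { permission MyPermission "read"; };
    static final class PrincipalPolicy extends Policy {
        @Override public boolean implies(ProtectionDomain pd, Permission p) {
            if (!(p instanceof MyPermission)) return true; // assumption: demo grants everything else
            Principal[] principals = pd.getPrincipals();
            if (principals == null) return false;
            for (Principal pr : principals) {
                if (pr instanceof MyPrincipal && "read-only".equals(pr.getName())
                        && "read".equals(p.getName())) return true;
            }
            return false; // no matching principal on this domain: deny
        }
    }
    // Runs the check as the given subject; the SubjectDomainCombiner attaches the
    // subject's principals to the protection domains that the policy then inspects
    static boolean canRead(Subject subject) {
        return Subject.doAsPrivileged(subject, (PrivilegedAction<Boolean>) () -> {
            try { AccessController.checkPermission(new MyPermission("read")); return true; }
            catch (AccessControlException e) { return false; }
        }, null);
    }
    public static void main(String[] args) {
        Policy.setPolicy(new PrincipalPolicy());
        Subject reader = new Subject();
        reader.getPrincipals().add(new MyPrincipal("read-only"));
        Subject anonymous = new Subject(); // constructed: no principals at all
        System.out.println("read-only subject may read: " + canRead(reader));      // true
        System.out.println("subject without principal may read: " + canRead(anonymous)); // false
    }
}
```

      The same check fails for the read-only subject if the Policy is not installed, which is the behaviour described above when the grant is placed in a server.policy that no security manager ever loads.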



        • 1. Re: JBoss JAAS grant Principal equivalent
          starksm64

          The server.policy is just a place holder. You need to setup the security manager and security policy like any other java application. We don't configure a security manager by default. An ant macrodef from our testsuite for running with a security manager:

           <macrodef name="start-securitymgr"
                     description="Starts a jboss configuration with a security manager">
             <attribute name="policy" default="${build.resources}/securitymgr/server.policy"/>
             <attribute name="conf" default="default"/>
             <attribute name="host" default="${node0}"/>
             <attribute name="jvmargs" default="-Xmx64m"
                        description="An additional jvmarg line set after any ${jpda.cmdline}"/>
             <attribute name="jboss.home.dir" default="${jboss.dist}" />
             <attribute name="jboss.server.home.dir" default="${jboss.dist}${/}server${/}@{conf}" />
             <attribute name="security.debug" default="failure" />
             <sequential>
               <echo message="Starting @{conf} with policy @{policy}" />
               <echo message="jboss.home.dir=@{jboss.home.dir}" />
               <echo message="jboss.server.home.dir=@{jboss.server.home.dir}" />
               <java classname="org.jboss.Main" fork="true" spawn="true"
                     dir="${jboss.dist}/bin">
                 <classpath refid="jboss.boot.classpath"/>
                 <jvmarg line="${jpda.cmdline}" />
                 <jvmarg line="@{jvmargs}" />
                 <jvmarg value="-Djboss.home.dir=@{jboss.home.dir}" />
                 <jvmarg value="-Djboss.server.home.dir=@{jboss.server.home.dir}" />
                 <jvmarg value="-Djava.security.manager"/>
                 <jvmarg value="-Djava.security.policy==@{policy}"/>
                 <jvmarg value="-Djava.security.debug=@{security.debug}"/>
                 <arg value="-c"/>
                 <arg value="@{conf}"/>
                 <arg value="-b"/>
                 <arg value="@{host}"/>
               </java>
               <echo message="Spawned jboss" />
             </sequential>
           </macrodef>
          



          • 2. Re: JBoss JAAS grant Principal equivalent
            erikengerd2

            Hi,


            As I understand it, this means that in order to use specific security configurations based on permissions, the startup script of jboss must be modified to include a security configuration.

            Nevertheless, this means that every application deployed on JBoss will run with the same security configuration. I can't imagine this is what we want. Ideally, the security configuration should be deployed with the application itself or not? The current approach means that whenever the security config changes for a single deployed application, then the entire server must be restarted for the changes to take effect.

            Anyway, what would be the best solution? Having grants in the policy file that include code base, using the auth.policy.provider to implement (deployed) application-specific security, or using only the authentication features and not using JAAS for authorization at all?

            What are your thoughts?

            Cheers
            Erik



            • 3. Re: JBoss JAAS grant Principal equivalent
              erikengerd2

              Just saw that javax.security.auth.Policy is deprecated and that now java.security.Policy must be used and the property name is policy.provider.

              • 4. Re: JBoss JAAS grant Principal equivalent
                starksm64

                All that is currently supported requires differentiation of application security policies by codebase. We will be looking at expanding the JACC security service: http://wiki.jboss.org/wiki/Wiki.jsp?page=JACC

                to support a more flexible configuration and permissions other than just the j2ee javax.security.jacc.* ones.

                • 5. Re: JBoss JAAS grant Principal equivalent
                  starksm64

                  The design discussion of the JACC service enhancements is here:
                  http://www.jboss.com/index.html?module=bb&op=viewtopic&t=66840