JBOSS AS 5 java.policy?
brianx Nov 22, 2011 3:17 PM
The default java.policy file grants everything to everyone:
grant {
    permission java.security.AllPermission;
};
...and that's not good. The JBoss worm discovered lately woke me up to the need to fix this.
Right now I'm looking for a policy file that just lets JBoss AS 5 start up. No deployed apps yet, just to get JBoss up and running by itself.
So I add "-Djava.security.manager -Djava.security.policy=jboss.policy" to run.sh and create a jboss.policy file in the jboss bin directory.
<jboss.policy>
// Standard extensions get all permissions by default
grant codeBase "file:${{java.ext.dirs}}/*" { permission java.security.AllPermission; };
// These permissions apply to JBOSS
// NOTE THAT JBOSS HAS TO BE STARTED FROM WITHIN THE CODEBASE SPECIFIED FOR THESE TO BE GRANTED.
grant codeBase "file:/apps/local/jboss-5.1.0.GA/-"
{
    permission java.io.FilePermission "*", "read";
    permission java.io.FilePermission "/apps/local/jboss-5.1.0.GA/", "read";
    permission java.io.FilePermission "/apps/local/jboss-5.1.0.GA/lib/*", "read";
    permission java.io.FilePermission "/apps/local/jboss-5.1.0.GA/lib/-", "read";
    permission java.io.FilePermission "/apps/local/jboss-5.1.0.GA/server/default/log", "read";
    permission java.io.FilePermission "/apps/local/jboss-5.1.0.GA/server/default/conf/-", "read";
    permission java.util.logging.LoggingPermission "control";
    permission java.util.PropertyPermission "*", "read,write";
    permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
    permission java.lang.RuntimePermission "getProtectionDomain";
    permission java.lang.RuntimePermission "setContextClassLoader";
    permission java.lang.RuntimePermission "createClassLoader";
    permission java.lang.RuntimePermission "getClassLoader";
    permission java.lang.RuntimePermission "setFactory";
    permission java.lang.RuntimePermission "shutdownHooks";
    permission java.lang.RuntimePermission "accessDeclaredMembers";
    permission java.lang.RuntimePermission "exitVM.0";
    permission javax.management.MBeanServerPermission "createMBeanServer";
    permission javax.management.MBeanPermission "*", "*";
    permission javax.management.MBeanTrustPermission "register";
    permission java.security.SecurityPermission "getAccessControlContext";
    permission org.jboss.metadata.spi.stack.MetaDataStackPermission "modify";
};
<jboss.policy>
This gets me to the point where now I am getting ClassNotFoundExceptions on internal JBoss classes. I am attempting to grant "read" to these classes, but I'm not sure I'm even barking up the right tree.
So the question is, "Does anyone have a java.policy that allows JBoss AS5 to start?"
I'm continuing to work on this. If I get it working I'll post it here.
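
An added example, not part of the original post and not JBoss code: a small checker that applies java.io.FilePermission path matching (a trailing "/*" covers only a directory's direct children, "/-" is recursive, and a bare "*" is relative to the JVM working directory) to the FilePermission entries of the posted policy and lists which files stay unreadable. It assumes POSIX paths and that JBoss is launched from its bin directory; the sample paths and their file names are constructed placeholders.

```python
import re
from posixpath import dirname, normpath

JBOSS = "/apps/local/jboss-5.1.0.GA"  # install root used in the post

# FilePermission entries copied from the jboss.policy in the post.
POLICY = f'''
permission java.io.FilePermission "*", "read";
permission java.io.FilePermission "{JBOSS}/", "read";
permission java.io.FilePermission "{JBOSS}/lib/*", "read";
permission java.io.FilePermission "{JBOSS}/lib/-", "read";
permission java.io.FilePermission "{JBOSS}/server/default/log", "read";
permission java.io.FilePermission "{JBOSS}/server/default/conf/-", "read";
'''

# Constructed sample paths; file names are placeholders, not taken from the post.
SAMPLE_PATHS = [
    f"{JBOSS}/bin/example.jar",
    f"{JBOSS}/lib/example.jar",
    f"{JBOSS}/server/default/conf/props/example.properties",
    f"{JBOSS}/server/default/log",
    f"{JBOSS}/server/default/log/server.log",
    f"{JBOSS}/common/lib/example.jar",
    f"{JBOSS}/server/default/deployers/example.deployer/example.jar",
    f"{JBOSS}/server/default/lib/example.jar",
]
GRANT_RE = re.compile(
    r'permission\s+java\.io\.FilePermission\s+"([^"]+)"\s*,\s*"([^"]+)"\s*;')

def parse_file_grants(policy_text):
    """Return [(target, {actions})] for each java.io.FilePermission entry."""
    return [(t, {a.strip() for a in acts.split(",")})
            for t, acts in GRANT_RE.findall(policy_text)]

def implies(target, path, cwd):
    """FilePermission path matching: '/*' = direct children, '/-' = recursive."""
    if target == "<<ALL FILES>>":
        return True
    if not target.startswith("/"):  # relative targets resolve against the JVM cwd
        target = cwd.rstrip("/") + "/" + target
    path = normpath(path)
    if target.endswith("/-"):
        base = normpath(target[:-2] or "/")
        return path.startswith(base.rstrip("/") + "/") and path != base
    if target.endswith("/*"):
        return dirname(path) == normpath(target[:-2] or "/") and path != "/"
    return path == normpath(target)

def uncovered(policy_text, paths, action="read", cwd=JBOSS + "/bin"):
    """Paths for which no FilePermission entry grants the given action."""
    grants = parse_file_grants(policy_text)
    return [p for p in paths
            if not any(action in a and implies(t, p, cwd) for t, a in grants)]
```

Calling `uncovered(POLICY, SAMPLE_PATHS)` returns every sample path under common/lib, server/default/deployers and server/default/lib, plus the file inside the log directory, because none of the posted entries reaches those directories.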