2 Replies Latest reply on Dec 6, 2011 1:10 PM by brianx

    JBOSS AS 5 java.policy?

    brianx
    brianx Nov 22, 2011 3:17 PM

      The default java.policy file grants everything to everyone:

       

      grant {

      permission java.security.AllPermission;

      };

       

      ...and that's not good.  The JBoss worm discovered lately woke me up to the need to fix this.

       

       

      Right now I'm looking for a policy file that just lets JBoss AS 5 startup.  No deployed apps yet, just to get JBoss up and running by itself.

       

      So I add "-Djava.security.manager -Djava.security.policy=jboss.policy" to run.sh and create a jboss.policy file in the jboss bin directory.

       

       

      <jboss.policy>

       

      // Standard extensions get all permissions by default

      grant codeBase "file:$java.ext.dirs/*" { permission java.security.AllPermission; };

       

       

      // These permissions apply to JBOSS

      // NOTE THAT JBOSS HAS TO BE STARTED FROM WITHIN THE CODEBASE SPECIFIED FOR THESE TO BE GRANTED.

      grant codeBase "file:/apps/local/jboss-5.1.0.GA/-"

      {

        permission java.io.FilePermission "*", "read";

        permission java.io.FilePermission "/apps/local/jboss-5.1.0.GA/", "read";

        permission java.io.FilePermission "/apps/local/jboss-5.1.0.GA/lib/*", "read";

        permission java.io.FilePermission "/apps/local/jboss-5.1.0.GA/lib/-", "read";

        permission java.io.FilePermission "/apps/local/jboss-5.1.0.GA/server/default/log", "read";

        permission java.io.FilePermission "/apps/local/jboss-5.1.0.GA/server/default/conf/-", "read";

        permission java.util.logging.LoggingPermission "control";

        permission java.util.PropertyPermission "*", "read,write";

        permission java.lang.reflect.ReflectPermission "suppressAccessChecks";

        permission java.lang.RuntimePermission "getProtectionDomain";

        permission java.lang.RuntimePermission "setContextClassLoader";

        permission java.lang.RuntimePermission "createClassLoader";

        permission java.lang.RuntimePermission "getClassLoader";

        permission java.lang.RuntimePermission "setFactory";

        permission java.lang.RuntimePermission "shutdownHooks";

        permission java.lang.RuntimePermission "accessDeclaredMembers";

        permission java.lang.RuntimePermission "exitVM.0";

        permission javax.management.MBeanServerPermission "createMBeanServer";

        permission javax.management.MBeanPermission "*", "*";

        permission javax.management.MBeanTrustPermission "register";

        permission java.security.SecurityPermission "getAccessControlContext";

        permission org.jboss.metadata.spi.stack.MetaDataStackPermission "modify";

      };

       

      <jboss.policy>

       

       

      This gets me to the point where now I am getting ClassNotFoundExceptions on internal JBoss classes.  I am attempting to grant "read" to these classes, but I'm not sure I'm even barking up the right tree.

       

      So the question is, "Does anyone have a java.policy that allows JBoss AS5 to start?"

       

      I'm continuing to work on this.  If I get it working I'll post it here.

      • 2427 Views
      • Tags:
        • 1. Re: JBOSS AS 5 java.policy?
          brianx
          brianx Nov 23, 2011 11:02 AM (in response to brianx)

          OK I've got all the permissions that cause problems.  Now I'm seeing this:

           

          Deployment "AttachmentsSerializer" is in error due to: java.lang.ClassNotFoundException: Unexpected error during load of: org.jboss.system.server.profileservice.repository.JAXBAttachmentSerializer, msg=Error determining protection domain for ZipEntryHandler@1380239564[path=org/jboss/system/server/profileservice/repository/JAXBAttachmentSerializer.class context=file:/home/brianx/apps/local/jboss-5.1.0.GA/lib/jboss-system.jar real=file:/home/brianx/apps/local/jboss-5.1.0.GA/lib/jboss-system.jar/org/jboss/system/server/profileservice/repository/JAXBAttachmentSerializer.class]

           

          ...I've tried granting "read" for both the context and real:

           

           

            permission java.io.FilePermission "/apps/local/jboss-5.1.0.GA/lib/jboss-system.jar", "read";

            permission java.io.FilePermission "/apps/local/jboss-5.1.0.GA/lib/jboss-system.jar/-", "read";

            permission java.io.FilePermission "/apps/local/jboss-5.1.0.GA/lib/jboss-system.jar/org/jboss/system/server/profileservice/repository/JAXBAttachmentSerializer.class", "read";

           

           

          ...but no joy - I think I'm barking up the wrong tree. 

            • Actions
          • 2. Re: JBOSS AS 5 java.policy?
            brianx
            brianx Dec 6, 2011 1:10 PM (in response to brianx)

            got all the "denied" messages out.  Now I'm getting an exception on the AuthorizationManager.

             

            so the question now is - what is it about using a custom java.policy file that causes the AuthorizationManager to not be deployed?

             

            Here's the stacktrace I'm seeing at the moment:

             

            14:40:05,879 DEBUG [AuthenticatorBase]  Calling hasUserDataPermission()

            14:40:05,879 DEBUG [RealmBase]   User data constraint already satisfied

            14:40:05,916 ERROR [CoyoteAdapter] An exception or error occurred in the container during the request processing

            java.lang.IllegalStateException: Authorization Manager is null

                      at org.jboss.security.plugins.javaee.WebAuthorizationHelper.hasUserDataPermission(WebAuthorizationHelper.java:185)

                      at org.jboss.web.tomcat.security.JBossWebRealm.hasUserDataPermission(JBossWebRealm.java:643)

                      at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:461)

                      at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:92)

                      at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.process(SecurityContextEstablishmentValve.java:126)

                      at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.invoke(SecurityContextEstablishmentValve.java:70)

                      at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)

                      at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)

                      at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:158)

                      at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:567)

                      at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)

                      at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:330)

                      at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:829)

                      at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:598)

                      at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447)

                      at java.lang.Thread.run(Thread.java:722)

              • Actions