I have been struggling for some time with how to configure JBoss to enforce the Java 2 security policy (EJB1.1 spec. section 220.127.116.11). There is much documentation about configuring users and method access (declarative security) but practically nothing about Java 2 security.
I just started using JBoss 2.4.4 (from JBoss 2.2.2) and the <enforce-ejb-restrictions> element of the standard-jboss.xml is new. This seems to be the answer to my prayers... I have invested a lot of time in configuring JBoss 2.2.2 and am no closer to my goal.
However, aside from a comment in the JBoss DTD, there is no discussion about this new miracle element. I have set it to true and nothing in our application execution seems to change. I am sure that we violate the Java security policy (JNI, XML file read) but nothing happens.
In order for <enforce-ejb-restrictions> to be effective, do I need to enable a security manager? If so, does the JAAS security manager also handle such security or just user authentication and authorization? Where is the implementation of org.jboss.security.plugins.JaasSecurityManager anyway? When I do not need user a&a, can I just use the java.lang.SecurityManager?
Someone please give me the lowdown! I have tried on my own and can't get any farther.