1 Reply Latest reply on Sep 20, 2002 5:01 PM by Mauricio De Diana

    Using SecurityManager

    Mauricio De Diana Newbie

      Hi all,

      I need to guarantee that EJBs deployed at my server respect some restrictions like not open ServerSockets or use file access. As far as I know, the only way to have at least some of these restrictions working is to set them up through the SecurityManager. I came up with 2 possible approaches to this:
      First, JBoss 3.0 has a server.policy file in the conf directory. I thought JBoss could implicitly read it, but it didn´t work.
      Second, I thought of start the SecurityManager explicitly (-Djava.security.manager -Djava.security.policy=="%JBOSS_HOME%/server/default/conf/server.policy") and nothing happens (I even tried to use an invalid policy file and still nothing happens).
      Is invoking the SecurityManager the right thing to do in my case? If so, how? If don´t, what should I do?

      Thanks in advance,
      Dediana

        • 1. Re: Using SecurityManager
          Mauricio De Diana Newbie

          OK, I discovered that there is an MBean that do the work.
          It has to be configured in jboss-service.xml:

          <mbean
          code="org.jboss.security.plugins.SecurityPolicyService"
          name="jboss.security:service=SecurityPolicyService">
          <attribute name="PolicyFile">server.xml</attribute>
          </mbean>

          and server.xml has the same information that a policy file. My configuration is:

          <?xml version='1.0' encoding='UTF-8' ?>

          <application-policy>
          <authorization>
          <grant>
          <permission>
          <name>java.io.FilePermission</name>
          <code>C:/Test/-</code>
          <actions>read</actions>
          </permission>
          </grant>
          </authorization>
          </application-policy>

          But it still doesn´t work.
          Any hints?

          Thanks,
          Dediana