0 Replies Latest reply on Aug 2, 2003 9:33 AM by Sanne de

    server.policy revoke read/write rights

    Sanne de Novice

      Hi,

      I'm trying to figure out a way to get a more reasonable server.policy file. A big step forward would be if I could restrict read/write rights to only the jboss install dir, or even only the logging and tmp dir.

      Does anyboy know how the policies are handled?
      If I would only like to restrict reading and writing to only the jboss dir could I do:

      grant {
      permission java.io.FilePermission
      "${jboss.home}/", "read, write, delete, execute";
      };

      grant {
      // Allow everything for now
      permission java.security.AllPermission;
      };


      So that any reading and writing operations would choke in the first rule, but for the rest everything is allowed. (Alternatively I'll have to figure out a good policy by trial and error.)

      Or has everyboy been sloppy with security up till now ;-)

      I also tried running with a security manager and with the option -Djava.security.debug=access this debug information gives policy access related debugging info.

      After capturing the output, sorting it in my text editor and removing all the doubles I got this list:

      access: access allowed (java.util.logging.LoggingPermission control)
      access: access allowed (java.util.PropertyPermission user.variant read)
      ....
      access: access allowed (java.util.PropertyPermission awt.toolkit read)
      access: access allowed (java.util.PropertyPermission * read,write)
      access: access allowed (java.net.SocketPermission home resolve)
      access: access allowed (java.net.NetPermission specifyStreamHandler)
      access: access allowed (java.lang.reflect.ReflectPermission suppressAccessChecks)
      access: access allowed (java.lang.RuntimePermission shutdownHooks)
      access: access allowed (java.lang.RuntimePermission setIO)
      access: access allowed (java.lang.RuntimePermission setFactory)
      access: access allowed (java.lang.RuntimePermission setContextClassLoader)
      access: access allowed (java.lang.RuntimePermission org.jboss.security.SecurityAssociation.setPrincipalInfo)
      access: access allowed (java.lang.RuntimePermission loadLibrary.zip)
      access: access allowed (java.lang.RuntimePermission loadLibrary.net)
      access: access allowed (java.lang.RuntimePermission getProtectionDomain)
      access: access allowed (java.lang.RuntimePermission getClassLoader)
      access: access allowed (java.lang.RuntimePermission createClassLoader)
      access: access allowed (java.lang.RuntimePermission accessDeclaredMembers)
      access: access allowed (java.lang.RuntimePermission accessClassInPackage.sun.text.resources)
      access: access allowed (java.lang.RuntimePermission accessClassInPackage.sun.reflect)
      access: access allowed (java.lang.RuntimePermission accessClassInPackage.sun.net.www.protocol.c)
      access: access allowed (java.lang.RuntimePermission accessClassInPackage.sun.beans.editors)
      access: access allowed (java.io.FilePermission \C:\javastuff\programs\jboss\320\lib\xml-apis.jar read)
      ...
      access: access allowed (java.io.FilePermission \C:\javastuff\programs\jboss\320\lib\xercesImpl.jar read)

      Unfortunately JBoss hangs on creating the logging service when running with the server.policy so:

      a. I'm not getting all the access lines
      b. It's not working for now

      Sanne