server.policy revoke read/write rights
sanne Aug 2, 2003 9:33 AMHi,
I'm trying to figure out a way to get a more reasonable server.policy file. A big step forward would be if I could restrict read/write rights to only the jboss install dir, or even only the logging and tmp dir.
Does anyboy know how the policies are handled?
If I would only like to restrict reading and writing to only the jboss dir could I do:
grant {
permission java.io.FilePermission
"${jboss.home}/", "read, write, delete, execute";
};
grant {
// Allow everything for now
permission java.security.AllPermission;
};
So that any reading and writing operations would choke in the first rule, but for the rest everything is allowed. (Alternatively I'll have to figure out a good policy by trial and error.)
Or has everyboy been sloppy with security up till now ;-)
I also tried running with a security manager and with the option -Djava.security.debug=access this debug information gives policy access related debugging info.
After capturing the output, sorting it in my text editor and removing all the doubles I got this list:
access: access allowed (java.util.logging.LoggingPermission control)
access: access allowed (java.util.PropertyPermission user.variant read)
....
access: access allowed (java.util.PropertyPermission awt.toolkit read)
access: access allowed (java.util.PropertyPermission * read,write)
access: access allowed (java.net.SocketPermission home resolve)
access: access allowed (java.net.NetPermission specifyStreamHandler)
access: access allowed (java.lang.reflect.ReflectPermission suppressAccessChecks)
access: access allowed (java.lang.RuntimePermission shutdownHooks)
access: access allowed (java.lang.RuntimePermission setIO)
access: access allowed (java.lang.RuntimePermission setFactory)
access: access allowed (java.lang.RuntimePermission setContextClassLoader)
access: access allowed (java.lang.RuntimePermission org.jboss.security.SecurityAssociation.setPrincipalInfo)
access: access allowed (java.lang.RuntimePermission loadLibrary.zip)
access: access allowed (java.lang.RuntimePermission loadLibrary.net)
access: access allowed (java.lang.RuntimePermission getProtectionDomain)
access: access allowed (java.lang.RuntimePermission getClassLoader)
access: access allowed (java.lang.RuntimePermission createClassLoader)
access: access allowed (java.lang.RuntimePermission accessDeclaredMembers)
access: access allowed (java.lang.RuntimePermission accessClassInPackage.sun.text.resources)
access: access allowed (java.lang.RuntimePermission accessClassInPackage.sun.reflect)
access: access allowed (java.lang.RuntimePermission accessClassInPackage.sun.net.www.protocol.c)
access: access allowed (java.lang.RuntimePermission accessClassInPackage.sun.beans.editors)
access: access allowed (java.io.FilePermission \C:\javastuff\programs\jboss\320\lib\xml-apis.jar read)
...
access: access allowed (java.io.FilePermission \C:\javastuff\programs\jboss\320\lib\xercesImpl.jar read)
Unfortunately JBoss hangs on creating the logging service when running with the server.policy so:
a. I'm not getting all the access lines
b. It's not working for now
Sanne