[jboss-cvs] JBossAS SVN: r82179 - in projects/docs/enterprise/4.3.3/Common_Criteria_Guide/en-US: extras and 1 other directory.

jboss-cvs-commits at lists.jboss.org jboss-cvs-commits at lists.jboss.org
Wed Dec 10 00:18:09 EST 2008


Author: Darrin
Date: 2008-12-10 00:18:09 -0500 (Wed, 10 Dec 2008)
New Revision: 82179

Added:
   projects/docs/enterprise/4.3.3/Common_Criteria_Guide/en-US/Security_Policy_File.xml
   projects/docs/enterprise/4.3.3/Common_Criteria_Guide/en-US/extras/security_cc.policy
Removed:
   projects/docs/enterprise/4.3.3/Common_Criteria_Guide/en-US/Tested_Security_Policy.xml
Modified:
   projects/docs/enterprise/4.3.3/Common_Criteria_Guide/en-US/Common_Criteria_Configuration_Guide.xml
   projects/docs/enterprise/4.3.3/Common_Criteria_Guide/en-US/Requirements_for_the_Evaluated_Configuration.xml
   projects/docs/enterprise/4.3.3/Common_Criteria_Guide/en-US/Security_Configuration.xml
Log:
JBOSSCC-30

Modified: projects/docs/enterprise/4.3.3/Common_Criteria_Guide/en-US/Common_Criteria_Configuration_Guide.xml
===================================================================
--- projects/docs/enterprise/4.3.3/Common_Criteria_Guide/en-US/Common_Criteria_Configuration_Guide.xml	2008-12-10 04:53:08 UTC (rev 82178)
+++ projects/docs/enterprise/4.3.3/Common_Criteria_Guide/en-US/Common_Criteria_Configuration_Guide.xml	2008-12-10 05:18:09 UTC (rev 82179)
@@ -15,6 +15,7 @@
     <xi:include href="RHEL_4_RPM_List.xml" xmlns:xi="http://www.w3.org/2001/XInclude" /> 
 	<xi:include href="RHEL_5_RPM_List.xml" xmlns:xi="http://www.w3.org/2001/XInclude" /> 
     <xi:include href="Ports.xml" xmlns:xi="http://www.w3.org/2001/XInclude" /> 
+    <xi:include href="Security_Policy_File.xml" xmlns:xi="http://www.w3.org/2001/XInclude" /> 
 	<xi:include href="Revision_History.xml" xmlns:xi="http://www.w3.org/2001/XInclude" />
 </book>
 

Modified: projects/docs/enterprise/4.3.3/Common_Criteria_Guide/en-US/Requirements_for_the_Evaluated_Configuration.xml
===================================================================
--- projects/docs/enterprise/4.3.3/Common_Criteria_Guide/en-US/Requirements_for_the_Evaluated_Configuration.xml	2008-12-10 04:53:08 UTC (rev 82178)
+++ projects/docs/enterprise/4.3.3/Common_Criteria_Guide/en-US/Requirements_for_the_Evaluated_Configuration.xml	2008-12-10 05:18:09 UTC (rev 82179)
@@ -186,7 +186,7 @@
         <screen>cp -pr <replaceable>${JBOSS_HOME}</replaceable>/server/production <replaceable>${JBOSS_HOME}</replaceable>/server/production.backup</screen>
 
         <para>In an emergency you can always retrieve the original files from the 
-        installation zip file.</para>	
+        installation files.</para>	
 
         <section id="configuration_requirements-setup_configuration">
             <title>Setup Configuration</title>
@@ -435,8 +435,11 @@
             </listitem>
 
             <listitem>
-                <para>Comment out the policy for <literal>HsqlDbRealm</literal> in the 
-                <filename>${JBOSS_HOME}/server/production/conf/login-config.xml</filename> file as shown.</para>
+                <para>
+                Comment out the policy for <literal>HsqlDbRealm</literal> in the 
+                <filename><replaceable>${JBOSS_HOME}</replaceable>/server/production/conf/login-config.xml</filename> 
+                file as shown.
+                </para>
                 <programlisting language="xml"><xi:include parse="text" href="extras/login-config.xmlt" xmlns:xi="http://www.w3.org/2001/XInclude" /></programlisting>
             </listitem>
         </orderedlist>
@@ -445,6 +448,18 @@
         <ulink url="http://www.redhat.com/docs/en-US/JBoss_Enterprise_Application_Platform/4.3.0.cp03/html-single/Server_Configuration_Guide/index.html#alternative_DBs"></ulink>.</para>
     </section>
     
+        <section id="Common_Criteria_Guide-changes_to_policy">
+            <title>Required changes to the included JSM policy</title>
+            
+            <para>
+            The supplied Java Security Manager policy file that is included with JBoss EAP must be
+            replaced with the policy file specifed in <xref linkend="appe-security_policy" />.  The 
+            policy file that must be replaced is 
+            <filename><replaceable>${JBOSS_HOME}</replaceable>/bin/security_cc.policy</filename>.
+            </para>
+            
+        </section>
+    
         <section id="Common_Criteria_Guide-Developer_Guidelines-java_security_permissions">
             <title>Guidance on Configuring Java Security Permissions</title>
             <para>
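Review bot: The new "Required changes to the included JSM policy" section tells the administrator to replace `${JBOSS_HOME}/bin/security_cc.policy` with the appendix listing, but gives no step to confirm that the installed file matches the evaluated policy. "specifed" in its first sentence is also a typo for "specified". Because the guide says that running the Java Security Manager with different policy settings is not a certified configuration, I would add a closing sentence such as `After replacing the file, compare it with the listing in the appendix and make sure that only the account administering JBoss EAP can write to it.` Text copied from a rendered appendix can pick up wrapped lines or altered quote characters, so the comparison is worth stating explicitly.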

Modified: projects/docs/enterprise/4.3.3/Common_Criteria_Guide/en-US/Security_Configuration.xml
===================================================================
--- projects/docs/enterprise/4.3.3/Common_Criteria_Guide/en-US/Security_Configuration.xml	2008-12-10 04:53:08 UTC (rev 82178)
+++ projects/docs/enterprise/4.3.3/Common_Criteria_Guide/en-US/Security_Configuration.xml	2008-12-10 05:18:09 UTC (rev 82179)
@@ -10,16 +10,20 @@
     Windows as well a configuration file , <filename>run.conf</filename>, which determines 
     the startup environment of the server. </para>
 
-    <para>The evaluated configuration of JBoss EAP has been certified both with and without 
+    <para>
+    The evaluated configuration of JBoss EAP has been certified both with and without 
     the use of the Java Security Manger.   If you use the Java Security Manager, you must 
-    also use the specific policy which is supplied with the product.  Operating JBoss EAP 
-    using the Java Security Manager and a modified or completely different policy is not 
-    considered to be a certified configuration.</para>
+    also use the policy settings as defined in <xref linkend="appe-security_policy" />.  
+    Operating JBoss EAP using the Java Security Manager and different policy settings is 
+    not considered to be a certified configuration.
+    </para>
 
-    <para>This allows two modes of operation which affect how JBoss EAP can protect 
+    <para>
+    This allows two modes of operation which affect how JBoss EAP can protect 
     itself against the behavior of applications. These modes are discussed fully below.  
     As the administrator of your JBoss EAP server, you must decide which mode of 
-    operation is most appropriate.</para>
+    operation is most appropriate.
+    </para>
     
     <section id="starting_EAP">
         <title>Starting the JBoss EAP Server</title>
@@ -40,17 +44,16 @@
         <screen>$ cd $JBOSS_HOME/bin 
 $ ./run.sh -b <replaceable>${ip_address}</replaceable> -c production</screen></example>
 
-
         <para>JBoss EAP's default behavior is to run without the use of the Java Security
         Manager.  This means that any application deployed on JBoss EAP will be running in 
         the same namespace as JBoss EAP itself.  In this environment it is possible that an 
         application deployed on JBoss EAP may interfere with the execution of JBoss EAP 
         itself either accidentally or intentionally.</para>
 
-        <para>If you choose to run without using the Java Security Manger &amp; supplied 
-        policy then you are responsible for performing your own risk analysis to ensure 
-        that deployed applications do not contain bugs that may be abused by users of 
-        the application to circumvent the security functionality of JBoss EAP.</para>
+        <para>If you choose to run without using the Java Security Manger &amp; specified 
+        policy settings then you are responsible for performing your own risk analysis to 
+        ensure that deployed applications do not contain bugs that may be abused by users 
+        of the application to circumvent the security functionality of JBoss EAP.</para>
 
         <para>It is only recommended to run in this mode if your deployed applications 
         require more permissions that the included security policy allows.</para>
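Review bot: The unchanged paragraph that closes this hunk still refers to "the included security policy", while the paragraph reworded just above it now says "specified policy settings" and the guide requires the shipped policy file to be replaced. A reader can take "included" to mean the policy bundled with the product, which is no longer the evaluated one. I would change the line to `require more permissions than the specified security policy allows.</para>`, which also corrects "that" to "than". "Manger" on the added line, and in the first hunk of this file, should read "Manager".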
@@ -59,16 +62,24 @@
     <section id="enabling_JSM">
         <title>Enabling the Java Security Manager</title>
 
-        <para>By enabling the Java Security Manager with the included policy file 
-        (<filename>security_cc.policy</filename>) JBoss EAP is protected from any 
-        application deployed on it accidentally or intentionally interfering with 
-        its operation.</para>
+        <para>
+        By enabling the Java Security Manager with the specified policy JBoss EAP is 
+        protected from any application deployed on it accidentally or intentionally 
+        interfering with its operation.
+        </para>
         
         <para>This policy limits the granting of full permissions to those jar files
-        included with the evaluated configuration.  All other deployed jar files are 
-        limited to read-only file-system access, adding queue print items &amp; 
-        connecting to sockets.</para>
+        included with the evaluated configuration.</para>
 
+        <warning>
+            <para>
+            If you use the Java Security Manager, you configure the policy settings as explained in
+            <xref linkend="Common_Criteria_Guide-changes_to_policy" />.  Operating JBoss EAP using 
+            the Java Security Manager with different policy settings is not considered to be a 
+            certified configuration.
+            </para>
+        </warning>
+
         <para>You must edit the file <filename>run.conf</filename> located in the Enterprise 
         Platform home directory at <filename>/jboss-as/server/production/</filename> and uncomment 
         the lines indicated below to enable the Java Security Manager. Once those items are 
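Review bot: The added warning says "you configure the policy settings", which reads as a statement of fact rather than a requirement. For a condition of the certified configuration it should be `If you use the Java Security Manager, you must configure the policy settings as explained in`. The hunk also removes the sentence that summarised what jar files outside the evaluated configuration are limited to, and puts nothing in its place, so this section no longer tells an administrator what a deployed application may do by default. A one-sentence summary taken from the appendix policy, or a pointer to the relevant grant block there, would restore that. The paragraph about `run.conf` continues outside the hunk.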
@@ -103,12 +114,15 @@
         <programlisting>policy.provider=sun.security.provider.PolicyFile</programlisting>
 
         <formalpara>
-            <title>Policy file configuration</title>
-            <para>Users and administrators are free to add their own permission blocks to the policy file, 
-            however the permissions that are shipped with the JBoss Enterprise Application Platform cannot 
-            be changed; doing so will invalidate the certification. Indeed any modifications of the security 
-            policy except what has been specified within this guide, will invalidate the certification 
-            configuration. </para>
+            <title>Additional Policy file configuration</title>
+            <para>
+            Users and administrators are free to add their own permission blocks to the policy file, 
+            however the permissions that are specified for JBoss EAP cannot be changed; doing so will 
+            invalidate the certification. Indeed any modifications of the security policy except what has 
+            been specified within this guide, will invalidate the certification configuration. Refer to 
+            <xref linkend="Common_Criteria_Guide-Developer_Guidelines-java_security_permissions" /> for 
+            additional information on this topic.
+            </para>
         </formalpara>
 
     </section>

Added: projects/docs/enterprise/4.3.3/Common_Criteria_Guide/en-US/Security_Policy_File.xml
===================================================================
--- projects/docs/enterprise/4.3.3/Common_Criteria_Guide/en-US/Security_Policy_File.xml	                        (rev 0)
+++ projects/docs/enterprise/4.3.3/Common_Criteria_Guide/en-US/Security_Policy_File.xml	2008-12-10 05:18:09 UTC (rev 82179)
@@ -0,0 +1,10 @@
+<?xml version='1.0'?>
+<!DOCTYPE appendix PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN" "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
+]>
+
+<appendix id="appe-security_policy">
+<title>Required Java Security Manager Policy File</title>
+
+<programlisting><xi:include parse="text" href="extras/security_cc.policy" xmlns:xi="http://www.w3.org/2001/XInclude" /></programlisting>
+
+</appendix>

Deleted: projects/docs/enterprise/4.3.3/Common_Criteria_Guide/en-US/Tested_Security_Policy.xml
===================================================================
--- projects/docs/enterprise/4.3.3/Common_Criteria_Guide/en-US/Tested_Security_Policy.xml	2008-12-10 04:53:08 UTC (rev 82178)
+++ projects/docs/enterprise/4.3.3/Common_Criteria_Guide/en-US/Tested_Security_Policy.xml	2008-12-10 05:18:09 UTC (rev 82179)
@@ -1,77 +0,0 @@
-<?xml version='1.0'?>
-<!DOCTYPE appendix PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN" "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
-]>
-
-<appendix id="Common_Criteria_Guide-Tested_Security_Policy">
-
-    <title>Tested Security Policy</title>
-
-    <para>
-      Below is the security policy that was used during the certification evaluation and testing. It does (fill in here with a description of what it does).
-    </para>
-
-     <programlisting>// The Java2 security policy for the securitymgr tests
-// Install with -Djava.security.policy==server.policy
-// and -Djboss.home.dir=path_to_jboss_distribution
-
-// Trusted core Java code
-grant codeBase "file:${java.home}/lib/ext/-" {
-   permission java.security.AllPermission;
-};
-grant codeBase "file:${java.home}/lib/*" {
-   permission java.security.AllPermission;
-};
-// For java.home pointing to the JDK jre directory
-grant codeBase "file:${java.home}/../lib/*" {
-   permission java.security.AllPermission;
-};
-
-// Trusted core Jboss code
-grant codeBase "file:${jboss.home.dir}/bin/-" {
-   permission java.security.AllPermission;
-};
-grant codeBase "file:${jboss.home.dir}/lib/-" {
-   permission java.security.AllPermission;
-};
-grant codeBase "file:${jboss.server.home.dir}/lib/-" {
-   permission java.security.AllPermission;
-};
-grant codeBase "file:${jboss.server.home.dir}/deploy/-" {
-   permission java.security.AllPermission;
-};
-grant codeBase "file:${jboss.server.home.dir}/work/-" {
-   permission java.security.AllPermission;
-};
-
-// Permissions for the WarPermissionsUnitTestCase
-grant codeBase "file:${jboss.test.deploy.dir}/securitymgr/-" {
-   permission java.util.PropertyPermission "*", "read";
-   permission java.io.FilePermission "&lt;&lt;ALL FILES&gt;&gt;", "read,write,delete";
-};
-
-// Minimal permissions are allowed to everyone else
-grant {
-   permission java.util.PropertyPermission "*", "read";
-   permission java.lang.RuntimePermission "queuePrintJob";
-   permission java.net.SocketPermission "*", "connect";
-   permission java.security.SecurityPermission "getPolicy";
-   permission java.lang.RuntimePermission "accessClassInPackage.*";
-   permission java.lang.RuntimePermission "getProtectionDomain";
-   permission java.lang.RuntimePermission "getClassLoader";
-   permission java.lang.RuntimePermission "org.jboss.security.SecurityAssociation.getSubject";
-   permission javax.management.MBeanServerPermission "findMBeanServer";
-   permission javax.management.MBeanPermission "org.jboss.mx.modelmbean.XMBean#*[JMImplementation:type=MBeanRegistry]", "*";
-   permission javax.management.MBeanPermission "org.jboss.mx.modelmbean.XMBean#*[jboss*:*]", "*";
-   permission javax.security.auth.AuthPermission "createLoginContext.*";
-};
-
-// To handle tests run with JBoss installed from RPMs - http://jira.jboss.com/jira/browse/JBPAPP-60
-grant codeBase "file:/usr/share/java/-" {
-   permission java.security.AllPermission;
-};
-grant codeBase "file:/etc/jbossas/-" {
-   permission java.security.AllPermission;
-};
-</programlisting>
-
-</appendix>
\ No newline at end of file

Added: projects/docs/enterprise/4.3.3/Common_Criteria_Guide/en-US/extras/security_cc.policy
===================================================================
--- projects/docs/enterprise/4.3.3/Common_Criteria_Guide/en-US/extras/security_cc.policy	                        (rev 0)
+++ projects/docs/enterprise/4.3.3/Common_Criteria_Guide/en-US/extras/security_cc.policy	2008-12-10 05:18:09 UTC (rev 82179)
@@ -0,0 +1,646 @@
+//**********************************************************************
+// Common Criteria Evaluated Configuration Java2 Security Manager Policy
+// Author: Anil Saldhana 
+//**********************************************************************
+
+//**********************************************************
+//
+//   Section 1: JBOSS code with codebase references in time 
+//              of JBOSS startup
+//   (Permissions are given fully)
+//   Do not modify this section.
+//
+//**********************************************************
+grant codeBase "file:${user.dir}/run.jar" {
+  permission java.security.AllPermission;
+};
+
+grant codeBase "file:${user.dir}/../lib/*" {
+  permission java.security.AllPermission;
+};
+
+grant codeBase "file:${user.dir}/../server/production/lib/-" {
+  permission java.security.AllPermission;
+};
+
+//******************* End of Section 1 **********************
+
+//**********************************************************
+//
+//   Section 2:  Java JDK Core Code
+//               Trusted core Java code
+//   (Permissions are given fully)
+//   Do not modify this section.
+//
+//**********************************************************
+grant codeBase "file:${java.home}/lib/ext/-" {
+   permission java.security.AllPermission;
+};
+grant codeBase "file:${java.home}/lib/*" {
+   permission java.security.AllPermission;
+};
+// For java.home pointing to the JDK jre directory
+grant codeBase "file:${java.home}/../lib/*" {
+   permission java.security.AllPermission;
+};
+
+//******************* End of Section 2 **********************
+
+
+//**********************************************************
+//
+//   Section 3:  Permissions assigned to JBoss Core Codebase
+//               Trusted JBoss code
+//
+//   Do not modify this section.
+//
+//**********************************************************
+grant codeBase "file:${jboss.home.dir}/bin/-" {
+   permission java.security.AllPermission;
+};
+
+// Trust all the jars in the server lib that JBoss has shipped
+grant codeBase "file:${jboss.home.dir}/lib/-" {
+   permission java.security.AllPermission;
+};
+
+grant codeBase "file:${jboss.server.home.dir}/work/-" {
+   permission java.security.AllPermission;
+};
+
+grant codeBase "file:${jboss.server.home.dir}/lib/activation.jar" {
+   permission java.security.AllPermission;
+};
+
+grant codeBase "file:${jboss.server.home.dir}/lib/antlr.jar" {
+   permission java.security.AllPermission;
+};
+
+grant codeBase "file:${jboss.server.home.dir}/lib/asm-attrs.jar" {
+   permission java.security.AllPermission;
+};
+
+grant codeBase "file:${jboss.server.home.dir}/lib/asm.jar" {
+   permission java.security.AllPermission;
+};
+
+grant codeBase "file:${jboss.server.home.dir}/lib/autonumber-plugin.jar" {
+   permission java.security.AllPermission;
+};
+
+grant codeBase "file:${jboss.server.home.dir}/lib/avalon-framework.jar" {
+   permission java.security.AllPermission;
+};
+
+grant codeBase "file:${jboss.server.home.dir}/lib/bcel.jar" {
+   permission java.security.AllPermission;
+};
+
+grant codeBase "file:${jboss.server.home.dir}/lib/bindingservice-plugin.jar" {
+   permission java.security.AllPermission;
+};
+
+grant codeBase "file:${jboss.server.home.dir}/lib/bsf.jar" {
+   permission java.security.AllPermission;
+};
+
+grant codeBase "file:${jboss.server.home.dir}/lib/bsh-deployer.jar" {
+   permission java.security.AllPermission;
+};
+
+grant codeBase "file:${jboss.server.home.dir}/lib/bsh.jar" {
+   permission java.security.AllPermission;
+};
+
+grant codeBase "file:${jboss.server.home.dir}/lib/cglib.jar" {
+   permission java.security.AllPermission;
+};
+
+grant codeBase "file:${jboss.server.home.dir}/lib/commons-codec.jar" {
+   permission java.security.AllPermission;
+};
+
+grant codeBase "file:${jboss.server.home.dir}/lib/commons-collections.jar" {
+   permission java.security.AllPermission;
+};
+
+grant codeBase "file:${jboss.server.home.dir}/lib/commons-httpclient.jar" {
+   permission java.security.AllPermission;
+};
+
+grant codeBase "file:${jboss.server.home.dir}/lib/commons-logging.jar" {
+   permission java.security.AllPermission;
+};
+
+grant codeBase "file:${jboss.server.home.dir}/lib/dom4j.jar" {
+   permission java.security.AllPermission;
+};
+
+grant codeBase "file:${jboss.server.home.dir}/lib/ejb3-persistence.jar" {
+   permission java.security.AllPermission;
+};
+
+grant codeBase "file:${jboss.server.home.dir}/lib/el-api.jar" {
+   permission java.security.AllPermission;
+};
+
+grant codeBase "file:${jboss.server.home.dir}/lib/hibernate3.jar" {
+   permission java.security.AllPermission;
+};
+
+grant codeBase "file:${jboss.server.home.dir}/lib/hibernate-annotations.jar" {
+   permission java.security.AllPermission;
+};
+
+grant codeBase "file:${jboss.server.home.dir}/lib/hibernate-commons-annotations.jar" {
+   permission java.security.AllPermission;
+};
+
+grant codeBase "file:${jboss.server.home.dir}/lib/hibernate-entitymanager.jar" {
+   permission java.security.AllPermission;
+};
+
+grant codeBase "file:${jboss.server.home.dir}/lib/hibernate-validator.jar" {
+   permission java.security.AllPermission;
+};
+
+grant codeBase "file:${jboss.server.home.dir}/lib/hsqldb.jar" {
+   permission java.security.AllPermission;
+};
+
+grant codeBase "file:${jboss.server.home.dir}/lib/hsqldb-plugin.jar" {
+   permission java.security.AllPermission;
+};
+
+grant codeBase "file:${jboss.server.home.dir}/lib/jacorb.jar" {
+   permission java.security.AllPermission;
+};
+
+grant codeBase "file:${jboss.server.home.dir}/lib/javassist.jar" {
+   permission java.security.AllPermission;
+};
+
+grant codeBase "file:${jboss.server.home.dir}/lib/jaxen.jar" {
+   permission java.security.AllPermission;
+};
+
+grant codeBase "file:${jboss.server.home.dir}/lib/jboss-cache-jdk50.jar" {
+   permission java.security.AllPermission;
+};
+
+grant codeBase "file:${jboss.server.home.dir}/lib/jboss-common-jdbc-wrapper.jar" {
+   permission java.security.AllPermission;
+};
+
+grant codeBase "file:${jboss.server.home.dir}/lib/jboss-ejb3x.jar" {
+   permission java.security.AllPermission;
+};
+
+grant codeBase "file:${jboss.server.home.dir}/lib/jbossha.jar" {
+   permission java.security.AllPermission;
+};
+
+grant codeBase "file:${jboss.server.home.dir}/lib/jboss-hibernate.jar" {
+   permission java.security.AllPermission;
+};
+
+grant codeBase "file:${jboss.server.home.dir}/lib/jboss-iiop.jar" {
+   permission java.security.AllPermission;
+};
+
+grant codeBase "file:${jboss.server.home.dir}/lib/jboss-j2ee.jar" {
+   permission java.security.AllPermission;
+};
+
+grant codeBase "file:${jboss.server.home.dir}/lib/jboss.jar" {
+   permission java.security.AllPermission;
+};
+
+grant codeBase "file:${jboss.server.home.dir}/lib/jboss-jaxrpc.jar" {
+   permission java.security.AllPermission;
+};
+
+grant codeBase "file:${jboss.server.home.dir}/lib/jboss-jaxws.jar" {
+   permission java.security.AllPermission;
+};
+
+grant codeBase "file:${jboss.server.home.dir}/lib/jboss-jca.jar" {
+   permission java.security.AllPermission;
+};
+
+grant codeBase "file:${jboss.server.home.dir}/lib/jboss-jsr77.jar" {
+   permission java.security.AllPermission;
+};
+
+grant codeBase "file:${jboss.server.home.dir}/lib/jboss-jsr88.jar" {
+   permission java.security.AllPermission;
+};
+
+grant codeBase "file:${jboss.server.home.dir}/lib/jbossjta-integration.jar" {
+   permission java.security.AllPermission;
+};
+
+grant codeBase "file:${jboss.server.home.dir}/lib/jbossjta.jar" {
+   permission java.security.AllPermission;
+};
+
+grant codeBase "file:${jboss.server.home.dir}/lib/jboss-management.jar" {
+   permission java.security.AllPermission;
+};
+
+grant codeBase "file:${jboss.server.home.dir}/lib/jboss-messaging-client.jar" {
+   permission java.security.AllPermission;
+};
+
+grant codeBase "file:${jboss.server.home.dir}/lib/jboss-messaging.jar" {
+   permission java.security.AllPermission;
+};
+
+grant codeBase "file:${jboss.server.home.dir}/lib/jboss-monitoring.jar" {
+   permission java.security.AllPermission;
+};
+
+grant codeBase "file:${jboss.server.home.dir}/lib/jboss-remoting-int.jar" {
+   permission java.security.AllPermission;
+};
+
+grant codeBase "file:${jboss.server.home.dir}/lib/jboss-remoting.jar" {
+   permission java.security.AllPermission;
+};
+
+grant codeBase "file:${jboss.server.home.dir}/lib/jboss-saaj.jar" {
+   permission java.security.AllPermission;
+};
+
+grant codeBase "file:${jboss.server.home.dir}/lib/jboss-serialization.jar" {
+   permission java.security.AllPermission;
+};
+
+grant codeBase "file:${jboss.server.home.dir}/lib/jboss-srp.jar" {
+   permission java.security.AllPermission;
+};
+
+grant codeBase "file:${jboss.server.home.dir}/lib/jbosssx.jar" {
+   permission java.security.AllPermission;
+};
+
+grant codeBase "file:${jboss.server.home.dir}/lib/jboss-transaction.jar" {
+   permission java.security.AllPermission;
+};
+
+grant codeBase "file:${jboss.server.home.dir}/lib/jbossts-common.jar" {
+   permission java.security.AllPermission;
+};
+
+grant codeBase "file:${jboss.server.home.dir}/lib/jboss-vfs.jar" {
+   permission java.security.AllPermission;
+};
+
+grant codeBase "file:${jboss.server.home.dir}/lib/jbossws-common.jar" {
+   permission java.security.AllPermission;
+};
+
+grant codeBase "file:${jboss.server.home.dir}/lib/jbossws-framework.jar" {
+   permission java.security.AllPermission;
+};
+
+grant codeBase "file:${jboss.server.home.dir}/lib/jbossws-jboss42.jar" {
+   permission java.security.AllPermission;
+};
+
+grant codeBase "file:${jboss.server.home.dir}/lib/jbossws-spi.jar" {
+   permission java.security.AllPermission;
+};
+
+grant codeBase "file:${jboss.server.home.dir}/lib/jgroups.jar" {
+   permission java.security.AllPermission;
+};
+
+grant codeBase "file:${jboss.server.home.dir}/lib/jmx-adaptor-plugin.jar" {
+   permission java.security.AllPermission;
+};
+
+grant codeBase "file:${jboss.server.home.dir}/lib/jnpserver.jar" {
+   permission java.security.AllPermission;
+};
+
+grant codeBase "file:${jboss.server.home.dir}/lib/joesnmp.jar" {
+   permission java.security.AllPermission;
+};
+
+grant codeBase "file:${jboss.server.home.dir}/lib/jsp-api.jar" {
+   permission java.security.AllPermission;
+};
+
+grant codeBase "file:${jboss.server.home.dir}/lib/log4j.jar" {
+   permission java.security.AllPermission;
+};
+
+grant codeBase "file:${jboss.server.home.dir}/lib/log4j-snmp-appender.jar" {
+   permission java.security.AllPermission;
+};
+
+grant codeBase "file:${jboss.server.home.dir}/lib/mail.jar" {
+   permission java.security.AllPermission;
+};
+
+grant codeBase "file:${jboss.server.home.dir}/lib/mail-plugin.jar" {
+   permission java.security.AllPermission;
+};
+
+grant codeBase "file:${jboss.server.home.dir}/lib/properties-plugin.jar" {
+   permission java.security.AllPermission;
+};
+
+grant codeBase "file:${jboss.server.home.dir}/lib/quartz-all.jar" {
+   permission java.security.AllPermission;
+};
+
+grant codeBase "file:${jboss.server.home.dir}/lib/scheduler-plugin-example.jar" {
+   permission java.security.AllPermission;
+};
+
+grant codeBase "file:${jboss.server.home.dir}/lib/scheduler-plugin.jar" {
+   permission java.security.AllPermission;
+};
+
+grant codeBase "file:${jboss.server.home.dir}/lib/servlet-api.jar" {
+   permission java.security.AllPermission;
+};
+
+grant codeBase "file:${jboss.server.home.dir}/lib/xmlentitymgr.jar" {
+   permission java.security.AllPermission;
+};
+
+// DEPLOY DIR
+
+grant codeBase "file:${jboss.server.home.dir}/deploy/jboss-ha-local-jdbc.rar" {
+   permission java.security.AllPermission;
+};
+
+grant codeBase "file:${jboss.server.home.dir}/deploy/jboss-ha-xa-jdbc.rar" {
+   permission java.security.AllPermission;
+};
+
+grant codeBase "file:${jboss.server.home.dir}/deploy/jboss-local-jdbc.rar" {
+   permission java.security.AllPermission;
+};
+
+grant codeBase "file:${jboss.server.home.dir}/deploy/jboss-xa-jdbc.rar" {
+   permission java.security.AllPermission;
+};
+
+grant codeBase "file:${jboss.server.home.dir}/deploy/jms-ra.rar" {
+   permission java.security.AllPermission;
+};
+
+grant codeBase "file:${jboss.server.home.dir}/deploy/quartz-ra.rar" {
+   permission java.security.AllPermission;
+};
+
+grant codeBase "file:${jboss.server.home.dir}/deploy/httpha-invoker.sar/-" {
+   permission java.security.AllPermission;
+};
+
+grant codeBase "file:${jboss.server.home.dir}/deploy/jboss-web-cluster.sar/jboss-web-cluster.aop" {
+   permission java.security.AllPermission;
+};
+
+grant codeBase "file:${jboss.server.home.dir}/deploy/jbossws.sar/jaxb-api.jar" {
+   permission java.security.AllPermission;
+};
+
+grant codeBase "file:${jboss.server.home.dir}/deploy/jbossws.sar/jaxb-impl.jar" {
+   permission java.security.AllPermission;
+};
+
+grant codeBase "file:${jboss.server.home.dir}/deploy/jbossws.sar/jboss-jaxb-intros.jar" {
+   permission java.security.AllPermission;
+};
+
+grant codeBase "file:${jboss.server.home.dir}/deploy/jbossws.sar/jboss-jaxrpc.jar" {
+   permission java.security.AllPermission;
+};
+
+grant codeBase "file:${jboss.server.home.dir}/deploy/jbossws.sar/jboss-jaxws.jar" {
+   permission java.security.AllPermission;
+};
+
+grant codeBase "file:${jboss.server.home.dir}/deploy/jbossws.sar/jboss-saaj.jar" {
+   permission java.security.AllPermission;
+};
+
+grant codeBase "file:${jboss.server.home.dir}/deploy/jbossws.sar/jbossws-core.jar" {
+   permission java.security.AllPermission;
+};
+
+grant codeBase "file:${jboss.server.home.dir}/deploy/jbossws.sar/jbossws-native.jar" {
+   permission java.security.AllPermission;
+};
+
+grant codeBase "file:${jboss.server.home.dir}/deploy/jbossws.sar/policy.jar" {
+   permission java.security.AllPermission;
+};
+
+grant codeBase "file:${jboss.server.home.dir}/deploy/jbossws.sar/stax-api.jar" {
+   permission java.security.AllPermission;
+};
+
+grant codeBase "file:${jboss.server.home.dir}/deploy/jbossws.sar/wsdl4j.jar" {
+   permission java.security.AllPermission;
+};
+
+grant codeBase "file:${jboss.server.home.dir}/deploy/jbossws.sar/wstx.jar" {
+   permission java.security.AllPermission;
+};
+
+grant codeBase "file:${jboss.server.home.dir}/deploy/jbossws.sar/xmlsec.jar" {
+   permission java.security.AllPermission;
+};
+
+grant codeBase "file:${jboss.server.home.dir}/deploy/juddi-service.sar/juddi.jar" {
+   permission java.security.AllPermission;
+};
+
+grant codeBase "file:${jboss.server.home.dir}/deploy/juddi-service.sar/juddi-saaj.jar" {
+   permission java.security.AllPermission;
+};
+
+grant codeBase "file:${jboss.server.home.dir}/deploy/juddi-service.sar/juddi-service.jar" {
+   permission java.security.AllPermission;
+};
+
+grant codeBase "file:${jboss.server.home.dir}/deploy/juddi-service.sar/juddi.war" {
+   permission java.security.AllPermission;
+};
+
+grant codeBase "file:${jboss.server.home.dir}/deploy/juddi-service.sar/scout.jar" {
+   permission java.security.AllPermission;
+};
+
+grant codeBase "file:${jboss.server.home.dir}/deploy/uuid-key-generator.sar/*" {
+   permission java.security.AllPermission;
+};
+
+grant codeBase "file:${jboss.server.home.dir}/deploy/ejb3.deployer/-" {
+   permission java.security.AllPermission;
+};
+
+grant codeBase "file:${jboss.server.home.dir}/deploy/jboss-aop-jdk50.deployer/-" {
+   permission java.security.AllPermission;
+};
+
+grant codeBase "file:${jboss.server.home.dir}/deploy/jboss-bean.deployer/-" {
+   permission java.security.AllPermission;
+};
+
+grant codeBase "file:${jboss.server.home.dir}/deploy/jboss-web.deployer/*" {
+   permission java.security.AllPermission;
+};
+
+grant codeBase "file:${jboss.server.home.dir}/deploy/jboss-web.deployer/jsf-libs/*" {
+   permission java.security.AllPermission;
+};
+
+grant codeBase "file:${jboss.server.home.dir}/deploy/management/-" {
+   permission java.security.AllPermission;
+};
+
+grant codeBase "file:${jboss.server.home.dir}/deploy/jmx-console.war/-" {
+   permission java.security.AllPermission;
+};
+
+
+grant codeBase "file:${jboss.server.home.dir}/tmp/-" {
+   
+   permission java.io.FilePermission "${jboss.server.home.dir}/-", "read,write,delete";
+   permission java.io.FilePermission "${java.io.tmpdir}", "read,write,delete";
+   
+   permission java.io.FilePermission "<<ALL FILES>>", "read";
+  
+   // MBean permissions
+   permission javax.management.MBeanTrustPermission "*";
+   permission javax.management.MBeanServerPermission "findMBeanServer";
+   permission javax.management.MBeanPermission "*", "*";
+
+   permission java.lang.RuntimePermission "setContextClassLoader";
+   permission java.lang.RuntimePermission "accessDeclaredMembers";
+   permission java.lang.RuntimePermission "createClassLoader";
+   permission java.lang.RuntimePermission "org.jboss.security.SecurityAssociation.setPrincipalInfo";
+   permission java.lang.RuntimePermission "org.jboss.security.SecurityAssociation.getPrincipalInfo";
+   permission java.lang.RuntimePermission "org.jboss.security.SecurityAssociation.setServer";
+   permission java.lang.RuntimePermission "org.jboss.security.SecurityAssociation.setRunAsRole";
+   permission java.lang.RuntimePermission "loadLibrary.tcnative-1";
+   permission java.lang.RuntimePermission "loadLibrary.libtcnative-1";
+ 
+   permission java.net.NetPermission "specifyStreamHandler";
+   
+   permission java.util.PropertyPermission "*", "read,write";
+   permission java.security.SecurityPermission "getProperty.package.definition";
+   permission java.security.SecurityPermission "setProperty.package.definition";
+   permission java.security.SecurityPermission "getProperty.package.access";
+   permission java.security.SecurityPermission "setProperty.package.access";
+   permission java.security.SecurityPermission "setPolicy";
+   permission java.security.SecurityPermission "putProviderProperty.JBossSX";
+   permission java.security.SecurityPermission "insertProvider.JBossSX";
+   
+   permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
+   
+   permission java.net.SocketPermission "*:1024-", "accept,listen";
+   permission java.util.logging.LoggingPermission "control";
+   
+   permission javax.security.auth.AuthPermission "doAsPrivileged";
+   permission javax.security.auth.AuthPermission "modifyPrincipals";
+   
+   permission javax.security.auth.PrivateCredentialPermission "javax.resource.spi.security.PasswordCredential * \"*\"", "read";
+   permission javax.security.auth.PrivateCredentialPermission "javax.crypto.spec.SecretKeySpec * \"*\"", "read";
+   permission javax.security.auth.PrivateCredentialPermission "org.jboss.security.srp.SRPParameters * \"*\"", "read";
+
+   permission java.security.SecurityPermission "getPolicy";
+   permission java.lang.RuntimePermission "accessClassInPackage.*";
+   permission java.lang.RuntimePermission "getClassLoader";
+   permission java.lang.RuntimePermission "getProtectionDomain";
+   permission java.lang.RuntimePermission "org.jboss.security.SecurityAssociation.getSubject";
+
+   permission javax.security.auth.AuthPermission "createLoginContext.*";
+   permission javax.security.auth.AuthPermission "getLoginConfiguration";
+   
+   permission java.net.SocketPermission "*", "connect,accept,resolve";
+   permission org.jboss.naming.JndiPermission "JAXR", "bind,rebind,unbind,lookup,list,listBindings,createSubcontext";
+};
+
+//******************* End of Section 3 **********************
+
+//**********************************************************
+//
+//   Section 4: JBoss EAP Testsuite Permissions
+//              
+//   This section is just for test suite purpose and can 
+//   safely removed.
+//   General recomendation: This section should be deleted or 
+//   commented out in production. 
+//**********************************************************
+
+// Testing configuration lib directory permissions
+grant codeBase "file:${user.dir}/../server/cc/lib/-" {
+  permission java.security.AllPermission;
+};
+
+// Permissions for the WarPermissionsUnitTestCase
+// Permissions for crypto tests (putProvider)
+grant codeBase "file:${jboss.test.deploy.dir}/-" {
+   permission java.util.PropertyPermission "*", "read";
+   permission java.io.FilePermission "<<ALL FILES>>", "read,write,delete";
+   permission java.security.SecurityPermission "putProviderProperty.JBossSX";
+   permission org.jboss.naming.JndiPermission "<<ALL BINDINGS>>", "bind,rebind,unbind,lookup,list,listBindings,createSubcontext";
+};
+
+// Following JDBC driver is included just for CC test purpose. 
+// When you test with different JDBC driver than Oracle DB you have to create your own entries.
+grant codeBase "file:${jboss.server.home.dir}/lib/ojdbc14.jar" {
+   // change host name and port to one where your database resides.
+   permission java.net.SocketPermission "dev68.qa.atl2.redhat.com:1521", "connect";
+
+   permission java.util.PropertyPermission "oracle.net.wallet_location", "read";
+   permission java.util.PropertyPermission "oracle.jdbc.TcpNoDelay", "read";
+   permission java.util.PropertyPermission "oracle.jdbc.defaultNChar", "read";
+   permission java.util.PropertyPermission "oracle.jdbc.useFetchSizeWithLongColumn", "read";
+   permission java.util.PropertyPermission "oracle.jdbc.convertNcharLiterals", "read";
+   permission java.util.PropertyPermission "oracle.jdbc.V8Compatible", "read";
+   permission java.util.PropertyPermission "oracle.jdbc.J2EE13Compliant", "read";
+   permission java.util.PropertyPermission "oracle.jdbc.FastConnectionFailover", "read";   
+   permission java.util.PropertyPermission "oracle.net.tns_admin", "read";
+   permission java.util.PropertyPermission "line.separator", "read";
+   permission java.util.PropertyPermission "user.name", "read";
+   permission java.util.PropertyPermission "java.version", "read";
+
+   permission java.lang.RuntimePermission "accessClassInPackage.sun.jdbc.odbc";
+   permission java.net.SocketPermission "*", "resolve";
+
+};
+
+//******************* End of Section 4 **********************
+
+
+//**************************************************************
+//
+// Section 5: User Applications Permissions
+//
+// This sections is for user application permissions.
+// Can be modified with care and attention to previously
+// entered permissions.
+//**************************************************************
+
+//  Following lines are here as template for creating JDBC driver permissions entry
+//  specific for your database. If using Oracle, one can copy JDBC driver permissions 
+//  from Section 4.
+//grant codeBase "file:${jboss.server.home.dir}/lib/<your JDBC driver>.jar" {
+//   <grant necessary permissions>
+//};
+
+// Minimal permissions are allowed to everyone else
+grant {
+   permission java.lang.RuntimePermission "queuePrintJob";
+};
+
+//******************* End of Section 5 **********************



