<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
<body link="#355491" alink="#4262a1" vlink="#355491" style="background: #e2e2e2; margin: 0; padding: 20px;">
<div>
<table cellpadding="0" bgcolor="#FFFFFF" border="0" cellspacing="0" style="border: 1px solid #dadada; margin-bottom: 30px; width: 100%; -moz-border-radius: 6px; -webkit-border-radius: 6px;">
<tbody>
<tr>
<td>
<table border="0" cellpadding="0" cellspacing="0" bgcolor="#FFFFFF" style="border: solid 2px #ccc; background: #dadada; width: 100%; -moz-border-radius: 6px; -webkit-border-radius: 6px;">
<tbody>
<tr>
<td bgcolor="#000000" valign="middle" height="58px" style="border-bottom: 1px solid #ccc; padding: 20px; -moz-border-radius-topleft: 3px; -moz-border-radius-topright: 3px; -webkit-border-top-right-radius: 5px; -webkit-border-top-left-radius: 5px;">
<h1 style="color: #333333; font: bold 22px Arial, Helvetica, sans-serif; margin: 0; display: block !important;">
<!-- To have a header image/logo replace the name below with your img tag -->
<!-- Email clients will render the images when the message is read so any image -->
<!-- must be made available on a public server, so that all recipients can load the image. -->
<a href="https://community.jboss.org/index.jspa" style="text-decoration: none; color: #E1E1E1">JBoss Community</a></h1>
</td>
</tr>
<tr>
<td bgcolor="#FFFFFF" style="font: normal 12px Arial, Helvetica, sans-serif; color:#333333; padding: 20px; -moz-border-radius-bottomleft: 4px; -moz-border-radius-bottomright: 4px; -webkit-border-bottom-right-radius: 5px; -webkit-border-bottom-left-radius: 5px;"><h3 style="margin: 10px 0 5px; font-size: 17px; font-weight: normal;">
AS8: JBoss Security Manager Implementation Plan
</h3>
<span style="margin-bottom: 10px;">
new comment by <a href="https://community.jboss.org/people/dmlloyd">David Lloyd</a> <a href="https://community.jboss.org/docs/DOC-48386#comment-11605">View all comments on this document</a>
</span>
<hr style="margin: 20px 0; border: none; background-color: #dadada; height: 1px;">
<div class="jive-rendered-content"><p>No, actually.  The user just adds the module like normal.  The default module properties are "AllPermission" but you can specify a more restrictive set in the module.xml file.  The reason we went away from signing is that it doesn't really afford any more security - if you have access to the filesystem, you can make the AS run without a security manager anyway.</p><p style="min-height: 8pt; height: 8pt; padding: 0px;"> </p><p>It is also possible to further restrict permissions using the JDK's default policy mechanism.  The effective permissions are the intersection of the module specified permissions and the global policy.  But it is designed so that a policy file is not required in the simplest case.</p><p style="min-height: 8pt; height: 8pt; padding: 0px;"> </p><p>Finally we will have *some* mechanism (not yet determined) to specify a policy that applies to deployments.</p></div>
</td>
</tr>
</tbody>
</table>
</td>
</tr>
</tbody>
</table>
</div>
</body>
</html>