[jboss-remoting-commits] JBoss Remoting SVN: r3914 - remoting2/branches/2.x/src/etc.
jboss-remoting-commits at lists.jboss.org
jboss-remoting-commits at lists.jboss.org
Wed Apr 9 02:55:22 EDT 2008
Author: ron.sigal at jboss.com
Date: 2008-04-09 02:55:22 -0400 (Wed, 09 Apr 2008)
New Revision: 3914
Modified:
remoting2/branches/2.x/src/etc/remoting.security.policy.core
Log:
JBREM-920, JBREM-934: Eliminated unnecessary permissions.
Modified: remoting2/branches/2.x/src/etc/remoting.security.policy.core
===================================================================
--- remoting2/branches/2.x/src/etc/remoting.security.policy.core 2008-04-09 06:51:29 UTC (rev 3913)
+++ remoting2/branches/2.x/src/etc/remoting.security.policy.core 2008-04-09 06:55:22 UTC (rev 3914)
@@ -1,3 +1,24 @@
+// JBoss, Home of Professional Open Source
+// Copyright 2005, JBoss Inc., and individual contributors as indicated
+// by the @authors tag. See the copyright.txt in the distribution for a
+// full listing of individual contributors.
+//
+// This is free software; you can redistribute it and/or modify it
+// under the terms of the GNU Lesser General Public License as
+// published by the Free Software Foundation; either version 2.1 of
+// the License, or (at your option) any later version.
+//
+// This software is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+// Lesser General Public License for more details.
+//
+// You should have received a copy of the GNU Lesser General Public
+// License along with this software; if not, write to the Free
+// Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
+// 02110-1301 USA, or see the FSF site: http://www.fsf.org.
+//
+
//****************************************************************************************************************************************************************
//****************************************************************************************************************************************************************
//***************************************************
@@ -25,7 +46,7 @@
//****************************************************************************************************************************************************************
-grant codeBase "file:${build.home}/output/classes/-"
+grant codeBase "file:${build.home}/output/lib/jboss-remoting.jar"
{
/////////////////////////////////////////////////////////////////////////////////////////////
@@ -54,21 +75,19 @@
/////////////////////////////////////////////////////////////////////////////////////////////
-// Used by remote class loading system
+// Runtime permissions
+ // Used by remote class loading system
permission java.lang.RuntimePermission "createClassLoader";
permission java.lang.RuntimePermission "getClassLoader";
-
-/////////////////////////////////////////////////////////////////////////////////////////////
-// Used by:
-// org.jboss.remoting.security.SSLSOcketBuilder
-// org.jboss.remoting.transport.coyote.CoyoteInvoker
-// org.jboss.remoting.transport.http.HTTPClientInvoker
-// org.jboss.remoting.transport.servlet.web.ServerInvokerServlet
-// org.jboss.remoting.transporter.TransporterHandler
-// org.jboss.remoting.InvokerRegistry
-
+ // Used by:
+ // org.jboss.remoting.security.SSLSocketBuilder
+ // org.jboss.remoting.transport.coyote.CoyoteInvoker
+ // org.jboss.remoting.transport.http.HTTPClientInvoker
+ // org.jboss.remoting.transport.servlet.web.ServerInvokerServlet
+ // org.jboss.remoting.transporter.TransporterHandler
+ // org.jboss.remoting.InvokerRegistry
permission java.lang.RuntimePermission "accessClassInPackage.*";
@@ -77,63 +96,53 @@
permission javax.management.MBeanTrustPermission "register";
- // org.jboss.remoting.callback.ServerInvokerCallbackHandler ?? getClassLoader
+ // Used by org.jboss.remoting.callback.ServerInvokerCallbackHandler ?? getClassLoader
permission javax.management.MBeanPermission "*#SSLSocketBuilder[*:*]", "getAttribute";
-// permission javax.management.MBeanPermission"org.jboss.remoting.security.SSLServerSocketFactoryServiceMBean#-[*:*]", "getClassLoaderFor, isInstanceOf";
-// permission javax.management.MBeanPermission "org.jboss.remoting.security.SSLServerSocketFactoryService#-[*:*]", "getClassLoaderFor";
permission javax.management.MBeanPermission "*#-[*:*]", "isInstanceOf";
- // org.jboss.remoting.detection.AbstractDetector // necessary for proxy ?
+ // Used by org.jboss.remoting.detection.AbstractDetector // necessary for proxy ?
permission javax.management.MBeanPermission "*#addServer[remoting:type=NetworkRegistry]", "invoke";
permission javax.management.MBeanPermission "*#updateServer[remoting:type=NetworkRegistry]", "invoke";
permission javax.management.MBeanPermission "*#removeServer[remoting:type=NetworkRegistry]", "invoke";
permission javax.management.MBeanPermission "*#Servers[*:*]", "getAttribute"; // needed
-
- // org.jboss.remoting.detection.util.DetectorUtil
+ // Used by org.jboss.remoting.detection.util.DetectorUtil
permission javax.management.MBeanServerPermission "createMBeanServer";
permission javax.management.MBeanPermission "org.jboss.remoting.network.NetworkRegistry#-[remoting:type=NetworkRegistry]", "registerMBean";
permission javax.management.MBeanPermission "org.jboss.remoting.transport.Connector#-[jboss.remoting:type=Connector,*]", "registerMBean";
permission javax.management.MBeanPermission "org.jboss.remoting.detection.*#-[remoting:type=Detector,*]", "registerMBean";
-// permission javax.management.MBeanPermission "org.jboss.remoting.transport.Connector#-[jboss.remoting:type=Connector,*]", "registerMBean, queryMBeans, isInstanceOf";
-
- // org.jboss.remoting.ident.Identity
-// permission javax.management.MBeanPermission "javax.management.MBeanServerDelegate#-[JMImplementation:type=MBeanServerDelegate]", "isInstanceOf";
+ // Used by org.jboss.remoting.ident.Identity
permission javax.management.MBeanPermission "javax.management.MBeanServerDelegate#MBeanServerId[JMImplementation:type=MBeanServerDelegate]", "getAttribute";
permission javax.management.MBeanPermission "-#ServerDataDir[jboss.system:type=ServerConfig]", "getAttribute";
-// permission javax.management.MBeanPermission "javax.management.MBeanServerDelegate#-[JMImplementation:type=MBeanServerDelegate]", "queryMBeans, isInstanceOf";
- // org.jboss.remoting.network.NetworkRegistryFinder
+ // Used by org.jboss.remoting.network.NetworkRegistryFinder
permission javax.management.MBeanPermission "*#-[*:*]", "queryMBeans";
- // org.jboss.remoting.network.NetworkRegistryQuery // need getClassloaderFor ??
+ // Used by org.jboss.remoting.network.NetworkRegistryQuery // need getClassloaderFor ??
permission javax.management.MBeanPermission "org.jboss.remoting.network.NetworkRegistry#-[*:*]", "isInstanceOf";
- // org.jboss.remoting.security.CustomSSLServerSocketFactory // necessary ??
+ // Used by org.jboss.remoting.security.CustomSSLServerSocketFactory // necessary ??
permission javax.management.MBeanPermission "org.jboss.remoting.security.CustomSSLServerSocketFactory#*[*:*]", "invoke";
- // org.jboss.remoting.security.ServerSocketFactoryWrapper
+ // Used by org.jboss.remoting.security.ServerSocketFactoryWrapper
permission javax.management.MBeanPermission "*#createServerSocket[*:*]", "invoke";
- // org.jboss.remoting.transport.Connector // isInstanceOf ??
+ // Used by org.jboss.remoting.transport.Connector // isInstanceOf ??
permission javax.management.MBeanPermission "org.jboss.remoting.transport.*#-[jboss.remoting:service=invoker,*]", "registerMBean, unregisterMBean";
-// permission javax.management.MBeanPermission "org.jboss.remoting.transport.*#-[jboss.remoting:service=invoker,*]", "unregisterMBean, registerMBean, queryMBeans, isInstanceOf";
- // org.jboss.remoting.transport.servlet.web.ServerInvokerServlet
+ // Used by org.jboss.remoting.transport.servlet.web.ServerInvokerServlet
permission javax.management.MBeanServerPermission "findMBeanServer";
- // org.jboss.remoting.transporter.InternalTransporterServices
+ // Used by org.jboss.remoting.transporter.InternalTransporterServices
permission javax.management.MBeanPermission "org.jboss.remoting.network.NetworkRegistry#-[remoting:type=NetworkRegistry]", "registerMBean";
- // org.jboss.remoting.transporter.TransporterClient and org.jboss.remoting.transporter.Transporter.Server
+ // Used by org.jboss.remoting.transporter.TransporterClient and org.jboss.remoting.transporter.Transporter.Server
permission javax.management.MBeanServerPermission "createMBeanServer";
-// permission javax.management.MBeanPermission "*#-[*:*]", "isInstanceOf, registerMBean";
-
-
+
/////////////////////////////////////////////////////////////////////////////////////////////
-// Can't create sockets without it
+// Socket permissions. Can't create sockets without it.
permission java.net.SocketPermission "*:*", "accept,connect,listen,resolve";
@@ -172,18 +181,11 @@
permission java.util.PropertyPermission "remoting.stream.port", "read";
permission java.util.PropertyPermission "remoting.stream.transport", "read";
permission java.util.PropertyPermission "tomcat.util.buf.StringCache.*", "read";
-
-
-/////////////////////////////////////////////////////////////////////////////////////////////
-// Tomcat native - TODO - this should be in a privileged block in jbossnative
-// permission java.lang.RuntimePermission "loadLibrary.tcnative-1";
-// permission java.lang.RuntimePermission "loadLibrary.libtcnative-1";
-// permission java.util.PropertyPermission "java.library.path", "read";
-
/////////////////////////////////////////////////////////////////////////////////////////////
-// TODO - JBoss Serialization SHOULD be doing these operations in a privileged block - JBSER-105
+// Permissions used by JBossSerialization.
+// [TODO - JBoss Serialization SHOULD be doing these operations in a privileged block - JBSER-105]
permission java.lang.RuntimePermission "accessDeclaredMembers";
permission java.lang.RuntimePermission "accessClassInPackage.*";
@@ -191,12 +193,13 @@
permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
permission java.io.SerializablePermission "enableSubclassImplementation";
- // org.jboss.remoting.serialization.impl.java.MarshalledValueOutputStream
- permission java.io.SerializablePermission "enableSubstitution"; // <- this one is a "maybe" :-)
+ // Used by org.jboss.remoting.serialization.impl.java.MarshalledValueOutputStream
+ permission java.io.SerializablePermission "enableSubstitution";
/////////////////////////////////////////////////////////////////////////////////////////////
-// TODO - We should use a version of JBoss logging + log4j that does this stuff in privileged blocks
+// Permissions used by Logging
+// [TODO - We should use a version of JBoss logging + log4j that does this stuff in privileged blocks]
permission java.io.FilePermission "${build.home}${/}src${/}etc${/}log4j.properties", "read";
permission java.io.FilePermission "${build.home}${/}src${/}etc${/}log4j.xml", "read";
@@ -218,15 +221,3 @@
permission java.util.PropertyPermission "org.apache.commons.logging.Log", "read";
};
-
-//****************************************************************************************************************************************************************
-//****************************************************************************************************************************************************************
-//******************************************************************
-//**** Permissions for third party libraries ****
-//******************************************************************
-//******************************************************************
-grant codeBase "file:${build.home}/lib/-"
-{
- permission java.security.AllPermission;
-};
-
More information about the jboss-remoting-commits
mailing list