[jboss-remoting-commits] JBoss Remoting SVN: r3914 - remoting2/branches/2.x/src/etc.

Wed Apr 9 02:55:22 EDT 2008

Author: ron.sigal at jboss.com
Date: 2008-04-09 02:55:22 -0400 (Wed, 09 Apr 2008)
New Revision: 3914

Modified:
   remoting2/branches/2.x/src/etc/remoting.security.policy.core
Log:
JBREM-920, JBREM-934: Eliminated unnecessary permissions.

Modified: remoting2/branches/2.x/src/etc/remoting.security.policy.core
===================================================================

--- remoting2/branches/2.x/src/etc/remoting.security.policy.core	2008-04-09 06:51:29 UTC (rev 3913)
+++ remoting2/branches/2.x/src/etc/remoting.security.policy.core	2008-04-09 06:55:22 UTC (rev 3914)
@@ -1,3 +1,24 @@
+// JBoss, Home of Professional Open Source
+// Copyright 2005, JBoss Inc., and individual contributors as indicated
+// by the @authors tag. See the copyright.txt in the distribution for a
+// full listing of individual contributors.
+//
+// This is free software; you can redistribute it and/or modify it
+// under the terms of the GNU Lesser General Public License as
+// published by the Free Software Foundation; either version 2.1 of
+// the License, or (at your option) any later version.
+//
+// This software is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+// Lesser General Public License for more details.
+//
+// You should have received a copy of the GNU Lesser General Public
+// License along with this software; if not, write to the Free
+// Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
+// 02110-1301 USA, or see the FSF site: http://www.fsf.org.
+//
+
 //****************************************************************************************************************************************************************
 //****************************************************************************************************************************************************************
 //***************************************************
@@ -25,7 +46,7 @@
 //****************************************************************************************************************************************************************
 
  
-grant codeBase "file:${build.home}/output/classes/-"
+grant codeBase "file:${build.home}/output/lib/jboss-remoting.jar"
 {
 
 /////////////////////////////////////////////////////////////////////////////////////////////
@@ -54,21 +75,19 @@
     
     
 /////////////////////////////////////////////////////////////////////////////////////////////
-// Used by remote class loading system
+// Runtime permissions
 
+    // Used by remote class loading system
     permission java.lang.RuntimePermission "createClassLoader";
     permission java.lang.RuntimePermission "getClassLoader";
 
-
-/////////////////////////////////////////////////////////////////////////////////////////////
-// Used by:
-//     org.jboss.remoting.security.SSLSOcketBuilder
-//     org.jboss.remoting.transport.coyote.CoyoteInvoker
-//     org.jboss.remoting.transport.http.HTTPClientInvoker
-//     org.jboss.remoting.transport.servlet.web.ServerInvokerServlet
-//     org.jboss.remoting.transporter.TransporterHandler
-//     org.jboss.remoting.InvokerRegistry
-     
+    // Used by:
+    //     org.jboss.remoting.security.SSLSocketBuilder
+    //     org.jboss.remoting.transport.coyote.CoyoteInvoker
+    //     org.jboss.remoting.transport.http.HTTPClientInvoker
+    //     org.jboss.remoting.transport.servlet.web.ServerInvokerServlet
+    //     org.jboss.remoting.transporter.TransporterHandler
+    //     org.jboss.remoting.InvokerRegistry 
     permission java.lang.RuntimePermission "accessClassInPackage.*";
 
 
@@ -77,63 +96,53 @@
 
     permission javax.management.MBeanTrustPermission "register";
             
-    // org.jboss.remoting.callback.ServerInvokerCallbackHandler ?? getClassLoader
+    // Used by org.jboss.remoting.callback.ServerInvokerCallbackHandler ?? getClassLoader
     permission javax.management.MBeanPermission "*#SSLSocketBuilder[*:*]", "getAttribute";
-//    permission javax.management.MBeanPermission"org.jboss.remoting.security.SSLServerSocketFactoryServiceMBean#-[*:*]", "getClassLoaderFor, isInstanceOf"; 
-//    permission javax.management.MBeanPermission "org.jboss.remoting.security.SSLServerSocketFactoryService#-[*:*]", "getClassLoaderFor";
     permission javax.management.MBeanPermission "*#-[*:*]", "isInstanceOf";    
         
-    // org.jboss.remoting.detection.AbstractDetector   // necessary for proxy ?
+    // Used by org.jboss.remoting.detection.AbstractDetector   // necessary for proxy ?
     permission javax.management.MBeanPermission "*#addServer[remoting:type=NetworkRegistry]", "invoke";
     permission javax.management.MBeanPermission "*#updateServer[remoting:type=NetworkRegistry]", "invoke";
     permission javax.management.MBeanPermission "*#removeServer[remoting:type=NetworkRegistry]", "invoke";
     permission javax.management.MBeanPermission "*#Servers[*:*]", "getAttribute"; // needed
 
-    
-    // org.jboss.remoting.detection.util.DetectorUtil
+    // Used by org.jboss.remoting.detection.util.DetectorUtil
     permission javax.management.MBeanServerPermission "createMBeanServer";
     permission javax.management.MBeanPermission "org.jboss.remoting.network.NetworkRegistry#-[remoting:type=NetworkRegistry]", "registerMBean";
     permission javax.management.MBeanPermission "org.jboss.remoting.transport.Connector#-[jboss.remoting:type=Connector,*]", "registerMBean";
     permission javax.management.MBeanPermission "org.jboss.remoting.detection.*#-[remoting:type=Detector,*]", "registerMBean";
-//   permission javax.management.MBeanPermission "org.jboss.remoting.transport.Connector#-[jboss.remoting:type=Connector,*]", "registerMBean, queryMBeans, isInstanceOf";
-
     
-    // org.jboss.remoting.ident.Identity
-//    permission javax.management.MBeanPermission "javax.management.MBeanServerDelegate#-[JMImplementation:type=MBeanServerDelegate]", "isInstanceOf";
+    // Used by org.jboss.remoting.ident.Identity
     permission javax.management.MBeanPermission "javax.management.MBeanServerDelegate#MBeanServerId[JMImplementation:type=MBeanServerDelegate]", "getAttribute";
     permission javax.management.MBeanPermission "-#ServerDataDir[jboss.system:type=ServerConfig]", "getAttribute";
-//    permission javax.management.MBeanPermission "javax.management.MBeanServerDelegate#-[JMImplementation:type=MBeanServerDelegate]", "queryMBeans, isInstanceOf";
         
-    // org.jboss.remoting.network.NetworkRegistryFinder
+    // Used by org.jboss.remoting.network.NetworkRegistryFinder
     permission javax.management.MBeanPermission "*#-[*:*]", "queryMBeans";
     
-    // org.jboss.remoting.network.NetworkRegistryQuery // need getClassloaderFor ??
+    // Used by org.jboss.remoting.network.NetworkRegistryQuery // need getClassloaderFor ??
     permission javax.management.MBeanPermission "org.jboss.remoting.network.NetworkRegistry#-[*:*]", "isInstanceOf";
 
-    // org.jboss.remoting.security.CustomSSLServerSocketFactory // necessary ??
+    // Used by org.jboss.remoting.security.CustomSSLServerSocketFactory // necessary ??
     permission javax.management.MBeanPermission "org.jboss.remoting.security.CustomSSLServerSocketFactory#*[*:*]", "invoke";
     
-    // org.jboss.remoting.security.ServerSocketFactoryWrapper
+    // Used by org.jboss.remoting.security.ServerSocketFactoryWrapper
     permission javax.management.MBeanPermission "*#createServerSocket[*:*]", "invoke";
     
-    // org.jboss.remoting.transport.Connector // isInstanceOf ??
+    // Used by org.jboss.remoting.transport.Connector // isInstanceOf ??
     permission javax.management.MBeanPermission "org.jboss.remoting.transport.*#-[jboss.remoting:service=invoker,*]", "registerMBean, unregisterMBean";
-//    permission javax.management.MBeanPermission "org.jboss.remoting.transport.*#-[jboss.remoting:service=invoker,*]", "unregisterMBean, registerMBean, queryMBeans, isInstanceOf";
    
-    // org.jboss.remoting.transport.servlet.web.ServerInvokerServlet
+    // Used by org.jboss.remoting.transport.servlet.web.ServerInvokerServlet
     permission javax.management.MBeanServerPermission "findMBeanServer";
    
-    // org.jboss.remoting.transporter.InternalTransporterServices
+    // Used by org.jboss.remoting.transporter.InternalTransporterServices
     permission javax.management.MBeanPermission "org.jboss.remoting.network.NetworkRegistry#-[remoting:type=NetworkRegistry]", "registerMBean";
     
-    // org.jboss.remoting.transporter.TransporterClient and org.jboss.remoting.transporter.Transporter.Server
+    // Used by org.jboss.remoting.transporter.TransporterClient and org.jboss.remoting.transporter.Transporter.Server
     permission javax.management.MBeanServerPermission "createMBeanServer";
    
-//    permission javax.management.MBeanPermission "*#-[*:*]", "isInstanceOf, registerMBean";
-
-
+   
 /////////////////////////////////////////////////////////////////////////////////////////////
-// Can't create sockets without it
+// Socket permissions.  Can't create sockets without it.
 
     permission java.net.SocketPermission "*:*", "accept,connect,listen,resolve";
     
@@ -172,18 +181,11 @@
     permission java.util.PropertyPermission "remoting.stream.port", "read"; 
     permission java.util.PropertyPermission "remoting.stream.transport", "read";   
     permission java.util.PropertyPermission "tomcat.util.buf.StringCache.*", "read";
-    
-    
-/////////////////////////////////////////////////////////////////////////////////////////////
-// Tomcat native - TODO - this should be in a privileged block in jbossnative
 
-//    permission java.lang.RuntimePermission "loadLibrary.tcnative-1";
-//    permission java.lang.RuntimePermission "loadLibrary.libtcnative-1";
-//    permission java.util.PropertyPermission "java.library.path", "read";
 
-
 /////////////////////////////////////////////////////////////////////////////////////////////
-// TODO - JBoss Serialization SHOULD be doing these operations in a privileged block - JBSER-105
+// Permissions used by JBossSerialization.
+// [TODO - JBoss Serialization SHOULD be doing these operations in a privileged block - JBSER-105]
 
     permission java.lang.RuntimePermission "accessDeclaredMembers";
     permission java.lang.RuntimePermission "accessClassInPackage.*";
@@ -191,12 +193,13 @@
     permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
     permission java.io.SerializablePermission "enableSubclassImplementation";
 
-    // org.jboss.remoting.serialization.impl.java.MarshalledValueOutputStream
-    permission java.io.SerializablePermission "enableSubstitution"; // <- this one is a "maybe" :-)
+    // Used by org.jboss.remoting.serialization.impl.java.MarshalledValueOutputStream
+    permission java.io.SerializablePermission "enableSubstitution";
 
 
 /////////////////////////////////////////////////////////////////////////////////////////////
-// TODO - We should use a version of JBoss logging + log4j that does this stuff in privileged blocks
+// Permissions used by Logging
+// [TODO - We should use a version of JBoss logging + log4j that does this stuff in privileged blocks]
 
       permission java.io.FilePermission "${build.home}${/}src${/}etc${/}log4j.properties", "read";
       permission java.io.FilePermission "${build.home}${/}src${/}etc${/}log4j.xml", "read";
@@ -218,15 +221,3 @@
       permission java.util.PropertyPermission "org.apache.commons.logging.Log", "read";
 };
 
-
-//****************************************************************************************************************************************************************
-//****************************************************************************************************************************************************************
-//******************************************************************
-//****           Permissions for third party libraries          ****
-//******************************************************************
-//****************************************************************** 
-grant codeBase "file:${build.home}/lib/-"
-{
-    permission java.security.AllPermission;
-};
-


