12:43 a.m.
Author: ron.sigal(a)jboss.com
Date: 2008-04-02 01:43:36 -0400 (Wed, 02 Apr 2008)
New Revision: 3878
Modified:
remoting2/branches/2.x/test.policy
Log:
JBREM-934: Various additions and modifications.
Modified: remoting2/branches/2.x/test.policy
===================================================================
--- remoting2/branches/2.x/test.policy 2008-04-02 05:41:45 UTC (rev 3877)
+++ remoting2/branches/2.x/test.policy 2008-04-02 05:43:36 UTC (rev 3878)
@@ -1,85 +1,143 @@
+//***************************************************
+//**** Permissions to run Remoting itself ****
+//***************************************************
+grant codeBase "file:${build.home}/output/classes/-"
+{
+/////////////////////////////////////////////////////////////////////////////////////////////
+// Used by remote class loading system
-// Permissions to run Remoting itself
-grant codeBase "file:${build.home}/output/classes/-" {
- // Used by remote class loading system
permission java.lang.RuntimePermission "createClassLoader";
permission java.lang.RuntimePermission "getClassLoader";
- // Can't create sockets without it
+/////////////////////////////////////////////////////////////////////////////////////////////
+// Can't create sockets without it
+
permission java.net.SocketPermission "*:*",
"accept,connect,listen,resolve";
- // HTTP client invokers use Class.getMethod()
+/////////////////////////////////////////////////////////////////////////////////////////////
+// HTTP client invokers use Class.getMethod()
+
permission java.lang.RuntimePermission
"accessClassInPackage.sun.net.www.protocol.https";
permission java.lang.RuntimePermission
"accessClassInPackage.sun.net.www.protocol.http";
- // Permission to create an MBean server
+/////////////////////////////////////////////////////////////////////////////////////////////
+// MBean permissions
+
permission javax.management.MBeanServerPermission "createMBeanServer,
releaseMBeanServer";
permission javax.management.MBeanTrustPermission "register";
+
+ // org.jboss.remoting.ident.Identity
+ permission javax.management.MBeanPermission
"javax.management.MBeanServerDelegate#-[JMImplementation:type=MBeanServerDelegate]",
"queryMBeans, isInstanceOf";
permission javax.management.MBeanPermission
"javax.management.MBeanServerDelegate#MBeanServerId[JMImplementation:type=MBeanServerDelegate]",
"getAttribute";
- permission javax.management.MBeanPermission "-#-[-]",
"queryMBeans";
- permission javax.management.MBeanPermission
"org.jboss.remoting.transport.Connector#-[jboss.remoting:type=Connector,*]",
"queryMBeans, isInstanceOf";
- permission javax.management.MBeanPermission
"org.jboss.remoting.ServerInvoker#-[jboss.remoting:service=invoker,*]",
"unregisterMBean, registerMBean, queryMBeans, isInstanceOf";
- permission javax.management.MBeanPermission
"javax.management.MBeanServerDelegate#-[JMImplementation:type=MBeanServerDelegate]",
"queryMBeans, isInstanceOf, getAttribute";
- permission javax.management.MBeanPermission
"org.jboss.remoting.detection.multicast.MulticastDetector#-[remoting:type=JNDIDetector]",
"queryMBeans, isInstanceOf";
- permission javax.management.MBeanPermission
"org.jboss.remoting.detection.multicast.MulticastDetector#-[remoting:type=MulticastDetector]",
"queryMBeans, isInstanceOf, unregisterMBean";
- permission javax.management.MBeanPermission
"org.jboss.remoting.network.NetworkRegistry#-[remoting:type=NetworkRegistry]",
"queryMBeans, isInstanceOf";
- permission javax.management.MBeanPermission
"org.jboss.remoting.network.NetworkRegistry#Servers[remoting:type=NetworkRegistry]",
"getAttribute";
permission javax.management.MBeanPermission
"-#ServerDataDir[jboss.system:type=ServerConfig]", "getAttribute";
+
+ // org.jboss.remoting.callback.ServerInvokerCallbackHandler
+ permission javax.management.MBeanPermission "*#SSLSocketBuilder[*:*]",
"getAttribute";
+ permission javax.management.MBeanPermission
"org.jboss.remoting.security.SSLServerSocketFactoryServiceMBean#-[*:*]",
"isInstanceOf";
+ permission javax.management.MBeanPermission
"org.jboss.remoting.security.SSLServerSocketFactoryService#-[*:*]",
"getClassLoaderFor";
+
+ // org.jboss.remoting.network.NetworkRegistryFinder
+ permission javax.management.MBeanPermission "*#-[*:*]",
"queryMBeans";
+ // jboss.remoting.network.NetworkRegistryQuery
+ permission javax.management.MBeanPermission "NetworkRegistryMBean#-[*:*]",
"isInstanceOf";
+
+ // org.jboss.remoting.detection.AbstractDetector
+// permission javax.management.MBeanPermission "*#*[*:*]",
"invoke";
+ permission javax.management.MBeanPermission
"*#addServer[remoting:type=NetworkRegistry]", "invoke";
+ permission javax.management.MBeanPermission
"*#updateServer[remoting:type=NetworkRegistry]", "invoke";
+ permission javax.management.MBeanPermission
"*#removeServer[remoting:type=NetworkRegistry]", "invoke";
+ permission javax.management.MBeanPermission "*#Servers[*:*]",
"getAttribute";
+
+ // org.jboss.remoting.transport.Connector
+ permission javax.management.MBeanPermission
"org.jboss.remoting.transport.*#-[jboss.remoting:service=invoker,*]",
"unregisterMBean, registerMBean, queryMBeans, isInstanceOf";
+
+ // org.jboss.remoting.detection.util.DetectorUtil and
org.jboss.remoting.transporter.InternalTransporterServices
+ permission javax.management.MBeanPermission
"org.jboss.remoting.network.NetworkRegistry#-[remoting:type=NetworkRegistry]",
"registerMBean";
+
+ // org.jboss.remoting.detection.util.DetectorUtil
+ permission javax.management.MBeanPermission
"org.jboss.remoting.transport.Connector#-[jboss.remoting:type=Connector,*]",
"registerMBean, queryMBeans, isInstanceOf";
+
+// permission javax.management.MBeanPermission
"org.jboss.remoting.detection.multicast.MulticastDetector#-[remoting:type=JNDIDetector]",
"queryMBeans, isInstanceOf";
+// permission javax.management.MBeanPermission
"org.jboss.remoting.detection.multicast.MulticastDetector#-[remoting:type=MulticastDetector]",
"queryMBeans, isInstanceOf, unregisterMBean";
+// permission javax.management.MBeanPermission
"org.jboss.remoting.network.NetworkRegistry#-[remoting:type=NetworkRegistry]",
"queryMBeans, isInstanceOf";
+
+// permission javax.management.MBeanPermission
"org.jboss.remoting.security.SSLServerSocketFactoryService#-[*:*]",
"isInstanceOf";
+
+ // org.jboss.remoting.security.CustomSSLServerSocketFactory
+ permission javax.management.MBeanPermission
"org.jboss.remoting.security.CustomSSLServerSocketFactory#*[*:*]",
"invoke";
+
+
+ permission javax.management.MBeanPermission
"org.jboss.*#createServerSocket[*:*]", "invoke";
+ permission javax.management.MBeanPermission "*#-[*:*]", "isInstanceOf,
registerMBean";
+
+
// TODO: Figure out why these aren't covered by the AllPermission entries below
- permission javax.management.MBeanPermission
"org.jboss.test.remoting.detection.metadata.MetadataTestCase$TestNetworkRegistry#-[remoting:type=NetworkRegistry]",
"unregisterMBean, registerMBean, queryMBeans, isInstanceOf";
+// permission javax.management.MBeanPermission
"org.jboss.test.remoting.detection.metadata.MetadataTestCase$TestNetworkRegistry#-[remoting:type=NetworkRegistry]",
"unregisterMBean, registerMBean, queryMBeans, isInstanceOf";
- // System properties accessed by Remoting
- permission java.util.PropertyPermission
"jboss.remoting.pre_2_0_compatible", "read";
- permission java.util.PropertyPermission "jboss.remoting.version",
"read, write";
- permission java.util.PropertyPermission "legacyParsing", "read";
- permission java.util.PropertyPermission "jboss.bind.address",
"read";
- permission java.util.PropertyPermission "remoting.bind_by_host",
"read";
+/////////////////////////////////////////////////////////////////////////////////////////////
+// System properties accessed by Remoting
+
+ permission java.util.PropertyPermission "SERIALIZATION", "read";
+ permission java.util.PropertyPermission "file.separator",
"read";
+ permission java.util.PropertyPermission "http.basic.password",
"read";
+ permission java.util.PropertyPermission "http.basic.username",
"read";
+ permission java.util.PropertyPermission "javax.net.ssl.keyStore",
"read";
+ permission java.util.PropertyPermission "javax.net.ssl.keyStorePassword",
"read";
+ permission java.util.PropertyPermission "javax.net.ssl.keyStoreType",
"read";
permission java.util.PropertyPermission "javax.net.ssl.trustStore",
"read";
+ permission java.util.PropertyPermission "javax.net.ssl.trustStorePassword",
"read";
permission java.util.PropertyPermission "javax.net.ssl.trustStoreType",
"read";
- permission java.util.PropertyPermission "javax.net.ssl.trustStorePassword",
"read";
- permission java.util.PropertyPermission "javax.net.ssl.keyStorePassword",
"read";
- permission java.util.PropertyPermission "javax.net.ssl.keyStoreType",
"read";
- permission java.util.PropertyPermission "javax.net.ssl.keyStore",
"read";
- permission java.util.PropertyPermission "jboss.identity.domain",
"read";
+ permission java.util.PropertyPermission "jboss.bind.address",
"read";
permission java.util.PropertyPermission "jboss.identity", "read,
write";
permission java.util.PropertyPermission "jboss.identity.dir",
"read";
+ permission java.util.PropertyPermission "jboss.identity.domain",
"read";
+ permission java.util.PropertyPermission "jboss.remoting.compression.debug",
"read";
+ permission java.util.PropertyPermission "jboss.remoting.compression.min",
"read";
+ permission java.util.PropertyPermission "jboss.remoting.domain",
"write";
+ permission java.util.PropertyPermission "jboss.remoting.instanceid",
"write";
permission java.util.PropertyPermission "jboss.remoting.jmxid",
"write";
- permission java.util.PropertyPermission "jboss.remoting.instanceid",
"write";
- permission java.util.PropertyPermission "jboss.remoting.domain",
"write";
- permission java.util.PropertyPermission "SERIALIZATION", "read";
- permission java.util.PropertyPermission "http.basic.username",
"read";
- permission java.util.PropertyPermission "http.basic.password",
"read";
+ permission java.util.PropertyPermission
"jboss.remoting.pre_2_0_compatible", "read";
+ permission java.util.PropertyPermission "jboss.remoting.version",
"read, write";
+ permission java.util.PropertyPermission "jboss.server.data.dir",
"read";
+ permission java.util.PropertyPermission "legacyParsing", "read";
+ permission java.util.PropertyPermission "org.apache.tomcat.util.*",
"read";
permission java.util.PropertyPermission
"org.jboss.remoting.defaultSocketFactory", "read";
- permission java.util.PropertyPermission "jboss.server.data.dir",
"read";
- permission java.util.PropertyPermission "file.separator",
"read";
- permission java.util.PropertyPermission "jboss.remoting.compression.debug",
"read";
- permission java.util.PropertyPermission "jboss.remoting.compression.min",
"read";
- permission java.util.PropertyPermission "remoting.stream.transport",
"read";
+ permission java.util.PropertyPermission
"org.jboss.security.ignoreHttpsHost" , "read";
+ permission java.util.PropertyPermission "remoting.bind_by_host",
"read";
permission java.util.PropertyPermission "remoting.stream.host",
"read";
permission java.util.PropertyPermission "remoting.stream.port",
"read";
- permission java.util.PropertyPermission
"org.jboss.security.ignoreHttpsHost" , "read";
- permission java.util.PropertyPermission
"tomcat.util.buf.StringCache.byte.enabled", "read";
-
- // Tomcat native - TODO - this should be in a privileged block in jbossnative
+ permission java.util.PropertyPermission "remoting.stream.transport",
"read";
+ permission java.util.PropertyPermission "tomcat.util.buf.StringCache.*",
"read";
+
+/////////////////////////////////////////////////////////////////////////////////////////////
+// Tomcat native - TODO - this should be in a privileged block in jbossnative
+
permission java.lang.RuntimePermission "loadLibrary.tcnative-1";
permission java.lang.RuntimePermission "loadLibrary.libtcnative-1";
permission java.util.PropertyPermission "java.library.path",
"read";
- // Permission to read the test keystore
- permission java.io.FilePermission "${build.home}/output/tests/classes/-",
"read";
+/////////////////////////////////////////////////////////////////////////////////////////////
+// File permissions
+
permission java.io.FilePermission "${build.home}", "read";
permission java.io.FilePermission "${build.home}/jboss.identity",
"read";
+ permission java.io.FilePermission "${build.home}", "read";
permission java.io.FilePermission "-", "read";
+ permission java.io.FilePermission "-", "delete"; // Used by
org.jboss.remotinng.callback.CallbackStore: configurable.
- // Permission for org.jboss.remoting.ident.Identity to create
"jboss.identity" file. Could be extended.
- permission java.io.FilePermission "${build.home}", "write";
+ // Permission for org.jboss.remoting.ident.Identity to create and read
"jboss.identity" file. Could be extended.
+ permission java.io.FilePermission "-", "read, write";
- // Used by org.jboss.util.propertyeditor.PropertyEditors.mapJavaBeanProperties(),
though still a Remoting permission I think
+/////////////////////////////////////////////////////////////////////////////////////////////
+// Used by org.jboss.util.propertyeditor.PropertyEditors.mapJavaBeanProperties(), though
still a Remoting permission I think
+
permission java.lang.RuntimePermission
"accessClassInPackage.sun.beans.editors";
permission java.lang.RuntimePermission
"accessClassInPackage.sun.net.www.protocol.http";
- // TODO - JBoss Serialization SHOULD be doing these operations in a privileged block
- JBSER-105
+/////////////////////////////////////////////////////////////////////////////////////////////
+// TODO - JBoss Serialization SHOULD be doing these operations in a privileged block -
JBSER-105
+
permission java.lang.RuntimePermission "accessDeclaredMembers";
permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
permission java.lang.RuntimePermission "accessClassInPackage.sun.reflect";
@@ -88,7 +146,9 @@
permission java.lang.RuntimePermission "accessClassInPackage.sun.misc";
permission java.io.SerializablePermission "enableSubstitution"; // <-
this one is a "maybe" :-)
- // TODO - We should use a version of JBoss logging + log4j that does this stuff in
privileged blocks
+/////////////////////////////////////////////////////////////////////////////////////////////
+// TODO - We should use a version of JBoss logging + log4j that does this stuff in
privileged blocks
+
permission java.util.PropertyPermission
"org.jboss.logging.Logger.pluginClass", "read";
permission java.io.FilePermission "${build.home}/src/etc/log4j.properties",
"read";
permission java.util.PropertyPermission "log4j.defaultInitOverride",
"read";
@@ -110,30 +170,53 @@
permission java.io.FilePermission "${build.home}/output/classes/-",
"read";
};
-grant codeBase "file:${build.home}/lib/-" {
+
+//******************************************************************
+//**** Permissions for third party libraries ****
+//******************************************************************
+grant codeBase "file:${build.home}/lib/-"
+{
permission java.security.AllPermission;
};
-grant codeBase "file:${build.home}/src/etc/-" {
- permission java.security.AllPermission;
+//grant codeBase "file:${build.home}/src/etc/-" {
+// permission java.security.AllPermission;
+//};
+
+//******************************************************************
+//**** Permissions needed by Remoting to run the test suite ****
+//******************************************************************
+grant codeBase "file:${build.home}/output/classes/-"
+{
+ // Permission to read the test keystore
+ permission java.io.FilePermission "${build.home}/output/tests/classes/-",
"read";
};
-grant codeBase "file:${build.home}/output/tests/classes/-" {
+//***************************************************
+//**** Permissions used by the test suite ****
+//***************************************************
+grant codeBase "file:${build.home}/output/tests/classes/-"
+{
// Used by the test suite itself
permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
permission javax.management.MBeanServerPermission "createMBeanServer,
findMBeanServer";
+ permission javax.management.MBeanServerPermission "*";
permission javax.management.MBeanTrustPermission "register";
- permission javax.management.MBeanPermission
"org.jboss.remoting.ServerInvoker#-[jboss.remoting:service=invoker,*]",
"unregisterMBean, registerMBean, queryMBeans, isInstanceOf";
+ permission javax.management.MBeanPermission
"org.jboss.remoting.transport.*#-[jboss.remoting:service=invoker,*]",
"unregisterMBean, registerMBean, queryMBeans, isInstanceOf";
permission javax.management.MBeanPermission
"org.jboss.remoting.transport.Connector#-[jboss.remoting:type=Connector,*]",
"registerMBean, unregisterMBean, queryMBeans, isInstanceOf";
permission javax.management.MBeanPermission
"org.jboss.remoting.transport.Connector#-[test:type=connector]",
"registerMBean";
permission javax.management.MBeanPermission
"org.jboss.test.remoting.detection.metadata.MetadataTestCase$TestNetworkRegistry#-[remoting:type=NetworkRegistry]",
"registerMBean, unregisterMBean, queryMBeans, isInstanceOf,
addNotificationListener";
- permission javax.management.MBeanPermission
"org.jboss.remoting.network.NetworkRegistry#-[remoting:type=NetworkRegistry]",
"registerMBean, unregisterMBean, queryMBeans, isInstanceOf";
- permission javax.management.MBeanPermission
"org.jboss.remoting.detection.multicast.MulticastDetector#-[remoting:type=JNDIDetector]",
"registerMBean, queryMBeans, isInstanceOf";
- permission javax.management.MBeanPermission
"org.jboss.remoting.detection.multicast.MulticastDetector#-[remoting:type=MulticastDetector]",
"registerMBean, unregisterMBean, queryMBeans, isInstanceOf";
+ permission javax.management.MBeanPermission
"org.jboss.remoting.network.NetworkRegistry#-[remoting:type=NetworkRegistry]",
"registerMBean, unregisterMBean, queryMBeans, isInstanceOf,
addNotificationListener";
+// permission javax.management.MBeanPermission
"org.jboss.remoting.detection.multicast.MulticastDetector#-[remoting:type=JNDIDetector]",
"registerMBean, queryMBeans, isInstanceOf";
+ permission javax.management.MBeanPermission
"org.jboss.remoting.detection.multicast.MulticastDetector#-[remoting:*]",
"registerMBean, unregisterMBean, queryMBeans, isInstanceOf";
permission javax.management.MBeanPermission
"org.jboss.remoting.security.SSLServerSocketFactoryService#-[jboss:type=serversocketfactory]",
"registerMBean, queryMBeans, isInstanceOf";
permission javax.management.MBeanPermission
"org.jboss.test.remoting.transport.config.FactoryConfigTestCaseParent$SelfIdentifyingServerSocketFactory#-[jboss:type=serversocketfactory]",
"registerMBean, queryMBeans, isInstanceOf";
permission javax.management.MBeanPermission
"org.jboss.remoting.security.SSLServerSocketFactoryService#-[jboss:type=serversocketfactory2]",
"registerMBean";
-
+ permission javax.management.MBeanPermission
"org.jboss.remoting.security.SSLServerSocketFactoryService#createServerSocket[jboss:*]",
"invoke";
+ permission javax.management.MBeanPermission
"org.jboss.test.remoting.transport.rmi.ssl.config.FactoryConfigTestCase$SerializableServerSocketFactory#-[jboss:type=serversocketfactory]",
"registerMBean";
+ permission javax.management.MBeanPermission
"org.jboss.test.remoting.transport.rmi.ssl.config.FactoryConfigTestCase$SerializableServerSocketFactory#-[jboss:type=serversocketfactory2]",
"registerMBean";
+ permission javax.management.MBeanPermission
"org.jboss.remoting.transport.socket.SocketServerInvoker#Configuration[jboss.remoting:service=invoker,*]",
"getAttribute";
+
permission java.lang.RuntimePermission "enableContextClassLoaderOverride";
permission java.lang.RuntimePermission "createClassLoader";
permission java.lang.RuntimePermission "getClassLoader";
@@ -157,6 +240,8 @@
permission java.io.SerializablePermission "enableSubclassImplementation";
permission java.lang.RuntimePermission "accessClassInPackage.sun.misc";
permission java.io.SerializablePermission "enableSubstitution"; // <-
this one is a "maybe" :-)
+
+ permission java.util.PropertyPermission "loader.path", "read";
// TESTING ONLY - Use with the LoggingSecurityManager to locate needed permissions
for the above block
// permission java.security.AllPermission;
@@ -165,3 +250,8 @@
grant codeBase "file:${ant.library.dir}/-" {
permission java.security.AllPermission;
};
+
+grant
+{
+ permission java.security.SecurityPermission "getProperty.*";
+};
\ No newline at end of file
6601
days inactive
6601
days old
jboss-remoting-commits@lists.jboss.org
0 comments
1 participants
participants (1)
-
jboss-remoting-commits@lists.jboss.org