Author: ron.sigal(a)jboss.com
Date: 2008-05-17 15:15:50 -0400 (Sat, 17 May 2008)
New Revision: 4194
Modified:
remoting2/branches/2.x/src/etc/remoting.security.policy.core
Log:
JBREM-920, JBREM-978: Added some documentation; commented out and modified some
MBeanPermissions.
Modified: remoting2/branches/2.x/src/etc/remoting.security.policy.core
===================================================================
--- remoting2/branches/2.x/src/etc/remoting.security.policy.core 2008-05-17 02:47:01 UTC
(rev 4193)
+++ remoting2/branches/2.x/src/etc/remoting.security.policy.core 2008-05-17 19:15:50 UTC
(rev 4194)
@@ -31,7 +31,7 @@
//**** variation on the permissionslisted below, even if the calling code runs without
//**** these restrictions.
//****
-//**** There are two ways in which it may be necessary or desirable to modify the
+//**** There are a few ways in which it may be necessary or desirable to modify the
//**** the permissions listed below.
//****
//**** 1. It may be necessary to change the java.io.FilePermission permissions,
according
@@ -45,8 +45,11 @@
//**** org.jboss.test.remoting.security.*ProxyTestCase test classes in the
accompanying
//**** remoting.security.policy.tests file, which is used to run the Remoting test
suite
//****
-//**** 3. Some permission may be eliminated, according to which Remoting facilities are
used.
+//**** 3. Some facilities always use MBeans. The MBean permissions given below may be
+//**** restricted to particular ObjectNames.
//****
+//**** 4. Some permission may be eliminated, according to which Remoting facilities are
used.
+//****
//**** Other than changes made according to items 1 and 2, it should not be necessary
to grant
//**** any additional permissions.
//****
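Review bot: The closing sentence `Other than changes made according to items 1 and 2, it should not be necessary to grant any additional permissions` was left unchanged, yet this commit also adds commented-out MBeanPermission entries further down that are described as necessary when a Connector or ServerInvoker is configured with an MBean. Enabling those is an additional grant, so new item 3 should mention it and the sentence should read `items 1, 2 and 3`; as worded, item 3 only covers narrowing ObjectNames. Item 4 also keeps the singular `Some permission may be eliminated`, which should be `Some permissions`. The comment block starts and ends outside this hunk.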
@@ -89,27 +92,23 @@
// MBean permissions
// // Some variation of the following might be needed if Remoting gets an MBean in
place of an ordinary object.
-// permission javax.management.MBeanPermission "*#MBeanServer[*:*]",
"setAttribute";
-//
-// // For example, if a Connector is configured with MBean ServerInvocationHandler:
-// permission javax.management.MBeanPermission
"com.bluemonkey.ServerInvocationHandler#MBeanServer[*:*]",
"setAttribute";
-//
-// // Some variation of the following might be needed if Remoting gets an MBean in
place of an ordinary object.
-// //permission javax.management.MBeanPermission *#*[*:*]", "invoke,
registerMBean, unregisterMBean";
-//
-// // For example, if a Connector is configured with an MBean ServerSocketFactory:
-// //permission javax.management.MBeanPermission
"com.bluemonkey.ServerSocketFactory#createServerSocket[acme:type=serversocketfactory]",
"invoke";
+// // See below for examples.
+// permission javax.management.MBeanPermission "*#*[*:*]",
"getAttribute, setAttribute, invoke, registerMBean, unregisterMBean";
permission javax.management.MBeanTrustPermission "register";
- // Used by org.jboss.remoting.callback.ServerInvokerCallbackHandler
- permission javax.management.MBeanPermission "*#SSLSocketBuilder[*:*]",
"getAttribute";
- permission javax.management.MBeanPermission "*#-[*:*]",
"isInstanceOf";
+// // Some variation of the following is used by
org.jboss.remoting.callback.ServerInvokerCallbackHandler
+// // if it is configured with an MBean which is a ServerSocketFactory.
+// permission javax.management.MBeanPermission "*#SSLSocketBuilder[*:*]",
"getAttribute";
+
+// // Some variation of the following may be used by
org.jboss.remoting.callback.ServerInvokerCallbackHandler,
+// // if it is configured with an MBean which is a ServerSocketFactory.
+// permission javax.management.MBeanPermission "*#-[*:*]",
"isInstanceOf";
// Used by org.jboss.remoting.detection.AbstractDetector
- permission javax.management.MBeanPermission
"*#addServer[remoting:type=NetworkRegistry]", "invoke";
- permission javax.management.MBeanPermission
"*#updateServer[remoting:type=NetworkRegistry]", "invoke";
- permission javax.management.MBeanPermission
"*#removeServer[remoting:type=NetworkRegistry]", "invoke";
+ permission javax.management.MBeanPermission "*#addServer[*:*]",
"invoke";
+ permission javax.management.MBeanPermission "*#updateServer[*:*]",
"invoke";
+ permission javax.management.MBeanPermission "*#removeServer[*:*]",
"invoke";
permission javax.management.MBeanPermission "*#Servers[*:*]",
"getAttribute";
// Used by org.jboss.remoting.detection.util.DetectorUtil
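Review bot: The three AbstractDetector grants at the end of this hunk now match `[*:*]` instead of `[remoting:type=NetworkRegistry]`, so code under this policy may invoke `addServer`, `updateServer` and `removeServer` on any MBean that exposes operations with those names, not only the network registry. If the wildcard is there because the registry can be registered under other ObjectNames (the hunk does not say), record that and keep the narrow form as the recommended one, e.g. `// Restrict to the registry's ObjectName where it is known: "*#addServer[remoting:type=NetworkRegistry]"`. The commented-out `"*#*[*:*]"` entry with `getAttribute, setAttribute, invoke, registerMBean, unregisterMBean` covers every MBean class, member and ObjectName for those actions, so its comment should say it is a starting point to be narrowed rather than a grant to uncomment as is. The commented-out `"*#-[*:*]", "isInstanceOf"` entry duplicates a grant that the last hunk of this commit makes active, so it can be dropped. The enclosing grant block starts and ends outside the hunk.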
@@ -123,14 +122,26 @@
permission javax.management.MBeanPermission
"-#ServerDataDir[jboss.system:type=ServerConfig]", "getAttribute";
// Used by org.jboss.remoting.network.NetworkRegistryFinder
+ // (which is used by org.jboss.remoting.detection.AbstractDetector)
permission javax.management.MBeanPermission "*#-[*:*]",
"queryMBeans";
// Used by org.jboss.remoting.network.NetworkRegistryQuery
- permission javax.management.MBeanPermission
"org.jboss.remoting.network.NetworkRegistry#-[*:*]", "isInstanceOf";
-
+ // (which is used by org.jboss.remoting.network.NetworkRegistryFinder)
+ permission javax.management.MBeanPermission "*#-[*:*]",
"isInstanceOf";
+
// Used by org.jboss.remoting.transport.Connector
permission javax.management.MBeanPermission
"org.jboss.remoting.transport.*#-[jboss.remoting:service=invoker,*]",
"registerMBean, unregisterMBean";
-
+
+// // Some variation of the following would be necessary for
org.jboss.remoting.transport.Connector
+// // if it is configured to use an MBean as an
org.jboss.remoting.ServerInvocationHandler
+// permission javax.management.MBeanPermission "*#Invoker[*:*]",
"setAttribute";
+// permission javax.management.MBeanPermission "*#MBeanServer[*:*]",
"setAttribute";
+// permission javax.management.MBeanPermission "*#*[*:*]",
"invoke";
+
+// // Some variation of the following would be necessary for subclasses of
org.jboss.remoting.transport.ServerInvoker
+// // if they are configured with an MBean which is a ServerSocketFactory
+// permission javax.management.MBeanPermission "*#createServerSocket[*:*]",
"invoke";
+
// Used by org.jboss.remoting.transport.servlet.web.ServerInvokerServlet
permission javax.management.MBeanServerPermission "findMBeanServer";
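Review bot: The NetworkRegistryQuery grant changes from `org.jboss.remoting.network.NetworkRegistry#-[*:*]` to `*#-[*:*]` for `isInstanceOf` without saying why. Presumably the query has to test MBeans of arbitrary classes, in which case the class-restricted form could not have sufficed; a comment such as `// Class name must be "*": the query checks MBeans of any class to find the registry` would stop a later reader from narrowing it back or from copying the wildcard elsewhere. In the commented-out Connector example, `"*#*[*:*]", "invoke"` permits invoking any operation on any MBean; the example would be safer to copy if it named a placeholder class and ObjectName for the handler MBean, as the `com.bluemonkey...` examples removed earlier in this commit did. The enclosing grant block starts and ends outside the hunk.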