Author: jim.ma
Date: 2009-12-09 23:11:49 -0500 (Wed, 09 Dec 2009)
New Revision: 11248
Added:
stack/cxf/trunk/modules/testsuite/src/test/resources/securityMgr/client.policy
Removed:
stack/cxf/trunk/modules/testsuite/src/test/resources/securityMgr/jboss-5.1.0.GA/client.policy
Modified:
stack/cxf/trunk/modules/testsuite/src/test/resources/securityMgr/jboss-5.1.0.GA/server.policy
Log:
[JBWS-2692]:Minimize the granted permission in client and server policy
Added: stack/cxf/trunk/modules/testsuite/src/test/resources/securityMgr/client.policy
===================================================================
--- stack/cxf/trunk/modules/testsuite/src/test/resources/securityMgr/client.policy
(rev 0)
+++
stack/cxf/trunk/modules/testsuite/src/test/resources/securityMgr/client.policy 2009-12-10
04:11:49 UTC (rev 11248)
@@ -0,0 +1,71 @@
+// Permissions for jbossws cxf test suite
+
+// Trusted core Java code
+grant codeBase "file:${java.home}/lib/ext/-" {
+ permission java.security.AllPermission;
+};
+
+//for javac
+grant codeBase "file:${java.home}/../lib" {
+ permission java.security.AllPermission;
+};
+
+grant codeBase "file:${java.home}/lib/-" {
+ permission java.security.AllPermission;
+};
+
+
+grant {
+ //allow surefire to read compiled class in target dir, WSConsumerTestCase javac needs
execute permission
+ permission java.io.FilePermission "<<ALL FILES>>",
"execute,read";
+ permission java.util.PropertyPermission "*", "read,write";
+ permission java.util.logging.LoggingPermission "control";
+ //for test
+ permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
+ permission java.lang.RuntimePermission "accessDeclaredMembers";
+ permission java.net.SocketPermission "*", "connect,resolve";
+ permission java.lang.RuntimePermission "createClassLoader";
+ permission java.lang.RuntimePermission "setContextClassLoader";
+ permission java.lang.RuntimePermission
"org.jboss.security.getSecurityContext";
+ permission java.lang.RuntimePermission
"org.jboss.security.plugins.JBossSecurityContext.getSubjectInfo";
+ permission java.lang.RuntimePermission "setIO";
+ permission java.lang.RuntimePermission "setFactory";
+ permission java.lang.RuntimePermission "modifyThreadGroup";
+
+ permission java.lang.RuntimePermission
"org.jboss.security.SecurityAssociation.getPrincipalInfo";
+ permission java.lang.RuntimePermission
"org.jboss.security.plugins.JBossSecurityContext.setSubjectInfo";
+
+ permission org.jboss.metadata.spi.stack.MetaDataStackPermission "*";
+ permission java.lang.RuntimePermission
"org.jboss.security.setSecurityContext";
+ permission java.lang.RuntimePermission "createSecurityManager";
+ //AsymmetricBindingClientTestCase
+ permission java.security.SecurityPermission "insertProvider.BC";
+ permission java.security.SecurityPermission "putProviderProperty.BC";
+ permission java.lang.RuntimePermission "getClassLoader";
+
+ permission java.lang.RuntimePermission "accessClassInPackage.*";
+ permission java.io.SerializablePermission "enableSubstitution";
+ permission javax.xml.ws.WebServicePermission "publishEndpoint";
+ permission java.lang.RuntimePermission "getenv.*";
+
+ permission java.io.FilePermission "${java.home}/-", "execute";
+
+ permission java.io.FilePermission "${jboss.home}/bin/-",
"execute";
+
+ permission java.net.SocketPermission "*","accept,listen,resolve";
+ permission java.security.SecurityPermission "getPolicy";
+ permission java.security.SecurityPermission "getAccessControlContext";
+
+ permission java.io.FilePermission "${target.dir}/-",
"write,delete";
+
+ //WSConsumerTestCase
+ permission java.io.FilePermission "./-", "write,delete";
+ permission java.io.FilePermission "/tmp", "write,delete";
+ permission java.io.FilePermission "/tmp/-", "write,delete";
+ permission java.lang.RuntimePermission "shutdownHooks";
+ permission java.lang.RuntimePermission "getProtectionDomain";
+};
+
+
+
+
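Review bot: The unscoped `grant { ... }` block in the new client.policy still gives every code source `createClassLoader`, `suppressAccessChecks`, `createSecurityManager`, `setIO`, `setFactory` and `accessClassInPackage.*`, a combination that is close to `AllPermission` in practice, so the policy is less minimal than the log message suggests. Dropping the `file:${M2_REPO}/-` AllPermission grant is the real tightening, but the permissions apparently added to compensate (the `org.jboss.security.*` RuntimePermissions, `MetaDataStackPermission "*"`, `getAccessControlContext`, `/tmp`) went into the default grant, where the test classes get them too, rather than under a `codeBase` for the libraries that need them. I would move the powerful entries into scoped grants, for example `grant codeBase "file:${M2_REPO}/-" { permission java.lang.RuntimePermission "createClassLoader"; ... };`, and keep in the default block only what the test classes themselves need. Each remaining entry should carry a comment naming the test that requires it, as is already done with `//AsymmetricBindingClientTestCase` and `//WSConsumerTestCase`.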
Deleted:
stack/cxf/trunk/modules/testsuite/src/test/resources/securityMgr/jboss-5.1.0.GA/client.policy
===================================================================
---
stack/cxf/trunk/modules/testsuite/src/test/resources/securityMgr/jboss-5.1.0.GA/client.policy 2009-12-10
03:16:35 UTC (rev 11247)
+++
stack/cxf/trunk/modules/testsuite/src/test/resources/securityMgr/jboss-5.1.0.GA/client.policy 2009-12-10
04:11:49 UTC (rev 11248)
@@ -1,62 +0,0 @@
-// Permissions for jbossws cxf test suite
-
-// Trusted core Java code
-grant codeBase "file:${java.home}/lib/ext/-" {
- permission java.security.AllPermission;
-};
-
-//for javac
-grant codeBase "file:${java.home}/../lib" {
- permission java.security.AllPermission;
-};
-
-grant codeBase "file:${java.home}/lib/-" {
- permission java.security.AllPermission;
-};
-
-//trust all jars in m2_repo
-grant codeBase "file:${M2_REPO}/-" {
- permission java.security.AllPermission;
-};
-
-grant {
- //allow surefire to read compiled class in target dir, WSConsumerTestCase javac needs
execute permission
- permission java.io.FilePermission "<<ALL FILES>>", "execute,
read";
- permission java.util.PropertyPermission "*", "read,write";
- permission java.util.logging.LoggingPermission "control";
- //for test
- permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
- permission java.lang.RuntimePermission "accessDeclaredMembers";
- permission java.net.SocketPermission "*", "connect,resolve";
- permission java.lang.RuntimePermission "createClassLoader";
- permission java.lang.RuntimePermission "setContextClassLoader";
- //AsymmetricBindingClientTestCase
- permission java.security.SecurityPermission "insertProvider.BC";
- permission java.security.SecurityPermission "putProviderProperty.BC";
- permission java.lang.RuntimePermission "getClassLoader";
-
- permission java.lang.RuntimePermission "accessClassInPackage.*";
- permission java.io.SerializablePermission "enableSubstitution";
- permission javax.xml.ws.WebServicePermission "publishEndpoint";
- permission java.lang.RuntimePermission "getenv.*";
-
- permission java.io.FilePermission "${java.home}/-", "execute";
-
- permission java.io.FilePermission "${jboss.home}/bin/-",
"execute";
-
- permission java.net.SocketPermission "*","accept,listen,resolve";
- permission java.security.SecurityPermission "getPolicy";
-
- permission java.io.FilePermission "${target.dir}/-",
"write,delete";
-
- //WSConsumerTestCase
- permission java.io.FilePermission "./-", "write,delete";
-
- permission java.io.FilePermission "/tmp/-", "write,delete";
- permission java.lang.RuntimePermission "shutdownHooks";
- permission java.lang.RuntimePermission "getProtectionDomain";
-};
-
-
-
-
Modified:
stack/cxf/trunk/modules/testsuite/src/test/resources/securityMgr/jboss-5.1.0.GA/server.policy
===================================================================
---
stack/cxf/trunk/modules/testsuite/src/test/resources/securityMgr/jboss-5.1.0.GA/server.policy 2009-12-10
03:16:35 UTC (rev 11247)
+++
stack/cxf/trunk/modules/testsuite/src/test/resources/securityMgr/jboss-5.1.0.GA/server.policy 2009-12-10
04:11:49 UTC (rev 11248)
@@ -266,95 +266,7 @@
permission java.security.AllPermission;
};
-//***************************************************************
-// JBoss AS Test Suite Permissions (REAL URL Version)
-//***************************************************************
-// Permissions for the WarPermissionsUnitTestCase
-grant codeBase "file:${jboss.test.deploy.dir}/securitymgr/-" {
- permission java.util.PropertyPermission "*", "read";
- permission java.io.FilePermission "<<ALL FILES>>",
"read,write,delete";
- permission org.jboss.naming.JndiPermission "<<ALL
BINDINGS>>","lookup";
-};
-
-grant codeBase "file:${jboss.test.deploy.dir}/securitymgr/-" {
- permission java.util.PropertyPermission "*", "read";
- permission java.io.FilePermission "<<ALL FILES>>",
"read,write,delete";
-};
-
-grant codeBase "file:${jboss.test.deploy.dir}/jbosstest-web.ear/-" {
- permission org.jboss.naming.JndiPermission "<<ALL
BINDINGS>>","list,lookup";
- permission org.jboss.naming.JndiPermission "env","list";
- permission java.io.FilePermission "<<ALL FILES>>",
"read";
- permission java.lang.RuntimePermission "getClassLoader";
- permission java.lang.RuntimePermission "getProtectionDomain";
-};
-
-grant codeBase
"jar:file:${jboss.test.deploy.dir}/jbosstest-web.ear!/jbosstest-web.war" {
- permission org.jboss.naming.JndiPermission "<<ALL
BINDINGS>>","list,lookup";
- permission org.jboss.naming.JndiPermission "env","list";
- permission java.io.FilePermission "<<ALL FILES>>",
"read";
- permission java.lang.RuntimePermission "getClassLoader";
- permission java.lang.RuntimePermission "getProtectionDomain";
-};
-grant codeBase
"jar:file:${jboss.test.deploy.dir}/jbosstest-web.ear!/lib/util.jar" {
- permission java.lang.RuntimePermission "getClassLoader";
- permission java.lang.RuntimePermission "getProtectionDomain";
-};
-
-
-grant codeBase "file:${jboss.test.deploy.dir}/-" {
- permission org.jboss.naming.JndiPermission "<<ALL
BINDINGS>>","listBindings,lookup";
-};
-
-grant codeBase
"file:${jboss.test.deploy.dir}/class-loading.war/WEB-INF/classes/" {
- permission java.lang.RuntimePermission "getClassLoader";
- permission java.lang.RuntimePermission "getProtectionDomain";
- permission javax.management.MBeanPermission "*", "getMBeanInfo";
-};
-
-grant codeBase "file:${jboss.test.deploy.dir}/security-ejb3.jar" {
- permission java.lang.RuntimePermission "createClassLoader";
-};
-
-grant codeBase "jar:file:${jboss.test.deploy.dir}/security-ejb3.jar!/-" {
- permission java.security.AllPermission;
-};
-
-//***************************************************************
-// JBoss AS Test Suite Permissions (VFS URL Version)
-//***************************************************************
-
-// Permissions for the WarPermissionsUnitTestCase
-grant codeBase "vfszip:${jboss.test.deploy.dir}/securitymgr/-" {
- permission java.util.PropertyPermission "*", "read";
- permission java.io.FilePermission "<<ALL FILES>>",
"read,write,delete";
- permission org.jboss.naming.JndiPermission "<<ALL
BINDINGS>>","lookup";
-};
-
-grant codeBase "vfsfile:${jboss.test.deploy.dir}/securitymgr/-" {
- permission java.util.PropertyPermission "*", "read";
- permission java.io.FilePermission "<<ALL FILES>>",
"read,write,delete";
-};
-
-grant codeBase "vfszip:${jboss.test.deploy.dir}/jbosstest-web.ear/-" {
- permission org.jboss.naming.JndiPermission "<<ALL
BINDINGS>>","list,lookup";
- permission org.jboss.naming.JndiPermission "env","list";
- permission java.io.FilePermission "<<ALL FILES>>",
"read";
- permission java.lang.RuntimePermission "getClassLoader";
- permission java.lang.RuntimePermission "getProtectionDomain";
-};
-
-grant codeBase "vfszip:${jboss.test.deploy.dir}/-" {
- permission org.jboss.naming.JndiPermission "<<ALL
BINDINGS>>","listBindings,lookup";
-};
-
-grant codeBase
"vfszip:${jboss.test.deploy.dir}/class-loading.war/WEB-INF/classes/" {
- permission java.lang.RuntimePermission "getClassLoader";
- permission java.lang.RuntimePermission "getProtectionDomain";
- permission javax.management.MBeanPermission "*", "getMBeanInfo";
-};
-
grant codeBase "vfsmemory://*" {
permission java.security.AllPermission;
};
@@ -411,16 +323,20 @@
permission javax.security.auth.AuthPermission "createLoginContext.*";
permission javax.security.auth.AuthPermission "getLoginConfiguration";
- //TODO: use codeBase permission
//admin-console
permission java.lang.RuntimePermission "getClassLoader";
- permission org.jboss.naming.JndiPermission "rebind";
+ permission org.jboss.naming.JndiPermission "<<ALL
BINDINGS>>","rebind,createSubcontext";
permission java.util.logging.LoggingPermission "control";
+ permission javax.management.MBeanPermission
"javax.management.MBeanServerDelegate#-[JMImplementation:type=MBeanServerDelegate]",
"addNotificationListener";
+
// for
org.jboss.test.ws.jaxws.cxf.webserviceref.WebServiceRefServletTestCase.testServletClient()
permission java.io.FilePermission "<<ALL FILES>>",
"read";
+
+ //CXF annotation vistor uses reflection to process annotation
permission java.lang.RuntimePermission "accessDeclaredMembers";
permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
+
// for frameworktest org.jboss.test.ws.jaxws.smoke.tools.WSRunClientTestCase.test()
permission java.lang.RuntimePermission
"org.jboss.security.plugins.JBossSecurityContext.getData";