[jboss-cvs] JBossAS SVN: r103054 - branches/JBPAPP_5_0_1/main/src/bin.

jboss-cvs-commits at lists.jboss.org jboss-cvs-commits at lists.jboss.org
Fri Mar 26 13:10:56 EDT 2010


Author: anil.saldhana at jboss.com
Date: 2010-03-26 13:10:55 -0400 (Fri, 26 Mar 2010)
New Revision: 103054

Added:
   branches/JBPAPP_5_0_1/main/src/bin/server.policy.cert
Log:
JBPAPP-2163: server security manager policy to make use of signed jars

Added: branches/JBPAPP_5_0_1/main/src/bin/server.policy.cert
===================================================================
--- branches/JBPAPP_5_0_1/main/src/bin/server.policy.cert	                        (rev 0)
+++ branches/JBPAPP_5_0_1/main/src/bin/server.policy.cert	2010-03-26 17:10:55 UTC (rev 103054)
@@ -0,0 +1,64 @@
+// The Java2 security policy for EAP5 with signed jars
+// Install with -Djava.security.policy==server.policy.cert
+// and -Djboss.home.dir=path_to_jboss_distribution
+
+keystore "file:${java.home}/lib/security/cacerts";
+
+// ***************************************
+// Trusted core Java code
+//***************************************
+grant codeBase "file:${java.home}/lib/ext/-" {
+   permission java.security.AllPermission;
+};
+grant codeBase "file:${java.home}/lib/*" {
+   permission java.security.AllPermission;
+};
+// For java.home pointing to the JDK jre directory
+grant codeBase "file:${java.home}/../lib/*" {
+   permission java.security.AllPermission;
+};
+
+
+// ***************************************
+// Trusted core JBoss code
+//***************************************
+grant codeBase "file:${jboss.home.dir}/bin/run.jar" {
+   permission java.security.AllPermission;
+};
+
+grant signedBy "jboss" {
+   permission java.security.AllPermission;
+};
+
+grant codeBase "file:${jboss.server.home.dir}/deploy/quartz-ra.rar/-" {
+ permission java.security.AllPermission;
+};
+
+grant codeBase "file:${jboss.home.dir}/server/default/deploy/uuid-key-generator.sar/-" {
+   permission javax.management.MBeanTrustPermission "register";
+   permission javax.management.MBeanPermission "*", "getAttribute";
+   permission org.jboss.naming.JndiPermission "<<ALL BINDINGS>>","lookup,rebind,unbind";
+   permission java.lang.RuntimePermission "getClassLoader";
+};
+
+grant codeBase "file:${jboss.server.home.dir}/deploy/http-invoker.sar/invoker.war/-" {
+   permission javax.management.MBeanPermission "*", "addNotificationListener,getAttribute";
+   permission javax.management.MBeanServerPermission "findMBeanServer";
+   permission java.lang.RuntimePermission "getClassLoader";
+};
+
+
+//****************************************************************
+//  Default block of permissions
+// Minimal permissions are allowed to everyone else
+//****************************************************************
+grant {
+   permission java.io.FilePermission "${jboss.server.home.dir}/tmp/-", "read";
+   permission java.io.FilePermission "${jboss.home.dir}/common/lib/quartz.jar/org/quartz/quartz.properties", "read";
+   permission java.io.FilePermission "${jboss.home.dir}/common/lib/quartz.jar", "read";
+   permission java.io.FilePermission "${jboss.home.dir}/common/lib", "read";
+   permission org.jboss.naming.JndiPermission "<<ALL BINDINGS>>","lookup";
+   permission java.io.FilePermission "quartz.properties", "read";
+   permission java.util.PropertyPermission "*", "read";
+   permission java.lang.RuntimePermission "queuePrintJob";
+};
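Review bot: The grants for `bin/run.jar` and `deploy/quartz-ra.rar/-` still give `java.security.AllPermission` by codeBase alone, so in a policy meant to tie full trust to signed jars, whatever sits at those paths is fully trusted whether or not it is signed. If those archives are signed with the same key, the entries could require both conditions, e.g. `grant signedBy "jboss", codeBase "file:${jboss.server.home.dir}/deploy/quartz-ra.rar/-" {`. The header comment should also say that the `jboss` alias must be present in `${java.home}/lib/security/cacerts` and that `jboss.server.home.dir` must be defined, since the listed install flags set only `jboss.home.dir`; as far as I know the policy parser ignores a grant whose alias or property cannot be resolved, which would silently drop those permissions. The uuid-key-generator entry hard-codes `server/default` where the neighbouring entries use `${jboss.server.home.dir}`, so it would not match under another server profile. In the default block, `PropertyPermission "*", "read"` lets every deployment read all system properties, including any credentials passed with `-D`, so a narrower name pattern would be safer.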



