Posted to user@geronimo.apache.org by Cristian Roldan <ro...@yahoo.com.ar> on 2006/02/10 15:46:45 UTC

Security Policy

Hi All,
          I enabled the Security Manager with these parameters "-Djava.security.manager -Djava.security.policy=geronimo.policy",
everything works ok, but the only problem that I saw was with the application identification (number): if you deploy
an application, Geronimo creates a directory config-store/[NUMBER], and you must use this number in the policy file. After a while
you undeploy and deploy a new version of that application; in this case you obtain a new number, so you must change the policy file.
I think that using a [number] as a deployment directory is not the best solution from the administration perspective.
I'm sorry, I am just giving an opinion from the administration point of view; maybe there is a design/performance reason that I can't see.

   
  // --------------------------------------------------------------------------------------
// Permissions for Geronimo V.1.0
// --------------------------------------------------------------------------------------
  // Geronimo gets all permissions.
  // The trailing "/-" in a codeBase matches every class and JAR file under the
  // directory, recursively, so anything that can be written into lib/ or
  // repository/ runs with AllPermission. Filesystem write access to these two
  // trees is therefore equivalent to full control of the JVM and should be
  // limited to the server administrator.
grant codeBase "file:${org.apache.geronimo.base.dir}/lib/-" {
  permission java.security.AllPermission;
};
  grant codeBase "file:${org.apache.geronimo.base.dir}/repository/-" {
  permission java.security.AllPermission;
};
  //----------------------------------------------------------------------
// From here I set the minimum permissions for my applications.
// You must change "23" to your application number; this number is created
// during the deployment phase.
// Per the author's observation, a redeploy assigns a new number, so this entry
// stops matching the application until it is updated; remove the stale entry
// at the same time.
// "accessClassInPackage.*" is a wildcard: it covers every package name checked
// through this permission, including packages restricted by the JVM's
// package.access security property. Where possible, list the specific packages
// the application needs instead.
// NOTE(review): with "-Djava.security.policy=" (single "=") this file is read in
// addition to the policy files named in java.security, so the application may
// also receive grants from those files -- confirm, or use "==" to make this
// file the only policy.
//----------------------------------------------------------------------
  grant codeBase "file:${org.apache.geronimo.base.dir}/config-store/23/-" {
  permission java.lang.RuntimePermission "accessClassInPackage.*";
};
  // ---------------------------------------------------------------------
  // Every other config-store directory listed here (1-22 and 24-35) gets
  // AllPermission. These grants are keyed on the deployment number, not on what
  // is deployed: whatever ends up in one of these directories runs fully
  // privileged.
  // NOTE(review): if a number can be reused, or an application is deployed into
  // one of these slots, it inherits AllPermission -- confirm how numbers are
  // allocated and re-check this list after every deploy/undeploy.
  grant codeBase "file:${org.apache.geronimo.base.dir}/config-store/1/-" {
  permission java.security.AllPermission;
};
grant codeBase "file:${org.apache.geronimo.base.dir}/config-store/2/-" {
  permission java.security.AllPermission;
};
grant codeBase "file:${org.apache.geronimo.base.dir}/config-store/3/-" {
  permission java.security.AllPermission;
};
grant codeBase "file:${org.apache.geronimo.base.dir}/config-store/4/-" {
  permission java.security.AllPermission;
};
grant codeBase "file:${org.apache.geronimo.base.dir}/config-store/5/-" {
  permission java.security.AllPermission;
};
grant codeBase "file:${org.apache.geronimo.base.dir}/config-store/6/-" {
  permission java.security.AllPermission;
};
grant codeBase "file:${org.apache.geronimo.base.dir}/config-store/7/-" {
  permission java.security.AllPermission;
};
grant codeBase "file:${org.apache.geronimo.base.dir}/config-store/8/-" {
  permission java.security.AllPermission;
};
grant codeBase "file:${org.apache.geronimo.base.dir}/config-store/9/-" {
  permission java.security.AllPermission;
};
grant codeBase "file:${org.apache.geronimo.base.dir}/config-store/10/-" {
  permission java.security.AllPermission;
};
grant codeBase "file:${org.apache.geronimo.base.dir}/config-store/11/-" {
  permission java.security.AllPermission;
};
grant codeBase "file:${org.apache.geronimo.base.dir}/config-store/12/-" {
  permission java.security.AllPermission;
};
grant codeBase "file:${org.apache.geronimo.base.dir}/config-store/13/-" {
  permission java.security.AllPermission;
};
grant codeBase "file:${org.apache.geronimo.base.dir}/config-store/14/-" {
  permission java.security.AllPermission;
};
grant codeBase "file:${org.apache.geronimo.base.dir}/config-store/15/-" {
  permission java.security.AllPermission;
};
grant codeBase "file:${org.apache.geronimo.base.dir}/config-store/16/-" {
  permission java.security.AllPermission;
};
grant codeBase "file:${org.apache.geronimo.base.dir}/config-store/17/-" {
  permission java.security.AllPermission;
};
grant codeBase "file:${org.apache.geronimo.base.dir}/config-store/18/-" {
  permission java.security.AllPermission;
};
grant codeBase "file:${org.apache.geronimo.base.dir}/config-store/19/-" {
  permission java.security.AllPermission;
};
grant codeBase "file:${org.apache.geronimo.base.dir}/config-store/20/-" {
  permission java.security.AllPermission;
};
grant codeBase "file:${org.apache.geronimo.base.dir}/config-store/21/-" {
  permission java.security.AllPermission;
};
grant codeBase "file:${org.apache.geronimo.base.dir}/config-store/22/-" {
  permission java.security.AllPermission;
};
grant codeBase "file:${org.apache.geronimo.base.dir}/config-store/24/-" {
  permission java.security.AllPermission;
};
grant codeBase "file:${org.apache.geronimo.base.dir}/config-store/25/-" {
  permission java.security.AllPermission;
};
grant codeBase "file:${org.apache.geronimo.base.dir}/config-store/26/-" {
  permission java.security.AllPermission;
};
grant codeBase "file:${org.apache.geronimo.base.dir}/config-store/27/-" {
  permission java.security.AllPermission;
};
grant codeBase "file:${org.apache.geronimo.base.dir}/config-store/28/-" {
  permission java.security.AllPermission;
};
grant codeBase "file:${org.apache.geronimo.base.dir}/config-store/29/-" {
  permission java.security.AllPermission;
};
grant codeBase "file:${org.apache.geronimo.base.dir}/config-store/30/-" {
  permission java.security.AllPermission;
};
grant codeBase "file:${org.apache.geronimo.base.dir}/config-store/31/-" {
  permission java.security.AllPermission;
};
grant codeBase "file:${org.apache.geronimo.base.dir}/config-store/32/-" {
  permission java.security.AllPermission;
};
grant codeBase "file:${org.apache.geronimo.base.dir}/config-store/33/-" {
  permission java.security.AllPermission;
};
grant codeBase "file:${org.apache.geronimo.base.dir}/config-store/34/-" {
  permission java.security.AllPermission;
};
grant codeBase "file:${org.apache.geronimo.base.dir}/config-store/35/-" {
  permission java.security.AllPermission;
};
  
 

		

Re: Security Policy

Posted by David Jencks <da...@yahoo.com>.
I have no experience actually working with these grants etc but I  
think we should look into making a default policy that knows about  
and relates to the repository structure we use.  Would it make sense  
to add permissions to configurations?

thanks
david jencks

On Feb 13, 2006, at 2:38 AM, John Sisson wrote:

> If one requires fine grained security for applications /  
> configurations that are deployed.  E.G. what files they can access,  
> what ports they can listen on etc.
>
> Some large enterprise sites may run under a security manager due to  
> high security requirements, but running under a security manager  
> incurs an overhead.
>
> FYI.. In section "1.4 Requirements" of the JACC spec it states in  
> point 9 that the container must execute in an environment  
> controlled by a J2SE security manager.
>
> The issue that Cristian raised needs to be discussed.  A concern I  
> have is that if we used names instead of numbers then we will most  
> likely run into the Windows file path length (on JDK 1.4.2) issue  
> discussed in the mail thread http://www.mail-archive.com/ 
> dev@geronimo.apache.org/msg15501.html
>
> Regards,
>
> John
>
> Vamsavardhana Reddy wrote:
>> When does one require to run the server under a Security Manager?
>>
>> Thanks,
>> Vamsi
>>
>> On 2/11/06, *Matt Hogstrom* <matt@hogstrom.org  
>> <ma...@hogstrom.org>> wrote:
>>
>>     Cristian,
>>
>>     No apologies.  This is good feedback as I think we can use as  
>> much
>>     administrative feedback as possible.
>>
>>     Cristian Roldan wrote:
>>     > Hi All,
>>     >           I  enabled the Security Manager with these parameters
>>     "-Djava.security.manager -Djava.security.policy=geronimo.policy",
>>     > everything works ok, but the only problem that  I saw was with
>>     the Application identification (number) , if you deploy
>>     > an application, Generimo creates a directory
>>     config-store/[NUMBER], you must use this number in the policy
>>     file, after a while
>>     > you undeploy and deploy a new version of that application in
>>     this case you obtain a new number, so you must change the  
>> policy file.
>>     > I think that using a [number] as a deployment directory is not
>>     the best solution from the administration perspective.
>>     > I'm sorry I just give an opinion from the administration point
>>     of view maybe there is a design/performace reason that I can't  
>> see.
>>     >
>>     >
>>     >   //
>>      
>> --------------------------------------------------------------------- 
>> -----------------
>>     > // Permissions for Geronimo V.1.0
>>     > //
>>      
>> --------------------------------------------------------------------- 
>> -----------------
>>     >   // Geronimo gets all permissions
>>     > grant codeBase "file:${org.apache.geronimo.base.dir}/lib/-" {
>>     >   permission java.security.AllPermission;
>>     > };
>>     >   grant codeBase
>>     "file:${org.apache.geronimo.base.dir}/repository/-" {
>>     >   permission java.security.AllPermission;
>>     > };
>>      
>> >      //------------------------------------------------------------ 
>> ----------
>>
>>     > // From here I set the minimun permissions for my Applications
>>     > // You must change "23" for you Application number, this number
>>     is created
>>     > // during deployment phase.
>>     >
>>     //--------------------------------------------------------------- 
>> -------
>>
>>     >   grant codeBase
>>     "file:${org.apache.geronimo.base.dir}/config-store/23/-" {
>>     >   permission java.lang.RuntimePermission  
>> "accessClassInPackage.*";
>>     > };
>>     >   //
>>      
>> ---------------------------------------------------------------------
>>     >   grant codeBase
>>     "file:${org.apache.geronimo.base.dir}/config-store/1/-" {
>>     >   permission java.security.AllPermission;
>>     > };
>>     > grant codeBase
>>     "file:${org.apache.geronimo.base.dir}/config-store/2/-" {
>>     >   permission java.security.AllPermission;
>>     > };
>>     > grant codeBase
>>     "file:${org.apache.geronimo.base.dir}/config-store/3/-" {
>>     >   permission java.security.AllPermission;
>>     > };
>>     > grant codeBase "file:${
>>     org.apache.geronimo.base.dir}/config-store/4/-" {
>>     >   permission java.security.AllPermission;
>>     > };
>>     > grant codeBase
>>     "file:${org.apache.geronimo.base.dir}/config-store/5/-" {
>>     >   permission java.security.AllPermission;
>>     > };
>>     > grant codeBase
>>     "file:${org.apache.geronimo.base.dir}/config-store/6/-" {
>>     >   permission java.security.AllPermission;
>>     > };
>>     > grant codeBase "file:${
>>     org.apache.geronimo.base.dir}/config-store/7/-" {
>>     >   permission java.security.AllPermission;
>>     > };
>>     > grant codeBase
>>     "file:${org.apache.geronimo.base.dir}/config-store/8/-" {
>>     >   permission java.security.AllPermission;
>>     > };
>>     > grant codeBase
>>     "file:${org.apache.geronimo.base.dir}/config-store/9/-" {
>>     >   permission java.security.AllPermission;
>>     > };
>>     > grant codeBase "file:${
>>     org.apache.geronimo.base.dir}/config-store/10/-" {
>>     >   permission java.security.AllPermission;
>>     > };
>>     > grant codeBase
>>     "file:${org.apache.geronimo.base.dir}/config-store/11/-" {
>>     >   permission java.security.AllPermission;
>>     > };
>>     > grant codeBase
>>     "file:${org.apache.geronimo.base.dir}/config-store/12/-" {
>>     >   permission java.security.AllPermission;
>>     > };
>>     > grant codeBase "file:${
>>     org.apache.geronimo.base.dir}/config-store/13/-" {
>>     >   permission java.security.AllPermission;
>>     > };
>>     > grant codeBase
>>     "file:${org.apache.geronimo.base.dir}/config-store/14/-" {
>>     >   permission java.security.AllPermission;
>>     > };
>>     > grant codeBase
>>     "file:${org.apache.geronimo.base.dir}/config-store/15/-" {
>>     >   permission java.security.AllPermission;
>>     > };
>>     > grant codeBase "file:${
>>     org.apache.geronimo.base.dir}/config-store/16/-" {
>>     >   permission java.security.AllPermission;
>>     > };
>>     > grant codeBase
>>     "file:${org.apache.geronimo.base.dir}/config-store/17/-" {
>>     >   permission java.security.AllPermission;
>>     > };
>>     > grant codeBase
>>     "file:${org.apache.geronimo.base.dir}/config-store/18/-" {
>>     >   permission java.security.AllPermission;
>>     > };
>>     > grant codeBase "file:${
>>     org.apache.geronimo.base.dir}/config-store/19/-" {
>>     >   permission java.security.AllPermission;
>>     > };
>>     > grant codeBase
>>     "file:${org.apache.geronimo.base.dir}/config-store/20/-" {
>>     >   permission java.security.AllPermission;
>>     > };
>>     > grant codeBase
>>     "file:${org.apache.geronimo.base.dir}/config-store/21/-" {
>>     >   permission java.security.AllPermission;
>>     > };
>>     > grant codeBase "file:${
>>     org.apache.geronimo.base.dir}/config-store/22/-" {
>>     >   permission java.security.AllPermission;
>>     > };
>>     > grant codeBase
>>     "file:${org.apache.geronimo.base.dir}/config-store/24/-" {
>>     >   permission java.security.AllPermission;
>>     > };
>>     > grant codeBase
>>     "file:${org.apache.geronimo.base.dir}/config-store/25/-" {
>>     >   permission java.security.AllPermission;
>>     > };
>>     > grant codeBase "file:${
>>     org.apache.geronimo.base.dir}/config-store/26/-" {
>>     >   permission java.security.AllPermission;
>>     > };
>>     > grant codeBase
>>     "file:${org.apache.geronimo.base.dir}/config-store/27/-" {
>>     >   permission java.security.AllPermission;
>>     > };
>>     > grant codeBase
>>     "file:${org.apache.geronimo.base.dir}/config-store/28/-" {
>>     >   permission java.security.AllPermission;
>>     > };
>>     > grant codeBase "file:${
>>     org.apache.geronimo.base.dir}/config-store/29/-" {
>>     >   permission java.security.AllPermission;
>>     > };
>>     > grant codeBase
>>     "file:${org.apache.geronimo.base.dir}/config-store/30/-" {
>>     >   permission java.security.AllPermission;
>>     > };
>>     > grant codeBase
>>     "file:${org.apache.geronimo.base.dir}/config-store/31/-" {
>>     >   permission java.security.AllPermission;
>>     > };
>>     > grant codeBase "file:${
>>     org.apache.geronimo.base.dir}/config-store/32/-" {
>>     >   permission java.security.AllPermission;
>>     > };
>>     > grant codeBase
>>     "file:${org.apache.geronimo.base.dir}/config-store/33/-" {
>>     >   permission java.security.AllPermission;
>>     > };
>>     > grant codeBase
>>     "file:${org.apache.geronimo.base.dir}/config-store/34/-" {
>>     >   permission java.security.AllPermission;
>>     > };
>>     > grant codeBase "file:${
>>     org.apache.geronimo.base.dir}/config-store/35/-" {
>>     >   permission java.security.AllPermission;
>>     > };
>>     >
>>     >
>>     >
>>     >
>>     > ---------------------------------
>>     >  1GB gratis, Antivirus y Antispam
>>     >  Correo Yahoo!, el mejor correo web del mundo
>>     >  Abrí tu cuenta aquí
>>
>>
>


Re: Security Policy

Posted by John Sisson <jr...@gmail.com>.
A security manager is required if one needs fine-grained security for the 
applications / configurations that are deployed, e.g. what files they can 
access, what ports they can listen on, etc.

Some large enterprise sites may run under a security manager due to high 
security requirements, but running under a security manager incurs an 
overhead.

FYI.. In section "1.4 Requirements" of the JACC spec it states in point 
9 that the container must execute in an environment controlled by a J2SE 
security manager.

The issue that Cristian raised needs to be discussed.  A concern I have 
is that if we used names instead of numbers then we will most likely run 
into the Windows file path length (on JDK 1.4.2) issue discussed in the 
mail thread 
http://www.mail-archive.com/dev@geronimo.apache.org/msg15501.html

Regards,

John

Vamsavardhana Reddy wrote:
> When does one require to run the server under a Security Manager?
>
> Thanks,
> Vamsi
>
> On 2/11/06, *Matt Hogstrom* <matt@hogstrom.org 
> <ma...@hogstrom.org>> wrote:
>
>     Cristian,
>
>     No apologies.  This is good feedback as I think we can use as much
>     administrative feedback as possible.
>
>     Cristian Roldan wrote:
>     > Hi All,
>     >           I  enabled the Security Manager with these parameters
>     "-Djava.security.manager -Djava.security.policy=geronimo.policy",
>     > everything works ok, but the only problem that  I saw was with
>     the Application identification (number) , if you deploy
>     > an application, Generimo creates a directory
>     config-store/[NUMBER], you must use this number in the policy
>     file, after a while
>     > you undeploy and deploy a new version of that application in
>     this case you obtain a new number, so you must change the policy file.
>     > I think that using a [number] as a deployment directory is not
>     the best solution from the administration perspective.
>     > I'm sorry I just give an opinion from the administration point
>     of view maybe there is a design/performace reason that I can't see.
>     >
>     >
>     >   //
>     --------------------------------------------------------------------------------------
>     > // Permissions for Geronimo V.1.0
>     > //
>     --------------------------------------------------------------------------------------
>     >   // Geronimo gets all permissions
>     > grant codeBase "file:${org.apache.geronimo.base.dir}/lib/-" {
>     >   permission java.security.AllPermission;
>     > };
>     >   grant codeBase
>     "file:${org.apache.geronimo.base.dir}/repository/-" {
>     >   permission java.security.AllPermission;
>     > };
>     >  
>     //----------------------------------------------------------------------
>
>     > // From here I set the minimun permissions for my Applications
>     > // You must change "23" for you Application number, this number
>     is created
>     > // during deployment phase.
>     >
>     //----------------------------------------------------------------------
>
>     >   grant codeBase
>     "file:${org.apache.geronimo.base.dir}/config-store/23/-" {
>     >   permission java.lang.RuntimePermission "accessClassInPackage.*";
>     > };
>     >   //
>     ---------------------------------------------------------------------
>     >   grant codeBase
>     "file:${org.apache.geronimo.base.dir}/config-store/1/-" {
>     >   permission java.security.AllPermission;
>     > };
>     > grant codeBase
>     "file:${org.apache.geronimo.base.dir}/config-store/2/-" {
>     >   permission java.security.AllPermission;
>     > };
>     > grant codeBase
>     "file:${org.apache.geronimo.base.dir}/config-store/3/-" {
>     >   permission java.security.AllPermission;
>     > };
>     > grant codeBase "file:${
>     org.apache.geronimo.base.dir}/config-store/4/-" {
>     >   permission java.security.AllPermission;
>     > };
>     > grant codeBase
>     "file:${org.apache.geronimo.base.dir}/config-store/5/-" {
>     >   permission java.security.AllPermission;
>     > };
>     > grant codeBase
>     "file:${org.apache.geronimo.base.dir}/config-store/6/-" {
>     >   permission java.security.AllPermission;
>     > };
>     > grant codeBase "file:${
>     org.apache.geronimo.base.dir}/config-store/7/-" {
>     >   permission java.security.AllPermission;
>     > };
>     > grant codeBase
>     "file:${org.apache.geronimo.base.dir}/config-store/8/-" {
>     >   permission java.security.AllPermission;
>     > };
>     > grant codeBase
>     "file:${org.apache.geronimo.base.dir}/config-store/9/-" {
>     >   permission java.security.AllPermission;
>     > };
>     > grant codeBase "file:${
>     org.apache.geronimo.base.dir}/config-store/10/-" {
>     >   permission java.security.AllPermission;
>     > };
>     > grant codeBase
>     "file:${org.apache.geronimo.base.dir}/config-store/11/-" {
>     >   permission java.security.AllPermission;
>     > };
>     > grant codeBase
>     "file:${org.apache.geronimo.base.dir}/config-store/12/-" {
>     >   permission java.security.AllPermission;
>     > };
>     > grant codeBase "file:${
>     org.apache.geronimo.base.dir}/config-store/13/-" {
>     >   permission java.security.AllPermission;
>     > };
>     > grant codeBase
>     "file:${org.apache.geronimo.base.dir}/config-store/14/-" {
>     >   permission java.security.AllPermission;
>     > };
>     > grant codeBase
>     "file:${org.apache.geronimo.base.dir}/config-store/15/-" {
>     >   permission java.security.AllPermission;
>     > };
>     > grant codeBase "file:${
>     org.apache.geronimo.base.dir}/config-store/16/-" {
>     >   permission java.security.AllPermission;
>     > };
>     > grant codeBase
>     "file:${org.apache.geronimo.base.dir}/config-store/17/-" {
>     >   permission java.security.AllPermission;
>     > };
>     > grant codeBase
>     "file:${org.apache.geronimo.base.dir}/config-store/18/-" {
>     >   permission java.security.AllPermission;
>     > };
>     > grant codeBase "file:${
>     org.apache.geronimo.base.dir}/config-store/19/-" {
>     >   permission java.security.AllPermission;
>     > };
>     > grant codeBase
>     "file:${org.apache.geronimo.base.dir}/config-store/20/-" {
>     >   permission java.security.AllPermission;
>     > };
>     > grant codeBase
>     "file:${org.apache.geronimo.base.dir}/config-store/21/-" {
>     >   permission java.security.AllPermission;
>     > };
>     > grant codeBase "file:${
>     org.apache.geronimo.base.dir}/config-store/22/-" {
>     >   permission java.security.AllPermission;
>     > };
>     > grant codeBase
>     "file:${org.apache.geronimo.base.dir}/config-store/24/-" {
>     >   permission java.security.AllPermission;
>     > };
>     > grant codeBase
>     "file:${org.apache.geronimo.base.dir}/config-store/25/-" {
>     >   permission java.security.AllPermission;
>     > };
>     > grant codeBase "file:${
>     org.apache.geronimo.base.dir}/config-store/26/-" {
>     >   permission java.security.AllPermission;
>     > };
>     > grant codeBase
>     "file:${org.apache.geronimo.base.dir}/config-store/27/-" {
>     >   permission java.security.AllPermission;
>     > };
>     > grant codeBase
>     "file:${org.apache.geronimo.base.dir}/config-store/28/-" {
>     >   permission java.security.AllPermission;
>     > };
>     > grant codeBase "file:${
>     org.apache.geronimo.base.dir}/config-store/29/-" {
>     >   permission java.security.AllPermission;
>     > };
>     > grant codeBase
>     "file:${org.apache.geronimo.base.dir}/config-store/30/-" {
>     >   permission java.security.AllPermission;
>     > };
>     > grant codeBase
>     "file:${org.apache.geronimo.base.dir}/config-store/31/-" {
>     >   permission java.security.AllPermission;
>     > };
>     > grant codeBase "file:${
>     org.apache.geronimo.base.dir}/config-store/32/-" {
>     >   permission java.security.AllPermission;
>     > };
>     > grant codeBase
>     "file:${org.apache.geronimo.base.dir}/config-store/33/-" {
>     >   permission java.security.AllPermission;
>     > };
>     > grant codeBase
>     "file:${org.apache.geronimo.base.dir}/config-store/34/-" {
>     >   permission java.security.AllPermission;
>     > };
>     > grant codeBase "file:${
>     org.apache.geronimo.base.dir}/config-store/35/-" {
>     >   permission java.security.AllPermission;
>     > };
>     >
>     >
>     >
>     >
>     > ---------------------------------
>     >  1GB gratis, Antivirus y Antispam
>     >  Correo Yahoo!, el mejor correo web del mundo
>     >  Abrí tu cuenta aquí
>
>


Re: Security Policy

Posted by Cristian Roldan <ro...@yahoo.com.ar>.
Do you want Application A to have write/read access to the properties files of Application B? What if both applications were made by different providers?
  Another example... Do you want Application A to have read/write access to $GERONIMO_HOME/var/config or security files?
   
  Bye.

Vamsavardhana Reddy <c1...@gmail.com> escribió:
  When does one require to run the server under a Security Manager?

Thanks,
Vamsi

  On 2/11/06, Matt Hogstrom <ma...@hogstrom.org> wrote:  Cristian,

No apologies.  This is good feedback as I think we can use as much
administrative feedback as possible.

Cristian Roldan wrote:
> Hi All,
>           I  enabled the Security Manager with these parameters "-Djava.security.manager -Djava.security.policy=geronimo.policy",
> everything works ok, but the only problem that  I saw was with the Application identification (number) , if you deploy
> an application, Generimo creates a directory config-store/[NUMBER], you must use this number in the policy file, after a while
> you undeploy and deploy a new version of that application in this case you obtain a new number, so you must change the policy file.
> I think that using a [number] as a deployment directory is not the best solution from the administration perspective.
> I'm sorry I just give an opinion from the administration point of view maybe there is a design/performace reason that I can't see.
>
>
>   // --------------------------------------------------------------------------------------
> // Permissions for Geronimo V.1.0
> // --------------------------------------------------------------------------------------
>   // Geronimo gets all permissions
> grant codeBase "file:${org.apache.geronimo.base.dir}/lib/-" {
>   permission java.security.AllPermission;
> };
>   grant codeBase "file:${org.apache.geronimo.base.dir}/repository/-" {
>   permission java.security.AllPermission;
> };
>   //---------------------------------------------------------------------- 
> // From here I set the minimun permissions for my Applications
> // You must change "23" for you Application number, this number is created
> // during deployment phase.
> //---------------------------------------------------------------------- 
>   grant codeBase "file:${org.apache.geronimo.base.dir}/config-store/23/-" {
>   permission java.lang.RuntimePermission "accessClassInPackage.*";
> };
>   // --------------------------------------------------------------------- 
>   grant codeBase "file:${org.apache.geronimo.base.dir}/config-store/1/-" {
>   permission java.security.AllPermission;
> };
> grant codeBase "file:${org.apache.geronimo.base.dir}/config-store/2/-" { 
>   permission java.security.AllPermission;
> };
> grant codeBase "file:${org.apache.geronimo.base.dir}/config-store/3/-" {
>   permission java.security.AllPermission;
> };
> grant codeBase "file:${ org.apache.geronimo.base.dir}/config-store/4/-" {
>   permission java.security.AllPermission;
> };
> grant codeBase "file:${org.apache.geronimo.base.dir}/config-store/5/-" {
>   permission java.security.AllPermission;
> };
> grant codeBase "file:${org.apache.geronimo.base.dir}/config-store/6/-" {
>   permission java.security.AllPermission;
> };
> grant codeBase "file:${ org.apache.geronimo.base.dir}/config-store/7/-" {
>   permission java.security.AllPermission;
> };
> grant codeBase "file:${org.apache.geronimo.base.dir}/config-store/8/-" {
>   permission java.security.AllPermission;
> };
> grant codeBase "file:${org.apache.geronimo.base.dir}/config-store/9/-" {
>   permission java.security.AllPermission;
> };
> grant codeBase "file:${ org.apache.geronimo.base.dir}/config-store/10/-" {
>   permission java.security.AllPermission;
> };
> grant codeBase "file:${org.apache.geronimo.base.dir}/config-store/11/-" {
>   permission java.security.AllPermission;
> };
> grant codeBase "file:${org.apache.geronimo.base.dir}/config-store/12/-" {
>   permission java.security.AllPermission;
> };
> grant codeBase "file:${ org.apache.geronimo.base.dir}/config-store/13/-" {
>   permission java.security.AllPermission;
> };
> grant codeBase "file:${org.apache.geronimo.base.dir}/config-store/14/-" {
>   permission java.security.AllPermission;
> };
> grant codeBase "file:${org.apache.geronimo.base.dir}/config-store/15/-" {
>   permission java.security.AllPermission;
> };
> grant codeBase "file:${ org.apache.geronimo.base.dir}/config-store/16/-" {
>   permission java.security.AllPermission;
> };
> grant codeBase "file:${org.apache.geronimo.base.dir}/config-store/17/-" {
>   permission java.security.AllPermission;
> };
> grant codeBase "file:${org.apache.geronimo.base.dir}/config-store/18/-" {
>   permission java.security.AllPermission;
> };
> grant codeBase "file:${ org.apache.geronimo.base.dir}/config-store/19/-" {
>   permission java.security.AllPermission;
> };
> grant codeBase "file:${org.apache.geronimo.base.dir}/config-store/20/-" {
>   permission java.security.AllPermission;
> };
> grant codeBase "file:${org.apache.geronimo.base.dir}/config-store/21/-" {
>   permission java.security.AllPermission;
> };
> grant codeBase "file:${ org.apache.geronimo.base.dir}/config-store/22/-" {
>   permission java.security.AllPermission;
> };
> grant codeBase "file:${org.apache.geronimo.base.dir}/config-store/24/-" {
>   permission java.security.AllPermission;
> };
> grant codeBase "file:${org.apache.geronimo.base.dir}/config-store/25/-" {
>   permission java.security.AllPermission;
> };
> grant codeBase "file:${ org.apache.geronimo.base.dir}/config-store/26/-" {
>   permission java.security.AllPermission;
> };
> grant codeBase "file:${org.apache.geronimo.base.dir}/config-store/27/-" {
>   permission java.security.AllPermission;
> };
> grant codeBase "file:${org.apache.geronimo.base.dir}/config-store/28/-" {
>   permission java.security.AllPermission;
> };
> grant codeBase "file:${ org.apache.geronimo.base.dir}/config-store/29/-" {
>   permission java.security.AllPermission;
> };
> grant codeBase "file:${org.apache.geronimo.base.dir}/config-store/30/-" {
>   permission java.security.AllPermission;
> };
> grant codeBase "file:${org.apache.geronimo.base.dir}/config-store/31/-" {
>   permission java.security.AllPermission;
> };
> grant codeBase "file:${ org.apache.geronimo.base.dir}/config-store/32/-" {
>   permission java.security.AllPermission;
> };
> grant codeBase "file:${org.apache.geronimo.base.dir}/config-store/33/-" {
>   permission java.security.AllPermission;
> };
> grant codeBase "file:${org.apache.geronimo.base.dir}/config-store/34/-" {
>   permission java.security.AllPermission;
> };
> grant codeBase "file:${ org.apache.geronimo.base.dir}/config-store/35/-" {
>   permission java.security.AllPermission;
> };
>
>
>
>
> ---------------------------------
>  1GB gratis, Antivirus y Antispam 
>  Correo Yahoo!, el mejor correo web del mundo
>  Abrí tu cuenta aquí





Re: Security Policy

Posted by Vamsavardhana Reddy <c1...@gmail.com>.
When does one require to run the server under a Security Manager?

Thanks,
Vamsi

On 2/11/06, Matt Hogstrom <ma...@hogstrom.org> wrote:
>
> Cristian,
>
> No apologies.  This is good feedback as I think we can use as much
> administrative feedback as possible.
>
> Cristian Roldan wrote:
> > Hi All,
> >           I enabled the Security Manager with these parameters
> > "-Djava.security.manager -Djava.security.policy=geronimo.policy",
> > everything works OK, but the only problem that I saw was with the
> > application identification (number): if you deploy
> > an application, Geronimo creates a directory config-store/[NUMBER], and you
> > must use this number in the policy file. After a while,
> > when you undeploy and deploy a new version of that application, you
> > obtain a new number, so you must change the policy file.
> > I think that using a [number] as a deployment directory is not the best
> > solution from the administration perspective.
> > I'm sorry, I am just giving an opinion from the administration point of view;
> > maybe there is a design/performance reason that I can't see.
> >
> >
> >   //
> --------------------------------------------------------------------------------------
> > // Permissions for Geronimo V.1.0
> > //
> --------------------------------------------------------------------------------------
> >   // Geronimo gets all permissions
> > grant codeBase "file:${org.apache.geronimo.base.dir}/lib/-" {
> >   permission java.security.AllPermission;
> > };
> >   grant codeBase "file:${org.apache.geronimo.base.dir}/repository/-" {
> >   permission java.security.AllPermission;
> > };
> >
> //----------------------------------------------------------------------
> > // From here I set the minimum permissions for my Applications
> > // You must change "23" to your Application number; this number is created
> > // during the deployment phase.
> > //----------------------------------------------------------------------
> >   grant codeBase "file:${org.apache.geronimo.base.dir}/config-store/23/-"
> {
> >   permission java.lang.RuntimePermission "accessClassInPackage.*";
> > };
> >   //
> ---------------------------------------------------------------------
> >   grant codeBase "file:${org.apache.geronimo.base.dir}/config-store/1/-"
> {
> >   permission java.security.AllPermission;
> > };
> > grant codeBase "file:${org.apache.geronimo.base.dir}/config-store/2/-" {
> >   permission java.security.AllPermission;
> > };
> > grant codeBase "file:${org.apache.geronimo.base.dir}/config-store/3/-" {
> >   permission java.security.AllPermission;
> > };
> > grant codeBase "file:${org.apache.geronimo.base.dir}/config-store/4/-" {
> >   permission java.security.AllPermission;
> > };
> > grant codeBase "file:${org.apache.geronimo.base.dir}/config-store/5/-" {
> >   permission java.security.AllPermission;
> > };
> > grant codeBase "file:${org.apache.geronimo.base.dir}/config-store/6/-" {
> >   permission java.security.AllPermission;
> > };
> > grant codeBase "file:${org.apache.geronimo.base.dir}/config-store/7/-" {
> >   permission java.security.AllPermission;
> > };
> > grant codeBase "file:${org.apache.geronimo.base.dir}/config-store/8/-" {
> >   permission java.security.AllPermission;
> > };
> > grant codeBase "file:${org.apache.geronimo.base.dir}/config-store/9/-" {
> >   permission java.security.AllPermission;
> > };
> > grant codeBase "file:${org.apache.geronimo.base.dir}/config-store/10/-"
> {
> >   permission java.security.AllPermission;
> > };
> > grant codeBase "file:${org.apache.geronimo.base.dir}/config-store/11/-"
> {
> >   permission java.security.AllPermission;
> > };
> > grant codeBase "file:${org.apache.geronimo.base.dir}/config-store/12/-"
> {
> >   permission java.security.AllPermission;
> > };
> > grant codeBase "file:${org.apache.geronimo.base.dir}/config-store/13/-"
> {
> >   permission java.security.AllPermission;
> > };
> > grant codeBase "file:${org.apache.geronimo.base.dir}/config-store/14/-"
> {
> >   permission java.security.AllPermission;
> > };
> > grant codeBase "file:${org.apache.geronimo.base.dir}/config-store/15/-"
> {
> >   permission java.security.AllPermission;
> > };
> > grant codeBase "file:${org.apache.geronimo.base.dir}/config-store/16/-"
> {
> >   permission java.security.AllPermission;
> > };
> > grant codeBase "file:${org.apache.geronimo.base.dir}/config-store/17/-"
> {
> >   permission java.security.AllPermission;
> > };
> > grant codeBase "file:${org.apache.geronimo.base.dir}/config-store/18/-"
> {
> >   permission java.security.AllPermission;
> > };
> > grant codeBase "file:${org.apache.geronimo.base.dir}/config-store/19/-"
> {
> >   permission java.security.AllPermission;
> > };
> > grant codeBase "file:${org.apache.geronimo.base.dir}/config-store/20/-"
> {
> >   permission java.security.AllPermission;
> > };
> > grant codeBase "file:${org.apache.geronimo.base.dir}/config-store/21/-"
> {
> >   permission java.security.AllPermission;
> > };
> > grant codeBase "file:${org.apache.geronimo.base.dir}/config-store/22/-"
> {
> >   permission java.security.AllPermission;
> > };
> > grant codeBase "file:${org.apache.geronimo.base.dir}/config-store/24/-"
> {
> >   permission java.security.AllPermission;
> > };
> > grant codeBase "file:${org.apache.geronimo.base.dir}/config-store/25/-"
> {
> >   permission java.security.AllPermission;
> > };
> > grant codeBase "file:${org.apache.geronimo.base.dir}/config-store/26/-"
> {
> >   permission java.security.AllPermission;
> > };
> > grant codeBase "file:${org.apache.geronimo.base.dir}/config-store/27/-"
> {
> >   permission java.security.AllPermission;
> > };
> > grant codeBase "file:${org.apache.geronimo.base.dir}/config-store/28/-"
> {
> >   permission java.security.AllPermission;
> > };
> > grant codeBase "file:${org.apache.geronimo.base.dir}/config-store/29/-"
> {
> >   permission java.security.AllPermission;
> > };
> > grant codeBase "file:${org.apache.geronimo.base.dir}/config-store/30/-"
> {
> >   permission java.security.AllPermission;
> > };
> > grant codeBase "file:${org.apache.geronimo.base.dir}/config-store/31/-"
> {
> >   permission java.security.AllPermission;
> > };
> > grant codeBase "file:${org.apache.geronimo.base.dir}/config-store/32/-"
> {
> >   permission java.security.AllPermission;
> > };
> > grant codeBase "file:${org.apache.geronimo.base.dir}/config-store/33/-"
> {
> >   permission java.security.AllPermission;
> > };
> > grant codeBase "file:${org.apache.geronimo.base.dir}/config-store/34/-"
> {
> >   permission java.security.AllPermission;
> > };
> > grant codeBase "file:${org.apache.geronimo.base.dir}/config-store/35/-"
> {
> >   permission java.security.AllPermission;
> > };
> >
> >
> >
> >
>

Re: Security Policy

Posted by Matt Hogstrom <ma...@hogstrom.org>.
Cristian,

No apologies.  This is good feedback as I think we can use as much 
administrative feedback as possible.

Cristian Roldan wrote:
> Hi All,
>           I enabled the Security Manager with these parameters "-Djava.security.manager -Djava.security.policy=geronimo.policy",
> everything works OK, but the only problem that I saw was with the application identification (number): if you deploy
> an application, Geronimo creates a directory config-store/[NUMBER], and you must use this number in the policy file. After a while,
> when you undeploy and deploy a new version of that application, you obtain a new number, so you must change the policy file.
> I think that using a [number] as a deployment directory is not the best solution from the administration perspective.
> I'm sorry, I am just giving an opinion from the administration point of view; maybe there is a design/performance reason that I can't see.
> 
>    
>   // --------------------------------------------------------------------------------------
> // Permissions for Geronimo V.1.0
> // --------------------------------------------------------------------------------------
>   // Geronimo gets all permissions
> grant codeBase "file:${org.apache.geronimo.base.dir}/lib/-" {
>   permission java.security.AllPermission;
> };
>   grant codeBase "file:${org.apache.geronimo.base.dir}/repository/-" {
>   permission java.security.AllPermission;
> };
>   //----------------------------------------------------------------------
> // From here I set the minimum permissions for my Applications
> // You must change "23" to your Application number; this number is created
> // during the deployment phase.
> //----------------------------------------------------------------------
>   grant codeBase "file:${org.apache.geronimo.base.dir}/config-store/23/-" {
>   permission java.lang.RuntimePermission "accessClassInPackage.*";
> };
>   // ---------------------------------------------------------------------
>   grant codeBase "file:${org.apache.geronimo.base.dir}/config-store/1/-" {
>   permission java.security.AllPermission;
> };
> grant codeBase "file:${org.apache.geronimo.base.dir}/config-store/2/-" {
>   permission java.security.AllPermission;
> };
> grant codeBase "file:${org.apache.geronimo.base.dir}/config-store/3/-" {
>   permission java.security.AllPermission;
> };
> grant codeBase "file:${org.apache.geronimo.base.dir}/config-store/4/-" {
>   permission java.security.AllPermission;
> };
> grant codeBase "file:${org.apache.geronimo.base.dir}/config-store/5/-" {
>   permission java.security.AllPermission;
> };
> grant codeBase "file:${org.apache.geronimo.base.dir}/config-store/6/-" {
>   permission java.security.AllPermission;
> };
> grant codeBase "file:${org.apache.geronimo.base.dir}/config-store/7/-" {
>   permission java.security.AllPermission;
> };
> grant codeBase "file:${org.apache.geronimo.base.dir}/config-store/8/-" {
>   permission java.security.AllPermission;
> };
> grant codeBase "file:${org.apache.geronimo.base.dir}/config-store/9/-" {
>   permission java.security.AllPermission;
> };
> grant codeBase "file:${org.apache.geronimo.base.dir}/config-store/10/-" {
>   permission java.security.AllPermission;
> };
> grant codeBase "file:${org.apache.geronimo.base.dir}/config-store/11/-" {
>   permission java.security.AllPermission;
> };
> grant codeBase "file:${org.apache.geronimo.base.dir}/config-store/12/-" {
>   permission java.security.AllPermission;
> };
> grant codeBase "file:${org.apache.geronimo.base.dir}/config-store/13/-" {
>   permission java.security.AllPermission;
> };
> grant codeBase "file:${org.apache.geronimo.base.dir}/config-store/14/-" {
>   permission java.security.AllPermission;
> };
> grant codeBase "file:${org.apache.geronimo.base.dir}/config-store/15/-" {
>   permission java.security.AllPermission;
> };
> grant codeBase "file:${org.apache.geronimo.base.dir}/config-store/16/-" {
>   permission java.security.AllPermission;
> };
> grant codeBase "file:${org.apache.geronimo.base.dir}/config-store/17/-" {
>   permission java.security.AllPermission;
> };
> grant codeBase "file:${org.apache.geronimo.base.dir}/config-store/18/-" {
>   permission java.security.AllPermission;
> };
> grant codeBase "file:${org.apache.geronimo.base.dir}/config-store/19/-" {
>   permission java.security.AllPermission;
> };
> grant codeBase "file:${org.apache.geronimo.base.dir}/config-store/20/-" {
>   permission java.security.AllPermission;
> };
> grant codeBase "file:${org.apache.geronimo.base.dir}/config-store/21/-" {
>   permission java.security.AllPermission;
> };
> grant codeBase "file:${org.apache.geronimo.base.dir}/config-store/22/-" {
>   permission java.security.AllPermission;
> };
> grant codeBase "file:${org.apache.geronimo.base.dir}/config-store/24/-" {
>   permission java.security.AllPermission;
> };
> grant codeBase "file:${org.apache.geronimo.base.dir}/config-store/25/-" {
>   permission java.security.AllPermission;
> };
> grant codeBase "file:${org.apache.geronimo.base.dir}/config-store/26/-" {
>   permission java.security.AllPermission;
> };
> grant codeBase "file:${org.apache.geronimo.base.dir}/config-store/27/-" {
>   permission java.security.AllPermission;
> };
> grant codeBase "file:${org.apache.geronimo.base.dir}/config-store/28/-" {
>   permission java.security.AllPermission;
> };
> grant codeBase "file:${org.apache.geronimo.base.dir}/config-store/29/-" {
>   permission java.security.AllPermission;
> };
> grant codeBase "file:${org.apache.geronimo.base.dir}/config-store/30/-" {
>   permission java.security.AllPermission;
> };
> grant codeBase "file:${org.apache.geronimo.base.dir}/config-store/31/-" {
>   permission java.security.AllPermission;
> };
> grant codeBase "file:${org.apache.geronimo.base.dir}/config-store/32/-" {
>   permission java.security.AllPermission;
> };
> grant codeBase "file:${org.apache.geronimo.base.dir}/config-store/33/-" {
>   permission java.security.AllPermission;
> };
> grant codeBase "file:${org.apache.geronimo.base.dir}/config-store/34/-" {
>   permission java.security.AllPermission;
> };
> grant codeBase "file:${org.apache.geronimo.base.dir}/config-store/35/-" {
>   permission java.security.AllPermission;
> };
>   
>  
> 
> 		