You are viewing a plain text version of this content. The canonical link for it is here.
Posted to derby-commits@db.apache.org by ch...@apache.org on 2013/05/13 16:34:15 UTC
svn commit: r1481877 - in /db/derby/docs/branches/10.10/src:
adminguide/tadminnetservbasic.dita adminguide/tadminnetservcustom.dita
devguide/cdevbabejgjd.dita devguide/rdevcsecure871406.dita
devguide/rdevcsecure871422.dita devguide/rdevcsecure871439.dita
Author: chaase3
Date: Mon May 13 14:34:15 2013
New Revision: 1481877
URL: http://svn.apache.org/r1481877
Log:
DERBY-6160 Fixes needed to documentation topics on security policy permissions
Merged patch DERBY-6160-4.diff to 10.10 doc branch from trunk revision 1481853.
Modified:
db/derby/docs/branches/10.10/src/adminguide/tadminnetservbasic.dita
db/derby/docs/branches/10.10/src/adminguide/tadminnetservcustom.dita
db/derby/docs/branches/10.10/src/devguide/cdevbabejgjd.dita
db/derby/docs/branches/10.10/src/devguide/rdevcsecure871406.dita
db/derby/docs/branches/10.10/src/devguide/rdevcsecure871422.dita
db/derby/docs/branches/10.10/src/devguide/rdevcsecure871439.dita
Modified: db/derby/docs/branches/10.10/src/adminguide/tadminnetservbasic.dita
URL: http://svn.apache.org/viewvc/db/derby/docs/branches/10.10/src/adminguide/tadminnetservbasic.dita?rev=1481877&r1=1481876&r2=1481877&view=diff
==============================================================================
--- db/derby/docs/branches/10.10/src/adminguide/tadminnetservbasic.dita (original)
+++ db/derby/docs/branches/10.10/src/adminguide/tadminnetservbasic.dita Mon May 13 14:34:15 2013
@@ -55,136 +55,133 @@ you will want to restrict the server's l
let the server backup/restore and export/import to or from any location in the local file system.
For details on how to customize the Template policy, please see <xref href="tadminnetservcustom.dita"></xref>.
The following example is a copy of the Basic policy: </p>
-<codeblock>//
-// This template policy file gives examples of how to configure the
+<codeblock>// This template policy file gives examples of how to configure the
// permissions needed to run a Derby network server with the Java
// Security manager.
//
grant codeBase "${derby.install.url}derby.jar"
{
-//
-// These permissions are needed for everyday, embedded Derby usage.
-//
+ // These permissions are needed for everyday, embedded Derby usage.
+ //
permission java.lang.RuntimePermission "createClassLoader";
permission java.util.PropertyPermission "derby.*", "read";
permission java.util.PropertyPermission "user.dir", "read";
- permission java.util.PropertyPermission "derby.storage.jvmInstanceId",
- "write";
+
// The next two properties are used to determine if the VM is 32 or 64
// bit.
permission java.util.PropertyPermission "sun.arch.data.model", "read";
permission java.util.PropertyPermission "os.arch", "read";
+
permission java.io.FilePermission "${derby.system.home}","read";
permission java.io.FilePermission "${derby.system.home}${/}-",
"read,write,delete";
-//
-// This permission lets a DBA reload the policy file while the server
-// is still running. The policy file is reloaded by invoking the
-// SYSCS_UTIL.SYSCS_RELOAD_SECURITY_POLICY() system procedure.
-//
+ // This permission lets a DBA reload the policy file while the server
+ // is still running. The policy file is reloaded by invoking the
+ // SYSCS_UTIL.SYSCS_RELOAD_SECURITY_POLICY() system procedure.
+ //
permission java.security.SecurityPermission "getPolicy";
-//
-// This permission lets you backup and restore databases
-// to and from arbitrary locations in your file system.
-//
-// This permission also lets you import/export data to and from
-// arbitrary locations in your file system.
-//
-// You may want to restrict this access to specific directories.
-//
+ // This permission lets you backup and restore databases
+ // to and from arbitrary locations in your file system.
+ //
+ // This permission also lets you import/export data to and from
+ // arbitrary locations in your file system.
+ //
+ // You may want to restrict this access to specific directories.
+ //
permission java.io.FilePermission "<<ALL FILES>>",
"read,write,delete";
-
-//
-// Permissions needed for JMX based management and monitoring, which is
-// only available for JVMs supporting "platform management", that is
-// Java SE 5.0 or better.
-//
-// Allows this code to create an MBeanServer:
-//
+ // Permissions needed for JMX based management and monitoring, which is
+ // only available for JVMs supporting "platform management", that is
+ // Java SE 5.0 or better.
+ //
+ // Allows this code to create an MBeanServer:
+ //
permission javax.management.MBeanServerPermission "createMBeanServer";
-//
-// Allows access to Derby's built-in MBeans, within the domain
-// org.apache.derby.
-// Derby must be allowed to register and unregister these MBeans.
-// It is possible to allow access only to specific MBeans, attributes or
-// operations. To fine tune this permission, see the javadoc of
-// javax.management.MBeanPermission or the JMX Instrumentation and Agent
-// Specification.
-//
+ //
+ // Allows access to Derby's built-in MBeans, within the domain
+ // org.apache.derby.
+ // Derby must be allowed to register and unregister these MBeans.
+ // It is possible to allow access only to specific MBeans, attributes
+ // or operations. To fine tune this permission, see the javadoc of
+ // javax.management.MBeanPermission or the JMX Instrumentation and
+ // Agent Specification.
+ //
permission javax.management.MBeanPermission
"org.apache.derby.*#[org.apache.derby:*]",
"registerMBean,unregisterMBean";
-//
-// Trusts Derby code to be a source of MBeans and to register these in
-// the MBean server.
-//
+ //
+ // Trusts Derby code to be a source of MBeans and to register these in
+ // the MBean server.
+ //
permission javax.management.MBeanTrustPermission "register";
// getProtectionDomain is an optional permission needed for printing
// classpath information to derby.log
permission java.lang.RuntimePermission "getProtectionDomain";
- //
// The following permission must be granted for
// Connection.abort(Executor) to work. Note that this permission
// must also be granted to outer (application) code domains.
//
permission java.sql.SQLPermission "callAbort";
+
+ // Needed by file permissions restriction system:
+ permission java.lang.RuntimePermission "accessUserInformation";
+ permission java.lang.RuntimePermission "getFileStoreAttributes";
};
grant codeBase "${derby.install.url}derbynet.jar"
{
-//
-// This permission lets the Network Server manage connections from
-// clients.
-//
-
-// Accept connections from any host. Derby is listening to the host
-// interface specified via the -h option to "NetworkServerControl
-// start" on the command line, via the address parameter to the
-// org.apache.derby.drda.NetworkServerControl constructor in the API
-// or via the property derby.drda.host; the default is localhost.
-// You may want to restrict allowed hosts, e.g. to hosts in a specific
-// subdomain, e.g. "*.example.com".
+ // This permission lets the Network Server manage connections from
+ // clients.
+ // Accept connections from any host. Derby is listening to the host
+ // interface specified via the -h option to "NetworkServerControl
+ // start" on the command line, via the address parameter to the
+ // org.apache.derby.drda.NetworkServerControl constructor in the API
+ // or via the property derby.drda.host; the default is localhost.
+ // You may want to restrict allowed hosts, e.g. to hosts in a specific
+ // subdomain, e.g. "*.example.com".
permission java.net.SocketPermission "*", "accept";
-//
-// Needed for server tracing.
-//
+ // Needed for server tracing.
+ //
permission java.io.FilePermission "${derby.drda.traceDirectory}${/}-",
"read,write,delete";
-//
-// JMX: Uncomment this permission to allow the ping operation of the
-// NetworkServerMBean to connect to the Network Server.
-//permission java.net.SocketPermission "*", "connect,resolve";
-
-
-//
-// Needed by sysinfo. The file permission is needed to
-// check the existence of jars on the classpath. You can
-// limit this permission to just the locations which hold
-// your jar files.
-//
-// In this template file, this block of permissions is granted
-// to derbynet.jar under the assumption that derbynet.jar is
-// the first jar file in your classpath which contains the
-// sysinfo classes. If that is not the case, then you will want
-// to grant this block of permissions to the first jar file
-// in your classpath which contains the sysinfo classes.
-// Those classes are bundled into the following Derby
-// jar files:
-//
-// derbynet.jar
-// derby.jar
-// derbyclient.jar
-// derbytools.jar
-//
+ // Needed by file permissions restriction system:
+ //
+ permission java.lang.RuntimePermission "accessUserInformation";
+ permission java.lang.RuntimePermission "getFileStoreAttributes";
+ permission java.util.PropertyPermission
+ "derby.__serverStartedFromCmdLine", "read, write";
+
+ // JMX: Uncomment this permission to allow the ping operation of the
+ // NetworkServerMBean to connect to the Network Server.
+ //permission java.net.SocketPermission "*", "connect,resolve";
+
+ // Needed by sysinfo. The file permission is needed to
+ // check the existence of jars on the classpath. You can
+ // limit this permission to just the locations which hold
+ // your jar files.
+ //
+ // In this template file, this block of permissions is granted
+ // to derbynet.jar under the assumption that derbynet.jar is
+ // the first jar file in your classpath which contains the
+ // sysinfo classes. If that is not the case, then you will want
+ // to grant this block of permissions to the first jar file
+ // in your classpath which contains the sysinfo classes.
+ // Those classes are bundled into the following Derby
+ // jar files:
+ //
+ // derbynet.jar
+ // derby.jar
+ // derbyclient.jar
+ // derbytools.jar
+ //
permission java.util.PropertyPermission "user.*", "read";
permission java.util.PropertyPermission "java.home", "read";
permission java.util.PropertyPermission "java.class.path", "read";
Modified: db/derby/docs/branches/10.10/src/adminguide/tadminnetservcustom.dita
URL: http://svn.apache.org/viewvc/db/derby/docs/branches/10.10/src/adminguide/tadminnetservcustom.dita?rev=1481877&r1=1481876&r2=1481877&view=diff
==============================================================================
--- db/derby/docs/branches/10.10/src/adminguide/tadminnetservcustom.dita (original)
+++ db/derby/docs/branches/10.10/src/adminguide/tadminnetservcustom.dita Mon May 13 14:34:15 2013
@@ -28,91 +28,209 @@ limitations under the License.
<context> <p> The Network Server's Basic security policy is documented in
the section <xref href="tadminnetservbasic.dita"></xref>. Most likely, you
will want to customize your own security policy. For example, you might want
-to restrict the server's liberal file i/o permissions which let the server
-backup/restore and export/import to or from any location in the local file system. Customizing
-the security policy is simple: </p> <ul>
-<li>A template policy lives in the Derby distribution at <i>demo/templates/server.policy</i>.
+to restrict the server's liberal file I/O permissions, which let the server
+backup/restore and export/import to or from any location in the local file
+system. Customizing the security policy is simple: </p>
+<ol>
+<li>A template policy lives in the
+<ph conref="../conrefs.dita#prod/productshortname"></ph> distribution at
+<i>demo/templates/server.policy</i>.
Copy the file from this location to your own file, say <i>myCustomized.policy</i>.
All of the following edits take place in your custom file.</li>
<li>Replace the <i>${derby.install.url}</i> variable with the location of
-the Derby jars in your local file system.</li>
+the <ph conref="../conrefs.dita#prod/productshortname"></ph> jars in your local
+file system.</li>
<li>Replace the <i>${derby.system.home}</i> variable with the location of
-your Derby system directory. Alternatively, rather than replacing this variable,
-you can simply set the value of the <i>derby.system.home</i> system property
-when you boot the server.</li>
-<li>You must grant <i>java.net.SocketPermission</i> to
-<codeph>derby.jar</codeph> if you are using LDAP authentication, so
-that the Derby code is allowed to contact the LDAP server to perform
-the authentication.</li>
+your <ph conref="../conrefs.dita#prod/productshortname"></ph> system directory.
+Alternatively, rather than replacing this variable, you can simply set the value
+of the <i>derby.system.home</i> system property when you boot the server.</li>
+<li>Replace the <i>${derby.drda.traceDirectory}</i> variable with the location
+of your server trace file if you plan to use tracing.</li>
+<li>Grant <i>java.net.SocketPermission</i> to <codeph>derby.jar</codeph> if you
+are using LDAP authentication, so that the
+<ph conref="../conrefs.dita#prod/productshortname"></ph> code is allowed to
+contact the LDAP server to perform the authentication.</li>
<li>You may want to restrict the socket permission for <codeph>derbynet.jar</codeph>,
which by default accepts connections from any host (<codeph>"*"</codeph>).
Note that the special wildcard address <codeph>"0.0.0.0"</codeph> is not
-understood by SocketPermission, even though Derby accepts this wildcard as
-a valid value for accepting connections on all network interfaces (IPv4).</li>
+understood by SocketPermission, even though
+<ph conref="../conrefs.dita#prod/productshortname"></ph> accepts this wildcard
+as a valid value for accepting connections on all network interfaces
+(IPv4).</li>
<li>Refine the file permissions needed by backup/restore, import/export, and
the loading of application jars.</li>
-</ul> <p>The following example is a copy of a sample, customized policy file: </p>
+</ol>
+<p>The following example is a copy of a sample customized policy file: </p>
<codeblock>
grant codeBase "file:/usr/local/share/sw/derby/lib/derby.jar"
{
-//
-// These permissions are needed for everyday, embedded Derby usage.
-//
+ // These permissions are needed for everyday, embedded Derby usage.
+ //
permission java.lang.RuntimePermission "createClassLoader";
permission java.util.PropertyPermission "derby.*", "read";
- // The next two properties are used to determine if the VM is 32 or 64 bit.
+ permission java.util.PropertyPermission "user.dir", "read";
+
+ // The next two properties are used to determine if the VM is 32 or
+ // 64 bit.
+ //
permission java.util.PropertyPermission "sun.arch.data.model", "read";
permission java.util.PropertyPermission "os.arch", "read";
- permission java.util.PropertyPermission "user.dir", "read";
- permission java.io.FilePermission "/usr/local/shoppingCartApp/databases","read";
- permission java.io.FilePermission "/usr/local/shoppingCartApp/databases/-",
- "read,write,delete";
- permission java.util.PropertyPermission "derby.storage.jvmInstanceId",
- "write";
-
-//
-// This permission lets a DBA reload the policy file while the server
-// is still running. The policy file is reloaded by invoking the
-// SYSCS_UTIL.SYSCS_RELOAD_SECURITY_POLICY() system procedure.
-//
+
+ // Customized to actual location of derby.system.home:
+ //
+ permission java.io.FilePermission
+ "/usr/local/shoppingCartApp/databases", "read";
+ permission java.io.FilePermission
+ "/usr/local/shoppingCartApp/databases/-", "read,write,delete";
+
+ // This permission lets a DBA reload the policy file while the server
+ // is still running. The policy file is reloaded by invoking the
+ // SYSCS_UTIL.SYSCS_RELOAD_SECURITY_POLICY() system procedure.
+ //
permission java.security.SecurityPermission "getPolicy";
-//
-// This permission lets you backup and restore databases
-// to and from a selected branch of the local file system:
-//
- permission java.io.FilePermission "/usr/local/shoppingCartApp/backups/-", "read,write,delete";
-//
-// This permission lets you import data from
-// a selected branch of the local file system:
-//
- permission java.io.FilePermission "/usr/local/shoppingCartApp/imports/-", "read";
-//
-// This permission lets you export data to
-// a selected branch of the local file system:
-//
- permission java.io.FilePermission "/usr/local/shoppingCartApp/exports/-", "write";
-//
-// This permission lets you load your databases with jar files of
-// application code
-//
- permission java.io.FilePermission "/usr/local/shoppingCartApp/lib/*", "read";
+ // This permission lets you backup and restore databases
+ // to and from a selected branch of the local file system:
+ //
+ permission java.io.FilePermission
+ "/usr/local/shoppingCartApp/backups/-", "read,write,delete";
+
+ // This permission lets you import data from
+ // a selected branch of the local file system:
+ //
+ permission java.io.FilePermission
+ "/usr/local/shoppingCartApp/imports/-", "read";
-// LDAP server on localhost using default LDAP port 389:
- permission java.net.SocketPermission "localhost:389", "connect,resolve";
+ // This permission lets you export data to
+ // a selected branch of the local file system:
+ //
+ permission java.io.FilePermission
+ "/usr/local/shoppingCartApp/exports/-", "write";
+
+ // This permission lets you load your databases with jar files of
+ // application code
+ //
+ permission java.io.FilePermission "/usr/local/shoppingCartApp/lib/*",
+ "read";
+
+ // LDAP server on localhost using default LDAP port 389:
+ //
+ permission java.net.SocketPermission "localhost:389",
+ "connect,resolve";
+
+ // Permissions needed for JMX based management and monitoring.
+ // Uncomment the following MBeanServerPermission, MBeanPermission and
+ // MBeanTrustPermission if you need JMX monitoring. Consider the
+ // security implications before you open up for JMX
+ // monitoring.
+ //
+ // Allows this code to create an MBeanServer:
+ //
+ // permission javax.management.MBeanServerPermission
+ // "createMBeanServer";
+ //
+ // Allows access to Derby's built-in MBeans, within the domain
+ // org.apache.derby. Derby must be allowed to register and unregister
+ // these MBeans. It is possible to allow access only to specific
+ // MBeans, attributes or operations. To fine-tune this permission, see
+ // the API documentation for javax.management.MBeanPermission or the
+ // JMX Instrumentation and Agent Specification:
+ //
+ // permission javax.management.MBeanPermission
+ // "org.apache.derby.*#[org.apache.derby:*]",
+ // "registerMBean, unregisterMBean";
+ //
+ // Trusts Derby code to be a source of MBeans and to register these
+ // in the MBean server:
+ //
+ // permission javax.management.MBeanTrustPermission "register";
+
+ // getProtectionDomain is an optional permission needed for printing
+ // classpath information to derby.log. Consider if this could be a
+ // security risk before enabling it.
+ //
+ // permission java.lang.RuntimePermission "getProtectionDomain";
+
+ // The following permission must be granted for
+ // Connection.abort(Executor) to work. Note that this permission must
+ // also be granted to outer (application) code domains.
+ // Uncomment this permission if you plan to use Connection.abort.
+ //
+ // permission java.sql.SQLPermission "callAbort";
+
+ // Needed by file permissions restriction system (see the
+ // documentation for derby.storage.useDefaultFilePermissions in the
+ // Reference Manual). Consider restricting the database file-level
+ // permissions for security.
+ permission java.lang.RuntimePermission "accessUserInformation";
+ permission java.lang.RuntimePermission "getFileStoreAttributes";
};
grant codeBase "file:/usr/local/share/sw/derby/lib/derbynet.jar"
{
-//
-// This permission lets the Network Server manage connections from clients
-// originating from the localhost, on any port.
-//
+ // This permission lets the Network Server manage connections from
+ // clients originating from the localhost, on any port. Consider the
+ // security implications before you open up database connections
+ // from other hosts.
+ //
permission java.net.SocketPermission "localhost:0-", "accept";
+
+ // Needed for server tracing.
+ //
+ permission java.io.FilePermission
+ "/usr/local/shoppingCartApp/trace/-", "read,write,delete";
+
+ // Needed by file permissions restriction system:
+ //
+ permission java.lang.RuntimePermission "accessUserInformation";
+ permission java.lang.RuntimePermission "getFileStoreAttributes";
+
+ // Mandatory if running with a customized policy file.
+ //
+ permission java.util.PropertyPermission
+ "derby.__serverStartedFromCmdLine", "read, write";
+
+ //
+ // JMX: Uncomment this permission to allow the ping operation of the
+ // NetworkServerMBean to connect to the Network Server.
+ //
+ // permission java.net.SocketPermission "*", "connect,resolve";
+
+ // Needed by the sysinfo tool only. You may want to remove the
+ // block of permissions below if you don't plan to use it. The file
+ // permission is needed to check the existence of jars on the
+ // classpath. You can limit this permission to just the locations
+ // which hold your jar files.
+ //
+ // This block of permissions is granted to derbynet.jar under the
+ // assumption that derbynet.jar is the first jar file in your
+ // classpath which contains the sysinfo classes. If that is not the
+ // case, then you will want to grant this block of permissions to
+ // the first jar file in your classpath which contains the sysinfo
+ // classes. Those classes are bundled into the following Derby jar
+ // files:
+ //
+ // derbynet.jar
+ // derby.jar
+ // derbyclient.jar
+ // derbytools.jar
+ //
+ permission java.util.PropertyPermission "user.*", "read";
+ permission java.util.PropertyPermission "java.home", "read";
+ permission java.util.PropertyPermission "java.class.path", "read";
+ permission java.util.PropertyPermission "java.runtime.version", "read";
+ permission java.util.PropertyPermission "java.fullversion", "read";
+ permission java.lang.RuntimePermission "getProtectionDomain";
+ permission java.io.FilePermission
+ "/usr/local/shoppingCartApp/jars/-", "read";
+ permission java.io.FilePer mission "java.runtime.version", "read";
+ permission java.io.FilePermission "java.fullversion", "read";
};
</codeblock> <p> After customizing the Basic policy, you may bring up the
Network Server as follows: </p> <codeblock>
-java -Djava.security.manager -Djava.security.policy=/usr/local/shoppingCartApp/lib/myCustomized.policy org.apache.derby.drda.NetworkServerControl start -h localhost
+java -Djava.security.manager \
+-Djava.security.policy=/usr/local/shoppingCartApp/lib/myCustomized.policy \
+org.apache.derby.drda.NetworkServerControl start -h localhost
</codeblock> </context>
</taskbody>
</task>
Modified: db/derby/docs/branches/10.10/src/devguide/cdevbabejgjd.dita
URL: http://svn.apache.org/viewvc/db/derby/docs/branches/10.10/src/devguide/cdevbabejgjd.dita?rev=1481877&r1=1481876&r2=1481877&view=diff
==============================================================================
--- db/derby/docs/branches/10.10/src/devguide/cdevbabejgjd.dita (original)
+++ db/derby/docs/branches/10.10/src/devguide/cdevbabejgjd.dita Mon May 13 14:34:15 2013
@@ -44,15 +44,6 @@ in the database.</dd>
individual <ph conref="../conrefs.dita#prod/productshortname"></ph> properties
set in the JVM machine's system set. If the action is denied, properties in the JVM machine's
system set are ignored.</dd>
-</dlentry><dlentry>
-<dt>permission java.util.PropertyPermission "derby.storage.jvmInstanceId",
-"write"</dt>
-<dd>This property is used by Derby to prevent the accidental boot of the database
-by two class loaders. If the database is booted by two class loaders, database
-corruption can occur.
-If write permission for this property is not granted, a message is printed
-to the log file which indicates that the <ph conref="../conrefs.dita#prod/productshortname"></ph> database
-is not protected from dual boot and possible corruption.</dd>
</dlentry></dl></section>
<section><title>Database access permissions</title><dl><dlentry>
<dt>permission java.io.FilePermission "directory${/}/-", "read,write,delete"</dt>
@@ -117,6 +108,18 @@ errors and when the <i>derby.stream.erro
is set. See the documentation of this property in the
<ph conref="../conrefs.dita#pub/citref"></ph> for details.</dd>
</dlentry><dlentry>
+<dt>permission java.lang.RuntimePermission "accessUserInformation";</dt>
+<dt>permission java.lang.RuntimePermission "getFileStoreAttributes";</dt>
+<dd>These two permissions are needed when you are running with JDK 7 or higher
+and when the secure file mask settings are active (that is, when
+<i>derby.storage.useDefaultFilePermissions</i> is set to false, or when the
+server has been started from the command line (in which case secure file mask
+settings are active by default).</dd>
+</dlentry><dlentry>
+<dt>permission java.lang.RuntimePermission "getProtectionDomain";</dt>
+<dd>This permission is needed if you want classpath information to be printed to
+<i>derby.log</i>.</dd>
+</dlentry><dlentry>
<dt>permission javax.management.MBeanServerPermission "createMBeanServer";</dt>
<dd>Allows <ph conref="../conrefs.dita#prod/productshortname"></ph> to create an
MBean server. If the JVM running
Modified: db/derby/docs/branches/10.10/src/devguide/rdevcsecure871406.dita
URL: http://svn.apache.org/viewvc/db/derby/docs/branches/10.10/src/devguide/rdevcsecure871406.dita?rev=1481877&r1=1481876&r2=1481877&view=diff
==============================================================================
--- db/derby/docs/branches/10.10/src/devguide/rdevcsecure871406.dita (original)
+++ db/derby/docs/branches/10.10/src/devguide/rdevcsecure871406.dita Mon May 13 14:34:15 2013
@@ -22,12 +22,12 @@ limitations under the License.
<title>Java security policy file example 1</title>
<prolog></prolog>
<refbody>
-<example> <codeblock><b>/* Grants permission to run <ph conref="../conrefs.dita#prod/productshortname"></ph> and access all */
-/* databases under the <ph conref="../conrefs.dita#prod/productshortname"></ph> system home */
-/* when it is specified by the system property */
-/* <ph conref="../conrefs.dita#prod/productshortname"></ph>.system.home */
+<example> <codeblock><b>/* Grants permission to run <ph conref="../conrefs.dita#prod/productshortname"></ph> and access all */
+/* databases under the <ph conref="../conrefs.dita#prod/productshortname"></ph> system home */
+/* when it is specified by the system property */
+/* derby.system.home */
-/* Note <ph conref="../conrefs.dita#prod/productshortname"></ph>.system.home must be an absolute pathname */</b>
+/* Note derby.system.home must be an absolute pathname */</b>
grant codeBase "file://f:/<ph conref="../conrefs.dita#prod/productlowercase"></ph>/lib/derby.jar" {
@@ -36,8 +36,6 @@ grant codeBase "file://f:/<ph conref="..
permission.java.io.FilePermission "${derby.system.home}","read";
permission java.io.FilePermission "${derby.system.home}${/}
-", "read,write,delete";
- permission java.util.PropertyPermission "derby.storage.jvmInstanceId",
- "write";
};</codeblock></example>
</refbody>
</reference>
Modified: db/derby/docs/branches/10.10/src/devguide/rdevcsecure871422.dita
URL: http://svn.apache.org/viewvc/db/derby/docs/branches/10.10/src/devguide/rdevcsecure871422.dita?rev=1481877&r1=1481876&r2=1481877&view=diff
==============================================================================
--- db/derby/docs/branches/10.10/src/devguide/rdevcsecure871422.dita (original)
+++ db/derby/docs/branches/10.10/src/devguide/rdevcsecure871422.dita Mon May 13 14:34:15 2013
@@ -22,10 +22,9 @@ limitations under the License.
<title>Java security policy file example 2</title>
<prolog></prolog>
<refbody>
-<example> <codeblock><b>/* Grants permission to run <ph conref="../conrefs.dita#prod/productshortname"></ph> and access all */
-/* databases under the <ph conref="../conrefs.dita#prod/productshortname"></ph> system home */
-/* when it defaults to the current directory */</b>
-
+<example> <codeblock><b>/* Grants permission to run <ph conref="../conrefs.dita#prod/productshortname"></ph> and access all */
+/* databases under the <ph conref="../conrefs.dita#prod/productshortname"></ph> system home */
+/* when it defaults to the current directory */</b>
grant codeBase "file://f:/<ph conref="../conrefs.dita#prod/productlowercase"></ph>/lib/derby.jar" {
permission java.lang.RuntimePermission "createClassLoader";
@@ -34,9 +33,6 @@ grant codeBase "file://f:/<ph conref="..
permission java.io.FilePermission "${derby.system.home}","read";
permission java.io.FilePermission "${user.dir}${/}-",
"read,write,delete";
- permission java.util.PropertyPermission "derby.storage.jvmInstanceId",
- "write";
-
};</codeblock></example>
</refbody>
</reference>
Modified: db/derby/docs/branches/10.10/src/devguide/rdevcsecure871439.dita
URL: http://svn.apache.org/viewvc/db/derby/docs/branches/10.10/src/devguide/rdevcsecure871439.dita?rev=1481877&r1=1481876&r2=1481877&view=diff
==============================================================================
--- db/derby/docs/branches/10.10/src/devguide/rdevcsecure871439.dita (original)
+++ db/derby/docs/branches/10.10/src/devguide/rdevcsecure871439.dita Mon May 13 14:34:15 2013
@@ -22,10 +22,10 @@ limitations under the License.
<title>Java security policy file example 3</title>
<prolog></prolog>
<refbody>
-<example> <codeblock><b>/* Grants permission to run <ph conref="../conrefs.dita#prod/productshortname"></ph> and access a single */
-/* database (salesdb) under the <ph conref="../conrefs.dita#prod/productshortname"></ph> system home */
+<example> <codeblock><b>/* Grants permission to run <ph conref="../conrefs.dita#prod/productshortname"></ph> and access a single */
+/* database (salesdb) under the <ph conref="../conrefs.dita#prod/productshortname"></ph> system home */
-/* Note <ph conref="../conrefs.dita#prod/productshortname"></ph>.system.home must be an absolute pathname */</b>
+/* Note derby.system.home must be an absolute pathname */</b>
grant codeBase "file://f:/<ph conref="../conrefs.dita#prod/productlowercase"></ph>/lib/derby.jar" {
@@ -36,10 +36,6 @@ grant codeBase "file://f:/<ph conref="..
"read,write,delete";
permission java.io.FilePermission "${derby.system.home}${/}
salesdb${/}-", "read,write,delete";
- permission java.util.PropertyPermission "derby.storage.jvmInstanceId",
- "write";
-
-
}; </codeblock></example>
</refbody>
</reference>