Posted to user@river.apache.org by Gus Heck <gu...@gmail.com> on 2014/07/06 06:26:44 UTC

What permissions are actually needed

The getting started page says: " In the interest of simplicity, we are
going to grant everything every permission. In the real world, this would
obviously not be recommended."

Ok fine, but where do I find the documentation of what is needed for what
when I DO eventually want to live in the real world :)

-Gus

-- 
http://www.the111shift.com

Re: What permissions are actually needed

Posted by Gus Heck <gu...@gmail.com>.
Thanks :)


On Sun, Jul 6, 2014 at 4:54 PM, Greg Trasuk <tr...@stratuscom.com> wrote:

>
> Basically, you want to grant as few permissions as you can - unfortunately
> that sometimes means trying things out, adding permissions until they work.
>
> As a starting point, the application class loader needs something like
> this (taken from river-container (
> https://github.com/trasukg/river-container)):
>
>     //java.security.AllPermission;
>     //java.io.FilePermission "${serviceArchive}" "read";
>     java.io.FilePermission "-" "read";
>     java.net.SocketPermission "*" "connect,listen,accept,resolve";
>
>     /* net.jini.security.Security requires createSecurityManager, but we
>     don't grant 'setSecurityManager'. */
>     java.lang.RuntimePermission "createSecurityManager";
>     java.lang.RuntimePermission "getProtectionDomain";
>     java.lang.RuntimePermission "setFactory";
>     java.lang.RuntimePermission "modifyThread";
>     java.lang.RuntimePermission "modifyThreadGroup";
>     java.security.SecurityPermission "getDomainCombiner";
>     java.security.SecurityPermission "createAccessControlContext";
>     java.security.SecurityPermission "getPolicy";
>
>     // BasicProxyPreparer requirements:
>     javax.security.auth.AuthPermission "getSubject";
>
>     net.jini.security.policy.UmbrellaGrantPermission;
>     com.sun.jini.thread.ThreadPoolPermission "getSystemThreadPool";
>     com.sun.jini.thread.ThreadPoolPermission "getUserThreadPool";
>     com.sun.jini.discovery.internal.EndpointInternalsPermission "set";
>     com.sun.jini.discovery.internal.EndpointInternalsPermission "get";
>     java.lang.reflect.ReflectPermission "suppressAccessChecks";
>     net.jini.export.ExportPermission "exportRemoteInterface.*";
>     net.jini.discovery.DiscoveryPermission "*";
>     java.lang.RuntimePermission "shutdownHooks";
>     java.util.PropertyPermission "*" "read";
>
>     java.lang.RuntimePermission "accessClassInPackage.com.sun.proxy";
>
>     // Only in client configuration - apps can call System.exit()
>     java.lang.RuntimePermission "exitVM.*";
>
> Cheers,
>
> Greg Trasuk.
>
> On Jul 6, 2014, at 12:26 AM, Gus Heck <gu...@gmail.com> wrote:
>
> > The getting started page says: " In the interest of simplicity, we are
> > going to grant everything every permission. In the real world, this would
> > obviously not be recommended."
> >
> > Ok fine, but where do I find the documentation of what is needed for what
> > when I DO eventually want to live in the real world :)
> >
> > -Gus
> >
> > --
> > http://www.the111shift.com
>
>


-- 
http://www.the111shift.com

Re: What permissions are actually needed

Posted by Greg Trasuk <tr...@stratuscom.com>.
Basically, you want to grant as few permissions as you can - unfortunately that sometimes means trying things out, adding permissions until they work.

As a starting point, the application class loader needs something like this (taken from river-container (https://github.com/trasukg/river-container)):

    //java.security.AllPermission;
    //java.io.FilePermission "${serviceArchive}" "read";
    java.io.FilePermission "-" "read";
    java.net.SocketPermission "*" "connect,listen,accept,resolve";

    /* net.jini.security.Security requires createSecurityManager, but we
    don't grant 'setSecurityManager'. */
    java.lang.RuntimePermission "createSecurityManager";
    java.lang.RuntimePermission "getProtectionDomain";
    java.lang.RuntimePermission "setFactory";
    java.lang.RuntimePermission "modifyThread";
    java.lang.RuntimePermission "modifyThreadGroup";
    java.security.SecurityPermission "getDomainCombiner";
    java.security.SecurityPermission "createAccessControlContext";
    java.security.SecurityPermission "getPolicy";

    // BasicProxyPreparer requirements:
    javax.security.auth.AuthPermission "getSubject";
    
    net.jini.security.policy.UmbrellaGrantPermission;
    com.sun.jini.thread.ThreadPoolPermission "getSystemThreadPool";
    com.sun.jini.thread.ThreadPoolPermission "getUserThreadPool";
    com.sun.jini.discovery.internal.EndpointInternalsPermission "set";
    com.sun.jini.discovery.internal.EndpointInternalsPermission "get";
    java.lang.reflect.ReflectPermission "suppressAccessChecks";
    net.jini.export.ExportPermission "exportRemoteInterface.*";
    net.jini.discovery.DiscoveryPermission "*";
    java.lang.RuntimePermission "shutdownHooks";
    java.util.PropertyPermission "*" "read";

    java.lang.RuntimePermission "accessClassInPackage.com.sun.proxy";

    // Only in client configuration - apps can call System.exit()
    java.lang.RuntimePermission "exitVM.*";

Cheers,

Greg Trasuk.

On Jul 6, 2014, at 12:26 AM, Gus Heck <gu...@gmail.com> wrote:

> The getting started page says: " In the interest of simplicity, we are
> going to grant everything every permission. In the real world, this would
> obviously not be recommended."
> 
> Ok fine, but where do I find the documentation of what is needed for what
> when I DO eventually want to live in the real world :)
> 
> -Gus
> 
> -- 
> http://www.the111shift.com
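
An added example (not part of the thread and not river-container code): a small Python script for the "adding permissions until they work" loop described in the reply. It collects the `access denied` messages that `java.security.AccessControlException` produces and prints one candidate entry per distinct permission, in the layout of the list above. The log lines and the host `192.0.2.10:4160` are constructed samples.

```python
import re
from collections import defaultdict

# Message format produced by java.security.AccessControlException (Java 7+):
#   access denied ("<permission class>" "<target>" "<actions>")
# Target and actions are optional, e.g. RuntimePermission has no actions.
DENIED = re.compile(r'access denied \("([\w.$]+)"(?: "([^"]*)")?(?: "([^"]*)")?\)')

# Constructed sample log lines (not taken from a real River run).
SAMPLE_LOG = '''\
java.security.AccessControlException: access denied ("java.net.SocketPermission" "192.0.2.10:4160" "connect,resolve")
INFO: starting service
java.security.AccessControlException: access denied ("java.net.SocketPermission" "192.0.2.10:4160" "accept,resolve")
Caused by: java.security.AccessControlException: access denied ("java.util.PropertyPermission" "user.home" "read")
java.security.AccessControlException: access denied ("java.lang.RuntimePermission" "modifyThread")
java.security.AccessControlException: access denied ("java.lang.RuntimePermission" "modifyThread")
'''

def collect_denials(log_text):
    """Return {(class, target): set(actions)} for every denial in the log."""
    denied = defaultdict(set)
    for cls, target, actions in DENIED.findall(log_text):
        # Merge actions so repeated denials on one target yield a single entry.
        denied[(cls, target)].update(a for a in actions.split(",") if a)
    return denied

def to_grant_lines(denied):
    """Render denials as 'class "target" "actions";' lines, sorted for review."""
    lines = []
    for (cls, target), actions in sorted(denied.items()):
        parts = [cls]
        if target:
            parts.append('"%s"' % target)
        if actions:
            parts.append('"%s"' % ",".join(sorted(actions)))
        lines.append(" ".join(parts) + ";")
    return lines

if __name__ == "__main__":
    for line in to_grant_lines(collect_denials(SAMPLE_LOG)):
        print(line)
```

Review each generated line before adding it to the policy: a denial can mean the code should not have that access at all, not that a grant is missing.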