Menu Close
Settings Close

Language and Page Formatting Options

Red Hat Training

A Red Hat training course is available for JBoss Enterprise Application Platform Common Criteria Certification

2.5.6. Guidance on Configuring Java Security Permissions

The system administrator for the operation of the certified system is expected to configure the security permissions for all enterprise applications that are deployed on the certified system, when the certified system runs in the security manager enabled mode.


This configuration is only necessary when running JBoss EAP with the Java Security Manager enabled. Refer to Section 4.2, “Enabling the Java Security Manager” for more details.
Please refer to the Java documentation for information on configuring permissions in the JVM:
A single entry in the Java Security Manager policy that is shipped with the certified system follows the standard Java Standard Edition model. More information is provided in the Java documentaion:
An example would be the following:
grant codeBase "file:${jboss.server.home.dir}/deploy/jmx-console.war/-" {
This is defined by the certified system by default to provide all permissions to the jmx console web application shipping in the deploy directory.
So if the administrator needs to provide permissions to an enterprise application called as TestDeployment.ear in the deploy directory of the certified system, then an example entry would be the following:
grant codeBase "file:${jboss.server.home.dir}/deploy/jmx-console.war/-" {
 permission java.util.PropertyPermission "*", "read";
 permission "createLoginContext.a_login";
 permission "getLoginConfiguration";
This entry provides the enterprise application called as TestDeployment.ear to read Java properties as well as the ability to create JAAS login context and obtain JAAS login configuration.
The certified system in the security manager enabled mode is a locked down system that forces the system administrator to configure the necessary security permissions for the operation of the user applications on the certified system.
Any interaction with the JBoss JMX Kernel (which is the standard Java MbeanServer) will require the appropriate as specified in the Java MbeanServer interface:
We strongly recommend administrators to NOT assign a to any of the user applications.