-
Language:
English
-
Language:
English
Red Hat Training
A Red Hat training course is available for JBoss Enterprise Application Platform Common Criteria Certification
6.5. Java Security Policy Statements
A policy file specifies permissions to modules and deployed applications. Permissions are applied to deployed applications via the
VFS protocol. See the following Oracle Java SE documentation page Default Policy Implementation and Policy File Syntax for further information at http://docs.oracle.com/javase/7/docs/technotes/guides/security/PolicyFiles.html
The following is an example of policy statements.
// Grant all to the jboss-modules.jar
grant codeBase "file:${jboss.home.dir}/jboss-modules.jar" {
permission java.security.AllPermission;
};
// Standard extensions get all permissions by default
grant codeBase "file:${{java.ext.dirs}}/*" {
permission java.security.AllPermission;
};
// Grant read PropertyPermission for all properties to a deployed EJB application
grant codeBase "vfs:/content/ejb-app.jar" {
permission java.util.PropertyPermission "*", "read";
};
// Grant read FilePermission for all files to a web application
grant codeBase "vfs:/content/myapp.war/-" {
permission java.io.FilePermission "/-", "read";
};
Note
On Microsoft Windows Server, when specifying a
FilePermission statement including a file path in a string, not a codeBase URL, you must replace single backslash characters with two backslash characters. This is because when file paths are parsed, a single backslash is interpreted as an escape character.
Note
Two VFS issues currently exist in JBoss EAP that require a workaround:
- If you define a grant for a deployment on Microsoft Windows, instead of:
grant codeBase "vfs:/content/..." {you must use:grant codeBase "vfs:/${user.dir}/content/..." { - If your application contains JSPs, then the permissions granted to the deployment using a VFS URL is not sufficient, and you will have to duplicate it with file-based URL. For example, if you have permission:
grant codeBase "vfs:/content/application.war/-" { permission java.util.PropertyPermission "*", "read"; };then you also need to add the following:grant codeBase "file:${jboss.home.dir}/standalone/tmp/work/jboss.web/default-host/application/-" { permission java.util.PropertyPermission "*", "read"; };
Module permissions are defined in
module.xml (version 1.2 or higher). The following example demonstrates specifying module permissions.
<module xmlns="urn:jboss:module:1.2" name="org.jboss.custom.module"> <permissions> <grant permission="java.io.FilePermission" name="/-" actions="read"/> <grant permission="java.lang.RuntimePermission" name="org.jboss.*"/> </permissions> <resources> <resource-root path="custom-module.jar" /> </resources> </module>
If there is no
<permissions/> element, then AllPermission permission is granted to the module. If there is an empty <permissions/> element, then no permission is granted.
