25.6. Authorization Using a SecurityManager
In Red Hat JBoss Data Grid's Remote Client-Server mode, authorization is able to work without a SecurityManager for basic cache operations. In Library mode, a SecurityManager may also be used to perform some of the more complex tasks, such as distexec and query among others.
In order to enforce access restrictions, enable the SecurityManager in your JVM using one of the following methods:
Command Line
java -Djava.security.manager ...
Programmatically
System.setSecurityManager(new SecurityManager());
Using the JDK's default implementation is not required; however, an appropriate policy file must be supplied. The policy file defines a set of permissions, which the SecurityManager examines when an application performs an action. If the action is allowed by the policy file, then the SecurityManager will permit the action to take place; however, if the action is not allowed by the policy then the SecurityManager denies that action.
An example policy file, demonstrating the required syntax, is below:
// If the code is signed by "admin", grant it read/write access to the files
// directly under "/" ("/*" is not recursive; "/-" would cover subdirectories too)
grant signedBy "admin" {
    permission java.io.FilePermission "/*", "read,write";
};

// Grant everyone read permissions on specific system properties:
grant {
    permission java.util.PropertyPermission "java.home", "read";
    permission java.util.PropertyPermission "java.class.path", "read";
    permission java.util.PropertyPermission "java.vendor", "read";
};

// Grant a specific codebase, example.jar, read and write access to "/tmp/*"
grant codeBase "file:///path/to/example.jar" {
    permission java.io.FilePermission "/tmp/*", "read,write";
};
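The permit/deny decision described above can be reproduced without installing a SecurityManager by asking the granted permission set whether it implies each request. The following is an added example, not code from the original page or from JBoss Data Grid: the class name PolicyDecisionDemo and the sample requests are constructed, and it assumes unsigned code loaded from example.jar on a system with Unix-style paths.

```java
import java.io.FilePermission;
import java.security.Permission;
import java.security.Permissions;
import java.util.PropertyPermission;

// Added example (hypothetical class name): evaluates requests against the
// permissions the sample policy grants to unsigned code from example.jar.
public class PolicyDecisionDemo {

    // Union of the unconditional grant block and the codeBase grant block.
    // The signedBy "admin" block is left out because the code is unsigned.
    static Permissions exampleJarPermissions() {
        Permissions granted = new Permissions();
        granted.add(new PropertyPermission("java.home", "read"));
        granted.add(new PropertyPermission("java.class.path", "read"));
        granted.add(new PropertyPermission("java.vendor", "read"));
        granted.add(new FilePermission("/tmp/*", "read,write"));
        return granted;
    }

    // The same question the SecurityManager asks of the policy:
    // does the granted set imply the requested permission?
    static String decide(Permissions granted, Permission requested) {
        return granted.implies(requested) ? "PERMIT" : "DENY";
    }

    public static void main(String[] args) {
        Permissions granted = exampleJarPermissions();
        // Constructed sample requests, not taken from the original page.
        Permission[] requests = {
            new PropertyPermission("java.home", "read"),
            new PropertyPermission("java.home", "write"),
            new PropertyPermission("user.home", "read"),
            new FilePermission("/tmp/report.txt", "read"),
            new FilePermission("/tmp/report.txt", "delete"),
            new FilePermission("/tmp/sub/report.txt", "read"),
            new FilePermission("/etc/hosts", "read"),
        };
        for (Permission p : requests) {
            System.out.printf("%-6s %s \"%s\", \"%s\"%n", decide(granted, p),
                    p.getClass().getSimpleName(), p.getName(), p.getActions());
        }
    }
}
```

Only the read of java.home and the read of /tmp/report.txt are permitted. The request for /tmp/sub/report.txt is denied because "*" covers only files directly inside the directory; a recursive grant is written with "-".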