Show Table of Contents
2.4. Run JBoss EAP 6 Within the Java Security Manager
From JBoss EAP 6.4 and onwards, running JBoss EAP 6 within the Java Security Manager (JSM) is done using the
secmgr option.
Important
Direct usage of the
-Djava.security.manager Java system property is no longer possible. This previous method used in older versions of JBoss EAP 6 to enable the Java Security Manager is now only supported as a fallback mechanism in the JBoss EAP startup scripts.
Note
From JBoss EAP 6.4 and onwards, custom security managers cannot be used.
The following procedure guides you through the steps of configuring your JBoss EAP 6 instance to run within the Java Security Manager using a specified security policy.
Prerequisites
- Before you follow this procedure, you need to write a security policy using the
policytoolapplication which is included in the Java Development Kit (JDK). Alternatively, you can write a security policy using a text editor.Security policies will be needed for any user deployments that require permissions. This procedure assumes that your policy is located atEAP_HOME/bin/server.policy. - The domain or standalone server must be completely stopped before you edit any configuration files.
If you are using JBoss EAP 6 in a Managed Domain, you must perform the following procedure on each physical host or instance in your domain.
Procedure 2.2. Configure the Java Security Manager for JBoss EAP 6
Open the Configuration File
Open the configuration file for editing. The configuration file you need to edit depends on whether you use a Managed Domain or standalone server, as well as your operating system.Managed Domain
- For Linux:
EAP_HOME/bin/domain.conf - For Windows:
EAP_HOME\bin\domain.conf.bat
Standalone Server
- For Linux:
EAP_HOME/bin/standalone.conf - For Windows:
EAP_HOME\bin\standalone.conf.bat
Enable the Java Security Manager
Use one of the methods below to enable the Java Security Manager:- Use the
-secmgroption with your JBoss EAP 6 server startup script. - Uncomment the
SECMGR="true"line in the configuration file:On Linux:
# Uncomment this to run with a security manager enabled SECMGR="true"
On Windows:
rem # Uncomment this to run with a security manager enabled set "SECMGR=true"
Specify the Java Security Policy
You can use-Djava.security.policyto specify the exact location of your security policy. It should go onto one line only, with no line break. Using==when setting-Djava.security.policyspecifies that the security manager will use only the specified policy file. Using=specifies that the security manager will use the specified policy combined with the policy set in thepolicy.urlsection ofJAVA_HOME/lib/security/java.security.In your relevant JBoss EAP 6 configuration file, add your security policy Java options. If you are using a Managed Domain, ensure that this is inserted before wherePROCESS_CONTROLLER_JAVA_OPTSandHOST_CONTROLLER_JAVA_OPTSare set.On Linux:
JAVA_OPTS="$JAVA_OPTS -Djava.security.policy==$JBOSS_HOME/bin/server.policy -Djboss.home.dir=$JBOSS_HOME"
On Windows:
set "JAVA_OPTS=%JAVA_OPTS% -Djava.security.policy==%JBOSS_HOME%\bin\server.policy -Djboss.home.dir=%JBOSS_HOME%"
Start the Domain or Server
Start the domain or server as normal.
Where did the comment section go?
Red Hat's documentation publication system recently went through an upgrade to enable speedier, more mobile-friendly content. We decided to re-evaluate our commenting platform to ensure that it meets your expectations and serves as an optimal feedback mechanism. During this redesign, we invite your input on providing feedback on Red Hat documentation via the discussion platform.