Red Hat Training

A Red Hat training course is available for Red Hat JBoss Enterprise Application Platform

2.4. Run JBoss EAP 6 Within the Java Security Manager

From JBoss EAP 6.4 and onwards, running JBoss EAP 6 within the Java Security Manager (JSM) is done using the secmgr option.

Important

Direct usage of the -Djava.security.manager Java system property is no longer possible. This previous method used in older versions of JBoss EAP 6 to enable the Java Security Manager is now only supported as a fallback mechanism in the JBoss EAP startup scripts.

Note

From JBoss EAP 6.4 and onwards, custom security managers cannot be used.
The following procedure guides you through the steps of configuring your JBoss EAP 6 instance to run within the Java Security Manager using a specified security policy.

Prerequisites

  • Before you follow this procedure, you need to write a security policy using the policytool application which is included in the Java Development Kit (JDK). Alternatively, you can write a security policy using a text editor.
    Security policies will be needed for any user deployments that require permissions. This procedure assumes that your policy is located at EAP_HOME/bin/server.policy.
  • The domain or standalone server must be completely stopped before you edit any configuration files.
If you are using JBoss EAP 6 in a Managed Domain, you must perform the following procedure on each physical host or instance in your domain.

Procedure 2.2. Configure the Java Security Manager for JBoss EAP 6

  1. Open the Configuration File

    Open the configuration file for editing. The configuration file you need to edit depends on whether you use a Managed Domain or standalone server, as well as your operating system.

    • Managed Domain

      • For Linux: EAP_HOME/bin/domain.conf
      • For Windows: EAP_HOME\bin\domain.conf.bat

    • Standalone Server

      • For Linux: EAP_HOME/bin/standalone.conf
      • For Windows: EAP_HOME\bin\standalone.conf.bat

  2. Enable the Java Security Manager

    Use one of the methods below to enable the Java Security Manager:
    • Use the -secmgr option with your JBoss EAP 6 server startup script.
    • Uncomment the SECMGR="true" line in the configuration file:

      • On Linux:

        # Uncomment this to run with a security manager enabled
SECMGR="true"

      • On Windows:

        rem # Uncomment this to run with a security manager enabled
set "SECMGR=true"

  3. Specify the Java Security Policy

    You can use -Djava.security.policy to specify the exact location of your security policy. It should go onto one line only, with no line break. Using == when setting -Djava.security.policy specifies that the security manager will use only the specified policy file. Using = specifies that the security manager will use the specified policy combined with the policy set in the policy.url section of JAVA_HOME/lib/security/java.security.
    In your relevant JBoss EAP 6 configuration file, add your security policy Java options. If you are using a Managed Domain, ensure that this is inserted before where PROCESS_CONTROLLER_JAVA_OPTS and HOST_CONTROLLER_JAVA_OPTS are set.

    • On Linux:

      JAVA_OPTS="$JAVA_OPTS -Djava.security.policy==$JBOSS_HOME/bin/server.policy -Djboss.home.dir=$JBOSS_HOME"

    • On Windows:

      set "JAVA_OPTS=%JAVA_OPTS% -Djava.security.policy==%JBOSS_HOME%\bin\server.policy -Djboss.home.dir=%JBOSS_HOME%"

  4. Start the Domain or Server

    Start the domain or server as normal.
Report a bug