A permission entry like:
  permission java.io.FilePermission "\H:\JBoss-2.2.1\tmp\deploy\Default\DbTester.jar\-", "read";
will not work because the policy file parser needs to see a \\ for each \ in a path 
string.
It is better to use the ${jboss.home} and ${/} properties in the path specification as
Vlada indicated to create platform/installation independent policy files.

The jboss.home property is automatically generated if it is not specified so that
you can write policy files without knowing what the deployment environment
looks like.

To determine all of the permissions that are required by a given configuration,
it's trivial to write a subclass of SecurityManager that simply logs what
permissions are being requested. Here is one I use:

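import java.io.OutputStreamWriter;
import java.io.PrintWriter;
import java.security.Permission;

/** A SecurityManager that logs every requested permission and denies nothing. */
public class TracingSecurityManager extends SecurityManager
{
    private static boolean showStackTrace;
    // Autoflush so each trace line is written as soon as it is logged
    private static PrintWriter traceLog = new PrintWriter(new OutputStreamWriter(System.out), true);

    public static boolean getShowStackTrace()
    {
        return showStackTrace;
    }
    public static void setShowStackTrace(boolean showStackTrace)
    {
        TracingSecurityManager.showStackTrace = showStackTrace;
    }
    public static PrintWriter getTraceLog()
    {
        return traceLog;
    }
    public static void setTraceLog(PrintWriter traceLog)
    {
        TracingSecurityManager.traceLog = traceLog;
    }

    /** Logs the requested permission; never throws, so every check passes. */
    public void checkPermission(Permission perm)
    {
        traceLog.println("Need: "+perm);
        if( showStackTrace )
        {
            // Show which code path triggered the permission check
            SecurityException trace = new SecurityException();
            trace.printStackTrace(traceLog);
        }
    }

}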


----- Original Message ----- 
From: "Vladimir Blagojevic" <[EMAIL PROTECTED]>
To: "Guy Rouillier" <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Monday, April 30, 2001 12:11 PM
Subject: Re: [JBoss-user] java.io.FilePermission on jboss tmp dir?


> Hey,
> 
> Ok so when you say
> 
> grant <codebase>{
> 
> ...permissions...
> }
> 
> what you are saying is that this block of permissions is given to classes
> that come from location <codebase>. Cool..
> 
> Since JVM running JBoss needs to read your application deployed in (/tmp/)
> it makes read write requests on your file system in /tmp.
> 
> There is no physical client involved here. Only jboss and application
> classes.
> 
> Ok , now try using this:
> 
> grant {
> 
> permission java.io.FilePermission "${jboss.home}${/}temp${/}-",
> "read,write";
> };
> 
> meaning all code being loaded from anywhere (including jBoss classes)can
> read write in /tmp and its subdirectories. You don't want to be specific
> about exact file here. I forgot if jboss.home was declared anywhere but
> you can pass it as an argument to jvm I guess.
> 
> HTH,
> Vlada
> 
> 
> 
> 
> 
> 
> So now try using
> 
> On Mon, 30 Apr 2001, Guy Rouillier wrote:
> 
> > The following is a repost of a message I sent out about a week ago that
> > received no responses.  We are getting close to release, so this issue is
> > important to us.  Is everyone just taking the easy way out and using grant {
> >  permission java.security.AllPermission;};?  Has no one actually figured out
> > the permissions that are required?
> >
> >
> > I'm developing on Windows 2000 with JBoss 2.2.1.
> >
> > As we are getting closer to shipping, I turned on security (more accurately,
> > I turned off my easy way out of simply granting all permissions to the
> > world.)  Using just a command-line client (i.e., no Tomcat), I first
> > received a java.net.SocketPermission which I resolved with the following:
> >
> >    permission java.net.SocketPermission "192.168.1.100:*", "connect,resolve";
> >
> > Is there a better way of allocating this permission rather than opening up
> > all ports?  I started with just 1099, but then immediately hit the
> > restriction on the port created for communication.
> >
> > But my current sticking point is the next error I hit:
> >
> > Exception caught: java.security.AccessControlException: access denied
> > (java.io.FilePermission \H:\JBoss-2.2.1\tmp\deploy\Default\DbTester.jar\-
> > read)
> >
> > I tried to resolve this with the following:
> >
> >    permission java.io.FilePermission "\H:\JBoss-2.2.1\tmp\deploy\Default\DbTester.jar\-", "read";
> >
> > but got the same error again.  Two questions:
> >
> > (1) Why doesn't the above permission address the error?
> > (2) I don't understand the required permission.  Why is it asking for read
> > permission on a JBoss temp directory for the client?  Notice that it has a
> > drive letter. This will be completely irrelevant when the client is run from
> > another computer (which I tried - it does indeed still ask for \H:\.)  I
> > haven't implemented any method security in the bean or any logon
> > requirements.
> >
> > Everything works if I have the blanket all permissions.
> >



_______________________________________________
JBoss-user mailing list
[EMAIL PROTECTED]
http://lists.sourceforge.net/lists/listinfo/jboss-user
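
The escaping and property advice at the top of this message, as an added example that is not code from the thread or from JBoss: a hypothetical PolicyEntryFormatter that turns a requested Permission (such as one seen by a tracing SecurityManager) into a policy-file entry, doubling each backslash or rewriting a path below the install root with ${jboss.home} and ${/}. The class and method names and the /opt/jboss install root are assumptions.

```java
import java.io.FilePermission;
import java.net.SocketPermission;
import java.security.Permission;

// Added example; PolicyEntryFormatter and its method names are hypothetical.
public class PolicyEntryFormatter
{
    // The policy file parser treats \ as an escape, so every \ is doubled.
    static String escape(String s)
    {
        return s.replace("\\", "\\\\");
    }

    // Rewrites a path below jbossHome with ${jboss.home} and ${/};
    // any other path only has its backslashes doubled.
    static String portablePath(String path, String jbossHome, char sep)
    {
        if( jbossHome == null || !path.startsWith(jbossHome + sep) )
            return escape(path);
        String rest = path.substring(jbossHome.length());
        return "${jboss.home}" + escape(rest.replace(String.valueOf(sep), "${/}"));
    }

    static String toPolicyEntry(Permission perm, String jbossHome, char sep)
    {
        String name = perm instanceof FilePermission
            ? portablePath(perm.getName(), jbossHome, sep)
            : escape(perm.getName());
        String actions = perm.getActions();
        String entry = "permission " + perm.getClass().getName() + " \"" + name + "\"";
        if( actions != null && actions.length() > 0 )
            entry += ", \"" + actions + "\"";
        return entry + ";";
    }

    public static void main(String[] args)
    {
        // Constructed requests: the path and address quoted in the thread,
        // plus a Unix path under an assumed install root of /opt/jboss.
        Permission win = new FilePermission(
            "\\H:\\JBoss-2.2.1\\tmp\\deploy\\Default\\DbTester.jar\\-", "read");
        Permission unix = new FilePermission("/opt/jboss/tmp/deploy/-", "read,write");
        Permission sock = new SocketPermission("192.168.1.100:*", "connect,resolve");
        System.out.println("grant {");
        System.out.println("    " + toPolicyEntry(win, null, '\\'));
        System.out.println("    " + toPolicyEntry(unix, "/opt/jboss", '/'));
        System.out.println("    " + toPolicyEntry(sock, null, '/'));
        System.out.println("};");
    }
}
```

Passing the trace output through a formatter like this and keeping only the entries a deployment actually needs gives a reviewable policy file in place of a blanket AllPermission grant.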
