Hi Luca,
I've just been through the security gauntlet myself, and I can tell you it's an interesting but tough challenge to get an application to run with security enabled.
For starters, you can grant Jonas all permissions by explicitly putting the jonas jar file(s) into their own security domain, e.g.
grant codeBase "<jonas jar>" {
    permission java.security.AllPermission;
};
You will quickly find that simple stuff like your application reading
java properties will trigger a security exception. So you add stuff to
the general grant. My application seemed to need a bunch of things
just to get to the interesting parts:
// All classes in the classpath
grant {
    // c3p0 seems to require PropertyPermission of write (don't know why)
    permission java.util.PropertyPermission "*", "read, write";
    permission java.io.FilePermission "${user.home}${/}.maven/repository${/}-", "read";
    permission java.io.FilePermission "${jdo.tck.basedir}${/}target${/}-", "read, write";
    // bug in security? needed for Derby to create tck2/target/database/derby/../../logs
    permission java.io.FilePermission "${jdo.tck.basedir}${/}-", "read, write, delete";
    // needed for JNDI FSContext
    permission java.io.FilePermission "${/}", "read";
    permission java.lang.RuntimePermission "createClassLoader";
    permission java.io.FilePermission "${user.dir}${/}-", "read";
};
And there is the requirement to wrap all calls to privileged
operations in the doPrivileged block:
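// classArrayObjectObject is a field of the enclosing class (not shown in this message).
public static Method getPublicPutMethodForResultClass(final Class resultClass)
{
    // Run the reflective lookup with this class's own permissions,
    // regardless of the callers further up the stack.
    return (Method)AccessController.doPrivileged(new PrivilegedAction()
    {
        public Object run()
        {
            try {
                return resultClass.getMethod("put", classArrayObjectObject);
            } catch (NoSuchMethodException ex) {
                // No public put method on the result class
                return null;
            }
        }
    });
}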
And the java reference material that I've found useful:
http://java.sun.com/j2se/1.4.2/docs/guide/security/spec/security-spec.doc6.html
Good luck,
Craig
On Jul 29, 2008, at 8:56 AM, luca80 wrote:
I found that Jonas reads its own policy file which, by default, is like this:

grant {
    // Allow everything for now
    permission java.security.AllPermission;
};

So it allows every permission to all and this is a problem, because it overrides the JSPWiki permissions that I try to add in the same file.
I tried to comment the default Jonas permission, but, in this way, even Jonas can't run! >-(
Anyone can help me?
Thanks,
Luca

luca80 wrote:
Hi All,
I have a problem with JONAS that isn't reading the JSPWiki policy file.
I'm using JSPWiki 2.6.2, JONAS 4.8.6 with Tomcat 5.5.17.
I tried also JSPWiki 2.6.2 in Tomcat 5.5.26, without Jonas, and it works.
Is there any setting that I'm missing? Are there any known problems with Jonas?
All I did is this:
I simply moved some permissions from Authenticated group to a new Group called Test. I added some users to this group and when I log in as a user of this group I can see the differences in the permissions in Tomcat, but not in Jonas.
In Tomcat I modified these files:
userdatabase.xml
groupdatabase.xml
jspwiki.policy
jspwiki.properties
In Jonas I had to add the classes defined in jspwiki.jaas in the jaas.config of Jonas.
I see that there is also a java.policy in the conf dir of Jonas, is that the problem?
Thanks for any suggestion,
Luca.

--
View this message in context: http://www.nabble.com/JONAS---Policy-problem-tp18713683p18715483.html
Sent from the JspWiki - User mailing list archive at Nabble.com.
Craig L Russell
Architect, Sun Java Enterprise System
http://java.sun.com/products/jdo
408 276-5638
mailto:[EMAIL PROTECTED]
P.S. A good JDO? O, Gasp!
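
An added example, not part of the original messages and not JOnAS or JSPWiki code: a small Python audit of a Java policy file that reports grant entries giving AllPermission with no codeBase, signedBy or principal. Such an entry applies to every class, which is the situation described in the quoted message, while a codeBase-scoped grant as suggested in the reply is not reported. The function names and the jar URL in the sample are assumptions made for the illustration.

```python
import re

# Constructed sample: the default JOnAS grant quoted in the thread, a
# codeBase-scoped grant (placeholder jar URL), and a general grant.
SAMPLE_POLICY = '''
grant {
    // Allow everything for now
    permission java.security.AllPermission;
};
grant codeBase "file:/opt/example/lib/server.jar" {
    permission java.security.AllPermission;
};
grant {
    permission java.util.PropertyPermission "*", "read, write";
    permission java.io.FilePermission "${user.dir}${/}-", "read";
};
'''

QUOTED = r'"[^"]*"'
# Header and body are matched string-aware so "${/}" inside a target is not
# mistaken for the closing brace of the grant entry.
GRANT_RE = re.compile(r'\bgrant\b((?:%s|[^"{])*)\{((?:%s|[^"}])*)\}\s*;' % (QUOTED, QUOTED), re.I)
PERM_RE = re.compile(r'\bpermission\s+([\w.$]+)((?:%s|[^";])*);' % QUOTED, re.I)
SCOPE_RE = re.compile(r'\b(codeBase|signedBy|principal)\b[^",]*"([^"]*)"', re.I)

def strip_comments(text):
    """Drop // and /* */ comments while leaving quoted strings untouched."""
    keep_strings = lambda m: m.group(0) if m.group(0).startswith('"') else ' '
    return re.sub(QUOTED + r'|/\*.*?\*/|//[^\n]*', keep_strings, text, flags=re.S)

def parse_grants(text):
    """Return one dict per grant entry: scope keywords and permissions."""
    grants = []
    for header, body in GRANT_RE.findall(strip_comments(text)):
        scope = {k.lower(): v for k, v in SCOPE_RE.findall(header)}
        perms = [(cls, re.findall(r'"([^"]*)"', args))
                 for cls, args in PERM_RE.findall(body)]
        grants.append({"scope": scope, "permissions": perms})
    return grants

def unscoped_all_permission(text):
    """Indexes of entries that give AllPermission to every code source."""
    return [i for i, g in enumerate(parse_grants(text))
            if not g["scope"] and any(
                cls == "java.security.AllPermission" for cls, _ in g["permissions"])]

if __name__ == "__main__":
    for i in unscoped_all_permission(SAMPLE_POLICY):
        print("grant entry %d gives AllPermission to all code" % i)
```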
