subject:"\[JBoss\-user\] \[Security \& JAAS\/JBoss\] \- Re\: Running JBoss with the default sandbox"

[JBoss-user] [Security & JAAS/JBoss] - Re: Running JBoss with the default sandbox

2004-06-11 Thread [EMAIL PROTECTED]

The only issue with relying on ${user.home}/.java.policy is that this may not be 
configured to load in a given JDK/JRE installation so there is no guaretee it will be 
used.

The other problem with your policy file is that you are using the jboss.home.dir and 
jboss.server.home.dir system property references but you don't say if you are setting 
this in the jboss server start script. Policy files are read before jboss sets these 
properties so in order to use them they must be set on the server vm command line.


View the original post : 
http://www.jboss.org/index.html?module=bb&op=viewtopic&p=3838529#3838529

Reply to the post : 
http://www.jboss.org/index.html?module=bb&op=posting&mode=reply&p=3838529


---
This SF.Net email is sponsored by the new InstallShield X.
>From Windows to Linux, servers to mobile, InstallShield X is the
one installation-authoring solution that does it all. Learn more and
evaluate today! http://www.installshield.com/Dev2Dev/0504
___
JBoss-user mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/jboss-user

[JBoss-user] [Security & JAAS/JBoss] - Re: Running JBoss with the default sandbox

2004-06-09 Thread Marat

There is a third party solution available that allows you to run your J2EE client in 
the default "sandbox" secuirty model. In other words you don't need to change client's 
java policy at all.

Have a look at http://www.jproxy.com

Cheers,
Marat

View the original post : 
http://www.jboss.org/index.html?module=bb&op=viewtopic&p=3838172#3838172

Reply to the post : 
http://www.jboss.org/index.html?module=bb&op=posting&mode=reply&p=3838172


---
This SF.Net email is sponsored by: GNOME Foundation
Hackers Unite!  GUADEC: The world's #1 Open Source Desktop Event.
GNOME Users and Developers European Conference, 28-30th June in Norway
http://2004/guadec.org
___
JBoss-user mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/jboss-user

[JBoss-user] [Security & JAAS/JBoss] - Re: Running JBoss with the default sandbox

2004-06-07 Thread mtedone1

Scott, I took example from your policy file, with few differences. I'm trying to rely 
on the default security mechanism that the security model follows in order to find the 
security policy of an application, that is the intersection between the 
${java.home}/jre/lib/security.policy and ${user.home}/.java.policy files. Since I 
don't want to change the policy file under ${java.home}, I'm trying to configure the 
user's policy file in order to run JBoss. For this reason, I don't specify the 
property 
-Djava.security.policy==server.policy as suggested (is this a mistake? If so, why?). 
The only thing I do, I install the security manager in the run.bat file. 

This is the current user's policy file:

  | /* AUTOMATICALLY GENERATED ON Mon Jun 07 22:14:27 BST 2004*/
  | /* DO NOT EDIT */
  | 
  | keystore ".keystore";
  | 
  | grant codeBase "file:${java.home}/lib/ext/-" {
  |   permission java.security.AllPermission;
  | };
  | 
  | grant codeBase "file:${java.home}/lib/*" {
  |   permission java.security.AllPermission;
  | };
  | 
  | grant codeBase "file:${jboss.home.dir}/-" {
  |   permission java.io.FilePermission "D:\\OPENSOURCES\\jboss-snapshot\\-", "read, 
write, delete, execute";
  |   permission java.lang.RuntimePermission "*";
  |   permission javax.security.auth.AuthPermission "createLoginContext.HsqlDbRealm";
  |   permission java.util.PropertyPermission "axis.EngineConfigFactory", "read, 
write";
  |   permission java.util.PropertyPermission "catalina.*", "read, write";
  |   permission java.io.FilePermission "D:\\J2SE\\jre\\lib\\castor.properties", 
"read";
  |   permission java.net.SocketPermission "localhost:1024-", "accept, resolve";
  | };
  | 
  | grant codeBase "file:${jboss.home.dir}/bin/-" {
  |   permission java.security.AllPermission;
  | };
  | 
  | grant codeBase "file:${jboss.home.dir}/lib/-" {
  |   permission java.security.AllPermission;
  | };
  | 
  | grant codeBase "file:${jboss.server.home.dir}/lib/-" {
  |   permission java.security.AllPermission;
  | };
  | 
  | grant codeBase "file:${jboss.server.home.dir}/deploy/-" {
  |   permission java.security.AllPermission;
  | };
  | 
  | grant {
  |   permission java.util.PropertyPermission "*", "read";
  |   permission java.net.SocketPermission "*", "connect";
  |   permission javax.management.MBeanServerPermission "findMBeanServer";
  | };
  | 

The server executes the most (and at the end it starts). However, I get the following 
exception:


  | java.lang.SecurityException: Invalid authentication attempt, principal=null
  | at 
org.jboss.resource.connectionmanager.BaseConnectionManager2.getSubject(BaseConnectionManager2.java:647)
  | at 
org.jboss.resource.connectionmanager.BaseConnectionManager2.allocateConnection(BaseConnectionManager2.java:476)
  | at 
org.jboss.resource.connectionmanager.BaseConnectionManager2$ConnectionManagerProxy.allocateConnection(BaseConnectionManager2.java:814)
  | at 
org.jboss.resource.adapter.jdbc.WrapperDataSource.getConnection(WrapperDataSource.java:102)
  | at 
org.jboss.mq.pm.jdbc2.PersistenceManager.getConnection(PersistenceManager.java:1266)
  | at 
org.jboss.mq.pm.jdbc2.PersistenceManager.resolveAllUncommitedTXs(PersistenceManager.java:216)
  | at 
org.jboss.mq.pm.jdbc2.PersistenceManager.startService(PersistenceManager.java:1356)
  | at org.jboss.system.ServiceMBeanSupport.start(ServiceMBeanSupport.java:192)
  | at sun.reflect.GeneratedMethodAccessor5.invoke(Unknown Source)
  | at 
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
  | at java.lang.reflect.Method.invoke(Method.java:324)
  | at 
org.jboss.mx.capability.ReflectedMBeanDispatcher.invoke(ReflectedMBeanDispatcher.java:284)
  | at org.jboss.mx.server.MBeanServerImpl.invoke(MBeanServerImpl.java:546)
  | at 
org.jboss.system.ServiceController$ServiceProxy.invoke(ServiceController.java:976)
  | at $Proxy14.start(Unknown Source)
  | at org.jboss.system.ServiceController.start(ServiceController.java:394)
  | at org.jboss.system.ServiceController.start(ServiceController.java:411)
  | ..
  | ..
  | 
  | 
  | How could I bypass this problem? It seems that somehow I should grant a permission 
for principal = null.
  | 
  | 

View the original post : 
http://www.jboss.org/index.html?module=bb&op=viewtopic&p=3837862#3837862

Reply to the post : 
http://www.jboss.org/index.html?module=bb&op=posting&mode=reply&p=3837862


---
This SF.Net email is sponsored by: GNOME Foundation
Hackers Unite!  GUADEC: The world's #1 Open Source Desktop Event.
GNOME Users and Developers European Conference, 28-30th June in Norway
http://2004/guadec.org
___
JBoss-user mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/jboss-user

[JBoss-user] [Security & JAAS/JBoss] - Re: Running JBoss with the default sandbox

2004-06-07 Thread [EMAIL PROTECTED]

I did some work in 3.2.4 to better isolate code that should be running as trusted 
jboss code (provided you mark it as trusted) from untrusted application component 
code. There were a number of places where trusted operations were running at the 
privilege level of the caller rather than that of the jboss codebase. A sample policy 
file I was using with testing when all user code was deployed in a secondary 
user-deploy directory was:


  | [EMAIL PROTECTED] buildmagic]$ cat /tmp/server.policy
  | // The Java2 security policy for the securitymgr tests
  | // Install with -Djava.security.policy==server.policy
  | // and -Djboss.home.dir=path_to_jboss_distribution and
  | // -Djboss.server.home.dir=path_to_jboss_server_config
  | 
  | // Trusted core Java code
  | grant codeBase "file:${java.home}/lib/ext/-" {
  |permission java.security.AllPermission;
  | };
  | grant codeBase "file:/C:/usr/java/j2sdk1.4.2_04/lib/*" {
  |permission java.security.AllPermission;
  | };
  | 
  | // Trusted core Jboss code
  | grant codeBase "file:${jboss.home.dir}/bin/-" {
  |permission java.security.AllPermission;
  | };
  | grant codeBase "file:${jboss.home.dir}/lib/-" {
  |permission java.security.AllPermission;
  | };
  | grant codeBase "file:${jboss.server.home.dir}/lib/-" {
  |permission java.security.AllPermission;
  | };
  | grant codeBase "file:${jboss.server.home.dir}/deploy/-" {
  |permission java.security.AllPermission;
  | };
  | 
  | // Minimal permissions are allowed to everyone else
  | grant {
  |permission java.util.PropertyPermission "*", "read";
  |permission java.lang.RuntimePermission "queuePrintJob";
  |permission java.net.SocketPermission "*", "connect";
  |permission javax.management.MBeanServerPermission "findMBeanServer";
  | };
  | 

You could work on further fine tunning the AllPermission granted to jboss code to the 
minimum needed for various usage scenarios.


View the original post : 
http://www.jboss.org/index.html?module=bb&op=viewtopic&p=3837785#3837785

Reply to the post : 
http://www.jboss.org/index.html?module=bb&op=posting&mode=reply&p=3837785


---
This SF.Net email is sponsored by: GNOME Foundation
Hackers Unite!  GUADEC: The world's #1 Open Source Desktop Event.
GNOME Users and Developers European Conference, 28-30th June in Norway
http://2004/guadec.org
___
JBoss-user mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/jboss-user

[JBoss-user] [Security & JAAS/JBoss] - Re: Running JBoss with the default sandbox

[JBoss-user] [Security & JAAS/JBoss] - Re: Running JBoss with the default sandbox

[JBoss-user] [Security & JAAS/JBoss] - Re: Running JBoss with the default sandbox

[JBoss-user] [Security & JAAS/JBoss] - Re: Running JBoss with the default sandbox

4 matches

Site Navigation

Mail list logo

Footer information