Re: Security Policy

Mon, 13 Feb 2006 09:30:02 -0800

I have no experience actually working with these grants etc but I think we should look into making a default policy that knows about and relates to the repository structure we use. Would it make sense to add permissions to configurations? 

thanks
david jencks

On Feb 13, 2006, at 2:38 AM, John Sisson wrote:
If one requires fine grained security for applications / configurations that are deployed. E.G. what files they can access, what ports they can listen on etc.
Some large enterprise sites may run under a security manager due to high security requirements, but running under a security manager incurs an overhead.
FYI.. In section "1.4 Requirements" of the JACC spec it states in point 9 that the container must execute in an environment controlled by a J2SE security manager.
The issue that Cristian raised needs to be discussed. A concern I have is that if we used names instead of numbers then we will most likely run into the Windows file path length (on JDK 1.4.2) issue discussed in the mail thread http://www.mail-archive.com/ dev@geronimo.apache.org/msg15501.html 

Regards,

John

Vamsavardhana Reddy wrote:

When does one require to run the server under a Security Manager?

Thanks,
Vamsi
On 2/11/06, *Matt Hogstrom* <[EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]>> wrote: 

    Cristian,
No apologies. This is good feedback as I think we can use as much 
    administrative feedback as possible.

    Cristian Roldan wrote:
    > Hi All,
    >           I  enabled the Security Manager with these parameters
    "-Djava.security.manager -Djava.security.policy=geronimo.policy",
    > everything works ok, but the only problem that  I saw was with
    the Application identification (number) , if you deploy
    > an application, Generimo creates a directory
    config-store/[NUMBER], you must use this number in the policy
    file, after a while
    > you undeploy and deploy a new version of that application in
this case you obtain a new number, so you must change the policy file. 
    > I think that using a [number] as a deployment directory is not
    the best solution from the administration perspective.
    > I'm sorry I just give an opinion from the administration point
of view maybe there is a design/performace reason that I can't see. 
    >
    >
    >   //
--------------------------------------------------------------------- ----------------- 
    > // Permissions for Geronimo V.1.0
    > //
--------------------------------------------------------------------- ----------------- 
    >   // Geronimo gets all permissions
    > grant codeBase "file:${org.apache.geronimo.base.dir}/lib/-" {
    >   permission java.security.AllPermission;
    > };
    >   grant codeBase
    "file:${org.apache.geronimo.base.dir}/repository/-" {
    >   permission java.security.AllPermission;
    > };
> //------------------------------------------------------------ ---------- 

    > // From here I set the minimun permissions for my Applications
    > // You must change "23" for you Application number, this number
    is created
    > // during deployment phase.
    >
//--------------------------------------------------------------- ------- 

    >   grant codeBase
    "file:${org.apache.geronimo.base.dir}/config-store/23/-" {
> permission java.lang.RuntimePermission "accessClassInPackage.*"; 
    > };
    >   //
--------------------------------------------------------------------- 
    >   grant codeBase
    "file:${org.apache.geronimo.base.dir}/config-store/1/-" {
    >   permission java.security.AllPermission;
    > };
    > grant codeBase
    "file:${org.apache.geronimo.base.dir}/config-store/2/-" {
    >   permission java.security.AllPermission;
    > };
    > grant codeBase
    "file:${org.apache.geronimo.base.dir}/config-store/3/-" {
    >   permission java.security.AllPermission;
    > };
    > grant codeBase "file:${
    org.apache.geronimo.base.dir}/config-store/4/-" {
    >   permission java.security.AllPermission;
    > };
    > grant codeBase
    "file:${org.apache.geronimo.base.dir}/config-store/5/-" {
    >   permission java.security.AllPermission;
    > };
    > grant codeBase
    "file:${org.apache.geronimo.base.dir}/config-store/6/-" {
    >   permission java.security.AllPermission;
    > };
    > grant codeBase "file:${
    org.apache.geronimo.base.dir}/config-store/7/-" {
    >   permission java.security.AllPermission;
    > };
    > grant codeBase
    "file:${org.apache.geronimo.base.dir}/config-store/8/-" {
    >   permission java.security.AllPermission;
    > };
    > grant codeBase
    "file:${org.apache.geronimo.base.dir}/config-store/9/-" {
    >   permission java.security.AllPermission;
    > };
    > grant codeBase "file:${
    org.apache.geronimo.base.dir}/config-store/10/-" {
    >   permission java.security.AllPermission;
    > };
    > grant codeBase
    "file:${org.apache.geronimo.base.dir}/config-store/11/-" {
    >   permission java.security.AllPermission;
    > };
    > grant codeBase
    "file:${org.apache.geronimo.base.dir}/config-store/12/-" {
    >   permission java.security.AllPermission;
    > };
    > grant codeBase "file:${
    org.apache.geronimo.base.dir}/config-store/13/-" {
    >   permission java.security.AllPermission;
    > };
    > grant codeBase
    "file:${org.apache.geronimo.base.dir}/config-store/14/-" {
    >   permission java.security.AllPermission;
    > };
    > grant codeBase
    "file:${org.apache.geronimo.base.dir}/config-store/15/-" {
    >   permission java.security.AllPermission;
    > };
    > grant codeBase "file:${
    org.apache.geronimo.base.dir}/config-store/16/-" {
    >   permission java.security.AllPermission;
    > };
    > grant codeBase
    "file:${org.apache.geronimo.base.dir}/config-store/17/-" {
    >   permission java.security.AllPermission;
    > };
    > grant codeBase
    "file:${org.apache.geronimo.base.dir}/config-store/18/-" {
    >   permission java.security.AllPermission;
    > };
    > grant codeBase "file:${
    org.apache.geronimo.base.dir}/config-store/19/-" {
    >   permission java.security.AllPermission;
    > };
    > grant codeBase
    "file:${org.apache.geronimo.base.dir}/config-store/20/-" {
    >   permission java.security.AllPermission;
    > };
    > grant codeBase
    "file:${org.apache.geronimo.base.dir}/config-store/21/-" {
    >   permission java.security.AllPermission;
    > };
    > grant codeBase "file:${
    org.apache.geronimo.base.dir}/config-store/22/-" {
    >   permission java.security.AllPermission;
    > };
    > grant codeBase
    "file:${org.apache.geronimo.base.dir}/config-store/24/-" {
    >   permission java.security.AllPermission;
    > };
    > grant codeBase
    "file:${org.apache.geronimo.base.dir}/config-store/25/-" {
    >   permission java.security.AllPermission;
    > };
    > grant codeBase "file:${
    org.apache.geronimo.base.dir}/config-store/26/-" {
    >   permission java.security.AllPermission;
    > };
    > grant codeBase
    "file:${org.apache.geronimo.base.dir}/config-store/27/-" {
    >   permission java.security.AllPermission;
    > };
    > grant codeBase
    "file:${org.apache.geronimo.base.dir}/config-store/28/-" {
    >   permission java.security.AllPermission;
    > };
    > grant codeBase "file:${
    org.apache.geronimo.base.dir}/config-store/29/-" {
    >   permission java.security.AllPermission;
    > };
    > grant codeBase
    "file:${org.apache.geronimo.base.dir}/config-store/30/-" {
    >   permission java.security.AllPermission;
    > };
    > grant codeBase
    "file:${org.apache.geronimo.base.dir}/config-store/31/-" {
    >   permission java.security.AllPermission;
    > };
    > grant codeBase "file:${
    org.apache.geronimo.base.dir}/config-store/32/-" {
    >   permission java.security.AllPermission;
    > };
    > grant codeBase
    "file:${org.apache.geronimo.base.dir}/config-store/33/-" {
    >   permission java.security.AllPermission;
    > };
    > grant codeBase
    "file:${org.apache.geronimo.base.dir}/config-store/34/-" {
    >   permission java.security.AllPermission;
    > };
    > grant codeBase "file:${
    org.apache.geronimo.base.dir}/config-store/35/-" {
    >   permission java.security.AllPermission;
    > };
    >
    >
    >
    >
    > ---------------------------------
    >  1GB gratis, Antivirus y Antispam
    >  Correo Yahoo!, el mejor correo web del mundo
    >  Abrí tu cuenta aquí

Reply via email to