Oracle® Identity Manager Installation and Configuration Guide for Oracle WebLogic Server
Release 9.1.0.1

Part Number E14047-04

A Java 2 Security Permissions for Oracle WebLogic Server

This appendix describes the Java 2 security permissions required to run Oracle Identity Manager on Oracle WebLogic Server. The information is organized in the following sections:

  • A.1 Java 2 Security Permissions for WebLogic Nonclustered Installation

  • A.2 Java 2 Security Permissions for WebLogic Cluster

A.1 Java 2 Security Permissions for WebLogic Nonclustered Installation

To enable Java 2 Security for Oracle Identity Manager running on Oracle WebLogic Server:

Caution:

The application might fail to start because of syntax errors in the policy files. Therefore, you must exercise caution when you edit the policy files.

Oracle recommends that you use the policy tool provided by the JDK for editing the policy files. The tool is available in the following directory:

JAVA_HOME/jre/bin/policytool

  1. Go to the $BEA_HOME/user_projects/domains/$OIM_DOMAIN/ directory and then open the run script (xlStartWLS.bat for Microsoft Windows and xlStartWLS.sh for UNIX) in a text editor.

  2. Search for JAVA_OPTIONS and then add the following:

    -Djava.security.manager
    -Djava.security.policy=$WL_HOME/server/lib/weblogic.policy
    -Dbea.home=$BEA_HOME
    -Dserver.name=$SERVER_NAME
    -Doim.domain=$BEA_HOME/user_projects/domains/$OIM_DOMAIN
    

    Note:

    Make the following changes in the lines that you copy:

      • Change $WL_HOME to the actual Oracle WebLogic Server home directory location.

      • Change $BEA_HOME to the actual BEA home directory location.

      • Change $SERVER_NAME to the actual server name of Oracle WebLogic Server.

      • Change $OIM_DOMAIN to the actual domain name where Oracle Identity Manager is deployed.

    The following table describes the options:

    Option                    Description
    -Djava.security.manager   Enables the Java 2 Security manager.
    -Djava.security.policy    Specifies the policy file to use for Java 2 Security. With a single equal sign (-Djava.security.policy=file), the file is read in addition to the default policy files of the JRE; with two equal signs (-Djava.security.policy==file), it is the only policy file that is used.
    -Dbea.home                Specifies the root of the WebLogic Server installation directory. Typically, it is /opt/bea or c:\bea.
    -Dserver.name             Specifies the name of the server on which Oracle Identity Manager is installed. Typically, it is myserver.
    -Doim.domain              Specifies the directory of the domain on which Oracle Identity Manager is installed.

  3. Check if the $WL_HOME/server/lib/weblogic.policy file (that is, $BEA_HOME/wlserver_10.3/server/lib/weblogic.policy, the file named by -Djava.security.policy in Step 2) exists. If the file exists, then edit it and add the Java 2 Security permissions specified in "Policy File". If it does not exist, then create it.

  4. After making the changes mentioned in Steps 1 through 3, you must restart all the servers.

Policy File

Append the following code at the end of the weblogic.policy file:

Note:

The instructions to change the code in the policy file are given in the comments within the code.

This weblogic.policy example is for a UNIX installation. For Microsoft Windows, change the slash (/) character between the directory names to two backslash characters (\\) in the target of every permission java.io.FilePermission entry. Do not change the codeBase values: they are URLs, not file paths, and always use forward slashes. Targets that already use ${/} expand to the platform file separator and do not need to be changed.

Ensure that you change the multicast IP address 231.167.157.106 in this example to the multicast IP address of the Oracle Identity Manager installation. You can find the Oracle Identity Manager multicast IP address in the xlconfig.xml file.

The final grant block in this policy has no codeBase, so it applies to every class the server loads. Among other entries, it grants java.io.FilePermission "<<ALL FILES>>" with read, write, and execute, java.util.PropertyPermission "*" with read and write, and java.lang.reflect.ReflectPermission "suppressAccessChecks". Review whether these permissions are acceptable for your installation before you apply the policy.

After you make these changes, restart the server to apply Java 2 Security.

    // *******************************************
    //  Default WebLogic Permissions ends
    // *******************************************
 
    grant codeBase "file:${java.home}/lib/-" {
    permission java.security.AllPermission;
    };
    
    grant codeBase "file:${java.home}/jre/lib/-" {
    permission java.security.AllPermission;
    };
    
    grant codebase "file:${oim.domain}/${server.name}/.internal/-" {
    permission java.security.AllPermission;
    };
    
 
    // *******************************************
    // From here, OIM application permissions start
    // *******************************************
    // OIM codebase permissions
    grant codeBase 
        "file:${oim.domain}/XLApplications/WLXellerateFull.ear/-" {
          // File permissions
    
          // Need read,write,delete permissions on $OIM_HOME/config folder
          // to read various config files, write the
          // xlconfig.xml.{0,1,2..} files upon re-encryption and delete
          // the last xlconfig.xml if the numbers go above 9.
 
          permission java.io.FilePermission "${XL.HomeDir}/config/-",
            "read, write, delete";
          permission java.io.FilePermission "${XL.HomeDir}/-", "read";
 
          // Need read,write,delete permissions to generate adapter java
          // code, delete the .class file when the adapter is loaded into
          // the database      
          permission java.io.FilePermission "${XL.HomeDir}/adapters/-",
            "read,write,delete";
 
          // This is required by the connectors and connector installer
          permission java.io.FilePermission     
            "${XL.HomeDir}/ConnectorDefaultDirectory/-", "read,write,delete";
          permission java.io.FilePermission                           
            "${XL.HomeDir}/connectorResources/-", "read,write,delete";
 
          // Need to read Globalization resource bundle files for various 
          // locales
          permission java.io.FilePermission 
            "${XL.HomeDir}/customResources/-", "read";
 
          // Read code from "JavaTasks", "ScheduleTask",
          // "ThirdParty", "EventHandlers" folder
          permission java.io.FilePermission 
            "${XL.HomeDir}/EventHandlers/-", "read";
          permission java.io.FilePermission 
            "${XL.HomeDir}/JavaTasks/-", "read";
          permission java.io.FilePermission 
            "${XL.HomeDir}/ScheduleTask/-", "read";
          permission java.io.FilePermission 
            "${XL.HomeDir}/ThirdParty/-", "read";
 
          // Required by the Generic Technology connector
          permission java.io.FilePermission  "${XL.HomeDir}/GTC/-", "read";
    
          // OIM server codebase requires read permissions on the 
          // deploy directory, the .wlnotdelete directory, the 
          // "applications" folder, the "XLApplications" folder
          // and the Oracle WebLogic Server lib directory
          // All these permissions are specific to the Oracle WebLogic Server.
          permission java.io.FilePermission
            "${oim.domain}/XLApplications/WLXellerateFull.ear/-", "read"; 
          permission java.io.FilePermission
            "${oim.domain}/${server.name}/.wlnotdelete/-",
            "read,write,delete";
          permission java.io.FilePermission 
            "${oim.domain}/applications/-", "read";
          permission java.io.FilePermission 
            "${oim.domain}/XLApplications/-", "read";
          permission java.io.FilePermission "http:${/}-", "read";
          permission java.io.FilePermission ".${/}http:${/}-", "read";
          permission java.io.FilePermission
            "${bea.home}/wlserver_10.3/server/lib/-", "read";
          permission java.io.FilePermission
            "${oim.domain}/${server.name}/ldap/ldapfiles/-", "read,write";
          permission java.io.FilePermission 
            "${oim.domain}/${server.name}/-", "read,write,delete";
 
          // OIM server codebase requires read permissions on the 
          // $JAVA_HOME/lib directory
          permission java.io.FilePermission "${java.home}/lib/-", "read"; 
 
          // OIM server invokes the java compiler. You need "execute"
          // permissions on all files.
          permission java.io.FilePermission "<<ALL FILES>>", "execute";
          
          // Socket permissions
          // Basically you must allow all permissions on non-privileged sockets
          // The multicast address should be the same as the one in 
          // xlconfig.xml for javagroups communication
          permission java.net.SocketPermission "*:1024-",
            "connect,listen,resolve,accept";
          permission java.net.SocketPermission "231.167.157.106",
            "connect,accept,resolve";
    
          // Property permissions
          // Read and write OIM properties
          // Read XL.*, java.* and log4j.* properties
          permission java.util.PropertyPermission "XL.HomeDir", "read";
          permission java.util.PropertyPermission "XL.*", "read";
          permission java.util.PropertyPermission "XL.ConfigAutoReload",
            "read";
          permission java.util.PropertyPermission "log4j.*", "read";
          permission java.util.PropertyPermission "user.dir", "read";
          permission java.util.PropertyPermission "weblogic.xml.debug",
            "read";   
          permission java.util.PropertyPermission "file.encoding", "read";
          permission java.util.PropertyPermission "java.class.path", "read";
          permission java.util.PropertyPermission "java.ext.dirs", "read";
          permission java.util.PropertyPermission "java.library.path",
            "read";
          permission java.util.PropertyPermission "sun.boot.class.path",
            "read";
          permission java.util.PropertyPermission "weblogic.*", "read";
    
          // Run time permissions
          // OIM server needs permissions to create its own class loader,
          // get the class loader, modify threads and register shutdown 
          // hooks
          permission java.lang.RuntimePermission "createClassLoader";
          permission java.lang.RuntimePermission "getClassLoader";
          permission java.lang.RuntimePermission "setContextClassLoader";
          permission java.lang.RuntimePermission  "setFactory";
          permission java.lang.RuntimePermission "modifyThread";
          permission java.lang.RuntimePermission "modifyThreadGroup";
          permission java.lang.RuntimePermission "shutdownHooks";
 
          // OIM server needs run time permissions to generate and load
          // classes in the following specified packages. Also access the
          // declared members of a class.
          // weblogic.kernelPermission is required by Oracle WebLogic Server
          permission java.lang.RuntimePermission 
            "defineClassInPackage.com.thortech.xl.adapterGlue.ScheduleItemEvents";
          permission java.lang.RuntimePermission
            "defineClassInPackage.com.thortech.xl.dataobj.rulegenerators";
          permission java.lang.RuntimePermission
            "defineClassInPackage.com.thortech.xl.adapterGlue";
          permission java.lang.RuntimePermission "accessDeclaredMembers";
          permission java.lang.RuntimePermission "weblogic.kernelPermission"; 
          permission java.lang.RuntimePermission 
            "accessClassInPackage.sun.net.www.protocol.c";  
          permission java.lang.RuntimePermission "accessClassInPackage.sun.io"; 
          permission java.lang.RuntimePermission 
            "accessClassInPackage.sun.security.provider";  
          permission java.lang.RuntimePermission 
            "accessClassInPackage.sun.security.action";  
                     
          // Reflection permissions
          // Give permissions to access and invoke fields/methods from
          // reflected classes.
          permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
    
          // Security permissions for OIM server
          permission java.security.SecurityPermission "*";
          permission java.security.SecurityPermission "insertProvider.SunJCE";
          permission java.security.SecurityPermission "insertProvider.SUN";
          permission javax.security.auth.AuthPermission "doAs";
          permission javax.security.auth.AuthPermission "doPrivileged";
          permission javax.security.auth.AuthPermission "getSubject";
          permission javax.security.auth.AuthPermission "modifyPrincipals";
          permission javax.security.auth.AuthPermission "createLoginContext";
          permission javax.security.auth.AuthPermission "getLoginConfiguration";
          permission javax.security.auth.AuthPermission "setLoginConfiguration";
          permission java.security.SecurityPermission 
            "getProperty.policy.allowSystemProperty";
          permission java.security.SecurityPermission 
            "getProperty.login.config.url.1";
          permission javax.security.auth.AuthPermission 
            "refreshLoginConfiguration";
          
          // SSL permission (for remote manager)
          permission javax.net.ssl.SSLPermission  "getSSLSessionContext";
    
          // Serializable permissions
          permission java.io.SerializablePermission "enableSubstitution";
    };
   
    
    // You must give the codebase in xlWebApp.war/WEB-INF/classes
    // the following permissions
    grant codeBase 
        "file:${oim.domain}/XLApplications/WLXellerateFull.ear/xlWebApp.war/WEB-INF/classes/-" {
          permission java.io.FilePermission 
            "${oim.domain}/XLApplications/WLXellerateFull.ear/xlWebApp.war/cabo/styles/-", "read,write";
          permission java.io.FilePermission 
            "${oim.domain}/XLApplications/WLXellerateFull.ear/xlWebApp.war/cabo/images/-", "read,write";
    };
    
    // nexaweb-common.jar from WebLogic server/lib is given AllPermissions
    // The classes in this JAR must be loaded by WebLogic's classloader
    grant codeBase "file:${bea.home}/wlserver_10.3/server/lib/nexaweb-common.jar" {
          permission java.security.AllPermission;
    };
    
    // Permissions for nexaweb-common.jar from OIM_HOME/ext
    grant codeBase "file:${XL.HomeDir}/ext/nexaweb-common.jar" {
          permission java.security.AllPermission;
    };
    
    // Permissions for xlCrypto.jar from $OIM_HOME/lib
    grant codeBase "file:${XL.HomeDir}/lib/xlCrypto.jar" {
          permission java.security.SecurityPermission "insertProvider.SunJCE";
          permission java.security.SecurityPermission "insertProvider.SUN";
    };
    
    // Permissions for xlUtils.jar from $OIM_HOME/lib
    grant codeBase "file:${XL.HomeDir}/lib/xlUtils.jar" {
          permission java.io.FilePermission 
            "${bea.home}/wlserver_10.3/server/lib/-", "read";
          permission java.io.FilePermission "${java.home}/jre/lib/-", "read";
    
          // Serializable permissions
          permission java.io.SerializablePermission "enableSubstitution";
    };
    
    // Permissions for log4j-1.2.8.jar from $OIM_HOME/ext
    grant codeBase "file:${XL.HomeDir}/ext/log4j-1.2.8.jar" {
          permission java.io.FilePermission 
            "${oim.domain}/XLApplications/WLXellerateFull.ear/xlVO.jar", 
            "read"; 
    };
    
    // Permissions for xlLogger.jar from $OIM_HOME/lib
    // The Filewatchdog class from this jar file must periodically scan
    // these directories for updated/new jar files.
    // You also scan the classes in xlAdapterUtilities.jar by default
    grant codeBase "file:${XL.HomeDir}/lib/xlLogger.jar" {
          permission java.io.FilePermission "${XL.HomeDir}/EventHandlers", 
            "read";
          permission java.io.FilePermission "${XL.HomeDir}/JavaTasks", "read";
          permission java.io.FilePermission "${XL.HomeDir}/ScheduleTask", 
            "read";
          permission java.io.FilePermission "${XL.HomeDir}/ThirdParty", 
            "read";      
          permission java.io.FilePermission "${XL.HomeDir}/EventHandlers/-", 
            "read";
          permission java.io.FilePermission "${XL.HomeDir}/JavaTasks/-", 
            "read";
          permission java.io.FilePermission "${XL.HomeDir}/ScheduleTask/-", 
            "read";
          permission java.io.FilePermission "${XL.HomeDir}/ThirdParty/-", 
            "read";      
          permission java.io.FilePermission 
            "${XL.HomeDir}/lib/xlAdapterUtilities.jar", "read";      
    };
    
    // Permissions for .wlnotdelete folder
    grant codeBase "file:${oim.domain}/${server.name}/.wlnotdelete/-" {
          permission java.security.AllPermission;
    };
    
    // Nexaweb server codebase permissions 
    grant codeBase "file:${oim.domain}/XLApplications/WLNexaweb.ear/-" {
          // File permissions
          permission java.io.FilePermission "${user.home}", "read, write"; 
          permission java.io.FilePermission 
            "${oim.domain}/XLApplications/WLNexaweb.ear/-", "read";
          permission java.io.FilePermission 
            "${oim.domain}/XLApplications/WLXellerateFull.ear/-", "read";
          permission java.io.FilePermission 
            "${bea.home}/wlserver_10.3/server/lib/-", "read";
    
          permission java.io.FilePermission "${XL.HomeDir}/adapters/-", 
            "read,write,delete";
          permission java.io.FilePermission "<<ALL FILES>>", "execute";
    
          // Property permissions
          permission java.util.PropertyPermission "weblogic.xml.debug", "read";
          permission java.util.PropertyPermission "user.dir", "read";
          permission java.util.PropertyPermission "*", "read,write";
          
          // Run time permissions
          permission java.lang.RuntimePermission "createClassLoader";
          permission java.lang.RuntimePermission "getClassLoader"; 
          permission java.lang.RuntimePermission "setContextClassLoader";
          permission java.lang.RuntimePermission  "setFactory";
 
          // Nexaweb server security permissions to load the Cryptix 
          // extension          
          permission java.security.SecurityPermission "insertProvider.Cryptix"; 
          permission java.lang.RuntimePermission "weblogic.kernelPermission";  
          permission java.lang.RuntimePermission 
            "accessClassInPackage.sun.net.www.protocol.c";  
          
          // Socket permissions
          // Permissions on all non-privileged ports.
          permission java.net.SocketPermission "*:1024-", 
            "listen, connect, resolve";
    
          // Security permissions
          permission javax.security.auth.AuthPermission "doAs";
          permission javax.security.auth.AuthPermission "modifyPrincipals";
          permission javax.security.auth.AuthPermission "createLoginContext";
    
    };
    
 
    // The following are permissions given to codebase in the OIM server 
    // directory    
    grant codeBase "file:${XL.HomeDir}/-" {
          // File permissions
          permission java.io.FilePermission "${XL.HomeDir}/config/-", "read";
          permission java.io.FilePermission "${XL.HomeDir}/JavaTasks/-", "read";
          permission java.io.FilePermission "${XL.HomeDir}/ScheduleTask/-", 
            "read";
          permission java.io.FilePermission "${XL.HomeDir}/ThirdParty/-", 
            "read";
          permission java.io.FilePermission "${XL.HomeDir}/adapters/-", 
            "read,write,delete";
    
          // Socket permissions
          permission java.net.SocketPermission "*:1024-", 
            "connect,listen,resolve,accept";
    
          // Property permissions 
          permission java.util.PropertyPermission "XL.HomeDir", "read";
          permission java.util.PropertyPermission "XL.ConfigAutoReload", "read";
          permission java.util.PropertyPermission "XL.*", "read";
          permission java.util.PropertyPermission "log4j.*", "read";
          permission java.util.PropertyPermission "user.dir", "read";
          permission java.util.PropertyPermission "weblogic.xml.debug", "read"; 
    
          // Security permissions
          permission javax.security.auth.AuthPermission "doAs";
          permission javax.security.auth.AuthPermission "modifyPrincipals";
          permission javax.security.auth.AuthPermission "createLoginContext";
    
          // Run time Permissions
          permission java.lang.RuntimePermission 
            "accessClassInPackage.sun.security.provider";  
    };
    
    // Minimal permissions are allowed to everyone else
    // This grant has no codeBase, so it applies to every class the server loads.
    grant { 
          // "standard" properties that can be read by anyone
          permission java.util.PropertyPermission "java.version", "read";
          permission java.util.PropertyPermission "java.vendor", "read";
          permission java.util.PropertyPermission "java.vendor.url", "read";
          permission java.util.PropertyPermission "java.class.version", "read";
          permission java.util.PropertyPermission "os.name", "read";
          permission java.util.PropertyPermission "os.version", "read";
          permission java.util.PropertyPermission "os.arch", "read";
          permission java.util.PropertyPermission "file.separator", "read";
          permission java.util.PropertyPermission "path.separator", "read";
          permission java.util.PropertyPermission "line.separator", "read";

          permission java.util.PropertyPermission "java.specification.version", 
            "read";
          permission java.util.PropertyPermission "java.specification.vendor", 
            "read";
          permission java.util.PropertyPermission "java.specification.name", 
            "read";
          permission java.util.PropertyPermission 
            "java.vm.specification.version", "read";
          permission java.util.PropertyPermission 
            "java.vm.specification.vendor", "read";
          permission java.util.PropertyPermission "java.vm.specification.name", 
            "read";
          permission java.util.PropertyPermission "java.vm.version", "read";
          permission java.util.PropertyPermission "java.vm.vendor", "read";
          permission java.util.PropertyPermission "java.vm.name", "read";
          permission java.util.PropertyPermission "sun.boot.class.path", "read";
          permission java.util.PropertyPermission "weblogic.xml.debug", "read";

          // Reflection, property and class loader permissions for all code
          permission java.lang.reflect.ReflectPermission "suppressAccessChecks"; 
          permission java.lang.RuntimePermission "accessDeclaredMembers"; 
          permission java.util.PropertyPermission "XL.*", "read";
          permission java.util.PropertyPermission "user.dir", "read"; 
          permission java.util.PropertyPermission "*", "read,write";

          permission java.lang.RuntimePermission "weblogic.kernelPermission";  
          permission java.lang.RuntimePermission "getClassLoader";
          permission java.lang.RuntimePermission "createClassLoader";
          permission java.lang.RuntimePermission "setContextClassLoader";
          permission java.util.PropertyPermission "nexaweb.logs", "read,write";
          permission java.util.PropertyPermission 
            "sun.net.client.defaultConnectTimeout", "read,write"; 

          // File permissions
          permission java.io.FilePermission 
            "${oim.domain}/XLApplications/WLNexaweb.ear/-", "read";
          permission java.io.FilePermission 
            "${oim.domain}/XLApplications/WLXellerateFull.ear/-", "read";
          permission java.io.FilePermission 
            "${bea.home}/wlserver_10.3/server/lib/weblogic.jar", "read";
          permission java.io.FilePermission 
            "${oim.domain}/${server.name}/.wlnotdelete/-", "read";
          permission java.io.FilePermission "${nexaweb.home}/-", "read"; 

          permission java.lang.RuntimePermission "loadLibrary.*";
          permission java.lang.RuntimePermission "queuePrintJob";
          permission java.net.SocketPermission "*", "connect";
          permission java.io.FilePermission "<<ALL FILES>>", "read,write,execute";
          permission java.lang.RuntimePermission "modifyThreadGroup";
          permission java.lang.RuntimePermission "accessClassInPackage.sun.io";  
          permission java.io.FilePermission "${XL.HomeDir}/adapters/-", 
            "read,write,delete";
    };
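A policy this long is easy to get wrong, and the note above asks for every java.io.FilePermission target to be edited by hand on Windows. The following Python script is an added example for this page; it is not part of this guide, of Oracle Identity Manager, or of Oracle WebLogic Server. It parses the subset of the Java policy-file grammar that weblogic.policy uses (grant blocks with an optional codeBase and permission entries), reports grants that weaken the sandbox (java.security.AllPermission, "<<ALL FILES>>" with write or execute, java.util.PropertyPermission "*" with write, and reflection or class-loader permissions in a grant that has no codeBase), and rewrites FilePermission targets for Windows while leaving codeBase URLs, "<<ALL FILES>>", and targets that already use ${/} untouched. The policy text embedded in it is a constructed sample modeled on the listing above, not the real file; point parse_policy and audit_policy at your own weblogic.policy to audit it.

```python
"""Audit a Java 2 policy file for over-broad grants and convert FilePermission
targets for Windows. Added example; not Oracle Identity Manager or WebLogic code.

Grammar subset handled:  grant [codeBase "url"] { permission <class> ["target" [, "actions"]]; ... };
"""
import re
from typing import FrozenSet, List, Optional, Tuple

Permission = Tuple[str, Optional[str], FrozenSet[str]]   # (class, target, actions)

# Constructed sample modeled on the weblogic.policy listing above (not the real file).
SAMPLE_POLICY = r'''
grant codeBase "file:${java.home}/lib/-" {
    permission java.security.AllPermission;
};

grant codeBase "file:${oim.domain}/XLApplications/WLXellerateFull.ear/-" {
    permission java.io.FilePermission "${XL.HomeDir}/config/-",
        "read, write, delete";
    permission java.io.FilePermission "http:${/}-", "read";
    permission java.net.SocketPermission "*:1024-", "connect,listen,resolve,accept";
    permission java.lang.RuntimePermission "createClassLoader";
};

// A grant with no codeBase applies to every class the JVM loads.
grant {
    permission java.util.PropertyPermission "java.version", "read";
    permission java.util.PropertyPermission "*", "read,write";
    permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
    permission java.lang.RuntimePermission "createClassLoader";
    permission java.io.FilePermission "<<ALL FILES>>", "read,write,execute";
};
'''

COMMENT_RE = re.compile(r'^\s*//.*$', re.MULTILINE)
# Head and body may contain ${prop} expansions, so braces inside ${...} are skipped.
GRANT_RE = re.compile(
    r'\bgrant\b((?:\$\{[^}]*\}|[^{}])*)\{((?:\$\{[^}]*\}|[^{}])*)\}\s*;', re.IGNORECASE)
CODEBASE_RE = re.compile(r'codeBase\s+"([^"]*)"', re.IGNORECASE)
PERM_RE = re.compile(
    r'permission\s+([\w.]+)'      # permission class
    r'(?:\s+"([^"]*)")?'          # optional target name
    r'(?:\s*,\s*"([^"]*)")?'      # optional action list
    r'\s*;', re.IGNORECASE)
FILE_TARGET_RE = re.compile(
    r'(permission\s+java\.io\.FilePermission\s+")([^"]*)(")', re.IGNORECASE)

# Permissions that let arbitrary code escape the sandbox when granted with no codeBase.
RISKY_WHEN_UNPINNED = {
    ('java.lang.reflect.ReflectPermission', 'suppressAccessChecks'),
    ('java.lang.RuntimePermission', 'createClassLoader'),
    ('java.lang.RuntimePermission', 'setSecurityManager'),
}


def parse_policy(text: str) -> List[Tuple[Optional[str], List[Permission]]]:
    """Return [(codeBase or None, [permissions])] for each grant block."""
    text = COMMENT_RE.sub('', text)          # full-line comments may contain the word 'grant'
    grants = []
    for m in GRANT_RE.finditer(text):
        head, body = m.group(1), m.group(2)
        cb = CODEBASE_RE.search(head)
        perms: List[Permission] = []
        for p in PERM_RE.finditer(body):
            cls, target, actions = p.group(1), p.group(2), p.group(3)
            acts = frozenset(a.strip().lower() for a in actions.split(',')) if actions else frozenset()
            perms.append((cls, target, acts))
        grants.append((cb.group(1) if cb else None, perms))
    return grants


def audit_policy(text: str) -> List[Tuple[str, str]]:
    """Return (codeBase or '<any code>', reason) for each grant that weakens the sandbox."""
    findings = []
    for codebase, perms in parse_policy(text):
        who = codebase or '<any code>'
        for cls, target, acts in perms:
            if cls == 'java.security.AllPermission':
                findings.append((who, 'AllPermission bypasses every check'))
            elif (cls == 'java.io.FilePermission' and target == '<<ALL FILES>>'
                  and acts & {'write', 'delete', 'execute'}):
                findings.append((who, '<<ALL FILES>> with ' + ','.join(sorted(acts))))
            elif cls == 'java.util.PropertyPermission' and target == '*' and 'write' in acts:
                findings.append((who, 'can overwrite any system property'))
            elif codebase is None and (cls, target) in RISKY_WHEN_UNPINNED:
                findings.append((who, f'{target} granted without a codeBase'))
    return findings


def to_windows_file_targets(text: str) -> str:
    """Replace '/' with two backslashes inside FilePermission targets only.
    codeBase values are URLs and keep '/'; <<ALL FILES>> and targets that already
    use ${/} (expanded by the JVM to the platform separator) are left unchanged."""
    def fix(m):
        target = m.group(2)
        if target == '<<ALL FILES>>' or '${/}' in target:
            return m.group(0)
        return m.group(1) + target.replace('/', '\\\\') + m.group(3)
    return FILE_TARGET_RE.sub(fix, text)


if __name__ == '__main__':
    for who, reason in audit_policy(SAMPLE_POLICY):
        print(f'{who}: {reason}')
    print(to_windows_file_targets(SAMPLE_POLICY))
```

On the sample, the only pinned grant that is reported is the AllPermission for ${java.home}/lib/-; the four remaining findings all come from the unqualified grant, which is the block that deserves review in the listing above. Using ${/} in targets, as several entries in the listing already do, avoids the manual conversion entirely.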

A.2 Java 2 Security Permissions for WebLogic Cluster

To enable Java 2 Security for Oracle Identity Manager running on an Oracle WebLogic Server cluster:

Caution:

The application might fail to start because of syntax errors in the policy files. Therefore, you must exercise caution when you edit the policy files.

Oracle recommends that you use the policy tool provided by the JDK for editing the policy files. The tool is available in the following directory:

JAVA_HOME/jre/bin/policytool

  1. Go to the $BEA_HOME/user_projects/domains/$OIM_DOMAIN/ directory and then open the run script (xlStartWLS.bat for Microsoft Windows and xlStartWLS.sh for UNIX) in a text editor.

  2. Search for JAVA_OPTIONS and then add the following:

    -Djava.security.manager
    -Djava.security.policy=$WL_HOME/server/lib/weblogic.policy
    -Dbea.home=$BEA_HOME
    -Dserver.name=$SERVER_NAME
    -Doim.domain=$BEA_HOME/user_projects/domains/$OIM_DOMAIN
    

    Note:

    Make the following changes in the lines that you copy:

      • Change $WL_HOME to the actual Oracle WebLogic Server home directory location.

      • Change $BEA_HOME to the actual BEA home directory location.

      • Change $SERVER_NAME to the actual name of the first server on which Oracle Identity Manager is deployed.

      • Change $OIM_DOMAIN to the actual domain name where Oracle Identity Manager is deployed.

    The following table describes the options:

    Option                    Description
    -Djava.security.manager   Enables the Java 2 Security manager.
    -Djava.security.policy    Specifies the policy file to use for Java 2 Security. With a single equal sign (-Djava.security.policy=file), the file is read in addition to the default policy files of the JRE; with two equal signs (-Djava.security.policy==file, as used in Step 4), it is the only policy file that is used.
    -Dbea.home                Specifies the root of the WebLogic Server installation directory. Typically, it is /opt/bea or c:\bea.
    -Dserver.name             Specifies the name of the server on which Oracle Identity Manager is installed. Typically, it is myserver.
    -Doim.domain              Specifies the directory of the domain on which Oracle Identity Manager is installed.

  3. Check if the $WL_HOME/server/lib/weblogic.policy file (that is, $BEA_HOME/wlserver_10.3/server/lib/weblogic.policy, the file named by -Djava.security.policy in Step 2) exists. If the file exists, then edit it and add the Java 2 Security permissions specified in "Policy File". If the file does not exist, then create it.

  4. For clustered nodes that are remotely managed:

    1. On the WebLogic Server Console, click Configure Servers, Server, Configuration, and then click Remote Start.

    2. Add the following to the Arguments field:

      -DXL.HomeDir=$OIM_HOME
      -Djava.security.auth.login.config=$OIM_HOME\config\authwl.conf
      -Dlog4j.configuration=file:/$OIM_HOME/config/log.properties
      -Djava.awt.headless=true
      -Djava.security.manager
      -Djava.security.policy==$BEA_HOME/wlserver_10.3/server/lib/weblogic.policy
      -Dbea.home=$BEA_HOME
      -Dserver.name=$SERVER_NAME
      -Doim.domain=$BEA_HOME/user_projects/domains/$OIM_DOMAIN
      

      Note:

      Make the following changes in the lines that you copy:

      Change $OIM_HOME to the actual Oracle Identity Manager home directory location.

      Change $BEA_HOME to the actual BEA home directory location.

      Change $SERVER_NAME to the actual server name of Oracle WebLogic Server.

      Change $OIM_DOMAIN to the actual domain name on which Oracle Identity Manager is deployed.

  5. After making the changes mentioned in Steps 1 through 4, you must restart all the servers.

Policy File

The weblogic.policy file contains the following code:

Note:

  • The instructions to change the code in the policy file are given in the comments within the code.

  • This weblogic.policy example is for a UNIX installation. For Microsoft Windows, change the slash (/) character between the directory names to two backslash characters (\\) in the target of every permission java.io.FilePermission entry. Do not change the codeBase values: they are URLs, not file paths, and always use forward slashes. Targets that already use ${/} expand to the platform file separator and do not need to be changed.

  • The codeBase entries in this listing point to the installation location D:${/}wl_cluster${/}bea. Change them to the actual Oracle WebLogic Server installation location.

  • Ensure that you change the multicast IP address 231.116.117.171 in this example to the multicast IP address of the Oracle Identity Manager installation. You can find the Oracle Identity Manager multicast IP address in the xlconfig.xml file.

  • After you make these changes, restart the server to apply Java 2 Security.

// *******************************************
//  Default WebLogic Permissions
// *******************************************
//
// To use this file you must turn on the Java security manager by 
// defining java.security.manager and setting the java.security.policy 
// property to point to the security policy which should be in the lib 
// directory.
// For example: 
//   java -Djava.security.manager
//  -Djava.security.policy==${/}opt${/}bea${/}wlserver_10.3/server/lib/weblogic.policy
//           weblogic.Server
//
// You can edit this file and change the permissions for your 
// applications or update the codeBase line to point to where your 
// server is installed. 
//
// You should grant all permissions to classes in
// .internal, and .wlnotdelete folders located in your server directory.
// You can set 
//   -Duser.domain=<user domain folder> 
//   -Dweblogic.Name=<server name> 
// command-line properties and use them in your policy file.
// For example, the basic grant statements for servers in a user 
// domain would be:
// grant codeBase "file:${user.domain}/${weblogic.Name}/.internal/-" {
//   permission java.security.AllPermission;
// };
// grant codeBase "file:${user.domain}/${weblogic.Name}/.wlnotdelete/-" 
// {
//   permission java.security.AllPermission;
// };
//
// The codeBase location must be a URL, not a file path,
// so Windows users beware of backslashes.
//
//
 
grant codeBase "file:D:${/}wl_cluster${/}bea${/}wlserver_10.3/server/lib/-" {
  permission java.security.AllPermission;
};
 
grant codeBase "file:D:${/}wl_cluster${/}bea${/}wlserver_10.3/server/ext/-" {
  permission java.security.AllPermission;
};
 
grant codeBase "file:D:${/}wl_cluster${/}bea${/}wlserver_10.3/samples/server/eval/pointbase/lib/-" {
  permission java.security.AllPermission;
};
 
// For the petstore demo
 
grant codeBase "file:D:${/}wl_cluster${/}bea${/}wlserver_10.3/samples/server/config/petstore/petstoreServer/.internal/-" {
permission java.security.AllPermission;
};
 
grant codeBase "file:D:${/}wl_cluster${/}bea${/}wlserver_10.3/samples/server/config/petstore/petstoreServer/.wlnotdelete/-" {
permission java.security.AllPermission;
};
 
grant codeBase "file:D:${/}wl_cluster${/}bea${/}wlserver_10.3/samples/server/config/petstore/-" {
permission java.util.PropertyPermission "*", "read";
};
 
// For the examples
 
grant codeBase "file:D:${/}wl_cluster${/}bea${/}wlserver_10.3/samples/server/config/examples/examplesServer/.internal/-" {
permission java.security.AllPermission;
};
 
grant codeBase "file:D:${/}wl_cluster${/}bea${/}wlserver_10.3/samples/server/config/examples/examplesServer/.wlnotdelete/-" {
permission java.security.AllPermission;
};
 
grant codeBase "file:D:${/}wl_cluster${/}bea${/}wlserver_10.3/samples/server/config/examples/examplesServer/stage/-" {
permission java.util.PropertyPermission "*", "read";
permission java.io.FilePermission "D:${/}wl_cluster${/}bea${/}wlserver_10.3${/}samples${/}server${/}config${/}examples${/}examplesServer${/}ldap", "read,write";
};
 
grant codeBase "file:D:${/}wl_cluster${/}bea${/}wlserver_10.3/samples/server/stage/examples/-" {
permission java.io.FilePermission "D:${/}wl_cluster${/}bea${/}wlserver_10.3${/}samples${/}server${/}src${/}examples${/}-", "read";
permission java.io.FilePermission "D:${/}wl_cluster${/}bea${/}wlserver_10.3${/}samples${/}server${/}config${/}examples${/}examplesServer${/}ldap", "read,write";
};
 
// For the workshop
 
grant codeBase "file:D:${/}wl_cluster${/}bea${/}wlserver_10.3/samples/workshop/-" {
  permission java.security.AllPermission;
};
 
// These are for the three app types
 
// EJB default permissions
grant codebase "file:/weblogic/application/defaults/EJB" {
    permission java.lang.RuntimePermission "queuePrintJob"; 
    permission java.net.SocketPermission "*", "connect"; 
    permission java.util.PropertyPermission "*", "read";
};
 
// Web App default permissions
grant codebase "file:/weblogic/application/defaults/Web" {
    permission java.lang.RuntimePermission "loadLibrary"; 
    permission java.lang.RuntimePermission "queuePrintJob"; 
    permission java.net.SocketPermission "*", "connect"; 
    permission java.io.FilePermission "WEBLOGIC-APPLICATION-ROOT${/}-", "read,write";
    permission java.util.PropertyPermission "*", "read";
};
 
// Connector default permissions
grant codebase "file:/weblogic/application/defaults/Connector" {
    permission java.net.SocketPermission "*", "connect"; 
    permission java.io.FilePermission "WEBLOGIC-APPLICATION-ROOT${/}-", "read,write";
    permission java.util.PropertyPermission "*", "read";
};
 
 
// Standard extensions get all permissions by default
 
grant codeBase "file:${java.home}/lib/ext/-" {
permission java.security.AllPermission;
};
 
// default permissions granted to all domains
 
grant { 
// "standard" properties that can be read by anyone
 
permission java.util.PropertyPermission "java.version", "read";
permission java.util.PropertyPermission "java.vendor", "read";
permission java.util.PropertyPermission "java.vendor.url", "read";
permission java.util.PropertyPermission "java.class.version", "read";
permission java.util.PropertyPermission "os.name", "read";
permission java.util.PropertyPermission "os.version", "read";
permission java.util.PropertyPermission "os.arch", "read";
permission java.util.PropertyPermission "file.separator", "read";
permission java.util.PropertyPermission "path.separator", "read";
permission java.util.PropertyPermission "line.separator", "read";
 
 
permission java.util.PropertyPermission "java.specification.version", "read";
permission java.util.PropertyPermission "java.specification.vendor", "read";
permission java.util.PropertyPermission "java.specification.name", "read";
 
permission java.util.PropertyPermission "java.vm.specification.version", "read";
permission java.util.PropertyPermission "java.vm.specification.vendor", "read";
permission java.util.PropertyPermission "java.vm.specification.name", "read";
permission java.util.PropertyPermission "java.vm.version", "read";
permission java.util.PropertyPermission "java.vm.vendor", "read";
permission java.util.PropertyPermission "java.vm.name", "read";
};
 
grant codeBase 
   "file:${/}opt${/}bea${/}wlserver_10.3/samples/server/eval/pointbase/lib/-" {
permission java.security.AllPermission;
};

// For the petstore demo
 
grant codeBase 
        "file:${/}opt${/}bea${/}wlserver_10.3/samples/server/config/petstore/petstoreServer/.internal/-" {
    permission java.security.AllPermission;
    };
    
    grant codeBase 
        "file:${/}opt${/}bea${/}wlserver_10.3/samples/server/config/petstore/petstoreServer/.wlnotdelete/-" {
    permission java.security.AllPermission;
    };
    
    grant codeBase 
        "file:${/}opt${/}bea${/}wlserver_10.3/samples/server/config/petstore/-" {
    permission java.util.PropertyPermission "*", "read";
    };
    
    // For the examples
 
    grant codeBase 
        "file:${/}opt${/}bea${/}wlserver_10.3/samples/server/config/examples/examplesServer/.internal/-" {
    permission java.security.AllPermission;
    };
    
    grant codeBase 
        "file:${/}opt${/}bea${/}wlserver_10.3/samples/server/config/examples/examplesServer/.wlnotdelete/-" {
    permission java.security.AllPermission;
    };
    
    grant codeBase 
        "file:${/}opt${/}bea${/}wlserver_10.3/samples/server/config/examples/examplesServer/stage/-" {
    permission java.util.PropertyPermission "*", "read";
    permission java.io.FilePermission 
            "${/}opt${/}bea${/}wlserver_10.3${/}samples${/}server${/}config${/}examples${/}examplesServer${/}ldap", "read,write";
    };
    
    grant codeBase 
        "file:${/}opt${/}bea${/}wlserver_10.3/samples/server/stage/examples/-" {
    permission java.io.FilePermission 
            "${/}opt${/}bea${/}wlserver_10.3${/}samples${/}server${/}src${/}examples${/}-", "read";
    permission java.io.FilePermission 
            "${/}opt${/}bea${/}wlserver_10.3${/}samples${/}server${/}config${/}examples${/}examplesServer${/}ldap", "read,write";
    };
    
    // For the workshop
 
    grant codeBase "file:${/}opt${/}bea${/}wlserver_10.3/samples/workshop/-" {
      permission java.security.AllPermission;
    };
    
    // These are for the three app types
 
    
    // EJB default permissions
    grant codebase "file:/weblogic/application/defaults/EJB" {
        permission java.lang.RuntimePermission "queuePrintJob"; 
        permission java.net.SocketPermission "*", "connect"; 
        permission java.util.PropertyPermission "*", "read";
    };
    
    // Web App default permissions
    grant codebase "file:/weblogic/application/defaults/Web" {
        permission java.lang.RuntimePermission "loadLibrary"; 
        permission java.lang.RuntimePermission "queuePrintJob"; 
        permission java.net.SocketPermission "*", "connect"; 
        permission java.io.FilePermission 
            "WEBLOGIC-APPLICATION-ROOT${/}-", "read,write";
        permission java.util.PropertyPermission "*", "read";
    };
    
    // Connector default permissions
    grant codebase "file:/weblogic/application/defaults/Connector" {
        permission java.net.SocketPermission "*", "connect"; 
        permission java.io.FilePermission 
            "WEBLOGIC-APPLICATION-ROOT${/}-", "read,write";
        permission java.util.PropertyPermission "*", "read";
    };
    
    
    // Standard extensions get all permissions by default
    grant codeBase "file:${java.home}/lib/ext/-" {
    permission java.security.AllPermission;
    };
    
    grant codeBase "file:${java.home}/lib/-" {
    permission java.security.AllPermission;
    };
    
    grant codeBase "file:${java.home}/jre/lib/-" {
    permission java.security.AllPermission;
    };
    
    grant codebase "file:${oim.domain}/${server.name}/.internal/-" {
    permission java.security.AllPermission;
    };
    
    // *******************************************
    //  Default WebLogic Permissions end
    // *******************************************
 
 
    // *******************************************
    // From here, OIM application permission starts
    // *******************************************
    // OIM codebase permissions
    grant codeBase 
        "file:${oim.domain}/XLApplications/WLXellerateFull.ear/-" {
          // File permissions
    
          // Need read,write,delete permissions on $OIM_HOME/config folder
          // to read various config files, write the
          // xlconfig.xml.{0,1,2..} files upon re-encryption and delete
          // the last xlconfig.xml if the numbers go above 9.
 
          permission java.io.FilePermission "${XL.HomeDir}/config/-",
            "read, write, delete";
          permission java.io.FilePermission "${XL.HomeDir}/-", "read";
 
          // Need read,write,delete permissions to generate adapter java
          // code, delete the .class file when the adapter is loaded into
          // the database
          permission java.io.FilePermission "${XL.HomeDir}/adapters/-",
            "read,write,delete";
 
          // This is required by the connectors and connector installer
          permission java.io.FilePermission     
            "${XL.HomeDir}/ConnectorDefaultDirectory/-", "read,write,delete";
          permission java.io.FilePermission                           
            "${XL.HomeDir}/connectorResources/-", "read,write,delete";
 
          // Need to read Globalization resource bundle files for various 
          // locales
          permission java.io.FilePermission 
            "${XL.HomeDir}/customResources/-", "read";
 
          // Need to read code from "JavaTasks", "ScheduleTask",
          // "ThirdParty", "EventHandlers" folder
          permission java.io.FilePermission 
            "${XL.HomeDir}/EventHandlers/-", "read";
          permission java.io.FilePermission 
            "${XL.HomeDir}/JavaTasks/-", "read";
          permission java.io.FilePermission 
            "${XL.HomeDir}/ScheduleTask/-", "read";
          permission java.io.FilePermission 
            "${XL.HomeDir}/ThirdParty/-", "read";
 
          // Required by the Generic Technology connector
          permission java.io.FilePermission  "${XL.HomeDir}/GTC/-", "read";
    
          // OIM server code base requires read permissions on the 
          // deploy directory, the .wlnotdelete directory, the 
          // "applications" folder, the "XLApplications" folder
          // and the WebLogic server lib directory
          // All these permissions are specific to the weblogic server.
          permission java.io.FilePermission
            "${oim.domain}/XLApplications/WLXellerateFull.ear/-", "read"; 
          permission java.io.FilePermission
            "${oim.domain}/${server.name}/.wlnotdelete/-",
            "read,write,delete";
          permission java.io.FilePermission 
            "${oim.domain}/applications/-", "read";
          permission java.io.FilePermission 
            "${oim.domain}/XLApplications/-", "read";
          permission java.io.FilePermission "http:${/}-", "read";
          permission java.io.FilePermission ".${/}http:${/}-", "read";
          permission java.io.FilePermission
            "${bea.home}/wlserver_10.3/server/lib/-", "read";
          permission java.io.FilePermission
            "${oim.domain}/${server.name}/ldap/ldapfiles/-", "read,write";
          permission java.io.FilePermission 
            "${oim.domain}/${server.name}/-", "read,write,delete";
 
          // OIM server codebase requires read permissions on the 
          // $JAVA_HOME/lib directory
          permission java.io.FilePermission "${java.home}/lib/-", "read"; 
 
          // OIM server invokes the java compiler. You need "execute"
          // permissions on all files.
          permission java.io.FilePermission "<<ALL FILES>>", "execute";
          
          // Socket permissions
          // Basically, all permissions are allowed on non-privileged sockets
          // The multicast address should be the same as the one in 
          // xlconfig.xml for javagroups communication
          permission java.net.SocketPermission "*:1024-",
            "connect,listen,resolve,accept";
          permission java.net.SocketPermission "231.116.117.171",
            "connect,accept,resolve";
    
          // Property permissions
          // Read and write OIM properties
          // Read XL.*, java.* and log4j.* properties
          permission java.util.PropertyPermission "XL.HomeDir", "read";
          permission java.util.PropertyPermission "XL.*", "read";
          permission java.util.PropertyPermission "XL.ConfigAutoReload",
            "read";
          permission java.util.PropertyPermission "log4j.*", "read";
          permission java.util.PropertyPermission "user.dir", "read";
          permission java.util.PropertyPermission "weblogic.xml.debug",
            "read";   
          permission java.util.PropertyPermission "file.encoding", "read";
          permission java.util.PropertyPermission "java.class.path", "read";
          permission java.util.PropertyPermission "java.ext.dirs", "read";
          permission java.util.PropertyPermission "java.library.path",
            "read";
          permission java.util.PropertyPermission "sun.boot.class.path",
            "read";
          permission java.util.PropertyPermission "weblogic.*", "read";
    
          // Run time permissions
          // OIM server needs permissions to create its own class loader,
          // get the class loader, modify threads and register shutdown 
          // hooks
          permission java.lang.RuntimePermission "createClassLoader";
          permission java.lang.RuntimePermission "getClassLoader";
          permission java.lang.RuntimePermission "setContextClassLoader";
          permission java.lang.RuntimePermission  "setFactory";
          permission java.lang.RuntimePermission "modifyThread";
          permission java.lang.RuntimePermission "modifyThreadGroup";
          permission java.lang.RuntimePermission "shutdownHooks";
 
          // OIM server needs run time permissions to generate and load
          // classes in the following specified packages. Also access the
          // declared members of a class.
          // weblogic.kernelPermission is required by weblogic
          permission java.lang.RuntimePermission 
            "defineClassInPackage.com.thortech.xl.adapterGlue.ScheduleItemEvents";
          permission java.lang.RuntimePermission
            "defineClassInPackage.com.thortech.xl.dataobj.rulegenerators";
          permission java.lang.RuntimePermission
            "defineClassInPackage.com.thortech.xl.adapterGlue";
          permission java.lang.RuntimePermission "accessDeclaredMembers";
          permission java.lang.RuntimePermission "weblogic.kernelPermission"; 
          permission java.lang.RuntimePermission 
            "accessClassInPackage.sun.net.www.protocol.c";  
          permission java.lang.RuntimePermission "accessClassInPackage.sun.io"; 
          permission java.lang.RuntimePermission 
            "accessClassInPackage.sun.security.provider";  
          permission java.lang.RuntimePermission 
            "accessClassInPackage.sun.security.action";  
                     
          // Reflection permissions
          // Give permissions to access and invoke fields/methods from
          // reflected classes.
          permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
    
          // Security permissions for OIM server
          permission java.security.SecurityPermission "*";
          permission java.security.SecurityPermission "insertProvider.SunJCE";
          permission java.security.SecurityPermission "insertProvider.SUN";
          permission javax.security.auth.AuthPermission "doAs";
          permission javax.security.auth.AuthPermission "doPrivileged";
          permission javax.security.auth.AuthPermission "getSubject";
          permission javax.security.auth.AuthPermission "modifyPrincipals";
          permission javax.security.auth.AuthPermission "createLoginContext";
          permission javax.security.auth.AuthPermission "getLoginConfiguration";
          permission javax.security.auth.AuthPermission "setLoginConfiguration";
          permission java.security.SecurityPermission 
            "getProperty.policy.allowSystemProperty";
          permission java.security.SecurityPermission 
            "getProperty.login.config.url.1";
          permission javax.security.auth.AuthPermission 
            "refreshLoginConfiguration";
 
          
          // SSL permission (for remote manager)
          permission javax.net.ssl.SSLPermission  "getSSLSessionContext";
    
          // Serializable permissions
          permission java.io.SerializablePermission "enableSubstitution";
    };
   
    
    // You must give the codebase in xlWebApp.war/WEB-INF/classes
    // the following permissions
    grant codeBase 
        "file:${oim.domain}/XLApplications/WLXellerateFull.ear/xlWebApp.war/WEB-INF/classes/-" {
          permission java.io.FilePermission 
            "${oim.domain}/XLApplications/WLXellerateFull.ear/xlWebApp.war/cabo/styles/-", "read,write";
          permission java.io.FilePermission 
            "${oim.domain}/XLApplications/WLXellerateFull.ear/xlWebApp.war/cabo/images/-", "read,write";
    };
    
    // nexaweb-common.jar from WebLogic server/lib is given AllPermissions
    // These classes in this jar can be loaded by WebLogic's classloader
    grant codeBase "file:${bea.home}/wlserver_10.3/server/lib/nexaweb-common.jar" {
          permission java.security.AllPermission;
    };
    
    // Permissions for nexaweb-common.jar from OIM_HOME/ext
    grant codeBase "file:${XL.HomeDir}/ext/nexaweb-common.jar" {
          permission java.security.AllPermission;
    };
    
    // Permissions for xlCrypto.jar from $OIM_HOME/lib
    grant codeBase "file:${XL.HomeDir}/lib/xlCrypto.jar" {
          permission java.security.SecurityPermission "insertProvider.SunJCE";
          permission java.security.SecurityPermission "insertProvider.SUN";
    };
    
    // Permissions for xlUtils.jar from $OIM_HOME/lib
    grant codeBase "file:${XL.HomeDir}/lib/xlUtils.jar" {
          permission java.io.FilePermission 
            "${bea.home}/wlserver_10.3/server/lib/-", "read";
          permission java.io.FilePermission "${java.home}/jre/lib/-", "read";
    
          // Serializable permissions
          permission java.io.SerializablePermission "enableSubstitution";
    };
    
    // Permissions for log4j-1.2.8.jar from $OIM_HOME/ext
    grant codeBase "file:${XL.HomeDir}/ext/log4j-1.2.8.jar" {
          permission java.io.FilePermission 
            "${oim.domain}/XLApplications/WLXellerateFull.ear/xlVO.jar", 
            "read"; 
    };
    
    // Permissions for xlLogger.jar from $OIM_HOME/lib
    // The Filewatchdog class from this jar file must periodically scan
    // these directories for updated/new jar files.
    // We also scan the classes in xlAdapterUtilities.jar by default
    grant codeBase "file:${XL.HomeDir}/lib/xlLogger.jar" {
          permission java.io.FilePermission "${XL.HomeDir}/EventHandlers", 
            "read";
          permission java.io.FilePermission "${XL.HomeDir}/JavaTasks", "read";
          permission java.io.FilePermission "${XL.HomeDir}/ScheduleTask", 
            "read";
          permission java.io.FilePermission "${XL.HomeDir}/ThirdParty", 
            "read";      
          permission java.io.FilePermission "${XL.HomeDir}/EventHandlers/-", 
            "read";
          permission java.io.FilePermission "${XL.HomeDir}/JavaTasks/-", 
            "read";
          permission java.io.FilePermission "${XL.HomeDir}/ScheduleTask/-", 
            "read";
          permission java.io.FilePermission "${XL.HomeDir}/ThirdParty/-", 
            "read";      
          permission java.io.FilePermission 
            "${XL.HomeDir}/lib/xlAdapterUtilities.jar", "read";      
    };
    
    // Permissions for .wlnotdelete folder
    grant codeBase "file:${oim.domain}/${server.name}/.wlnotdelete/-" {
          permission java.security.AllPermission;
    };
    
    // Nexaweb server codebase permissions 
    grant codeBase "file:${oim.domain}/XLApplications/WLNexaweb.ear/-" {
          // File permissions
          permission java.io.FilePermission "${user.home}", "read, write"; 
          permission java.io.FilePermission 
            "${oim.domain}/XLApplications/WLNexaweb.ear/-", "read";
          permission java.io.FilePermission 
            "${oim.domain}/XLApplications/WLXellerateFull.ear/-", "read";
          permission java.io.FilePermission 
            "${bea.home}/wlserver_10.3/server/lib/-", "read";
    
          permission java.io.FilePermission "${XL.HomeDir}/adapters/-", 
            "read,write,delete";
          permission java.io.FilePermission "<<ALL FILES>>", "execute";
    
          // Property permissions
          permission java.util.PropertyPermission "weblogic.xml.debug", "read";
          permission java.util.PropertyPermission "user.dir", "read";
          permission java.util.PropertyPermission "*", "read,write";
          
          // Run time permissions
          permission java.lang.RuntimePermission "createClassLoader";
          permission java.lang.RuntimePermission "getClassLoader"; 
          permission java.lang.RuntimePermission "setContextClassLoader";
          permission java.lang.RuntimePermission  "setFactory";
 
          // Nexaweb server security permissions to load the Cryptix 
          // extension          
          permission java.security.SecurityPermission "insertProvider.Cryptix"; 
          permission java.lang.RuntimePermission "weblogic.kernelPermission";  
          permission java.lang.RuntimePermission 
            "accessClassInPackage.sun.net.www.protocol.c";  
          
          // Socket permissions
          // Permissions on all non-privileged ports.
          permission java.net.SocketPermission "*:1024-", 
            "listen, connect, resolve";
    
          // Security permissions
          permission javax.security.auth.AuthPermission "doAs";
          permission javax.security.auth.AuthPermission "modifyPrincipals";
          permission javax.security.auth.AuthPermission "createLoginContext";
    
    };
    
 
    // The following are permissions given to codebase in the OIM server 
    // directory    
    grant codeBase "file:${XL.HomeDir}/-" {
          // File permissions
          permission java.io.FilePermission "${XL.HomeDir}/config/-", "read";
          permission java.io.FilePermission "${XL.HomeDir}/JavaTasks/-", "read";
          permission java.io.FilePermission "${XL.HomeDir}/ScheduleTasks/-", 
            "read";
          permission java.io.FilePermission "${XL.HomeDir}/ThirdParty/-", 
            "read";
          permission java.io.FilePermission "${XL.HomeDir}/adapters/-", 
            "read,write,delete";
    
          // Socket permissions
          permission java.net.SocketPermission "*:1024-", 
            "connect,listen,resolve,accept";
    
          // Property permissions 
          permission java.util.PropertyPermission "XL.HomeDir", "read";
          permission java.util.PropertyPermission "XL.ConfigAutoReload", "read";
          permission java.util.PropertyPermission "XL.*", "read";
          permission java.util.PropertyPermission "log4j.*", "read";
          permission java.util.PropertyPermission "user.dir", "read";
          permission java.util.PropertyPermission "weblogic.xml.debug", "read"; 
    
          // Security permissions
          permission javax.security.auth.AuthPermission "doAs";
          permission javax.security.auth.AuthPermission "modifyPrincipals";
          permission javax.security.auth.AuthPermission "createLoginContext";
    
          // Run time Permissions
          permission java.lang.RuntimePermission 
            "accessClassInPackage.sun.security.provider";  
    };
    
    // Minimal permissions are allowed to everyone else
    grant {
          // "standard" properties that can be read by anyone

          // Socket permissions
          permission java.net.SocketPermission "*:1024-",
            "connect,listen,resolve,accept";

          // Change the following IP address to the same value as that of
          // your WebLogic cluster multicast IP address
          permission java.net.SocketPermission "237.0.0.1", "connect,accept,resolve";

          // Change the following IP address to the same value as that of
          // the multicast address in the xlConfig.xml file
          permission java.net.SocketPermission "231.116.117.171", "connect,accept,resolve";

          permission java.lang.RuntimePermission "accessClassInPackage.*";
          permission java.security.SecurityPermission "getPolicy";
          permission java.security.SecurityPermission "setPolicy";
          permission java.lang.RuntimePermission "createSecurityManager";
          permission java.lang.RuntimePermission "setSecurityManager";
          permission java.security.SecurityPermission "getProperty.*";
          permission java.security.SecurityPermission "setProperty.*";
          permission javax.security.auth.AuthPermission "createLoginContext.*";
          permission java.lang.RuntimePermission "shutdownHooks";
          permission java.io.SerializablePermission "enableSubstitution";
          permission javax.security.auth.AuthPermission "refreshLoginConfiguration";
          permission java.util.logging.LoggingPermission "control";
          permission java.security.SecurityPermission "insertProvider.SunJCE";
          permission java.security.SecurityPermission "insertProvider.SUN";

          permission java.util.PropertyPermission "java.version", "read";
          permission java.util.PropertyPermission "java.vendor", "read";
          permission java.util.PropertyPermission "java.vendor.url", "read";
          permission java.util.PropertyPermission "java.class.version", "read";
          permission java.util.PropertyPermission "os.name", "read";
          permission java.util.PropertyPermission "os.version", "read";
          permission java.util.PropertyPermission "os.arch", "read";
          permission java.util.PropertyPermission "file.separator", "read";
          permission java.util.PropertyPermission "path.separator", "read";
          permission java.util.PropertyPermission "line.separator", "read";

          permission java.util.PropertyPermission "java.specification.version",
            "read";
          permission java.util.PropertyPermission "java.specification.vendor",
            "read";
          permission java.util.PropertyPermission "java.specification.name",
            "read";
          permission java.util.PropertyPermission
            "java.vm.specification.version", "read";
          permission java.util.PropertyPermission
            "java.vm.specification.vendor", "read";
          permission java.util.PropertyPermission "java.vm.specification.name",
            "read";
          permission java.util.PropertyPermission "java.vm.version", "read";
          permission java.util.PropertyPermission "java.vm.vendor", "read";
          permission java.util.PropertyPermission "java.vm.name", "read";
          permission java.util.PropertyPermission "sun.boot.class.path", "read";
          permission java.util.PropertyPermission "weblogic.xml.debug", "read";

          permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
          permission java.lang.RuntimePermission "accessDeclaredMembers";
          permission java.util.PropertyPermission "XL.*", "read";
          permission java.util.PropertyPermission "user.dir", "read";
          permission java.util.PropertyPermission "*", "read,write";

          permission java.lang.RuntimePermission "weblogic.kernelPermission";
          permission java.lang.RuntimePermission "getClassLoader";
          permission java.lang.RuntimePermission "createClassLoader";
          permission java.lang.RuntimePermission "setContextClassLoader";
          permission java.util.PropertyPermission "nexaweb.logs", "read,write";
          permission java.util.PropertyPermission
            "sun.net.client.defaultConnectTimeout", "read,write";
          permission java.io.FilePermission
            "${oim.domain}/XLApplications/WLNexaweb.ear/-", "read";
          permission java.io.FilePermission
            "${oim.domain}/XLApplications/WLXellerateFull.ear/-", "read";
          permission java.io.FilePermission
            "${bea.home}/wlserver_10.3/server/lib/weblogic.jar", "read";
          permission java.io.FilePermission
            "${oim.domain}/${server.name}/.wlnotdelete/-", "read";
          permission java.io.FilePermission "${nexaweb.home}/-", "read";

          permission java.lang.RuntimePermission "loadLibrary.*";
          permission java.lang.RuntimePermission "queuePrintJob";
          permission java.net.SocketPermission "*", "connect";
          permission java.io.FilePermission "<<ALL FILES>>", "read,write,execute";
          permission java.lang.RuntimePermission "modifyThreadGroup";
          permission java.lang.RuntimePermission "accessClassInPackage.sun.io";
          permission java.io.FilePermission "${XL.HomeDir}/adapters/-",
            "read,write,delete";
    };
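The listing above ends with a `grant { ... }` entry that has no codeBase, so every permission in it (including `<<ALL FILES>>` with `read,write,execute`, `setSecurityManager` and `setPolicy`) is held by all code the server loads, which is worth checking before a policy like this goes into production. The following audit script is an added example, not code from the Oracle documentation or from WebLogic; it parses the grant/permission syntax used in `weblogic.policy` and flags the sandbox-escaping entries, run here over a constructed excerpt shaped like the file on this page.

```python
"""Audit a Java 2 security policy (java.security.Policy grant syntax) for
over-broad grants. Added example; not part of the Oracle documentation."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# grant [codeBase "<url>"] { ... };   (the page mixes "codeBase"/"codebase")
# Quoted strings are consumed whole, so "${/}" or "${oim.domain}" inside a
# target cannot be mistaken for the entry's closing brace.
GRANT_RE = re.compile(
    r'grant(?:\s+codebase\s+"([^"]*)")?\s*\{((?:"[^"]*"|[^"}])*)\}\s*;',
    re.IGNORECASE | re.DOTALL,
)
# permission <class> ["<target>" [, "<actions>"]];   (may span lines)
PERM_RE = re.compile(
    r'permission\s+([\w.]+)(?:\s*"([^"]*)")?(?:\s*,\s*"([^"]*)")?\s*;',
    re.DOTALL,
)

# (permission class, target) pairs that let code leave the sandbox or widen
# its own rights at runtime. A None target matches any target.
ESCAPE_HATCHES = {
    ("java.security.AllPermission", None): "bypasses the sandbox entirely",
    ("java.lang.RuntimePermission", "setSecurityManager"): "can replace or drop the SecurityManager",
    ("java.security.SecurityPermission", "setPolicy"): "can replace the whole Policy at runtime",
    ("java.security.SecurityPermission", "*"): "every SecurityPermission, including setPolicy",
    ("java.lang.reflect.ReflectPermission", "suppressAccessChecks"): "reflection reaches private members",
}

@dataclass
class Grant:
    codebase: Optional[str]                       # None: applies to all code
    permissions: List[Tuple[str, Optional[str], str]] = field(default_factory=list)

@dataclass
class Finding:
    severity: str      # HIGH when every codebase gets it, REVIEW otherwise
    scope: str
    permission: str
    reason: str

def strip_comments(text: str) -> str:
    """Drop // comments so quotes and braces inside them are never parsed."""
    return re.sub(r"//[^\n]*", "", text)

def parse_policy(text: str) -> List[Grant]:
    grants = []
    for m in GRANT_RE.finditer(strip_comments(text)):
        perms = [(cls, target or None, actions or "")
                 for cls, target, actions in PERM_RE.findall(m.group(2))]
        grants.append(Grant(m.group(1), perms))
    return grants

def audit(grants: List[Grant]) -> List[Finding]:
    findings = []
    for g in grants:
        scope = g.codebase or "<all code: grant without codeBase>"
        severity = "HIGH" if g.codebase is None else "REVIEW"
        for cls, target, actions in g.permissions:
            acts = {a.strip() for a in actions.split(",") if a.strip()}
            shown = f'{cls} "{target}" "{actions}"' if target else cls
            reason = ESCAPE_HATCHES.get((cls, None)) or ESCAPE_HATCHES.get((cls, target))
            if reason is None and cls == "java.io.FilePermission" \
                    and target == "<<ALL FILES>>" and acts & {"write", "execute"}:
                reason = "filesystem-wide write/execute"
            if reason is None and cls == "java.util.PropertyPermission" \
                    and target == "*" and "write" in acts:
                reason = "any system property can be rewritten"
            if reason:
                findings.append(Finding(severity, scope, shown, reason))
    return findings

# Constructed excerpt shaped like the weblogic.policy on this page.
SAMPLE_POLICY = r'''
grant codeBase "file:${java.home}/lib/ext/-" {
    permission java.security.AllPermission;
};
grant codeBase "file:${XL.HomeDir}/lib/xlCrypto.jar" {
    permission java.security.SecurityPermission "insertProvider.SunJCE";
    permission java.security.SecurityPermission "insertProvider.SUN";
};
// "Minimal" permissions for everyone else
grant {
    permission java.util.PropertyPermission "java.version", "read";
    permission java.security.SecurityPermission "setPolicy";
    permission java.lang.RuntimePermission "setSecurityManager";
    permission java.util.PropertyPermission "*", "read,write";
    permission java.io.FilePermission       "<<ALL FILES>>", "read,write,execute";
    permission java.io.FilePermission "${XL.HomeDir}/adapters/-",
            "read,write,delete";
};
'''

if __name__ == "__main__":
    for f in audit(parse_policy(SAMPLE_POLICY)):
        print(f"[{f.severity}] {f.scope}: {f.permission} -> {f.reason}")
```

Run it against the real `weblogic.policy` by passing the file contents to `parse_policy`; HIGH findings are the ones every deployed codebase inherits.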