Oracle® Identity Manager Installation and Configuration Guide for IBM WebSphere Application Server Release 9.1.0.1 Part Number E14064-04
This appendix describes the following:
Note:
The application might fail to start because of syntax errors in the policy files. Be careful when you edit the policy files. Oracle recommends that you use the policy tool provided by the JDK for editing the policy files. The tool is available in the following directory:
WAS_HOME/jre/bin/policytool
To enable Java 2 Security for Oracle Identity Manager running on IBM WebSphere Application Server:
Log in to the WebSphere Administrative Console.
Expand the Security tab in the left navigation pane and then click Secure administration, applications, and infrastructure.
Click the Security Configuration Wizard button. The Security Configuration Wizard is displayed.
In the Specify Extent of Protection page of the Wizard, select the Use Java 2 security to restrict application access to local resources option and then click Next.
In the Select User Repository page of Wizard, click Next.
In the Configure User Repository page of the Wizard, enter XELSYSADM in the Primary administrative user name field. Click Next.
In the Summary page, click Finish.
To store the setting as Master Settings, click the Save link in the message.
Save this configuration and click Apply.
Check if the WAS_HOME/profiles/AppSrv01/properties/server.policy file exists. If the file exists, edit it and add the Java 2 Security permissions provided in the "Policy File" section. If it does not exist, then create it.
Policy File
The server.policy file consists of the following code:
Note:
- The instructions to change the code in the policy file are given in the comments in the code.
- Ensure that you change the cell name in the code example to reflect the cell name on which you install Oracle Identity Manager. This example uses STDLPC28Node02Cell as the cell name.
- This server.policy example is for a UNIX installation. For Windows, ensure that you change the / between the directory names to \\ in every permission java.io.FilePermission property.
- Ensure that you change the multicast IP 231.167.157.106 in this example to reflect the multicast IP address of the Oracle Identity Manager installation. You can find the Oracle Identity Manager multicast IP address in xlconfig.xml.
// *******************************************
// WebSphere Server Security Policy
// *******************************************
//
// Application client permissions are specified in client.policy
// Warning: Deviating from this policy might result in unexpected
// AccessControlExceptions if a more "fine grain" policy is
// specified.
// The application policy is specified in app.policy (per node) and was.policy
// (per enterprise application).
//
// Allow to use sun tools
grant codeBase "file:${java.home}/../lib/tools.jar" {
    permission java.security.AllPermission;
};

// WebSphere system classes
grant codeBase "file:${was.install.root}/plugins/-" {
    permission java.security.AllPermission;
};

grant codeBase "file:${was.install.root}/lib/-" {
    permission java.security.AllPermission;
};

grant codeBase "file:${was.install.root}/classes/-" {
    permission java.security.AllPermission;
};

// Allow the WebSphere deploy tool all permissions
grant codeBase "file:${was.install.root}/deploytool/-" {
    permission java.security.AllPermission;
};

// Allow Channel Framework classes all permissions
grant codeBase "file:${was.install.root}/installedChannels/-" {
    permission java.security.AllPermission;
};

// WebSphere optional runtime classes
grant codeBase "file:${was.install.root}/optionalLibraries/-" {
    permission java.security.AllPermission;
};

//
// *******************************************
// From here, the Oracle Identity Manager application permissions start
// *******************************************

// OIM codebase permissions
// Change Cell "STDLPC28Node02Cell" Value in given code
grant codeBase "file:${user.install.root}/installedApps/STDLPC28Node02Cell/Xellerate.ear/-" {
    // File permissions
    // Change Cell "STDLPC28Node02Cell" Value in given code
    permission java.io.FilePermission "${user.install.root}/temp/STDLPC28Node02Cell/server1/-", "read,write,delete";

    // Need read, write, and delete permissions on $OIM_HOME/config folder
    // to read various config files, write the
    // xlconfig.xml.{0,1,2..} files upon re-encryption and delete
    // the last xlconfig.xml if the numbers go above 9.
    permission java.io.FilePermission "${XL.HomeDir}/config/-", "read, write, delete";
    permission java.io.FilePermission "${XL.HomeDir}/-", "read";

    // Need read,write,delete permissions to generate adapter java
    // code, delete the .class file when the adapter is loaded into
    // the database
    permission java.io.FilePermission "${XL.HomeDir}/adapters/-", "read,write,delete";

    // This is required by the connectors and connector installer
    permission java.io.FilePermission "${XL.HomeDir}/ConnectorDefaultDirectory/-", "read,write,delete";
    permission java.io.FilePermission "${XL.HomeDir}/connectorResources/-", "read,write,delete";

    // Must read Globalization resource bundle files for various
    // locales
    permission java.io.FilePermission "${XL.HomeDir}/customResources/-", "read";

    // Must read code from "JavaTasks", "ScheduleTask",
    // "ThirdParty", "EventHandlers" folder
    permission java.io.FilePermission "${XL.HomeDir}/EventHandlers/-", "read";
    permission java.io.FilePermission "${XL.HomeDir}/JavaTasks/-", "read";
    permission java.io.FilePermission "${XL.HomeDir}/ScheduleTask/-", "read";
    permission java.io.FilePermission "${XL.HomeDir}/ThirdParty/-", "read";

    // Required by the Generic Technology connector
    permission java.io.FilePermission "${XL.HomeDir}/GTC/-", "read";

    permission java.io.FilePermission "${java.home}/lib/-", "read";
    permission java.lang.RuntimePermission "accessClassInPackage.sun.security.action";

    // OIM server invokes the java compiler. You need "execute"
    // permissions on all files.
    permission java.io.FilePermission "<<ALL FILES>>", "execute";

    // Socket permissions
    // Allow all permissions on non-privileged sockets
    // The multicast address should be the same as the one in
    // xlconfig.xml for javagroups communication
    permission java.net.SocketPermission "*:1024-", "connect,listen,resolve,accept";

    // This IP address is a multicast address of the computer. Ensure
    // it is the same as that defined in xlConfig.xml.
    permission java.net.SocketPermission "231.167.157.106", "connect,accept,resolve";

    // Property permissions
    // Read and write Oracle Identity Manager properties
    // Read XL.*, java.* and log4j.* properties
    permission java.util.PropertyPermission "XL.HomeDir", "read";
    permission java.util.PropertyPermission "XL.*", "read";
    permission java.util.PropertyPermission "XL.ConfigAutoReload", "read";
    permission java.util.PropertyPermission "log4j.*", "read";
    permission java.util.PropertyPermission "user.dir", "read";
    permission java.util.PropertyPermission "file.encoding", "read";
    permission java.util.PropertyPermission "java.class.path", "read";
    permission java.util.PropertyPermission "java.ext.dirs", "read";
    permission java.util.PropertyPermission "java.library.path", "read";

    // Runtime permissions
    // The Oracle Identity Manager server needs permissions
    // to create its own class loader, get the class loader,
    // modify threads and register shutdown hooks
    permission java.lang.RuntimePermission "createClassLoader";
    permission java.lang.RuntimePermission "getClassLoader";
    permission java.lang.RuntimePermission "setContextClassLoader";
    permission java.lang.RuntimePermission "setFactory";
    permission java.lang.RuntimePermission "modifyThread";
    permission java.lang.RuntimePermission "modifyThreadGroup";
    permission java.lang.RuntimePermission "shutdownHooks";

    // The Oracle Identity Manager server needs runtime
    // permissions to generate and load classes in the
    // following packages. Also access the
    // declared members of a class.
    permission java.lang.RuntimePermission "defineClassInPackage.com.thortech.xl.adapterGlue.ScheduleItemEvents";
    permission java.lang.RuntimePermission "defineClassInPackage.com.thortech.xl.dataobj.rulegenerators";
    permission java.lang.RuntimePermission "defineClassInPackage.com.thortech.xl.adapterGlue";
    permission java.lang.RuntimePermission "accessDeclaredMembers";

    // Reflection permissions
    // Give permissions to access and invoke fields/methods from
    // reflected classes.
    permission java.lang.reflect.ReflectPermission "suppressAccessChecks";

    // Security permissions for Oracle Identity Manager server
    permission java.security.SecurityPermission "*";
    permission java.security.SecurityPermission "insertProvider.IBMJCE";
    permission javax.security.auth.AuthPermission "doAs";
    permission javax.security.auth.AuthPermission "doPrivileged";
    permission javax.security.auth.AuthPermission "getSubject";
    permission javax.security.auth.AuthPermission "modifyPrincipals";
    permission javax.security.auth.AuthPermission "createLoginContext";
    permission javax.security.auth.AuthPermission "getLoginConfiguration";
    permission javax.security.auth.AuthPermission "setLoginConfiguration";
    permission java.security.SecurityPermission "getProperty.policy.allowSystemProperty";
    permission java.security.SecurityPermission "getProperty.login.config.url.1";
    permission javax.security.auth.AuthPermission "refreshLoginConfiguration";

    // SSL permission (for remote manager)
    permission javax.net.ssl.SSLPermission "getSSLSessionContext";

    // Serializable permissions
    permission java.io.SerializablePermission "enableSubstitution";
};

// Grant AllPermission to nexaweb-common.jar
grant codeBase "file:${was.install.root}/lib/nexaweb-common.jar" {
    permission java.security.AllPermission;
};

// Grant AllPermission to wssec.jar
grant codeBase "file:${was.install.root}/lib/wssec.jar" {
    permission java.security.AllPermission;
};

// Nexaweb server codebase permissions
// Change Cell "STDLPC28Node02Cell" Value in given code
grant codeBase "file:${user.install.root}/installedApps/STDLPC28Node02Cell/Nexaweb.ear/-" {
    // File permissions
    permission java.io.FilePermission "${user.install.root}/temp/STDLPC28Node02Cell/server1/-", "read,write,delete";
    permission java.io.FilePermission "${user.install.root}/installedApps/STDLPC28Node02Cell/Xellerate.ear/-", "read";
    permission java.io.FilePermission "${user.home}", "read, write";
    permission java.io.FilePermission "${user.install.root}/installedApps/STDLPC28Node02Cell/Nexaweb.ear/-", "read";
    permission java.io.FilePermission "${XL.HomeDir}/adapters/-", "read,write,delete";
    permission java.io.FilePermission "<<ALL FILES>>", "execute";

    // Property permissions
    permission java.util.PropertyPermission "user.dir", "read";
    permission java.util.PropertyPermission "*", "read,write";

    // Runtime permissions
    // Nexaweb server needs permissions to create its own class loader,
    // get the class loader etc.
    permission java.lang.RuntimePermission "createClassLoader";
    permission java.lang.RuntimePermission "getClassLoader";
    permission java.lang.RuntimePermission "setContextClassLoader";
    permission java.lang.RuntimePermission "setFactory";
    permission java.lang.RuntimePermission "shutdownHooks";

    // Nexaweb server security permissions to load the Cryptix
    // extension
    permission java.security.SecurityPermission "insertProvider.Cryptix";

    // Socket permissions
    // Permissions on all non-privileged ports.
    permission java.net.SocketPermission "*:1024-", "listen, connect, resolve";

    // Security permissions
    permission javax.security.auth.AuthPermission "doAs";
    permission javax.security.auth.AuthPermission "modifyPrincipals";
    permission javax.security.auth.AuthPermission "createLoginContext";
    permission java.lang.RuntimePermission "modifyThread";
    permission java.lang.RuntimePermission "accessClassInPackage.sun.security.action";
};

// The following are permissions given to codebase in the
// Oracle Identity Manager server directory
grant codeBase "file:${XL.HomeDir}/-" {
    // File permissions
    permission java.io.FilePermission "${XL.HomeDir}/config/-", "read";
    permission java.io.FilePermission "${XL.HomeDir}/JavaTasks/-", "read";
    permission java.io.FilePermission "${XL.HomeDir}/ScheduleTasks/-", "read";
    permission java.io.FilePermission "${XL.HomeDir}/ThirdParty/-", "read";
    permission java.io.FilePermission "${XL.HomeDir}/adapters/-", "read,write,delete";

    // Socket permissions
    permission java.net.SocketPermission "*:1024-", "connect,listen,resolve,accept";

    // Property permissions
    permission java.util.PropertyPermission "XL.HomeDir", "read";
    permission java.util.PropertyPermission "XL.ConfigAutoReload", "read";
    permission java.util.PropertyPermission "XL.*", "read";
    permission java.util.PropertyPermission "log4j.*", "read";
    permission java.util.PropertyPermission "user.dir", "read";

    // Security permissions
    permission javax.security.auth.AuthPermission "doAs";
    permission javax.security.auth.AuthPermission "modifyPrincipals";
    permission javax.security.auth.AuthPermission "createLoginContext";
    permission java.lang.RuntimePermission "modifyThread";
    permission java.lang.RuntimePermission "accessClassInPackage.sun.security.action";
};

// Default permissions granted to all domains
grant {
    // "standard" properties that can be read by anyone
    permission java.util.PropertyPermission "java.version", "read";
    permission java.util.PropertyPermission "java.vendor", "read";
    permission java.util.PropertyPermission "java.vendor.url", "read";
    permission java.util.PropertyPermission "java.class.version", "read";
    permission java.util.PropertyPermission "os.name", "read";
    permission java.util.PropertyPermission "os.version", "read";
    permission java.util.PropertyPermission "os.arch", "read";
    permission java.util.PropertyPermission "file.separator", "read";
    permission java.util.PropertyPermission "path.separator", "read";
    permission java.util.PropertyPermission "line.separator", "read";
    permission java.util.PropertyPermission "java.specification.version", "read";
    permission java.util.PropertyPermission "java.specification.vendor", "read";
    permission java.util.PropertyPermission "java.specification.name", "read";
    permission java.util.PropertyPermission "java.vm.specification.version", "read";
    permission java.util.PropertyPermission "java.vm.specification.vendor", "read";
    permission java.util.PropertyPermission "java.vm.specification.name", "read";
    permission java.util.PropertyPermission "java.vm.version", "read";
    permission java.util.PropertyPermission "java.vm.vendor", "read";
    permission java.util.PropertyPermission "java.vm.name", "read";
    permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
    permission java.lang.RuntimePermission "accessDeclaredMembers";
    permission java.util.PropertyPermission "XL.*", "read";
    permission java.util.PropertyPermission "user.dir", "read";
    permission java.util.PropertyPermission "*", "read,write";
    permission java.lang.RuntimePermission "getClassLoader";
    permission java.lang.RuntimePermission "createClassLoader";
    permission java.lang.RuntimePermission "setContextClassLoader";
    permission java.util.PropertyPermission "nexaweb.logs", "read,write";
    permission java.lang.RuntimePermission "loadLibrary.*";
    permission java.lang.RuntimePermission "queuePrintJob";
    permission java.net.SocketPermission "*", "connect";
    permission java.io.FilePermission "<<ALL FILES>>", "read,write";
    permission java.lang.RuntimePermission "modifyThreadGroup";
    permission javax.security.auth.AuthPermission "doAs";
    permission java.lang.RuntimePermission "modifyThread";
};
Note:
The application might fail to start because of syntax errors in the policy files. Be careful when editing the policy files. Oracle recommends that you use the policy tool provided by the JDK for editing the policy files. The tool is available in the following directory:
WAS_HOME/jre/bin/policytool
This section describes the Java 2 Security permissions for WebSphere in a clustered environment. To enable Java 2 Security for Oracle Identity Manager running on a WebSphere cluster:
Log in to the WebSphere Administrative Console.
Expand the Security tab in the left navigation pane and then click Secure administration, applications, and infrastructure.
Click the Security Configuration Wizard button. The Security Configuration Wizard is displayed.
In the Specify Extent of Protection page of the Wizard, select the Use Java 2 security to restrict application access to local resources option.
In the Select User Repository page of Wizard, click Next.
In the Configure User Repository page of the Wizard, enter XELSYSADM in the Primary administrative user name field. Click Next.
In the Summary page, click Finish.
To store the setting as Master Settings, click the Save link in the message, and then click Apply.
Check if the WAS_HOME/profiles/<PROFILE_NAME>/properties/server.policy file exists. If the file exists, edit it and add the Java 2 Security permissions provided in the "Policy File" section. If it does not exist, then create it. You must do this on every node on which Oracle Identity Manager is deployed.
Policy File
The server.policy file consists of the following code:
Note:
- The instructions to change the code in the policy file are given in the comments in the code.
- Ensure that you change the cell name in the code example to reflect the cell name on which you install Oracle Identity Manager. This example uses XL_CELL as the cell name, XL_NODE1 as the node name, and XL_SERVER_ON_NODE_1 as the server name.
- This server.policy example is for a UNIX installation. For Windows, ensure that you change the / between the directory names to \\ in every permission java.io.FilePermission property.
- Ensure that you change the multicast IP 231.145.165.117 in this example to reflect the multicast IP address of the Oracle Identity Manager installation. You can find the Oracle Identity Manager multicast IP address in xlconfig.xml.
// WebSphere Server Security Policy
//
// Application client permissions are specified in client.policy
// Warning: Deviating from this policy might result in unexpected
// AccessControlExceptions if a more "fine grain" policy is
// specified.
// The application policy is specified in app.policy (per node) and was.policy
// (per enterprise application).
//
// Allow to use sun tools
grant codeBase "file:${java.home}/../lib/tools.jar" {
    permission java.security.AllPermission;
};

// WebSphere system classes
grant codeBase "file:${was.install.root}/plugins/-" {
    permission java.security.AllPermission;
};

grant codeBase "file:${was.install.root}/lib/-" {
    permission java.security.AllPermission;
};

grant codeBase "file:${was.install.root}/classes/-" {
    permission java.security.AllPermission;
};

// Allow the WebSphere deploy tool all permissions
grant codeBase "file:${was.install.root}/deploytool/-" {
    permission java.security.AllPermission;
};

// Allow Channel Framework classes all permission
grant codeBase "file:${was.install.root}/installedChannels/-" {
    permission java.security.AllPermission;
};

// WebSphere optional runtime classes
grant codeBase "file:${was.install.root}/optionalLibraries/-" {
    permission java.security.AllPermission;
};

// *****************************************************************
// From here, Oracle Identity Manager application permissions start
// *****************************************************************

// OIM codebase permissions
// Change Cell "XL_CELL" Value to the one in your installation
grant codeBase "file:${user.install.root}/installedApps/XL_CELL/Xellerate.ear/-" {
    // File permissions
    // Change Node "XL_NODE1" Value and Server "XL_SERVER_ON_NODE_1" value
    // to the one in your installation
    permission java.io.FilePermission "${user.install.root}/temp/XL_NODE1/XL_SERVER_ON_NODE_1/-", "read,write,delete";

    // Need read, write, and delete permissions on $OIM_HOME/config folder
    // to read various config files, write the
    // xlconfig.xml.{0,1,2..} files upon re-encryption and delete
    // the last xlconfig.xml if the numbers go above 9.
    permission java.io.FilePermission "${XL.HomeDir}/config/-", "read, write, delete";
    permission java.io.FilePermission "${XL.HomeDir}/-", "read";

    // Need read, write, and delete permissions to generate adapter java
    // code, delete the .class file when the adapter is loaded into
    // the database
    permission java.io.FilePermission "${XL.HomeDir}/adapters/-", "read,write,delete";

    // This is required by the connectors and connector installer
    permission java.io.FilePermission "${XL.HomeDir}/ConnectorDefaultDirectory/-", "read,write,delete";
    permission java.io.FilePermission "${XL.HomeDir}/connectorResources/-", "read,write,delete";

    // Must read Globalization resource bundle files for various
    // locales
    permission java.io.FilePermission "${XL.HomeDir}/customResources/-", "read";

    // Must read code from "JavaTasks", "ScheduleTask",
    // "ThirdParty", "EventHandlers" folder
    permission java.io.FilePermission "${XL.HomeDir}/EventHandlers/-", "read";
    permission java.io.FilePermission "${XL.HomeDir}/JavaTasks/-", "read";
    permission java.io.FilePermission "${XL.HomeDir}/ScheduleTask/-", "read";
    permission java.io.FilePermission "${XL.HomeDir}/ThirdParty/-", "read";

    // Required by the Generic Technology connector
    permission java.io.FilePermission "${XL.HomeDir}/GTC/-", "read";

    permission java.io.FilePermission "${java.home}/lib/-", "read";
    permission java.lang.RuntimePermission "accessClassInPackage.sun.security.action";

    // OIM server invokes the java compiler. You need "execute"
    // permissions on all files.
    permission java.io.FilePermission "<<ALL FILES>>", "execute";

    // Socket permissions
    // Basically we allow all permissions on non-privileged sockets
    // The multicast address should be the same as the one in
    // xlconfig.xml for javagroups communication
    permission java.net.SocketPermission "*:1024-", "connect,listen,resolve,accept";

    // This IP address is a multicast address on which cluster
    // communication takes place. Ensure that it is same as defined in
    // xlConfig.xml
    permission java.net.SocketPermission "231.145.165.117", "connect,accept,resolve";

    // Property permissions
    // Read and write OIM properties
    // Read XL.*, java.* and log4j.* properties
    permission java.util.PropertyPermission "XL.HomeDir", "read";
    permission java.util.PropertyPermission "XL.*", "read";
    permission java.util.PropertyPermission "XL.ConfigAutoReload", "read";
    permission java.util.PropertyPermission "log4j.*", "read";
    permission java.util.PropertyPermission "user.dir", "read";
    permission java.util.PropertyPermission "file.encoding", "read";
    permission java.util.PropertyPermission "java.class.path", "read";
    permission java.util.PropertyPermission "java.ext.dirs", "read";
    permission java.util.PropertyPermission "java.library.path", "read";

    // Runtime permissions
    // OIM server needs permissions to create its own class loader,
    // get the class loader, modify threads and register shutdown
    // hooks
    permission java.lang.RuntimePermission "createClassLoader";
    permission java.lang.RuntimePermission "getClassLoader";
    permission java.lang.RuntimePermission "setContextClassLoader";
    permission java.lang.RuntimePermission "setFactory";
    permission java.lang.RuntimePermission "modifyThread";
    permission java.lang.RuntimePermission "modifyThreadGroup";
    permission java.lang.RuntimePermission "shutdownHooks";

    // OIM server needs runtime permissions to generate and load
    // classes in the following packages. Also access the
    // declared members of a class.
    permission java.lang.RuntimePermission "defineClassInPackage.com.thortech.xl.adapterGlue.ScheduleItemEvents";
    permission java.lang.RuntimePermission "defineClassInPackage.com.thortech.xl.dataobj.rulegenerators";
    permission java.lang.RuntimePermission "defineClassInPackage.com.thortech.xl.adapterGlue";
    permission java.lang.RuntimePermission "accessDeclaredMembers";

    // Reflection permissions
    // Give permissions to access and invoke fields/methods from
    // reflected classes.
    permission java.lang.reflect.ReflectPermission "suppressAccessChecks";

    // Security permissions for OIM server
    permission java.security.SecurityPermission "*";
    permission java.security.SecurityPermission "insertProvider.IBMJCE";
    permission javax.security.auth.AuthPermission "doAs";
    permission javax.security.auth.AuthPermission "doPrivileged";
    permission javax.security.auth.AuthPermission "getSubject";
    permission javax.security.auth.AuthPermission "modifyPrincipals";
    permission javax.security.auth.AuthPermission "createLoginContext";
    permission javax.security.auth.AuthPermission "getLoginConfiguration";
    permission javax.security.auth.AuthPermission "setLoginConfiguration";
    permission java.security.SecurityPermission "getProperty.policy.allowSystemProperty";
    permission java.security.SecurityPermission "getProperty.login.config.url.1";
    permission javax.security.auth.AuthPermission "refreshLoginConfiguration";

    // SSL permission (for remote manager)
    permission javax.net.ssl.SSLPermission "getSSLSessionContext";

    // Serializable permissions
    permission java.io.SerializablePermission "enableSubstitution";
};

// Grant AllPermission to nexaweb-common.jar
grant codeBase "file:${was.install.root}/lib/nexaweb-common.jar" {
    permission java.security.AllPermission;
};

// Grant AllPermission to wssec.jar
grant codeBase "file:${was.install.root}/lib/wssec.jar" {
    permission java.security.AllPermission;
};

// Nexaweb codebase permissions
// Change Cell "XL_CELL", Node "XL_NODE1" and Server "XL_SERVER_ON_NODE_1"
// values to the one in your install
grant codeBase "file:${user.install.root}/installedApps/XL_CELL/Nexaweb.ear/-" {
    // File permissions
    permission java.io.FilePermission "${user.install.root}/temp/XL_NODE1/XL_SERVER_ON_NODE_1/-", "read,write,delete";
    permission java.io.FilePermission "${user.install.root}/installedApps/XL_CELL/Xellerate.ear/-", "read";
    permission java.io.FilePermission "${user.home}", "read, write";
    permission java.io.FilePermission "${user.install.root}/installedApps/XL_CELL/Nexaweb.ear/-", "read";
    permission java.io.FilePermission "${XL.HomeDir}/adapters/-", "read,write,delete";
    permission java.io.FilePermission "<<ALL FILES>>", "execute";

    // Property permissions
    permission java.util.PropertyPermission "user.dir", "read";
    permission java.util.PropertyPermission "*", "read,write";

    // Runtime permissions
    // Nexaweb server needs permissions to create its own class loader,
    // get the class loader etc.
    permission java.lang.RuntimePermission "createClassLoader";
    permission java.lang.RuntimePermission "getClassLoader";
    permission java.lang.RuntimePermission "setContextClassLoader";
    permission java.lang.RuntimePermission "setFactory";
    permission java.lang.RuntimePermission "shutdownHooks";

    // Nexaweb server security permissions to load the Cryptix
    // extension
    permission java.security.SecurityPermission "insertProvider.Cryptix";

    // Socket permissions
    // Permissions on all non-privileged ports.
    permission java.net.SocketPermission "*:1024-", "listen, connect, resolve";

    // Security permissions
    permission javax.security.auth.AuthPermission "doAs";
    permission javax.security.auth.AuthPermission "modifyPrincipals";
    permission javax.security.auth.AuthPermission "createLoginContext";
    permission java.lang.RuntimePermission "modifyThread";
    permission java.lang.RuntimePermission "accessClassInPackage.sun.security.action";
};

// The following are permissions given to codebase in the OIM server
// directory
grant codeBase "file:${XL.HomeDir}/-" {
    // File permissions
    permission java.io.FilePermission "${XL.HomeDir}/config/-", "read";
    permission java.io.FilePermission "${XL.HomeDir}/JavaTasks/-", "read";
    permission java.io.FilePermission "${XL.HomeDir}/ScheduleTasks/-", "read";
    permission java.io.FilePermission "${XL.HomeDir}/ThirdParty/-", "read";
    permission java.io.FilePermission "${XL.HomeDir}/adapters/-", "read,write,delete";

    // Socket permissions
    permission java.net.SocketPermission "*:1024-", "connect,listen,resolve,accept";

    // Property permissions
    permission java.util.PropertyPermission "XL.HomeDir", "read";
    permission java.util.PropertyPermission "XL.ConfigAutoReload", "read";
    permission java.util.PropertyPermission "XL.*", "read";
    permission java.util.PropertyPermission "log4j.*", "read";
    permission java.util.PropertyPermission "user.dir", "read";

    // Security permissions
    permission javax.security.auth.AuthPermission "doAs";
    permission javax.security.auth.AuthPermission "modifyPrincipals";
    permission javax.security.auth.AuthPermission "createLoginContext";
    permission java.lang.RuntimePermission "modifyThread";
    permission java.lang.RuntimePermission "accessClassInPackage.sun.security.action";
};

// default permissions granted to all domains
grant {
    // "standard" properties that can be read by anyone
    permission java.util.PropertyPermission "java.version", "read";
    permission java.util.PropertyPermission "java.vendor", "read";
    permission java.util.PropertyPermission "java.vendor.url", "read";
    permission java.util.PropertyPermission "java.class.version", "read";
    permission java.util.PropertyPermission "os.name", "read";
    permission java.util.PropertyPermission "os.version", "read";
    permission java.util.PropertyPermission "os.arch", "read";
    permission java.util.PropertyPermission "file.separator", "read";
    permission java.util.PropertyPermission "path.separator", "read";
    permission java.util.PropertyPermission "line.separator", "read";
    permission java.util.PropertyPermission "java.specification.version", "read";
    permission java.util.PropertyPermission "java.specification.vendor", "read";
    permission java.util.PropertyPermission "java.specification.name", "read";
    permission java.util.PropertyPermission "java.vm.specification.version", "read";
    permission java.util.PropertyPermission "java.vm.specification.vendor", "read";
    permission java.util.PropertyPermission "java.vm.specification.name", "read";
    permission java.util.PropertyPermission "java.vm.version", "read";
    permission java.util.PropertyPermission "java.vm.vendor", "read";
    permission java.util.PropertyPermission "java.vm.name", "read";
    permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
    permission java.lang.RuntimePermission "accessDeclaredMembers";
    permission java.util.PropertyPermission "XL.*", "read";
    permission java.util.PropertyPermission "user.dir", "read";
    permission java.util.PropertyPermission "*", "read,write";
    permission java.lang.RuntimePermission "getClassLoader";
    permission java.lang.RuntimePermission "createClassLoader";
    permission java.lang.RuntimePermission "setContextClassLoader";
    permission java.util.PropertyPermission "nexaweb.logs", "read,write";
    permission java.lang.RuntimePermission "loadLibrary.*";
    permission java.lang.RuntimePermission "queuePrintJob";
    permission java.net.SocketPermission "*", "connect";
    permission java.io.FilePermission "<<ALL FILES>>", "read,write";
    permission java.lang.RuntimePermission "modifyThreadGroup";
    permission javax.security.auth.AuthPermission "doAs";
    permission java.lang.RuntimePermission "modifyThread";
    permission com.ibm.websphere.security.WebSphereRuntimePermission "AdminPermission";
};
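The notes above warn that a syntax error in server.policy stops the server from starting, and that the cell name, node and server names, path separators and multicast IP all have to be edited by hand. The program below is an added pre-deployment check, not part of the Oracle guide: it loads a server.policy (either the standalone or the cluster version) with the JDK's own policy engine and asks it whether the Xellerate.ear codebase actually holds the permissions the file is meant to grant, so a parse error or an unreplaced placeholder is visible before the restart. It assumes a JDK that provides the standard JavaPolicy type (Java 6 or later); the class name, argument order, and the sample file names inside the ear are mine.

```java
import java.io.File;
import java.io.FilePermission;
import java.net.SocketPermission;
import java.net.URL;
import java.security.AllPermission;
import java.security.CodeSource;
import java.security.Permission;
import java.security.Policy;
import java.security.ProtectionDomain;
import java.security.URIParameter;
import java.security.cert.Certificate;
import java.util.PropertyPermission;

// Hypothetical pre-deployment check for server.policy (not from the Oracle guide).
// usage: java ServerPolicyCheck <server.policy> <was.install.root> <user.install.root>
//                               <XL.HomeDir> <cell name> <multicast IP>
public class ServerPolicyCheck {

    // Ask the loaded policy whether code from codeBase would hold permission p.
    static boolean granted(Policy policy, String codeBase, Permission p) throws Exception {
        CodeSource cs = new CodeSource(new URL(codeBase), (Certificate[]) null);
        return policy.implies(new ProtectionDomain(cs, null), p);
    }

    // Join with the platform separator so the same check works against a file
    // written with "/" (UNIX) or "\\" (Windows), as the note above requires.
    static String path(String... parts) {
        StringBuilder sb = new StringBuilder(parts[0]);
        for (int i = 1; i < parts.length; i++) sb.append(File.separator).append(parts[i]);
        return sb.toString();
    }

    static int report(String label, boolean ok) {
        System.out.println((ok ? "[ok]   " : "[FAIL] ") + label);
        return ok ? 0 : 1;
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 6) {
            System.err.println("usage: ServerPolicyCheck <server.policy> <was.install.root> "
                    + "<user.install.root> <XL.HomeDir> <cell> <multicastIP>");
            System.exit(2);
        }
        String wasRoot = args[1], userRoot = args[2], home = args[3], cell = args[4], mcast = args[5];

        // The file refers to ${was.install.root}, ${user.install.root} and ${XL.HomeDir}.
        // The parser drops any grant entry it cannot expand, so define them exactly
        // as the server JVM will see them.
        System.setProperty("was.install.root", wasRoot);
        System.setProperty("user.install.root", userRoot);
        System.setProperty("XL.HomeDir", home);

        // On a syntax error the parser reports on stderr and falls back to an
        // empty policy, so every positive check below then fails.
        Policy policy = Policy.getInstance("JavaPolicy",
                new URIParameter(new File(args[0]).toURI()));

        // A (hypothetical) jar inside the exploded Xellerate.ear, matched by the
        // "installedApps/<cell>/Xellerate.ear/-" codeBase of the grant.
        String oimEar = new File(path(userRoot, "installedApps", cell, "Xellerate.ear",
                "lib", "any.jar")).toURI().toString();

        int failures = 0;
        failures += report("OIM can rotate xlconfig.xml under config/", granted(policy, oimEar,
                new FilePermission(path(home, "config", "xlconfig.xml"), "read,write,delete")));
        failures += report("OIM can write generated adapter classes", granted(policy, oimEar,
                new FilePermission(path(home, "adapters", "Generated.class"), "read,write,delete")));
        failures += report("OIM can execute the java compiler", granted(policy, oimEar,
                new FilePermission(path(wasRoot, "java", "bin", "javac"), "execute")));
        failures += report("OIM can use the multicast address from xlconfig.xml", granted(policy,
                oimEar, new SocketPermission(mcast, "connect,accept,resolve")));
        failures += report("OIM can read XL.* properties", granted(policy, oimEar,
                new PropertyPermission("XL.ConfigAutoReload", "read")));
        // A codebase the file does not name must get only the default grant block.
        failures += report("unlisted jar does not get AllPermission", !granted(policy,
                new File(path(home, "unlisted.jar")).toURI().toString(), new AllPermission()));
        System.exit(failures == 0 ? 0 : 1);
    }
}
```

Run it with the same JDK the server uses and the same values of was.install.root, user.install.root and XL.HomeDir; a [FAIL] line on an entry that is present in the file almost always means a placeholder such as the cell name or multicast IP was left unedited.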