Sun OpenSSO Enterprise 8.0 Installation and Configuration Guide

OpenSSO Enterprise Security Permissions for Geronimo Application Server

Procedure: To Enable the Java Security Manager for Geronimo Application Server

  1. Create a new security policy file named geronimo.policy in the following directory:

    geronimo_home/bin

    Add the security permissions shown in Example 2–7 to the geronimo.policy file.

  2. In the geronimo.sh script, add the following two lines to the start block. Note that the value of -Djava.security.policy is resolved relative to the JVM's working directory, and the JVM does not fail if the policy file cannot be found (it simply continues with only the JRE default policy). Because the file was created in geronimo_home/bin, consider referring to it by its absolute path, "$GERONIMO_HOME"/bin/geronimo.policy, as the script already does for server.jar:

    -Djava.security.manager \
    -Djava.security.policy=geronimo.policy \

    For example, the start block will then look like the following:

    elif [ "$1" = "start" ] ; then
      shift
      touch "$GERONIMO_OUT"
      $START_OS_CMD "$_RUNJAVA" $JAVA_OPTS $GERONIMO_OPTS \
        $JAVA_AGENT_OPTS \
        -Dorg.apache.geronimo.base.dir="$GERONIMO_BASE" \
        -Djava.endorsed.dirs="$ENDORSED_DIRS" \
        -Djava.ext.dirs="$EXT_DIRS" \
        -Djava.io.tmpdir="$GERONIMO_TMPDIR" \
        -Djava.security.manager \
        -Djava.security.policy=geronimo.policy \
        -XX:MaxPermSize=512M \
        -jar "$GERONIMO_HOME"/bin/server.jar $LONG_OPT "$@" \
           $GERONIMO_OUT 2>&1 &
        echo ""
        echo "Geronimo started in background. PID: $!"
        if [ ! -z "$GERONIMO_PID" ]; then
          echo $! > $GERONIMO_PID
        fi
  3. Restart Geronimo Application Server, then check the server log: any permission the policy does not grant shows up as a java.security.AccessControlException at the point where it is needed.


Example 2–7 OpenSSO Enterprise Security Permissions for Geronimo Application Server

// ----------------------------------------------------------------------------
// Permissions for Geronimo Application Server
// ----------------------------------------------------------------------------
// Java security policy file (java.security.policy syntax). Grants are
// cumulative: a class receives the union of every grant whose codeBase
// matches it, and a grant with no codeBase clause applies to ALL code loaded
// by the JVM, including deployed web applications such as OpenSSO Enterprise.
// When the file is passed with a single "=" (-Djava.security.policy=...), it
// is added to, not substituted for, the JRE's default java.policy.
//
// Geronimo gets all permissions
// The trailing "/-" matches every JAR and class under the directory,
// recursively.
grant codeBase "file:${org.apache.geronimo.base.dir}/lib/-" {
permission java.security.AllPermission;
};

grant codeBase "file:${org.apache.geronimo.base.dir}/repository/-" {
permission java.security.AllPermission;
};

// NOTE(review): no codeBase clause, so everything in this block is granted
// to all code. It includes setPolicy and createSecurityManager, which let
// any code replace the policy or the security manager itself.
grant {
permission java.lang.RuntimePermission "shutdownHooks";
permission java.lang.RuntimePermission "getenv.*";
permission java.lang.RuntimePermission "getProtectionDomain";
permission java.lang.RuntimePermission "modifyThread";
permission java.lang.RuntimePermission "getClassLoader";
permission java.lang.RuntimePermission "createSecurityManager";

permission javax.management.MBeanServerPermission "findMBeanServer";
permission javax.security.auth.AuthPermission "setReadOnly";
// Replacing the Policy object disables every restriction in this file.
permission java.security.SecurityPermission "setPolicy";
permission java.security.SecurityPermission "getPolicy";
permission java.security.SecurityPermission "createAccessControlContext";
permission java.security.SecurityPermission "getProperty.package.definition";
permission java.security.SecurityPermission "setProperty.package.definition";
permission java.security.SecurityPermission "getProperty.package.access";
permission java.security.SecurityPermission "setProperty.package.access";
permission org.apache.geronimo.security.GeronimoSecurityPermission "getContext";
permission org.apache.geronimo.security.GeronimoSecurityPermission "setContext";
permission org.apache.geronimo.security.GeronimoSecurityPermission "configure";

// NOTE(review): the leading "X" in these two property names looks like either
// a typo or a deliberately disabled entry (the Geronimo property names start
// with "org."); confirm against the policy this was copied from.
permission java.util.PropertyPermission "Xorg.apache.geronimo.gbean.NoProxy", "read";
permission java.util.PropertyPermission "Xorg.apache.geronimo.kernel.config.Marshaler", "read";
};

// NOTE(review): this second global grant (again no codeBase) is in practice
// as powerful as AllPermission. Any code in the JVM may read, write, execute
// and delete every file (<<ALL FILES>>), open or accept any socket, read and
// write every system property, create class loaders and bypass Java access
// checks by reflection (suppressAccessChecks); together with setPolicy and
// createSecurityManager above there is little the security manager still
// prevents. Treat this list as a starting point: scope these grants to the
// OpenSSO deployment's codeBase once its actual needs are known, and do not
// deploy untrusted applications into a server running under this policy.
grant {
// Any host, any port, including listening for inbound connections.
permission java.net.SocketPermission "*", "listen,connect,accept,resolve";
permission java.util.PropertyPermission "*", "read, write";
permission java.lang.RuntimePermission "modifyThreadGroup";
permission java.lang.RuntimePermission "setFactory";
permission java.lang.RuntimePermission "accessClassInPackage.*";
permission java.util.logging.LoggingPermission "control";
// Duplicate of the grant in the previous block; harmless.
permission java.lang.RuntimePermission "shutdownHooks";
permission javax.security.auth.AuthPermission "getLoginConfiguration";
permission javax.security.auth.AuthPermission "setLoginConfiguration";
permission javax.security.auth.AuthPermission "modifyPrincipals";
permission javax.security.auth.AuthPermission "createLoginContext.*";
// Unrestricted file system access for all code.
permission java.io.FilePermission "<<ALL FILES>>", "read,write,execute,delete";
permission java.util.PropertyPermission "java.util.logging.config.class", "write";
// Removing or inserting security providers lets code change which
// implementation services cryptographic algorithms.
permission java.security.SecurityPermission "removeProvider.SUN";
permission java.security.SecurityPermission "insertProvider.SUN";
permission javax.security.auth.AuthPermission "doAs";
// Writable KDC/realm properties let code redirect Kerberos authentication.
permission java.util.PropertyPermission "java.security.krb5.realm", "write";
permission java.util.PropertyPermission "java.security.krb5.kdc", "write";
permission java.util.PropertyPermission "java.security.auth.login.config", "write";
permission java.util.PropertyPermission "user.language", "write";
// Accept Kerberos service tickets for any service principal.
permission javax.security.auth.kerberos.ServicePermission "*", "accept";
// Allows replacing the default HTTPS hostname verification.
permission javax.net.ssl.SSLPermission "setHostnameVerifier";
// IAIK is a third-party crypto provider; presumably needed by OpenSSO's
// signature/WS-Security code -- confirm it is actually deployed.
permission java.security.SecurityPermission "putProviderProperty.IAIK";
permission java.security.SecurityPermission "removeProvider.IAIK";
permission java.security.SecurityPermission "insertProvider.IAIK";
permission java.lang.RuntimePermission "setDefaultUncaughtExceptionHandler";
permission javax.management.MBeanServerPermission "newMBeanServer";
// Subsumed by the MBeanPermission "*", "*" grant below.
permission javax.management.MBeanPermission "*", "registerMBean";
permission java.lang.RuntimePermission "createClassLoader";
permission java.lang.RuntimePermission "accessDeclaredMembers";
permission java.lang.RuntimePermission "setContextClassLoader";
// Lets code call setAccessible(true) and so reach private members of any
// class, including the security manager and policy implementation.
permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
permission javax.security.auth.AuthPermission "getSubject";
permission javax.management.MBeanTrustPermission "register";
permission javax.management.MBeanPermission "*" , "*" ;
permission java.lang.management.ManagementPermission "monitor";
permission javax.management.MBeanServerPermission "createMBeanServer";
permission java.util.PropertyPermission "javax.xml.soap.MetaFactory", "write";
permission java.util.PropertyPermission "javax.xml.soap.MessageFactory", "write";
permission java.util.PropertyPermission "javax.xml.soap.SOAPConnectionFactory", "write";
permission java.util.PropertyPermission "javax.xml.soap.SOAPFactory", "write";
permission java.net.NetPermission "getProxySelector";
permission java.security.SecurityPermission "getProperty.authconfigprovider.factory";
permission java.security.SecurityPermission "setProperty.authconfigprovider.factory";
permission javax.security.auth.AuthPermission "doAsPrivileged";
permission javax.security.auth.AuthPermission "modifyPublicCredentials";
// XML-DSig and WS-Security transform providers used for signature handling.
permission java.security.SecurityPermission "insertProvider.XMLDSig";
permission java.security.SecurityPermission "putProviderProperty.WSS_TRANSFORM";
permission java.security.SecurityPermission "insertProvider.WSS_TRANSFORM";
permission java.security.SecurityPermission "getProperty.ocsp.*";
};