Oracle® Identity Manager Installation and Configuration Guide for Oracle Application Server Release 9.1.0.1 Part Number E14062-01
This appendix describes the following:
Java 2 Security Permissions for Oracle Application Server Noncluster
Java 2 Security Permissions for Oracle Application Server Cluster
Note:
The application might fail to start because of syntax errors in the policy files. Be careful when you edit the policy files. Oracle recommends that you use the policy tool provided by the JDK for editing the policy files. The tool is available in the following directory:
JAVA_HOME/jre/bin/policytool
To enable Java 2 Security for Oracle Identity Manager running on Oracle Application Server:
1. Modify the Oracle Application Server run configuration and add -Djava.security.manager as a JVM option. This change must be done in $OC4J_HOME/opmn/conf/opmn.xml.
Add the following option to Oracle Application Server:
-Djava.security.manager
This option enables the Java 2 Security manager.
2. Check if the $ORACLE_HOME/j2ee/home/config/java2.policy file exists. If it exists, then edit it and add the Java 2 Security permissions listed in the "Policy File" section. If the java2.policy file does not exist, then you have to create it.
Policy File
Perform the following in the java2.policy file:
Note:
- The instructions to change the code in the policy file are given in comments, which are in bold font.
- This java2.policy example is for a Windows installation. For UNIX, change the \\ separator between directory names to / in every java.io.FilePermission entry.
- Make sure to change the multicast IP 231.184.202.110 in this example to reflect the multicast IP address of the Oracle Identity Manager installation. You can find the Oracle Identity Manager multicast IP address in xlconfig.xml.
- You must update the path to the correct value for the location where the GTC-RECON connector files are located. This example uses C:\\files\\file1 for the location of these files.
Find the following:
grant { permission java.util.PropertyPermission "javax.xml.parsers.DocumentBuilderFactory" , "read"; };
Add the following to the preceding code:
grant { permission java.util.PropertyPermission "javax.xml.parsers.DocumentBuilderFactory", "write"; };
Find /*Default Grants copied from the JDK default system policy*/ and add the following code to the grant:
//Added for OIM
permission java.util.PropertyPermission "*", "read";
permission java.util.PropertyPermission "*", "write";
permission java.lang.RuntimePermission "queuePrintJob";
permission java.net.SocketPermission "*", "connect";
permission java.lang.RuntimePermission "accessClassInPackage.*";
permission javax.management.MBeanServerPermission "findMBeanServer";
permission javax.security.auth.AuthPermission "createLoginContext.*";
//Added for AQ
permission java.lang.RuntimePermission "accessDeclaredMembers";
// For Nexaweb
permission java.lang.RuntimePermission "getClassLoader";
permission java.lang.RuntimePermission "setContextClassLoader";
permission java.util.PropertyPermission "nexaweb.logs", "read,write";
permission java.util.PropertyPermission "sun.net.client.defaultConnectTimeout", "read,write";
permission java.util.PropertyPermission "sun.net.client.defaultReadTimeout", "read,write";
permission java.lang.RuntimePermission "loadLibrary.*";
permission java.lang.RuntimePermission "queuePrintJob";
permission java.net.SocketPermission "*", "connect";
permission java.io.FilePermission "<<ALL FILES>>", "read";
permission java.lang.RuntimePermission "modifyThreadGroup";
permission oracle.oc4j.security.OC4JRuntimePermission "oracle.oc4j.OC4JOnly";
permission javax.management.MBeanPermission "oracle.oc4j.admin.jmx.server.mbeans.model.DefaultModelMBeanImpl#-", "*";
//Change this to the original directory where logs are being created
//If logs are getting created in more than one directory ensure that you have two entries for them here.
permission java.io.FilePermission "${oracle.home}\\opmn\\logs\\-", "read,write,delete";
permission java.io.FilePermission "${oracle.home}\\j2ee\\home\\logs\\-", "read,write,delete";
permission java.io.FilePermission "${oracle.home}\\j2ee\\home\\velocity.log", "read,write,delete";
/*
 * permission java.io.FilePermission "C:\\files\\file1\\-", "read,write,delete";
 * property has been added for the path of directory where files are kept for
 * the GTC-RECON connector. Update the path to the correct value prior to
 * running the server.
 */
permission java.io.FilePermission "C:\\files\\file1\\-", "read,write,delete";
In Custom Application Permissions, append the following code:
// Java code and extensions
// Trust java extensions
grant codeBase "file:${java.home}/lib/ext/-" {
    permission java.security.AllPermission;
};
/*grant codeBase "file:${XL.HomeDir}/logs/-" {
    permission java.security.AllPermission;
}; */
// Trust core java code
grant codeBase "file:${java.home}/lib/*" {
    permission java.security.AllPermission;
};
// For java.home pointing to the JDK jre directory
grant codeBase "file:${java.home}/jre/lib/-" {
    permission java.security.AllPermission;
};
// Grant All permissions to nexaweb commons jar file to be loaded from
grant codeBase "file:${oracle.home}/j2ee/home/applib/nexaweb-common.jar" {
    permission java.security.AllPermission;
};
// OIM codebase permissions
grant codeBase "file:${oracle.home}/j2ee/home/applications/Xellerate/-" {
    // File permissions
    // Need read, write, and delete permissions on $OIM_HOME/config folder
    // to read various config files, write the
    // xlconfig.xml.{0,1,2..} files upon re-encryption and delete
    // the last xlconfig.xml if the numbers go above 9.
    permission java.io.FilePermission "${XL.HomeDir}\\config\\-", "read, write, delete";
    permission java.io.FilePermission "${XL.HomeDir}\\-", "read";
    // Need read,write,delete permissions to generate adapter java
    // code, delete the .class file when the adapter is loaded into
    // the database
    permission java.io.FilePermission "${XL.HomeDir}\\adapters\\-", "read,write,delete";
    // This is required by the connectors and connector installer
    permission java.io.FilePermission "${XL.HomeDir}\\ConnectorDefaultDirectory\\-", "read,write,delete";
    permission java.io.FilePermission "${XL.HomeDir}\\adapters\\connectorResources\\-", "read,write,delete";
    // Read Globalization resource bundle files for various
    // locales
    permission java.io.FilePermission "${XL.HomeDir}\\adapters\\customResources\\-", "read";
    // Read code from "JavaTasks", "ScheduleTask",
    // "ThirdParty", "EventHandlers" folder
    permission java.io.FilePermission "${XL.HomeDir}\\EventHandlers\\-", "read";
    permission java.io.FilePermission "${XL.HomeDir}\\JavaTasks\\-", "read";
    permission java.io.FilePermission "${XL.HomeDir}\\ScheduleTask\\-", "read";
    permission java.io.FilePermission "${XL.HomeDir}\\ThirdParty\\-", "read";
    // Required by the Generic Technology connector
    permission java.io.FilePermission "${XL.HomeDir}\\GTC\\-", "read";
    // Server needs read permissions on Nexaweb home directory
    //permission java.io.FilePermission "${nexaweb.home}\\-", "read";
    // Read permissions on the "application-deployments" folder, the OIM deploy
    // directory
    permission java.io.FilePermission "${oracle.home}\\j2ee\\home\\application-deployments\\Xellerate\\-", "read,write,delete";
    permission java.io.FilePermission "${oracle.home}\\j2ee\\home\\-", "read,write,delete";
    permission java.io.FilePermission "${oracle.home}\\j2ee\\home\\applications\\Xellerate\\-", "read,write,delete";
    // OIM server invokes the java compiler. You need "execute"
    // permissions on all files.
    permission java.io.FilePermission "<<ALL FILES>>", "execute";
    // Socket permissions
    // Basically you allow all permissions on nonprivileged sockets
    // The multicast address should be the same as the one in
    // xlconfig.xml for javagroups communication
    permission java.net.SocketPermission "*", "connect,listen,resolve,accept";
    permission java.net.SocketPermission "231.184.202.110", "connect,accept";
    // Property permissions
    // Read and write OIM properties
    // Read XL.*, java.* and log4j.* properties
    permission java.util.PropertyPermission "XL.*", "read,write";
    permission java.util.PropertyPermission "*", "read, write";
    permission java.util.PropertyPermission "java.*", "read";
    permission java.util.PropertyPermission "log4j.*", "read";
    permission java.util.PropertyPermission "user.dir", "read";
    // Runtime permissions
    // OIM server needs permissions to create its own class loader,
    // get the class loader, modify threads and register shutdown
    // hooks
    permission java.lang.RuntimePermission "createClassLoader";
    permission java.lang.RuntimePermission "getClassLoader";
    permission java.lang.RuntimePermission "modifyThread";
    permission java.lang.RuntimePermission "modifyThreadGroup";
    permission java.lang.RuntimePermission "shutdownHooks";
    // OIM server needs runtime permissions to generate and load
    // classes in the below specified packages. Also access the
    // declared members of a class.
    permission java.lang.RuntimePermission "defineClassInPackage.com.thortech.xl.adapterGlue.ScheduleItemEvents";
    permission java.lang.RuntimePermission "defineClassInPackage.com.thortech.xl.dataobj.rulegenerators";
    permission java.lang.RuntimePermission "defineClassInPackage.com.thortech.xl.adapterGlue";
    permission java.lang.RuntimePermission "accessDeclaredMembers";
    // Reflection permissions
    // Give permissions to access and invoke fields/methods from
    // reflected classes.
    permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
    // Security permissions for OIM server
    permission java.security.SecurityPermission "*";
    permission javax.security.auth.AuthPermission "doAs";
    permission javax.security.auth.AuthPermission "doPrivileged";
    permission javax.security.auth.AuthPermission "getSubject";
    permission javax.security.auth.AuthPermission "modifyPrincipals";
    permission javax.security.auth.AuthPermission "createLoginContext";
    permission javax.security.auth.AuthPermission "createLoginContext.*";
    permission javax.security.auth.AuthPermission "getLoginConfiguration";
    permission javax.security.auth.AuthPermission "setLoginConfiguration";
    // SSL permission (for remote manager)
    permission javax.net.ssl.SSLPermission "getSSLSessionContext";
    permission java.net.SocketPermission "*:1024-", "listen";
    permission java.util.logging.LoggingPermission "control";
    permission java.lang.RuntimePermission "enableContextClassLoaderOverride";
    permission java.io.SerializablePermission "enableSubclassImplementation";
    permission java.io.SerializablePermission "enableSubstitution";
    permission java.net.SocketPermission "*:*", "connect,resolve";
    permission java.lang.RuntimePermission "createClassLoader";
    permission java.lang.RuntimePermission "getClassLoader";
    permission java.util.PropertyPermission "*", "read";
    permission java.util.PropertyPermission "LoadBalanceOnLookup", "read,write";
    permission javax.security.auth.AuthPermission "getPolicy";
    permission java.io.FilePermission "${oracle.home}\\j2ee\\home\\Xellerate.err", "read,write,delete";
    permission java.util.PropertyPermission "javax.*", "read,write";
};
// Nexaweb server codebase permissions
grant codeBase "file:${oracle.home}/j2ee/home/applications/Nexaweb/-" {
    // File permissions
    permission java.io.FilePermission "${user.home}", "read, write";
    permission java.io.FilePermission "${oracle.home}\\j2ee\\home\\application-deployments\\Nexaweb\\-", "read,write,delete";
    //permission java.io.FilePermission "${nexaweb.home}\\-", "read";
    // Property permissions
    permission java.util.PropertyPermission "*", "read,write";
    // Runtime permissions
    // Nexaweb server needs permissions to create its own class loader,
    // get the class loader etc.
    permission java.lang.RuntimePermission "createClassLoader";
    permission java.lang.RuntimePermission "getClassLoader";
    permission java.lang.RuntimePermission "setContextClassLoader";
    permission java.lang.RuntimePermission "setFactory";
    // Nexaweb server security permissions to load the Cryptix
    // extension
    permission java.security.SecurityPermission "insertProvider.Cryptix";
    // Socket permissions
    // Permissions on all non-privileged ports.
    permission java.net.SocketPermission "*:1024-", "listen, connect, resolve";
    // Security permissions
    permission javax.security.auth.AuthPermission "doAs";
    permission javax.security.auth.AuthPermission "modifyPrincipals";
    permission javax.security.auth.AuthPermission "createLoginContext";
    permission javax.security.auth.AuthPermission "createLoginContext.*";
    permission java.util.logging.LoggingPermission "control";
    permission java.io.SerializablePermission "enableSubclassImplementation";
    permission java.io.SerializablePermission "enableSubstitution";
    permission javax.security.auth.AuthPermission "getPolicy";
    permission java.net.SocketPermission "*:*", "connect,resolve";
    permission java.lang.RuntimePermission "createClassLoader";
    permission java.lang.RuntimePermission "getClassLoader";
    permission java.util.PropertyPermission "*", "read";
    permission java.util.PropertyPermission "LoadBalanceOnLookup", "read,write";
    permission java.io.FilePermission "${oracle.home}\\j2ee\\home\\-", "read,write,delete";
    permission java.util.PropertyPermission "javax.*", "read,write";
};
// The following are permissions given to codebase in the OIM server
// directory
grant codeBase "file:${XL.HomeDir}/-" {
    // File permissions
    permission java.io.FilePermission "${XL.HomeDir}\\config\\-", "read";
    permission java.io.FilePermission "${XL.HomeDir}\\JavaTasks\\-", "read";
    permission java.io.FilePermission "${XL.HomeDir}\\ScheduleTasks\\-", "read";
    permission java.io.FilePermission "${XL.HomeDir}\\ThirdParty\\-", "read";
    permission java.io.FilePermission "${XL.HomeDir}\\adapters\\-", "read,write,delete";
    //permission java.io.FilePermission "${nexaweb.home}\\-", "read";
    // Socket permissions
    permission java.net.SocketPermission "*", "listen";
    // Property permissions
    // Read XL.* and log4j.* properties
    permission java.util.PropertyPermission "XL.*", "read";
    permission java.util.PropertyPermission "log*", "read";
    // Security permissions
    permission javax.security.auth.AuthPermission "doAs";
    permission javax.security.auth.AuthPermission "modifyPrincipals";
    permission javax.security.auth.AuthPermission "createLoginContext";
    permission java.io.SerializablePermission "enableSubclassImplementation";
    permission java.io.SerializablePermission "enableSubstitution";
    permission java.util.logging.LoggingPermission "control";
    permission javax.security.auth.AuthPermission "createLoginContext.*";
    permission java.security.SecurityPermission "*";
    permission javax.security.auth.AuthPermission "getLoginConfiguration";
    permission javax.security.auth.AuthPermission "getPolicy";
    permission javax.security.auth.AuthPermission "setLoginConfiguration";
    permission java.security.SecurityPermission "insertProvider.Cryptix";
    // Socket permissions
    // Permissions on all non-privileged ports.
    permission java.net.SocketPermission "*:1024-", "listen, connect, resolve";
    permission java.net.SocketPermission "*:*", "connect,resolve";
    permission java.lang.RuntimePermission "createClassLoader";
    permission java.lang.RuntimePermission "getClassLoader";
    permission java.util.PropertyPermission "*", "read";
    permission java.util.PropertyPermission "LoadBalanceOnLookup", "read,write";
    permission java.io.FilePermission "${oracle.home}\\j2ee\\home\\-", "read,write,delete";
    permission java.util.PropertyPermission "javax.*", "read,write";
};
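The notes at the top of this section list what goes wrong when the policy file is edited by hand: a syntax error stops the server, Windows \\ separators are left in on UNIX, and the example multicast address and GTC-RECON path are left unchanged. The following Python script is an added example, not part of this guide and not Oracle's policytool; it checks a java2.policy file for each of those conditions and also lists grants broad enough to justify (<<ALL FILES>> with write or execute, wildcard write). Function names and the sample policy fragment are this example's own.

```python
"""Lint a java2.policy file for the pitfalls this appendix warns about.
Added example, not Oracle's tooling; function names and the sample fragment
are this example's own. Findings: error = the JDK policy parser would reject
it (and the server would not start), todo = an example value or a Windows
separator still to be replaced, review = a grant broad enough to justify."""
import re, sys

EXAMPLE_MULTICAST = "231.184.202.110"   # placeholder address from the appendix
EXAMPLE_GTC_PATH = r"C:\\files\\file1"  # placeholder GTC-RECON directory
# Constructed sample from the appendix, with one deliberate error: the ";" is
# missing after SecurityPermission "*".
SAMPLE_POLICY = r'''// OIM codebase permissions
grant codeBase "file:${oracle.home}/j2ee/home/applications/Xellerate/-" {
    permission java.io.FilePermission "${XL.HomeDir}\\config\\-", "read,write,delete";
    permission java.io.FilePermission "<<ALL FILES>>", "execute";
    permission java.net.SocketPermission "231.184.202.110", "connect,accept";
    permission java.security.SecurityPermission "*"
    permission java.lang.RuntimePermission "createClassLoader";
};
grant {
    permission java.util.PropertyPermission "*", "write";
    permission java.io.FilePermission "C:\\files\\file1\\-", "read,write,delete";
};
'''
GRANT_KW = re.compile(r"\bgrant\b")
PERM_RE = re.compile(r'permission\s+(?P<cls>[\w.$]+)'      # permission class
                     r'(?:\s+"(?P<target>[^"]*)")?'        # target (path, host, property)
                     r'(?:\s*,\s*"(?P<actions>[^"]*)")?\s*', re.S)  # action list


def strip_comments(text):
    """Drop /* */ and // comments but keep string literals, so a codeBase
    such as "file://generated/by/proxy" is not cut at its "//"."""
    return re.sub(r'"[^"\n]*"|/\*.*?\*/|//[^\n]*',
                  lambda m: m.group(0) if m.group(0).startswith('"') else " ",
                  text, flags=re.S)


def find_unquoted(text, ch, start):
    """First index of ch at/after start outside a "..." literal, so the
    braces in "${oracle.home}" never count as block delimiters."""
    in_str = False
    for i in range(start, len(text)):
        if text[i] == '"':
            in_str = not in_str
        elif text[i] == ch and not in_str:
            return i
    return -1


def split_grants(text):
    """Return ([(header, body), ...], [structural problems])."""
    blocks, problems, pos = [], [], 0
    while (m := GRANT_KW.search(text, pos)):
        open_ = find_unquoted(text, "{", m.end())
        close = find_unquoted(text, "}", open_ + 1) if open_ >= 0 else -1
        if close < 0:
            problems.append("grant block at offset %d is not closed" % m.start())
            break
        if not text[close + 1:].lstrip().startswith(";"):
            problems.append('grant block at offset %d lacks ";" after "}"' % m.start())
        blocks.append((text[m.end():open_].strip(), text[open_ + 1:close]))
        pos = close + 1
    return blocks, problems


def parse_permissions(body):
    """Split a grant body on ";" and parse each permission statement."""
    perms, problems = [], []
    for stmt in filter(None, (s.strip() for s in body.split(";"))):
        m = PERM_RE.fullmatch(stmt)
        if not m:  # typically a missing ";" that merged two statements
            problems.append("cannot parse statement: %r" % stmt.splitlines()[0])
            continue
        actions = {a.strip() for a in (m["actions"] or "").split(",") if a.strip()}
        perms.append((m["cls"].rsplit(".", 1)[-1], m["target"] or "", actions))
    return perms, problems


def lint_policy(text, unix=False):
    """Return (severity, message) findings for a policy text."""
    findings = []
    blocks, problems = split_grants(strip_comments(text))
    findings += [("error", p) for p in problems]
    for head, body in blocks:
        scope = head or "all code (no codeBase)"
        perms, problems = parse_permissions(body)
        findings += [("error", "%s: %s" % (scope, p)) for p in problems]
        for cls, target, actions in perms:
            acts = ",".join(sorted(actions))
            if cls == "FilePermission":
                if target.startswith(EXAMPLE_GTC_PATH):
                    findings.append(("todo", "replace the example GTC-RECON path %r" % target))
                if unix and "\\" in target:
                    findings.append(("todo", "Windows separator in %r; use / on UNIX" % target))
                if target == "<<ALL FILES>>" and actions & {"write", "delete", "execute"}:
                    findings.append(("review", "%s: <<ALL FILES>> %s" % (scope, acts)))
            elif cls == "SocketPermission" and target == EXAMPLE_MULTICAST:
                findings.append(("todo", "replace the example multicast address with the one in xlconfig.xml"))
            elif target == "*" and (cls == "SecurityPermission" or "write" in actions):
                findings.append(("review", '%s: %s "*" %s' % (scope, cls, acts)))
    return findings


if __name__ == "__main__":  # usage: python lint_policy.py java2.policy [--unix]
    for sev, msg in lint_policy(open(sys.argv[1]).read(), "--unix" in sys.argv):
        print(sev, msg)
```

Run it against $ORACLE_HOME/j2ee/home/config/java2.policy before restarting OC4J; any error finding is a statement the JDK parser would also reject.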
Policy File
The following is the sample java2.policy file after the Oracle Identity Manager policy has been added:
/*
 * Standard policy file for Oracle Application Server
 *
 * When this file is in use the System property ${oracle.home} must
 * be set to $ORACLE_HOME or to the value of $ORACLE_HOME.
 *
 * When this file is in use via OPMN the System property
 * ${oracle.oc4j.instancename}
 * is used to identify the instance-level connector jars.
 *
 * This file grants AllPermission to "oc4j code"
 * oc4j code is code used either directly or indirectly by the app server
 * itself. Including code generated for ejb wrappers.
 * See oc4j.jar!boot.xml for a complete list. Currently this file
 * only lists jars that need permissions. Others can be
 * added if necessary.
 *
 * In a future release the grants will be refined so that
 * only the Permissions actually needed by Oracle Application Server
 * code will be granted.
 *
 * Calls to accessController.doPrivileged have been added to Oracle
 * Application Server with the intention that the application code only
 * be granted the Permissions needed by actions it performs directly.
 * It should not be granted Permissions required by J2EE
 * operations.
 *
 * For example if a Servlet (or jsp) forwards to a .jsp it does not
 * need Permission to read and compile the .jsp. Similarly the
 * application code associated with an ejb that specifies container
 * managed persistence does not need Permission to create a socket
 * talking to the database holding the underlying data. But an EJB
 * using bean managed persistence does need such Permission.
 */
grant codebase "file:${oracle.home}/j2ee/home/*" { permission java.security.AllPermission; };
grant codebase "file:${oracle.home}/j2ee/home/lib/*" { permission java.security.AllPermission; };
grant codebase "file:${oracle.home}/jlib/-" { permission java.security.AllPermission; };
grant codebase "file:${oracle.home}/bc4j/jlib/*" { permission java.security.AllPermission; };
grant codeBase "file:${oracle.home}/toplink/jlib/*" { permission java.security.AllPermission; };
grant codebase "file:${oracle.home}/dms/lib/*" { permission java.security.AllPermission; };
grant codebase "file:${oracle.home}/diagnostics/lib/*" { permission java.security.AllPermission; };
grant codebase "file:${oracle.home}/jdbc/lib/ojdbc14dms.jar" { permission java.security.AllPermission; };
grant codebase "file:${oracle.home}/dbjava/lib/*" { permission java.security.AllPermission; };
grant codebase "file:${oracle.home}/sqlj/lib/*" { permission java.security.AllPermission; };
grant codebase "file:${oracle.home}/javacache/lib/*" { permission java.security.AllPermission; };
grant codebase "file:${oracle.home}/uddi/lib/*" { permission java.security.AllPermission; };
grant codebase "file:${oracle.home}/xdk/lib/*" { permission java.security.AllPermission; };
grant codebase "file:${oracle.home}/opmn/lib/*" { permission java.security.AllPermission; };
grant codebase "file:${oracle.home}/webservices/lib/*" { permission java.security.AllPermission; };
grant codeBase "file:${oracle.home}/javavm/lib/-" { permission java.security.AllPermission; };
grant codebase "file:${oracle.home}/jsp/lib/*" { permission java.security.AllPermission; };
grant codebase "file:${oracle.home}/lib/*" { permission java.security.AllPermission; };
/** EJB skeleton/tie & BCEL proxy support **/
grant codeBase "file:generated/by/proxy" { permission java.security.AllPermission; };
grant codeBase "file://generated/by/oracle.j2ee.connector.proxy.BCELProxyClassLoader" { permission java.security.AllPermission; };
/*
 * Miscellaneous grants to jars distributed as part of oc4j that might be used
 * in various ways
 */
grant codebase "file:${oracle.home}/j2ee/home/connectors/OracleASjms/OracleASjms/gjra.jar" { permission java.security.AllPermission; };
grant codebase "file:${oracle.home}/j2ee/${oracle.oc4j.instancename}/connectors/OracleASjms/OracleASjms/gjra.jar" { permission java.security.AllPermission; };
grant codebase "file:${oracle.home}/j2ee/home/connectors/datasources/datasources/datasources.jar" { permission java.security.AllPermission; };
grant codebase "file:${oracle.home}/j2ee/${oracle.oc4j.instancename}/connectors/datasources/datasources/datasources.jar" { permission java.security.AllPermission; };
grant codebase "file:${oracle.home}/j2ee/home/jsp/lib/*" { permission java.security.AllPermission; };
grant codebase "file:${oracle.home}/j2ee/home/jsp/lib/taglib/ojsputil.jar" { permission java.security.AllPermission; };
/* GRANTS TO DEFAULT APPLICATIONS */
grant codebase "file:${oracle.home}/j2ee/home/application-deployments/ascontrol/-" { permission java.security.AllPermission; };
grant codebase "file:${oracle.home}/j2ee/${oracle.oc4j.instancename}/application-deployments/ascontrol/-" { permission java.security.AllPermission; };
grant codebase "file:${oracle.home}/j2ee/home/applications/ascontrol/-" { permission java.security.AllPermission; };
grant codebase "file:${oracle.home}/j2ee/${oracle.oc4j.instancename}/applications/ascontrol/-" { permission java.security.AllPermission; };
grant codebase "file:${oracle.home}/j2ee/home/application-deployments/default/-" { permission java.security.AllPermission; };
grant codebase "file:${oracle.home}/j2ee/${oracle.oc4j.instancename}/application-deployments/default/-" { permission java.security.AllPermission; };
grant codebase "file:${oracle.home}/j2ee/home/applications/default/-" { permission java.security.AllPermission; };
grant codebase "file:${oracle.home}/j2ee/${oracle.oc4j.instancename}/applications/default/-" { permission java.security.AllPermission; };
grant codebase "file:${oracle.home}/j2ee/home/application-deployments/javasso/-" { permission java.security.AllPermission; };
grant codebase "file:${oracle.home}/j2ee/${oracle.oc4j.instancename}/application-deployments/javasso/-" { permission java.security.AllPermission; };
grant codebase "file:${oracle.home}/j2ee/home/applications/javasso/-" { permission java.security.AllPermission; };
grant codebase "file:${oracle.home}/j2ee/${oracle.oc4j.instancename}/applications/javasso/-" { permission java.security.AllPermission; };
grant codebase "file:${oracle.home}/j2ee/home/application-deployments/usermbean/-" { permission java.security.AllPermission; };
grant codebase "file:${oracle.home}/j2ee/${oracle.oc4j.instancename}/application-deployments/usermbean/-" { permission java.security.AllPermission; };
grant codebase "file:${oracle.home}/j2ee/home/applications/usermbean/-" { permission java.security.AllPermission; };
grant codebase "file:${oracle.home}/j2ee/${oracle.oc4j.instancename}/applications/usermbean/-" { permission java.security.AllPermission; };
grant codebase "file:${oracle.home}/j2ee/home/application-deployments/admin_ejb/-" { permission java.security.AllPermission; };
grant codebase "file:${oracle.home}/j2ee/${oracle.oc4j.instancename}/application-deployments/admin_ejb/-" { permission java.security.AllPermission; };
grant codebase "file:${oracle.home}/j2ee/home/applications/admin_ejb.jar" { permission java.security.AllPermission; };
grant codebase "file:${oracle.home}/j2ee/home/applications/admin_ejb/-" { permission java.security.AllPermission; };
grant codebase "file:${oracle.home}/j2ee/${oracle.oc4j.instancename}/applications/admin_ejb/-" { permission java.security.AllPermission; };
grant codebase "file:${oracle.home}/j2ee/home/applications/jmsrouter-ejb.jar" { permission java.security.AllPermission; };
grant codebase "file:${oracle.home}/j2ee/home/applications/jmsrouter" { permission java.security.AllPermission; };
grant codebase "file:${oracle.home}/j2ee/home/application-deployments/JMXSoapAdapter-web/-" { permission java.security.AllPermission; };
grant codebase "file:${oracle.home}/j2ee/${oracle.oc4j.instancename}/application-deployments/JMXSoapAdapter-web/-" { permission java.security.AllPermission; };
grant { permission java.util.PropertyPermission "j2ee.home", "read"; };
grant { permission java.util.PropertyPermission "java.home", "read"; };
grant { permission java.util.PropertyPermission "javax.xml.soap.SOAPFactory", "read"; };
grant { permission java.util.PropertyPermission "javax.activation.debug", "read"; };
grant { permission java.util.PropertyPermission "javax.xml.parsers.DocumentBuilderFactory", "read"; };
//Added for GTC
grant { permission java.util.PropertyPermission "javax.xml.parsers.DocumentBuilderFactory", "write"; };
grant { permission java.util.PropertyPermission "javax.xml.soap.MessageFactory", "read"; };
grant { permission java.util.PropertyPermission "jdbc.nontx.autocommit", "read"; };
grant { permission java.util.PropertyPermission "mail.URLName.dontencode", "read"; };
grant { permission java.util.PropertyPermission "oc4j.jmx.event.interval", "read"; };
grant { permission java.util.PropertyPermission "oc4j.jmx.heartbeat.interval", "read"; };
grant { permission java.util.PropertyPermission "oracle.jdbc.defaultNChar", "read"; };
grant { permission java.util.PropertyPermission "oracle.jdbc.DMSStatementMetrics", "read"; };
grant { permission java.util.PropertyPermission "oracle.jdbc.J2EE13Compliant", "read"; };
grant { permission java.util.PropertyPermission "oracle.jdbc.TcpNoDelay", "read"; };
grant { permission java.util.PropertyPermission "oracle.jdbc.useFetchSizeWithLongColumn", "read"; };
grant { permission java.util.PropertyPermission "oracle.jdbc.V8Compatible", "read"; };
grant { permission java.util.PropertyPermission "oracle.jserver.version", "read"; };
grant { permission java.util.PropertyPermission "oracle.xml.parser.debugmode", "read"; };
grant { permission java.util.PropertyPermission "oracle.xml.parser.default.character.set", "read"; };
grant { permission java.util.PropertyPermission "oracle.xml.xslt.jdwp", "read"; };
grant { permission java.util.PropertyPermission "orasaaj.soapversion", "read"; };
grant { permission java.util.PropertyPermission "org.apache.commons.logging.Log", "read"; };
grant { permission java.util.PropertyPermission "org.apache.commons.logging.LogFactory", "read"; };
grant { permission java.util.PropertyPermission "PersistenceManagerDebug", "read"; };
grant { permission java.util.PropertyPermission "pro.debug", "read"; };
grant { permission java.util.PropertyPermission "sqlj.runtime", "read"; };
grant { permission java.util.PropertyPermission "transaction.debug", "read"; };
grant { permission java.util.PropertyPermission "user.home", "read"; };
grant { permission java.util.PropertyPermission "user.name", "read"; };
grant { permission java.util.PropertyPermission "rmi.verbose", "read"; };
grant { permission java.util.PropertyPermission "AssociateUserToThread", "read"; };
grant { permission java.util.PropertyPermission "toplink.cts.collection.checkParameters", "read"; };
grant { permission java.util.PropertyPermission "AllowZeroInPK", "read"; };
grant { permission java.util.PropertyPermission "HTTPClient.Modules", "read"; };
grant { permission java.util.PropertyPermission "HTTPClient.Nagle", "read"; };
grant { permission java.util.PropertyPermission "HTTPClient.cookies.hosts.accept", "read"; };
grant { permission java.util.PropertyPermission "HTTPClient.cookies.hosts.reject", "read"; };
grant { permission java.util.PropertyPermission "HTTPClient.cookies.save", "read"; };
grant { permission java.util.PropertyPermission "HTTPClient.deferStreamed", "read"; };
grant { permission java.util.PropertyPermission "HTTPClient.disableKeepAlives", "read"; };
grant { permission java.util.PropertyPermission "HTTPClient.disable_pipelining", "read"; };
grant { permission java.util.PropertyPermission "HTTPClient.dontChunkRequests", "read"; };
grant { permission java.util.PropertyPermission "HTTPClient.dontTimeoutRespBody", "read"; };
grant { permission java.util.PropertyPermission "HTTPClient.forceHTTP_1.0", "read"; };
grant { permission java.util.PropertyPermission "HTTPClient.log.level", "read"; };
grant { permission java.util.PropertyPermission "HTTPClient.nonProxyHosts", "read"; };
grant { permission java.util.PropertyPermission "HTTPClient.socket.idleTimeout", "read"; };
grant { permission java.util.PropertyPermission "HTTPClient.socksHost", "read"; };
grant { permission java.util.PropertyPermission "HTTPClient.socksPort", "read"; };
grant { permission java.util.PropertyPermission "HTTPClient.socksVersion", "read"; };
grant { permission java.util.PropertyPermission "JavaClass.debug", "read"; };
grant { permission java.util.PropertyPermission "LoadBalanceOnLookup", "read"; };
grant { permission java.util.PropertyPermission "SQLLog", "read"; };
grant { permission java.util.PropertyPermission "USE_JAAS", "read"; };
grant { permission java.util.PropertyPermission "com.sun.enterprise.home", "read"; };
grant { permission java.util.PropertyPermission "customFinderMethod.noLazyLoading", "read"; };
grant { permission java.util.PropertyPermission "debug", "read"; };
grant { permission java.util.PropertyPermission "default.cmp.pm", "read"; };
grant { permission java.util.PropertyPermission "ejb.debug.verbose", "read"; };
grant { permission java.util.PropertyPermission "findByPrimaryKey.noLazyLoading", "read"; };
grant { permission java.util.PropertyPermission "http.nonProxyHosts", "read"; };
grant { permission java.util.PropertyPermission "http.proxyHost", "read"; };
grant { permission java.util.PropertyPermission "http.proxyPort", "read"; };
grant { permission java.util.PropertyPermission "java.ext.dirs", "read"; };
grant { permission java.util.PropertyPermission "java.class.path", "read"; };
grant { permission java.util.PropertyPermission "javax.xml.parsers.SAXParserFactory", "read"; };
grant { permission java.util.PropertyPermission "jca.connection.debug", "read"; };
grant { permission java.util.PropertyPermission "log4j.configDebug", "read"; };
grant { permission java.util.PropertyPermission "log4j.configuration", "read"; };
grant { permission java.util.PropertyPermission "log4j.debug", "read"; };
grant { permission java.util.PropertyPermission "log4j.defaultInitOverride", "read"; };
grant { permission java.util.PropertyPermission "log4j.disable", "read"; };
grant { permission java.util.PropertyPermission "log4j.disableOverride", "read"; };
grant { permission java.util.PropertyPermission "oneToOneJoin", "read"; };
grant { permission java.util.PropertyPermission "sun.boot.class.path", "read"; };
grant { permission java.util.PropertyPermission "toplink.changePolicy", "read"; };
grant { permission java.util.PropertyPermission "toplink.cts.collection.checkParameters", "read"; };
grant { permission java.util.PropertyPermission "toplink.cts.collection.checkTransaction", "read"; };
grant { permission java.util.PropertyPermission "toplink.defaultmapping.dbTableGenSetting", "read"; };
grant { permission java.util.PropertyPermission "toplink.defaultmapping.useExtendedTableNames", "read"; };
grant { permission java.util.PropertyPermission "toplink.log.destination", "read"; };
grant { permission java.util.PropertyPermission "toplink.log.level", "read"; };
grant { permission java.util.PropertyPermission "toplink.xml.platform", "read"; };
grant { permission java.util.PropertyPermission "upload.buflen", "read"; };
grant { permission java.util.PropertyPermission "user.dir", "read"; };
grant { permission java.util.PropertyPermission "javax.xml.soap.SOAPConnectionFactory", "read"; };
grant { permission java.util.PropertyPermission "HTTPClient.socket.idleTimeout", "write"; };
/* JDK */
grant codebase "file:${java.home}/../lib/tools.jar" { permission java.security.AllPermission; };
grant codeBase "file:${java.home}/lib/ext/*" { permission java.security.AllPermission; };
/* Default Grants copied from the JDK default system policy. */
grant {
    // "standard" properties that can be read by anyone.
    permission java.util.PropertyPermission "java.version", "read";
    permission java.util.PropertyPermission "java.vendor", "read";
    permission java.util.PropertyPermission "java.vendor.url", "read";
    permission java.util.PropertyPermission "java.class.version", "read";
    permission java.util.PropertyPermission "os.name", "read";
    permission java.util.PropertyPermission "os.version", "read";
    permission java.util.PropertyPermission "os.arch", "read";
    permission java.util.PropertyPermission "file.separator", "read";
    permission java.util.PropertyPermission "path.separator", "read";
    permission java.util.PropertyPermission "line.separator", "read";
    permission java.util.PropertyPermission "java.specification.version", "read";
    permission java.util.PropertyPermission "java.specification.vendor", "read";
    permission java.util.PropertyPermission "java.specification.name", "read";
    permission java.util.PropertyPermission "java.vm.specification.version", "read";
    permission java.util.PropertyPermission "java.vm.specification.vendor", "read";
    permission java.util.PropertyPermission "java.vm.specification.name", "read";
    permission java.util.PropertyPermission "java.vm.version", "read";
    permission java.util.PropertyPermission "java.vm.vendor", "read";
    permission java.util.PropertyPermission "java.vm.name", "read";
    /* The following are granted by the default jdk policy but are considered
     * unsafe and are omitted by this policy file */
    // permission java.lang.RuntimePermission "stopThread";
    // permission java.net.SocketPermission "localhost:1024-", "listen";
    // Added for Oracle Identity Manager
    permission java.util.PropertyPermission "*", "read";
    permission java.util.PropertyPermission "*", "write";
    permission java.lang.RuntimePermission "queuePrintJob";
    permission java.net.SocketPermission "*", "connect";
    permission java.lang.RuntimePermission "accessClassInPackage.*";
    permission javax.management.MBeanServerPermission "findMBeanServer";
    permission javax.security.auth.AuthPermission "createLoginContext.*";
    //Added for AQ
    permission java.lang.RuntimePermission "accessDeclaredMembers";
    // For Nexaweb
    permission java.lang.RuntimePermission "getClassLoader";
    permission java.lang.RuntimePermission "setContextClassLoader";
    permission java.util.PropertyPermission "nexaweb.logs", "read,write";
    permission java.util.PropertyPermission "sun.net.client.defaultConnectTimeout", "read,write";
    permission java.util.PropertyPermission "sun.net.client.defaultReadTimeout", "read,write";
    permission java.lang.RuntimePermission "loadLibrary.*";
    permission java.lang.RuntimePermission "queuePrintJob";
    permission java.net.SocketPermission "*", "connect";
    permission java.io.FilePermission "<<ALL FILES>>", "read";
    permission java.lang.RuntimePermission "modifyThreadGroup";
    permission oracle.oc4j.security.OC4JRuntimePermission "oracle.oc4j.OC4JOnly";
    permission javax.management.MBeanPermission "oracle.oc4j.admin.jmx.server.mbeans.model.DefaultModelMBeanImpl#-", "*";
    //Change this to the original directory where logs are being created
    //If logs are getting created in more than one directory ensure that you have two entries for them here.
    permission java.io.FilePermission "${oracle.home}\\opmn\\logs\\-", "read,write,delete";
    permission java.io.FilePermission "${oracle.home}\\j2ee\\home\\logs\\-", "read,write,delete";
    permission java.io.FilePermission "${oracle.home}\\j2ee\\home\\velocity.log", "read,write,delete";
    /*
     * permission java.io.FilePermission "C:\\files\\file1\\-", "read,write,delete";
     * property has been added for the path of directory where files are kept for
     * GTC-RECON connector. Update the path to correct value prior to running the
     * server.
     */
    permission java.io.FilePermission "C:\\files\\file1\\-", "read,write,delete";
};
/**
 ** Add Custom Application Permission Grants Below
 **/
// Java code and extensions
// Trust java extensions
grant codeBase "file:${java.home}/lib/ext/-" {
    permission java.security.AllPermission;
};
/*grant codeBase "file:${XL.HomeDir}/logs/-" {
    permission java.security.AllPermission;
}; */
// Trust core java code
grant codeBase "file:${java.home}/lib/*" {
    permission java.security.AllPermission;
};
// For java.home pointing to the JDK jre directory
grant codeBase "file:${java.home}/jre/lib/-" {
    permission java.security.AllPermission;
};
// Grant All permissions to nexaweb commons jar file to be loaded from
grant codeBase "file:${oracle.home}/j2ee/home/applib/nexaweb-common.jar" {
    permission java.security.AllPermission;
};
// OIM codebase permissions
grant codeBase "file:${oracle.home}/j2ee/home/applications/Xellerate/-" {
    // File permissions
    // Need read,write,delete permissions on $OIM_HOME/config folder
    // to read various config files, write the
    // xlconfig.xml.{0,1,2..} files upon re-encryption and delete
    // the last xlconfig.xml if the numbers go above 9.
permission java.io.FilePermission "${XL.HomeDir}\\config\\-", "read, write, delete"; permission java.io.FilePermission "${XL.HomeDir}\\-", "read"; // Need read,write,delete permissions to generate adapter java // code, delete the .class file when the adapter is loaded into // the database permission java.io.FilePermission "${XL.HomeDir}\\adapters\\-", "read,write,delete"; // This is required by the connectors and connector installer permission java.io.FilePermission "${XL.HomeDir}\\ConnectorDefaultDirectory\\-", "read,write,delete"; permission java.io.FilePermission "${XL.HomeDir}\\adapters\\connectorResources\\-", "read,write,delete"; // Read Globalization resource bundle files for various // locales permission java.io.FilePermission "${XL.HomeDir}\\adapters\\customResources\\-", "read"; // Read code from "JavaTasks", "ScheduleTask", // "ThirdParty", "EventHandlers" folder permission java.io.FilePermission "${XL.HomeDir}\\EventHandlers\\-", "read"; permission java.io.FilePermission "${XL.HomeDir}\\JavaTasks\\-", "read"; permission java.io.FilePermission "${XL.HomeDir}\\ScheduleTask\\-", "read"; permission java.io.FilePermission "${XL.HomeDir}\\ThirdParty\\-", "read"; // Required by the Generic Technology connector permission java.io.FilePermission "${XL.HomeDir}\\GTC\\-", "read"; // Server needs read permissions on Nexaweb home directory //permission java.io.FilePermission "${nexaweb.home}\\-", "read"; // Read permissions on the "application-deployments" folder, the OIM deploy // directory permission java.io.FilePermission "${oracle.home}\\j2ee\\home\\application-deployments\\Xellerate\\-", "read,write,delete"; permission java.io.FilePermission "${oracle.home}\\j2ee\\home\\-", "read,write,delete"; permission java.io.FilePermission "${oracle.home}\\j2ee\\home\\applications\\Xellerate\\-", "read,write,delete"; // OIM server invokes the java compiler. You need "execute" // permissions on all files. 
permission java.io.FilePermission "<<ALL FILES>>", "execute"; // Socket permissions // Basically you allow all permissions on nonprivileged sockets // The multicast address should be the same as the one in // xlconfig.xml for javagroups communication permission java.net.SocketPermission "*", "connect,listen,resolve,accept"; permission java.net.SocketPermission "231.184.202.110", "connect,accept"; // Property permissions // Read and write OIM properties // Read XL.*, java.* and log4j.* properties permission java.util.PropertyPermission "XL.*", "read,write"; permission java.util.PropertyPermission "*", "read, write"; permission java.util.PropertyPermission "java.*", "read"; permission java.util.PropertyPermission "log4j.", "read"; permission java.util.PropertyPermission "user.dir", "read"; // Runtime permissions // OIM server needs permissions to create its own class loader, // get the class loader, modify threads and register shutdown // hooks permission java.lang.RuntimePermission "createClassLoader"; permission java.lang.RuntimePermission "getClassLoader"; permission java.lang.RuntimePermission "modifyThread"; permission java.lang.RuntimePermission "modifyThreadGroup"; permission java.lang.RuntimePermission "shutdownHooks"; // OIM server needs runtime permissions to generate and load // classes in the below specified packages. Also access the // declared members of a class. permission java.lang.RuntimePermission "defineClassInPackage.com.thortech.xl.adapterGlue.ScheduleItemEvents"; permission java.lang.RuntimePermission "defineClassInPackage.com.thortech.xl.dataobj.rulegenerators"; permission java.lang.RuntimePermission "defineClassInPackage.com.thortech.xl.adapterGlue"; permission java.lang.RuntimePermission "accessDeclaredMembers"; // Reflection permissions // Give permissions to access and invoke fields/methods from // reflected classes. 
permission java.lang.reflect.ReflectPermission "suppressAccessChecks"; // Security permissions for OIM server permission java.security.SecurityPermission "*"; permission javax.security.auth.AuthPermission "doAs"; permission javax.security.auth.AuthPermission "doPrivileged"; permission javax.security.auth.AuthPermission "getSubject"; permission javax.security.auth.AuthPermission "modifyPrincipals"; permission javax.security.auth.AuthPermission "createLoginContext"; permission javax.security.auth.AuthPermission "createLoginContext.*"; permission javax.security.auth.AuthPermission "getLoginConfiguration"; permission javax.security.auth.AuthPermission "setLoginConfiguration"; // SSL permission (for remote manager) permission javax.net.ssl.SSLPermission "getSSLSessionContext"; permission java.net.SocketPermission "*:1024-", "listen"; permission java.util.logging.LoggingPermission "control"; permission java.lang.RuntimePermission "enableContextClassLoaderOverride"; permission java.io.SerializablePermission "enableSubclassImplementation"; permission java.io.SerializablePermission "enableSubstitution"; permission java.net.SocketPermission "*:*", "connect,resolve"; permission java.lang.RuntimePermission "createClassLoader"; permission java.lang.RuntimePermission "getClassLoader"; permission java.util.PropertyPermission "*", "read"; permission java.util.PropertyPermission "LoadBalanceOnLookup", "read,write"; permission javax.security.auth.AuthPermission "getPolicy"; permission java.io.FilePermission "${oracle.home}\\j2ee\\home\\Xellerate.err", "read,write,delete"; permission java.util.PropertyPermission "javax.*", "read,write"; }; // Nexaweb server codebase permissions grant codeBase "file:${oracle.home}/j2ee/home/applications/Nexaweb/-" { // File permissions permission java.io.FilePermission "${user.home}", "read, write"; permission java.io.FilePermission "${oracle.home}\\j2ee\\home\\application-deployments\\Nexaweb\\-", "read,write,delete"; //permission 
java.io.FilePermission "${nexaweb.home}\\-", "read"; // Property permissions permission java.util.PropertyPermission "*", "read,write"; // Runtime permissions // Nexaweb server needs permissions to create its own class loader, // get the class loader etc. permission java.lang.RuntimePermission "createClassLoader"; permission java.lang.RuntimePermission "getClassLoader"; permission java.lang.RuntimePermission "setContextClassLoader"; permission java.lang.RuntimePermission "setFactory"; // Nexaweb server security permissions to load the Cryptix // extension permission java.security.SecurityPermission "insertProvider.Cryptix"; // Socket permissions // Permissions on all non-privileged ports. permission java.net.SocketPermission "*:1024-", "listen, connect, resolve"; // Security permissions permission javax.security.auth.AuthPermission "doAs"; permission javax.security.auth.AuthPermission "modifyPrincipals"; permission javax.security.auth.AuthPermission "createLoginContext"; permission javax.security.auth.AuthPermission "createLoginContext.*"; permission java.util.logging.LoggingPermission "control"; permission java.io.SerializablePermission "enableSubclassImplementation"; permission java.io.SerializablePermission "enableSubstitution"; permission javax.security.auth.AuthPermission "getPolicy"; permission java.net.SocketPermission "*:*", "connect,resolve"; permission java.lang.RuntimePermission "createClassLoader"; permission java.lang.RuntimePermission "getClassLoader"; permission java.util.PropertyPermission "*", "read"; permission java.util.PropertyPermission "LoadBalanceOnLookup", "read,write"; permission java.io.FilePermission "${oracle.home}\\j2ee\\home\\-", "read,write,delete"; permission java.util.PropertyPermission "javax.*", "read,write"; }; // The following are permissions given to codebase in the OIM server // directory grant codeBase "file:${XL.HomeDir}/-" { // File permissions permission java.io.FilePermission "${XL.HomeDir}\\config\\-", "read"; permission 
java.io.FilePermission "${XL.HomeDir}\\JavaTasks\\-", "read"; permission java.io.FilePermission "${XL.HomeDir}\\ScheduleTasks\\-", "read"; permission java.io.FilePermission "${XL.HomeDir}\\ThirdParty\\-", "read"; permission java.io.FilePermission "${XL.HomeDir}\\adapters\\-", "read,write,delete"; //permission java.io.FilePermission "${nexaweb.home}\\-", "read"; // Socket permissions permission java.net.SocketPermission "*", "listen"; // Property permissions // Read XL.* and log4j.* properties permission java.util.PropertyPermission "XL.*", "read"; permission java.util.PropertyPermission "log*", "read"; // Security permissions permission javax.security.auth.AuthPermission "doAs"; permission javax.security.auth.AuthPermission "modifyPrincipals"; permission javax.security.auth.AuthPermission "createLoginContext"; permission java.io.SerializablePermission "enableSubclassImplementation"; permission java.io.SerializablePermission "enableSubstitution"; permission java.util.logging.LoggingPermission "control"; permission javax.security.auth.AuthPermission "createLoginContext.*"; permission java.security.SecurityPermission "*"; permission javax.security.auth.AuthPermission "getLoginConfiguration"; permission javax.security.auth.AuthPermission "getPolicy"; permission javax.security.auth.AuthPermission "setLoginConfiguration"; permission java.security.SecurityPermission "insertProvider.Cryptix"; // Socket permissions // Permissions on all nonprivileged ports. 
permission java.net.SocketPermission "*:1024-","listen, connect, resolve"; permission java.net.SocketPermission "*:*", "connect,resolve"; permission java.lang.RuntimePermission "createClassLoader"; permission java.lang.RuntimePermission "getClassLoader"; permission java.util.PropertyPermission "*", "read"; permission java.util.PropertyPermission "LoadBalanceOnLookup", "read,write"; permission java.io.FilePermission "${oracle.home}\\j2ee\\home\\-", "read,write,delete"; permission java.util.PropertyPermission "javax.*", "read,write"; };
Java 2 Security Permissions for Oracle Application Server Cluster
Note:
The application might fail to start because of syntax errors in the policy files. Be careful when editing the policy files. Oracle recommends that you use the policy tool provided by the JDK for editing the policy files. The tool is available in the following directory:
JAVA_HOME/jre/bin/policytool
To enable Java 2 Security for Oracle Identity Manager running on Oracle Application Server:
Modify the Oracle Application Server run configuration and add -Djava.security.manager as a JVM option of the Oracle Application Server instance where Oracle Identity Manager is deployed. This change should be done in $OC4J_HOME/opmn/conf/opmn.xml.
Pass the following option to Oracle Application Server:
-Djava.security.manager
This option enables the Java 2 Security manager.
Check if the $ORACLEAS_HOME/j2ee/<OC4J instance>/config/java2.policy file exists. If it exists, edit it and add the Java 2 Security permissions listed in the "Policy File" section.
Note:
If the java2.policy file does not exist, you have to create it.
Policy File
Perform the following in the java2.policy file:
Note:
- The instructions to change the code in the policy file are given in comments, which are in bold font.
- Make sure to change the Oracle Application Server instance name in the example below to reflect the Oracle Application Server on which you install Oracle Identity Manager. This example uses xlClusterMember for the instance name where Oracle Identity Manager is deployed.
- This java2.policy example is for Windows installation. For UNIX, ensure that you change the \\ between directory names to / in every permission java.io.FilePermission property.
- Make sure to change the multicast IP 231.111.153.118 in this example to reflect the multicast IP address of the Oracle Identity Manager installation. You can find the Oracle Identity Manager multicast IP address in xlconfig.xml.
- You must update the path to the correct value for the location where GTC-RECON connector files are located. This example uses C:\\file1\\file1 for the location of these files.
Find the following:
grant { permission java.util.PropertyPermission "javax.xml.parsers.DocumentBuilderFactory" , "read"; };
Add the following to the preceding code:
grant { permission java.util.PropertyPermission "javax.xml.parsers.DocumentBuilderFactory", "write"; };
Find /*Default Grants copied from the JDK default system policy*/ and add the following code to the grant:
//Added for OIM
permission java.util.PropertyPermission "*", "read";
permission java.util.PropertyPermission "*", "write";
permission java.lang.RuntimePermission "queuePrintJob";
permission java.net.SocketPermission "*", "connect";
permission java.lang.RuntimePermission "accessClassInPackage.*";
permission javax.management.MBeanServerPermission "findMBeanServer";
permission javax.security.auth.AuthPermission "createLoginContext.*";
// For Nexaweb
permission java.lang.RuntimePermission "getClassLoader";
permission java.lang.RuntimePermission "setContextClassLoader";
permission java.util.PropertyPermission "nexaweb.logs", "read,write";
permission java.util.PropertyPermission "sun.net.client.defaultConnectTimeout", "read,write";
permission java.util.PropertyPermission "sun.net.client.defaultReadTimeout", "read,write";
permission java.lang.RuntimePermission "loadLibrary.*";
permission java.lang.RuntimePermission "queuePrintJob";
permission java.net.SocketPermission "*", "connect";
permission java.io.FilePermission "<<ALL FILES>>", "read";
permission java.lang.RuntimePermission "modifyThreadGroup";
permission oracle.oc4j.security.OC4JRuntimePermission "oracle.oc4j.OC4JOnly";
permission javax.management.MBeanPermission "oracle.oc4j.admin.jmx.server.mbeans.model.DefaultModelMBeanImpl#-", "*";
permission javax.management.MBeanPermission "oracle.oc4j.admin.jmx.server.mbeans.model.DefaultModelMBeanImpl#fireXMLConfigEvent[default:j2eeType=OracleASJMSRouter]", "invoke";
permission javax.management.MBeanPermission "oracle.oc4j.admin.management.mbeans.JMSPersistence#-", "*";
permission javax.management.MBeanPermission "oracle.oc4j.admin.management.mbeans.JMSQueue#-", "*";
permission javax.management.MBeanPermission "oracle.oc4j.admin.management.mbeans.JMS#-", "*";
permission javax.management.MBeanPermission "oracle.j2ee.ws.server.mgmt.runtime.mbean.ServerInterceptorGlobalRuntime#-","*";
//Change this to the original directory where logs are being created.
//If logs are getting created in more than one directory, ensure that you have two entries for them here.
permission java.io.FilePermission "${oracle.home}\\opmn\\logs\\-", "read,write,delete";
permission java.io.FilePermission "${oracle.home}\\j2ee\\xlClusterMember\\logs\\-", "read,write,delete";
permission java.io.FilePermission "${oracle.home}\\j2ee\\home\\logs\\-", "read,write,delete";
permission java.io.FilePermission "${oracle.home}\\j2ee\\xlClusterMember\\velocity.log", "read,write,delete";
permission java.io.FilePermission "${oracle.home}\\j2ee\\home\\velocity.log", "read,write,delete";
//This is added for the GTC-Recon Connector
/*
 * permission java.io.FilePermission "C:\\files\\file1\\-", "read,write,delete";
 * property has been added for the path of directory where files are kept for
 * GTC-RECON connector. Update the path to correct value prior to
 * running the server.
 */
permission java.io.FilePermission "C:\\files\\file1\\-", "read,write,delete";
//Added for AQ
permission java.lang.RuntimePermission "accessDeclaredMembers";
In Custom Application Permissions, append the following code:
// Java code and extensions
// Trust java extensions
grant codeBase "file:${java.home}/lib/ext/-" { permission java.security.AllPermission; };
/*grant codeBase "file:${XL.HomeDir}/logs/-" { permission java.security.AllPermission; }; */
// Trust core java code
grant codeBase "file:${java.home}/lib/*" { permission java.security.AllPermission; };
// For java.home pointing to the JDK jre directory
grant codeBase "file:${java.home}/jre/lib/-" { permission java.security.AllPermission; };
// Grant All permissions to nexaweb commons jar file to be loaded from
grant codeBase "file:${oracle.home}/j2ee/xlClusterMember/applib/nexaweb-common.jar" { permission java.security.AllPermission; };

// OIM codebase permissions
grant codeBase "file:${oracle.home}/j2ee/xlClusterMember/applications/Xellerate/-" {
    // File permissions
    // Need read, write, and delete permissions on $OIM_HOME/config folder
    // to read various config files, write the
    // xlconfig.xml.{0,1,2..} files upon re-encryption and delete
    // the last xlconfig.xml if the numbers go above 9.
    permission java.io.FilePermission "${XL.HomeDir}\\config\\-", "read, write, delete";
    permission java.io.FilePermission "${XL.HomeDir}\\-", "read";
    // Need read,write,delete permissions to generate adapter java
    // code, delete the .class file when the adapter is loaded into
    // the database
    permission java.io.FilePermission "${XL.HomeDir}\\adapters\\-", "read,write,delete";
    // This is required by the connectors and connector installer
    permission java.io.FilePermission "${XL.HomeDir}\\ConnectorDefaultDirectory\\-", "read,write,delete";
    permission java.io.FilePermission "${XL.HomeDir}\\adapters\\connectorResources\\-", "read,write,delete";
    // Read Globalization resource bundle files for various
    // locales
    permission java.io.FilePermission "${XL.HomeDir}\\adapters\\customResources\\-", "read";
    // Read code from "JavaTasks", "ScheduleTask",
    // "ThirdParty", "EventHandlers" folder
    permission java.io.FilePermission "${XL.HomeDir}\\EventHandlers\\-", "read";
    permission java.io.FilePermission "${XL.HomeDir}\\JavaTasks\\-", "read";
    permission java.io.FilePermission "${XL.HomeDir}\\ScheduleTask\\-", "read";
    permission java.io.FilePermission "${XL.HomeDir}\\ThirdParty\\-", "read";
    // Required by the Generic Technology connector
    permission java.io.FilePermission "${XL.HomeDir}\\GTC\\-", "read";
    // Server needs read permissions on Nexaweb home directory
    //permission java.io.FilePermission "${nexaweb.home}\\-", "read";
    // Read permissions on the "application-deployments" folder, the OIM deploy
    // directory
    permission java.io.FilePermission "${oracle.home}\\j2ee\\xlClusterMember\\application-deployments\\Xellerate\\-", "read,write,delete";
    permission java.io.FilePermission "${oracle.home}\\j2ee\\xlClusterMember\\-", "read,write,delete";
    permission java.io.FilePermission "${oracle.home}\\j2ee\\home\\-", "read,write,delete";
    permission java.io.FilePermission "${oracle.home}\\j2ee\\xlClusterMember\\applications\\Xellerate\\-", "read,write,delete";
    // OIM server invokes the java compiler. You need "execute"
    // permissions on all files.
    permission java.io.FilePermission "<<ALL FILES>>", "execute";
    // Socket permissions
    // Basically we allow all permissions on nonprivileged sockets
    // The multicast address should be the same as the one in
    // xlconfig.xml for javagroups communication
    permission java.net.SocketPermission "*", "connect,listen,resolve,accept";
    permission java.net.SocketPermission "231.111.153.118", "connect,accept";
    // Property permissions
    // Read and write OIM properties
    // Read XL.*, java.* and log4j.* properties
    permission java.util.PropertyPermission "XL.*", "read,write";
    permission java.util.PropertyPermission "*", "read, write";
    permission java.util.PropertyPermission "java.*", "read";
    permission java.util.PropertyPermission "log4j.", "read";
    permission java.util.PropertyPermission "user.dir", "read";
    // Runtime permissions
    // OIM server needs permissions to create its own class loader,
    // get the class loader, modify threads and register shutdown
    // hooks
    permission java.lang.RuntimePermission "createClassLoader";
    permission java.lang.RuntimePermission "getClassLoader";
    permission java.lang.RuntimePermission "modifyThread";
    permission java.lang.RuntimePermission "modifyThreadGroup";
    permission java.lang.RuntimePermission "shutdownHooks";
    // OIM server needs runtime permissions to generate and load
    // classes in the below specified packages. Also access the
    // declared members of a class.
    permission java.lang.RuntimePermission "defineClassInPackage.com.thortech.xl.adapterGlue.ScheduleItemEvents";
    permission java.lang.RuntimePermission "defineClassInPackage.com.thortech.xl.dataobj.rulegenerators";
    permission java.lang.RuntimePermission "defineClassInPackage.com.thortech.xl.adapterGlue";
    permission java.lang.RuntimePermission "accessDeclaredMembers";
    // Reflection permissions
    // Give permissions to access and invoke fields/methods from
    // reflected classes.
    permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
    // Security permissions for OIM server
    permission java.security.SecurityPermission "*";
    permission javax.security.auth.AuthPermission "doAs";
    permission javax.security.auth.AuthPermission "doPrivileged";
    permission javax.security.auth.AuthPermission "getSubject";
    permission javax.security.auth.AuthPermission "modifyPrincipals";
    permission javax.security.auth.AuthPermission "createLoginContext";
    permission javax.security.auth.AuthPermission "createLoginContext.*";
    permission javax.security.auth.AuthPermission "getLoginConfiguration";
    permission javax.security.auth.AuthPermission "setLoginConfiguration";
    // SSL permission (for remote manager)
    permission javax.net.ssl.SSLPermission "getSSLSessionContext";
    permission java.net.SocketPermission "*:1024-", "listen";
    permission java.util.logging.LoggingPermission "control";
    permission java.lang.RuntimePermission "enableContextClassLoaderOverride";
    permission java.io.SerializablePermission "enableSubclassImplementation";
    permission java.io.SerializablePermission "enableSubstitution";
    permission java.net.SocketPermission "*:*", "connect,resolve";
    permission java.lang.RuntimePermission "createClassLoader";
    permission java.lang.RuntimePermission "getClassLoader";
    permission java.util.PropertyPermission "*", "read";
    permission java.util.PropertyPermission "LoadBalanceOnLookup", "read,write";
    permission javax.security.auth.AuthPermission "getPolicy";
    permission java.util.PropertyPermission "javax.*", "read,write";
    permission oracle.security.jazn.JAZNPermission "getRealmManager";
};

// Nexaweb server codebase permissions
grant codeBase "file:${oracle.home}/j2ee/xlClusterMember/applications/Nexaweb/-" {
    // File permissions
    permission java.io.FilePermission "${user.home}", "read, write";
    permission java.io.FilePermission "${oracle.home}\\j2ee\\xlClusterMember\\application-deployments\\Nexaweb\\-", "read,write,delete";
    //permission java.io.FilePermission "${nexaweb.home}\\-", "read";
    // Property permissions
    permission java.util.PropertyPermission "*", "read,write";
    // Runtime permissions
    // Nexaweb server needs permissions to create its own class loader,
    // get the class loader etc.
    permission java.lang.RuntimePermission "createClassLoader";
    permission java.lang.RuntimePermission "getClassLoader";
    permission java.lang.RuntimePermission "setContextClassLoader";
    permission java.lang.RuntimePermission "setFactory";
    // Nexaweb server security permissions to load the Cryptix
    // extension
    permission java.security.SecurityPermission "insertProvider.Cryptix";
    // Socket permissions
    // Permissions on all non-privileged ports.
    permission java.net.SocketPermission "*:1024-", "listen, connect, resolve";
    // Security permissions
    permission javax.security.auth.AuthPermission "doAs";
    permission javax.security.auth.AuthPermission "modifyPrincipals";
    permission javax.security.auth.AuthPermission "createLoginContext";
    permission javax.security.auth.AuthPermission "createLoginContext.*";
    permission java.util.logging.LoggingPermission "control";
    permission java.io.SerializablePermission "enableSubclassImplementation";
    permission java.io.SerializablePermission "enableSubstitution";
    permission javax.security.auth.AuthPermission "getPolicy";
    permission java.net.SocketPermission "*:*", "connect,resolve";
    permission java.lang.RuntimePermission "createClassLoader";
    permission java.lang.RuntimePermission "getClassLoader";
    permission java.util.PropertyPermission "*", "read";
    permission java.util.PropertyPermission "LoadBalanceOnLookup", "read,write";
    permission java.io.FilePermission "${oracle.home}\\j2ee\\xlClusterMember\\-", "read,write,delete";
    permission java.util.PropertyPermission "javax.*", "read,write";
};

// The following are permissions given to codebase in the OIM server
// directory
grant codeBase "file:${XL.HomeDir}/-" {
    // File permissions
    permission java.io.FilePermission "${XL.HomeDir}\\config\\-", "read";
    permission java.io.FilePermission "${XL.HomeDir}\\JavaTasks\\-", "read";
    permission java.io.FilePermission "${XL.HomeDir}\\ScheduleTasks\\-", "read";
    permission java.io.FilePermission "${XL.HomeDir}\\ThirdParty\\-", "read";
    permission java.io.FilePermission "${XL.HomeDir}\\adapters\\-", "read,write,delete";
    //permission java.io.FilePermission "${nexaweb.home}\\-", "read";
    // Socket permissions
    permission java.net.SocketPermission "*", "listen";
    // Property permissions
    // Read XL.* and log4j.* properties
    permission java.util.PropertyPermission "XL.*", "read";
    permission java.util.PropertyPermission "log*", "read";
    // Security permissions
    permission javax.security.auth.AuthPermission "doAs";
    permission javax.security.auth.AuthPermission "modifyPrincipals";
    permission javax.security.auth.AuthPermission "createLoginContext";
    permission java.io.SerializablePermission "enableSubclassImplementation";
    permission java.io.SerializablePermission "enableSubstitution";
    permission java.util.logging.LoggingPermission "control";
    permission javax.security.auth.AuthPermission "createLoginContext.*";
    permission java.security.SecurityPermission "*";
    permission javax.security.auth.AuthPermission "getLoginConfiguration";
    permission javax.security.auth.AuthPermission "getPolicy";
    permission javax.security.auth.AuthPermission "setLoginConfiguration";
    permission java.security.SecurityPermission "insertProvider.Cryptix";
    // Socket permissions
    // Permissions on all non-privileged ports.
    permission java.net.SocketPermission "*:1024-","listen, connect, resolve";
    permission java.net.SocketPermission "*:*", "connect,resolve";
    permission java.lang.RuntimePermission "createClassLoader";
    permission java.lang.RuntimePermission "getClassLoader";
    permission java.util.PropertyPermission "*", "read";
    permission java.util.PropertyPermission "LoadBalanceOnLookup", "read,write";
    permission java.io.FilePermission "${oracle.home}\\j2ee\\xlClusterMember\\-", "read,write,delete";
    permission java.util.PropertyPermission "javax.*", "read,write";
};
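Added here as an example that is not part of this Oracle guide, and that applies to both the noncluster and the cluster listings above: a Python audit of the grant syntax used in java2.policy. It parses each grant block, flags permissions that amount to removing the sandbox for a code source (or for all code, in a grant with no codeBase), and reports any text that is not a well-formed grant, which is the kind of syntax error the note above warns can stop the server. The SAMPLE_POLICY text embedded in it is constructed from grants shown in this appendix, and BROKEN_POLICY is a constructed malformed fragment; neither is a real file.

```python
"""Audit a java2.policy file before restarting the server.

Parses the grant/permission syntax used in this appendix and reports
grants that hand a code source (or all code) permissions equivalent to
no sandbox.  Added example, not Oracle's code.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample, modelled on grants shown in this appendix; not a real file.
SAMPLE_POLICY = r'''
/* JDK */
grant codebase "file:${java.home}/../lib/tools.jar" {
    permission java.security.AllPermission;
};
// OIM codebase permissions
grant codeBase "file:${oracle.home}/j2ee/home/applications/Xellerate/-" {
    permission java.io.FilePermission "${XL.HomeDir}\\config\\-", "read, write, delete";
    permission java.io.FilePermission "<<ALL FILES>>", "execute";
    permission java.net.SocketPermission "231.184.202.110", "connect,accept";
    permission java.security.SecurityPermission "*";
    // permission java.lang.RuntimePermission "stopThread";
    permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
};
grant {
    permission java.util.PropertyPermission "log4j.debug", "read";
    permission java.io.FilePermission "<<ALL FILES>>", "read";
};
'''

# Constructed malformed fragment: missing ';' after the permission and after '}'.
BROKEN_POLICY = 'grant { permission java.util.PropertyPermission "x", "read" }'

Permission = Tuple[str, Optional[str], Optional[str]]  # (class, target, actions)


@dataclass
class Grant:
    codebase: Optional[str]                     # None: the grant applies to all code
    permissions: List[Permission] = field(default_factory=list)


_STR = r'"[^"\n]*"'
# Strings are matched first so a "//" or "/*" inside a quoted path is not a comment.
_COMMENT_OR_STR = re.compile(_STR + r'|/\*.*?\*/|//[^\n]*', re.S)
# Quoted strings may contain { and } (e.g. "${java.home}"), so they are consumed whole.
_GRANT = re.compile(r'grant\b((?:' + _STR + r'|[^{"])*)\{((?:' + _STR + r'|[^}"])*)\}\s*;')
_CODEBASE = re.compile(r'codebase\s+"([^"]*)"', re.I)
_PERM = re.compile(r'permission\s+([\w.$]+)(?:\s+"([^"]*)")?(?:\s*,\s*"([^"]*)")?\s*;')


def strip_comments(text: str) -> str:
    """Remove /* */ and // comments while leaving quoted strings intact."""
    return _COMMENT_OR_STR.sub(lambda m: m.group(0) if m.group(0).startswith('"') else "", text)


def parse_policy(text: str) -> List[Grant]:
    """Return every well-formed grant block with its codeBase and permissions."""
    grants = []
    for m in _GRANT.finditer(strip_comments(text)):
        cb = _CODEBASE.search(m.group(1))
        grant = Grant(cb.group(1) if cb else None)
        for p in _PERM.finditer(m.group(2)):
            grant.permissions.append((p.group(1), p.group(2), p.group(3)))
        grants.append(grant)
    return grants


def leftover(text: str) -> str:
    """Text outside well-formed grant blocks; anything but '' is a syntax problem
    of the kind that keeps the server from starting."""
    return _GRANT.sub("", strip_comments(text)).strip()


def audit(grants: List[Grant]) -> List[Tuple[str, str, str]]:
    """(scope, permission class, reason) for permissions that remove the sandbox."""
    findings = []
    for g in grants:
        scope = g.codebase or "<all code>"
        for cls, target, actions in g.permissions:
            reason = None
            if cls == "java.security.AllPermission":
                reason = "AllPermission: no sandbox for this code source"
            elif cls == "java.io.FilePermission" and target == "<<ALL FILES>>":
                reason = "FilePermission on every file, actions: %s" % actions
            elif cls == "java.security.SecurityPermission" and target == "*":
                reason = "SecurityPermission '*': can replace Policy and providers"
            elif cls == "java.lang.reflect.ReflectPermission" and target == "suppressAccessChecks":
                reason = "suppressAccessChecks: bypasses Java access control"
            if reason:
                findings.append((scope, cls, reason))
    return findings


if __name__ == "__main__":
    problem = leftover(SAMPLE_POLICY)
    print("syntax:", "ok" if not problem else "unparsed text: " + problem)
    for scope, cls, reason in audit(parse_policy(SAMPLE_POLICY)):
        print("%-60s %s" % (scope, reason))
    print("broken sample leftover:", repr(leftover(BROKEN_POLICY)))
```

Run it against a real java2.policy by reading the file into a string and passing it to leftover() and audit(parse_policy()); a grant with no codeBase that carries a finding deserves the first look, because it applies to every class the JVM loads.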
Policy File
The following is the sample java2.policy file after the Oracle Identity Manager policy has been added:
/*
 * Standard policy file for Oracle Application Server
 *
 * When this file is in use the System property ${oracle.home} must
 * be set to $ORACLE_HOME or to the value of $ORACLE_HOME.
 *
 * When this file is in use via OPMN the System property
 * ${oracle.oc4j.instancename}
 * is used to identify the instance-level connector jars.
 *
 * This file grants AllPermission to "oc4j code"
 * oc4j code is code used either directly or indirectly by the app server
 * itself. Including code generated for ejb wrappers.
 * See oc4j.jar!boot.xml for a complete list. Currently this file
 * only lists jars that need permissions. Others can be
 * added if necessary.
 *
 * In a future release the grants will be refined so that
 * only the Permissions actually needed by Oracle Application Server
 * code will be granted.
 *
 * Calls to accessController.doPrivileged have been added to Oracle
 * Application Server with the intention that the application code only
 * be granted the Permissions needed by actions it performs directly.
 * It should not be granted Permissions required by J2EE
 * operations.
 *
 * For example if a Servlet (or jsp) forwards to a .jsp it does not
 * need Permission to read and compile the .jsp. Similarly the
 * application code associated with an ejb that specifies container
 * managed persistence does not need Permission to create a socket
 * talking to the database holding the underlying data. But an EJB
 * using bean managed persistence does need such Permission.
 */
grant codebase "file:${oracle.home}/j2ee/home/*" { permission java.security.AllPermission; };
grant codebase "file:${oracle.home}/j2ee/home/lib/*" { permission java.security.AllPermission; };
grant codebase "file:${oracle.home}/jlib/-" { permission java.security.AllPermission; };
grant codebase "file:${oracle.home}/bc4j/jlib/*" { permission java.security.AllPermission; };
grant codeBase "file:${oracle.home}/toplink/jlib/*" { permission java.security.AllPermission; };
grant codebase "file:${oracle.home}/dms/lib/*" { permission java.security.AllPermission; };
grant codebase "file:${oracle.home}/diagnostics/lib/*" { permission java.security.AllPermission; };
grant codebase "file:${oracle.home}/jdbc/lib/ojdbc14dms.jar" { permission java.security.AllPermission; };
grant codebase "file:${oracle.home}/dbjava/lib/*" { permission java.security.AllPermission; };
grant codebase "file:${oracle.home}/sqlj/lib/*" { permission java.security.AllPermission; };
grant codebase "file:${oracle.home}/javacache/lib/*" { permission java.security.AllPermission; };
grant codebase "file:${oracle.home}/uddi/lib/*" { permission java.security.AllPermission; };
grant codebase "file:${oracle.home}/xdk/lib/*" { permission java.security.AllPermission; };
grant codebase "file:${oracle.home}/opmn/lib/*" { permission java.security.AllPermission; };
grant codebase "file:${oracle.home}/webservices/lib/*" { permission java.security.AllPermission; };
grant codeBase "file:${oracle.home}/javavm/lib/-" { permission java.security.AllPermission; };
grant codebase "file:${oracle.home}/jsp/lib/*" { permission java.security.AllPermission; };
grant codebase "file:${oracle.home}/lib/*" { permission java.security.AllPermission; };

/** EJB skeleton/tie & BCEL proxy support **/
grant codeBase "file:generated/by/proxy" { permission java.security.AllPermission; };
grant codeBase "file://generated/by/oracle.j2ee.connector.proxy.BCELProxyClassLoader" { permission java.security.AllPermission; };

/**
 * Miscellaneous grants to jars distributed as part of oc4j that can be used
 * in various ways
 */
grant codebase "file:${oracle.home}/j2ee/home/connectors/OracleASjms/OracleASjms/gjra.jar" { permission java.security.AllPermission; };
grant codebase "file:${oracle.home}/j2ee/${oracle.oc4j.instancename}/connectors/OracleASjms/OracleASjms/gjra.jar" { permission java.security.AllPermission; };
grant codebase "file:${oracle.home}/j2ee/home/connectors/datasources/datasources/datasources.jar" { permission java.security.AllPermission; };
grant codebase "file:${oracle.home}/j2ee/${oracle.oc4j.instancename}/connectors/datasources/datasources/datasources.jar" { permission java.security.AllPermission; };
grant codebase "file:${oracle.home}/j2ee/home/jsp/lib/*" { permission java.security.AllPermission; };
grant codebase "file:${oracle.home}/j2ee/home/jsp/lib/taglib/ojsputil.jar" { permission java.security.AllPermission; };

/* GRANTS TO DEFAULT APPLICATIONS */
grant codebase "file:${oracle.home}/j2ee/xlClusterMember/application-deployments/ascontrol/-" { permission java.security.AllPermission; };
grant codebase "file:${oracle.home}/j2ee/${oracle.oc4j.instancename}/application-deployments/ascontrol/-" { permission java.security.AllPermission; };
grant codebase "file:${oracle.home}/j2ee/xlClusterMember/applications/ascontrol/-" { permission java.security.AllPermission; };
grant codebase "file:${oracle.home}/j2ee/${oracle.oc4j.instancename}/applications/ascontrol/-" { permission java.security.AllPermission; };
grant codebase "file:${oracle.home}/j2ee/xlClusterMember/application-deployments/default/-" { permission java.security.AllPermission; };
grant codebase "file:${oracle.home}/j2ee/${oracle.oc4j.instancename}/application-deployments/default/-" { permission java.security.AllPermission; };
grant codebase "file:${oracle.home}/j2ee/xlClusterMember/applications/default/-" { permission java.security.AllPermission; };
grant codebase "file:${oracle.home}/j2ee/${oracle.oc4j.instancename}/applications/default/-" { permission java.security.AllPermission; };
grant codebase "file:${oracle.home}/j2ee/home/application-deployments/javasso/-" { permission java.security.AllPermission; };
grant codebase "file:${oracle.home}/j2ee/${oracle.oc4j.instancename}/application-deployments/javasso/-" { permission java.security.AllPermission; };
grant codebase "file:${oracle.home}/j2ee/home/applications/javasso/-" { permission java.security.AllPermission; };
grant codebase "file:${oracle.home}/j2ee/${oracle.oc4j.instancename}/applications/javasso/-" { permission java.security.AllPermission; };
grant codebase "file:${oracle.home}/j2ee/home/application-deployments/usermbean/-" { permission java.security.AllPermission; };
grant codebase "file:${oracle.home}/j2ee/${oracle.oc4j.instancename}/application-deployments/usermbean/-" { permission java.security.AllPermission; };
grant codebase "file:${oracle.home}/j2ee/home/applications/usermbean/-" { permission java.security.AllPermission; };
grant codebase "file:${oracle.home}/j2ee/${oracle.oc4j.instancename}/applications/usermbean/-" { permission java.security.AllPermission; };
grant codebase "file:${oracle.home}/j2ee/xlClusterMember/application-deployments/admin_ejb/-" { permission java.security.AllPermission; };
grant codebase "file:${oracle.home}/j2ee/${oracle.oc4j.instancename}/application-deployments/admin_ejb/-" { permission java.security.AllPermission; };
grant codebase "file:${oracle.home}/j2ee/home/applications/admin_ejb.jar" { permission java.security.AllPermission; };
grant codebase "file:${oracle.home}/j2ee/home/applications/admin_ejb/-" { permission java.security.AllPermission; };
grant codebase "file:${oracle.home}/j2ee/${oracle.oc4j.instancename}/applications/admin_ejb/-" { permission java.security.AllPermission; };
grant codebase "file:${oracle.home}/j2ee/home/applications/jmsrouter-ejb.jar" { permission java.security.AllPermission; };
grant codebase
"file:${oracle.home}/j2ee/home/applications/jmsrouter" { permission java.security.AllPermission; }; grant codebase "file:${oracle.home}/j2ee/xlClusterMember/application-deployments/JMXSoapAdapter-web/-" { permission java.security.AllPermission; }; grant codebase "file:${oracle.home}/j2ee/${oracle.oc4j.instancename}/application-deployments/JMXSoapAdapter-web/-" { permission java.security.AllPermission; }; grant { permission java.util.PropertyPermission "j2ee.home", "read"; } ; grant { permission java.util.PropertyPermission "java.home", "read"; } ; grant { permission java.util.PropertyPermission "javax.xml.soap.SOAPFactory", "read"; } ; grant { permission java.util.PropertyPermission "javax.activation.debug" , "read"; } ; grant { permission java.util.PropertyPermission "javax.xml.parsers.DocumentBuilderFactory" , "read"; } ; grant { permission java.util.PropertyPermission "javax.xml.parsers.DocumentBuilderFactory", "write"; }; grant { permission java.util.PropertyPermission "javax.xml.soap.MessageFactory" , "read"; } ; grant { permission java.util.PropertyPermission "jdbc.nontx.autocommit" , "read"; } ; grant { permission java.util.PropertyPermission "mail.URLName.dontencode" , "read"; } ; grant { permission java.util.PropertyPermission "oc4j.jmx.event.interval" , "read"; } ; grant { permission java.util.PropertyPermission "oc4j.jmx.heartbeat.interval" , "read"; } ; grant { permission java.util.PropertyPermission "oracle.jdbc.defaultNChar" , "read"; } ; grant { permission java.util.PropertyPermission "oracle.jdbc.DMSStatementMetrics" , "read"; } ; grant { permission java.util.PropertyPermission "oracle.jdbc.J2EE13Compliant" , "read"; } ; grant { permission java.util.PropertyPermission "oracle.jdbc.TcpNoDelay" , "read"; } ; grant { permission java.util.PropertyPermission "oracle.jdbc.useFetchSizeWithLongColumn" , "read"; } ; grant { permission java.util.PropertyPermission "oracle.jdbc.V8Compatible" , "read"; } ; grant { permission java.util.PropertyPermission 
"oracle.jserver.version" , "read"; } ; grant { permission java.util.PropertyPermission "oracle.xml.parser.debugmode" , "read"; } ; grant { permission java.util.PropertyPermission "oracle.xml.parser.default.character.set" , "read"; } ; grant { permission java.util.PropertyPermission "oracle.xml.xslt.jdwp", "read"; }; grant { permission java.util.PropertyPermission "orasaaj.soapversion" , "read"; } ; grant { permission java.util.PropertyPermission "org.apache.commons.logging.Log" , "read"; } ; grant { permission java.util.PropertyPermission "org.apache.commons.logging.LogFactory" , "read"; } ; grant { permission java.util.PropertyPermission "PersistenceManagerDebug" , "read"; } ; grant { permission java.util.PropertyPermission "pro.debug" , "read"; } ; grant { permission java.util.PropertyPermission "sqlj.runtime" , "read"; } ; grant { permission java.util.PropertyPermission "transaction.debug" , "read"; } ; grant { permission java.util.PropertyPermission "user.home" , "read"; } ; grant { permission java.util.PropertyPermission "user.name" , "read"; } ; grant { permission java.util.PropertyPermission "rmi.verbose" , "read"; } ; grant { permission java.util.PropertyPermission "AssociateUserToThread", "read"; }; grant { permission java.util.PropertyPermission "toplink.cts.collection.checkParameters", "read"; }; grant { permission java.util.PropertyPermission "AllowZeroInPK", "read"; }; grant { permission java.util.PropertyPermission "HTTPClient.Modules", "read"; }; grant { permission java.util.PropertyPermission "HTTPClient.Nagle", "read"; }; grant { permission java.util.PropertyPermission "HTTPClient.cookies.hosts.accept", "read"; }; grant { permission java.util.PropertyPermission "HTTPClient.cookies.hosts.reject", "read"; }; grant { permission java.util.PropertyPermission "HTTPClient.cookies.save", "read"; }; grant { permission java.util.PropertyPermission "HTTPClient.deferStreamed", "read"; }; grant { permission java.util.PropertyPermission 
"HTTPClient.disableKeepAlives", "read"; }; grant { permission java.util.PropertyPermission "HTTPClient.disable_pipelining", "read"; }; grant { permission java.util.PropertyPermission "HTTPClient.dontChunkRequests", "read"; }; grant { permission java.util.PropertyPermission "HTTPClient.dontTimeoutRespBody", "read"; }; grant { permission java.util.PropertyPermission "HTTPClient.forceHTTP_1.0", "read"; }; grant { permission java.util.PropertyPermission "HTTPClient.log.level", "read"; }; grant { permission java.util.PropertyPermission "HTTPClient.nonProxyHosts", "read"; }; grant { permission java.util.PropertyPermission "HTTPClient.socket.idleTimeout", "read"; }; grant { permission java.util.PropertyPermission "HTTPClient.socksHost", "read"; }; grant { permission java.util.PropertyPermission "HTTPClient.socksPort", "read"; }; grant { permission java.util.PropertyPermission "HTTPClient.socksVersion", "read"; }; grant { permission java.util.PropertyPermission "JavaClass.debug", "read"; }; grant { permission java.util.PropertyPermission "LoadBalanceOnLookup", "read"; }; grant { permission java.util.PropertyPermission "SQLLog", "read"; }; grant { permission java.util.PropertyPermission "USE_JAAS", "read"; }; grant { permission java.util.PropertyPermission "com.sun.enterprise.home", "read"; }; grant { permission java.util.PropertyPermission "customFinderMethod.noLazyLoading", "read"; }; grant { permission java.util.PropertyPermission "debug", "read"; }; grant { permission java.util.PropertyPermission "default.cmp.pm", "read"; }; grant { permission java.util.PropertyPermission "ejb.debug.verbose", "read"; }; grant { permission java.util.PropertyPermission "findByPrimaryKey.noLazyLoading", "read"; }; grant { permission java.util.PropertyPermission "http.nonProxyHosts", "read"; }; grant { permission java.util.PropertyPermission "http.proxyHost", "read"; }; grant { permission java.util.PropertyPermission "http.proxyPort", "read"; }; grant { permission 
java.util.PropertyPermission "java.ext.dirs", "read"; }; grant { permission java.util.PropertyPermission "java.class.path", "read"; }; grant { permission java.util.PropertyPermission "javax.xml.parsers.SAXParserFactory", "read"; }; grant { permission java.util.PropertyPermission "jca.connection.debug", "read"; }; grant { permission java.util.PropertyPermission "log4j.configDebug", "read"; }; grant { permission java.util.PropertyPermission "log4j.configuration", "read"; }; grant { permission java.util.PropertyPermission "log4j.debug", "read"; }; grant { permission java.util.PropertyPermission "log4j.defaultInitOverride", "read"; }; grant { permission java.util.PropertyPermission "log4j.disable", "read"; }; grant { permission java.util.PropertyPermission "log4j.disableOverride", "read"; }; grant { permission java.util.PropertyPermission "oneToOneJoin", "read"; }; grant { permission java.util.PropertyPermission "sun.boot.class.path", "read"; }; grant { permission java.util.PropertyPermission "toplink.changePolicy", "read"; }; grant { permission java.util.PropertyPermission "toplink.cts.collection.checkParameters", "read"; }; grant { permission java.util.PropertyPermission "toplink.cts.collection.checkTransaction", "read"; }; grant { permission java.util.PropertyPermission "toplink.defaultmapping.dbTableGenSetting", "read"; }; grant { permission java.util.PropertyPermission "toplink.defaultmapping.useExtendedTableNames", "read"; }; grant { permission java.util.PropertyPermission "toplink.log.destination", "read"; }; grant { permission java.util.PropertyPermission "toplink.log.level", "read"; }; grant { permission java.util.PropertyPermission "toplink.xml.platform", "read"; }; grant { permission java.util.PropertyPermission "upload.buflen", "read"; }; grant { permission java.util.PropertyPermission "user.dir", "read"; }; grant { permission java.util.PropertyPermission "javax.xml.soap.SOAPConnectionFactory", "read";}; grant { permission java.util.PropertyPermission 
"HTTPClient.socket.idleTimeout", "write";}; /* JDK */ grant codebase "file:${java.home}/../lib/tools.jar" { permission java.security.AllPermission; }; grant codeBase "file:${java.home}/lib/ext/*" { permission java.security.AllPermission; }; /* Default Grants copied from the JDK default system policy. */ grant { // "standard" properties that can be read by anyone. permission java.util.PropertyPermission "java.version", "read"; permission java.util.PropertyPermission "java.vendor", "read"; permission java.util.PropertyPermission "java.vendor.url", "read"; permission java.util.PropertyPermission "java.class.version", "read"; permission java.util.PropertyPermission "os.name", "read"; permission java.util.PropertyPermission "os.version", "read"; permission java.util.PropertyPermission "os.arch", "read"; permission java.util.PropertyPermission "file.separator", "read"; permission java.util.PropertyPermission "path.separator", "read"; permission java.util.PropertyPermission "line.separator", "read"; permission java.util.PropertyPermission "java.specification.version", "read"; permission java.util.PropertyPermission "java.specification.vendor", "read"; permission java.util.PropertyPermission "java.specification.name", "read"; permission java.util.PropertyPermission "java.vm.specification.version", "read"; permission java.util.PropertyPermission "java.vm.specification.vendor", "read"; permission java.util.PropertyPermission "java.vm.specification.name", "read"; permission java.util.PropertyPermission "java.vm.version", "read"; permission java.util.PropertyPermission "java.vm.vendor", "read"; permission java.util.PropertyPermission "java.vm.name", "read"; /* The following are granted by the default jdk policy but are considered * unsafe and are omitted by this policy file */ //permission java.lang.RuntimePermission "stopThread"; //permission java.net.SocketPermission "localhost:1024-", "listen"; permission java.util.PropertyPermission "*", "read"; permission 
java.util.PropertyPermission "*", "write"; permission java.lang.RuntimePermission "queuePrintJob"; permission java.net.SocketPermission "*", "connect"; permission java.lang.RuntimePermission "accessClassInPackage.*"; permission javax.management.MBeanServerPermission "findMBeanServer"; permission javax.security.auth.AuthPermission "createLoginContext.*"; // For Nexaweb permission java.lang.RuntimePermission "getClassLoader"; permission java.lang.RuntimePermission "setContextClassLoader"; permission java.util.PropertyPermission "nexaweb.logs", "read,write"; permission java.util.PropertyPermission "sun.net.client.defaultConnectTimeout", "read,write"; permission java.util.PropertyPermission "sun.net.client.defaultReadTimeout", "read,write"; permission java.lang.RuntimePermission "loadLibrary.*"; permission java.lang.RuntimePermission "queuePrintJob"; permission java.net.SocketPermission "*", "connect"; permission java.io.FilePermission "<<ALL FILES>>", "read"; permission java.lang.RuntimePermission "modifyThreadGroup"; permission oracle.oc4j.security.OC4JRuntimePermission "oracle.oc4j.OC4JOnly"; permission javax.management.MBeanPermission "oracle.oc4j.admin.jmx.server.mbeans.model.DefaultModelMBeanImpl#-", "*"; permission javax.management.MBeanPermission "oracle.oc4j.admin.jmx.server.mbeans.model.DefaultModelMBeanImpl#fireXMLConfigEvent[default:j2eeType=OracleASJMSRouter]", "invoke"; permission javax.management.MBeanPermission "oracle.oc4j.admin.management.mbeans.JMSPersistence#-", "*"; permission javax.management.MBeanPermission "oracle.oc4j.admin.management.mbeans.JMSQueue#-", "*"; permission javax.management.MBeanPermission "oracle.oc4j.admin.management.mbeans.JMS#-", "*"; permission javax.management.MBeanPermission "oracle.j2ee.ws.server.mgmt.runtime.mbean.ServerInterceptorGlobalRuntime#-","*"; //Change this to the original directory where logs are being geting created //If logs are getting created in more then one directory ensure that you have two entries for 
them here. permission java.io.FilePermission "${oracle.home}\\opmn\\logs\\-", "read,write,delete"; permission java.io.FilePermission "${oracle.home}\\j2ee\\xlClusterMember\\logs\\-", "read,write,delete"; permission java.io.FilePermission "${oracle.home}\\j2ee\\home\\logs\\-", "read,write,delete"; permission java.io.FilePermission "${oracle.home}\\j2ee\\xlClusterMember\\velocity.log", "read,write,delete"; permission java.io.FilePermission "${oracle.home}\\j2ee\\home\\velocity.log", "read,write,delete"; //This is added for the GTC-Recon Connector permission java.io.FilePermission "C:\\files\\file1\\-", "read,write,delete"; }; /** ** Add Custom Application Permission Grants Below **/ // Java code and extensions // Trust java extensions grant codeBase "file:${java.home}/lib/ext/-" { permission java.security.AllPermission; }; /*grant codeBase "file:${XL.HomeDir}/logs/-" { permission java.security.AllPermission; }; */ // Trust core java code grant codeBase "file:${java.home}/lib/*" { permission java.security.AllPermission; }; // For java.home pointing to the JDK jre directory grant codeBase "file:${java.home}/jre/lib/-" { permission java.security.AllPermission; }; // Grant All permissions to nexaweb commons jar file to be loaded from grant codeBase "file:${oracle.home}/j2ee/xlClusterMember/applib/nexaweb-common.jar" { permission java.security.AllPermission; }; // OIM codebase permissions grant codeBase "file:${oracle.home}/j2ee/xlClusterMember/applications/Xellerate/-" { // File permissions // Need read,write,delete permissions on $OIM_HOME/config folder // to read various config files, write the // xlconfig.xml.{0,1,2..} files upon re-encryption and delete // the last xlconfig.xml if the numbers go above 9. 
permission java.io.FilePermission "${XL.HomeDir}\\config\\-", "read, write, delete"; permission java.io.FilePermission "${XL.HomeDir}\\-", "read"; // Need read,write,delete permissions to generate adapter java // code, delete the .class file when the adapter is loaded into // the database permission java.io.FilePermission "${XL.HomeDir}\\adapters\\-", "read,write,delete"; // This is required by the connectors and connector installer permission java.io.FilePermission "${XL.HomeDir}\\ConnectorDefaultDirectory\\-", "read,write,delete"; permission java.io.FilePermission "${XL.HomeDir}\\adapters\\connectorResources\\-", "read,write,delete"; // Read Globalization resource bundle files for various // locales permission java.io.FilePermission "${XL.HomeDir}\\adapters\\customResources\\-", "read"; // Read code from "JavaTasks", "ScheduleTask", // "ThirdParty", "EventHandlers" folder permission java.io.FilePermission "${XL.HomeDir}\\EventHandlers\\-", "read"; permission java.io.FilePermission "${XL.HomeDir}\\JavaTasks\\-", "read"; permission java.io.FilePermission "${XL.HomeDir}\\ScheduleTask\\-", "read"; permission java.io.FilePermission "${XL.HomeDir}\\ThirdParty\\-", "read"; // Required by the Generic Technology connector permission java.io.FilePermission "${XL.HomeDir}\\GTC\\-", "read"; // Server needs read permissions on Nexaweb home directory //permission java.io.FilePermission "${nexaweb.home}\\-", "read"; // Read permissions on the "applicatin-deployments" folder, the OIM deploy // directory permission java.io.FilePermission "${oracle.home}\\j2ee\\xlClusterMember\\application-deployments\\Xellerate\\-", "read,write,delete"; permission java.io.FilePermission "${oracle.home}\\j2ee\\xlClusterMember\\-", "read,write,delete"; permission java.io.FilePermission "${oracle.home}\\j2ee\\home\\-", "read,write,delete"; permission java.io.FilePermission "${oracle.home}\\j2ee\\xlClusterMember\\applications\\Xellerate\\-", "read,write,delete"; // OIM server invokes the java 
compiler. You need "execute" // permissions on all files. permission java.io.FilePermission "<<ALL FILES>>", "execute"; // Socket permissions // Basically you allow all permissions on nonprivileged sockets // The multicast address should be the same as the one in // xlconfig.xml for javagroups communication permission java.net.SocketPermission "*", "connect,listen,resolve,accept"; permission java.net.SocketPermission "231.111.153.118", "connect,accept"; // Property permissions // Read and write OIM properties // Read XL.*, java.* and log4j.* properties permission java.util.PropertyPermission "XL.*", "read,write"; permission java.util.PropertyPermission "*", "read, write"; permission java.util.PropertyPermission "java.*", "read"; permission java.util.PropertyPermission "log4j.", "read"; permission java.util.PropertyPermission "user.dir", "read"; // Runtime permissions // OIM server needs permissions to create its own class loader, // get the class loader, modify threads and register shutdown // hooks permission java.lang.RuntimePermission "createClassLoader"; permission java.lang.RuntimePermission "getClassLoader"; permission java.lang.RuntimePermission "modifyThread"; permission java.lang.RuntimePermission "modifyThreadGroup"; permission java.lang.RuntimePermission "shutdownHooks"; // OIM server needs runtime permissions to generate and load // classes in the below specified packages. Also access the // declared members of a class. permission java.lang.RuntimePermission "defineClassInPackage.com.thortech.xl.adapterGlue.ScheduleItemEvents"; permission java.lang.RuntimePermission "defineClassInPackage.com.thortech.xl.dataobj.rulegenerators"; permission java.lang.RuntimePermission "defineClassInPackage.com.thortech.xl.adapterGlue"; permission java.lang.RuntimePermission "accessDeclaredMembers"; // Reflection permissions // Give permissions to access and invoke fields/methods from // reflected classes. 
permission java.lang.reflect.ReflectPermission "suppressAccessChecks"; // Security permissions for OIM server permission java.security.SecurityPermission "*"; permission javax.security.auth.AuthPermission "doAs"; permission javax.security.auth.AuthPermission "doPrivileged"; permission javax.security.auth.AuthPermission "getSubject"; permission javax.security.auth.AuthPermission "modifyPrincipals"; permission javax.security.auth.AuthPermission "createLoginContext"; permission javax.security.auth.AuthPermission "createLoginContext.*"; permission javax.security.auth.AuthPermission "getLoginConfiguration"; permission javax.security.auth.AuthPermission "setLoginConfiguration"; // SSL permission (for remote manager) permission javax.net.ssl.SSLPermission "getSSLSessionContext"; permission java.net.SocketPermission "*:1024-", "listen"; permission java.util.logging.LoggingPermission "control"; permission java.lang.RuntimePermission "enableContextClassLoaderOverride"; permission java.io.SerializablePermission "enableSubclassImplementation"; permission java.io.SerializablePermission "enableSubstitution"; permission java.net.SocketPermission "*:*", "connect,resolve"; permission java.lang.RuntimePermission "createClassLoader"; permission java.lang.RuntimePermission "getClassLoader"; permission java.util.PropertyPermission "*", "read"; permission java.util.PropertyPermission "LoadBalanceOnLookup", "read,write"; permission javax.security.auth.AuthPermission "getPolicy"; permission java.util.PropertyPermission "javax.*", "read,write"; permission oracle.security.jazn.JAZNPermission "getRealmManager"; }; // Nexaweb server codebase permissions grant codeBase "file:${oracle.home}/j2ee/xlClusterMember/applications/Nexaweb/-" { // File permissions permission java.io.FilePermission "${user.home}", "read, write"; permission java.io.FilePermission "${oracle.home}\\j2ee\\xlClusterMember\\application-deployments\\Nexaweb\\-", "read,write,delete"; //permission java.io.FilePermission 
"${nexaweb.home}\\-", "read"; // Property permissions permission java.util.PropertyPermission "*", "read,write"; // Runtime permissions // Nexaweb server needs permissions to create its own class loader, // get the class loader etc. permission java.lang.RuntimePermission "createClassLoader"; permission java.lang.RuntimePermission "getClassLoader"; permission java.lang.RuntimePermission "setContextClassLoader"; permission java.lang.RuntimePermission "setFactory"; // Nexaweb server security permissions to load the Cryptix // extension permission java.security.SecurityPermission "insertProvider.Cryptix"; // Socket permissions // Permissions on all non-privileged ports. permission java.net.SocketPermission "*:1024-", "listen, connect, resolve"; // Security permissions permission javax.security.auth.AuthPermission "doAs"; permission javax.security.auth.AuthPermission "modifyPrincipals"; permission javax.security.auth.AuthPermission "createLoginContext"; permission javax.security.auth.AuthPermission "createLoginContext.*"; permission java.util.logging.LoggingPermission "control"; permission java.io.SerializablePermission "enableSubclassImplementation"; permission java.io.SerializablePermission "enableSubstitution"; permission javax.security.auth.AuthPermission "getPolicy"; permission java.net.SocketPermission "*:*", "connect,resolve"; permission java.lang.RuntimePermission "createClassLoader"; permission java.lang.RuntimePermission "getClassLoader"; permission java.util.PropertyPermission "*", "read"; permission java.util.PropertyPermission "LoadBalanceOnLookup", "read,write"; permission java.io.FilePermission "${oracle.home}\\j2ee\\xlClusterMember\\-", "read,write,delete"; permission java.util.PropertyPermission "javax.*", "read,write"; }; // The following are permissions given to codebase in the OIM server // directory grant codeBase "file:${XL.HomeDir}/-" { // File permissions permission java.io.FilePermission "${XL.HomeDir}\\config\\-", "read"; permission 
java.io.FilePermission "${XL.HomeDir}\\JavaTasks\\-", "read"; permission java.io.FilePermission "${XL.HomeDir}\\ScheduleTasks\\-", "read"; permission java.io.FilePermission "${XL.HomeDir}\\ThirdParty\\-", "read"; permission java.io.FilePermission "${XL.HomeDir}\\adapters\\-", "read,write,delete"; //permission java.io.FilePermission "${nexaweb.home}\\-", "read"; // Socket permissions permission java.net.SocketPermission "*", "listen"; // Property permissions // Read XL.* and log4j.* properties permission java.util.PropertyPermission "XL.*", "read"; permission java.util.PropertyPermission "log*", "read"; // Security permissions permission javax.security.auth.AuthPermission "doAs"; permission javax.security.auth.AuthPermission "modifyPrincipals"; permission javax.security.auth.AuthPermission "createLoginContext"; permission java.io.SerializablePermission "enableSubclassImplementation"; permission java.io.SerializablePermission "enableSubstitution"; permission java.util.logging.LoggingPermission "control"; permission javax.security.auth.AuthPermission "createLoginContext.*"; permission java.security.SecurityPermission "*"; permission javax.security.auth.AuthPermission "getLoginConfiguration"; permission javax.security.auth.AuthPermission "getPolicy"; permission javax.security.auth.AuthPermission "setLoginConfiguration"; permission java.security.SecurityPermission "insertProvider.Cryptix"; // Socket permissions // Permissions on all non-privileged ports. 
permission java.net.SocketPermission "*:1024-","listen, connect, resolve"; permission java.net.SocketPermission "*:*", "connect,resolve"; permission java.lang.RuntimePermission "createClassLoader"; permission java.lang.RuntimePermission "getClassLoader"; permission java.util.PropertyPermission "*", "read"; permission java.util.PropertyPermission "LoadBalanceOnLookup", "read,write"; permission java.io.FilePermission "${oracle.home}\\j2ee\\xlClusterMember\\-", "read,write,delete"; permission java.util.PropertyPermission "javax.*", "read,write"; };
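A small audit script, added here as an example and not part of Oracle's documentation or product, that parses a java2.policy file of this shape, reports the first syntax error rather than letting the server discover it at startup, and lists the grants that are wider than the per-codebase OIM grants above (AllPermission outside ${oracle.home} and ${java.home}, <<ALL FILES>>, write access to every system property, and wildcard socket permissions given to all code). The sample policy it runs on is a constructed excerpt, and TRUSTED_ROOTS and the rule set are assumptions about what this deployment should treat as acceptable.

```python
"""Syntax-check a java2.policy file and flag grants broader than OIM needs. Added audit
helper, not Oracle's; it handles the grant/codeBase/permission subset used in the policy
above (signedBy and principal clauses are not supported)."""
import re

# Assumption: AllPermission is acceptable only for server and JDK code under these roots.
TRUSTED_ROOTS = ("file:${oracle.home}/", "file:${java.home}/",
                 "file:generated/by", "file://generated/by")
# String literals are matched before comments, so "file://generated/by/..." stays one token.
_TOKEN = re.compile(r'(?P<str>"[^"\n]*")|/\*.*?\*/|//[^\n]*|\s+'
                    r'|(?P<tok>[{};,]|[^\s{};,"]+)|(?P<bad>.)', re.S)


class PolicySyntaxError(ValueError):
    """The kind of error that stops Oracle Application Server from starting."""


def tokenize(text):
    """Return string literals, punctuation and words; comments and whitespace are dropped."""
    toks = []
    for m in _TOKEN.finditer(text):
        if m.group("bad") is not None:
            raise PolicySyntaxError(f"unterminated string literal at offset {m.start()}")
        if m.group("str") is not None or m.group("tok") is not None:
            toks.append(m.group())
    return toks


def parse_policy(text):
    """Return [(codebase or None, [(class, name, actions), ...]), ...]."""
    toks, pos, grants = tokenize(text), 0, []
    peek = lambda: toks[pos] if pos < len(toks) else ""  # "" signals end of file

    def take(expected=None):
        nonlocal pos
        tok = peek()
        if not tok or (expected is not None and tok != expected):
            raise PolicySyntaxError(f"expected {expected or 'a token'!r}, found {tok or 'end of file'!r} (token {pos})")
        pos += 1
        return tok

    while pos < len(toks):
        take("grant")
        codebase = None
        if peek().lower() == "codebase":          # the keyword is case-insensitive
            take()
            codebase = take().strip('"')
        take("{")
        perms = []
        while peek() != "}":
            take("permission")
            cls, name, actions = take(), None, None
            if peek().startswith('"'):
                name = take().strip('"')
                if peek() == ",":
                    take()
                    actions = take().strip('"')
            take(";")
            perms.append((cls, name, actions))
        take("}")
        take(";")        # the ';' after '}' is the one most often lost in hand edits
        grants.append((codebase, perms))
    return grants


def audit(grants):
    """Findings for grants wider than the per-codebase OIM grants above need."""
    out = []
    for codebase, perms in grants:
        scope = f'codeBase "{codebase}"' if codebase else "all code (no codeBase)"
        for cls, name, actions in perms:
            acts = {a.strip() for a in (actions or "").split(",")}
            if cls == "java.security.AllPermission" and not (codebase or "").startswith(TRUSTED_ROOTS):
                out.append(f"{scope}: AllPermission outside trusted roots")
            elif cls == "java.io.FilePermission" and name == "<<ALL FILES>>" and (
                    codebase is None or acts & {"write", "delete", "execute"}):
                out.append(f"{scope}: <<ALL FILES>> {actions}")
            elif cls == "java.util.PropertyPermission" and name == "*" and "write" in acts:
                out.append(f"{scope}: write access to every system property")
            elif codebase is None and cls == "java.net.SocketPermission" and name in ("*", "*:*"):
                out.append(f"{scope}: SocketPermission {name} {actions}")
    return out


# Constructed excerpt modelled on the java2.policy above; not the full file.
SAMPLE_POLICY = r'''
grant codebase "file:${oracle.home}/j2ee/home/*" { permission java.security.AllPermission; };
grant codeBase "file://generated/by/oracle.j2ee.connector.proxy.BCELProxyClassLoader" { permission java.security.AllPermission; };
grant {
    // "standard" properties that can be read by anyone.
    permission java.util.PropertyPermission "*", "write";
    permission java.net.SocketPermission "*", "connect";
    permission java.io.FilePermission "<<ALL FILES>>", "read";
    permission java.io.FilePermission "${oracle.home}\\opmn\\logs\\-", "read,write,delete";
};
grant codeBase "file:${oracle.home}/j2ee/xlClusterMember/applications/Xellerate/-" {
    permission java.io.FilePermission "<<ALL FILES>>", "execute";
};
grant codeBase "file:C:/plugins/extra.jar" { permission java.security.AllPermission; };
'''
```

Running `audit(parse_policy(open("java2.policy").read()))` against the real file lists every grant worth a second look; a `PolicySyntaxError` names the token where a brace or semicolon went missing.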