Oracle® Identity Manager Installation and Configuration Guide for Oracle Application Server
Release 9.1.0.1

Part Number E14062-01

A Java 2 Security for Oracle Application Server

This appendix describes how to enable Java 2 Security for Oracle Identity Manager running on Oracle Application Server, and the policy file entries that this requires.

Note:

The application might fail to start because of syntax errors in the policy files.

Be careful when you edit the policy files. Oracle recommends that you use the policy tool provided by the JDK for editing the policy files. The tool is available in the following directory:

JAVA_HOME/jre/bin/policytool

A.1 Java 2 Security Permissions for Oracle Application Server Noncluster

To enable Java 2 Security for Oracle Identity Manager running on Oracle Application Server:

  1. Modify the Oracle Application Server run configuration and add the -Djava.security.manager as a JVM option. This change must be done in $OC4J_HOME/opmn/conf/opmn.xml.

  2. Add the following option to Oracle Application Server:

    -Djava.security.manager
    

    This option enables the Java 2 Security manager.

  3. Check whether the $ORACLE_HOME/j2ee/home/config/java2.policy file exists. If it exists, edit it and add the Java 2 Security permissions listed in the "Policy File" section. If it does not exist, create it.

Policy File

Perform the following in the java2.policy file:

Note:

- The instructions to change the code in the policy file are given in comments, which are in bold font.

- This java2.policy example is for a Windows installation. On UNIX, replace the \\ separators between directory names with / in every java.io.FilePermission entry.

- Make sure to change the multicast IP 231.184.202.110 in this example to reflect the multicast IP address of the Oracle Identity Manager installation. You can find the Oracle Identity Manager multicast IP address in xlconfig.xml.

- You must update the path to the actual location of the GTC-RECON connector files. The java.io.FilePermission entry in this example uses C:\\files\\file1 for that location (see step 2).

  1. Find the following:

    grant { permission java.util.PropertyPermission "javax.xml.parsers.DocumentBuilderFactory" , "read"; 
    };
    

    Add the following to the preceding code:

    grant { permission java.util.PropertyPermission "javax.xml.parsers.DocumentBuilderFactory", "write"; 
    };
    
  2. Find /*Default Grants copied from the JDK default system policy*/ and add the following code to the grant:

    //Added for OIM
    // NOTE(review): step 2 places these entries inside the default "grant { ... }"
    // block, which has no codeBase, so every permission below applies to ALL code
    // the JVM loads, not only Oracle Identity Manager. Compare each one with the
    // codeBase-scoped grants in step 3 before adding it here.
    permission java.util.PropertyPermission "*", "read";
    permission java.util.PropertyPermission "*", "write";
    permission java.lang.RuntimePermission "queuePrintJob";
    // Outbound connections to any host and port, for all code.
    permission java.net.SocketPermission "*", "connect";
    // Lifts the package.access restriction for every restricted package.
    permission java.lang.RuntimePermission "accessClassInPackage.*";
    permission javax.management.MBeanServerPermission "findMBeanServer";
    permission javax.security.auth.AuthPermission "createLoginContext.*";
    
    //Added for AQ
    permission java.lang.RuntimePermission "accessDeclaredMembers";
    
    // For Nexaweb
    permission java.lang.RuntimePermission "getClassLoader";
    permission java.lang.RuntimePermission "setContextClassLoader";
    permission java.util.PropertyPermission "nexaweb.logs", "read,write";
    permission java.util.PropertyPermission "sun.net.client.defaultConnectTimeout", "read,write";
    permission java.util.PropertyPermission "sun.net.client.defaultReadTimeout", "read,write";
    // "loadLibrary.*" lets any code load native libraries, which run outside the
    // security manager's checks; confirm Nexaweb needs this unscoped.
    permission java.lang.RuntimePermission "loadLibrary.*";
    // The next two repeat entries from the OIM section above.
    permission java.lang.RuntimePermission "queuePrintJob";
    permission java.net.SocketPermission "*", "connect";
    // Read access to every file on the host, for all code.
    permission java.io.FilePermission "<<ALL FILES>>", "read";
    permission java.lang.RuntimePermission "modifyThreadGroup";
    permission oracle.oc4j.security.OC4JRuntimePermission "oracle.oc4j.OC4JOnly";
    permission javax.management.MBeanPermission "oracle.oc4j.admin.jmx.server.mbeans.model.DefaultModelMBeanImpl#-", "*";
    
    // Change these to the directories where the logs are actually being created.
    // If logs are created in more than one directory, add an entry for each one.
    // (Being in the default grant, these give every code source write and
    // delete access to the server logs.)
    permission java.io.FilePermission "${oracle.home}\\opmn\\logs\\-", "read,write,delete";
    permission java.io.FilePermission "${oracle.home}\\j2ee\\home\\logs\\-", "read,write,delete";
    permission java.io.FilePermission "${oracle.home}\\j2ee\\home\\velocity.log", "read,write,delete";
    
    /*
    * permission java.io.FilePermission "C:\\files\\file1\\-", "read,write,delete"; 
    * property has been added for the path of directory where files are kept for 
    * the GTC-RECON connector. Update the path to the correct value prior to 
    * running the server.
    */
    permission java.io.FilePermission "C:\\files\\file1\\-", "read,write,delete";
    
  3. In Custom Application Permissions, append the following code:

    // Java code and extensions
    // Trust java extensions
    // AllPermission to the JDK extension directory, as in the JDK default policy.
    grant codeBase "file:${java.home}/lib/ext/-" {
    permission java.security.AllPermission;
    };
    
    // Commented out: AllPermission for anything under the OIM logs directory.
    // Leave it disabled; a log directory is not a code source that should be
    // fully trusted.
    /*grant codeBase "file:${XL.HomeDir}/logs/-" {
    permission java.security.AllPermission;
      };
    */
    
    // Trust core java code
    grant codeBase "file:${java.home}/lib/*" {
    permission java.security.AllPermission;
    };
    
    // For java.home pointing to the JDK jre directory
    grant codeBase "file:${java.home}/jre/lib/-" {
    permission java.security.AllPermission;
    };
     
    // Grant All permissions to nexaweb commons jar file to be loaded from
    // the OC4J applib directory. Only this one jar is fully trusted, not the
    // whole directory.
    grant codeBase "file:${oracle.home}/j2ee/home/applib/nexaweb-common.jar" {
    permission java.security.AllPermission;
    };
    
    // OIM codebase permissions
    // Everything in this block applies only to code loaded from the Oracle
    // Identity Manager application directory named in the codeBase.
    grant codeBase "file:${oracle.home}/j2ee/home/applications/Xellerate/-" {
    
    // File permissions
    // Need read, write, and delete permissions on $OIM_HOME/config folder
    // to read various config files, write the
    // xlconfig.xml.{0,1,2..} files upon re-encryption and delete
    // the last xlconfig.xml if the numbers go above 9.
    permission java.io.FilePermission "${XL.HomeDir}\\config\\-",
     "read, write, delete";
    permission java.io.FilePermission "${XL.HomeDir}\\-", "read";
    
    // Need read,write,delete permissions to generate adapter java
    // code, delete the .class file when the adapter is loaded into
    // the database
    permission java.io.FilePermission "${XL.HomeDir}\\adapters\\-",
         "read,write,delete";
    
    // This is required by the connectors and connector installer
    permission java.io.FilePermission "${XL.HomeDir}\\ConnectorDefaultDirectory\\-",
      "read,write,delete";
    permission java.io.FilePermission "${XL.HomeDir}\\adapters\\connectorResources\\-",
      "read,write,delete";
    
    // Read Globalization resource bundle files for various
    // locales
    permission java.io.FilePermission "${XL.HomeDir}\\adapters\\customResources\\-", "read";
    
    // Read code from "JavaTasks", "ScheduleTask",
    // "ThirdParty", "EventHandlers" folder
    permission java.io.FilePermission "${XL.HomeDir}\\EventHandlers\\-", "read";
    permission java.io.FilePermission "${XL.HomeDir}\\JavaTasks\\-", "read";
    permission java.io.FilePermission "${XL.HomeDir}\\ScheduleTask\\-", "read";
    permission java.io.FilePermission "${XL.HomeDir}\\ThirdParty\\-", "read";
    
    // Required by the Generic Technology connector
    permission java.io.FilePermission "${XL.HomeDir}\\GTC\\-", "read";
     
    // Server needs read permissions on Nexaweb home directory
    //permission java.io.FilePermission "${nexaweb.home}\\-", "read";
     
    // Read permissions on the "application-deployments" folder, the OIM deploy
    // directory 
    permission java.io.FilePermission "${oracle.home}\\j2ee\\home\\application-deployments\\Xellerate\\-", "read,write,delete";
    // NOTE(review): the next entry covers the whole OC4J instance tree, including
    // its config directory, which is where section A.1 places java2.policy
    // ($ORACLE_HOME/j2ee/home/config/java2.policy, with ${oracle.home} set to
    // $ORACLE_HOME as the sample file header requires). Write/delete here lets
    // this codebase modify the policy that constrains it; the comment above says
    // "read" was the intent, so confirm whether write,delete is really needed.
    permission java.io.FilePermission "${oracle.home}\\j2ee\\home\\-", "read,write,delete";
    permission java.io.FilePermission "${oracle.home}\\j2ee\\home\\applications\\Xellerate\\-", "read,write,delete";
    
    // OIM server invokes the java compiler. You need "execute"
    // permissions on all files.
    // NOTE(review): "<<ALL FILES>>" with "execute" allows running any program
    // on the host, not only the compiler; if the compiler location is fixed,
    // narrow the target to that path.
    permission java.io.FilePermission "<<ALL FILES>>", "execute";
     
    // Socket permissions
    // Basically you allow all permissions on nonprivileged sockets
    // The multicast address should be the same as the one in
    // xlconfig.xml for javagroups communication
    // Note: "*" with no port spec is not limited to nonprivileged ports; it
    // matches every port on every host. The "*:1024-" listen entry further
    // down is therefore already covered.
            permission java.net.SocketPermission "*",
            "connect,listen,resolve,accept";
            permission java.net.SocketPermission "231.184.202.110",
            "connect,accept";
     
    // Property permissions
    // Read and write OIM properties
    // Read XL.*, java.* and log4j.* properties
    permission java.util.PropertyPermission "XL.*", "read,write";
    // "*" read,write already covers every property, so the XL.*, java.*,
    // log4j. and user.dir entries around it add nothing. If the narrower
    // entries are the intent, drop this one.
    permission java.util.PropertyPermission "*", "read, write";
    permission java.util.PropertyPermission "java.*", "read";
    // "log4j." (no trailing *) names a single property literally called
    // "log4j."; the comment above says log4j.* — presumably "log4j.*" was meant.
    permission java.util.PropertyPermission "log4j.", "read";
    permission java.util.PropertyPermission "user.dir", "read";
    
    // Runtime permissions
    // OIM server needs permissions to create its own class loader,
    // get the class loader, modify threads and register shutdown
    // hooks
    permission java.lang.RuntimePermission "createClassLoader";
    permission java.lang.RuntimePermission "getClassLoader";
    permission java.lang.RuntimePermission "modifyThread";
    permission java.lang.RuntimePermission "modifyThreadGroup";
    permission java.lang.RuntimePermission "shutdownHooks";
    
    // OIM server needs runtime permissions to generate and load
    // classes in the below specified packages. Also access the
    // declared members of a class.
    permission java.lang.RuntimePermission "defineClassInPackage.com.thortech.xl.adapterGlue.ScheduleItemEvents";
    permission java.lang.RuntimePermission "defineClassInPackage.com.thortech.xl.dataobj.rulegenerators";
    permission java.lang.RuntimePermission "defineClassInPackage.com.thortech.xl.adapterGlue";
    permission java.lang.RuntimePermission "accessDeclaredMembers";
    
    // Reflection permissions
    // Give permissions to access and invoke fields/methods from
    // reflected classes.
            permission java.lang.reflect.ReflectPermission
                    "suppressAccessChecks";
     
    // Security permissions for OIM server
    // NOTE(review): SecurityPermission "*" includes targets such as setPolicy
    // and setProperty, so this codebase can replace the security policy and
    // security properties at runtime. Prefer listing the specific
    // SecurityPermission targets the server actually needs.
    permission java.security.SecurityPermission "*";
    permission javax.security.auth.AuthPermission "doAs";
    permission javax.security.auth.AuthPermission "doPrivileged";
    permission javax.security.auth.AuthPermission "getSubject";
    permission javax.security.auth.AuthPermission "modifyPrincipals";
    permission javax.security.auth.AuthPermission "createLoginContext";
    permission javax.security.auth.AuthPermission "createLoginContext.*";
    permission javax.security.auth.AuthPermission "getLoginConfiguration";
    // setLoginConfiguration allows replacing the JAAS login configuration.
    permission javax.security.auth.AuthPermission "setLoginConfiguration";
     
    // SSL permission (for remote manager)
    permission javax.net.ssl.SSLPermission  "getSSLSessionContext";
    // Already covered by the "*" socket entry above.
    permission java.net.SocketPermission "*:1024-", "listen";
    permission java.util.logging.LoggingPermission "control";
    permission java.lang.RuntimePermission "enableContextClassLoaderOverride";
    permission java.io.SerializablePermission "enableSubclassImplementation";
    permission java.io.SerializablePermission "enableSubstitution";        
    permission java.net.SocketPermission "*:*", "connect,resolve";
    // The next three repeat entries granted earlier in this block.
    permission java.lang.RuntimePermission "createClassLoader";
    permission java.lang.RuntimePermission "getClassLoader";
    permission java.util.PropertyPermission "*", "read";
    permission java.util.PropertyPermission "LoadBalanceOnLookup", "read,write";        
    permission javax.security.auth.AuthPermission "getPolicy";
    permission java.io.FilePermission "${oracle.home}\\j2ee\\home\\Xellerate.err", "read,write,delete";
    permission java.util.PropertyPermission "javax.*", "read,write";
    };
     
    // Nexaweb server codebase permissions
    // Applies only to code loaded from the Nexaweb application directory.
    grant codeBase "file:${oracle.home}/j2ee/home/applications/Nexaweb/-" {
    // File permissions
    // No "\\-" suffix, so this names the home directory entry itself, not the
    // files beneath it.
    permission java.io.FilePermission "${user.home}", "read, write";
    permission java.io.FilePermission "${oracle.home}\\j2ee\\home\\application-deployments\\Nexaweb\\-", "read,write,delete";
    
    //permission java.io.FilePermission "${nexaweb.home}\\-", "read";
     
    // Property permissions
    // Read and write of every system property.
    permission java.util.PropertyPermission "*", "read,write";
     
    // Runtime permissions
    // Nexaweb server needs permissions to create its own class loader,
    // get the class loader etc.
    permission java.lang.RuntimePermission "createClassLoader";
    permission java.lang.RuntimePermission "getClassLoader";
    permission java.lang.RuntimePermission "setContextClassLoader";
    // "setFactory" allows replacing the JVM-wide socket and URL stream
    // handler factories; confirm Nexaweb requires it.
    permission java.lang.RuntimePermission  "setFactory";
    
    // Nexaweb server security permissions to load the Cryptix
    // extension
            permission java.security.SecurityPermission
            "insertProvider.Cryptix";
     
    // Socket permissions
    // Permissions on all non-privileged ports.
            permission java.net.SocketPermission "*:1024-",
                    "listen, connect, resolve";
     
    // Security permissions
    permission javax.security.auth.AuthPermission "doAs";
    permission javax.security.auth.AuthPermission "modifyPrincipals";
    permission javax.security.auth.AuthPermission "createLoginContext";
    permission javax.security.auth.AuthPermission "createLoginContext.*";
    permission java.util.logging.LoggingPermission "control";
    permission java.io.SerializablePermission "enableSubclassImplementation";
    permission java.io.SerializablePermission "enableSubstitution";
    permission javax.security.auth.AuthPermission "getPolicy";
    permission java.net.SocketPermission "*:*", "connect,resolve";
    // The next three repeat entries granted earlier in this block.
    permission java.lang.RuntimePermission "createClassLoader";
    permission java.lang.RuntimePermission "getClassLoader";
    permission java.util.PropertyPermission "*", "read";
    permission java.util.PropertyPermission "LoadBalanceOnLookup", "read,write";
    // NOTE(review): read,write,delete on the whole OC4J instance tree, which
    // holds the server configuration including java2.policy itself (see
    // section A.1). This is far broader than the Nexaweb deployment directory
    // granted above; confirm it is needed.
    permission java.io.FilePermission "${oracle.home}\\j2ee\\home\\-", "read,write,delete";
    permission java.util.PropertyPermission "javax.*", "read,write";
    };
     
    // The following are permissions given to codebase in the OIM server
    // directory
    // NOTE(review): "${XL.HomeDir}/-" matches every class and jar anywhere under
    // the OIM home, including the JavaTasks, ScheduleTask, ThirdParty and
    // EventHandlers folders that the Xellerate grant above reads code from, so
    // any jar placed in those folders receives all of the permissions below.
    grant codeBase "file:${XL.HomeDir}/-" {
    // File permissions
    permission java.io.FilePermission "${XL.HomeDir}\\config\\-",
          "read";
    permission java.io.FilePermission "${XL.HomeDir}\\JavaTasks\\-",
          "read";
    // Note: this is "ScheduleTasks" whereas the Xellerate grant above uses
    // "ScheduleTask"; check which directory name the installation actually uses.
    permission java.io.FilePermission
          "${XL.HomeDir}\\ScheduleTasks\\-", "read";
    permission java.io.FilePermission
          "${XL.HomeDir}\\ThirdParty\\-", "read";
    permission java.io.FilePermission
          "${XL.HomeDir}\\adapters\\-", "read,write,delete";
            
    //permission java.io.FilePermission "${nexaweb.home}\\-", "read";
    // Socket permissions
    // "*" with no port spec covers every port, so the "*:1024-" listen entry
    // further down is already included.
            permission java.net.SocketPermission "*", "listen";
     
    // Property permissions
    // Read XL.* and log4j.* properties
            permission java.util.PropertyPermission "XL.*", "read";
            permission java.util.PropertyPermission "log*", "read";
     
    // Security permissions
    permission javax.security.auth.AuthPermission "doAs";
    permission javax.security.auth.AuthPermission "modifyPrincipals";
    permission javax.security.auth.AuthPermission "createLoginContext";
    permission java.io.SerializablePermission "enableSubclassImplementation";
    permission java.io.SerializablePermission "enableSubstitution";
    permission java.util.logging.LoggingPermission "control";
    permission javax.security.auth.AuthPermission "createLoginContext.*";
    // NOTE(review): SecurityPermission "*" includes setPolicy and setProperty,
    // so any code under the OIM home can alter the runtime security policy;
    // list the specific targets needed instead. setLoginConfiguration below
    // likewise allows replacing the JAAS login configuration.
    permission java.security.SecurityPermission "*";
    permission javax.security.auth.AuthPermission "getLoginConfiguration";
    permission javax.security.auth.AuthPermission "getPolicy";
    permission javax.security.auth.AuthPermission "setLoginConfiguration";
    permission java.security.SecurityPermission "insertProvider.Cryptix";
    
    // Socket permissions
    // Permissions on all non-privileged ports.
    permission java.net.SocketPermission "*:1024-","listen, connect, resolve";
    permission java.net.SocketPermission "*:*", "connect,resolve";
    permission java.lang.RuntimePermission "createClassLoader";
    permission java.lang.RuntimePermission "getClassLoader";
    permission java.util.PropertyPermission "*", "read";
    permission java.util.PropertyPermission "LoadBalanceOnLookup", "read,write";
    // NOTE(review): read,write,delete on the whole OC4J instance tree, which
    // holds the server configuration including java2.policy itself (see
    // section A.1), granted to every jar under the OIM home.
    permission java.io.FilePermission "${oracle.home}\\j2ee\\home\\-", "read,write,delete";
    permission java.util.PropertyPermission "javax.*", "read,write";
    };
    

Policy File

The following is a sample java2.policy file after the Oracle Identity Manager permissions have been added:

/*
 * Standard policy file for Oracle Application Server
 *
 *    When this file is in use the System property ${oracle.home} must
 *    be set to $ORACLE_HOME or to the value of $ORACLE_HOME.
 *
 *    When this file is in use via OPMN the System property 
 *    ${oracle.oc4j.instancename}
 *    is used to identify the instance-level connector jars.
 *
 *    This file grants AllPermission to "oc4j code"
 *    oc4j code is code used either directly or indirectly by the app server
 *    itself. Including code generated for ejb wrappers.
 *    See oc4j.jar!boot.xml for a complete list. Currently this file
 *    only lists jars that need permissions. Others can be
 *    added if necessary.
 *
 *    In a future release the grants will be refined so that
 *    only the Permissions actually needed by Oracle Application Server 
 *    code will be granted.
 *
 *    Calls to accessController.doPrivileged have been added to Oracle
 *    Application Server with the intention that the application code only
 *    be granted the Permissions needed by actions it performs directly.
 *    It should not be granted Permissions required by J2EE
 *    operations.
 *
 *    For example if a Servlet (or jsp) forwards to a .jsp it does not
 *    need Permission to read and compile the .jsp.  Similarly the
 *    application code associated with an ejb that specifies container
 *    managed persistence does not need Permission to create a socket
 *    talking to the database holding the underlying data. But an EJB
 *    using bean managed persistence does need such Permission.
 */
 
// AllPermission to the application server's own jars, as described in the
// file header. "/*" matches jars directly in the directory; "/-" matches
// everything beneath it recursively.
grant codebase "file:${oracle.home}/j2ee/home/*" {
    permission java.security.AllPermission;
};
 
grant codebase "file:${oracle.home}/j2ee/home/lib/*" {
    permission java.security.AllPermission;
};
 
 
grant codebase "file:${oracle.home}/jlib/-" {
    permission java.security.AllPermission;
};
 
 
grant codebase "file:${oracle.home}/bc4j/jlib/*" {
    permission java.security.AllPermission;
};
 
grant codeBase "file:${oracle.home}/toplink/jlib/*" {
    permission java.security.AllPermission;
};
 
grant codebase "file:${oracle.home}/dms/lib/*" {
    permission java.security.AllPermission;
};
 
grant codebase "file:${oracle.home}/diagnostics/lib/*" {
    permission java.security.AllPermission;
};
 
grant codebase "file:${oracle.home}/jdbc/lib/ojdbc14dms.jar" {
    permission java.security.AllPermission;
};
 
grant codebase "file:${oracle.home}/dbjava/lib/*" {
    permission java.security.AllPermission;
};
 
grant codebase "file:${oracle.home}/sqlj/lib/*" {
    permission java.security.AllPermission;
};
 
grant codebase "file:${oracle.home}/javacache/lib/*" {
    permission java.security.AllPermission;
};
 
grant codebase "file:${oracle.home}/uddi/lib/*" {
    permission java.security.AllPermission;
};
 
grant codebase "file:${oracle.home}/xdk/lib/*" {
    permission java.security.AllPermission;
};
 
grant codebase "file:${oracle.home}/opmn/lib/*" {
    permission java.security.AllPermission;
};
 
 
grant codebase "file:${oracle.home}/webservices/lib/*" {
    permission java.security.AllPermission;
};
 
 
 
grant codeBase "file:${oracle.home}/javavm/lib/-" {
    permission java.security.AllPermission;
};
 
grant codebase "file:${oracle.home}/jsp/lib/*" {
    permission java.security.AllPermission;
};
 
grant codebase "file:${oracle.home}/lib/*" {
    permission java.security.AllPermission;
};

/** EJB skeleton/tie & BCEL proxy support **/
// Code generated at runtime by the container (EJB wrappers, connector
// proxies) carries these synthetic code sources and is fully trusted.
grant codeBase "file:generated/by/proxy" {
    permission java.security.AllPermission;
};
 
grant codeBase "file://generated/by/oracle.j2ee.connector.proxy.BCELProxyClassLoader" {
    permission java.security.AllPermission;
};

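/*
 * Miscellaneous grants to jars distributed as part of oc4j that might be used
 * in various ways
 */
// Each connector jar is granted once for the home instance and once for the
// OPMN-managed instance named by ${oracle.oc4j.instancename}.
grant codebase "file:${oracle.home}/j2ee/home/connectors/OracleASjms/OracleASjms/gjra.jar" {
    permission java.security.AllPermission;
};
 
grant codebase "file:${oracle.home}/j2ee/${oracle.oc4j.instancename}/connectors/OracleASjms/OracleASjms/gjra.jar" {
    permission java.security.AllPermission;
};
 
grant codebase "file:${oracle.home}/j2ee/home/connectors/datasources/datasources/datasources.jar" {
    permission java.security.AllPermission;
};
 
grant codebase "file:${oracle.home}/j2ee/${oracle.oc4j.instancename}/connectors/datasources/datasources/datasources.jar" {
    permission java.security.AllPermission;
};
 
grant codebase "file:${oracle.home}/j2ee/home/jsp/lib/*" {
    permission java.security.AllPermission;
};
 
grant codebase "file:${oracle.home}/j2ee/home/jsp/lib/taglib/ojsputil.jar" {
    permission java.security.AllPermission;
};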
 
/* GRANTS TO DEFAULT APPLICATIONS */
// AllPermission to the OC4J default applications (ascontrol, default,
// javasso, usermbean, admin_ejb, jmsrouter, JMXSoapAdapter-web). Each one
// appears for the home instance and for the OPMN-managed instance named by
// ${oracle.oc4j.instancename}, and for both its applications and
// application-deployments directories.
 
grant codebase "file:${oracle.home}/j2ee/home/application-deployments/ascontrol/-" {
    permission java.security.AllPermission;
};
 
grant codebase "file:${oracle.home}/j2ee/${oracle.oc4j.instancename}/application-deployments/ascontrol/-" {
    permission java.security.AllPermission;
};
 
grant codebase "file:${oracle.home}/j2ee/home/applications/ascontrol/-" {
    permission java.security.AllPermission;
};
 
grant codebase "file:${oracle.home}/j2ee/${oracle.oc4j.instancename}/applications/ascontrol/-" {
    permission java.security.AllPermission;
};
 
grant codebase "file:${oracle.home}/j2ee/home/application-deployments/default/-" {
    permission java.security.AllPermission;
};
 
grant codebase "file:${oracle.home}/j2ee/${oracle.oc4j.instancename}/application-deployments/default/-" {
    permission java.security.AllPermission;
};
 
grant codebase "file:${oracle.home}/j2ee/home/applications/default/-" {
    permission java.security.AllPermission;
};
 
grant codebase "file:${oracle.home}/j2ee/${oracle.oc4j.instancename}/applications/default/-" {
    permission java.security.AllPermission;
};
 
grant codebase "file:${oracle.home}/j2ee/home/application-deployments/javasso/-" {
    permission java.security.AllPermission;
};
 
grant codebase "file:${oracle.home}/j2ee/${oracle.oc4j.instancename}/application-deployments/javasso/-" {
    permission java.security.AllPermission;
};
 
grant codebase "file:${oracle.home}/j2ee/home/applications/javasso/-" {
    permission java.security.AllPermission;
};
 
grant codebase "file:${oracle.home}/j2ee/${oracle.oc4j.instancename}/applications/javasso/-" {
    permission java.security.AllPermission;
};
 
grant codebase "file:${oracle.home}/j2ee/home/application-deployments/usermbean/-" {
    permission java.security.AllPermission;
};
 
grant codebase "file:${oracle.home}/j2ee/${oracle.oc4j.instancename}/application-deployments/usermbean/-" {
    permission java.security.AllPermission;
};
 
grant codebase "file:${oracle.home}/j2ee/home/applications/usermbean/-" {
    permission java.security.AllPermission;
};
 
grant codebase "file:${oracle.home}/j2ee/${oracle.oc4j.instancename}/applications/usermbean/-" {
    permission java.security.AllPermission;
};
 
grant codebase "file:${oracle.home}/j2ee/home/application-deployments/admin_ejb/-" {
    permission java.security.AllPermission;
};
 
grant codebase "file:${oracle.home}/j2ee/${oracle.oc4j.instancename}/application-deployments/admin_ejb/-" {
    permission java.security.AllPermission;
};
 
grant codebase "file:${oracle.home}/j2ee/home/applications/admin_ejb.jar" {
    permission java.security.AllPermission;
};
 
grant codebase "file:${oracle.home}/j2ee/home/applications/admin_ejb/-" {
    permission java.security.AllPermission;
};
 
grant codebase "file:${oracle.home}/j2ee/${oracle.oc4j.instancename}/applications/admin_ejb/-" {
    permission java.security.AllPermission;
};
 
grant codebase "file:${oracle.home}/j2ee/home/applications/jmsrouter-ejb.jar" {
    permission java.security.AllPermission;
};
 
// No "/*" or "/-" suffix: this matches the directory entry itself, not the
// jars inside it. Presumably "/-" was intended — confirm against the
// deployed jmsrouter layout.
grant codebase "file:${oracle.home}/j2ee/home/applications/jmsrouter" {
    permission java.security.AllPermission;
};
 
grant codebase "file:${oracle.home}/j2ee/home/application-deployments/JMXSoapAdapter-web/-" {
    permission java.security.AllPermission;
};
 
grant codebase "file:${oracle.home}/j2ee/${oracle.oc4j.instancename}/application-deployments/JMXSoapAdapter-web/-" {
    permission java.security.AllPermission;
};
 
 
// The "grant { ... }" entries below have no codeBase, so each property
// permission applies to all code. Once the default grant at the end of this
// file carries PropertyPermission "*" read and write (added for Oracle
// Identity Manager), every entry here is subsumed by it.
grant { permission java.util.PropertyPermission "j2ee.home", "read"; } ;
grant { permission java.util.PropertyPermission "java.home", "read"; } ;
grant { permission java.util.PropertyPermission "javax.xml.soap.SOAPFactory", "read"; } ;
grant { permission java.util.PropertyPermission "javax.activation.debug" , "read"; } ;
grant { permission java.util.PropertyPermission "javax.xml.parsers.DocumentBuilderFactory" , "read"; } ;


//Added for GTC
// Step 1 of the "Policy File" procedure: lets any code change which
// DocumentBuilderFactory implementation is used.
grant { permission java.util.PropertyPermission "javax.xml.parsers.DocumentBuilderFactory", "write"; };
 
grant { permission java.util.PropertyPermission "javax.xml.soap.MessageFactory" , "read"; } ;
grant { permission java.util.PropertyPermission "jdbc.nontx.autocommit" , "read"; } ;
grant { permission java.util.PropertyPermission "mail.URLName.dontencode" , "read"; } ;
grant { permission java.util.PropertyPermission "oc4j.jmx.event.interval" , "read"; } ;
grant { permission java.util.PropertyPermission "oc4j.jmx.heartbeat.interval" , "read"; } ;
grant { permission java.util.PropertyPermission "oracle.jdbc.defaultNChar" , "read"; } ;
grant { permission java.util.PropertyPermission "oracle.jdbc.DMSStatementMetrics" , "read"; } ;
grant { permission java.util.PropertyPermission "oracle.jdbc.J2EE13Compliant" , "read"; } ;
grant { permission java.util.PropertyPermission "oracle.jdbc.TcpNoDelay" , "read"; } ;
grant { permission java.util.PropertyPermission "oracle.jdbc.useFetchSizeWithLongColumn" , "read"; } ;
grant { permission java.util.PropertyPermission "oracle.jdbc.V8Compatible" , "read"; } ;
grant { permission java.util.PropertyPermission "oracle.jserver.version" , "read"; } ;
grant { permission java.util.PropertyPermission "oracle.xml.parser.debugmode" , "read"; } ;
grant { permission java.util.PropertyPermission "oracle.xml.parser.default.character.set" , "read"; } ;
grant { permission java.util.PropertyPermission "oracle.xml.xslt.jdwp", "read"; };
grant { permission java.util.PropertyPermission "orasaaj.soapversion" , "read"; } ;
grant { permission java.util.PropertyPermission "org.apache.commons.logging.Log" , "read"; } ;
grant { permission java.util.PropertyPermission "org.apache.commons.logging.LogFactory" , "read"; } ;
grant { permission java.util.PropertyPermission "PersistenceManagerDebug" , "read"; } ;
grant { permission java.util.PropertyPermission "pro.debug" , "read"; } ;
grant { permission java.util.PropertyPermission "sqlj.runtime" , "read"; } ;
grant { permission java.util.PropertyPermission "transaction.debug" , "read"; } ;
grant { permission java.util.PropertyPermission "user.home" , "read"; } ;
grant { permission java.util.PropertyPermission "user.name" , "read"; } ;
grant { permission java.util.PropertyPermission "rmi.verbose" , "read"; } ;
grant { permission java.util.PropertyPermission "AssociateUserToThread", "read"; };
// Duplicated further down.
grant { permission java.util.PropertyPermission "toplink.cts.collection.checkParameters", "read"; };
grant { permission java.util.PropertyPermission "AllowZeroInPK", "read"; };
grant { permission java.util.PropertyPermission "HTTPClient.Modules", "read"; };
grant { permission java.util.PropertyPermission "HTTPClient.Nagle", "read"; };
grant { permission java.util.PropertyPermission "HTTPClient.cookies.hosts.accept", "read"; };
grant { permission java.util.PropertyPermission "HTTPClient.cookies.hosts.reject", "read"; };
grant { permission java.util.PropertyPermission "HTTPClient.cookies.save", "read"; };
grant { permission java.util.PropertyPermission "HTTPClient.deferStreamed", "read"; };
grant { permission java.util.PropertyPermission "HTTPClient.disableKeepAlives", "read"; };
grant { permission java.util.PropertyPermission "HTTPClient.disable_pipelining", "read"; };
grant { permission java.util.PropertyPermission "HTTPClient.dontChunkRequests", "read"; };
grant { permission java.util.PropertyPermission "HTTPClient.dontTimeoutRespBody", "read"; };
grant { permission java.util.PropertyPermission "HTTPClient.forceHTTP_1.0", "read"; };
grant { permission java.util.PropertyPermission "HTTPClient.log.level", "read"; };
grant { permission java.util.PropertyPermission "HTTPClient.nonProxyHosts", "read"; };
grant { permission java.util.PropertyPermission "HTTPClient.socket.idleTimeout", "read"; };
grant { permission java.util.PropertyPermission "HTTPClient.socksHost", "read"; };
grant { permission java.util.PropertyPermission "HTTPClient.socksPort", "read"; };
grant { permission java.util.PropertyPermission "HTTPClient.socksVersion", "read"; };
grant { permission java.util.PropertyPermission "JavaClass.debug", "read"; };
grant { permission java.util.PropertyPermission "LoadBalanceOnLookup", "read"; };
grant { permission java.util.PropertyPermission "SQLLog", "read"; };
grant { permission java.util.PropertyPermission "USE_JAAS", "read"; };
grant { permission java.util.PropertyPermission "com.sun.enterprise.home", "read"; };
grant { permission java.util.PropertyPermission "customFinderMethod.noLazyLoading", "read"; };
grant { permission java.util.PropertyPermission "debug", "read"; };
grant { permission java.util.PropertyPermission "default.cmp.pm", "read"; };
grant { permission java.util.PropertyPermission "ejb.debug.verbose", "read"; };
grant { permission java.util.PropertyPermission "findByPrimaryKey.noLazyLoading", "read"; };
grant { permission java.util.PropertyPermission "http.nonProxyHosts", "read"; };
grant { permission java.util.PropertyPermission "http.proxyHost", "read"; };
grant { permission java.util.PropertyPermission "http.proxyPort", "read"; };
grant { permission java.util.PropertyPermission "java.ext.dirs", "read"; };
grant { permission java.util.PropertyPermission "java.class.path", "read"; };
grant { permission java.util.PropertyPermission "javax.xml.parsers.SAXParserFactory", "read"; };
grant { permission java.util.PropertyPermission "jca.connection.debug", "read"; };
grant { permission java.util.PropertyPermission "log4j.configDebug", "read"; };
grant { permission java.util.PropertyPermission "log4j.configuration", "read"; };
grant { permission java.util.PropertyPermission "log4j.debug", "read"; };
grant { permission java.util.PropertyPermission "log4j.defaultInitOverride", "read"; };
grant { permission java.util.PropertyPermission "log4j.disable", "read"; };
grant { permission java.util.PropertyPermission "log4j.disableOverride", "read"; };
grant { permission java.util.PropertyPermission "oneToOneJoin", "read"; };
grant { permission java.util.PropertyPermission "sun.boot.class.path", "read"; };
grant { permission java.util.PropertyPermission "toplink.changePolicy", "read"; };
grant { permission java.util.PropertyPermission "toplink.cts.collection.checkParameters", "read"; };
grant { permission java.util.PropertyPermission "toplink.cts.collection.checkTransaction", "read"; };
grant { permission java.util.PropertyPermission "toplink.defaultmapping.dbTableGenSetting", "read"; };
grant { permission java.util.PropertyPermission "toplink.defaultmapping.useExtendedTableNames", "read"; };
grant { permission java.util.PropertyPermission "toplink.log.destination", "read"; };
grant { permission java.util.PropertyPermission "toplink.log.level", "read"; };
grant { permission java.util.PropertyPermission "toplink.xml.platform", "read"; };
grant { permission java.util.PropertyPermission "upload.buflen", "read"; };
grant { permission java.util.PropertyPermission "user.dir", "read"; };
grant { permission java.util.PropertyPermission "javax.xml.soap.SOAPConnectionFactory", "read";};
// The only non-OIM "write" in this list; read of the same property is granted above.
grant { permission java.util.PropertyPermission "HTTPClient.socket.idleTimeout", "write";};

/* JDK  */
// AllPermission to the JDK's tools.jar (the compiler the OIM server invokes)
// and to the extension directory, matching the JDK default policy. Note this
// uses "lib/ext/*" while step 3 of the procedure grants "lib/ext/-"
// (recursive); the two together cover both layouts.
 
grant codebase "file:${java.home}/../lib/tools.jar" {
    permission java.security.AllPermission;
};
 
grant codeBase "file:${java.home}/lib/ext/*" {
permission java.security.AllPermission;
};

/* Default Grants copied from the JDK default system policy. */
 
// Default grant. There is no codeBase and no signedBy clause, so every
// permission in this block applies to EVERY class the JVM loads -- OC4J itself,
// Nexaweb, Oracle Identity Manager and every customer-supplied adapter,
// scheduled task, event handler or connector jar loaded from ${XL.HomeDir}.
// Read each entry below as a JVM-wide permission, not an application one.
grant {
// "standard" properties that can be read by anyone.
 
permission java.util.PropertyPermission "java.version", "read";
permission java.util.PropertyPermission "java.vendor", "read";
permission java.util.PropertyPermission "java.vendor.url", "read";
permission java.util.PropertyPermission "java.class.version", "read";
permission java.util.PropertyPermission "os.name", "read";
permission java.util.PropertyPermission "os.version", "read";
permission java.util.PropertyPermission "os.arch", "read";
permission java.util.PropertyPermission "file.separator", "read";
permission java.util.PropertyPermission "path.separator", "read";
permission java.util.PropertyPermission "line.separator", "read";
 
permission java.util.PropertyPermission "java.specification.version", "read";
permission java.util.PropertyPermission "java.specification.vendor", "read";
permission java.util.PropertyPermission "java.specification.name", "read";
 
permission java.util.PropertyPermission "java.vm.specification.version", "read";
permission java.util.PropertyPermission "java.vm.specification.vendor", "read";
permission java.util.PropertyPermission "java.vm.specification.name", "read";
permission java.util.PropertyPermission "java.vm.version", "read";
permission java.util.PropertyPermission "java.vm.vendor", "read";
permission java.util.PropertyPermission "java.vm.name", "read";

/* The following are granted by the default jdk policy but are considered
* unsafe and are omitted by this policy file */
 
// permission java.lang.RuntimePermission "stopThread";
// permission java.net.SocketPermission "localhost:1024-", "listen";
 
// NOTE(review): withholding "stopThread" and localhost "listen" as unsafe is
// undercut by the entries that follow, which hand every class in the JVM
// outbound network access, read access to the whole file system and the
// ability to load native code.

// Added for Oracle Identity Manager
// "*" read AND write on system properties: any class may change JVM-wide
// settings at runtime (JAXP factory classes, proxy and SSL trust-store
// properties, ...). This also makes every narrower PropertyPermission in
// this file redundant.
permission java.util.PropertyPermission "*", "read";
permission java.util.PropertyPermission "*", "write";
permission java.lang.RuntimePermission "queuePrintJob";
// Outbound connections to any host and port, from any class.
permission java.net.SocketPermission "*", "connect";
// Lifts the package.access restriction for every package, including the
// JDK-internal sun.* packages.
permission java.lang.RuntimePermission "accessClassInPackage.*";
permission javax.management.MBeanServerPermission "findMBeanServer";
// Any class may start a JAAS login against any configured login entry.
permission javax.security.auth.AuthPermission "createLoginContext.*";

//Added for AQ
permission java.lang.RuntimePermission "accessDeclaredMembers";

// For Nexaweb
// NOTE(review): these are still global (no codeBase). In particular:
//  - "loadLibrary.*" lets any class load native code, which the Java security
//    manager cannot constrain at all; together with "<<ALL FILES>>" read below
//    this is close to full trust for every class in the JVM.
//  - "<<ALL FILES>>" read exposes every file the server process can read,
//    including this policy file and the rest of the OC4J configuration under
//    ${oracle.home}/j2ee/home/config.
//  - "oracle.oc4j.OC4JOnly" and the DefaultModelMBeanImpl "*" permission look,
//    by their names, like container-internal privileges; granting them to all
//    code lets any class drive the OC4J admin MBeans.
//  - "modifyThreadGroup" and "setContextClassLoader" are normally withheld
//    from untrusted code.
// If Nexaweb really needs these, move them into the Nexaweb codeBase grant in
// the "Custom Application Permission Grants" section instead of granting them
// to everyone.
permission java.lang.RuntimePermission "getClassLoader";
permission java.lang.RuntimePermission "setContextClassLoader";
permission java.util.PropertyPermission "nexaweb.logs", "read,write";
permission java.util.PropertyPermission
"sun.net.client.defaultConnectTimeout", "read,write";
permission java.util.PropertyPermission "sun.net.client.defaultReadTimeout", "read,write";
permission java.lang.RuntimePermission "loadLibrary.*";
// Duplicates of entries already granted above in this same block.
permission java.lang.RuntimePermission "queuePrintJob";
permission java.net.SocketPermission    "*", "connect";
permission java.io.FilePermission       "<<ALL FILES>>", "read";
permission java.lang.RuntimePermission   "modifyThreadGroup";
permission oracle.oc4j.security.OC4JRuntimePermission "oracle.oc4j.OC4JOnly";
permission javax.management.MBeanPermission "oracle.oc4j.admin.jmx.server.mbeans.model.DefaultModelMBeanImpl#-", "*";

//Change this to the original directory where logs are being created.
//If logs are being created in more than one directory, ensure that you have an entry for each of them here.
// Note that "delete" on the log directories is also granted to every class.
permission java.io.FilePermission "${oracle.home}\\opmn\\logs\\-", "read,write,delete";
permission java.io.FilePermission "${oracle.home}\\j2ee\\home\\logs\\-", "read,write,delete";
permission java.io.FilePermission "${oracle.home}\\j2ee\\home\\velocity.log", "read,write,delete";

/*
*  permission java.io.FilePermission "C:\\files\\file1\\-", "read,write,delete"; 
*  has been added for the path of the directory where files are kept for the
*  GTC-RECON connector. "C:\\files\\file1" is a placeholder: update the path to
*  the correct value prior to running the server. Because this is the default
*  grant, every class in the JVM gets read/write/delete on that directory; if
*  only the connector needs it, put the entry in the Xellerate codeBase grant.
*/
permission java.io.FilePermission "C:\\files\\file1\\-", "read,write,delete";};

/**
** Add Custom Application Permission Grants Below
**/
// Java code and extensions
// Trust java extensions
// Recursive ("/-") version of the lib/ext grant in the "JDK" section above:
// every jar under ${java.home}/lib/ext, in any subdirectory, runs fully trusted.
// The directory must not be writable by the server's runtime user.
grant codeBase "file:${java.home}/lib/ext/-" {
permission java.security.AllPermission;
};

/*grant codeBase "file:${XL.HomeDir}/logs/-" {
permission java.security.AllPermission;
  };
*/

// Trust core java code
// "/*" matches jars directly in ${java.home}/lib only, not subdirectories.
grant codeBase "file:${java.home}/lib/*" {
permission java.security.AllPermission;
};
 
// For java.home pointing to the JDK jre directory
// NOTE(review): if java.home already points at the JDK's jre/ directory this
// resolves to jre/jre/lib and matches nothing; harmless, but it does not do
// what the comment suggests. Verify which layout applies to this install.
grant codeBase "file:${java.home}/jre/lib/-" {
permission java.security.AllPermission;
};
 
 
// Grant All permissions to the nexaweb commons jar file loaded from applib.
// NOTE(review): AllPermission means this jar is outside the sandbox entirely;
// it is worth confirming the jar's origin and keeping applib non-writable.
grant codeBase "file:${oracle.home}/j2ee/home/applib/nexaweb-common.jar" {
permission java.security.AllPermission;
};

// OIM codebase permissions
// OIM codebase permissions
// NOTE(review): taken together, SecurityPermission "*" (which includes
// setPolicy, createAccessControlContext, setProperty.* and insertProvider.*),
// ReflectPermission "suppressAccessChecks", "createClassLoader",
// "setLoginConfiguration", "<<ALL FILES>>" execute and read/write/delete on
// the whole OC4J instance directory make this grant functionally equivalent
// to AllPermission. The Java 2 sandbox therefore does not contain this
// codebase; it only documents what it uses.
grant codeBase "file:${oracle.home}/j2ee/home/applications/Xellerate/-" {
 
// File permissions
// Need read,write,delete permissions on $OIM_HOME/config folder
// to read various config files, write the
// xlconfig.xml.{0,1,2..} files upon re-encryption and delete
// the last xlconfig.xml if the numbers go above 9.
permission java.io.FilePermission "${XL.HomeDir}\\config\\-",
 "read, write, delete";
permission java.io.FilePermission "${XL.HomeDir}\\-", "read";

// Need read,write,delete permissions to generate adapter java
// code, delete the .class file when the adapter is loaded into
// the database
permission java.io.FilePermission "${XL.HomeDir}\\adapters\\-",
        "read,write,delete";

// This is required by the connectors and connector installer
permission java.io.FilePermission "${XL.HomeDir}\\ConnectorDefaultDirectory\\-",
          "read,write,delete";
permission java.io.FilePermission "${XL.HomeDir}\\adapters\\connectorResources\\-",
          "read,write,delete";

// Read Globalization resource bundle files for various
// locales
        permission java.io.FilePermission
        "${XL.HomeDir}\\adapters\\customResources\\-", "read";
 
// Read code from "JavaTasks", "ScheduleTask",
// "ThirdParty", "EventHandlers" folder
// NOTE(review): the ${XL.HomeDir} codeBase grant further down uses
// "ScheduleTasks" (plural) for what appears to be the same directory; only
// one spelling can match the real path. Check the install and make them agree.
permission java.io.FilePermission
       "${XL.HomeDir}\\EventHandlers\\-", "read";
permission java.io.FilePermission
       "${XL.HomeDir}\\JavaTasks\\-", "read";
permission java.io.FilePermission
       "${XL.HomeDir}\\ScheduleTask\\-", "read";
permission java.io.FilePermission
       "${XL.HomeDir}\\ThirdParty\\-", "read";

// Required by the Generic Technology connector
        permission java.io.FilePermission "${XL.HomeDir}\\GTC\\-", "read";
 
// Server needs read permissions on Nexaweb home directory
//permission java.io.FilePermission "${nexaweb.home}\\-", "read";
 
// Read, write and delete permissions on the "application-deployments" folder,
// the OIM deploy directory.
// NOTE(review): the second entry grants read/write/delete on ALL of
// ${oracle.home}\j2ee\home, which contains config\java2.policy (this file),
// so code in this codebase can rewrite its own sandbox policy and the rest of
// the OC4J configuration. It also subsumes the two narrower entries around it.
// If the intent is only the two Xellerate directories, drop the middle entry.
permission java.io.FilePermission "${oracle.home}\\j2ee\\home\\application-deployments\\Xellerate\\-", "read,write,delete";
permission java.io.FilePermission "${oracle.home}\\j2ee\\home\\-", "read,write,delete";
permission java.io.FilePermission "${oracle.home}\\j2ee\\home\\applications\\Xellerate\\-", "read,write,delete";

// OIM server invokes the java compiler. You need "execute"
// permissions on all files.
// NOTE(review): "<<ALL FILES>>" execute lets this codebase run ANY program on
// the host, not just the compiler. If javac is the only external program
// invoked, narrow this to the JDK bin directory (for example
// "${java.home}\\..\\bin\\-"), verifying the path on this install first.
        permission java.io.FilePermission "<<ALL FILES>>", "execute";
 
// Socket permissions
// NOTE(review): the comment below says "nonprivileged sockets", but
// SocketPermission "*" with no port grants listen/accept on EVERY port,
// including privileged ones. The "*:1024-" listen and "*:*" connect entries
// later in this grant are therefore redundant.
// The multicast address should be the same as the one in
// xlconfig.xml for javagroups communication
        permission java.net.SocketPermission "*",
        "connect,listen,resolve,accept";
        permission java.net.SocketPermission "231.184.202.110",
        "connect,accept";
 
// Property permissions
// Read and write OIM properties
// Read XL.*, java.* and log4j.* properties
// NOTE(review): "*" read,write subsumes all the other property entries here.
// Also, "log4j." is NOT a wildcard -- PropertyPermission wildcards are either
// "*" or "prefix.*" -- so that entry matches only a property literally named
// "log4j."; it should read "log4j.*". It is harmless only because of "*".
        permission java.util.PropertyPermission "XL.*", "read,write";
        permission java.util.PropertyPermission "*", "read, write";
        permission java.util.PropertyPermission "java.*", "read";
        permission java.util.PropertyPermission "log4j.", "read";
        permission java.util.PropertyPermission "user.dir", "read";
          
// Runtime permissions
// OIM server needs permissions to create its own class loader,
// get the class loader, modify threads and register shutdown
// hooks
        permission java.lang.RuntimePermission "createClassLoader";
        permission java.lang.RuntimePermission "getClassLoader";
        permission java.lang.RuntimePermission "modifyThread";
        permission java.lang.RuntimePermission "modifyThreadGroup";
        permission java.lang.RuntimePermission "shutdownHooks";
 
// OIM server needs runtime permissions to generate and load
// classes in the below specified packages. Also access the
// declared members of a class.
permission java.lang.RuntimePermission
        "defineClassInPackage.com.thortech.xl.adapterGlue.ScheduleItemEvents";
permission java.lang.RuntimePermission
        "defineClassInPackage.com.thortech.xl.dataobj.rulegenerators";
permission java.lang.RuntimePermission
        "defineClassInPackage.com.thortech.xl.adapterGlue";
permission java.lang.RuntimePermission "accessDeclaredMembers";

// Reflection permissions
// Give permissions to access and invoke fields/methods from
// reflected classes.
// "suppressAccessChecks" disables Java language access control (private /
// protected) for this codebase.
        permission java.lang.reflect.ReflectPermission
                "suppressAccessChecks";
 
// Security permissions for OIM server
// NOTE(review): SecurityPermission "*" includes setPolicy,
// createAccessControlContext, setProperty.*, insertProvider.* and
// putProviderProperty.*; with it this codebase can replace the Policy object
// and the crypto providers for the whole JVM. "setLoginConfiguration" likewise
// lets it replace the JAAS login configuration. If the server only needs a
// few of these, list them individually.
permission java.security.SecurityPermission "*";
permission javax.security.auth.AuthPermission "doAs";
permission javax.security.auth.AuthPermission "doPrivileged";
permission javax.security.auth.AuthPermission "getSubject";
permission javax.security.auth.AuthPermission "modifyPrincipals";
permission javax.security.auth.AuthPermission
                "createLoginContext";
permission javax.security.auth.AuthPermission "createLoginContext.*";
permission javax.security.auth.AuthPermission
                "getLoginConfiguration";
permission javax.security.auth.AuthPermission
                "setLoginConfiguration";

// SSL permission (for remote manager)
permission javax.net.ssl.SSLPermission  "getSSLSessionContext";
// Redundant: SocketPermission "*" above already grants listen on all ports.
permission java.net.SocketPermission "*:1024-", "listen";
permission java.util.logging.LoggingPermission "control";
permission java.lang.RuntimePermission "enableContextClassLoaderOverride";
// Serialization hooks: allows overriding readObject/writeObject and
// replaceObject/resolveObject in stream subclasses.
permission java.io.SerializablePermission "enableSubclassImplementation";
permission java.io.SerializablePermission "enableSubstitution";        
// The next four entries duplicate permissions already granted above in this
// block ("*" connect/resolve, createClassLoader, getClassLoader, "*" read).
permission java.net.SocketPermission "*:*", "connect,resolve";
permission java.lang.RuntimePermission "createClassLoader";
permission java.lang.RuntimePermission "getClassLoader";
permission java.util.PropertyPermission "*", "read";
permission java.util.PropertyPermission "LoadBalanceOnLookup", "read,write";        
permission javax.security.auth.AuthPermission
                "getPolicy";
permission java.io.FilePermission "${oracle.home}\\j2ee\\home\\Xellerate.err", "read,write,delete";
permission java.util.PropertyPermission "javax.*", "read,write";
};

// Nexaweb server codebase permissions
// Nexaweb server codebase permissions
grant codeBase "file:${oracle.home}/j2ee/home/applications/Nexaweb/-" {
// File permissions
// NOTE(review): "${user.home}" without a trailing "\\-" or "\\*" names only the
// home directory entry itself, not the files inside it. If Nexaweb needs to
// read or write files under the user's home this entry does not provide that;
// if it does not, the entry can be dropped.
permission java.io.FilePermission "${user.home}", "read, write";
permission java.io.FilePermission "${oracle.home}\\j2ee\\home\\application-deployments\\Nexaweb\\-", "read,write,delete";

//permission java.io.FilePermission "${nexaweb.home}\\-", "read";
 
// Property permissions
// "*" read,write: may change any JVM-wide system property at runtime.
permission java.util.PropertyPermission "*", "read,write";
 
// Runtime permissions
// Nexaweb server needs permissions to create its own class loader,
// get the class loader etc.
// NOTE(review): "setFactory" is JVM-global -- it allows installing socket,
// server-socket and URL stream-handler factories that every other codebase
// in this JVM then uses.
permission java.lang.RuntimePermission "createClassLoader";
permission java.lang.RuntimePermission "getClassLoader";
permission java.lang.RuntimePermission "setContextClassLoader";
permission java.lang.RuntimePermission  "setFactory";
 
// Nexaweb server security permissions to load the Cryptix
// extension
// Inserting a provider affects crypto algorithm selection for the whole JVM;
// the Cryptix jar itself must come from a trusted location.
permission java.security.SecurityPermission "insertProvider.Cryptix";
 
// Socket permissions
// Permissions on all non-privileged ports.
permission java.net.SocketPermission "*:1024-", "listen, connect, resolve";

// Security permissions
permission javax.security.auth.AuthPermission "doAs";
permission javax.security.auth.AuthPermission "modifyPrincipals";
permission javax.security.auth.AuthPermission "createLoginContext";
permission javax.security.auth.AuthPermission "createLoginContext.*";
permission java.util.logging.LoggingPermission "control";
permission java.io.SerializablePermission "enableSubclassImplementation";
permission java.io.SerializablePermission "enableSubstitution";
permission javax.security.auth.AuthPermission "getPolicy";
permission java.net.SocketPermission "*:*", "connect,resolve";
// Duplicates of entries already granted above in this block.
permission java.lang.RuntimePermission "createClassLoader";
permission java.lang.RuntimePermission "getClassLoader";
permission java.util.PropertyPermission "*", "read";
permission java.util.PropertyPermission "LoadBalanceOnLookup", "read,write";          
// NOTE(review): read/write/delete on ALL of ${oracle.home}\j2ee\home, which
// contains config\java2.policy (this file) and the rest of the OC4J
// configuration -- far wider than the Nexaweb deployment directory granted
// above. Confirm Nexaweb actually needs it; otherwise remove this entry.
permission java.io.FilePermission "${oracle.home}\\j2ee\\home\\-", "read,write,delete";
permission java.util.PropertyPermission "javax.*", "read,write";
};
// The following are permissions given to codebase in the OIM server
// directory
// The following are permissions given to codebase in the OIM server
// directory
// NOTE(review): this codeBase covers every class and jar anywhere under the
// OIM home -- which, per the Xellerate grant above, is where customer-written
// JavaTasks, ScheduleTask(s), ThirdParty, EventHandlers and adapter code live.
// That third-party code receives SecurityPermission "*" (setPolicy, provider
// insertion, ...), "setLoginConfiguration" (replace the JAAS configuration),
// "createClassLoader" and read/write/delete on the whole OC4J instance
// directory below, i.e. effectively unrestricted trust. Consider restricting
// this grant to the specific subdirectories and permissions the deployed
// adapters really need.
grant codeBase "file:${XL.HomeDir}/-" {
// File permissions
permission java.io.FilePermission "${XL.HomeDir}\\config\\-", "read";
permission java.io.FilePermission "${XL.HomeDir}\\JavaTasks\\-", "read";
// NOTE(review): "ScheduleTasks" here vs. "ScheduleTask" in the Xellerate grant
// above; only one spelling can match the real directory. Make them agree.
permission java.io.FilePermission "${XL.HomeDir}\\ScheduleTasks\\-", "read";
permission java.io.FilePermission "${XL.HomeDir}\\ThirdParty\\-", "read";
permission java.io.FilePermission "${XL.HomeDir}\\adapters\\-", "read,write,delete";

//permission java.io.FilePermission "${nexaweb.home}\\-", "read";
// Socket permissions
// "*" with no port: listen on every port and interface, privileged ports included.
permission java.net.SocketPermission "*", "listen";
 
// Property permissions
// Read XL.* and log4j.* properties
// NOTE(review): "log*" is NOT a wildcard -- PropertyPermission wildcards are
// either "*" or "prefix.*" -- so this entry matches only a property literally
// named "log*". The intended form is "log4j.*". It is harmless only because
// "*" read is granted further down in this block.
permission java.util.PropertyPermission "XL.*", "read";
permission java.util.PropertyPermission "log*", "read";
 
// Security permissions
permission javax.security.auth.AuthPermission "doAs";
permission javax.security.auth.AuthPermission "modifyPrincipals";
permission javax.security.auth.AuthPermission "createLoginContext";
permission java.io.SerializablePermission "enableSubclassImplementation";
permission java.io.SerializablePermission "enableSubstitution";
permission java.util.logging.LoggingPermission "control";
permission javax.security.auth.AuthPermission "createLoginContext.*";
// SecurityPermission "*" includes setPolicy, createAccessControlContext,
// setProperty.*, insertProvider.* and putProviderProperty.*.
permission java.security.SecurityPermission "*";
permission javax.security.auth.AuthPermission "getLoginConfiguration";
permission javax.security.auth.AuthPermission "getPolicy";
// Lets code in the OIM home replace the JAAS login configuration JVM-wide.
permission javax.security.auth.AuthPermission "setLoginConfiguration";
permission java.security.SecurityPermission "insertProvider.Cryptix";

// Socket permissions
// Permissions on all nonprivileged ports (the "*" listen above already covers
// all ports, so the listen part is redundant).
permission java.net.SocketPermission "*:1024-","listen, connect, resolve";
permission java.net.SocketPermission "*:*", "connect,resolve";
permission java.lang.RuntimePermission "createClassLoader";
permission java.lang.RuntimePermission "getClassLoader";
permission java.util.PropertyPermission "*", "read";
permission java.util.PropertyPermission "LoadBalanceOnLookup", "read,write";
// NOTE(review): read/write/delete on ALL of ${oracle.home}\j2ee\home, which
// contains config\java2.policy (this file). Code loaded from the OIM home can
// therefore rewrite the security policy that is supposed to confine it.
permission java.io.FilePermission "${oracle.home}\\j2ee\\home\\-", "read,write,delete";
permission java.util.PropertyPermission "javax.*", "read,write";
};

A.2 Java 2 Security Permissions for Oracle Application Server Cluster

Note:

The application might fail to start because of syntax errors in the policy files.

Be careful when editing the policy files. Oracle recommends that you use the policy tool provided by the JDK for editing the policy files. The tool is available in the following directory:

JAVA_HOME/jre/bin/policytool

To enable Java 2 Security for Oracle Identity Manager running on Oracle Application Server:

  1. Modify the Oracle Application Server run configuration and add the -Djava.security.manager as a JVM option of the Oracle Application Server instance where Oracle Identity Manager is deployed. This change should be done in $OC4J_HOME/opmn/conf/opmn.xml.

  2. Pass the following option to Oracle Application Server:

    -Djava.security.manager
    

    This option enables the Java 2 Security manager.

  3. Check if the $ORACLEAS_HOME/j2ee/<OC4J instance>/config/java2.policy file exists. If it exists, edit it and add the Java 2 Security permissions listed in the "Policy File" section.

    Note:

    If the java2.policy file does not exist, you have to create it.

Policy File

Perform the following in the java2.policy file:

Note:

- The instructions to change the code in the policy file are given in comments, which are in bold font.

- Make sure to change the Oracle Application Server instance name in the example below to reflect the Oracle Application Server on which you install Oracle Identity Manager. This example uses xlClusterMember for the instance name where Oracle Identity Manager is deployed.

- This java2.policy example is for a Windows installation. For UNIX, change every \\ directory separator to / in the target path of each java.io.FilePermission entry.

- Make sure to change the multicast IP 231.111.153.118 in this example to reflect the multicast IP address of the Oracle Identity Manager installation. You can find the Oracle Identity Manager multicast IP address in xlconfig.xml.

- You must update the path to the correct value for the location where GTC-RECON connector files are located. This example uses C:\\files\\file1 (the placeholder that appears in the policy text below) for the location of these files.

  1. Find the following:

    grant { permission java.util.PropertyPermission "javax.xml.parsers.DocumentBuilderFactory" , "read"; 
    };
    

    Add the following to the preceding code:

    // NOTE(review): this grant has no codeBase, so every class in the JVM may now
    // WRITE javax.xml.parsers.DocumentBuilderFactory, i.e. redirect JAXP parser
    // lookup to an arbitrary class name for the whole server. Step 2 below adds
    // PropertyPermission "*", "write" to the default grant, which subsumes this
    // entry anyway.
    grant { permission java.util.PropertyPermission "javax.xml.parsers.DocumentBuilderFactory", "write"; 
    };
    
  2. Find /*Default Grants copied from the JDK default system policy*/ and add the following code to the grant:

    //Added for OIM
    // NOTE(review): these lines go into the codeBase-less default grant, so every
    // permission here applies to EVERY class the JVM loads (OC4J, Nexaweb, OIM and
    // any adapter or connector jar under ${XL.HomeDir}). In particular "*" write
    // on system properties, "loadLibrary.*" (native code, outside the sandbox),
    // "<<ALL FILES>>" read and the "*" MBeanPermissions are JVM-wide grants.
    permission java.util.PropertyPermission "*", "read";
    permission java.util.PropertyPermission "*", "write";
    permission java.lang.RuntimePermission "queuePrintJob";
    permission java.net.SocketPermission "*", "connect";
    permission java.lang.RuntimePermission "accessClassInPackage.*";
    permission javax.management.MBeanServerPermission "findMBeanServer";
    permission javax.security.auth.AuthPermission "createLoginContext.*";
     
    // For Nexaweb
    permission java.lang.RuntimePermission "getClassLoader";
    permission java.lang.RuntimePermission "setContextClassLoader";
    permission java.util.PropertyPermission "nexaweb.logs", "read,write";
    permission java.util.PropertyPermission
    "sun.net.client.defaultConnectTimeout", "read,write";
    permission java.util.PropertyPermission "sun.net.client.defaultReadTimeout", "read,write";
    permission java.lang.RuntimePermission "loadLibrary.*";
    // Duplicates of entries already added above.
    permission java.lang.RuntimePermission "queuePrintJob";
    permission java.net.SocketPermission    "*", "connect";
    permission java.io.FilePermission       "<<ALL FILES>>", "read";
    permission java.lang.RuntimePermission   "modifyThreadGroup";
    permission oracle.oc4j.security.OC4JRuntimePermission "oracle.oc4j.OC4JOnly";
    permission javax.management.MBeanPermission "oracle.oc4j.admin.jmx.server.mbeans.model.DefaultModelMBeanImpl#-", "*";
    permission javax.management.MBeanPermission "oracle.oc4j.admin.jmx.server.mbeans.model.DefaultModelMBeanImpl#fireXMLConfigEvent[default:j2eeType=OracleASJMSRouter]", "invoke";
    // NOTE(review): "*" on the JMS persistence/queue MBeans lets any class
    // administer OC4J JMS through JMX; presumably needed for OIM's AQ/JMS
    // integration -- if so, scope it to the Xellerate codeBase grant instead.
    permission javax.management.MBeanPermission "oracle.oc4j.admin.management.mbeans.JMSPersistence#-", "*";
    permission javax.management.MBeanPermission "oracle.oc4j.admin.management.mbeans.JMSQueue#-", "*";
    permission javax.management.MBeanPermission "oracle.oc4j.admin.management.mbeans.JMS#-", "*";
    permission javax.management.MBeanPermission "oracle.j2ee.ws.server.mgmt.runtime.mbean.ServerInterceptorGlobalRuntime#-","*";
    
    //Change this to the original directory where logs are being created.
    //If logs are being created in more than one directory, ensure that you have an entry for each of them here.
    permission java.io.FilePermission "${oracle.home}\\opmn\\logs\\-", "read,write,delete";
    permission java.io.FilePermission "${oracle.home}\\j2ee\\xlClusterMember\\logs\\-", "read,write,delete";
    permission java.io.FilePermission "${oracle.home}\\j2ee\\home\\logs\\-", "read,write,delete";
    permission java.io.FilePermission "${oracle.home}\\j2ee\\xlClusterMember\\velocity.log", "read,write,delete";
    permission java.io.FilePermission "${oracle.home}\\j2ee\\home\\velocity.log", "read,write,delete";
    //This is added for the GTC-Recon Connector
    /*
    *  permission java.io.FilePermission "C:\\files\\file1\\-", "read,write,delete"; 
    *  has been added for the path of the directory where files are kept for the
    *  GTC-RECON connector. "C:\\files\\file1" is a placeholder: update the path to
    *  the correct value prior to running the server. As part of the default grant
    *  it gives every class read/write/delete on that directory.
    */
    permission java.io.FilePermission "C:\\files\\file1\\-", "read,write,delete";
    
    //Added for AQ
    permission java.lang.RuntimePermission "accessDeclaredMembers";
    
  3. In Custom Application Permissions, append the following code:

    // Java code and extensions
    // Trust java extensions
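    // NOTE: the listing as printed was truncated to 'java.home}/lib/ext/-" {',
    // which is a syntax error and stops the OC4J instance from starting. The
    // complete statement (identical to the noncluster policy) is:
    grant codeBase "file:${java.home}/lib/ext/-" {
    // Every jar under ${java.home}/lib/ext runs fully trusted; keep that
    // directory non-writable for the server's runtime user.
    permission java.security.AllPermission;
    };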
     
    /*grant codeBase "file:${XL.HomeDir}/logs/-" {
    permission java.security.AllPermission;
      };
    */
    
    // Trust core java code
    // "/*" matches jars directly in ${java.home}/lib only, not subdirectories.
    grant codeBase "file:${java.home}/lib/*" {
    permission java.security.AllPermission;
    };
     
    // For java.home pointing to the JDK jre directory
    // NOTE(review): if java.home already points at the JDK's jre/ directory this
    // resolves to jre/jre/lib and matches nothing. Verify which layout applies.
    grant codeBase "file:${java.home}/jre/lib/-" {
    permission java.security.AllPermission;
    };
     
     
    // Grant All permissions to the nexaweb commons jar loaded from the instance's applib.
    // AllPermission places this jar entirely outside the sandbox; confirm its origin
    // and keep applib non-writable. Replace xlClusterMember with your instance name.
    grant codeBase "file:${oracle.home}/j2ee/xlClusterMember/applib/nexaweb-common.jar" {
    permission java.security.AllPermission;
    };
     
    // OIM codebase permissions
    // OIM codebase permissions (replace xlClusterMember with your instance name)
    // NOTE(review): SecurityPermission "*", ReflectPermission "suppressAccessChecks",
    // "createClassLoader", "setLoginConfiguration", "<<ALL FILES>>" execute and
    // read/write/delete on the whole OC4J instance directory together make this
    // grant functionally equivalent to AllPermission; the sandbox does not confine
    // this codebase, it only documents what it uses.
    grant codeBase "file:${oracle.home}/j2ee/xlClusterMember/applications/Xellerate/-" {
     
    // File permissions
    // Need read, write, and delete permissions on $OIM_HOME/config folder
    // to read various config files, write the
    // xlconfig.xml.{0,1,2..} files upon re-encryption and delete
    // the last xlconfig.xml if the numbers go above 9.
            permission java.io.FilePermission "${XL.HomeDir}\\config\\-",
            "read, write, delete";
            permission java.io.FilePermission "${XL.HomeDir}\\-", "read";
     
            // Need read,write,delete permissions to generate adapter java
            // code, delete the .class file when the adapter is loaded into
            // the database
            permission java.io.FilePermission "${XL.HomeDir}\\adapters\\-",
     "read,write,delete";
     
            // This is required by the connectors and connector installer
            permission java.io.FilePermission
            "${XL.HomeDir}\\ConnectorDefaultDirectory\\-",
                    "read,write,delete";
            permission java.io.FilePermission
                    "${XL.HomeDir}\\adapters\\connectorResources\\-",
                    "read,write,delete";
     
    // Read Globalization resource bundle files for various
    // locales
            permission java.io.FilePermission
            "${XL.HomeDir}\\adapters\\customResources\\-", "read";
     
    // Read code from "JavaTasks", "ScheduleTask",
    // "ThirdParty", "EventHandlers" folder
    // NOTE(review): the ${XL.HomeDir} codeBase grant further down spells this
    // directory "ScheduleTasks"; only one spelling can match. Make them agree.
            permission java.io.FilePermission
            "${XL.HomeDir}\\EventHandlers\\-", "read";
            permission java.io.FilePermission
            "${XL.HomeDir}\\JavaTasks\\-", "read";
            permission java.io.FilePermission
                    "${XL.HomeDir}\\ScheduleTask\\-", "read";
            permission java.io.FilePermission
            "${XL.HomeDir}\\ThirdParty\\-", "read";
     
    // Required by the Generic Technology connector
            permission java.io.FilePermission "${XL.HomeDir}\\GTC\\-", "read";
     
    // Server needs read permissions on Nexaweb home directory
    //permission java.io.FilePermission "${nexaweb.home}\\-", "read";
     
    // Read, write and delete permissions on the "application-deployments" folder,
    // the OIM deploy directory.
    // NOTE(review): the two "\\-" entries on the instance roots grant
    // read/write/delete on ALL of j2ee\xlClusterMember (which holds this file,
    // config\java2.policy) and ALL of j2ee\home. They subsume the narrower
    // Xellerate entries, and if OIM is deployed only to xlClusterMember the
    // j2ee\home entry is presumably not needed at all -- verify and remove.
    permission java.io.FilePermission
    "${oracle.home}\\j2ee\\xlClusterMember\\application-deployments\\Xellerate\\-", "read,write,delete";
    permission java.io.FilePermission "${oracle.home}\\j2ee\\xlClusterMember\\-", "read,write,delete";
    permission java.io.FilePermission "${oracle.home}\\j2ee\\home\\-", "read,write,delete";
    permission java.io.FilePermission
            "${oracle.home}\\j2ee\\xlClusterMember\\applications\\Xellerate\\-", "read,write,delete";
     
    // OIM server invokes the java compiler. You need "execute"
    // permissions on all files.
    // NOTE(review): "<<ALL FILES>>" execute allows running ANY program on the
    // host. If javac is the only external program, narrow this to the JDK bin
    // directory after verifying its path on this install.
            permission java.io.FilePermission "<<ALL FILES>>", "execute";
     
    // Socket permissions
    // NOTE(review): SocketPermission "*" with no port grants listen/accept on
    // EVERY port, privileged ones included, so "nonprivileged" below is not
    // accurate and the "*:1024-" / "*:*" entries later in this grant are redundant.
    // The multicast address should be the same as the one in
    // xlconfig.xml for javagroups communication
            permission java.net.SocketPermission "*",
            "connect,listen,resolve,accept";
            permission java.net.SocketPermission "231.111.153.118",
            "connect,accept";
     
    // Property permissions
    // Read and write OIM properties
    // Read XL.*, java.* and log4j.* properties
    // NOTE(review): "*" read,write subsumes the other entries here, and "log4j."
    // is a literal name, not a wildcard (PropertyPermission wildcards are "*" or
    // "prefix.*"); the intended form is "log4j.*".
            permission java.util.PropertyPermission "XL.*", "read,write";
            permission java.util.PropertyPermission "*", "read, write";
            permission java.util.PropertyPermission "java.*", "read";
            permission java.util.PropertyPermission "log4j.", "read";
            permission java.util.PropertyPermission "user.dir", "read";
              
    // Runtime permissions
    // OIM server needs permissions to create its own class loader,
    // get the class loader, modify threads and register shutdown
    // hooks
            permission java.lang.RuntimePermission "createClassLoader";
            permission java.lang.RuntimePermission "getClassLoader";
            permission java.lang.RuntimePermission "modifyThread";
            permission java.lang.RuntimePermission "modifyThreadGroup";
            permission java.lang.RuntimePermission "shutdownHooks";
     
    // OIM server needs runtime permissions to generate and load
    // classes in the below specified packages. Also access the
    // declared members of a class.
            permission java.lang.RuntimePermission
            "defineClassInPackage.com.thortech.xl.adapterGlue.ScheduleItemEvents";
            permission java.lang.RuntimePermission
                    "defineClassInPackage.com.thortech.xl.dataobj.rulegenerators";
            permission java.lang.RuntimePermission
                    "defineClassInPackage.com.thortech.xl.adapterGlue";
            permission java.lang.RuntimePermission "accessDeclaredMembers";
    
              
    // Reflection permissions
    // Give permissions to access and invoke fields/methods from
    // reflected classes (disables private/protected access control).
            permission java.lang.reflect.ReflectPermission
                    "suppressAccessChecks";
     
    // Security permissions for OIM server
    // NOTE(review): SecurityPermission "*" includes setPolicy,
    // createAccessControlContext, setProperty.* and insertProvider.*;
    // "setLoginConfiguration" allows replacing the JAAS configuration JVM-wide.
            permission java.security.SecurityPermission "*";
            permission javax.security.auth.AuthPermission "doAs";
            permission javax.security.auth.AuthPermission "doPrivileged";
            permission javax.security.auth.AuthPermission "getSubject";
            permission javax.security.auth.AuthPermission "modifyPrincipals";
            permission javax.security.auth.AuthPermission
                    "createLoginContext";
            permission javax.security.auth.AuthPermission "createLoginContext.*";
            permission javax.security.auth.AuthPermission
                    "getLoginConfiguration";
            permission javax.security.auth.AuthPermission
                    "setLoginConfiguration";
     
    // SSL permission (for remote manager)
           permission javax.net.ssl.SSLPermission  "getSSLSessionContext";
           permission java.net.SocketPermission "*:1024-", "listen";
           permission java.util.logging.LoggingPermission "control";
           permission java.lang.RuntimePermission "enableContextClassLoaderOverride";
           permission java.io.SerializablePermission "enableSubclassImplementation";
           permission java.io.SerializablePermission "enableSubstitution";    
    // The next four entries duplicate permissions already granted above in this block.
    permission java.net.SocketPermission "*:*", "connect,resolve";
    permission java.lang.RuntimePermission "createClassLoader";
    permission java.lang.RuntimePermission "getClassLoader";
    permission java.util.PropertyPermission "*", "read";
    permission java.util.PropertyPermission "LoadBalanceOnLookup", "read,write";           
    permission javax.security.auth.AuthPermission
                    "getPolicy";
    permission java.util.PropertyPermission "javax.*", "read,write";
    // NOTE(review): cluster-only addition; by its name this exposes the OC4J
    // JAZN realm manager (user/role administration) to this codebase.
    permission oracle.security.jazn.JAZNPermission "getRealmManager";
    };
     
     
    // Nexaweb server codebase permissions
    // Nexaweb server codebase permissions (replace xlClusterMember with your instance name)
    grant codeBase "file:${oracle.home}/j2ee/xlClusterMember/applications/Nexaweb/-" {
    // File permissions
    // NOTE(review): "${user.home}" with no trailing "\\-" names only the home
    // directory entry itself, not the files inside it.
            permission java.io.FilePermission "${user.home}", "read, write";
            permission java.io.FilePermission
    "${oracle.home}\\j2ee\\xlClusterMember\\application-deployments\\Nexaweb\\-", "read,write,delete";
    //permission java.io.FilePermission "${nexaweb.home}\\-", "read";
     
    // Property permissions
    // "*" read,write: may change any JVM-wide system property at runtime.
    permission java.util.PropertyPermission "*", "read,write";
     
    // Runtime permissions
    // Nexaweb server needs permissions to create its own class loader,
    // get the class loader etc.
    // NOTE(review): "setFactory" is JVM-global (socket and URL stream-handler
    // factories installed here are used by every other codebase).
            permission java.lang.RuntimePermission "createClassLoader";
            permission java.lang.RuntimePermission "getClassLoader";
            permission java.lang.RuntimePermission "setContextClassLoader";
            permission java.lang.RuntimePermission  "setFactory";
     
    // Nexaweb server security permissions to load the Cryptix
    // extension (provider insertion affects crypto for the whole JVM)
            permission java.security.SecurityPermission
            "insertProvider.Cryptix";
     
    // Socket permissions
    // Permissions on all non-privileged ports.
            permission java.net.SocketPermission "*:1024-",
                    "listen, connect, resolve";
     
    // Security permissions
            permission javax.security.auth.AuthPermission "doAs";
            permission javax.security.auth.AuthPermission "modifyPrincipals";
            permission javax.security.auth.AuthPermission "createLoginContext";
            permission javax.security.auth.AuthPermission "createLoginContext.*";
            permission java.util.logging.LoggingPermission "control";
            permission java.io.SerializablePermission "enableSubclassImplementation";
            permission java.io.SerializablePermission "enableSubstitution";
            permission javax.security.auth.AuthPermission
            "getPolicy";
    permission java.net.SocketPermission "*:*", "connect,resolve";
    // Duplicates of entries already granted above in this block.
    permission java.lang.RuntimePermission "createClassLoader";
    permission java.lang.RuntimePermission "getClassLoader";
    permission java.util.PropertyPermission "*", "read";
    permission java.util.PropertyPermission "LoadBalanceOnLookup", "read,write";          
    // NOTE(review): read/write/delete on ALL of j2ee\xlClusterMember, which holds
    // this file (config\java2.policy) and the rest of the instance configuration
    // -- far wider than the Nexaweb deployment directory granted above. Confirm
    // Nexaweb needs it; otherwise remove this entry.
    permission java.io.FilePermission "${oracle.home}\\j2ee\\xlClusterMember\\-", "read,write,delete";
    permission java.util.PropertyPermission "javax.*", "read,write";
    };
     
    // The following are permissions given to codebase in the OIM server
    // directory
    // Recursive codeBase ("/-"): every class and jar loaded from under the
    // OIM home directory receives the permissions in this grant.
    grant codeBase "file:${XL.HomeDir}/-" {
    // File permissions
    // The "\\" separators are the Windows form; FilePermission paths are
    // interpreted by the host OS, so the separator must match the platform.
            permission java.io.FilePermission "${XL.HomeDir}\\config\\-",
                    "read";
            permission java.io.FilePermission "${XL.HomeDir}\\JavaTasks\\-",
                    "read";
            permission java.io.FilePermission
                    "${XL.HomeDir}\\ScheduleTasks\\-", "read";
            permission java.io.FilePermission
                    "${XL.HomeDir}\\ThirdParty\\-", "read";
            permission java.io.FilePermission
                    "${XL.HomeDir}\\adapters\\-", "read,write,delete";          
            
    //permission java.io.FilePermission "${nexaweb.home}\\-", "read";
    // Socket permissions
            permission java.net.SocketPermission "*", "listen";
     
    // Property permissions
    // Read XL.* and log4j.* properties
    // NOTE(review): BasicPermission wildcards are only "*" or "<prefix>.*",
    // so "log*" names a property literally called "log*" rather than the
    // log4j.* family; the "*" read grant further below covers it in practice.
            permission java.util.PropertyPermission "XL.*", "read";
            permission java.util.PropertyPermission "log*", "read";
     
    // Security permissions
            permission javax.security.auth.AuthPermission "doAs";
            permission javax.security.auth.AuthPermission "modifyPrincipals";
            permission javax.security.auth.AuthPermission "createLoginContext";
    permission java.io.SerializablePermission "enableSubclassImplementation";
           permission java.io.SerializablePermission "enableSubstitution";
    permission java.util.logging.LoggingPermission "control";
    permission javax.security.auth.AuthPermission "createLoginContext.*";
    // SecurityPermission "*" covers every target, including setPolicy and
    // the security-property setters, so it also subsumes the
    // insertProvider.Cryptix entry below. Review whether this code needs it.
    permission java.security.SecurityPermission "*";
    permission javax.security.auth.AuthPermission
            "getLoginConfiguration";
    permission javax.security.auth.AuthPermission 
    "getPolicy";
            permission javax.security.auth.AuthPermission
                    "setLoginConfiguration";
    permission java.security.SecurityPermission
    "insertProvider.Cryptix";
       
    // Socket permissions
    // Permissions on all non-privileged ports.
    permission java.net.SocketPermission "*:1024-","listen, connect, resolve";
    // Outbound connections to any host on any port, privileged ports included.
    permission java.net.SocketPermission "*:*", "connect,resolve";
    permission java.lang.RuntimePermission "createClassLoader";
    permission java.lang.RuntimePermission "getClassLoader";
    permission java.util.PropertyPermission "*", "read";
    permission java.util.PropertyPermission "LoadBalanceOnLookup", "read,write";
    // Read/write/delete on the whole OC4J instance directory, not just the
    // OIM deployment beneath it.
    permission java.io.FilePermission "${oracle.home}\\j2ee\\xlClusterMember\\-", "read,write,delete";
    permission java.util.PropertyPermission "javax.*", "read,write";
    };
    

Policy File

The following is the sample java2.policy file after the Oracle Identity Manager policy entries have been added:

/*
 * Standard policy file for Oracle Application Server
 *
 *    When this file is in use the System property ${oracle.home} must
 *    be set to $ORACLE_HOME or to the value of $ORACLE_HOME.
 *
 *    When this file is in use via OPMN the System property 
 *    ${oracle.oc4j.instancename}
 *    is used to identify the instance-level connector jars.
 *
 *    This file grants AllPermission to "oc4j code"
 *    oc4j code is code used either directly or indirectly by the app server
 *    itself. Including code generated for ejb wrappers.
 *    See oc4j.jar!boot.xml for a complete list. Currently this file
 *    only lists jars that need permissions. Others can be
 *    added if necessary.
 *
 *    In a future release the grants will be refined so that
 *    only the Permissions actually needed by Oracle Application Server 
 *    code will be granted.
 *
 *    Calls to AccessController.doPrivileged have been added to Oracle
 *    Application Server with the intention that the application code only
 *    be granted the Permissions needed by actions it performs directly.
 *    It should not be granted Permissions required by J2EE
 *    operations.
 *
 *    For example if a Servlet (or jsp) forwards to a .jsp it does not
 *    need Permission to read and compile the .jsp.  Similarly the
 *    application code associated with an ejb that specifies container
 *    managed persistence does not need Permission to create a socket
 *    talking to the database holding the underlying data. But an EJB
 *    using bean managed persistence does need such Permission.
 */
// codeBase URL forms used throughout this file: a trailing "*" matches the
// class/jar files directly in that directory, a trailing "-" matches the
// directory recursively, and a bare path matches that one file only. Every
// grant in this section is AllPermission, which disables the sandbox for
// the matched code, so keep the list to application-server jars.
grant codebase "file:${oracle.home}/j2ee/home/*" {
    permission java.security.AllPermission;
};
 
grant codebase "file:${oracle.home}/j2ee/home/lib/*" {
    permission java.security.AllPermission;
};
 
 
grant codebase "file:${oracle.home}/jlib/-" {
    permission java.security.AllPermission;
};
 
 
grant codebase "file:${oracle.home}/bc4j/jlib/*" {
    permission java.security.AllPermission;
};
 
grant codeBase "file:${oracle.home}/toplink/jlib/*" {
    permission java.security.AllPermission;
};
 
grant codebase "file:${oracle.home}/dms/lib/*" {
    permission java.security.AllPermission;
};
 
grant codebase "file:${oracle.home}/diagnostics/lib/*" {
    permission java.security.AllPermission;
};
 
grant codebase "file:${oracle.home}/jdbc/lib/ojdbc14dms.jar" {
    permission java.security.AllPermission;
};
 
grant codebase "file:${oracle.home}/dbjava/lib/*" {
    permission java.security.AllPermission;
};
 
grant codebase "file:${oracle.home}/sqlj/lib/*" {
    permission java.security.AllPermission;
};
 
grant codebase "file:${oracle.home}/javacache/lib/*" {
    permission java.security.AllPermission;
};
 
grant codebase "file:${oracle.home}/uddi/lib/*" {
    permission java.security.AllPermission;
};
 
grant codebase "file:${oracle.home}/xdk/lib/*" {
    permission java.security.AllPermission;
};
 
grant codebase "file:${oracle.home}/opmn/lib/*" {
    permission java.security.AllPermission;
};
 
 
grant codebase "file:${oracle.home}/webservices/lib/*" {
    permission java.security.AllPermission;
};
 
 
 
grant codeBase "file:${oracle.home}/javavm/lib/-" {
    permission java.security.AllPermission;
};
 
grant codebase "file:${oracle.home}/jsp/lib/*" {
    permission java.security.AllPermission;
};
 
grant codebase "file:${oracle.home}/lib/*" {
    permission java.security.AllPermission;
};
 
 
/** EJB skeleton/tie & BCEL proxy support **/
// Synthetic codeBase URLs reported for classes generated at runtime, not
// paths on disk.
 
grant codeBase "file:generated/by/proxy" {
    permission java.security.AllPermission;
};
 
// NOTE(review): this entry uses "file://" where the one above uses "file:";
// confirm each form matches what the respective class loader reports.
grant codeBase "file://generated/by/oracle.j2ee.connector.proxy.BCELProxyClassLoader" {
    permission java.security.AllPermission;
};
 
/**
* Miscellaneous grants to jars distributed as part of oc4j that can be used
* in various ways
*/
// Each connector jar is listed under the fixed "home" instance and again
// under ${oracle.oc4j.instancename}, so the grant applies whichever
// instance directory it is loaded from.

grant codebase "file:${oracle.home}/j2ee/home/connectors/OracleASjms/OracleASjms/gjra.jar" {
    permission java.security.AllPermission;
};
 
grant codebase "file:${oracle.home}/j2ee/${oracle.oc4j.instancename}/connectors/OracleASjms/OracleASjms/gjra.jar" {
    permission java.security.AllPermission;
};
 
grant codebase "file:${oracle.home}/j2ee/home/connectors/datasources/datasources/datasources.jar" {
    permission java.security.AllPermission;
};
 
grant codebase "file:${oracle.home}/j2ee/${oracle.oc4j.instancename}/connectors/datasources/datasources/datasources.jar" {
    permission java.security.AllPermission;
};
 
grant codebase "file:${oracle.home}/j2ee/home/jsp/lib/*" {
    permission java.security.AllPermission;
};
 
grant codebase "file:${oracle.home}/j2ee/home/jsp/lib/taglib/ojsputil.jar" {
    permission java.security.AllPermission;
};
 
/* GRANTS TO DEFAULT APPLICATIONS */
// Applications are listed under a fixed instance name ("xlClusterMember" or
// "home") and again under ${oracle.oc4j.instancename}; the fixed name is
// presumably the OIM instance -- adjust it if your instance is named
// differently. Entries with no trailing "/-" (admin_ejb.jar, jmsrouter-ejb.jar,
// jmsrouter) match that exact codeBase only. All are AllPermission.
 
grant codebase "file:${oracle.home}/j2ee/xlClusterMember/application-deployments/ascontrol/-" {
    permission java.security.AllPermission;
};
 
grant codebase "file:${oracle.home}/j2ee/${oracle.oc4j.instancename}/application-deployments/ascontrol/-" {
    permission java.security.AllPermission;
};
 
grant codebase "file:${oracle.home}/j2ee/xlClusterMember/applications/ascontrol/-" {
    permission java.security.AllPermission;
};
 
grant codebase "file:${oracle.home}/j2ee/${oracle.oc4j.instancename}/applications/ascontrol/-" {
    permission java.security.AllPermission;
};
 
grant codebase "file:${oracle.home}/j2ee/xlClusterMember/application-deployments/default/-" {
    permission java.security.AllPermission;
};
 
grant codebase "file:${oracle.home}/j2ee/${oracle.oc4j.instancename}/application-deployments/default/-" {
    permission java.security.AllPermission;
};
 
grant codebase "file:${oracle.home}/j2ee/xlClusterMember/applications/default/-" {
    permission java.security.AllPermission;
};
 
grant codebase "file:${oracle.home}/j2ee/${oracle.oc4j.instancename}/applications/default/-" {
    permission java.security.AllPermission;
};
 
grant codebase "file:${oracle.home}/j2ee/home/application-deployments/javasso/-" {
    permission java.security.AllPermission;
};
 
grant codebase "file:${oracle.home}/j2ee/${oracle.oc4j.instancename}/application-deployments/javasso/-" {
    permission java.security.AllPermission;
};
 
grant codebase "file:${oracle.home}/j2ee/home/applications/javasso/-" {
    permission java.security.AllPermission;
};
 
grant codebase "file:${oracle.home}/j2ee/${oracle.oc4j.instancename}/applications/javasso/-" {
    permission java.security.AllPermission;
};
 
grant codebase "file:${oracle.home}/j2ee/home/application-deployments/usermbean/-" {
    permission java.security.AllPermission;
};
 
grant codebase "file:${oracle.home}/j2ee/${oracle.oc4j.instancename}/application-deployments/usermbean/-" {
    permission java.security.AllPermission;
};
 
grant codebase "file:${oracle.home}/j2ee/home/applications/usermbean/-" {
    permission java.security.AllPermission;
};
 
grant codebase "file:${oracle.home}/j2ee/${oracle.oc4j.instancename}/applications/usermbean/-" {
    permission java.security.AllPermission;
};
 
grant codebase "file:${oracle.home}/j2ee/xlClusterMember/application-deployments/admin_ejb/-" {
    permission java.security.AllPermission;
};
 
grant codebase "file:${oracle.home}/j2ee/${oracle.oc4j.instancename}/application-deployments/admin_ejb/-" {
    permission java.security.AllPermission;
};
 
grant codebase "file:${oracle.home}/j2ee/home/applications/admin_ejb.jar" {
    permission java.security.AllPermission;
};
 
grant codebase "file:${oracle.home}/j2ee/home/applications/admin_ejb/-" {
    permission java.security.AllPermission;
};
 
grant codebase "file:${oracle.home}/j2ee/${oracle.oc4j.instancename}/applications/admin_ejb/-" {
    permission java.security.AllPermission;
};
 
grant codebase "file:${oracle.home}/j2ee/home/applications/jmsrouter-ejb.jar" {
    permission java.security.AllPermission;
};
 
grant codebase "file:${oracle.home}/j2ee/home/applications/jmsrouter" {
    permission java.security.AllPermission;
};
 
grant codebase "file:${oracle.home}/j2ee/xlClusterMember/application-deployments/JMXSoapAdapter-web/-" {
    permission java.security.AllPermission;
};
 
grant codebase "file:${oracle.home}/j2ee/${oracle.oc4j.instancename}/application-deployments/JMXSoapAdapter-web/-" {
    permission java.security.AllPermission;
};
 
 
// Grants with no codeBase apply to ALL code regardless of origin, so each
// property below becomes readable (or writable) by every class in the VM.
grant { permission java.util.PropertyPermission "j2ee.home", "read"; } ;
grant { permission java.util.PropertyPermission "java.home", "read"; } ;
grant { permission java.util.PropertyPermission "javax.xml.soap.SOAPFactory", "read"; } ;
grant { permission java.util.PropertyPermission "javax.activation.debug" , "read"; } ;
grant { permission java.util.PropertyPermission "javax.xml.parsers.DocumentBuilderFactory" , "read"; } ;
// Write access here lets any code change which DocumentBuilderFactory
// implementation JAXP instantiates; confirm read-only is not sufficient.
grant { permission java.util.PropertyPermission "javax.xml.parsers.DocumentBuilderFactory", "write"; };
grant { permission java.util.PropertyPermission "javax.xml.soap.MessageFactory" , "read"; } ;
grant { permission java.util.PropertyPermission "jdbc.nontx.autocommit" , "read"; } ;
grant { permission java.util.PropertyPermission "mail.URLName.dontencode" , "read"; } ;
grant { permission java.util.PropertyPermission "oc4j.jmx.event.interval" , "read"; } ;
grant { permission java.util.PropertyPermission "oc4j.jmx.heartbeat.interval" , "read"; } ;
grant { permission java.util.PropertyPermission "oracle.jdbc.defaultNChar" , "read"; } ;
grant { permission java.util.PropertyPermission "oracle.jdbc.DMSStatementMetrics" , "read"; } ;
grant { permission java.util.PropertyPermission "oracle.jdbc.J2EE13Compliant" , "read"; } ;
grant { permission java.util.PropertyPermission "oracle.jdbc.TcpNoDelay" , "read"; } ;
grant { permission java.util.PropertyPermission "oracle.jdbc.useFetchSizeWithLongColumn" , "read"; } ;
grant { permission java.util.PropertyPermission "oracle.jdbc.V8Compatible" , "read"; } ;
grant { permission java.util.PropertyPermission "oracle.jserver.version" , "read"; } ;
grant { permission java.util.PropertyPermission "oracle.xml.parser.debugmode" , "read"; } ;
grant { permission java.util.PropertyPermission "oracle.xml.parser.default.character.set" , "read"; } ;
grant { permission java.util.PropertyPermission "oracle.xml.xslt.jdwp", "read"; };
grant { permission java.util.PropertyPermission "orasaaj.soapversion" , "read"; } ;
grant { permission java.util.PropertyPermission "org.apache.commons.logging.Log" , "read"; } ;
grant { permission java.util.PropertyPermission "org.apache.commons.logging.LogFactory" , "read"; } ;
grant { permission java.util.PropertyPermission "PersistenceManagerDebug" , "read"; } ;
grant { permission java.util.PropertyPermission "pro.debug" , "read"; } ;
grant { permission java.util.PropertyPermission "sqlj.runtime" , "read"; } ;
grant { permission java.util.PropertyPermission "transaction.debug" , "read"; } ;
grant { permission java.util.PropertyPermission "user.home" , "read"; } ;
grant { permission java.util.PropertyPermission "user.name" , "read"; } ;
grant { permission java.util.PropertyPermission "rmi.verbose" , "read"; } ;
grant { permission java.util.PropertyPermission "AssociateUserToThread", "read"; };
grant { permission java.util.PropertyPermission "toplink.cts.collection.checkParameters", "read"; };
grant { permission java.util.PropertyPermission "AllowZeroInPK", "read"; };
grant { permission java.util.PropertyPermission "HTTPClient.Modules", "read"; };
grant { permission java.util.PropertyPermission "HTTPClient.Nagle", "read"; };
grant { permission java.util.PropertyPermission "HTTPClient.cookies.hosts.accept", "read"; };
grant { permission java.util.PropertyPermission "HTTPClient.cookies.hosts.reject", "read"; };
grant { permission java.util.PropertyPermission "HTTPClient.cookies.save", "read"; };
grant { permission java.util.PropertyPermission "HTTPClient.deferStreamed", "read"; };
grant { permission java.util.PropertyPermission "HTTPClient.disableKeepAlives", "read"; };
grant { permission java.util.PropertyPermission "HTTPClient.disable_pipelining", "read"; };
grant { permission java.util.PropertyPermission "HTTPClient.dontChunkRequests", "read"; };
grant { permission java.util.PropertyPermission "HTTPClient.dontTimeoutRespBody", "read"; };
grant { permission java.util.PropertyPermission "HTTPClient.forceHTTP_1.0", "read"; };
grant { permission java.util.PropertyPermission "HTTPClient.log.level", "read"; };
grant { permission java.util.PropertyPermission "HTTPClient.nonProxyHosts", "read"; };
grant { permission java.util.PropertyPermission "HTTPClient.socket.idleTimeout", "read"; };
grant { permission java.util.PropertyPermission "HTTPClient.socksHost", "read"; };
grant { permission java.util.PropertyPermission "HTTPClient.socksPort", "read"; };
grant { permission java.util.PropertyPermission "HTTPClient.socksVersion", "read"; };
grant { permission java.util.PropertyPermission "JavaClass.debug", "read"; };
grant { permission java.util.PropertyPermission "LoadBalanceOnLookup", "read"; };
grant { permission java.util.PropertyPermission "SQLLog", "read"; };
grant { permission java.util.PropertyPermission "USE_JAAS", "read"; };
grant { permission java.util.PropertyPermission "com.sun.enterprise.home", "read"; };
grant { permission java.util.PropertyPermission "customFinderMethod.noLazyLoading", "read"; };
grant { permission java.util.PropertyPermission "debug", "read"; };
grant { permission java.util.PropertyPermission "default.cmp.pm", "read"; };
grant { permission java.util.PropertyPermission "ejb.debug.verbose", "read"; };
grant { permission java.util.PropertyPermission "findByPrimaryKey.noLazyLoading", "read"; };
grant { permission java.util.PropertyPermission "http.nonProxyHosts", "read"; };
grant { permission java.util.PropertyPermission "http.proxyHost", "read"; };
grant { permission java.util.PropertyPermission "http.proxyPort", "read"; };
grant { permission java.util.PropertyPermission "java.ext.dirs", "read"; };
grant { permission java.util.PropertyPermission "java.class.path", "read"; };
grant { permission java.util.PropertyPermission "javax.xml.parsers.SAXParserFactory", "read"; };
grant { permission java.util.PropertyPermission "jca.connection.debug", "read"; };
grant { permission java.util.PropertyPermission "log4j.configDebug", "read"; };
grant { permission java.util.PropertyPermission "log4j.configuration", "read"; };
grant { permission java.util.PropertyPermission "log4j.debug", "read"; };
grant { permission java.util.PropertyPermission "log4j.defaultInitOverride", "read"; };
grant { permission java.util.PropertyPermission "log4j.disable", "read"; };
grant { permission java.util.PropertyPermission "log4j.disableOverride", "read"; };
grant { permission java.util.PropertyPermission "oneToOneJoin", "read"; };
grant { permission java.util.PropertyPermission "sun.boot.class.path", "read"; };
grant { permission java.util.PropertyPermission "toplink.changePolicy", "read"; };
// Duplicate of the toplink.cts.collection.checkParameters grant above; harmless.
grant { permission java.util.PropertyPermission "toplink.cts.collection.checkParameters", "read"; };
grant { permission java.util.PropertyPermission "toplink.cts.collection.checkTransaction", "read"; };
grant { permission java.util.PropertyPermission "toplink.defaultmapping.dbTableGenSetting", "read"; };
grant { permission java.util.PropertyPermission "toplink.defaultmapping.useExtendedTableNames", "read"; };
grant { permission java.util.PropertyPermission "toplink.log.destination", "read"; };
grant { permission java.util.PropertyPermission "toplink.log.level", "read"; };
grant { permission java.util.PropertyPermission "toplink.xml.platform", "read"; };
grant { permission java.util.PropertyPermission "upload.buflen", "read"; };
grant { permission java.util.PropertyPermission "user.dir", "read"; };
grant { permission java.util.PropertyPermission "javax.xml.soap.SOAPConnectionFactory", "read";};
// Pairs with the read grant for the same property above.
grant { permission java.util.PropertyPermission "HTTPClient.socket.idleTimeout", "write";};
 
 
/* JDK  */
// With java.home set to the JRE nested inside a JDK, ../lib/tools.jar
// resolves to the JDK's tools.jar. Exact-file codeBase.
 
grant codebase "file:${java.home}/../lib/tools.jar" {
    permission java.security.AllPermission;
};
 
// Non-recursive: jars directly in lib/ext. A recursive "lib/ext/-" grant
// for the same directory appears in the custom section later in this file.
grant codeBase "file:${java.home}/lib/ext/*" {
permission java.security.AllPermission;
};
 
/* Default Grants copied from the JDK default system policy. */
 
// No codeBase: this grant applies to every class the VM loads, including
// application and connector code, so each entry is effectively global.
grant {
// "standard" properties that can be read by anyone.
 
permission java.util.PropertyPermission "java.version", "read";
permission java.util.PropertyPermission "java.vendor", "read";
permission java.util.PropertyPermission "java.vendor.url", "read";
permission java.util.PropertyPermission "java.class.version", "read";
permission java.util.PropertyPermission "os.name", "read";
permission java.util.PropertyPermission "os.version", "read";
permission java.util.PropertyPermission "os.arch", "read";
permission java.util.PropertyPermission "file.separator", "read";
permission java.util.PropertyPermission "path.separator", "read";
permission java.util.PropertyPermission "line.separator", "read";
 
permission java.util.PropertyPermission "java.specification.version", "read";
permission java.util.PropertyPermission "java.specification.vendor", "read";
permission java.util.PropertyPermission "java.specification.name", "read";
 
permission java.util.PropertyPermission "java.vm.specification.version", "read";
permission java.util.PropertyPermission "java.vm.specification.vendor", "read";
permission java.util.PropertyPermission "java.vm.specification.name", "read";
permission java.util.PropertyPermission "java.vm.version", "read";
permission java.util.PropertyPermission "java.vm.vendor", "read";
permission java.util.PropertyPermission "java.vm.name", "read";


/* The following are granted by the default jdk policy but are considered
* unsafe and are omitted by this policy file */
 
//permission java.lang.RuntimePermission "stopThread";
//permission java.net.SocketPermission "localhost:1024-", "listen";
 
// NOTE(review): the entries that follow are far broader than the two omitted
// above -- write access to every system property, loadLibrary.*, read access
// to <<ALL FILES>> -- and, having no codeBase, they reach all code. Confirm
// they are needed globally rather than in the per-codebase grants below.
// The "*" read/write pair also makes the individual no-codeBase property
// grants earlier in this file redundant.
permission java.util.PropertyPermission "*", "read";
permission java.util.PropertyPermission "*", "write";
permission java.lang.RuntimePermission "queuePrintJob";
permission java.net.SocketPermission "*", "connect";
permission java.lang.RuntimePermission "accessClassInPackage.*";  
permission javax.management.MBeanServerPermission "findMBeanServer";
permission javax.security.auth.AuthPermission "createLoginContext.*";
 
// For Nexaweb
permission java.lang.RuntimePermission "getClassLoader";
permission java.lang.RuntimePermission "setContextClassLoader";
permission java.util.PropertyPermission "nexaweb.logs", "read,write";
permission java.util.PropertyPermission
"sun.net.client.defaultConnectTimeout", "read,write";
permission java.util.PropertyPermission "sun.net.client.defaultReadTimeout", "read,write";
// loadLibrary.* lets any code load native libraries of any name.
permission java.lang.RuntimePermission "loadLibrary.*";
// queuePrintJob and SocketPermission "*","connect" repeat entries granted a
// few lines above; harmless duplicates.
permission java.lang.RuntimePermission "queuePrintJob";
permission java.net.SocketPermission    "*", "connect";
// Read access to every file on the host, for all code.
permission java.io.FilePermission       "<<ALL FILES>>", "read";
permission java.lang.RuntimePermission   "modifyThreadGroup";
permission oracle.oc4j.security.OC4JRuntimePermission "oracle.oc4j.OC4JOnly";
permission javax.management.MBeanPermission "oracle.oc4j.admin.jmx.server.mbeans.model.DefaultModelMBeanImpl#-", "*";
permission javax.management.MBeanPermission "oracle.oc4j.admin.jmx.server.mbeans.model.DefaultModelMBeanImpl#fireXMLConfigEvent[default:j2eeType=OracleASJMSRouter]", "invoke";
permission javax.management.MBeanPermission "oracle.oc4j.admin.management.mbeans.JMSPersistence#-", "*";
permission javax.management.MBeanPermission "oracle.oc4j.admin.management.mbeans.JMSQueue#-", "*";
permission javax.management.MBeanPermission "oracle.oc4j.admin.management.mbeans.JMS#-", "*";
permission javax.management.MBeanPermission "oracle.j2ee.ws.server.mgmt.runtime.mbean.ServerInterceptorGlobalRuntime#-","*";

// Change this to the original directory where logs are getting created.
// If logs are getting created in more than one directory, ensure that you
// have an entry for each of them here. Both the "xlClusterMember" and "home"
// instance directories are listed so the grant holds for either.
permission java.io.FilePermission "${oracle.home}\\opmn\\logs\\-", "read,write,delete";
permission java.io.FilePermission "${oracle.home}\\j2ee\\xlClusterMember\\logs\\-", "read,write,delete";
permission java.io.FilePermission "${oracle.home}\\j2ee\\home\\logs\\-", "read,write,delete";
permission java.io.FilePermission "${oracle.home}\\j2ee\\xlClusterMember\\velocity.log", "read,write,delete";
permission java.io.FilePermission "${oracle.home}\\j2ee\\home\\velocity.log", "read,write,delete";
// This is added for the GTC-Recon Connector.
// "C:\\files\\file1" appears to be an example location: replace it with the
// directory the connector actually uses. As written, every class in the VM
// gets read/write/delete on that tree.
permission java.io.FilePermission "C:\\files\\file1\\-", "read,write,delete";

 
};
 
/**
** Add Custom Application Permission Grants Below
**/
// Java code and extensions
// Trust java extensions
// Recursive form of the "${java.home}/lib/ext/*" grant in the JDK section
// above; together they cover the directory and any subdirectories.
grant codeBase "file:${java.home}/lib/ext/-" {
permission java.security.AllPermission;
};
 
// Disabled: would make anything loaded from the OIM logs directory fully
// trusted. Leave it commented out unless code is deliberately loaded from there.
/*grant codeBase "file:${XL.HomeDir}/logs/-" {
permission java.security.AllPermission;
  };
*/

// Trust core java code
grant codeBase "file:${java.home}/lib/*" {
permission java.security.AllPermission;
};
 
// For java.home pointing to the JDK jre directory
// (this path only resolves when java.home is the JDK root with jre/ beneath it)
grant codeBase "file:${java.home}/jre/lib/-" {
permission java.security.AllPermission;
};
 
 
// Grant All permissions to nexaweb commons jar file to be loaded from
// the instance applib directory. Exact-file codeBase: only this jar path.
grant codeBase "file:${oracle.home}/j2ee/xlClusterMember/applib/nexaweb-common.jar" {
permission java.security.AllPermission;
};
 
// OIM codebase permissions
// Recursive codeBase: every class and jar under the deployed Xellerate
// application receives these permissions.
grant codeBase "file:${oracle.home}/j2ee/xlClusterMember/applications/Xellerate/-" {
 
// File permissions
// Need read,write,delete permissions on $OIM_HOME/config folder
// to read various config files, write the
// xlconfig.xml.{0,1,2..} files upon re-encryption and delete
// the last xlconfig.xml if the numbers go above 9.
        permission java.io.FilePermission "${XL.HomeDir}\\config\\-",
        "read, write, delete";
// Recursive read on the whole OIM home; the read-only entries further down
// (EventHandlers, JavaTasks, ScheduleTask, ThirdParty, GTC, customResources)
// are already covered by this one.
        permission java.io.FilePermission "${XL.HomeDir}\\-", "read";
 
// Need read,write,delete permissions to generate adapter java
// code, delete the .class file when the adapter is loaded into
// the database
        permission java.io.FilePermission "${XL.HomeDir}\\adapters\\-",
"read,write,delete";
 
// This is required by the connectors and connector installer
        permission java.io.FilePermission
        "${XL.HomeDir}\\ConnectorDefaultDirectory\\-",
                "read,write,delete";
        permission java.io.FilePermission
                "${XL.HomeDir}\\adapters\\connectorResources\\-",
                "read,write,delete";
 
// Read Globalization resource bundle files for various
// locales
        permission java.io.FilePermission
        "${XL.HomeDir}\\adapters\\customResources\\-", "read";
 
// Read code from "JavaTasks", "ScheduleTask",
// "ThirdParty", "EventHandlers" folder
// NOTE(review): this entry names "ScheduleTask" while the ${XL.HomeDir}
// grant elsewhere in this file names "ScheduleTasks"; confirm the actual
// directory name (the recursive read above masks the difference here).
        permission java.io.FilePermission
        "${XL.HomeDir}\\EventHandlers\\-", "read";
        permission java.io.FilePermission
        "${XL.HomeDir}\\JavaTasks\\-", "read";
        permission java.io.FilePermission
                "${XL.HomeDir}\\ScheduleTask\\-", "read";
        permission java.io.FilePermission
        "${XL.HomeDir}\\ThirdParty\\-", "read";
 
// Required by the Generic Technology connector
        permission java.io.FilePermission "${XL.HomeDir}\\GTC\\-", "read";
 
// Server needs read permissions on Nexaweb home directory
//permission java.io.FilePermission "${nexaweb.home}\\-", "read";
 
// Read permissions on the "application-deployments" folder, the OIM deploy
// directory
// The second and third entries grant read/write/delete on the entire
// xlClusterMember and home instance directories, which subsumes the
// Xellerate-specific entries around them.
permission java.io.FilePermission
"${oracle.home}\\j2ee\\xlClusterMember\\application-deployments\\Xellerate\\-", "read,write,delete";
permission java.io.FilePermission "${oracle.home}\\j2ee\\xlClusterMember\\-", "read,write,delete";
permission java.io.FilePermission "${oracle.home}\\j2ee\\home\\-", "read,write,delete";
permission java.io.FilePermission
"${oracle.home}\\j2ee\\xlClusterMember\\applications\\Xellerate\\-", "read,write,delete";
 
// OIM server invokes the java compiler. You need "execute"
// permissions on all files.
// <<ALL FILES>> execute lets this code launch any program on the host. If
// only the compiler is launched, confirm in your environment whether an
// entry scoped to the JDK's bin directory is sufficient.
        permission java.io.FilePermission "<<ALL FILES>>", "execute";
 
// Socket permissions
// Basically you allow all permissions on nonprivileged sockets
// The multicast address should be the same as the one in
// xlconfig.xml for javagroups communication
// Note that the first entry is "*" with no port range, i.e. every host and
// every port (privileged ports included), so it already covers the
// "*:1024-" listen entry near the end of this block. 231.111.153.118 is a
// sample address: replace it with the multicast address in xlconfig.xml.
        permission java.net.SocketPermission "*",
        "connect,listen,resolve,accept";
        permission java.net.SocketPermission "231.111.153.118",
        "connect,accept";
 
// Property permissions
// Read and write OIM properties
// Read XL.*, java.* and log4j.* properties
// The "*" read,write entry covers every property, so the XL.*, java.*,
// log4j. and user.dir entries are redundant. NOTE(review): "log4j." is not a
// wildcard (BasicPermission accepts only "*" or "<prefix>.*"), so on its own
// it would match only a property literally named "log4j.".
        permission java.util.PropertyPermission "XL.*", "read,write";
        permission java.util.PropertyPermission "*", "read, write";
        permission java.util.PropertyPermission "java.*", "read";
        permission java.util.PropertyPermission "log4j.", "read";
        permission java.util.PropertyPermission "user.dir", "read";
          
// Runtime permissions
// OIM server needs permissions to create its own class loader,
// get the class loader, modify threads and register shutdown
// hooks
        permission java.lang.RuntimePermission "createClassLoader";
        permission java.lang.RuntimePermission "getClassLoader";
        permission java.lang.RuntimePermission "modifyThread";
        permission java.lang.RuntimePermission "modifyThreadGroup";
        permission java.lang.RuntimePermission "shutdownHooks";
 
// OIM server needs runtime permissions to generate and load
// classes in the below specified packages. Also access the
// declared members of a class.
        permission java.lang.RuntimePermission
        "defineClassInPackage.com.thortech.xl.adapterGlue.ScheduleItemEvents";
        permission java.lang.RuntimePermission
                "defineClassInPackage.com.thortech.xl.dataobj.rulegenerators";
        permission java.lang.RuntimePermission
                "defineClassInPackage.com.thortech.xl.adapterGlue";
        permission java.lang.RuntimePermission "accessDeclaredMembers";
 
          
// Reflection permissions
// Give permissions to access and invoke fields/methods from
// reflected classes.
// suppressAccessChecks disables language access control on reflected
// members, so private fields and methods become reachable.
        permission java.lang.reflect.ReflectPermission
                "suppressAccessChecks";
 
// Security permissions for OIM server
// SecurityPermission "*" includes setPolicy, i.e. the ability to replace the
// security Policy itself, so this code is effectively fully trusted; the
// narrower AuthPermission entries below are then only documentation.
        permission java.security.SecurityPermission "*";
        permission javax.security.auth.AuthPermission "doAs";
        permission javax.security.auth.AuthPermission "doPrivileged";
        permission javax.security.auth.AuthPermission "getSubject";
        permission javax.security.auth.AuthPermission "modifyPrincipals";
        permission javax.security.auth.AuthPermission
                "createLoginContext";
        permission javax.security.auth.AuthPermission "createLoginContext.*";
        permission javax.security.auth.AuthPermission
                "getLoginConfiguration";
        permission javax.security.auth.AuthPermission
                "setLoginConfiguration";
 
// SSL permission (for remote manager)
        permission javax.net.ssl.SSLPermission  "getSSLSessionContext";
// The remaining entries largely repeat permissions granted earlier in this
// block (listen on *:1024-, createClassLoader, getClassLoader, "*" read);
// duplicates are harmless but can be trimmed.
permission java.net.SocketPermission "*:1024-", "listen";
permission java.util.logging.LoggingPermission "control";
permission java.lang.RuntimePermission "enableContextClassLoaderOverride";
permission java.io.SerializablePermission "enableSubclassImplementation";
        permission java.io.SerializablePermission "enableSubstitution";    
permission java.net.SocketPermission "*:*", "connect,resolve";
permission java.lang.RuntimePermission "createClassLoader";
permission java.lang.RuntimePermission "getClassLoader";
permission java.util.PropertyPermission "*", "read";
permission java.util.PropertyPermission "LoadBalanceOnLookup", "read,write";           
        permission javax.security.auth.AuthPermission
                "getPolicy";
permission java.util.PropertyPermission "javax.*", "read,write";
permission oracle.security.jazn.JAZNPermission "getRealmManager";
};
 
 
// Nexaweb server codebase permissions
// Recursive codeBase: everything under the deployed Nexaweb application.
grant codeBase "file:${oracle.home}/j2ee/xlClusterMember/applications/Nexaweb/-" {
// File permissions
// NOTE(review): with no trailing "\\-" this names the ${user.home} directory
// entry itself, not the files inside it; confirm that is the intent.
        permission java.io.FilePermission "${user.home}", "read, write";
        permission java.io.FilePermission
        "${oracle.home}\\j2ee\\xlClusterMember\\application-deployments\\Nexaweb\\-", "read,write,delete";
//permission java.io.FilePermission "${nexaweb.home}\\-", "read";
 
// Property permissions
// Read/write on every property; the "*" read, "LoadBalanceOnLookup" and
// "javax.*" entries at the end of this block are subsumed by it.
permission java.util.PropertyPermission "*", "read,write";
 
// Runtime permissions
// Nexaweb server needs permissions to create its own class loader,
// get the class loader etc.
        permission java.lang.RuntimePermission "createClassLoader";
        permission java.lang.RuntimePermission "getClassLoader";
        permission java.lang.RuntimePermission "setContextClassLoader";
// setFactory allows replacing the VM's socket, server-socket and URL
// stream-handler factories.
        permission java.lang.RuntimePermission  "setFactory";
 
// Nexaweb server security permissions to load the Cryptix
// extension
        permission java.security.SecurityPermission
        "insertProvider.Cryptix";
 
// Socket permissions
// Permissions on all non-privileged ports.
        permission java.net.SocketPermission "*:1024-",
                "listen, connect, resolve";
 
// Security permissions
permission javax.security.auth.AuthPermission "doAs";
permission javax.security.auth.AuthPermission "modifyPrincipals";
permission javax.security.auth.AuthPermission "createLoginContext";
permission javax.security.auth.AuthPermission "createLoginContext.*";
permission java.util.logging.LoggingPermission "control";
permission java.io.SerializablePermission "enableSubclassImplementation";
permission java.io.SerializablePermission "enableSubstitution";
permission javax.security.auth.AuthPermission "getPolicy";
// Outbound connections to any host on any port, privileged ports included.
permission java.net.SocketPermission "*:*", "connect,resolve";
permission java.lang.RuntimePermission "createClassLoader";
permission java.lang.RuntimePermission "getClassLoader";
permission java.util.PropertyPermission "*", "read";
permission java.util.PropertyPermission "LoadBalanceOnLookup", "read,write";          
// Read/write/delete on the whole OC4J instance directory.
permission java.io.FilePermission "${oracle.home}\\j2ee\\xlClusterMember\\-", "read,write,delete";
permission java.util.PropertyPermission "javax.*", "read,write";
};

// The following permissions are granted to code loaded from the OIM server
// directory (the XL.HomeDir codebase)
grant codeBase "file:${XL.HomeDir}/-" {
        // The codeBase is a URL, so it keeps "/" on every platform. The
        // java.io.FilePermission targets below are file-system paths and are
        // therefore platform-specific (Windows "\\" separators in this listing).

        // ---- File permissions ----------------------------------------------
        // Read-only access to the config, JavaTasks, ScheduleTasks and
        // ThirdParty trees; read/write/delete on the adapters tree and on the
        // OC4J xlClusterMember instance directory under oracle.home (the same
        // xlClusterMember grant also appears in the preceding codebase block).
        permission java.io.FilePermission "${XL.HomeDir}\\config\\-", "read";
        permission java.io.FilePermission "${XL.HomeDir}\\JavaTasks\\-", "read";
        permission java.io.FilePermission "${XL.HomeDir}\\ScheduleTasks\\-", "read";
        permission java.io.FilePermission "${XL.HomeDir}\\ThirdParty\\-", "read";
        permission java.io.FilePermission "${XL.HomeDir}\\adapters\\-", "read,write,delete";
        permission java.io.FilePermission "${oracle.home}\\j2ee\\xlClusterMember\\-", "read,write,delete";
        // Nexaweb read access is not granted to this codebase; the line is
        // kept commented out exactly as in the original listing.
//permission java.io.FilePermission "${nexaweb.home}\\-", "read";

        // ---- Socket permissions --------------------------------------------
        // NOTE(review): "*:*" connect/resolve already implies the "*:1024-"
        // connect/resolve grant, and "*" listen (no port range) is a blanket
        // listen grant, so the net effect is: listen on any local port and
        // connect to any host/port. Narrower host or port ranges would
        // tighten this if the deployment allows it.
        permission java.net.SocketPermission "*", "listen";
        permission java.net.SocketPermission "*:1024-", "listen, connect, resolve";
        permission java.net.SocketPermission "*:*", "connect,resolve";

        // ---- Property permissions ------------------------------------------
        // NOTE(review): the "*" read grant subsumes the narrower "XL.*" and
        // "log*" reads, so every system property is readable from this
        // codebase. Write access is limited to LoadBalanceOnLookup and javax.*.
        permission java.util.PropertyPermission "XL.*", "read";
        permission java.util.PropertyPermission "log*", "read";
        permission java.util.PropertyPermission "*", "read";
        permission java.util.PropertyPermission "LoadBalanceOnLookup", "read,write";
        permission java.util.PropertyPermission "javax.*", "read,write";

        // ---- Runtime permissions -------------------------------------------
        // Class-loader creation/lookup for the OIM server code.
        permission java.lang.RuntimePermission "createClassLoader";
        permission java.lang.RuntimePermission "getClassLoader";

        // ---- Security and JAAS permissions ---------------------------------
        // NOTE(review): SecurityPermission "*" implies every SecurityPermission
        // target (provider insertion/removal, policy changes, ...), so the
        // "insertProvider.Cryptix" line below is redundant while "*" is
        // present. Replacing "*" with the specific targets the server needs
        // would tighten this grant; the required target list was not verified
        // here.
        permission java.security.SecurityPermission "*";
        permission java.security.SecurityPermission "insertProvider.Cryptix";
        permission javax.security.auth.AuthPermission "doAs";
        permission javax.security.auth.AuthPermission "modifyPrincipals";
        permission javax.security.auth.AuthPermission "createLoginContext";
        permission javax.security.auth.AuthPermission "createLoginContext.*";
        permission javax.security.auth.AuthPermission "getLoginConfiguration";
        permission javax.security.auth.AuthPermission "setLoginConfiguration";
        permission javax.security.auth.AuthPermission "getPolicy";
        // Serialization hooks and java.util.logging configuration control.
        permission java.io.SerializablePermission "enableSubclassImplementation";
        permission java.io.SerializablePermission "enableSubstitution";
        permission java.util.logging.LoggingPermission "control";
};