Oracle® Identity Manager Installation and Configuration Guide for JBoss Application Server
Release 9.1.0.1

Part Number E14046-01

A Java 2 Security for JBoss Application Server

Caution:

This appendix describes changes to be made in the policy files. The application might fail to start because of syntax errors in the policy files. Therefore, you must exercise caution when you edit the files.

Oracle recommends that you use the policy tool provided by the JDK for editing the policy files. The tool is available in the following directory:

JAVA_HOME/jre/bin/policytool

To enable Java 2 Security for Oracle Identity Manager:

  1. Go to the $JBOSS_HOME/bin/ directory, and then open the run script (run.bat for Microsoft Windows and run.sh for UNIX) in a text editor.

  2. Search for JAVA_OPTS in the file, and then add the following JVM options after -Dprogram.name=%PROGNAME% (run.bat) or -Dprogram.name=$PROGNAME (run.sh). Do not put a space between -Djava.security.policy= and the path that follows it; the JVM would otherwise read an empty policy location.

    For a nonclustered installation:

    Note:

    Change $JBOSS_HOME to the actual JBoss Application Server directory location.

    -Djava.security.manager
    -Djava.security.policy=$JBOSS_HOME/server/default/conf/server.policy
    -Djboss.home.dir=$JBOSS_HOME
    -Djboss.server.home.dir=$JBOSS_HOME/server/default

    For a clustered installation:

    Note:

    Change $JBOSS_HOME to the actual JBoss Application Server directory location.

    -Djava.security.manager
    -Djava.security.policy=$JBOSS_HOME/server/all/conf/server.policy
    -Djboss.home.dir=$JBOSS_HOME
    -Djboss.server.home.dir=$JBOSS_HOME/server/all


    The following table explains the options:

    Option                     Description
    -Djava.security.manager    Enables the Java 2 Security manager.
    -Djava.security.policy     Specifies the policy file to be used for Java 2 Security. With a single equal sign (=) the file is loaded in addition to the JDK's default java.policy; use two equal signs (==) if server.policy is to be the only policy file in effect.
    -Djboss.home.dir           Specifies the home directory of the JBoss Application Server installation ($JBOSS_HOME), for example C:/jboss.
    -Djboss.server.home.dir    Specifies the directory of the JBoss Application Server configuration in which Oracle Identity Manager is deployed, for example $JBOSS_HOME/server/default.

  3. Go to the conf directory of the server configuration that you are using ($JBOSS_HOME/server/default/conf for a nonclustered installation, $JBOSS_HOME/server/all/conf for a clustered installation), and then modify the server.policy file by copying into it the Java 2 Security permissions from the policy file shown in one of the following sections:

    Note:

    If the server.policy file does not exist, you must create it.

Policy File for Nonclustered JBoss Application Server Installation

The server.policy file consists of the following code:

Note:

  • The instructions to change the code in the policy file are given in the comments within it.

  • This server.policy example is for a Microsoft Windows installation. For UNIX, change the \\ between directory names to / in every java.io.FilePermission entry. Alternatively, write the separator as ${/}, which the policy file parser expands to the platform's file separator, so that the same file works on both platforms.

  • Ensure that you change the multicast IP address 231.165.168.131 in this example to reflect the multicast IP address of the Oracle Identity Manager installation. You can find the Oracle Identity Manager multicast IP address in the xlconfig.xml file.

  • After you make these changes, restart the server to apply Java 2 Security.

// Oracle Identity Manager Java2 security policy file
// Use -Djava.security.policy=server.policy
// and -Djboss.home.dir=c:/jboss
// and -Djboss.server.home.dir=c:/jboss/server/default
 
// *******************************************
// Java code and extensions
// *******************************************
// Trust java extensions
grant codeBase "file:${java.home}/lib/ext/-" {
permission java.security.AllPermission;
};
 
// Trust core java code
grant codeBase "file:${java.home}/lib/*" {
permission java.security.AllPermission;
};
 
// For java.home pointing to the JDK jre directory
grant codeBase "file:${java.home}/jre/lib/-" {
permission java.security.AllPermission;
};
 
// *******************************************
// Java code and extensions ends
// *******************************************
 
// *******************************************
// JBoss Application Server code
// *******************************************
 
// Trust core JBoss Application Server code
grant codeBase "file:${jboss.home.dir}/bin/-" {
permission java.security.AllPermission;
};
 
grant codeBase "file:${jboss.home.dir}/lib/-" {
permission java.security.AllPermission;
};
 
grant codeBase "file:${jboss.server.home.dir}/lib/-" {
permission java.security.AllPermission;
};
 
// *******************************************
// JBoss Application Server code ends
// *******************************************
 
// *******************************************
// JBoss Application Server deployed applications
// *******************************************
 
// Grant all permissions to the default applications deployed on
// JBoss Application Server. Please change the list depending on whether 
// you are deploying on a single or clustered JBoss Application Server
//install.
// ----------------------------------------------
grant codeBase 
"file:${jboss.server.home.dir}/deploy/jboss-aop.deployer/-" {
permission java.security.AllPermission;
};
 
grant codeBase 
"file:${jboss.server.home.dir}/deploy/jboss-bean.deployer/-" {
permission java.security.AllPermission;
};
 
grant codeBase "file:${jboss.server.home.dir}/deploy/jms/-" {
permission java.security.AllPermission;
};
 
grant codeBase 
"file:${jboss.server.home.dir}/deploy/http-invoker.sar/-" {
permission java.security.AllPermission;
};
 
grant codeBase 
"file:${jboss.server.home.dir}/deploy/jbossweb-tomcat55.sar/-" {
permission java.security.AllPermission;
};
 
grant codeBase 
"file:${jboss.server.home.dir}/deploy/jboss-ws4ee.sar/-" {
permission java.security.AllPermission;
};
 
grant codeBase 
"file:${jboss.server.home.dir}/deploy/jmx-console.war/-" {
permission java.security.AllPermission;
};
 
grant codeBase "file:${jboss.server.home.dir}/deploy/management/-" {
permission java.security.AllPermission;
};
 
grant codeBase 
"file:${jboss.server.home.dir}/deploy/uuid-key-generator.sar" {
permission java.security.AllPermission;
};
 
grant codeBase 
"file:${jboss.server.home.dir}/deploy/jboss-ha-local-jdbc.rar" {
permission java.security.AllPermission;
};
 
grant codeBase 
"file:${jboss.server.home.dir}/deploy/jboss-ha-xa-jdbc.rar" {
permission java.security.AllPermission;
};
 
grant codeBase 
"file:${jboss.server.home.dir}/deploy/jboss-local-jdbc.rar" {
permission java.security.AllPermission;
};
 
grant codeBase 
"file:${jboss.server.home.dir}/deploy/jboss-xa-jdbc.rar" {
permission java.security.AllPermission;
};
 
grant codeBase "file:${jboss.server.home.dir}/deploy/mail-ra.rar" {
permission java.security.AllPermission;
};
 
// *******************************************
// JBoss Application Server deployed applications ends
// *******************************************
 
// ******************************************************************
// From here, Oracle Identity Manager application permissions start
// ******************************************************************
 
// Grant all permissions to the nexaweb commons jar file, which is loaded
// from $JBOSS_HOME/server/default/lib/
grant codeBase "file:${jboss.server.home.dir}/lib/nexaweb-common.jar" {
permission java.security.AllPermission;
};
 
 
// OIM codebase permissions
grant codeBase "file:${jboss.server.home.dir}/deploy/XellerateFull.ear" {
  // File permissions
 
  // Need read,write,delete permissions on $OIM_HOME/config folder
  // to read various config files, write the
  // xlconfig.xml.{0,1,2..} files upon re-encryption and delete
  // the last xlconfig.xml if the numbers go above 9.
  permission java.io.FilePermission "${XL.HomeDir}\\config\\-",
             "read, write, delete";
  permission java.io.FilePermission "${XL.HomeDir}\\-", "read";
 
  // Need read,write,delete permissions to generate adapter java
  // code, delete the .class file when the adapter is loaded into
  // the database      
  permission java.io.FilePermission "${XL.HomeDir}\\adapters\\-",
  "read,write,delete";
 
  // This is required by the connectors and connector installer
  permission java.io.FilePermission 
        "${XL.HomeDir}\\ConnectorDefaultDirectory\\-", 
        "read,write,delete";
  permission java.io.FilePermission
        "${XL.HomeDir}\\connectorResources\\-", 
        "read,write,delete";
 
  // Need to read Globalization resource bundle files for various 
  // locales
  permission java.io.FilePermission
        "${XL.HomeDir}\\customResources\\-", "read";
 
  // Need to read code from "JavaTasks", "ScheduleTask",
  // "ThirdParty", "EventHandlers" folder
  permission java.io.FilePermission 
        "${XL.HomeDir}\\EventHandlers\\-", "read";
  permission java.io.FilePermission 
        "${XL.HomeDir}\\JavaTasks\\-", "read";
  permission java.io.FilePermission 
        "${XL.HomeDir}\\ScheduleTask\\-", "read";
  permission java.io.FilePermission 
        "${XL.HomeDir}\\ThirdParty\\-", "read";      
 
  // Required by the Generic Technology connector
  permission java.io.FilePermission "${XL.HomeDir}\\GTC\\-", "read";
 
  // Server needs read permissions on Nexaweb home directory
  //permission java.io.FilePermission "${nexaweb.home}\\-", "read";
 
  // Read permissions on the jboss "tmp" folder, the OIM deploy
  // directory and the jboss server "lib" folder.
  permission java.io.FilePermission 
        "${jboss.server.home.dir}\\tmp\\-", "read";
  permission java.io.FilePermission 
        "${jboss.server.home.dir}\\deploy\\XellerateFull.ear\\-", 
        "read,write";
  permission java.io.FilePermission 
        "${jboss.server.home.dir}\\lib\\-", "read";
 
  // OIM server invokes the java compiler. We need "execute"
  // permissions on all files.
  permission java.io.FilePermission "<<ALL FILES>>", "execute";
  
  // Socket permissions
  // Basically we allow all permissions on non-privileged sockets
  // The multicast address should be the same as the one in 
  // xlconfig.xml for javagroups communication
  permission java.net.SocketPermission "*:1024-", 
        "connect,listen,resolve,accept";
  permission java.net.SocketPermission "231.165.168.131", 
        "connect,accept";
 
  // Property permissions
  // Read and write OIM properties
  // Read XL.*, java.* and log4j.* properties
  // (the "*" entry below already covers every property; the narrower
  // entries are kept to document the properties OIM actually uses)
  permission java.util.PropertyPermission "XL.*", "read,write";
  permission java.util.PropertyPermission "*", "read, write";
  permission java.util.PropertyPermission "java.*", "read";
  permission java.util.PropertyPermission "log4j.*", "read";
  permission java.util.PropertyPermission "user.dir", "read";
 
  // Runtime permissions
  // OIM server needs permissions to create its own class loader,
  // get the class loader, modify threads and register shutdown 
  // hooks
  permission java.lang.RuntimePermission "createClassLoader";
  permission java.lang.RuntimePermission "getClassLoader";
  permission java.lang.RuntimePermission "modifyThread";
  permission java.lang.RuntimePermission "modifyThreadGroup";
  permission java.lang.RuntimePermission "shutdownHooks";
 
  // OIM server needs runtime permissions to generate and load
  // classes in the packages specified below. Also access the
  // declared members of a class.
  permission java.lang.RuntimePermission
        "defineClassInPackage.com.thortech.xl.adapterGlue.ScheduleItemEvents";
  permission java.lang.RuntimePermission
        "defineClassInPackage.com.thortech.xl.dataobj.rulegenerators";
  permission java.lang.RuntimePermission
        "defineClassInPackage.com.thortech.xl.adapterGlue";
  permission java.lang.RuntimePermission "accessDeclaredMembers";
 
  // The following run-time permissions are JBoss specific and will 
  // differ between appservers. OIM server needs ability to see 
  // current thread caller and credentials, and set the 'Run As' 
  // role.
  permission java.lang.RuntimePermission 
        "org.jboss.security.SecurityAssociation.getPrincipalInfo";
  permission java.lang.RuntimePermission 
        "org.jboss.security.SecurityAssociation.setPrincipalInfo";
  permission java.lang.RuntimePermission 
        "org.jboss.security.SecurityAssociation.setRunAsRole";
  
  // Reflection permissions
  // Give permissions to access and invoke fields/methods from
  // reflected classes.
  permission java.lang.reflect.ReflectPermission 
        "suppressAccessChecks";
 
  // Security permissions for OIM server
  permission java.security.SecurityPermission "*";
  permission javax.security.auth.AuthPermission "doAs";
  permission javax.security.auth.AuthPermission "doPrivileged";
  permission javax.security.auth.AuthPermission "getSubject";
  permission javax.security.auth.AuthPermission "modifyPrincipals";
  permission javax.security.auth.AuthPermission 
        "createLoginContext";
  permission javax.security.auth.AuthPermission 
        "getLoginConfiguration";
  permission javax.security.auth.AuthPermission 
        "setLoginConfiguration";
  
  // SSL permission (for remote manager)
  permission javax.net.ssl.SSLPermission  "getSSLSessionContext";
};
 
 
// Nexaweb server codebase permissions
grant codeBase "file:${jboss.server.home.dir}/deploy/Nexaweb.ear" {
  // File permissions
  permission java.io.FilePermission "${user.home}", "read, write";
  permission java.io.FilePermission 
        "${jboss.server.home.dir}\\tmp\\-", "read";
  //permission java.io.FilePermission "${nexaweb.home}\\-", "read";
 
  // Property permissions
  permission java.util.PropertyPermission "*", "read,write";
  
  // Runtime permissions
  // Nexaweb server needs permissions to create its own class loader,
  // get the class loader, and so on
  permission java.lang.RuntimePermission "createClassLoader";
  permission java.lang.RuntimePermission "getClassLoader";
  permission java.lang.RuntimePermission "setContextClassLoader";
  permission java.lang.RuntimePermission  "setFactory";
 
  // Nexaweb server security permissions to load the Cryptix 
  // extension
  permission java.security.SecurityPermission 
        "insertProvider.Cryptix";     
  
  // Socket permissions
  // Permissions on all non-privileged ports.
  permission java.net.SocketPermission "*:1024-", 
        "listen, connect, resolve";
 
  // Security permissions
  permission javax.security.auth.AuthPermission "doAs";
  permission javax.security.auth.AuthPermission "modifyPrincipals";
  permission javax.security.auth.AuthPermission 
        "createLoginContext";
};
 
// The following are permissions given to codebase in the OIM server 
// directory
grant codeBase "file:${XL.HomeDir}/-" {
  // File permissions
  permission java.io.FilePermission "${XL.HomeDir}\\config\\-", 
        "read";
  permission java.io.FilePermission "${XL.HomeDir}\\JavaTasks\\-", 
        "read";
  permission java.io.FilePermission 
        "${XL.HomeDir}\\ScheduleTask\\-", "read";
  permission java.io.FilePermission 
        "${XL.HomeDir}\\ThirdParty\\-", "read";
  permission java.io.FilePermission 
        "${XL.HomeDir}\\adapters\\-", "read,write,delete";
  permission java.io.FilePermission 
        "${jboss.server.home.dir}\\tmp\\-", "read";
  //permission java.io.FilePermission "${nexaweb.home}\\-", "read";
 
  // Socket permissions
  permission java.net.SocketPermission "*:1024-", "listen";
 
  // Property permissions
  // Read XL.* and log4j.* properties
  permission java.util.PropertyPermission "XL.*", "read";
  permission java.util.PropertyPermission "log*", "read";
 
  // Security permissions
  permission javax.security.auth.AuthPermission "doAs";
  permission javax.security.auth.AuthPermission "modifyPrincipals";
  permission javax.security.auth.AuthPermission "createLoginContext";
};
 
// Permissions granted to all other code (any code base not listed above).
// Note that this default grant is not minimal: it lets every class the
// server loads read and write any file, load any native library and open
// outbound connections to any host. Tighten it for production once the
// permissions the deployed applications actually need have been identified
// from AccessControlException messages.
grant {
permission java.util.PropertyPermission "*", "read";
permission java.lang.RuntimePermission "queuePrintJob";
permission java.net.SocketPermission "*", "connect";
permission java.lang.RuntimePermission "accessClassInPackage.*";
permission java.lang.RuntimePermission 
    "org.jboss.security.SecurityAssociation.getSubject";
permission javax.management.MBeanServerPermission "findMBeanServer";
permission javax.management.MBeanPermission 
    "org.jboss.mx.modelmbean.XMBean#*[JMImplementation:type=MBeanRegistry]", "*";
permission javax.security.auth.AuthPermission "createLoginContext.*";
 
permission java.io.FilePermission 
    "${jboss.server.home.dir}\\tmp\\-", "read,write";
 
// For Nexaweb
permission java.lang.RuntimePermission "getClassLoader";
permission java.lang.RuntimePermission "setContextClassLoader";
permission java.util.PropertyPermission "nexaweb.logs", "read,write";
permission java.util.PropertyPermission 
    "sun.net.client.defaultConnectTimeout", "read,write";
permission java.util.PropertyPermission 
    "sun.net.client.defaultReadTimeout", "read,write";
 
permission java.lang.RuntimePermission "loadLibrary.*";
permission java.io.FilePermission       "<<ALL FILES>>", "read,write";
permission java.lang.RuntimePermission   "modifyThreadGroup";
 
};
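Before restarting the server with a policy file this long, it is worth checking mechanically what the file actually grants, because the comments ("minimal permissions", "read permissions on the tmp folder") do not always match the entries under them. The following script is an added example, not code from the Oracle documentation or from Oracle Identity Manager. It parses the subset of the policy grammar used by the nonclustered and clustered server.policy files above (grant blocks with an optional codeBase and permission entries with an optional name and actions) and reports AllPermission outside the JDK and JBoss core, <<ALL FILES>> with write, delete or execute, duplicate entries, and broad entries in the global grant, which applies to every class the server loads. The trusted code-base prefixes and the sample excerpt are assumptions modelled on the file above.

```python
"""Audit a Java 2 server.policy file for grants wider than their comments
claim. Added example, not part of the Oracle documentation or of OIM.

Handles only the grammar subset used in this appendix:

    grant [codeBase "<url>"] { permission <class> ["<name>" [, "<actions>"]]; ... };
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# One grant block: optional codeBase, then everything up to the closing "};".
GRANT_RE = re.compile(
    r'grant\s*(?:codeBase\s*"(?P<cb>[^"]*)"\s*)?\{(?P<body>.*?)\}\s*;', re.S)

# One permission entry. The target name may contain policy-file escapes
# (\\ for a backslash in a Windows path, \" for a quotation mark).
PERM_RE = re.compile(
    r'permission\s+(?P<cls>[\w.]+)'
    r'(?:\s+"(?P<name>(?:[^"\\]|\\.)*)")?'
    r'(?:\s*,\s*"(?P<actions>[^"]*)")?\s*;', re.S)

# Code bases that legitimately hold AllPermission in the appendix's policy
# (assumption: the JDK and the JBoss core directories).
TRUSTED_PREFIXES = ("file:${java.home}", "file:${jboss.home.dir}",
                    "file:${jboss.server.home.dir}/lib/")

# Entries that no code base should receive from the global grant.
GLOBAL_RISKY = {
    ("java.lang.RuntimePermission", "loadLibrary.*"),
    ("java.lang.RuntimePermission", "createClassLoader"),
    ("java.lang.reflect.ReflectPermission", "suppressAccessChecks"),
    ("java.security.SecurityPermission", "setPolicy"),
}

Perm = Tuple[str, Optional[str], Optional[str]]


@dataclass
class Grant:
    codebase: Optional[str]          # None for the global "grant { ... }"
    perms: List[Perm] = field(default_factory=list)


def parse_policy(text: str) -> List[Grant]:
    """Return the grant blocks of a policy file, with // comments removed."""
    text = re.sub(r"//[^\n]*", "", text)
    grants = []
    for g in GRANT_RE.finditer(text):
        grant = Grant(g.group("cb"))
        for p in PERM_RE.finditer(g.group("body")):
            grant.perms.append((p.group("cls"), p.group("name"), p.group("actions")))
        grants.append(grant)
    return grants


def _actions(actions: Optional[str]) -> set:
    return {a.strip() for a in (actions or "").split(",") if a.strip()}


def audit(text: str) -> List[Tuple[str, str]]:
    """Return (code base, finding) pairs for over-broad or duplicate entries."""
    findings = []
    for grant in parse_policy(text):
        where = grant.codebase or "<global grant>"
        seen = set()
        for cls, name, actions in grant.perms:
            if (cls, name, actions) in seen:
                findings.append((where, f"duplicate entry: {cls} {name}"))
                continue
            seen.add((cls, name, actions))
            acts = _actions(actions)
            if cls == "java.security.AllPermission":
                if not where.startswith(TRUSTED_PREFIXES):
                    findings.append((where, "AllPermission outside the JDK/JBoss core"))
            elif cls == "java.io.FilePermission" and name == "<<ALL FILES>>":
                if grant.codebase is None or acts & {"write", "delete", "execute"}:
                    findings.append((where, "<<ALL FILES>> " + ",".join(sorted(acts))))
            elif grant.codebase is None and (
                    (cls, name) in GLOBAL_RISKY
                    or (cls == "java.net.SocketPermission" and name == "*")):
                findings.append((where, f'{cls} "{name}" granted to all code'))
    return findings


# Constructed excerpt modelled on the server.policy in this appendix.
SAMPLE_POLICY = r"""
grant codeBase "file:${java.home}/lib/ext/-" {
permission java.security.AllPermission;
};
grant codeBase
"file:${jboss.server.home.dir}/deploy/jmx-console.war/-" {
permission java.security.AllPermission;
};
grant codeBase "file:${jboss.server.home.dir}/deploy/XellerateFull.ear" {
  // config directory, then the compiler "execute" grant
  permission java.io.FilePermission "${XL.HomeDir}\\config\\-",
             "read, write, delete";
  permission java.io.FilePermission "<<ALL FILES>>", "execute";
  permission java.lang.RuntimePermission "accessDeclaredMembers";
  permission java.lang.RuntimePermission "accessDeclaredMembers";
};
grant {
permission java.util.PropertyPermission "*", "read";
permission java.net.SocketPermission "*", "connect";
permission java.lang.RuntimePermission "loadLibrary.*";
permission java.io.FilePermission       "<<ALL FILES>>", "read,write";
};
"""

if __name__ == "__main__":
    for where, finding in audit(SAMPLE_POLICY):
        print(f"{where}: {finding}")
```

Run it against the real server.policy by reading the file into `audit()`. On the excerpt above it reports the jmx-console AllPermission, the <<ALL FILES>> execute and the duplicated accessDeclaredMembers in the XellerateFull.ear block, and three broad entries in the global grant; the JDK extension directory is accepted as trusted.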

Note:

  • After you make these changes, restart the server to apply Java 2 Security.

  • Exceptions related to permissions are displayed on the server console in the following format, where PERMISSION is the permission class and TARGET and ACTIONS are the denied target name and actions (JDK 7 and later enclose each of the three values in quotation marks):

    java.security.AccessControlException: access denied (PERMISSION TARGET ACTIONS)

    To grant the required permission, add a permission entry to the server.policy file. Put it in the grant block for the code base that was denied, for example the XellerateFull.ear block, rather than in the global grant block at the end of the file, which applies to all code:

    grant codeBase "file:${jboss.server.home.dir}/deploy/XellerateFull.ear" {
        permission PERMISSION "TARGET", "ACTIONS";
    };

    If the message does not show which code base was denied, start the server with -Djava.security.debug=access,failure; the JVM then prints the protection domain (code base) that failed each check.
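Translating console messages into permission entries by hand is error-prone when the server emits hundreds of them at start-up, and the temptation is to paste each one into the global grant. The following script is an added example, not code from the Oracle documentation or from Oracle Identity Manager. It reads server console output, recognises both message layouts the JDK has used (the unquoted JDK 5/6 form shown in the note above and the quoted JDK 7+ form), pairs each denial with the "domain that failed ProtectionDomain (<code base> ...)" line that the JVM prints when started with -Djava.security.debug=access,failure, collapses repeated denials, and emits grant blocks scoped to the denied code base. The exact spacing of that debug line and the sample console lines are assumptions; the regular expressions tolerate variations in spacing.

```python
"""Turn AccessControlException messages from the JBoss console into
codeBase-scoped permission entries for server.policy.
Added example, not part of the Oracle documentation or of OIM.
"""
import re
from collections import OrderedDict
from typing import List, Optional, Tuple

# JDK 7+: access denied ("java.io.FilePermission" "/oim/config/xlconfig.xml" "read")
DENIED_QUOTED = re.compile(
    r'access denied \("(?P<cls>[^"]+)"'
    r'(?:\s+"(?P<name>[^"]*)")?(?:\s+"(?P<actions>[^"]*)")?\)')
# JDK 5/6: access denied (java.io.FilePermission C:\oim\config\xlconfig.xml read)
# The actions, if any, are the last whitespace-separated token before ")".
DENIED_BARE = re.compile(
    r'access denied \((?P<cls>[\w.]+)'
    r'(?:\s+(?P<name>.+?))?(?:\s+(?P<actions>[\w,]+))?\)$')
# Printed after a denial under -Djava.security.debug=access,failure
# (assumed layout; only the prefix and the code base are relied on).
DOMAIN = re.compile(r'domain that failed ProtectionDomain\s*\((?P<cb>\S+)')

UNKNOWN_CODEBASE = "file:TODO-set-to-the-denied-code-base"

Perm = Tuple[str, Optional[str], Optional[str]]


def parse_denial(line: str) -> Optional[Perm]:
    """Return (class, name, actions) if the line is an access-denied message."""
    m = DENIED_QUOTED.search(line) or DENIED_BARE.search(line)
    if not m:
        return None
    return m.group("cls"), m.group("name"), m.group("actions")


def suggest_grants(lines) -> "OrderedDict[str, List[Perm]]":
    """Group denied permissions by the code base that was denied.

    A denial is attributed to the next "domain that failed" line; a denial
    with no such line goes under UNKNOWN_CODEBASE for the administrator to
    fill in. Repeated denials of the same permission are collapsed.
    """
    grants: "OrderedDict[str, List[Perm]]" = OrderedDict()
    pending: Optional[Perm] = None

    def add(codebase: str, perm: Perm) -> None:
        perms = grants.setdefault(codebase, [])
        if perm not in perms:
            perms.append(perm)

    for raw in lines:
        line = raw.rstrip()
        perm = parse_denial(line)
        if perm:
            if pending:                 # previous denial had no domain line
                add(UNKNOWN_CODEBASE, pending)
            pending = perm
            continue
        d = DOMAIN.search(line)
        if d and pending:
            add(d.group("cb"), pending)
            pending = None
    if pending:
        add(UNKNOWN_CODEBASE, pending)
    return grants


def _quote(s: str) -> str:
    """Quote a policy-file string, escaping backslashes (Windows paths)."""
    return '"' + s.replace("\\", "\\\\").replace('"', '\\"') + '"'


def render(grants) -> str:
    """Emit grant blocks in server.policy syntax, one per code base."""
    out = []
    for codebase, perms in grants.items():
        if codebase == UNKNOWN_CODEBASE:
            out.append("// TODO: scope this block to the deployment that was denied;"
                       " do not move these entries into the global grant")
        out.append(f"grant codeBase {_quote(codebase)} {{")
        for cls, name, actions in perms:
            entry = f"  permission {cls}"
            if name is not None:
                entry += " " + _quote(name)
            if actions:
                entry += ", " + _quote(actions)
            out.append(entry + ";")
        out.append("};")
    return "\n".join(out) + "\n"


# Constructed console output, modelled on the message format in this appendix.
SAMPLE_LOG = r"""
14:02:11,532 ERROR [STDERR] java.security.AccessControlException: access denied (java.io.FilePermission C:\oim\xellerate\config\xlconfig.xml read)
access: domain that failed ProtectionDomain  (file:/C:/jboss/server/default/deploy/XellerateFull.ear <no signer certificates>)
14:02:11,540 ERROR [STDERR] java.security.AccessControlException: access denied (java.io.FilePermission C:\oim\xellerate\config\xlconfig.xml read)
access: domain that failed ProtectionDomain  (file:/C:/jboss/server/default/deploy/XellerateFull.ear <no signer certificates>)
14:02:12,001 ERROR [STDERR] java.security.AccessControlException: access denied ("java.net.SocketPermission" "231.165.168.131" "connect,accept")
14:02:12,100 ERROR [STDERR] java.security.AccessControlException: access denied ("java.lang.RuntimePermission" "createClassLoader")
"""

if __name__ == "__main__":
    print(render(suggest_grants(SAMPLE_LOG.splitlines())), end="")
```

Feed it the console log (`render(suggest_grants(open("server.log")))`) and paste the emitted blocks into server.policy after checking them. The script deliberately emits the exact denied target rather than widening it to a directory wildcard; if the same code base is denied on many files under one directory, collapsing those entries to a `\\-` wildcard is a decision for the administrator, not the tool.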
    

Policy File for Clustered JBoss Application Server Installation

The server.policy file consists of the following code:

Note:

  • The instructions to change the code in the policy file are given in the comments within it.

  • This server.policy example is for a Microsoft Windows installation. For UNIX, change the \\ between directory names to / in every java.io.FilePermission entry. Alternatively, write the separator as ${/}, which the policy file parser expands to the platform's file separator, so that the same file works on both platforms.

  • Ensure that you change the multicast IP address 231.109.185.189 in this example to reflect the multicast IP address of the Oracle Identity Manager installation. You can find the Oracle Identity Manager multicast IP address in the xlconfig.xml file.

  • After you make these changes, restart the server to apply Java 2 Security.

// Oracle Identity Manager Java2 security policy file
// Use -Djava.security.policy=server.policy
// and -Djboss.home.dir=C:/jbcl186013/jboss-4.2.3.GA
// and -Djboss.server.home.dir=C:/jbcl186013/jboss-4.2.3.GA/server/all
// *******************************************
// Java code and extensions
// *******************************************
// Trust java extensions
grant codeBase "file:${java.home}/lib/ext/-" {
permission java.security.AllPermission;
};
// Trust core java code
grant codeBase "file:${java.home}/lib/*" {
permission java.security.AllPermission;
};
// For java.home pointing to the JDK jre directory
grant codeBase "file:${java.home}/jre/lib/-" {
permission java.security.AllPermission;
};
// *******************************************
// Java code and extensions ends
// *******************************************
// *******************************************
// JBoss Application Server code
// *******************************************
// Trust core JBoss Application Server code
grant codeBase "file:${jboss.home.dir}/bin/-" {
permission java.security.AllPermission;
};
grant codeBase "file:${jboss.home.dir}/lib/-" {
permission java.security.AllPermission;
};
grant codeBase "file:${jboss.server.home.dir}/lib/-" {
permission java.security.AllPermission;
};
grant codeBase "file:${jboss.server.home.dir}/tmp/-" {
  permission java.io.FilePermission "${jboss.server.home.dir}\\-", "read,write,delete";
  permission java.io.FilePermission "${java.io.tmpdir}", "read,write,delete";
 
  permission java.io.FilePermission "<<ALL FILES>>", "read";
 
  // MBean permissions
  permission javax.management.MBeanTrustPermission "*";
  permission javax.management.MBeanServerPermission "findMBeanServer";
  permission javax.management.MBeanPermission "*", "*";
 
  permission java.lang.RuntimePermission "setContextClassLoader";
  permission java.lang.RuntimePermission "accessDeclaredMembers";
  permission java.lang.RuntimePermission "createClassLoader";
  permission java.lang.RuntimePermission "org.jboss.security.SecurityAssociation.setPrincipalInfo";
  permission java.lang.RuntimePermission "org.jboss.security.SecurityAssociation.getPrincipalInfo";
  permission java.lang.RuntimePermission "org.jboss.security.SecurityAssociation.setServer";
  permission java.lang.RuntimePermission "org.jboss.security.SecurityAssociation.setRunAsRole";
  permission java.lang.RuntimePermission "loadLibrary.tcnative-1";
  permission java.lang.RuntimePermission "loadLibrary.libtcnative-1";
 
  permission java.net.NetPermission "specifyStreamHandler";
 
  permission java.util.PropertyPermission "*", "read,write";
  permission java.security.SecurityPermission "getProperty.package.definition";
  permission java.security.SecurityPermission "setProperty.package.definition";
  permission java.security.SecurityPermission "getProperty.package.access";
  permission java.security.SecurityPermission "setProperty.package.access";
  permission java.security.SecurityPermission "setPolicy";
  permission java.security.SecurityPermission "putProviderProperty.JBossSX";
  permission java.security.SecurityPermission "insertProvider.JBossSX";
 
  permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
 
  // TODO: specify exact ports
  permission java.net.SocketPermission "*:1024-", "accept,listen";
  permission java.util.logging.LoggingPermission "control";
 
  permission javax.security.auth.AuthPermission "doAsPrivileged";
  permission javax.security.auth.AuthPermission "modifyPrincipals";
 
  permission javax.security.auth.PrivateCredentialPermission "javax.resource.spi.security.PasswordCredential * \"*\"", "read";
 
  // experimental
  //permission java.lang.RuntimePermission "createSecurityManager";
  //permission java.lang.RuntimePermission "setSecurityManager";
 
  permission java.security.SecurityPermission "getPolicy";
  permission java.lang.RuntimePermission "accessClassInPackage.*";
  permission java.lang.RuntimePermission "getClassLoader";
  permission java.lang.RuntimePermission "getProtectionDomain";
  permission java.lang.RuntimePermission "org.jboss.security.SecurityAssociation.getSubject";
 
  permission javax.security.auth.AuthPermission "createLoginContext.*";
  permission javax.security.auth.AuthPermission "getLoginConfiguration";
 
};
// *******************************************
// JBoss Application Server code ends
// *******************************************
// *******************************************
// JBoss Application Server deployed applications
// *******************************************
// Grant all permissions to the default applications deployed on
// JBoss Application Server. Please change the list depending on whether
// you are deploying on a single or clustered JBoss Application Server
//install.
// ----------------------------------------------
grant codeBase
"file:${jboss.server.home.dir}/deploy/jboss-aop-jdk50.deployer/-" {
permission java.security.AllPermission;
};
grant codeBase
"file:${jboss.server.home.dir}/deploy/jboss-bean.deployer/-" {
permission java.security.AllPermission;
};
grant codeBase "file:${jboss.server.home.dir}/deploy/jms/-" {
permission java.security.AllPermission;
};
grant codeBase
"file:${jboss.server.home.dir}/deploy/http-invoker.sar/-" {
permission java.security.AllPermission;
};
grant codeBase
"file:${jboss.server.home.dir}/deploy/jbossweb-tomcat55.sar/-" {
permission java.security.AllPermission;
};
grant codeBase
"file:${jboss.server.home.dir}/deploy/jboss-web.deployer/-" {
permission java.security.AllPermission;
};
grant codeBase
"file:${jboss.server.home.dir}/deploy/jboss-web-cluster.sar/-" {
permission java.security.AllPermission;
};
grant codeBase
"file:${jboss.server.home.dir}/deploy/jbossws.sar/-" {
permission java.security.AllPermission;
};
grant codeBase
"file:${jboss.server.home.dir}/deploy/jmx-console.war/-" {
permission java.security.AllPermission;
};
grant codeBase "file:${jboss.server.home.dir}/deploy/management/-" {
permission java.security.AllPermission;
};
grant codeBase
"file:${jboss.server.home.dir}/deploy/uuid-key-generator.sar" {
permission java.security.AllPermission;
};
grant codeBase
"file:${jboss.server.home.dir}/deploy/jboss-ha-local-jdbc.rar" {
permission java.security.AllPermission;
};
grant codeBase
"file:${jboss.server.home.dir}/deploy/jboss-ha-xa-jdbc.rar" {
permission java.security.AllPermission;
};
grant codeBase
"file:${jboss.server.home.dir}/deploy/jboss-local-jdbc.rar" {
permission java.security.AllPermission;
};
grant codeBase
"file:${jboss.server.home.dir}/deploy/jboss-xa-jdbc.rar" {
permission java.security.AllPermission;
};
grant codeBase "file:${jboss.server.home.dir}/deploy/mail-ra.rar" {
permission java.security.AllPermission;
};
grant codeBase "file:${jboss.server.home.dir}/deploy/ejb3.deployer" {
permission java.security.AllPermission;
};
grant codeBase "file:${jboss.server.home.dir}/deploy/juddi-service.sar" {
permission java.security.AllPermission;
};
grant codeBase "file:${jboss.server.home.dir}/deploy/jmx-console.war" {
permission java.security.AllPermission;
};
grant codeBase "file:${jboss.server.home.dir}/deploy/snmp-adaptor.sar" {
permission java.security.AllPermission;
};
grant codeBase "file:${jboss.server.home.dir}/deploy/quartz-ra.rar" {
permission java.security.AllPermission;
};
grant codeBase "file:${jboss.server.home.dir}/deploy/httpha-invoker.sar" {
permission java.security.AllPermission;
};
// *******************************************
// JBoss Application Server deployed applications ends
// *******************************************
// ******************************************************************
// From here, Oracle Identity Manager application permissions start
// ******************************************************************
// Grant all permissions to the nexaweb commons jar file, which is loaded
// from $JBOSS_HOME/server/all/lib/
grant codeBase "file:${jboss.server.home.dir}/lib/nexaweb-common.jar" {
permission java.security.AllPermission;
};
// OIM codebase permissions
grant codeBase "file:${jboss.server.home.dir}/farm/XellerateFull.ear" {
// File permissions
// Need read,write,delete permissions on $OIM_HOME/config folder
// to read various config files, write the
// xlconfig.xml.{0,1,2..} files upon re-encryption and delete
// the last xlconfig.xml if the numbers go above 9.
permission java.io.FilePermission "${XL.HomeDir}\\config\\-",
"read, write, delete";
permission java.io.FilePermission "${XL.HomeDir}\\-", "read";
// Need read,write,delete permissions to generate adapter Java
// code, delete the .class file when the adapter is loaded into
// the database
permission java.io.FilePermission "${XL.HomeDir}\\adapters\\-",
"read,write,delete";
// This is required by the connectors and connector installer
permission java.io.FilePermission
"${XL.HomeDir}\\ConnectorDefaultDirectory\\-",
"read,write,delete";
permission java.io.FilePermission
"${XL.HomeDir}\\connectorResources\\-",
"read,write,delete";
// Need to read Globalization resource bundle files for various
// locales
permission java.io.FilePermission
"${XL.HomeDir}\\customResources\\-", "read";
// Need to read code from "JavaTasks", "ScheduleTask",
// "ThirdParty", "EventHandlers" folder
permission java.io.FilePermission
"${XL.HomeDir}\\EventHandlers\\-", "read";
permission java.io.FilePermission
"${XL.HomeDir}\\JavaTasks\\-", "read";
permission java.io.FilePermission
"${XL.HomeDir}\\ScheduleTask\\-", "read";
permission java.io.FilePermission
"${XL.HomeDir}\\ThirdParty\\-", "read";
// Required by the Generic Technology connector
permission java.io.FilePermission "${XL.HomeDir}\\GTC\\-", "read";
// Server needs read permissions on Nexaweb home directory
//permission java.io.FilePermission "${nexaweb.home}\\-", "read";
// Read permissions on the jboss "tmp" folder, the OIM deploy
// directory and the jboss server "lib" folder.
permission java.io.FilePermission
"${jboss.server.home.dir}\\tmp\\-", "read";
permission java.io.FilePermission
"${jboss.server.home.dir}\\farm\\XellerateFull.ear\\-",
"read,write";
permission java.io.FilePermission
"${jboss.server.home.dir}\\lib\\-", "read";
// OIM server invokes the Java compiler. You need "execute"
// permissions on all files.
permission java.io.FilePermission "<<ALL FILES>>", "execute";
// Socket permissions
// Basically we allow all permissions on non-privileged sockets
// The multicast address should be the same as the one in
// xlconfig.xml for Javagroups communication
permission java.net.SocketPermission "*:1024-",
"connect,listen,resolve,accept";
permission java.net.SocketPermission "231.109.185.189",
"connect,accept";
// Property permissions
// Read and write OIM properties
// Read XL.*, java.* and log4j.* properties
// (the "*" entry below already covers every property; the narrower
// entries are kept to document the properties OIM actually uses)
permission java.util.PropertyPermission "XL.*", "read,write";
permission java.util.PropertyPermission "*", "read, write";
permission java.util.PropertyPermission "java.*", "read";
permission java.util.PropertyPermission "log4j.*", "read";
permission java.util.PropertyPermission "user.dir", "read";
permission java.util.PropertyPermission "catalina.ext.dirs", "write";
// Run-time permissions
// OIM server needs permissions to create its own class loader,
// get the class loader, modify threads and register shutdown
// hooks
permission java.lang.RuntimePermission "createClassLoader";
permission java.lang.RuntimePermission "getClassLoader";
permission java.lang.RuntimePermission "modifyThread";
permission java.lang.RuntimePermission "modifyThreadGroup";
permission java.lang.RuntimePermission "shutdownHooks";
// OIM server needs run-time permissions to generate and load
// classes in the packages specified below. Also access the
// declared members of a class.
permission java.lang.RuntimePermission
"defineClassInPackage.com.thortech.xl.adapterGlue.ScheduleItemEvents";
permission java.lang.RuntimePermission
"defineClassInPackage.com.thortech.xl.dataobj.rulegenerators";
permission java.lang.RuntimePermission
"defineClassInPackage.com.thortech.xl.adapterGlue";
permission java.lang.RuntimePermission "accessDeclaredMembers";
// The following run-time permissions are JBoss specific and will
// differ between appservers. OIM server needs ability to see
// current thread caller and credentials, and set the 'Run As'
// role.
permission java.lang.RuntimePermission
"org.jboss.security.SecurityAssociation.getPrincipalInfo";
permission java.lang.RuntimePermission
"org.jboss.security.SecurityAssociation.setPrincipalInfo";
permission java.lang.RuntimePermission
"org.jboss.security.SecurityAssociation.setRunAsRole";
// Reflection permissions
// Give permissions to access and invoke fields/methods from
// reflected classes.
permission java.lang.reflect.ReflectPermission
"suppressAccessChecks";
// Security permissions for OIM server
permission java.security.SecurityPermission "*";
permission javax.security.auth.AuthPermission "doAs";
permission javax.security.auth.AuthPermission "doPrivileged";
permission javax.security.auth.AuthPermission "getSubject";
permission javax.security.auth.AuthPermission "modifyPrincipals";
permission javax.security.auth.AuthPermission
"createLoginContext";
permission javax.security.auth.AuthPermission
"getLoginConfiguration";
permission javax.security.auth.AuthPermission
"setLoginConfiguration";
// Secure Sockets Layer (SSL) permission (for remote manager)
permission javax.net.ssl.SSLPermission "getSSLSessionContext";
};
// Nexaweb server codebase permissions
grant codeBase "file:${jboss.server.home.dir}/farm/Nexaweb.ear" {
// File permissions
permission java.io.FilePermission "${user.home}", "read, write";
permission java.io.FilePermission
"${jboss.server.home.dir}\\tmp\\-", "read";
//permission java.io.FilePermission "${nexaweb.home}\\-", "read";
// Property permissions
permission java.util.PropertyPermission "*", "read,write";
// Run-time permissions
// Nexaweb server needs permissions to create its own class loader,
// get the class loader, and so on
permission java.lang.RuntimePermission "createClassLoader";
permission java.lang.RuntimePermission "getClassLoader";
permission java.lang.RuntimePermission "setContextClassLoader";
permission java.lang.RuntimePermission "setFactory";
// Nexaweb server security permissions to load the Cryptix
// extension
permission java.security.SecurityPermission
"insertProvider.Cryptix";
// Socket permissions
// Permissions on all non-privileged ports.
permission java.net.SocketPermission "*:1024-",
"listen, connect, resolve";
// Security permissions
permission javax.security.auth.AuthPermission "doAs";
permission javax.security.auth.AuthPermission "modifyPrincipals";
permission javax.security.auth.AuthPermission
"createLoginContext";
};
// The following are permissions given to codebase in the OIM server
// directory
grant codeBase "file:${XL.HomeDir}/-" {
// File permissions
permission java.io.FilePermission "${XL.HomeDir}\\config\\-",
"read";
permission java.io.FilePermission "${XL.HomeDir}\\JavaTasks\\-",
"read";
permission java.io.FilePermission
"${XL.HomeDir}\\ScheduleTasks\\-", "read";
permission java.io.FilePermission
"${XL.HomeDir}\\ThirdParty\\-", "read";
permission java.io.FilePermission
"${XL.HomeDir}\\adapters\\-", "read,write,delete";
permission java.io.FilePermission
"${jboss.server.home.dir}\\tmp\\-", "read";
//permission java.io.FilePermission "${nexaweb.home}\\-", "read";
// Socket permissions
permission java.net.SocketPermission "*:1024-", "listen";
// Property permissions
// Read XL.* and log4j.* properties
permission java.util.PropertyPermission "XL.*", "read";
permission java.util.PropertyPermission "log*", "read";
// Security permissions
permission javax.security.auth.AuthPermission "doAs";
permission javax.security.auth.AuthPermission "modifyPrincipals";
permission javax.security.auth.AuthPermission "createLoginContext";
};
// Permissions granted to all other code (no codeBase). Note that this
// block is not minimal: it grants read,write on <<ALL FILES>>, connect
// to any host and loadLibrary.* to every class the server loads.
grant {
permission java.util.PropertyPermission "*", "read";
permission java.lang.RuntimePermission "queuePrintJob";
permission java.net.SocketPermission "*", "connect";
permission java.lang.RuntimePermission "accessClassInPackage.*";
permission java.lang.RuntimePermission
"org.jboss.security.SecurityAssociation.getSubject";
permission javax.management.MBeanServerPermission "findMBeanServer";
permission javax.management.MBeanPermission
"org.jboss.mx.modelmbean.XMBean#*[JMImplementation:type=MBeanRegistry]", "*";
permission javax.security.auth.AuthPermission "createLoginContext.*";
permission java.io.FilePermission
"${jboss.server.home.dir}\\tmp\\-", "read,write";
// For Nexaweb
permission java.lang.RuntimePermission "getClassLoader";
permission java.lang.RuntimePermission "setContextClassLoader";
permission java.util.PropertyPermission "nexaweb.logs", "read,write";
permission java.util.PropertyPermission
"sun.net.client.defaultConnectTimeout", "read,write";
permission java.util.PropertyPermission
"sun.net.client.defaultReadTimeout", "read,write";
permission java.lang.RuntimePermission "loadLibrary.*";
permission java.io.FilePermission "<<ALL FILES>>", "read,write";
permission java.lang.RuntimePermission "modifyThreadGroup";
permission java.io.SerializablePermission "enableSubclassImplementation";
};
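
The policy file above can be checked mechanically before the server is started with it. The following script is an added example and is not part of this guide or of Oracle Identity Manager: it parses grant entries of the shape used in the listing (an optional codeBase only; signedBy and principal clauses are not handled, an assumption made here), strips comments so that commented-out permissions are not counted, flags permissions that give more than a sandbox is meant to allow, and reports exact duplicates within one grant entry. SAMPLE_POLICY is an abridged copy of two grant entries from the listing, assembled for this example; the names strip_comments, audit and Finding are this example's own.

```python
"""Audit a server.policy file for permissions that defeat the sandbox.

Added example; not part of the Oracle guide or of Oracle Identity Manager.
Handles grant entries with an optional codeBase only (signedBy and principal
clauses are out of scope, an assumption made here).
"""
import re
from typing import List, NamedTuple, Optional

# A quoted string, a // comment, or a /* */ comment. Matching strings first
# keeps the // inside an http: codeBase URL from being treated as a comment.
TOKEN_RE = re.compile(r'"(?:[^"\\]|\\.)*"|//[^\n]*|/\*.*?\*/', re.S)
GRANT_RE = re.compile(r'grant\s*(?:codeBase\s+"([^"]*)")?\s*\{(.*?)\}\s*;', re.S)
# permission CLASS ["TARGET" [, "ACTIONS"]] ;   (AllPermission has no target)
PERM_RE = re.compile(
    r'permission\s+([\w.$]+)(?:\s+"((?:[^"\\]|\\.)*)"(?:\s*,\s*"([^"]*)")?)?\s*;'
)


class Finding(NamedTuple):
    codebase: str      # "<all code>" for a grant entry without codeBase
    permission: str
    target: str
    actions: str
    reason: str


def strip_comments(text: str) -> str:
    """Remove // and /* */ comments while leaving quoted strings untouched."""
    return TOKEN_RE.sub(lambda m: m.group(0) if m.group(0).startswith('"') else "", text)


def _reason(cls: str, target: str, actions: str) -> Optional[str]:
    """Why a permission is flagged as broad, or None if it is not flagged."""
    acts = {a.strip() for a in actions.split(",") if a.strip()}
    if cls == "java.security.AllPermission":
        return "AllPermission turns the sandbox off"
    if cls == "java.security.SecurityPermission" and target == "*":
        return "includes setPolicy, so it is equivalent to AllPermission"
    if cls == "java.lang.reflect.ReflectPermission" and target == "suppressAccessChecks":
        return "reflective access to private members of any class"
    if cls == "java.lang.RuntimePermission" and target == "setSecurityManager":
        return "can replace or remove the security manager"
    if cls == "java.lang.RuntimePermission" and target == "loadLibrary.*":
        return "native code runs outside the security manager's checks"
    if cls == "java.io.FilePermission" and target == "<<ALL FILES>>" and acts & {"write", "execute", "delete"}:
        return "write or execute access to every file the server process can reach"
    if cls == "java.net.SocketPermission" and target == "*" and acts & {"connect", "listen", "accept"}:
        return "network access to or from any host"
    return None


def audit(policy_text: str) -> List[Finding]:
    """Return broad permissions and duplicate entries, per grant entry."""
    findings: List[Finding] = []
    for m in GRANT_RE.finditer(strip_comments(policy_text)):
        codebase = m.group(1) or "<all code>"
        seen = set()
        for cls, target, actions in PERM_RE.findall(m.group(2)):
            key = (cls, target, actions)
            if key in seen:
                findings.append(Finding(codebase, cls, target, actions, "duplicate entry"))
                continue
            seen.add(key)
            reason = _reason(cls, target, actions)
            if reason is not None:
                # A broad permission is worse when no codeBase limits who gets it.
                if codebase == "<all code>":
                    reason += " (granted to all code)"
                findings.append(Finding(codebase, cls, target, actions, reason))
    return findings


# Abridged from the listing above: one scoped entry and the unscoped entry.
SAMPLE_POLICY = r"""
grant codeBase "file:${XL.HomeDir}/-" {
    permission java.io.FilePermission "${XL.HomeDir}\\config\\-", "read";
    //permission java.io.FilePermission "${nexaweb.home}\\-", "read";
    permission java.net.SocketPermission "*:1024-", "listen";
    permission javax.security.auth.AuthPermission "doAs";
};
grant {
    permission java.util.PropertyPermission "*", "read";
    permission java.lang.RuntimePermission "queuePrintJob";
    permission java.net.SocketPermission "*", "connect";
    permission java.lang.RuntimePermission "loadLibrary.*";
    permission java.lang.RuntimePermission "queuePrintJob";
    permission java.io.FilePermission "<<ALL FILES>>", "read,write";
};
"""

if __name__ == "__main__":
    for f in audit(SAMPLE_POLICY):
        print(f"{f.codebase}: {f.permission} {f.target!r} {f.actions!r}: {f.reason}")
```

Run it against the real server.policy by reading the file into audit(). Nothing it reports is a syntax check; the policytool mentioned at the top of this appendix remains the place to validate the file's syntax.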
    

Note:

  • After you make these changes, restart the server to apply Java 2 Security.

  • The file permissions in the listing above are written with the Windows path separator, escaped as \\ in the policy file (for example, "${jboss.server.home.dir}\\tmp\\-"). A java.io.FilePermission target is matched against the platform's own path form, so on UNIX these entries do not match the directories they are meant to cover. Write such paths with ${/}, which the policy file parser expands to the platform file separator, for example:

    permission java.io.FilePermission "${jboss.server.home.dir}${/}tmp${/}-", "read";

    The codeBase value of a grant entry is a URL and always uses forward slashes, as in the listing.

  • The last grant entry has no codeBase and therefore applies to all code that the server loads. It includes java.io.FilePermission "<<ALL FILES>>" with read and write, java.net.SocketPermission "*" with connect, and java.lang.RuntimePermission "loadLibrary.*", so with that entry in place the security manager does not confine file system or outbound network access for any code. The OIM server codebase is also granted java.security.SecurityPermission "*", which includes setPolicy and is therefore equivalent to AllPermission for that codebase. Treat these entries as a starting point, and remove what is not needed after you have confirmed, from the exceptions described in the next item, which permissions each codebase actually requires.

  • A failed permission check is reported on the server console as a java.security.AccessControlException. The message names the permission class, the target, and, for permission classes that take one, the denied action, in the following format:

    java.security.AccessControlException: access denied (PERMISSION TARGET ACTIONS)

    To grant the permission, add it to the grant entry for the codebase that raised the exception rather than to the unscoped grant entry at the end of the file, so that no other code receives it as a side effect:

    grant codeBase "CODEBASE" {
        permission PERMISSION "TARGET", "ACTIONS";
    };

    Omit the action string for permission classes that do not take one, such as java.lang.RuntimePermission. To find out which codebase was denied, start the server with the additional JVM option -Djava.security.debug=access,failure; for each failed check the JVM then prints the stack and the protection domain, including its code source, that lacked the permission.
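
The exception-to-grant step above, as an added example that is not part of this guide or of Oracle Identity Manager: a Python script that reads server console output, keeps the access denied messages, merges the actions denied for the same permission target (a read and a later write on one file become a single entry) and prints one grant entry scoped to a codebase the caller names. It handles both the unquoted message form printed by JDK 7 and earlier and the quoted form printed by JDK 8 and later. The lines in SAMPLE_LOG, the host ldap.example.com, the helper names and the ACTION_CLASSES list of permission classes treated as carrying an action string are constructed for this example.

```python
"""Build a scoped server.policy grant from AccessControlException messages.

Added example; not part of the Oracle guide or of Oracle Identity Manager.
Both JDK message forms are handled:
  JDK 7 and earlier:  access denied (java.io.FilePermission /a/b read)
  JDK 8 and later:    access denied ("java.io.FilePermission" "/a/b" "read")
"""
import re
from typing import Dict, Iterable, Optional, Set, Tuple

# In the unquoted form a file name may itself contain spaces, so the last
# token is taken as the action list only for classes known to carry one
# (an assumption made here; other classes are treated as having no actions).
ACTION_CLASSES = {
    "java.io.FilePermission",
    "java.net.SocketPermission",
    "java.util.PropertyPermission",
    "javax.management.MBeanPermission",
}

_QUOTED = re.compile(r'access denied \("([^"]+)" "([^"]*)"(?: "([^"]*)")?\)')
_UNQUOTED = re.compile(r'access denied \(([^\s"]\S*) (.*)\)')


def parse_denial(line: str) -> Optional[Tuple[str, str, str]]:
    """Return (permission class, target, actions), or None if not a denial."""
    m = _QUOTED.search(line)
    if m:
        return m.group(1), m.group(2), m.group(3) or ""
    m = _UNQUOTED.search(line)
    if not m:
        return None
    cls, rest = m.group(1), m.group(2)
    if cls in ACTION_CLASSES and " " in rest:
        target, actions = rest.rsplit(" ", 1)
    else:
        target, actions = rest, ""
    return cls, target, actions


def collect(lines: Iterable[str]) -> Dict[Tuple[str, str], Set[str]]:
    """Group denials by (class, target), merging the actions seen for each."""
    needed: Dict[Tuple[str, str], Set[str]] = {}
    for line in lines:
        parsed = parse_denial(line)
        if parsed is None:
            continue
        cls, target, actions = parsed
        bucket = needed.setdefault((cls, target), set())
        bucket.update(a for a in actions.split(",") if a)
    return needed


def policy_literal(value: str) -> str:
    """Escape a value for a policy-file string (backslash and double quote)."""
    return value.replace("\\", "\\\\").replace('"', '\\"')


def render_grant(needed: Dict[Tuple[str, str], Set[str]], codebase: str) -> str:
    """Render one grant entry, scoped to codebase, for the collected denials."""
    lines = [f'grant codeBase "{codebase}" {{']
    for (cls, target), actions in needed.items():
        entry = f'    permission {cls} "{policy_literal(target)}"'
        if actions:
            acts = ",".join(sorted(actions))
            entry += f', "{acts}"'
        lines.append(entry + ";")
    lines.append("};")
    return "\n".join(lines)


# Constructed console output in JBoss log format; not captured from a real server.
SAMPLE_LOG = """\
12:00:01,123 ERROR [STDERR] java.security.AccessControlException: access denied (java.io.FilePermission /opt/jboss/server/default/log/server.log read)
12:00:01,130 ERROR [STDERR] java.security.AccessControlException: access denied (java.io.FilePermission /opt/jboss/server/default/log/server.log write)
12:00:02,001 ERROR [STDERR] java.security.AccessControlException: access denied (java.lang.RuntimePermission accessDeclaredMembers)
12:00:02,040 ERROR [STDERR] java.security.AccessControlException: access denied ("java.net.SocketPermission" "ldap.example.com:389" "connect,resolve")
12:00:02,050 INFO  [Server] JBoss (MX MicroKernel) Started
"""

if __name__ == "__main__":
    print(render_grant(collect(SAMPLE_LOG.splitlines()), "file:${XL.HomeDir}/-"))
```

The generated entry is a proposal to review, not to paste blindly: a denial on a single file is best granted on that file, and a denial that only appears during a test run may not belong in the production policy at all.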