OpenSSO Enterprise Security Permissions for Geronimo Application Server (Sun OpenSSO Enterprise 8.0 Installation and Configuration Guide)

Sun OpenSSO Enterprise 8.0 Installation and Configuration Guide

OpenSSO Enterprise Security Permissions for Geronimo Application Server

To Enable the Java Security Manager for Geronimo Application Server

Create a new security policy file named geronimo.policy in the following directory:

geronimo_home/bin

Add the security permissions in the geronimo.policy file, as shown in Example 2–7.

In the geronimo.sh script, add following two lines under the start block:

-Djava.security.manager \
-Djava.security.policy=geronimo.policy \

For example, the start block will look like:

elif [ "$1" = "start" ] ; then
  shift
  touch "$GERONIMO_OUT"
  $START_OS_CMD "$_RUNJAVA" $JAVA_OPTS $GERONIMO_OPTS \
    $JAVA_AGENT_OPTS \
    -Dorg.apache.geronimo.base.dir="$GERONIMO_BASE" \
    -Djava.endorsed.dirs="$ENDORSED_DIRS" \
    -Djava.ext.dirs="$EXT_DIRS" \
    -Djava.io.tmpdir="$GERONIMO_TMPDIR" \
    -Djava.security.manager \
    -Djava.security.policy=geronimo.policy \
    -XX:MaxPermSize=512M \
    -jar "$GERONIMO_HOME"/bin/server.jar $LONG_OPT "$@" \
       $GERONIMO_OUT 2>&1 &
    echo ""
    echo "Geronimo started in background. PID: $!"
    if [ ! -z "$GERONIMO_PID" ]; then
      echo $! > $GERONIMO_PID
    fi

Restart Geronimo Application Server.

Example 2–7 OpenSSO Enterprise Security Permissions for Geronimo Application Server

// ----------------------------------------------------------------------------
// Permissions for Geronimo Application Server
// ----------------------------------------------------------------------------
// Geronimo gets all permissions
grant codeBase "file:${org.apache.geronimo.base.dir}/lib/-" {
permission java.security.AllPermission;
};

grant codeBase "file:${org.apache.geronimo.base.dir}/repository/-" {
permission java.security.AllPermission;
};

grant {
permission java.lang.RuntimePermission "shutdownHooks";
permission java.lang.RuntimePermission "getenv.*";
permission java.lang.RuntimePermission "getProtectionDomain";
permission java.lang.RuntimePermission "modifyThread";
permission java.lang.RuntimePermission "getClassLoader";
permission java.lang.RuntimePermission "createSecurityManager";

permission javax.management.MBeanServerPermission "findMBeanServer";
permission javax.security.auth.AuthPermission "setReadOnly";
permission java.security.SecurityPermission "setPolicy";
permission java.security.SecurityPermission "getPolicy";
permission java.security.SecurityPermission "createAccessControlContext";
permission java.security.SecurityPermission "getProperty.package.definition";
permission java.security.SecurityPermission "setProperty.package.definition";
permission java.security.SecurityPermission "getProperty.package.access";
permission java.security.SecurityPermission "setProperty.package.access";
permission org.apache.geronimo.security.GeronimoSecurityPermission "getContext";
permission org.apache.geronimo.security.GeronimoSecurityPermission "setContext";
permission org.apache.geronimo.security.GeronimoSecurityPermission "configure";

permission java.util.PropertyPermission "Xorg.apache.geronimo.gbean.NoProxy", "read";
permission java.util.PropertyPermission "Xorg.apache.geronimo.kernel.config.Marshaler", "read";
};

grant {
permission java.net.SocketPermission "*", "listen,connect,accept,resolve";
permission java.util.PropertyPermission "*", "read, write";
permission java.lang.RuntimePermission "modifyThreadGroup";
permission java.lang.RuntimePermission "setFactory";
permission java.lang.RuntimePermission "accessClassInPackage.*";
permission java.util.logging.LoggingPermission "control";
permission java.lang.RuntimePermission "shutdownHooks";
permission javax.security.auth.AuthPermission "getLoginConfiguration";
permission javax.security.auth.AuthPermission "setLoginConfiguration";
permission javax.security.auth.AuthPermission "modifyPrincipals";
permission javax.security.auth.AuthPermission "createLoginContext.*";
permission java.io.FilePermission "<<ALL FILES>>", "read,write,execute,delete";
permission java.util.PropertyPermission "java.util.logging.config.class", "write";
permission java.security.SecurityPermission "removeProvider.SUN";
permission java.security.SecurityPermission "insertProvider.SUN";
permission javax.security.auth.AuthPermission "doAs";
permission java.util.PropertyPermission "java.security.krb5.realm", "write";
permission java.util.PropertyPermission "java.security.krb5.kdc", "write";
permission java.util.PropertyPermission "java.security.auth.login.config", "write";
permission java.util.PropertyPermission "user.language", "write";
permission javax.security.auth.kerberos.ServicePermission "*", "accept";
permission javax.net.ssl.SSLPermission "setHostnameVerifier";
permission java.security.SecurityPermission "putProviderProperty.IAIK";
permission java.security.SecurityPermission "removeProvider.IAIK";
permission java.security.SecurityPermission "insertProvider.IAIK";
permission java.lang.RuntimePermission "setDefaultUncaughtExceptionHandler";
permission javax.management.MBeanServerPermission "newMBeanServer";
permission javax.management.MBeanPermission "*", "registerMBean";
permission java.lang.RuntimePermission "createClassLoader";
permission java.lang.RuntimePermission "accessDeclaredMembers";
permission java.lang.RuntimePermission "setContextClassLoader";
permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
permission javax.security.auth.AuthPermission "getSubject";
permission javax.management.MBeanTrustPermission "register";
permission javax.management.MBeanPermission "*" , "*" ;
permission java.lang.management.ManagementPermission "monitor";
permission javax.management.MBeanServerPermission "createMBeanServer";
permission java.util.PropertyPermission "javax.xml.soap.MetaFactory", "write";
permission java.util.PropertyPermission "javax.xml.soap.MessageFactory", "write";
permission java.util.PropertyPermission "javax.xml.soap.SOAPConnectionFactory", "write";
permission java.util.PropertyPermission "javax.xml.soap.SOAPFactory", "write";
permission java.net.NetPermission "getProxySelector";
permission java.security.SecurityPermission "getProperty.authconfigprovider.factory";
permission java.security.SecurityPermission "setProperty.authconfigprovider.factory";
permission javax.security.auth.AuthPermission "doAsPrivileged";
permission javax.security.auth.AuthPermission "modifyPublicCredentials";
permission java.security.SecurityPermission "insertProvider.XMLDSig";
permission java.security.SecurityPermission "putProviderProperty.WSS_TRANSFORM";
permission java.security.SecurityPermission "insertProvider.WSS_TRANSFORM";
permission java.security.SecurityPermission "getProperty.ocsp.*";
};