Create a new security policy file named geronimo.policy in the following directory:
geronimo_home/bin
Add the security permissions shown in Example 2–7 to the geronimo.policy file.
In the geronimo.sh script, add the following two lines to the java command in the start block (keep them with the other -D options, before the -jar line; every option line in that command ends with a backslash continuation, so a comment cannot be placed between them):
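-Djava.security.manager \
-Djava.security.policy="$GERONIMO_HOME"/bin/geronimo.policy \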
For example, the start block will look like:
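elif [ "$1" = "start" ] ; then
  shift
  touch "$GERONIMO_OUT"
  # Start the server in the background under a Java SecurityManager whose
  # grants come from bin/geronimo.policy.
  #
  # The policy path is given with the same "$GERONIMO_HOME"/bin/ prefix as
  # server.jar below so it resolves no matter which directory the script is
  # started from. A bare relative path is resolved against the JVM's working
  # directory; if the file is not found there the JVM ignores it and only the
  # JRE default policy applies, and the server then typically fails to start
  # with java.security.AccessControlException.
  #
  # NOTE: a single '=' ADDS geronimo.policy to the JRE's default java.policy;
  # use '==' (-Djava.security.policy==...) to make geronimo.policy the only
  # policy in effect.
  $START_OS_CMD "$_RUNJAVA" $JAVA_OPTS $GERONIMO_OPTS \
    $JAVA_AGENT_OPTS \
    -Dorg.apache.geronimo.base.dir="$GERONIMO_BASE" \
    -Djava.endorsed.dirs="$ENDORSED_DIRS" \
    -Djava.ext.dirs="$EXT_DIRS" \
    -Djava.io.tmpdir="$GERONIMO_TMPDIR" \
    -Djava.security.manager \
    -Djava.security.policy="$GERONIMO_HOME"/bin/geronimo.policy \
    -XX:MaxPermSize=512M \
    -jar "$GERONIMO_HOME"/bin/server.jar $LONG_OPT "$@" \
    >> "$GERONIMO_OUT" 2>&1 &
  echo ""
  echo "Geronimo started in background. PID: $!"
  # Record the background PID when a pid file is configured.
  if [ -n "$GERONIMO_PID" ]; then
    echo $! > "$GERONIMO_PID"
  fi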
Restart the Geronimo Application Server, then check the server output file ($GERONIMO_OUT) for java.security.AccessControlException entries: each one names a permission that the policy does not grant to the code that needed it.
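// ----------------------------------------------------------------------------
// Permissions for Geronimo Application Server
// ----------------------------------------------------------------------------
//
// Structure of this file:
//   1. Two codeBase grants: the server's own artifacts under lib/ and
//      repository/ get AllPermission.
//   2. Two grants with NO codeBase clause. These apply to EVERY protection
//      domain the JVM loads - deployed applications and any jar they bundle
//      included - not just to Geronimo itself.
//
// NOTE(review): the unscoped grants add up to something very close to
// AllPermission for all code, so this policy keeps the server booting under a
// SecurityManager but does not sandbox deployed code. In particular:
//   - java.io.FilePermission "<<ALL FILES>>" with execute lets any code read,
//     overwrite or delete any file the server user can reach and run arbitrary
//     binaries.
//   - java.security.SecurityPermission "setPolicy" lets any code replace the
//     Policy object at runtime and grant itself whatever it wants.
//   - RuntimePermission "createClassLoader" / "setContextClassLoader" plus
//     ReflectPermission "suppressAccessChecks" defeat class-loader isolation
//     and private-member access checks.
//   - java.net.SocketPermission "*" allows arbitrary inbound and outbound
//     connections.
//   - java.util.PropertyPermission "*" "write" lets any code set any system
//     property (e.g. the javax.net.ssl.* trust-store properties), and
//     AuthPermission "setLoginConfiguration" / "createLoginContext.*" together
//     with write access to java.security.auth.login.config let it redefine
//     JAAS login configuration.
//   - insertProvider.* / removeProvider.SUN let any code install or remove
//     JCA crypto providers.
// To actually constrain applications, move these permissions into the
// codeBase grants for the server's own jars and grant application code
// sources only the subset they need.
//
// If deployed application artifacts are also stored under repository/ (this
// depends on how the deployer is configured - verify for your installation),
// the repository/- grant below gives them AllPermission too; narrow that
// codeBase to the server's own artifacts in that case.
//
// Housekeeping: RuntimePermission "shutdownHooks" appeared in both unscoped
// grants and is listed once here; the effective permission set is unchanged.
// The specific PropertyPermission "write" entries and MBeanPermission "*"
// "registerMBean" are already covered by the "*" wildcards in the same grant
// and are kept only for documentation of what is actually needed.

// Geronimo gets all permissions
grant codeBase "file:${org.apache.geronimo.base.dir}/lib/-" {
    permission java.security.AllPermission;
};

grant codeBase "file:${org.apache.geronimo.base.dir}/repository/-" {
    permission java.security.AllPermission;
};

// Applies to all code (no codeBase): core runtime, JMX and Geronimo
// security-context plumbing.
grant {
    permission java.lang.RuntimePermission "shutdownHooks";
    permission java.lang.RuntimePermission "getenv.*";
    permission java.lang.RuntimePermission "getProtectionDomain";
    permission java.lang.RuntimePermission "modifyThread";
    permission java.lang.RuntimePermission "getClassLoader";
    permission java.lang.RuntimePermission "createSecurityManager";
    permission javax.management.MBeanServerPermission "findMBeanServer";
    permission javax.security.auth.AuthPermission "setReadOnly";
    // setPolicy/getPolicy granted to all code: see NOTE(review) above.
    permission java.security.SecurityPermission "setPolicy";
    permission java.security.SecurityPermission "getPolicy";
    permission java.security.SecurityPermission "createAccessControlContext";
    permission java.security.SecurityPermission "getProperty.package.definition";
    permission java.security.SecurityPermission "setProperty.package.definition";
    permission java.security.SecurityPermission "getProperty.package.access";
    permission java.security.SecurityPermission "setProperty.package.access";
    permission org.apache.geronimo.security.GeronimoSecurityPermission "getContext";
    permission org.apache.geronimo.security.GeronimoSecurityPermission "setContext";
    permission org.apache.geronimo.security.GeronimoSecurityPermission "configure";
    permission java.util.PropertyPermission "Xorg.apache.geronimo.gbean.NoProxy", "read";
    permission java.util.PropertyPermission "Xorg.apache.geronimo.kernel.config.Marshaler", "read";
};

// Applies to all code (no codeBase): network, file system, system properties,
// JAAS/Kerberos, JMX, providers, reflection and class loading.
grant {
    permission java.net.SocketPermission "*", "listen,connect,accept,resolve";
    permission java.util.PropertyPermission "*", "read, write";
    permission java.lang.RuntimePermission "modifyThreadGroup";
    permission java.lang.RuntimePermission "setFactory";
    permission java.lang.RuntimePermission "accessClassInPackage.*";
    permission java.util.logging.LoggingPermission "control";
    permission javax.security.auth.AuthPermission "getLoginConfiguration";
    permission javax.security.auth.AuthPermission "setLoginConfiguration";
    permission javax.security.auth.AuthPermission "modifyPrincipals";
    permission javax.security.auth.AuthPermission "createLoginContext.*";
    // Unrestricted file system access including execute: see NOTE(review).
    permission java.io.FilePermission "<<ALL FILES>>", "read,write,execute,delete";
    permission java.util.PropertyPermission "java.util.logging.config.class", "write";
    permission java.security.SecurityPermission "removeProvider.SUN";
    permission java.security.SecurityPermission "insertProvider.SUN";
    permission javax.security.auth.AuthPermission "doAs";
    permission java.util.PropertyPermission "java.security.krb5.realm", "write";
    permission java.util.PropertyPermission "java.security.krb5.kdc", "write";
    permission java.util.PropertyPermission "java.security.auth.login.config", "write";
    permission java.util.PropertyPermission "user.language", "write";
    permission javax.security.auth.kerberos.ServicePermission "*", "accept";
    permission javax.net.ssl.SSLPermission "setHostnameVerifier";
    permission java.security.SecurityPermission "putProviderProperty.IAIK";
    permission java.security.SecurityPermission "removeProvider.IAIK";
    permission java.security.SecurityPermission "insertProvider.IAIK";
    permission java.lang.RuntimePermission "setDefaultUncaughtExceptionHandler";
    permission javax.management.MBeanServerPermission "newMBeanServer";
    permission javax.management.MBeanPermission "*", "registerMBean";
    permission java.lang.RuntimePermission "createClassLoader";
    permission java.lang.RuntimePermission "accessDeclaredMembers";
    permission java.lang.RuntimePermission "setContextClassLoader";
    permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
    permission javax.security.auth.AuthPermission "getSubject";
    permission javax.management.MBeanTrustPermission "register";
    permission javax.management.MBeanPermission "*", "*";
    permission java.lang.management.ManagementPermission "monitor";
    permission javax.management.MBeanServerPermission "createMBeanServer";
    permission java.util.PropertyPermission "javax.xml.soap.MetaFactory", "write";
    permission java.util.PropertyPermission "javax.xml.soap.MessageFactory", "write";
    permission java.util.PropertyPermission "javax.xml.soap.SOAPConnectionFactory", "write";
    permission java.util.PropertyPermission "javax.xml.soap.SOAPFactory", "write";
    permission java.net.NetPermission "getProxySelector";
    permission java.security.SecurityPermission "getProperty.authconfigprovider.factory";
    permission java.security.SecurityPermission "setProperty.authconfigprovider.factory";
    permission javax.security.auth.AuthPermission "doAsPrivileged";
    permission javax.security.auth.AuthPermission "modifyPublicCredentials";
    permission java.security.SecurityPermission "insertProvider.XMLDSig";
    permission java.security.SecurityPermission "putProviderProperty.WSS_TRANSFORM";
    permission java.security.SecurityPermission "insertProvider.WSS_TRANSFORM";
    permission java.security.SecurityPermission "getProperty.ocsp.*";
};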