Oracle Identity Manager Installation and Configuration Guide for JBoss Application Server
Release 9.1.0.1
B52972-02
A Java 2 Security for JBoss Application Server


Note:

This appendix describes changes made to the policy file. A syntax error in the policy file can cause the application to fail to start, so edit the file carefully.

Oracle recommends using the Policy Tool supplied with the JDK to edit policy files. The tool is located in the following directory:

JAVA_HOME/jre/bin/policytool


To enable Java 2 security for Oracle Identity Manager:

  1. Go to the $JBOSS_HOME/bin/ directory and open the run script (run.bat on Microsoft Windows, run.sh on UNIX) in a text editor.

  2. Locate JAVA_OPTS in this file and add the following JVM options after -Dprogram.name=%PROGNAME%.

    For a nonclustered installation:


    Note:

    Replace $JBOSS_HOME with the actual location of the JBoss Application Server directory.

    -Djava.security.manager
    -Djava.security.policy=$JBOSS_HOME/server/default/conf/server.policy
    -Djboss.home.dir=$JBOSS_HOME
    -Djboss.server.home.dir=$JBOSS_HOME/server/default


    For a clustered installation:


    Note:

    Replace $JBOSS_HOME with the actual location of the JBoss Application Server directory.

    -Djava.security.manager
    -Djava.security.policy=$JBOSS_HOME/server/all/conf/server.policy
    -Djboss.home.dir=$JBOSS_HOME
    -Djboss.server.home.dir=$JBOSS_HOME/server/all


    The following table describes the options.

    Option                     Description
    -Djava.security.manager    Enables the Java 2 security manager.
    -Djava.security.policy     Specifies the policy file used for Java 2 security.
    -Djboss.home.dir           Specifies the home directory of the JBoss Application Server installation. Typically /opt/bea or c:\bea.
    -Djboss.server.home.dir    Specifies the location of the JBoss Application Server configuration in which Oracle Identity Manager is installed.

  3. Go to the JBOSS_HOME/server/default/conf directory and modify the server.policy file by copying the Java 2 security permissions from the policy file. For details, see one of the following sections.


    Note:

    If the server.policy file does not exist, you must create it.

A.1 Policy File for a Nonclustered JBoss Application Server Installation

The server.policy file consists of the following code.


Note:

  • Instructions for modifying the policy file code are given in the comments shown in bold.

  • This server.policy example is for a Microsoft Windows installation. On UNIX, change the \\ between directory names to / in the java.io.FilePermission property of every permission.

  • Change the multicast IP address in this example (231.165.168.131) to the multicast IP address of your Oracle Identity Manager installation. The Oracle Identity Manager multicast IP address can be found in the xlconfig.xml file.

  • After making these changes, restart the server for Java 2 security to take effect.


// Oracle Identity Manager Java2 security policy file
// Use -Djava.security.policy=server.policy
// and -Djboss.home.dir=c:/jboss
// and -Djboss.server.home.dir=c:/jboss/server/default

// *******************************************
// Java code and extensions
// *******************************************
// Trust java extensions
grant codeBase "file:${java.home}/lib/ext/-" {
permission java.security.AllPermission;
};

// Trust core java code
grant codeBase "file:${java.home}/lib/*" {
permission java.security.AllPermission;
};

// For java.home pointing to the JDK jre directory
grant codeBase "file:${java.home}/jre/lib/-" {
permission java.security.AllPermission;
};

// *******************************************
// Java code and extensions ends
// *******************************************

// *******************************************
// JBoss Application Server code
// *******************************************

// Trust core JBoss Application Server code
grant codeBase "file:${jboss.home.dir}/bin/-" {
permission java.security.AllPermission;
};

grant codeBase "file:${jboss.home.dir}/lib/-" {
permission java.security.AllPermission;
};

grant codeBase "file:${jboss.server.home.dir}/lib/-" {
permission java.security.AllPermission;
};

// *******************************************
// JBoss Application Server code ends
// *******************************************

// *******************************************
// JBoss Application Server deployed applications
// *******************************************

// Grant all permissions to the default applications deployed on
// JBoss Application Server. Please change the list depending on whether 
// you are deploying on a single or clustered JBoss Application Server
//install.
// ----------------------------------------------
grant codeBase
"file:${jboss.server.home.dir}/deploy/jboss-aop.deployer/-" {
permission java.security.AllPermission;
};

grant codeBase
"file:${jboss.server.home.dir}/deploy/jboss-bean.deployer/-" {
permission java.security.AllPermission;
};

grant codeBase "file:${jboss.server.home.dir}/deploy/jms/-" {
permission java.security.AllPermission;
};

grant codeBase
"file:${jboss.server.home.dir}/deploy/http-invoker.sar/-" {
permission java.security.AllPermission;
};

grant codeBase
"file:${jboss.server.home.dir}/deploy/jbossweb-tomcat55.sar/-" {
permission java.security.AllPermission;
};

grant codeBase
"file:${jboss.server.home.dir}/deploy/jboss-ws4ee.sar/-" {
permission java.security.AllPermission;
};

grant codeBase
"file:${jboss.server.home.dir}/deploy/jmx-console.war/-" {
permission java.security.AllPermission;
};

grant codeBase "file:${jboss.server.home.dir}/deploy/management/-" {
permission java.security.AllPermission;
};

grant codeBase
"file:${jboss.server.home.dir}/deploy/uuid-key-generator.sar" {
permission java.security.AllPermission;
};

grant codeBase
"file:${jboss.server.home.dir}/deploy/jboss-ha-local-jdbc.rar" {
permission java.security.AllPermission;
};

grant codeBase
"file:${jboss.server.home.dir}/deploy/jboss-ha-xa-jdbc.rar" {
permission java.security.AllPermission;
};

grant codeBase
"file:${jboss.server.home.dir}/deploy/jboss-local-jdbc.rar" {
permission java.security.AllPermission;
};

grant codeBase
"file:${jboss.server.home.dir}/deploy/jboss-xa-jdbc.rar" {
permission java.security.AllPermission;
};

grant codeBase "file:${jboss.server.home.dir}/deploy/mail-ra.rar" {
permission java.security.AllPermission;
};

// *******************************************
// JBoss Application Server deployed applications ends
// *******************************************
 
// ******************************************************************
// From here, Oracle Identity Manager application permissions start
// ******************************************************************

// Grant All permissions to nexaweb commons jar file to be loaded from
// $JBOSS_HOME/default/lib/
grant codeBase "file:${jboss.server.home.dir}/lib/nexaweb-common.jar" {
permission java.security.AllPermission;
};


// OIM codebase permissions
grant codeBase "file:${jboss.server.home.dir}/deploy/XellerateFull.ear" {
  // File permissions

  // Need read,write,delete permissions on $OIM_HOME/config folder
  // to read various config files, write the
  // xlconfig.xml.{0,1,2..} files upon re-encryption and delete
  // the last xlconfig.xml if the numbers go above 9.
  permission java.io.FilePermission "${XL.HomeDir}\\config\\-",
             "read, write, delete";
  permission java.io.FilePermission "${XL.HomeDir}\\-", "read";

  // Need read,write,delete permissions to generate adapter java
  // code, delete the .class file when the adapter is loaded into
  // the database      
  permission java.io.FilePermission "${XL.HomeDir}\\adapters\\-",
  "read,write,delete";

  // This is required by the connectors and connector installer
  permission java.io.FilePermission
        "${XL.HomeDir}\\ConnectorDefaultDirectory\\-",
        "read,write,delete";
  permission java.io.FilePermission
        "${XL.HomeDir}\\connectorResources\\-",
        "read,write,delete";

  // Need to read Globalization resource bundle files for various 
  // locales
  permission java.io.FilePermission
        "${XL.HomeDir}\\customResources\\-", "read";

  // Need to read code from "JavaTasks", "ScheduleTask",
  // "ThirdParty", "EventHandlers" folder
  permission java.io.FilePermission
        "${XL.HomeDir}\\EventHandlers\\-", "read";
  permission java.io.FilePermission
        "${XL.HomeDir}\\JavaTasks\\-", "read";
  permission java.io.FilePermission
        "${XL.HomeDir}\\ScheduleTask\\-", "read";
  permission java.io.FilePermission
        "${XL.HomeDir}\\ThirdParty\\-", "read";

  // Required by the Generic Technology connector
  permission java.io.FilePermission "${XL.HomeDir}\\GTC\\-", "read";

  // Server needs read permissions on Nexaweb home directory
  //permission java.io.FilePermission "${nexaweb.home}\\-", "read";

  // Read permissions on the jboss "tmp" folder, the OIM deploy
  // directory and the jboss server "lib" folder.
  permission java.io.FilePermission
        "${jboss.server.home.dir}\\tmp\\-", "read";
  permission java.io.FilePermission
        "${jboss.server.home.dir}\\deploy\\XellerateFull.ear\\-",
        "read,write";
  permission java.io.FilePermission
        "${jboss.server.home.dir}\\lib\\-", "read";

  // OIM server invokes the java compiler. We need "execute"
  // permissions on all files.
  permission java.io.FilePermission "<<ALL FILES>>", "execute";

  // Socket permissions
  // Basically we allow all permissions on non-privileged sockets
  // The multicast address should be the same as the one in 
  // xlconfig.xml for javagroups communication
  permission java.net.SocketPermission "*:1024-",
        "connect,listen,resolve,accept";
  permission java.net.SocketPermission "231.165.168.131",
        "connect,accept";

  // Property permissions
  // Read and write OIM properties
  // Read XL.*, java.* and log4j.* properties
  permission java.util.PropertyPermission "XL.*", "read,write";
  permission java.util.PropertyPermission "*", "read, write";
  permission java.util.PropertyPermission "java.*", "read";
  permission java.util.PropertyPermission "log4j.*", "read";
  permission java.util.PropertyPermission "user.dir", "read";

  // Runtime permissions
  // OIM server needs permissions to create its own class loader,
  // get the class loader, modify threads and register shutdown 
  // hooks
  permission java.lang.RuntimePermission "createClassLoader";
  permission java.lang.RuntimePermission "getClassLoader";
  permission java.lang.RuntimePermission "modifyThread";
  permission java.lang.RuntimePermission "modifyThreadGroup";
  permission java.lang.RuntimePermission "shutdownHooks";

  // OIM server needs runtime permissions to generate and load
  // classes in the packages specified below. Also access the
  // declared members of a class.
  permission java.lang.RuntimePermission
        "defineClassInPackage.com.thortech.xl.adapterGlue.ScheduleItemEvents";
  permission java.lang.RuntimePermission
        "defineClassInPackage.com.thortech.xl.dataobj.rulegenerators";
  permission java.lang.RuntimePermission
        "defineClassInPackage.com.thortech.xl.adapterGlue";
  permission java.lang.RuntimePermission "accessDeclaredMembers";

  // The following run-time permissions are JBoss specific and will 
  // differ between appservers. OIM server needs ability to see 
  // current thread caller and credentials, and set the 'Run As' 
  // role.
  permission java.lang.RuntimePermission
        "org.jboss.security.SecurityAssociation.getPrincipalInfo";
  permission java.lang.RuntimePermission
        "org.jboss.security.SecurityAssociation.setPrincipalInfo";
  permission java.lang.RuntimePermission
        "org.jboss.security.SecurityAssociation.setRunAsRole";

  // Reflection permissions
  // Give permissions to access and invoke fields/methods from
  // reflected classes.
  permission java.lang.reflect.ReflectPermission
        "suppressAccessChecks";

  // Security permissions for OIM server
  permission java.security.SecurityPermission "*";
  permission javax.security.auth.AuthPermission "doAs";
  permission javax.security.auth.AuthPermission "doPrivileged";
  permission javax.security.auth.AuthPermission "getSubject";
  permission javax.security.auth.AuthPermission "modifyPrincipals";
  permission javax.security.auth.AuthPermission
        "createLoginContext";
  permission javax.security.auth.AuthPermission
        "getLoginConfiguration";
  permission javax.security.auth.AuthPermission
        "setLoginConfiguration";

  // SSL permission (for remote manager)
  permission javax.net.ssl.SSLPermission  "getSSLSessionContext";
};


// Nexaweb server codebase permissions
grant codeBase "file:${jboss.server.home.dir}/deploy/Nexaweb.ear" {
  // File permissions
  permission java.io.FilePermission "${user.home}", "read, write";
  permission java.io.FilePermission
        "${jboss.server.home.dir}\\tmp\\-", "read";
  //permission java.io.FilePermission "${nexaweb.home}\\-", "read";

  // Property permissions
  permission java.util.PropertyPermission "*", "read,write";

  // Runtime permissions
  // Nexaweb server needs permissions to create its own class loader,
  // get the class loader, and so on
  permission java.lang.RuntimePermission "createClassLoader";
  permission java.lang.RuntimePermission "getClassLoader";
  permission java.lang.RuntimePermission "setContextClassLoader";
  permission java.lang.RuntimePermission  "setFactory";

  // Nexaweb server security permissions to load the Cryptix 
  // extension
  permission java.security.SecurityPermission
        "insertProvider.Cryptix";

  // Socket permissions
  // Permissions on all non-privileged ports.
  permission java.net.SocketPermission "*:1024-",
        "listen, connect, resolve";

  // Security permissions
  permission javax.security.auth.AuthPermission "doAs";
  permission javax.security.auth.AuthPermission "modifyPrincipals";
  permission javax.security.auth.AuthPermission
        "createLoginContext";
};

// The following are permissions given to codebase in the OIM server 
// directory
grant codeBase "file:${XL.HomeDir}/-" {
  // File permissions
  permission java.io.FilePermission "${XL.HomeDir}\\config\\-",
        "read";
  permission java.io.FilePermission "${XL.HomeDir}\\JavaTasks\\-",
        "read";
  permission java.io.FilePermission
        "${XL.HomeDir}\\ScheduleTasks\\-", "read";
  permission java.io.FilePermission
        "${XL.HomeDir}\\ThirdParty\\-", "read";
  permission java.io.FilePermission
        "${XL.HomeDir}\\adapters\\-", "read,write,delete";
  permission java.io.FilePermission
        "${jboss.server.home.dir}\\tmp\\-", "read";
  //permission java.io.FilePermission "${nexaweb.home}\\-", "read";

  // Socket permissions
  permission java.net.SocketPermission "*:1024-", "listen";

  // Property permissions
  // Read XL.* and log4j.* properties
  permission java.util.PropertyPermission "XL.*", "read";
  permission java.util.PropertyPermission "log*", "read";

  // Security permissions
  permission javax.security.auth.AuthPermission "doAs";
  permission javax.security.auth.AuthPermission "modifyPrincipals";
  permission javax.security.auth.AuthPermission "createLoginContext";
};

// Minimal permissions are allowed to everyone else
grant {
permission java.util.PropertyPermission "*", "read";
permission java.lang.RuntimePermission "queuePrintJob";
permission java.net.SocketPermission "*", "connect";
permission java.lang.RuntimePermission "accessClassInPackage.*";
permission java.lang.RuntimePermission
    "org.jboss.security.SecurityAssociation.getSubject";
permission javax.management.MBeanServerPermission "findMBeanServer";
permission javax.management.MBeanPermission
    "org.jboss.mx.modelmbean.XMBean#*[JMImplementation:type=MBeanRegistry]", "*";
permission javax.security.auth.AuthPermission "createLoginContext.*";

permission java.io.FilePermission
    "${jboss.server.home.dir}\\tmp\\-", "read,write";

// For Nexaweb
permission java.lang.RuntimePermission "getClassLoader";
permission java.lang.RuntimePermission "setContextClassLoader";
permission java.util.PropertyPermission "nexaweb.logs", "read,write";
permission java.util.PropertyPermission
    "sun.net.client.defaultConnectTimeout", "read,write";
permission java.util.PropertyPermission
    "sun.net.client.defaultReadTimeout", "read,write";

permission java.lang.RuntimePermission "loadLibrary.*";
permission java.lang.RuntimePermission "queuePrintJob";
permission java.net.SocketPermission    "*", "connect";
permission java.io.FilePermission       "<<ALL FILES>>", "read,write";
permission java.lang.RuntimePermission   "modifyThreadGroup";

};
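A reviewer's check for a server.policy file laid out like the one above, added here as an example and not part of the Oracle guide: it parses the grant blocks and lists the entries a security review should justify (AllPermission codeBases, <<ALL FILES>> with write/delete/execute, loadLibrary.*, and write-class permissions in the catch-all grant). The embedded policy text is a constructed, abbreviated sample following the file's structure.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# One "grant [codeBase "..."] { ... };" block. A missing codeBase is the
# catch-all grant that applies to every class the JVM loads.
GRANT_RE = re.compile(
    r'grant\s*(?:codeBase\s*"(?P<cb>[^"]*)")?\s*\{(?P<body>.*?)\};', re.S)
# permission <class> ["<target>"] [, "<actions>"];  (target may contain \" and \\)
PERM_RE = re.compile(
    r'permission\s+(?P<cls>[\w.]+)'
    r'(?:\s+"(?P<target>(?:[^"\\]|\\.)*)")?'
    r'(?:\s*,\s*"(?P<actions>[^"]*)")?\s*;')

Perm = Tuple[str, Optional[str], Optional[str]]  # (class, target, actions)


@dataclass
class Grant:
    code_base: Optional[str]
    perms: List[Perm] = field(default_factory=list)


def parse_policy(text: str) -> List[Grant]:
    """Parse the grant blocks of a policy file into Grant objects."""
    text = re.sub(r'//[^\n]*', '', text)  # drop // comments first
    grants = []
    for g in GRANT_RE.finditer(text):
        grant = Grant(g.group('cb'))
        for p in PERM_RE.finditer(g.group('body')):
            actions = p.group('actions')
            if actions is not None:
                # "read, write" and "read,write" mean the same to the JVM
                actions = ','.join(a.strip() for a in actions.split(','))
            grant.perms.append((p.group('cls'), p.group('target'), actions))
        grants.append(grant)
    return grants


BROAD_ACTIONS = {'write', 'delete', 'execute'}


def audit(grants: List[Grant]) -> List[Tuple[str, str, str]]:
    """Return (codeBase, permission class, reason) for entries a reviewer should justify."""
    findings = []
    for g in grants:
        where = g.code_base or '<every codeBase>'
        for cls, target, actions in g.perms:
            acts = set(actions.split(',')) if actions else set()
            if cls == 'java.security.AllPermission':
                findings.append((where, cls, 'disables all checks for this codeBase'))
            elif (cls == 'java.io.FilePermission' and target == '<<ALL FILES>>'
                  and acts & BROAD_ACTIONS):
                findings.append((where, cls,
                                 '<<ALL FILES>> with ' + ','.join(sorted(acts & BROAD_ACTIONS))))
            elif cls == 'java.lang.RuntimePermission' and target in (
                    'loadLibrary.*', 'setSecurityManager', 'createSecurityManager'):
                findings.append((where, cls, target + ' bypasses the sandbox'))
            elif g.code_base is None and acts & BROAD_ACTIONS:
                findings.append((where, cls, 'catch-all grant allows %s on %s' % (actions, target)))
    return findings


# Constructed sample, abbreviated from the layout shown in this appendix.
SAMPLE_POLICY = r'''
// Trust core JBoss Application Server code
grant codeBase "file:${jboss.home.dir}/lib/-" {
permission java.security.AllPermission;
};

grant codeBase "file:${jboss.server.home.dir}/deploy/XellerateFull.ear" {
  permission java.io.FilePermission "${XL.HomeDir}\\config\\-",
             "read, write, delete";
  permission java.io.FilePermission "<<ALL FILES>>", "execute";
  permission java.net.SocketPermission "*:1024-",
        "connect,listen,resolve,accept";
  permission java.lang.RuntimePermission "createClassLoader";
};

// Minimal permissions are allowed to everyone else
grant {
permission java.util.PropertyPermission "*", "read";
permission java.lang.RuntimePermission "loadLibrary.*";
permission java.io.FilePermission       "<<ALL FILES>>", "read,write";
};
'''

if __name__ == '__main__':
    for where, cls, reason in audit(parse_policy(SAMPLE_POLICY)):
        print('%s\n    %s: %s' % (where, cls, reason))
```

Run it against the real server.policy by reading the file into parse_policy; the catch-all grant findings are the ones that matter most, because every class loaded by the JVM receives them.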

Note:

  • After making these changes, restart the server for Java 2 security to take effect.

  • Permission-related exceptions appear on the server console in the following format. For example, the following message indicates that the permissions to run a method are insufficient:

    java.security.AccessControlException: access denied  (PERMISSION METHOD)


    To grant the permission needed to run the method, add the following lines to the server.policy file:

        grant{
            permission PERMISSION "METHOD";
        };
    

A.2 Policy File for a Clustered JBoss Application Server Installation

The server.policy file consists of the following code.


Note:

  • Instructions for modifying the policy file code are given in the comments shown in bold.

  • This server.policy example is for a Microsoft Windows installation. On UNIX, change the \\ between directory names to / in the java.io.FilePermission property of every permission.

  • Change the multicast IP address in this example (231.165.168.131) to the multicast IP address of your Oracle Identity Manager installation. The Oracle Identity Manager multicast IP address can be found in the xlconfig.xml file.

  • After making these changes, restart the server for Java 2 security to take effect.


// Oracle Identity Manager Java2 security policy file
// Use -Djava.security.policy=server.policy
// and -Djboss.home.dir=C:/jbcl186013/jboss-4.2.3.GA
// and -Djboss.server.home.dir=C:/jbcl186013/jboss-4.2.3.GA/server/all
// *******************************************
// Java code and extensions
// *******************************************
// Trust java extensions
grant codeBase "file:${java.home}/lib/ext/-" {
permission java.security.AllPermission;
};
// Trust core java code
grant codeBase "file:${java.home}/lib/*" {
permission java.security.AllPermission;
};
// For java.home pointing to the JDK jre directory
grant codeBase "file:${java.home}/jre/lib/-" {
permission java.security.AllPermission;
};
// *******************************************
// Java code and extensions ends
// *******************************************
// *******************************************
// JBoss Application Server code
// *******************************************
// Trust core JBoss Application Server code
grant codeBase "file:${jboss.home.dir}/bin/-" {
permission java.security.AllPermission;
};
grant codeBase "file:${jboss.home.dir}/lib/-" {
permission java.security.AllPermission;
};
grant codeBase "file:${jboss.server.home.dir}/lib/-" {
permission java.security.AllPermission;
};
grant codeBase "file:${jboss.server.home.dir}/tmp/-" {
  permission java.io.FilePermission "${jboss.server.home.dir}/-", "read,write,delete";
  permission java.io.FilePermission "${java.io.tmpdir}", "read,write,delete";

  permission java.io.FilePermission "<<ALL FILES>>", "read";

  // MBean permissions
  permission javax.management.MBeanTrustPermission "*";
  permission javax.management.MBeanServerPermission "findMBeanServer";
  permission javax.management.MBeanPermission "*", "*";

  permission java.lang.RuntimePermission "setContextClassLoader";
  permission java.lang.RuntimePermission "accessDeclaredMembers";
  permission java.lang.RuntimePermission "createClassLoader";
  permission java.lang.RuntimePermission "org.jboss.security.SecurityAssociation.setPrincipalInfo";
  permission java.lang.RuntimePermission "org.jboss.security.SecurityAssociation.getPrincipalInfo";
  permission java.lang.RuntimePermission "org.jboss.security.SecurityAssociation.setServer";
  permission java.lang.RuntimePermission "org.jboss.security.SecurityAssociation.setRunAsRole";
  permission java.lang.RuntimePermission "loadLibrary.tcnative-1";
  permission java.lang.RuntimePermission "loadLibrary.libtcnative-1";

  permission java.net.NetPermission "specifyStreamHandler";

  permission java.util.PropertyPermission "*", "read,write";
  permission java.security.SecurityPermission "getProperty.package.definition";
  permission java.security.SecurityPermission "setProperty.package.definition";
  permission java.security.SecurityPermission "getProperty.package.access";
  permission java.security.SecurityPermission "setProperty.package.access";
  permission java.security.SecurityPermission "setPolicy";
  permission java.security.SecurityPermission "putProviderProperty.JBossSX";
  permission java.security.SecurityPermission "insertProvider.JBossSX";

  permission java.lang.reflect.ReflectPermission "suppressAccessChecks";

  // TODO: specify exact ports
  permission java.net.SocketPermission "*:1024-", "accept,listen";
  permission java.util.logging.LoggingPermission "control";

  permission javax.security.auth.AuthPermission "doAsPrivileged";
  permission javax.security.auth.AuthPermission "modifyPrincipals";

  // A policy-file string may not span lines; the target is kept on one line.
  permission javax.security.auth.PrivateCredentialPermission "javax.resource.spi.security.PasswordCredential * \"*\"", "read";

  // experimental
  //permission java.lang.RuntimePermission "createSecurityManager";
  //permission java.lang.RuntimePermission "setSecurityManager";

  permission java.security.SecurityPermission "getPolicy";
  permission java.lang.RuntimePermission "accessClassInPackage.*";
  permission java.lang.RuntimePermission "getClassLoader";
  permission java.lang.RuntimePermission "getProtectionDomain";
  permission java.lang.RuntimePermission "org.jboss.security.SecurityAssociation.getSubject";

  permission javax.security.auth.AuthPermission "createLoginContext.*";
  permission javax.security.auth.AuthPermission "getLoginConfiguration";

};
// *******************************************
// JBoss Application Server code ends
// *******************************************
// *******************************************
// JBoss Application Server deployed applications
// *******************************************
// Grant all permissions to the default applications deployed on
// JBoss Application Server. Please change the list depending on whether
// you are deploying on a single or clustered JBoss Application Server
//install.
// ----------------------------------------------
grant codeBase
"file:${jboss.server.home.dir}/deploy/jboss-aop-jdk50.deployer/-" {
permission java.security.AllPermission;
};
grant codeBase
"file:${jboss.server.home.dir}/deploy/jboss-bean.deployer/-" {
permission java.security.AllPermission;
};
grant codeBase "file:${jboss.server.home.dir}/deploy/jms/-" {
permission java.security.AllPermission;
};
grant codeBase
"file:${jboss.server.home.dir}/deploy/http-invoker.sar/-" {
permission java.security.AllPermission;
};
grant codeBase
"file:${jboss.server.home.dir}/deploy/jbossweb-tomcat55.sar/-" {
permission java.security.AllPermission;
};
grant codeBase
"file:${jboss.server.home.dir}/deploy/jboss-web.deployer/-" {
permission java.security.AllPermission;
};
grant codeBase
"file:${jboss.server.home.dir}/deploy/jboss-web-cluster.sar/-" {
permission java.security.AllPermission;
};
grant codeBase
"file:${jboss.server.home.dir}/deploy/jbossws.sar/-" {
permission java.security.AllPermission;
};
grant codeBase
"file:${jboss.server.home.dir}/deploy/jmx-console.war/-" {
permission java.security.AllPermission;
};
grant codeBase "file:${jboss.server.home.dir}/deploy/management/-" {
permission java.security.AllPermission;
};
grant codeBase
"file:${jboss.server.home.dir}/deploy/uuid-key-generator.sar" {
permission java.security.AllPermission;
};
grant codeBase
"file:${jboss.server.home.dir}/deploy/jboss-ha-local-jdbc.rar" {
permission java.security.AllPermission;
};
grant codeBase
"file:${jboss.server.home.dir}/deploy/jboss-ha-xa-jdbc.rar" {
permission java.security.AllPermission;
};
grant codeBase
"file:${jboss.server.home.dir}/deploy/jboss-local-jdbc.rar" {
permission java.security.AllPermission;
};
grant codeBase
"file:${jboss.server.home.dir}/deploy/jboss-xa-jdbc.rar" {
permission java.security.AllPermission;
};
grant codeBase "file:${jboss.server.home.dir}/deploy/mail-ra.rar" {
permission java.security.AllPermission;
};
grant codeBase "file:${jboss.server.home.dir}/deploy/ejb3.deployer" {
permission java.security.AllPermission;
};
grant codeBase "file:${jboss.server.home.dir}/deploy/juddi-service.sar" {
permission java.security.AllPermission;
};
grant codeBase "file:${jboss.server.home.dir}/deploy/jmx-console.war" {
permission java.security.AllPermission;
};
grant codeBase "file:${jboss.server.home.dir}/deploy/snmp-adaptor.sar" {
permission java.security.AllPermission;
};
grant codeBase "file:${jboss.server.home.dir}/deploy/quartz-ra.rar" {
permission java.security.AllPermission;
};
grant codeBase "file:${jboss.server.home.dir}/deploy/httpha-invoker.sar" {
permission java.security.AllPermission;
};
// *******************************************
// JBoss Application Server deployed applications ends
// *******************************************
// ******************************************************************
// From here, Oracle Identity Manager application permissions start
// ******************************************************************
// Grant All permissions to nexaweb commons jar file to be loaded from
// $JBOSS_HOME/default/lib/
grant codeBase "file:${jboss.server.home.dir}/lib/nexaweb-common.jar" {
permission java.security.AllPermission;
};
// OIM codebase permissions
grant codeBase "file:${jboss.server.home.dir}/farm/XellerateFull.ear" {
// File permissions
// Need read,write,delete permissions on $OIM_HOME/config folder
// to read various config files, write the
// xlconfig.xml.{0,1,2..} files upon re-encryption and delete
// the last xlconfig.xml if the numbers go above 9.
permission java.io.FilePermission "${XL.HomeDir}\\config\\-",
"read, write, delete";
permission java.io.FilePermission "${XL.HomeDir}\\-", "read";
// Need read,write,delete permissions to generate adapter Java
// code, delete the .class file when the adapter is loaded into
// the database
permission java.io.FilePermission "${XL.HomeDir}\\adapters\\-",
"read,write,delete";
// This is required by the connectors and connector installer
permission java.io.FilePermission
"${XL.HomeDir}\\ConnectorDefaultDirectory\\-",
"read,write,delete";
permission java.io.FilePermission
"${XL.HomeDir}\\connectorResources\\-",
"read,write,delete";
// Need to read Globalization resource bundle files for various
// locales
permission java.io.FilePermission
"${XL.HomeDir}\\customResources\\-", "read";
// Need to read code from "JavaTasks", "ScheduleTask",
// "ThirdParty", "EventHandlers" folder
permission java.io.FilePermission
"${XL.HomeDir}\\EventHandlers\\-", "read";
permission java.io.FilePermission
"${XL.HomeDir}\\JavaTasks\\-", "read";
permission java.io.FilePermission
"${XL.HomeDir}\\ScheduleTask\\-", "read";
permission java.io.FilePermission
"${XL.HomeDir}\\ThirdParty\\-", "read";
// Required by the Generic Technology connector
permission java.io.FilePermission "${XL.HomeDir}\\GTC\\-", "read";
// Server needs read permissions on Nexaweb home directory
//permission java.io.FilePermission "${nexaweb.home}\\-", "read";
// Read permissions on the jboss "tmp" folder, the OIM deploy
// directory and the jboss server "lib" folder.
permission java.io.FilePermission
"${jboss.server.home.dir}\\tmp\\-", "read";
permission java.io.FilePermission
"${jboss.server.home.dir}\\farm\\XellerateFull.ear\\-",
"read,write";
permission java.io.FilePermission
"${jboss.server.home.dir}\\lib\\-", "read";
// OIM server invokes the Java compiler. You need "execute"
// permissions on all files.
permission java.io.FilePermission "<<ALL FILES>>", "execute";
// Socket permissions
// Basically we allow all permissions on non-privileged sockets
// The multicast address should be the same as the one in
// xlconfig.xml for Javagroups communication
permission java.net.SocketPermission "*:1024-",
"connect,listen,resolve,accept";
permission java.net.SocketPermission "231.109.185.189",
"connect,accept";
// Property permissions
// Read and write OIM properties
// Read XL.*, java.* and log4j.* properties
permission java.util.PropertyPermission "XL.*", "read,write";
permission java.util.PropertyPermission "*", "read, write";
permission java.util.PropertyPermission "java.*", "read";
permission java.util.PropertyPermission "log4j.*", "read";
permission java.util.PropertyPermission "user.dir", "read";
permission java.util.PropertyPermission "catalina.ext.dirs", "write";
// Run-time permissions
// OIM server needs permissions to create its own class loader,
// get the class loader, modify threads and register shutdown
// hooks
permission java.lang.RuntimePermission "createClassLoader";
permission java.lang.RuntimePermission "getClassLoader";
permission java.lang.RuntimePermission "modifyThread";
permission java.lang.RuntimePermission "modifyThreadGroup";
permission java.lang.RuntimePermission "shutdownHooks";
permission java.lang.RuntimePermission "accessDeclaredMembers";
// OIM server needs run-time permissions to generate and load
// classes in the packages specified below. Also access the
// declared members of a class.
permission java.lang.RuntimePermission
"defineClassInPackage.com.thortech.xl.adapterGlue.ScheduleItemEvents";
permission java.lang.RuntimePermission
"defineClassInPackage.com.thortech.xl.dataobj.rulegenerators";
permission java.lang.RuntimePermission
"defineClassInPackage.com.thortech.xl.adapterGlue";
permission java.lang.RuntimePermission "accessDeclaredMembers";
// The following run-time permissions are JBoss specific and will
// differ between appservers. OIM server needs ability to see
// current thread caller and credentials, and set the 'Run As'
// role.
permission java.lang.RuntimePermission
"org.jboss.security.SecurityAssociation.getPrincipalInfo";
permission java.lang.RuntimePermission
"org.jboss.security.SecurityAssociation.setPrincipalInfo";
permission java.lang.RuntimePermission
"org.jboss.security.SecurityAssociation.setRunAsRole";
// Reflection permissions
// Give permissions to access and invoke fields/methods from
// reflected classes.
permission java.lang.reflect.ReflectPermission
"suppressAccessChecks";
// Security permissions for OIM server
permission java.security.SecurityPermission "*";
permission javax.security.auth.AuthPermission "doAs";
permission javax.security.auth.AuthPermission "doPrivileged";
permission javax.security.auth.AuthPermission "getSubject";
permission javax.security.auth.AuthPermission "modifyPrincipals";
permission javax.security.auth.AuthPermission
"createLoginContext";
permission javax.security.auth.AuthPermission
"getLoginConfiguration";
permission javax.security.auth.AuthPermission
"setLoginConfiguration";
// Secure Sockets Layer (SSL) permission (for remote manager)
permission javax.net.ssl.SSLPermission "getSSLSessionContext";
};
// Nexaweb server codebase permissions
grant codeBase "file:${jboss.server.home.dir}/farm/Nexaweb.ear" {
// File permissions
permission java.io.FilePermission "${user.home}", "read, write";
permission java.io.FilePermission
"${jboss.server.home.dir}\\tmp\\-", "read";
//permission java.io.FilePermission "${nexaweb.home}\\-", "read";
// Property permissions
permission java.util.PropertyPermission "*", "read,write";
// Run-time permissions
// Nexaweb server needs permissions to create its own class loader,
// get the class loader, and so on
permission java.lang.RuntimePermission "createClassLoader";
permission java.lang.RuntimePermission "getClassLoader";
permission java.lang.RuntimePermission "setContextClassLoader";
permission java.lang.RuntimePermission "setFactory";
// Nexaweb server security permissions to load the Cryptix
// extension
permission java.security.SecurityPermission
"insertProvider.Cryptix";
// Socket permissions
// Permissions on all non-privileged ports.
permission java.net.SocketPermission "*:1024-",
"listen, connect, resolve";
// Security permissions
permission javax.security.auth.AuthPermission "doAs";
permission javax.security.auth.AuthPermission "modifyPrincipals";
permission javax.security.auth.AuthPermission
"createLoginContext";
};
// The following are permissions given to codebase in the OIM server
// directory
grant codeBase "file:${XL.HomeDir}/-" {
// File permissions
permission java.io.FilePermission "${XL.HomeDir}\\config\\-",
"read";
permission java.io.FilePermission "${XL.HomeDir}\\JavaTasks\\-",
"read";
permission java.io.FilePermission
"${XL.HomeDir}\\ScheduleTasks\\-", "read";
permission java.io.FilePermission
"${XL.HomeDir}\\ThirdParty\\-", "read";
permission java.io.FilePermission
"${XL.HomeDir}\\adapters\\-", "read,write,delete";
permission java.io.FilePermission
"${jboss.server.home.dir}\\tmp\\-", "read";
//permission java.io.FilePermission "${nexaweb.home}\\-", "read";
// Socket permissions
permission java.net.SocketPermission "*:1024-", "listen";
// Property permissions
// Read XL.* and log4j.* properties
permission java.util.PropertyPermission "XL.*", "read";
permission java.util.PropertyPermission "log*", "read";
// Security permissions
permission javax.security.auth.AuthPermission "doAs";
permission javax.security.auth.AuthPermission "modifyPrincipals";
permission javax.security.auth.AuthPermission "createLoginContext";
};
// Minimal permissions are allowed to everyone else
grant {
permission java.util.PropertyPermission "*", "read";
permission java.lang.RuntimePermission "queuePrintJob";
permission java.net.SocketPermission "*", "connect";
permission java.lang.RuntimePermission "accessClassInPackage.*";
permission java.lang.RuntimePermission
"org.jboss.security.SecurityAssociation.getSubject";
permission javax.management.MBeanServerPermission "findMBeanServer";
permission javax.management.MBeanPermission
"org.jboss.mx.modelmbean.XMBean#*[JMImplementation:type=MBeanRegistry]", "*";
permission javax.security.auth.AuthPermission "createLoginContext.*";
permission java.io.FilePermission
"${jboss.server.home.dir}\\tmp\\-", "read,write";
// For Nexaweb
permission java.lang.RuntimePermission "getClassLoader";
permission java.lang.RuntimePermission "setContextClassLoader";
permission java.util.PropertyPermission "nexaweb.logs", "read,write";
permission java.util.PropertyPermission
"sun.net.client.defaultConnectTimeout", "read,write";
permission java.util.PropertyPermission
"sun.net.client.defaultReadTimeout", "read,write";
permission java.lang.RuntimePermission "loadLibrary.*";
permission java.lang.RuntimePermission "queuePrintJob";
permission java.net.SocketPermission "*", "connect";
permission java.io.FilePermission "<<ALL FILES>>", "read,write";
permission java.lang.RuntimePermission "modifyThreadGroup";
permission java.io.SerializablePermission "enableSubclassImplementation";
};


Note:

  • After making these changes, restart the server for Java 2 security to take effect.

  • Permission-related exceptions appear on the server console in the following format. For example, the following message indicates that the permissions to run a method are insufficient:

    java.security.AccessControlException: access denied  (PERMISSION METHOD)


    To grant the permission needed to run the method, add the following lines to the server.policy file:

        grant{
            permission PERMISSION "METHOD";
        };
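The access-denied message and grant template described in the notes of A.1 and A.2, turned into a small helper; this is an added example, not code from the Oracle guide. It parses AccessControlException console lines (both the bare Java 5/6 form and the quoted form newer JVMs print), merges repeated denials for the same permission, and renders one grant block. The console lines and the C:\oim path are constructed; the XellerateFull.ear codeBase is the one used in A.1. It also goes one step beyond the note: passing a codeBase keeps the grant scoped to the denied component instead of handing the permission to all code, as the bare `grant {` template does.

```python
import re
from collections import OrderedDict
from dataclasses import dataclass
from typing import Iterable, List, Optional

DENIED_RE = re.compile(r'AccessControlException: access denied\s*\((.*)\)\s*$')


@dataclass(frozen=True)
class Denial:
    cls: str                  # e.g. java.io.FilePermission
    target: Optional[str]     # e.g. C:\oim\config\xlconfig.xml
    actions: Optional[str]    # e.g. read (None for permissions without actions)


def parse_denial(line: str) -> Optional[Denial]:
    """Parse one console line; returns None for lines that are not denials."""
    m = DENIED_RE.search(line)
    if not m:
        return None
    inner = m.group(1).strip()
    if inner.startswith('"'):
        # Java 8+ prints each field quoted: ("cls" "target" "actions")
        parts = re.findall(r'"((?:[^"\\]|\\.)*)"', inner)
    else:
        # Java 5/6 (the JBoss 4.2 era) prints bare fields: (cls target actions).
        # The target may contain spaces (<<ALL FILES>>), so the last token is
        # taken as the actions only when three or more tokens are present.
        toks = inner.split()
        parts = [toks[0], ' '.join(toks[1:-1]), toks[-1]] if len(toks) >= 3 else toks
    return Denial(parts[0],
                  parts[1] if len(parts) > 1 else None,
                  parts[2] if len(parts) > 2 else None)


def parse_console(lines: Iterable[str]) -> List[Denial]:
    return [d for d in (parse_denial(l) for l in lines) if d]


def to_grant(denials: List[Denial], code_base: Optional[str] = None) -> str:
    """Render merged denials as one grant block.

    Without code_base this is the guide's 'grant {' template, which gives the
    permission to ALL code. Pass the codeBase of the denied component (shown by
    -Djava.security.debug=access,failure) to keep the grant scoped to it.
    """
    merged = OrderedDict()
    for d in denials:
        acts = merged.setdefault((d.cls, d.target), [])
        for a in (d.actions or '').split(','):
            a = a.strip()
            if a and a not in acts:
                acts.append(a)
    out = ['grant codeBase "%s" {' % code_base if code_base else 'grant {']
    for (cls, target), acts in merged.items():
        entry = '  permission %s' % cls
        if target is not None:
            esc = target.replace('\\', '\\\\')  # policy files need \\ in Windows paths
            entry += ' "%s"' % esc
        if acts:
            entry += ', "%s"' % ','.join(acts)
        out.append(entry + ';')
    out.append('};')
    return '\n'.join(out)


# Constructed console lines (not from a real server); the multicast address is
# the example value used in this appendix, the C:\oim path is a placeholder.
SAMPLE_CONSOLE = [
    r'java.security.AccessControlException: access denied (java.io.FilePermission C:\oim\config\xlconfig.xml read)',
    r'java.security.AccessControlException: access denied (java.io.FilePermission C:\oim\config\xlconfig.xml write)',
    'java.security.AccessControlException: access denied (java.lang.RuntimePermission createClassLoader)',
    'java.security.AccessControlException: access denied (java.net.SocketPermission 231.165.168.131 connect,accept)',
    'java.security.AccessControlException: access denied ("java.util.PropertyPermission" "XL.HomeDir" "read")',
    '12:00:01,123 INFO  [Server] constructed unrelated line',
]
OIM_CODEBASE = 'file:${jboss.server.home.dir}/deploy/XellerateFull.ear'  # codeBase from A.1

if __name__ == '__main__':
    print(to_grant(parse_console(SAMPLE_CONSOLE), OIM_CODEBASE))
```

Review the generated block before pasting it into server.policy: a denial for <<ALL FILES>> or a wildcard SocketPermission should prompt a narrower target rather than a copy of what was denied.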