This chapter lists the Java 2 security permissions required on Oracle WebLogic Server. The information is described in the following sections.
To enable Java 2 security for Oracle Identity Manager running on Oracle WebLogic Server 10.3:
Note: A syntax error in the policy file can prevent the application from starting, so edit the policy file with care. Oracle recommends using the Policy Tool supplied with the JDK to edit the policy file. The tool is available from the following directory:
1. Go to the $BEA_HOME/user_projects/domains/$OIM_DOMAIN/ directory and open the startup script (xlStartWLS.bat on Microsoft Windows, xlStartWLS.sh on UNIX) in a text editor.
2. Locate JAVA_OPTIONS and add the following:
-Djava.security.manager -Djava.security.policy=$WL_HOME/server/lib/weblogic.policy -Dbea.home=$BEA_HOME -Dserver.name=$SERVER_NAME -Doim.domain=$BEA_HOME/user_projects/domains/$OIM_DOMAIN
Note: Change the copied line as follows:
The following table describes the options.
| Option | Description |
|---|---|
| -Djava.security.manager | Enables the Java 2 security manager. |
| -Djava.security.policy | Specifies the policy file used for Java 2 security. |
| -Dbea.home | Specifies the root of the WebLogic Server installation directory. Typically /opt/bea or c:\bea. |
| -Dserver.name | Specifies the name of the server on which Oracle Identity Manager is installed. Typically myserver. |
| -Doim.domain | Specifies the directory of the domain in which Oracle Identity Manager is installed. |
3. Check whether the $WL_HOME/wlserver_10.3/server/lib/weblogic.policy file exists. If it exists, edit it and add the Java 2 security permissions listed in "Policy File". If it does not exist, create it.
After making the changes described in steps 1 to 3, you must restart all servers.
Policy File
Add the following code to the end of the weblogic.policy file.
Note: The changes to make to the policy file code are indicated in bold comments. The multicast IP address in this example ( After making these changes, restart the servers so that Java 2 security takes effect.
// *******************************************
// Default WebLogic Permissions ends
// *******************************************
grant codeBase "file:${java.home}/lib/-" {
permission java.security.AllPermission;
};
grant codeBase "file:${java.home}/jre/lib/-" {
permission java.security.AllPermission;
};
grant codebase "file:${oim.domain}/${server.name}/.internal/-" {
permission java.security.AllPermission;
};
// *******************************************
// From here, OIM application permissions start
// *******************************************
// OIM codebase permissions
grant codeBase "file:${oim.domain}/XLApplications/WLXellerateFull.ear/-" {
// File permissions
// Need read,write,delete permissions on $OIM_HOME/config folder
// to read various config files, write the
// xlconfig.xml.{0,1,2..} files upon re-encryption and delete
// the last xlconfig.xml if the numbers go above 9.
permission java.io.FilePermission "${XL.HomeDir}/config/-", "read, write, delete";
permission java.io.FilePermission "${XL.HomeDir}/-", "read";
// Need read,write,delete permissions to generate adapter java
// code, delete the .class file when the adapter is loaded into
// the database
permission java.io.FilePermission "${XL.HomeDir}/adapters/-", "read,write,delete";
// This is required by the connectors and connector installer
permission java.io.FilePermission "${XL.HomeDir}/ConnectorDefaultDirectory/-", "read,write,delete";
permission java.io.FilePermission "${XL.HomeDir}/connectorResources/-", "read,write,delete";
// Need to read Globalization resource bundle files for various
// locales
permission java.io.FilePermission "${XL.HomeDir}/customResources/-", "read";
// Read code from "JavaTasks", "ScheduleTask",
// "ThirdParty", "EventHandlers" folder
permission java.io.FilePermission "${XL.HomeDir}/EventHandlers/-", "read";
permission java.io.FilePermission "${XL.HomeDir}/JavaTasks/-", "read";
permission java.io.FilePermission "${XL.HomeDir}/ScheduleTask/-", "read";
permission java.io.FilePermission "${XL.HomeDir}/ThirdParty/-", "read";
// Required by the Generic Technology connector
permission java.io.FilePermission "${XL.HomeDir}/GTC/-", "read";
// OIM server codebase requires read permissions on the
// deploy directory, the .wlnotdelete directory, the
// "applications" folder, the "XLApplications" folder
// and the Oracle WebLogic Server lib directory
// All these permissions are specific to the Oracle WebLogic Server.
permission java.io.FilePermission "${oim.domain}/XLApplications/WLXellerateFull.ear/-", "read";
permission java.io.FilePermission "${oim.domain}/${server.name}/.wlnotdelete/-", "read,write,delete";
permission java.io.FilePermission "${oim.domain}/applications/-", "read";
permission java.io.FilePermission "${oim.domain}/XLApplications/-", "read";
permission java.io.FilePermission "http:${/}-", "read";
permission java.io.FilePermission ".${/}http:${/}-", "read";
permission java.io.FilePermission "${bea.home}/wlserver_10.3/server/lib/-", "read";
permission java.io.FilePermission "${oim.domain}/${server.name}/ldap/ldapfiles/-", "read,write";
permission java.io.FilePermission "${oim.domain}/${server.name}/-", "read,write,delete";
// OIM server codebase requires read permissions on the
// $JAVA_HOME/lib directory
permission java.io.FilePermission "${java.home}/lib/-", "read";
// OIM server invokes the java compiler. You need "execute"
// permissions on all files.
permission java.io.FilePermission "<<ALL FILES>>", "execute";
// Socket permissions
// Basically you must allow all permissions on non-privileged sockets
// The multicast address should be the same as the one in
// xlconfig.xml for javagroups communication
permission java.net.SocketPermission "*:1024-", "connect,listen,resolve,accept";
permission java.net.SocketPermission "231.167.157.106", "connect,accept,resolve";
// Property permissions
// Read and write OIM properties
// Read XL.*, java.* and log4j.* properties
permission java.util.PropertyPermission "XL.HomeDir", "read";
permission java.util.PropertyPermission "XL.*", "read";
permission java.util.PropertyPermission "XL.ConfigAutoReload", "read";
permission java.util.PropertyPermission "log4j.*", "read";
permission java.util.PropertyPermission "user.dir", "read";
permission java.util.PropertyPermission "weblogic.xml.debug", "read";
permission java.util.PropertyPermission "file.encoding", "read";
permission java.util.PropertyPermission "java.class.path", "read";
permission java.util.PropertyPermission "java.ext.dirs", "read";
permission java.util.PropertyPermission "java.library.path", "read";
permission java.util.PropertyPermission "sun.boot.class.path", "read";
permission java.util.PropertyPermission "weblogic.*", "read";
// Run time permissions
// OIM server needs permissions to create its own class loader,
// get the class loader, modify threads and register shutdown
// hooks
permission java.lang.RuntimePermission "createClassLoader";
permission java.lang.RuntimePermission "getClassLoader";
permission java.lang.RuntimePermission "setContextClassLoader";
permission java.lang.RuntimePermission "setFactory";
permission java.lang.RuntimePermission "modifyThread";
permission java.lang.RuntimePermission "modifyThreadGroup";
permission java.lang.RuntimePermission "shutdownHooks";
// OIM server needs run time permissions to generate and load
// classes in the following specified packages.
// Also access the declared members of a class.
// weblogic.kernelPermission is required by Oracle WebLogic Server
permission java.lang.RuntimePermission "defineClassInPackage.com.thortech.xl.adapterGlue.ScheduleItemEvents";
permission java.lang.RuntimePermission "defineClassInPackage.com.thortech.xl.dataobj.rulegenerators";
permission java.lang.RuntimePermission "defineClassInPackage.com.thortech.xl.adapterGlue";
permission java.lang.RuntimePermission "accessDeclaredMembers";
permission java.lang.RuntimePermission "weblogic.kernelPermission";
permission java.lang.RuntimePermission "accessClassInPackage.sun.net.www.protocol.c";
permission java.lang.RuntimePermission "accessClassInPackage.sun.io";
permission java.lang.RuntimePermission "accessClassInPackage.sun.security.provider";
permission java.lang.RuntimePermission "accessClassInPackage.sun.security.action";
// Reflection permissions
// Give permissions to access and invoke fields/methods from
// reflected classes.
permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
// Security permissions for OIM server
permission java.security.SecurityPermission "*";
permission java.security.SecurityPermission "insertProvider.SunJCE";
permission java.security.SecurityPermission "insertProvider.SUN";
permission javax.security.auth.AuthPermission "doAs";
permission javax.security.auth.AuthPermission "doPrivileged";
permission javax.security.auth.AuthPermission "getSubject";
permission javax.security.auth.AuthPermission "modifyPrincipals";
permission javax.security.auth.AuthPermission "createLoginContext";
permission javax.security.auth.AuthPermission "getLoginConfiguration";
permission javax.security.auth.AuthPermission "setLoginConfiguration";
permission java.security.SecurityPermission "getProperty.policy.allowSystemProperty";
permission java.security.SecurityPermission "getProperty.login.config.url.1";
permission javax.security.auth.AuthPermission "refreshLoginConfiguration";
// SSL permission (for remote manager)
permission javax.net.ssl.SSLPermission "getSSLSessionContext";
// Serializable permissions
permission java.io.SerializablePermission "enableSubstitution";
};
// You must give the codebase in xlWebApp.war/WEB-INF/classes
// the following permissions
grant codeBase "file:${oim.domain}/XLApplications/WLXellerateFull.ear/xlWebApp.war/WEB-INF/classes/-" {
permission java.io.FilePermission "${oim.domain}/XLApplications/WLXellerateFull.ear/xlWebApp.war/cabo/styles/-", "read,write";
permission java.io.FilePermission "${oim.domain}/XLApplications/WLXellerateFull.ear/xlWebApp.war/cabo/images/-", "read,write";
};
// nexaweb-common.jar from WebLogic server/lib is given AllPermissions
// The classes in this JAR must be loaded by WebLogic's classloader
grant codeBase "file:${bea.home}/wlserver_10.3/server/lib/nexaweb-common.jar" {
permission java.security.AllPermission;
};
// Permissions for nexaweb-common.jar from OIM_HOME/ext
grant codeBase "file:${XL.HomeDir}/ext/nexaweb-common.jar" {
permission java.security.AllPermission;
};
// Permissions for xlCrypto.jar from $OIM_HOME/lib
grant codeBase "file:${XL.HomeDir}/lib/xlCrypto.jar" {
permission java.security.SecurityPermission "insertProvider.SunJCE";
permission java.security.SecurityPermission "insertProvider.SUN";
};
// Permissions for xlUtils.jar from $OIM_HOME/lib
grant codeBase "file:${XL.HomeDir}/lib/xlUtils.jar" {
permission java.io.FilePermission "${bea.home}/wlserver_10.3/server/lib/-", "read";
permission java.io.FilePermission "${java.home}/jre/lib/-", "read";
// Serializable permissions
permission java.io.SerializablePermission "enableSubstitution";
};
// Permissions for log4j-1.2.8.jar from $OIM_HOME/ext
grant codeBase "file:${XL.HomeDir}/ext/log4j-1.2.8.jar" {
permission java.io.FilePermission "${oim.domain}/XLApplications/WLXellerateFull.ear/xlVO.jar", "read";
};
// Permissions for xlLogger.jar from $OIM_HOME/lib
// The Filewatchdog class from this jar file must periodically scan
// these directories for updated/new jar files.
// You also scan the classes in xlAdapterUtilities.jar by default
grant codeBase "file:${XL.HomeDir}/lib/xlLogger.jar" {
permission java.io.FilePermission "${XL.HomeDir}/EventHandlers", "read";
permission java.io.FilePermission "${XL.HomeDir}/JavaTasks", "read";
permission java.io.FilePermission "${XL.HomeDir}/ScheduleTask", "read";
permission java.io.FilePermission "${XL.HomeDir}/ThirdParty", "read";
permission java.io.FilePermission "${XL.HomeDir}/EventHandlers/-", "read";
permission java.io.FilePermission "${XL.HomeDir}/JavaTasks/-", "read";
permission java.io.FilePermission "${XL.HomeDir}/ScheduleTask/-", "read";
permission java.io.FilePermission "${XL.HomeDir}/ThirdParty/-", "read";
permission java.io.FilePermission "${XL.HomeDir}/lib/xlAdapterUtilities.jar", "read";
};
// Permissions for .wlnotdelete folder
grant codeBase "file:${oim.domain}/${server.name}/.wlnotdelete/-" {
permission java.security.AllPermission;
};
// Nexaweb server codebase permissions
grant codeBase "file:${oim.domain}/XLApplications/WLNexaweb.ear/-" {
// File permissions
permission java.io.FilePermission "${user.home}", "read, write";
permission java.io.FilePermission "${oim.domain}/XLApplications/WLNexaweb.ear/-", "read";
permission java.io.FilePermission "${oim.domain}/XLApplications/WLXellerateFull.ear/-", "read";
permission java.io.FilePermission "${bea.home}/wlserver_10.3/server/lib/-", "read";
permission java.io.FilePermission "${XL.HomeDir}/adapters/-", "read,write,delete";
permission java.io.FilePermission "<<ALL FILES>>", "execute";
// Property permissions
permission java.util.PropertyPermission "weblogic.xml.debug", "read";
permission java.util.PropertyPermission "user.dir", "read";
permission java.util.PropertyPermission "*", "read,write";
// Run time permissions
permission java.lang.RuntimePermission "createClassLoader";
permission java.lang.RuntimePermission "getClassLoader";
permission java.lang.RuntimePermission "setContextClassLoader";
permission java.lang.RuntimePermission "setFactory";
// Nexaweb server security permissions to load the Cryptix
// extension
permission java.security.SecurityPermission "insertProvider.Cryptix";
permission java.lang.RuntimePermission "weblogic.kernelPermission";
permission java.lang.RuntimePermission "accessClassInPackage.sun.net.www.protocol.c";
// Socket permissions
// Permissions on all non-privileged ports.
permission java.net.SocketPermission "*:1024-", "listen, connect, resolve";
// Security permissions
permission javax.security.auth.AuthPermission "doAs";
permission javax.security.auth.AuthPermission "modifyPrincipals";
permission javax.security.auth.AuthPermission "createLoginContext";
};
// The following are permissions given to codebase in the OIM server
// directory
grant codeBase "file:${XL.HomeDir}/-" {
// File permissions
permission java.io.FilePermission "${XL.HomeDir}/config/-", "read";
permission java.io.FilePermission "${XL.HomeDir}/JavaTasks/-", "read";
permission java.io.FilePermission "${XL.HomeDir}/ScheduleTasks/-", "read";
permission java.io.FilePermission "${XL.HomeDir}/ThirdParty/-", "read";
permission java.io.FilePermission "${XL.HomeDir}/adapters/-", "read,write,delete";
// Socket permissions
permission java.net.SocketPermission "*:1024-", "connect,listen,resolve,accept";
// Property permissions
permission java.util.PropertyPermission "XL.HomeDir", "read";
permission java.util.PropertyPermission "XL.ConfigAutoReload", "read";
permission java.util.PropertyPermission "XL.*", "read";
permission java.util.PropertyPermission "log4j.*", "read";
permission java.util.PropertyPermission "user.dir", "read";
permission java.util.PropertyPermission "weblogic.xml.debug", "read";
// Security permissions
permission javax.security.auth.AuthPermission "doAs";
permission javax.security.auth.AuthPermission "modifyPrincipals";
permission javax.security.auth.AuthPermission "createLoginContext";
// Run time Permissions
permission java.lang.RuntimePermission "accessClassInPackage.sun.security.provider";
};
// Minimal permissions are allowed to everyone else
grant {
// "standard" properties that can be read by anyone
permission java.util.PropertyPermission "java.version", "read";
permission java.util.PropertyPermission "java.vendor", "read";
permission java.util.PropertyPermission "java.vendor.url", "read";
permission java.util.PropertyPermission "java.class.version", "read";
permission java.util.PropertyPermission "os.name", "read";
permission java.util.PropertyPermission "os.version", "read";
permission java.util.PropertyPermission "os.arch", "read";
permission java.util.PropertyPermission "file.separator", "read";
permission java.util.PropertyPermission "path.separator", "read";
permission java.util.PropertyPermission "line.separator", "read";
permission java.util.PropertyPermission "java.specification.version", "read";
permission java.util.PropertyPermission "java.specification.vendor", "read";
permission java.util.PropertyPermission "java.specification.name", "read";
permission java.util.PropertyPermission "java.vm.specification.version", "read";
permission java.util.PropertyPermission "java.vm.specification.vendor", "read";
permission java.util.PropertyPermission "java.vm.specification.name", "read";
permission java.util.PropertyPermission "java.vm.version", "read";
permission java.util.PropertyPermission "java.vm.vendor", "read";
permission java.util.PropertyPermission "java.vm.name", "read";
permission java.util.PropertyPermission "sun.boot.class.path", "read";
permission java.util.PropertyPermission "weblogic.xml.debug", "read";
permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
permission java.lang.RuntimePermission "accessDeclaredMembers";
permission java.util.PropertyPermission "XL.*", "read";
permission java.util.PropertyPermission "user.dir", "read";
permission java.util.PropertyPermission "*", "read,write";
permission java.lang.RuntimePermission "weblogic.kernelPermission";
permission java.lang.RuntimePermission "getClassLoader";
permission java.lang.RuntimePermission "createClassLoader";
permission java.lang.RuntimePermission "setContextClassLoader";
permission java.util.PropertyPermission "nexaweb.logs", "read,write";
permission java.util.PropertyPermission "sun.net.client.defaultConnectTimeout", "read,write";
permission java.io.FilePermission "${oim.domain}/XLApplications/WLNexaweb.ear/-", "read";
permission java.io.FilePermission "${oim.domain}/XLApplications/WLXellerateFull.ear/-", "read";
permission java.io.FilePermission "${bea.home}/wlserver_10.3/server/lib/weblogic.jar", "read";
permission java.io.FilePermission "${oim.domain}/${server.name}/.wlnotdelete/-", "read";
permission java.io.FilePermission "${nexaweb.home}/-", "read";
permission java.lang.RuntimePermission "loadLibrary.*";
permission java.lang.RuntimePermission "queuePrintJob";
permission java.net.SocketPermission "*", "connect";
permission java.io.FilePermission "<<ALL FILES>>", "read,write,execute";
permission java.lang.RuntimePermission "modifyThreadGroup";
permission java.lang.RuntimePermission "accessClassInPackage.sun.io";
permission java.io.FilePermission "${XL.HomeDir}/adapters/-", "read,write,delete";
};
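Because a policy mistake only shows up when the servers are restarted, it helps to check what a weblogic.policy file actually grants before that restart, for both the single-server policy above and the cluster policy later in this chapter. The following stand-alone program is an added example, not part of the Oracle documentation: it loads one policy file with the same ${property} expansion the JVM uses and reports whether the OIM codeBase, the .internal codeBase and an unrelated codeBase receive the permissions a least-privilege setup expects. The class name PolicyCheck, the property values standing in for the -D options and the sample jar paths are constructed for illustration.

```java
import java.io.File;
import java.io.FilePermission;
import java.net.URL;
import java.security.AllPermission;
import java.security.CodeSource;
import java.security.Permission;
import java.security.Policy;
import java.security.ProtectionDomain;
import java.security.URIParameter;
import java.security.cert.Certificate;
import java.util.PropertyPermission;

/** Hypothetical helper: loads one weblogic.policy and reports what a codeBase is granted. */
public class PolicyCheck {

    /** Load only the given policy file (same effect as -Djava.security.policy==file). */
    static Policy load(File policyFile) throws Exception {
        return Policy.getInstance("JavaPolicy", new URIParameter(policyFile.toURI()));
    }

    /** True when unsigned code loaded from codeBase would be granted perm under this policy. */
    static boolean granted(Policy policy, String codeBase, Permission perm) throws Exception {
        CodeSource cs = new CodeSource(new URL(codeBase), (Certificate[]) null);
        return policy.implies(new ProtectionDomain(cs, null), perm);
    }

    /** Print "ok" when the policy matches the expectation, "REVIEW" when it grants more or less. */
    static void report(Policy policy, String codeBase, Permission perm, boolean expected) throws Exception {
        boolean actual = granted(policy, codeBase, perm);
        System.out.printf("%s %s%n       %s -> %s%n",
                actual == expected ? "ok    " : "REVIEW", codeBase, perm, actual);
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 1) {
            System.err.println("usage: java PolicyCheck /path/to/weblogic.policy");
            System.exit(2);
        }
        // Constructed values standing in for the -D options set in xlStartWLS.sh;
        // ${bea.home}, ${server.name}, ${oim.domain}, ${XL.HomeDir} in the policy
        // expand from system properties, so they must be set before the policy loads.
        System.setProperty("bea.home", "/opt/bea");
        System.setProperty("server.name", "myserver");
        System.setProperty("oim.domain", "/opt/bea/user_projects/domains/oim_domain");
        System.setProperty("XL.HomeDir", "/opt/oim");
        System.setProperty("nexaweb.home", "/opt/nexaweb");

        Policy policy = load(new File(args[0]));
        String oimDomain = System.getProperty("oim.domain");
        String xlHome = System.getProperty("XL.HomeDir");
        String server = System.getProperty("server.name");

        // 1. OIM application code needs the scoped file permission on $OIM_HOME/config ...
        String oimEar = "file:" + oimDomain + "/XLApplications/WLXellerateFull.ear/lib/some.jar";
        report(policy, oimEar,
                new FilePermission(xlHome + "/config/xlconfig.xml", "read,write,delete"), true);
        // ... but should not hold AllPermission.
        report(policy, oimEar, new AllPermission(), false);

        // 2. The server's .internal directory is expected to be fully trusted.
        report(policy, "file:" + oimDomain + "/" + server + "/.internal/some.jar",
                new AllPermission(), true);

        // 3. Code from an unrelated location is covered only by the catch-all grant block;
        //    flag it if that block hands out broad file or property access.
        String other = "file:/tmp/untrusted/some.jar";
        report(policy, other, new AllPermission(), false);
        report(policy, other, new FilePermission("<<ALL FILES>>", "read,write,execute"), false);
        report(policy, other, new PropertyPermission("*", "read,write"), false);
    }
}
```

Compile and run it with the JDK the server uses (javac PolicyCheck.java && java PolicyCheck $WL_HOME/server/lib/weblogic.policy); if the file fails to parse, the JDK policy provider prints an error on stderr and the expected grants come back false. Policy.getInstance is deprecated in recent JDKs but present in the JDK 6-era runtime this chapter targets.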
To enable Java 2 security for Oracle Identity Manager running on an Oracle WebLogic Server 10.3 cluster:
Note: A syntax error in the policy file can prevent the application from starting, so edit the policy file with care. Oracle recommends using the Policy Tool supplied with the JDK to edit the policy file. The tool is available from the following directory:
1. Go to the $BEA_HOME/user_projects/domains/$OIM_DOMAIN/ directory and open the startup script (xlStartWLS.bat on Microsoft Windows, xlStartWLS.sh on UNIX) in a text editor.
2. Add the following:
-Djava.security.manager -Djava.security.policy=$WL_HOME/server/lib/weblogic.policy -Dbea.home=$BEA_HOME -Dserver.name=$SERVER_NAME -Doim.domain=$BEA_HOME/user_projects/domains/$OIM_DOMAIN
Note: Change the copied line as follows:
The following table describes the options.
| Option | Description |
|---|---|
| -Djava.security.manager | Enables the Java 2 security manager. |
| -Djava.security.policy | Specifies the policy file used for Java 2 security. |
| -Dbea.home | Specifies the root of the WebLogic Server installation directory. Typically /opt/bea or c:\bea. |
| -Dserver.name | Specifies the name of the server on which Oracle Identity Manager is installed. Typically myserver. |
| -Doim.domain | Specifies the directory of the domain in which Oracle Identity Manager is installed. |
3. Check whether the $WL_HOME/wlserver_10.3/server/lib/weblogic.policy file exists. If it exists, edit it and add the Java 2 security permissions listed in "Policy File". If it does not exist, create it.
4. For cluster nodes that are managed remotely:
In the WebLogic Server console, click Server Configuration, then Servers, then Configuration, and click Remote Start.
Add the following to the Arguments field:
-DXL.HomeDir=$OIM_HOME -Djava.security.auth.login.config=$OIM_HOME\config\authwl.conf -Dlog4j.configuration=file:/$OIM_HOME/config/log.properties -Djava.awt.headless=true -Djava.security.manager -Djava.security.policy==$BEA_HOME/wlserver_10.3/server/lib/weblogic.policy -Dbea.home=$BEA_HOME -Dserver.name=$SERVER_NAME -Doim.domain=$BEA_HOME/user_projects/domains/$OIM_DOMAIN
Note: Change the copied line as follows:
After making the changes described in steps 1 to 4, you must restart all servers.
Policy File
The weblogic.policy file contains the following code.
// *******************************************
// Default WebLogic Permissions
// *******************************************
//
// To use this file you must turn on the Java security manager by
// defining java.security.manager and setting the java.security.policy
// property to point to the security policy which should be in the lib
// directory.
// For example:
// java -Djava.security.manager
// -Djava.security.policy==${/}opt${/}bea${/}wlserver_10.3/server/lib/weblogic.policy
// weblogic.Server
//
// You can edit this file and change the permissions for your
// applications or update the codeBase line to point to where your
// server is installed.
//
// You should grant all permissions to classes in
// .internal, and .wlnotdelete folders located in your server directory.
// You can set
// -Duser.domain=<user domain folder>
// -Dweblogic.Name=<server name>
// command-line properties and use them in your policy file.
// For example, the basic grant statements for servers in a user
// domain would be:
// grant codeBase "file:${user.domain}/${weblogic.Name}/.internal/-" {
// permission java.security.AllPermission;
// };
// grant codeBase "file:${user.domain}/${weblogic.Name}/.wlnotdelete/-"
// {
// permission java.security.AllPermission;
// };
//
// The codeBase location must be a URL, not a file path,
// so Windows users beware of backslashes.
//
//
grant codeBase "file:D:${/}wl_cluster${/}bea${/}wlserver_10.3/server/lib/-" {
permission java.security.AllPermission;
};
grant codeBase "file:D:${/}wl_cluster${/}bea${/}wlserver_10.3/server/ext/-" {
permission java.security.AllPermission;
};
grant codeBase "file:D:${/}wl_cluster${/}bea${/}wlserver_10.3/samples/server/eval/pointbase/lib/-" {
permission java.security.AllPermission;
};
// For the petstore demo
grant codeBase "file:D:${/}wl_cluster${/}bea${/}wlserver_10.3/samples/server/config/petstore/petstoreServer/.internal/-" {
permission java.security.AllPermission;
};
grant codeBase "file:D:${/}wl_cluster${/}bea${/}wlserver_10.3/samples/server/config/petstore/petstoreServer/.wlnotdelete/-" {
permission java.security.AllPermission;
};
grant codeBase "file:D:${/}wl_cluster${/}bea${/}wlserver_10.3/samples/server/config/petstore/-" {
permission java.util.PropertyPermission "*", "read";
};
// For the examples
grant codeBase "file:D:${/}wl_cluster${/}bea${/}wlserver_10.3/samples/server/config/examples/examplesServer/.internal/-" {
permission java.security.AllPermission;
};
grant codeBase "file:D:${/}wl_cluster${/}bea${/}wlserver_10.3/samples/server/config/examples/examplesServer/.wlnotdelete/-" {
permission java.security.AllPermission;
};
grant codeBase "file:D:${/}wl_cluster${/}bea${/}wlserver_10.3/samples/server/config/examples/examplesServer/stage/-" {
permission java.util.PropertyPermission "*", "read";
permission java.io.FilePermission "D:${/}wl_cluster${/}bea${/}wlserver_10.3${/}samples${/}server${/}config${/}examples${/}examplesServer${/}ldap", "read,write";
};
grant codeBase "file:D:${/}wl_cluster${/}bea${/}wlserver_10.3/samples/server/stage/examples/-" {
permission java.io.FilePermission "D:${/}wl_cluster${/}bea${/}wlserver_10.3${/}samples${/}server${/}src${/}examples${/}-", "read";
permission java.io.FilePermission "D:${/}wl_cluster${/}bea${/}wlserver_10.3${/}samples${/}server${/}config${/}examples${/}examplesServer${/}ldap", "read,write";
};
// For the workshop
grant codeBase "file:D:${/}wl_cluster${/}bea${/}wlserver_10.3/samples/workshop/-" {
permission java.security.AllPermission;
};
// These are for the three app types
// EJB default permissions
grant codebase "file:/weblogic/application/defaults/EJB" {
permission java.lang.RuntimePermission "queuePrintJob";
permission java.net.SocketPermission "*", "connect";
permission java.util.PropertyPermission "*", "read";
};
// Web App default permissions
grant codebase "file:/weblogic/application/defaults/Web" {
permission java.lang.RuntimePermission "loadLibrary";
permission java.lang.RuntimePermission "queuePrintJob";
permission java.net.SocketPermission "*", "connect";
permission java.io.FilePermission "WEBLOGIC-APPLICATION-ROOT${/}-", "read,write";
permission java.util.PropertyPermission "*", "read";
};
// Connector default permissions
grant codebase "file:/weblogic/application/defaults/Connector" {
permission java.net.SocketPermission "*", "connect";
permission java.io.FilePermission "WEBLOGIC-APPLICATION-ROOT${/}-", "read,write";
permission java.util.PropertyPermission "*", "read";
};
// Standard extensions get all permissions by default
grant codeBase "file:${java.home}/lib/ext/-" {
permission java.security.AllPermission;
};
// default permissions granted to all domains
grant {
// "standard" properties that can be read by anyone
permission java.util.PropertyPermission "java.version", "read";
permission java.util.PropertyPermission "java.vendor", "read";
permission java.util.PropertyPermission "java.vendor.url", "read";
permission java.util.PropertyPermission "java.class.version", "read";
permission java.util.PropertyPermission "os.name", "read";
permission java.util.PropertyPermission "os.version", "read";
permission java.util.PropertyPermission "os.arch", "read";
permission java.util.PropertyPermission "file.separator", "read";
permission java.util.PropertyPermission "path.separator", "read";
permission java.util.PropertyPermission "line.separator", "read";
permission java.util.PropertyPermission "java.specification.version", "read";
permission java.util.PropertyPermission "java.specification.vendor", "read";
permission java.util.PropertyPermission "java.specification.name", "read";
permission java.util.PropertyPermission "java.vm.specification.version", "read";
permission java.util.PropertyPermission "java.vm.specification.vendor", "read";
permission java.util.PropertyPermission "java.vm.specification.name", "read";
permission java.util.PropertyPermission "java.vm.version", "read";
permission java.util.PropertyPermission "java.vm.vendor", "read";
permission java.util.PropertyPermission "java.vm.name", "read";
};
grant codeBase
"file:${/}opt${/}bea${/}wlserver_10.3/samples/server/eval/pointbase/lib/-" {
permission java.security.AllPermission;
};
// For the petstore demo
grant codeBase
"file:${/}opt${/}bea${/}wlserver_10.3/samples/server/config/petstore/petstoreServer/.internal/-" {
permission java.security.AllPermission;
};
grant codeBase
"file:${/}opt${/}bea${/}wlserver_10.3/samples/server/config/petstore/petstoreServer/.wlnotdelete/-" {
permission java.security.AllPermission;
};
grant codeBase
"file:${/}opt${/}bea${/}wlserver_10.3/samples/server/config/petstore/-" {
permission java.util.PropertyPermission "*", "read";
};
// For the examples
grant codeBase
"file:${/}opt${/}bea${/}wlserver_10.3/samples/server/config/examples/examplesServer/.internal/-" {
permission java.security.AllPermission;
};
grant codeBase
"file:${/}opt${/}bea${/}wlserver_10.3/samples/server/config/examples/examplesServer/.wlnotdelete/-" {
permission java.security.AllPermission;
};
grant codeBase
"file:${/}opt${/}bea${/}wlserver_10.3/samples/server/config/examples/examplesServer/stage/-" {
permission java.util.PropertyPermission "*", "read";
permission java.io.FilePermission
"${/}opt${/}bea${/}wlserver_10.3${/}samples${/}server${/}config${/}examples${/}examplesServer${/}ldap", "read,write";
};
grant codeBase
"file:${/}opt${/}bea${/}wlserver_10.3/samples/server/stage/examples/-" {
permission java.io.FilePermission
"${/}opt${/}bea${/}wlserver_10.3${/}samples${/}server${/}src${/}examples${/}-",
"read";
permission java.io.FilePermission
"${/}opt${/}bea${/}wlserver_10.3${/}samples${/}server${/}config${/}examples${/}examplesServer${/}ldap", "read,write";
};
// For the workshop
grant codeBase "file:${/}opt${/}bea${/}wlserver_10.3/samples/workshop/-" {
permission java.security.AllPermission;
};
// These are for the three app types
// EJB default permissions
grant codebase "file:/weblogic/application/defaults/EJB" {
permission java.lang.RuntimePermission "queuePrintJob";
permission java.net.SocketPermission "*", "connect";
permission java.util.PropertyPermission "*", "read";
};
// Web App default permissions
grant codebase "file:/weblogic/application/defaults/Web" {
permission java.lang.RuntimePermission "loadLibrary";
permission java.lang.RuntimePermission "queuePrintJob";
permission java.net.SocketPermission "*", "connect";
permission java.io.FilePermission
"WEBLOGIC-APPLICATION-ROOT${/}-", "read,write";
permission java.util.PropertyPermission "*", "read";
};
// Connector default permissions
grant codebase "file:/weblogic/application/defaults/Connector" {
permission java.net.SocketPermission "*", "connect";
permission java.io.FilePermission
"WEBLOGIC-APPLICATION-ROOT${/}-", "read,write";
permission java.util.PropertyPermission "*", "read";
};
// Standard extensions get all permissions by default
grant codeBase "file:${java.home}/lib/ext/-" {
permission java.security.AllPermission;
};
grant codeBase "file:${java.home}/lib/-" {
permission java.security.AllPermission;
};
grant codeBase "file:${java.home}/jre/lib/-" {
permission java.security.AllPermission;
};
grant codebase "file:${oim.domain}/${server.name}/.internal/-" {
permission java.security.AllPermission;
};
// *******************************************
// Default WebLogic Permissions end
// *******************************************
// *******************************************
// From here, OIM application permission starts
// *******************************************
// OIM codebase permissions
grant codeBase
"file:${oim.domain}/XLApplications/WLXellerateFull.ear/-" {
// File permissions
// Need read,write,delete permissions on $OIM_HOME/config folder
// to read various config files, write the
// xlconfig.xml.{0,1,2..} files upon re-encryption and delete
// the last xlconfig.xml if the numbers go above 9.
permission java.io.FilePermission "${XL.HomeDir}/config/-",
"read, write, delete";
permission java.io.FilePermission "${XL.HomeDir}/-", "read";
// Need read,write,delete permissions to generate adapter java
// code, delete the .class file when the adapter is loaded into
// the database
permission java.io.FilePermission "${XL.HomeDir}/adapters/-",
"read,write,delete";
// This is required by the connectors and connector installer
permission java.io.FilePermission
"${XL.HomeDir}/ConnectorDefaultDirectory/-", "read,write,delete";
permission java.io.FilePermission
"${XL.HomeDir}/connectorResources/-", "read,write,delete";
// Need to read Globalization resource bundle files for various
// locales
permission java.io.FilePermission
"${XL.HomeDir}/customResources/-", "read";
// Need to read code from "JavaTasks", "ScheduleTask",
// "ThirdParty", "EventHandlers" folder
permission java.io.FilePermission
"${XL.HomeDir}/EventHandlers/-", "read";
permission java.io.FilePermission
"${XL.HomeDir}/JavaTasks/-", "read";
permission java.io.FilePermission
"${XL.HomeDir}/ScheduleTask/-", "read";
permission java.io.FilePermission
"${XL.HomeDir}/ThirdParty/-", "read";
// Required by the Generic Technology connector
permission java.io.FilePermission "${XL.HomeDir}/GTC/-", "read";
// OIM server code base requires read permissions on the
// deploy directory, the .wlnotdelete directory, the
// "applications" folder, the "XLApplications" folder
// and the WebLogic server lib directory
// All these permissions are specific to the weblogic server.
permission java.io.FilePermission
"${oim.domain}/XLApplications/WLXellerateFull.ear/-", "read";
permission java.io.FilePermission
"${oim.domain}/${server.name}/.wlnotdelete/-",
"read,write,delete";
permission java.io.FilePermission
"${oim.domain}/applications/-", "read";
permission java.io.FilePermission
"${oim.domain}/XLApplications/-", "read";
permission java.io.FilePermission "http:${/}-", "read";
permission java.io.FilePermission ".${/}http:${/}-", "read";
permission java.io.FilePermission
"${bea.home}/wlserver_10.3/server/lib/-", "read";
permission java.io.FilePermission
"${oim.domain}/${server.name}/ldap/ldapfiles/-", "read,write";
permission java.io.FilePermission
"${oim.domain}/${server.name}/-", "read,write,delete";
// OIM server codebase requires read permissions on the
// $JAVA_HOME/lib directory
permission java.io.FilePermission "${java.home}/lib/-", "read";
// OIM server invokes the java compiler. You need "execute"
// permissions on all files.
permission java.io.FilePermission "<<ALL FILES>>", "execute";
// Socket permissions
// Basically, all permissions are allowed on non-privileged sockets
// The multicast address should be the same as the one in
// xlconfig.xml for javagroups communication
permission java.net.SocketPermission "*:1024-",
"connect,listen,resolve,accept";
permission java.net.SocketPermission "231.116.117.171",
"connect,accept,resolve";
// Property permissions
// Read and write OIM properties
// Read XL.*, java.* and log4j.* properties
permission java.util.PropertyPermission "XL.HomeDir", "read";
permission java.util.PropertyPermission "XL.*", "read";
permission java.util.PropertyPermission "XL.ConfigAutoReload",
"read";
permission java.util.PropertyPermission "log4j.*", "read";
permission java.util.PropertyPermission "user.dir", "read";
permission java.util.PropertyPermission "weblogic.xml.debug",
"read";
permission java.util.PropertyPermission "file.encoding", "read";
permission java.util.PropertyPermission "java.class.path", "read";
permission java.util.PropertyPermission "java.ext.dirs", "read";
permission java.util.PropertyPermission "java.library.path",
"read";
permission java.util.PropertyPermission "sun.boot.class.path",
"read";
permission java.util.PropertyPermission "weblogic.*", "read";
// Run time permissions
// OIM server needs permissions to create its own class loader,
// get the class loader, modify threads and register shutdown
// hooks
permission java.lang.RuntimePermission "createClassLoader";
permission java.lang.RuntimePermission "getClassLoader";
permission java.lang.RuntimePermission "setContextClassLoader";
permission java.lang.RuntimePermission "setFactory";
permission java.lang.RuntimePermission "modifyThread";
permission java.lang.RuntimePermission "modifyThreadGroup";
permission java.lang.RuntimePermission "shutdownHooks";
// OIM server needs run time permissions to generate and load
// classes in the following specified packages. Also access the
// declared members of a class.
// weblogic.kernelPermission is required by weblogic
permission java.lang.RuntimePermission
"defineClassInPackage.com.thortech.xl.adapterGlue.ScheduleItemEvents";
permission java.lang.RuntimePermission
"defineClassInPackage.com.thortech.xl.dataobj.rulegenerators";
permission java.lang.RuntimePermission
"defineClassInPackage.com.thortech.xl.adapterGlue";
permission java.lang.RuntimePermission "accessDeclaredMembers";
permission java.lang.RuntimePermission "weblogic.kernelPermission";
permission java.lang.RuntimePermission
"accessClassInPackage.sun.net.www.protocol.c";
permission java.lang.RuntimePermission "accessClassInPackage.sun.io";
permission java.lang.RuntimePermission
"accessClassInPackage.sun.security.provider";
permission java.lang.RuntimePermission
"accessClassInPackage.sun.security.action";
// Reflection permissions
// Give permissions to access and invoke fields/methods from
// reflected classes.
permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
// Security permissions for OIM server
permission java.security.SecurityPermission "*";
permission java.security.SecurityPermission "insertProvider.SunJCE";
permission java.security.SecurityPermission "insertProvider.SUN";
permission javax.security.auth.AuthPermission "doAs";
permission javax.security.auth.AuthPermission "doPrivileged";
permission javax.security.auth.AuthPermission "getSubject";
permission javax.security.auth.AuthPermission "modifyPrincipals";
permission javax.security.auth.AuthPermission "createLoginContext";
permission javax.security.auth.AuthPermission "getLoginConfiguration";
permission javax.security.auth.AuthPermission "setLoginConfiguration";
permission java.security.SecurityPermission
"getProperty.policy.allowSystemProperty";
permission java.security.SecurityPermission
"getProperty.login.config.url.1";
permission javax.security.auth.AuthPermission
"refreshLoginConfiguration";
// SSL permission (for remote manager)
permission javax.net.ssl.SSLPermission "getSSLSessionContext";
// Serializable permissions
permission java.io.SerializablePermission "enableSubstitution";
};
// You must give the codebase in xlWebApp.war/WEB-INF/classes
// the following permissions
grant codeBase
"file:${oim.domain}/XLApplications/WLXellerateFull.ear/xlWebApp.war/WEB-INF/classes/-" {
permission java.io.FilePermission
"${oim.domain}/XLApplications/WLXellerateFull.ear/xlWebApp.war/cabo/styles/-", "read,write";
permission java.io.FilePermission
"${oim.domain}/XLApplications/WLXellerateFull.ear/xlWebApp.war/cabo/images/-", "read,write";
};
// nexaweb-common.jar from WebLogic server/lib is given AllPermissions
// These classes in this jar can be loaded by WebLogic's classloader
grant codeBase "file:${bea.home}/wlserver_10.3/server/lib/nexaweb-common.jar" {
permission java.security.AllPermission;
};
// Permissions for nexaweb-common.jar from OIM_HOME/ext
grant codeBase "file:${XL.HomeDir}/ext/nexaweb-common.jar" {
permission java.security.AllPermission;
};
// Permissions for xlCrypto.jar from $OIM_HOME/lib
grant codeBase "file:${XL.HomeDir}/lib/xlCrypto.jar" {
permission java.security.SecurityPermission "insertProvider.SunJCE";
permission java.security.SecurityPermission "insertProvider.SUN";
};
// Permissions for xlUtils.jar from $OIM_HOME/lib
grant codeBase "file:${XL.HomeDir}/lib/xlUtils.jar" {
permission java.io.FilePermission
"${bea.home}/wlserver_10.3/server/lib/-", "read";
permission java.io.FilePermission "${java.home}/jre/lib/-", "read";
// Serializable permissions
permission java.io.SerializablePermission "enableSubstitution";
};
// Permissions for log4j-1.2.8.jar from $OIM_HOME/ext
grant codeBase "file:${XL.HomeDir}/ext/log4j-1.2.8.jar" {
permission java.io.FilePermission
"${oim.domain}/XLApplications/WLXellerateFull.ear/xlVO.jar",
"read";
};
// Permissions for xlLogger.jar from $OIM_HOME/lib
// The Filewatchdog class from this jar file must periodically scan
// these directories for updated/new jar files.
// We also scan the classes in xlAdapterUtilities.jar by default
grant codeBase "file:${XL.HomeDir}/lib/xlLogger.jar" {
permission java.io.FilePermission "${XL.HomeDir}/EventHandlers",
"read";
permission java.io.FilePermission "${XL.HomeDir}/JavaTasks", "read";
permission java.io.FilePermission "${XL.HomeDir}/ScheduleTask",
"read";
permission java.io.FilePermission "${XL.HomeDir}/ThirdParty",
"read";
permission java.io.FilePermission "${XL.HomeDir}/EventHandlers/-",
"read";
permission java.io.FilePermission "${XL.HomeDir}/JavaTasks/-",
"read";
permission java.io.FilePermission "${XL.HomeDir}/ScheduleTask/-",
"read";
permission java.io.FilePermission "${XL.HomeDir}/ThirdParty/-",
"read";
permission java.io.FilePermission
"${XL.HomeDir}/lib/xlAdapterUtilities.jar", "read";
};
// Permissions for .wlnotdelete folder
grant codeBase "file:${oim.domain}/${server.name}/.wlnotdelete/-" {
permission java.security.AllPermission;
};
// Nexaweb server codebase permissions
grant codeBase "file:${oim.domain}/XLApplications/WLNexaweb.ear/-" {
// File permissions
permission java.io.FilePermission "${user.home}", "read, write";
permission java.io.FilePermission
"${oim.domain}/XLApplications/WLNexaweb.ear/-", "read";
permission java.io.FilePermission
"${oim.domain}/XLApplications/WLXellerateFull.ear/-", "read";
permission java.io.FilePermission
"${bea.home}/wlserver_10.3/server/lib/-", "read";
permission java.io.FilePermission "${XL.HomeDir}/adapters/-",
"read,write,delete";
permission java.io.FilePermission "<<ALL FILES>>", "execute";
// Property permissions
permission java.util.PropertyPermission "weblogic.xml.debug", "read";
permission java.util.PropertyPermission "user.dir", "read";
permission java.util.PropertyPermission "*", "read,write";
// Run time permissions
permission java.lang.RuntimePermission "createClassLoader";
permission java.lang.RuntimePermission "getClassLoader";
permission java.lang.RuntimePermission "setContextClassLoader";
permission java.lang.RuntimePermission "setFactory";
// Nexaweb server security permissions to load the Cryptix
// extension
permission java.security.SecurityPermission "insertProvider.Cryptix";
permission java.lang.RuntimePermission "weblogic.kernelPermission";
permission java.lang.RuntimePermission
"accessClassInPackage.sun.net.www.protocol.c";
// Socket permissions
// Permissions on all non-privileged ports.
permission java.net.SocketPermission "*:1024-",
"listen, connect, resolve";
// Security permissions
permission javax.security.auth.AuthPermission "doAs";
permission javax.security.auth.AuthPermission "modifyPrincipals";
permission javax.security.auth.AuthPermission "createLoginContext";
};
// The following are permissions given to codebase in the OIM server
// directory
grant codeBase "file:${XL.HomeDir}/-" {
// File permissions
permission java.io.FilePermission "${XL.HomeDir}/config/-", "read";
permission java.io.FilePermission "${XL.HomeDir}/JavaTasks/-", "read";
permission java.io.FilePermission "${XL.HomeDir}/ScheduleTasks/-",
"read";
permission java.io.FilePermission "${XL.HomeDir}/ThirdParty/-",
"read";
permission java.io.FilePermission "${XL.HomeDir}/adapters/-",
"read,write,delete";
// Socket permissions
permission java.net.SocketPermission "*:1024-",
"connect,listen,resolve,accept";
// Property permissions
permission java.util.PropertyPermission "XL.HomeDir", "read";
permission java.util.PropertyPermission "XL.ConfigAutoReload", "read";
permission java.util.PropertyPermission "XL.*", "read";
permission java.util.PropertyPermission "log4j.*", "read";
permission java.util.PropertyPermission "user.dir", "read";
permission java.util.PropertyPermission "weblogic.xml.debug", "read";
// Security permissions
permission javax.security.auth.AuthPermission "doAs";
permission javax.security.auth.AuthPermission "modifyPrincipals";
permission javax.security.auth.AuthPermission "createLoginContext";
// Run time Permissions
permission java.lang.RuntimePermission
"accessClassInPackage.sun.security.provider";
};
// Minimal permissions are allowed to everyone else
grant {
// "standard" properties that can be read by anyone
// Socket permissions
permission java.net.SocketPermission "*:1024-",
"connect,listen,resolve,accept";
//Change the following IP address to the same value as that of
//your WebLogic cluster multicast IP address
permission java.net.SocketPermission "237.0.0.1", "connect,accept,resolve";
//Change the following IP address to the same value as that of
//the multicast address in the xlConfig.xml file
permission java.net.SocketPermission "231.116.117.171", "connect,accept,resolve";
permission java.lang.RuntimePermission "accessClassInPackage.*";
permission java.security.SecurityPermission "getPolicy";
permission java.security.SecurityPermission "setPolicy";
permission java.lang.RuntimePermission "createSecurityManager";
permission java.lang.RuntimePermission "setSecurityManager";
permission java.security.SecurityPermission "getProperty.*";
permission java.security.SecurityPermission "setProperty.*";
permission javax.security.auth.AuthPermission "createLoginContext.*";
permission java.lang.RuntimePermission "shutdownHooks";
permission java.io.SerializablePermission "enableSubstitution";
permission javax.security.auth.AuthPermission "refreshLoginConfiguration";
permission java.util.logging.LoggingPermission "control";
permission java.security.SecurityPermission "insertProvider.SunJCE";
permission java.security.SecurityPermission "insertProvider.SUN";
permission java.util.PropertyPermission "java.version", "read";
permission java.util.PropertyPermission "java.vendor", "read";
permission java.util.PropertyPermission "java.vendor.url", "read";
permission java.util.PropertyPermission "java.class.version", "read";
permission java.util.PropertyPermission "os.name", "read";
permission java.util.PropertyPermission "os.version", "read";
permission java.util.PropertyPermission "os.arch", "read";
permission java.util.PropertyPermission "file.separator", "read";
permission java.util.PropertyPermission "path.separator", "read";
permission java.util.PropertyPermission "line.separator", "read";
permission java.util.PropertyPermission "java.specification.version",
"read";
permission java.util.PropertyPermission "java.specification.vendor",
"read";
permission java.util.PropertyPermission "java.specification.name",
"read";
permission java.util.PropertyPermission
"java.vm.specification.version", "read";
permission java.util.PropertyPermission
"java.vm.specification.vendor", "read";
permission java.util.PropertyPermission "java.vm.specification.name",
"read";
permission java.util.PropertyPermission "java.vm.version", "read";
permission java.util.PropertyPermission "java.vm.vendor", "read";
permission java.util.PropertyPermission "java.vm.name", "read";
permission java.util.PropertyPermission "sun.boot.class.path", "read";
permission java.util.PropertyPermission "weblogic.xml.debug", "read";
permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
permission java.lang.RuntimePermission "accessDeclaredMembers";
permission java.util.PropertyPermission "XL.*", "read";
permission java.util.PropertyPermission "user.dir", "read";
permission java.util.PropertyPermission "*", "read,write";
permission java.lang.RuntimePermission "weblogic.kernelPermission";
permission java.lang.RuntimePermission "getClassLoader";
permission java.lang.RuntimePermission "createClassLoader";
permission java.lang.RuntimePermission "setContextClassLoader";
permission java.util.PropertyPermission "nexaweb.logs", "read,write";
permission java.util.PropertyPermission
"sun.net.client.defaultConnectTimeout", "read,write";
permission java.io.FilePermission
"${oim.domain}/XLApplications/WLNexaweb.ear/-", "read";
permission java.io.FilePermission
"${oim.domain}/XLApplications/WLXellerateFull.ear/-", "read";
permission java.io.FilePermission
"${bea.home}/wlserver_10.3/server/lib/weblogic.jar", "read";
permission java.io.FilePermission
"${oim.domain}/${server.name}/.wlnotdelete/-", "read";
permission java.io.FilePermission "${nexaweb.home}/-", "read";
permission java.lang.RuntimePermission "loadLibrary.*";
permission java.lang.RuntimePermission "queuePrintJob";
permission java.net.SocketPermission "*", "connect";
permission java.io.FilePermission "<<ALL FILES>>", "read,write,execute";
permission java.lang.RuntimePermission "modifyThreadGroup";
permission java.lang.RuntimePermission "accessClassInPackage.sun.io";
permission java.io.FilePermission "${XL.HomeDir}/adapters/-",
"read,write,delete";
};
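The listing above ends with a catch-all `grant { ... }` block (no codeBase), and that block includes `java.io.FilePermission "<<ALL FILES>>", "read,write,execute"`, `java.lang.RuntimePermission "setSecurityManager"`, `java.security.SecurityPermission "setPolicy"` and `java.util.PropertyPermission "*", "read,write"`. Because a grant without a codeBase applies to every class the JVM loads, those entries make the Java 2 sandbox effectively unrestricted for all code, not only for the OIM and WebLogic code bases the earlier blocks name. The Python script below is an added example, not part of the Oracle documentation: it parses the `grant [codeBase "..."] { permission ...; };` subset of the policy grammar (signedBy and principal clauses are skipped, an assumption for brevity), rates each entry, and escalates any sandbox-disabling entry in a codeBase-less grant to "critical". The embedded `SAMPLE_POLICY` is a constructed, abridged excerpt of the listing above, and the severity ratings are this example's own judgement rather than anything the page states.

```python
"""Lint a Java 2 policy file for grants that defeat the sandbox (added example)."""
import re
from collections import namedtuple

# Constructed, abridged excerpt of the weblogic.policy listing above: the JDK
# grant, a few OIM codeBase entries and the catch-all "grant {" block.
SAMPLE_POLICY = r'''
grant codeBase "file:${java.home}/lib/-" {
    permission java.security.AllPermission;
};
grant codeBase "file:${oim.domain}/XLApplications/WLXellerateFull.ear/-" {
    permission java.io.FilePermission "${XL.HomeDir}/config/-", "read, write, delete";
    // OIM server invokes the java compiler. You need "execute"
    permission java.io.FilePermission "<<ALL FILES>>", "execute";
    permission java.net.SocketPermission "*:1024-", "connect,listen,resolve,accept";
    permission java.security.SecurityPermission "*";
};
grant {
    permission java.security.SecurityPermission "setPolicy";
    permission java.lang.RuntimePermission "setSecurityManager";
    permission java.util.PropertyPermission "*", "read,write";
    permission java.net.SocketPermission "*", "connect";
    permission java.io.FilePermission "<<ALL FILES>>", "read,write,execute";
};
'''

Grant = namedtuple("Grant", "codebase permissions")      # codebase None: applies to all code
Finding = namedtuple("Finding", "severity codebase cls target actions reason")

# Strings are matched first, so a quoted "//" is never taken for a comment; comments are dropped.
_TOKEN = re.compile(r'"([^"]*)"|//[^\n]*|([{};,])|([^\s"{};,]+)')

def tokenize(text):
    kinds = {1: "str", 2: "punct", 3: "word"}
    for m in _TOKEN.finditer(text):          # a comment match sets no group and is skipped
        if m.lastindex:
            yield (kinds[m.lastindex], m.group(m.lastindex))

def parse_policy(text):
    """Parse 'grant [codeBase "..."] { permission Class "target"[, "actions"]; ... };' blocks."""
    toks, grants, i = list(tokenize(text)), [], 0
    while i < len(toks):
        if toks[i] != ("word", "grant"):
            i += 1
            continue
        i, codebase = i + 1, None
        while toks[i] != ("punct", "{"):          # header; signedBy/principal clauses are skipped
            if toks[i][0] == "word" and toks[i][1].lower() == "codebase":
                codebase, i = toks[i + 1][1], i + 1
            i += 1
        grant, i = Grant(codebase, []), i + 1
        while toks[i] != ("punct", "}"):
            if toks[i] == ("word", "permission"):
                cls, args, i = toks[i + 1][1], [], i + 2
                while toks[i] != ("punct", ";"):  # collect "target" and optional "actions"
                    if toks[i][0] == "str":
                        args.append(toks[i][1])
                    i += 1
                grant.permissions.append((cls, args[0] if args else "", args[1] if len(args) > 1 else ""))
            i += 1
        grants.append(grant)
        i += 1
    return grants

_HIGH = {   # (class, target) pairs that let code disable or rewrite the sandbox itself
    ("java.security.AllPermission", ""): "every permission; no sandbox at all",
    ("java.lang.RuntimePermission", "setSecurityManager"): "can replace or remove the SecurityManager",
    ("java.security.SecurityPermission", "setPolicy"): "can replace the Policy and grant itself anything",
    ("java.security.SecurityPermission", "*"): "all SecurityPermission targets, including setPolicy",
}

def assess(cls, target, actions):
    """Return (severity, reason) for an entry worth a second look, else None."""
    acts = {a.strip() for a in actions.split(",") if a.strip()}   # "read, write" and "read,write" alike
    if (cls, target) in _HIGH:
        return ("high", _HIGH[(cls, target)])
    if cls == "java.io.FilePermission" and target == "<<ALL FILES>>" and acts & {"write", "execute", "delete"}:
        return ("high", "<<ALL FILES>> %s: arbitrary file write or process execution" % sorted(acts))
    if cls == "java.util.PropertyPermission" and target == "*" and "write" in acts:
        return ("medium", "can rewrite every system property")
    if cls == "java.net.SocketPermission" and target == "*" and "connect" in acts:
        return ("medium", "outbound connections to any host and port")
    return None

def lint(text):
    findings = []
    for g in parse_policy(text):
        for cls, target, actions in g.permissions:
            hit = assess(cls, target, actions)
            if hit:
                sev, reason = hit
                if g.codebase is None and sev == "high":   # no codeBase: every class the JVM loads gets it
                    sev = "critical"
                findings.append(Finding(sev, g.codebase or "<any code>", cls, target, actions, reason))
    return findings

def sandbox_defeated(text):
    """True when a codeBase-less grant lets any code turn the manager or policy off."""
    return any(f.severity == "critical" for f in lint(text))
```

Run `lint(open("weblogic.policy").read())` against the real file after editing it; the useful signal is the "critical" rows, which point at entries in the catch-all grant that should either move into a specific codeBase block or be removed, since a sandbox that any class can switch off with `setSecurityManager` or `setPolicy` enforces nothing.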