Oracle Identity Manager Installation and Configuration Guide for IBM WebSphere Application Server, Release 9.1.0.1, B53901-01
This appendix covers the following topics.
Note: A syntax error in the policy file can prevent the application from starting, so edit the policy file with care. Oracle recommends editing the policy file with the Policy Tool shipped with the JDK. The tool is available in the following directory.
To enable Java 2 security for Oracle Identity Manager running on IBM WebSphere Application Server:

1. Log in to the WebSphere Administrative Console.
2. In the left navigation pane, expand the Security tab and click Secure administration, applications, and infrastructure.
3. Click the Security Configuration Wizard button. The Security Configuration Wizard is displayed.
4. On the Specify Extent of Protection page of the wizard, select the Use Java 2 security to restrict application access to local resources option and click Next.
5. On the Select User Repository page of the wizard, click Next.
6. On the Configure User Repository page of the wizard, enter XELSYSADM in the Primary administrative user name field. Click Next.
7. On the Summary page, click Finish.
8. To save this setting to the master configuration, click the Save link in the message.
9. Save the configuration and click Apply.
10. Check whether WAS_HOME/profiles/AppSrv01/properties/server.policy exists. If the file exists, edit it as described in "Policy File" to add the Java 2 security permissions. If the file does not exist, create it.
Policy File

The server.policy file consists of the following code.

Note:
- Instructions for changing the code in the policy file are given as comments in bold font.
- Change the cell name in the code example to the cell name under which Oracle Identity Manager is installed. In this example, the cell name is
- This
- The multicast IP in this example
```
// *******************************************
// WebSphere Server Security Policy
// *******************************************
//
// Application client permissions are specified in client.policy
// Warning: Deviating from this policy might result in unexpected
// AccessControlExceptions if a more "fine grain" policy is
// specified.
// The application policy is specified in app.policy (per node) and was.policy
// (per enterprise application).
//
// Allow to use sun tools
grant codeBase "file:${java.home}/../lib/tools.jar" {
  permission java.security.AllPermission;
};

// WebSphere system classes
grant codeBase "file:${was.install.root}/plugins/-" {
  permission java.security.AllPermission;
};
grant codeBase "file:${was.install.root}/lib/-" {
  permission java.security.AllPermission;
};
grant codeBase "file:${was.install.root}/classes/-" {
  permission java.security.AllPermission;
};

// Allow the WebSphere deploy tool all permissions
grant codeBase "file:${was.install.root}/deploytool/-" {
  permission java.security.AllPermission;
};

// Allow Channel Framework classes all permissions
grant codeBase "file:${was.install.root}/installedChannels/-" {
  permission java.security.AllPermission;
};

// WebSphere optional runtime classes
grant codeBase "file:${was.install.root}/optionalLibraries/-" {
  permission java.security.AllPermission;
};

//
// *******************************************
// From here, the Oracle Identity Manager application permissions start
// *******************************************
// OIM codebase permissions
// Change Cell "STDLPC28Node02Cell" Value in given code
grant codeBase "file:${user.install.root}/installedApps/STDLPC28Node02Cell/Xellerate.ear/-" {
  // File permissions
  // Change Cell "STDLPC28Node02Cell" Value in given code
  permission java.io.FilePermission "${user.install.root}/temp/STDLPC28Node02Cell/server1/-", "read,write,delete";
  // Need read, write, and delete permissions on $OIM_HOME/config folder
  // to read various config files, write the
  // xlconfig.xml.{0,1,2..} files upon re-encryption and delete
  // the last xlconfig.xml if the numbers go above 9.
  permission java.io.FilePermission "${XL.HomeDir}/config/-", "read, write, delete";
  permission java.io.FilePermission "${XL.HomeDir}/-", "read";
  // Need read,write,delete permissions to generate adapter java
  // code, delete the .class file when the adapter is loaded into
  // the database
  permission java.io.FilePermission "${XL.HomeDir}/adapters/-", "read,write,delete";
  // This is required by the connectors and connector installer
  permission java.io.FilePermission "${XL.HomeDir}/ConnectorDefaultDirectory/-", "read,write,delete";
  permission java.io.FilePermission "${XL.HomeDir}/connectorResources/-", "read,write,delete";
  // Must read Globalization resource bundle files for various
  // locales
  permission java.io.FilePermission "${XL.HomeDir}/customResources/-", "read";
  // Must read code from "JavaTasks", "ScheduleTask",
  // "ThirdParty", "EventHandlers" folder
  permission java.io.FilePermission "${XL.HomeDir}/EventHandlers/-", "read";
  permission java.io.FilePermission "${XL.HomeDir}/JavaTasks/-", "read";
  permission java.io.FilePermission "${XL.HomeDir}/ScheduleTask/-", "read";
  permission java.io.FilePermission "${XL.HomeDir}/ThirdParty/-", "read";
  // Required by the Generic Technology connector
  permission java.io.FilePermission "${XL.HomeDir}/GTC/-", "read";
  permission java.io.FilePermission "${java.home}/lib/-", "read";
  permission java.lang.RuntimePermission "accessClassInPackage.sun.security.action";
  // OIM server invokes the java compiler. You need "execute"
  // permissions on all files.
  permission java.io.FilePermission "<<ALL FILES>>", "execute";

  // Socket permissions
  // Allow all permissions on non-privileged sockets
  // The multicast address should be the same as the one in
  // xlconfig.xml for javagroups communication
  permission java.net.SocketPermission "*:1024-", "connect,listen,resolve,accept";
  // This IP address is a multicast address of the computer. Ensure
  // it is the same as that defined in xlConfig.xml.
  permission java.net.SocketPermission "231.167.157.106", "connect,accept,resolve";

  // Property permissions
  // Read and write Oracle Identity Manager properties
  // Read XL.*, java.* and log4j.* properties
  permission java.util.PropertyPermission "XL.HomeDir", "read";
  permission java.util.PropertyPermission "XL.*", "read";
  permission java.util.PropertyPermission "XL.ConfigAutoReload", "read";
  permission java.util.PropertyPermission "log4j.*", "read";
  permission java.util.PropertyPermission "user.dir", "read";
  permission java.util.PropertyPermission "file.encoding", "read";
  permission java.util.PropertyPermission "java.class.path", "read";
  permission java.util.PropertyPermission "java.ext.dirs", "read";
  permission java.util.PropertyPermission "java.library.path", "read";

  // Runtime permissions
  // The Oracle Identity Manager server needs permissions
  // to create its own class loader, get the class loader,
  // modify threads and register shutdown hooks
  permission java.lang.RuntimePermission "createClassLoader";
  permission java.lang.RuntimePermission "getClassLoader";
  permission java.lang.RuntimePermission "setContextClassLoader";
  permission java.lang.RuntimePermission "setFactory";
  permission java.lang.RuntimePermission "modifyThread";
  permission java.lang.RuntimePermission "modifyThreadGroup";
  permission java.lang.RuntimePermission "shutdownHooks";
  // The Oracle Identity Manager server needs runtime
  // permissions to generate and load classes in the
  // following packages. Also access the
  // declared members of a class.
  permission java.lang.RuntimePermission "defineClassInPackage.com.thortech.xl.adapterGlue.ScheduleItemEvents";
  permission java.lang.RuntimePermission "defineClassInPackage.com.thortech.xl.dataobj.rulegenerators";
  permission java.lang.RuntimePermission "defineClassInPackage.com.thortech.xl.adapterGlue";
  permission java.lang.RuntimePermission "accessDeclaredMembers";

  // Reflection permissions
  // Give permissions to access and invoke fields/methods from
  // reflected classes.
  permission java.lang.reflect.ReflectPermission "suppressAccessChecks";

  // Security permissions for Oracle Identity Manager server
  permission java.security.SecurityPermission "*";
  permission java.security.SecurityPermission "insertProvider.IBMJCE";
  permission javax.security.auth.AuthPermission "doAs";
  permission javax.security.auth.AuthPermission "doPrivileged";
  permission javax.security.auth.AuthPermission "getSubject";
  permission javax.security.auth.AuthPermission "modifyPrincipals";
  permission javax.security.auth.AuthPermission "createLoginContext";
  permission javax.security.auth.AuthPermission "getLoginConfiguration";
  permission javax.security.auth.AuthPermission "setLoginConfiguration";
  permission java.security.SecurityPermission "getProperty.policy.allowSystemProperty";
  permission java.security.SecurityPermission "getProperty.login.config.url.1";
  permission javax.security.auth.AuthPermission "refreshLoginConfiguration";

  // SSL permission (for remote manager)
  permission javax.net.ssl.SSLPermission "getSSLSessionContext";

  // Serializable permissions
  permission java.io.SerializablePermission "enableSubstitution";
};

// Grant AllPermission to nexaweb-common.jar
grant codeBase "file:${was.install.root}/lib/nexaweb-common.jar" {
  permission java.security.AllPermission;
};

// Grant AllPermission to wssec.jar
grant codeBase "file:${was.install.root}/lib/wssec.jar" {
  permission java.security.AllPermission;
};

// Nexaweb server codebase permissions
// Change Cell "STDLPC28Node02Cell" Value in given code
grant codeBase "file:${user.install.root}/installedApps/STDLPC28Node02Cell/Nexaweb.ear/-" {
  // File permissions
  permission java.io.FilePermission "${user.install.root}/temp/STDLPC28Node02Cell/server1/-", "read,write,delete";
  permission java.io.FilePermission "${user.install.root}/installedApps/STDLPC28Node02Cell/Xellerate.ear/-", "read";
  permission java.io.FilePermission "${user.home}", "read, write";
  permission java.io.FilePermission "${user.install.root}/installedApps/STDLPC28Node02Cell/Nexaweb.ear/-", "read";
  permission java.io.FilePermission "${XL.HomeDir}/adapters/-", "read,write,delete";
  permission java.io.FilePermission "<<ALL FILES>>", "execute";

  // Property permissions
  permission java.util.PropertyPermission "user.dir", "read";
  permission java.util.PropertyPermission "*", "read,write";

  // Runtime permissions
  // Nexaweb server needs permissions to create its own class loader,
  // get the class loader etc.
  permission java.lang.RuntimePermission "createClassLoader";
  permission java.lang.RuntimePermission "getClassLoader";
  permission java.lang.RuntimePermission "setContextClassLoader";
  permission java.lang.RuntimePermission "setFactory";
  permission java.lang.RuntimePermission "shutdownHooks";

  // Nexaweb server security permissions to load the Cryptix
  // extension
  permission java.security.SecurityPermission "insertProvider.Cryptix";

  // Socket permissions
  // Permissions on all non-privileged ports.
  permission java.net.SocketPermission "*:1024-", "listen, connect, resolve";

  // Security permissions
  permission javax.security.auth.AuthPermission "doAs";
  permission javax.security.auth.AuthPermission "modifyPrincipals";
  permission javax.security.auth.AuthPermission "createLoginContext";
  permission java.lang.RuntimePermission "modifyThread";
  permission java.lang.RuntimePermission "accessClassInPackage.sun.security.action";
};

// The following are permissions given to codebase in the
// Oracle Identity Manager server directory
grant codeBase "file:${XL.HomeDir}/-" {
  // File permissions
  permission java.io.FilePermission "${XL.HomeDir}/config/-", "read";
  permission java.io.FilePermission "${XL.HomeDir}/JavaTasks/-", "read";
  permission java.io.FilePermission "${XL.HomeDir}/ScheduleTasks/-", "read";
  permission java.io.FilePermission "${XL.HomeDir}/ThirdParty/-", "read";
  permission java.io.FilePermission "${XL.HomeDir}/adapters/-", "read,write,delete";

  // Socket permissions
  permission java.net.SocketPermission "*:1024-", "connect,listen,resolve,accept";

  // Property permissions
  permission java.util.PropertyPermission "XL.HomeDir", "read";
  permission java.util.PropertyPermission "XL.ConfigAutoReload", "read";
  permission java.util.PropertyPermission "XL.*", "read";
  permission java.util.PropertyPermission "log4j.*", "read";
  permission java.util.PropertyPermission "user.dir", "read";

  // Security permissions
  permission javax.security.auth.AuthPermission "doAs";
  permission javax.security.auth.AuthPermission "modifyPrincipals";
  permission javax.security.auth.AuthPermission "createLoginContext";
  permission java.lang.RuntimePermission "modifyThread";
  permission java.lang.RuntimePermission "accessClassInPackage.sun.security.action";
};

// Default permissions granted to all domains
grant {
  // "standard" properties that can be read by anyone
  permission java.util.PropertyPermission "java.version", "read";
  permission java.util.PropertyPermission "java.vendor", "read";
  permission java.util.PropertyPermission "java.vendor.url", "read";
  permission java.util.PropertyPermission "java.class.version", "read";
  permission java.util.PropertyPermission "os.name", "read";
  permission java.util.PropertyPermission "os.version", "read";
  permission java.util.PropertyPermission "os.arch", "read";
  permission java.util.PropertyPermission "file.separator", "read";
  permission java.util.PropertyPermission "path.separator", "read";
  permission java.util.PropertyPermission "line.separator", "read";
  permission java.util.PropertyPermission "java.specification.version", "read";
  permission java.util.PropertyPermission "java.specification.vendor", "read";
  permission java.util.PropertyPermission "java.specification.name", "read";
  permission java.util.PropertyPermission "java.vm.specification.version", "read";
  permission java.util.PropertyPermission "java.vm.specification.vendor", "read";
  permission java.util.PropertyPermission "java.vm.specification.name", "read";
  permission java.util.PropertyPermission "java.vm.version", "read";
  permission java.util.PropertyPermission "java.vm.vendor", "read";
  permission java.util.PropertyPermission "java.vm.name", "read";
  permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
  permission java.lang.RuntimePermission "accessDeclaredMembers";
  permission java.util.PropertyPermission "XL.*", "read";
  permission java.util.PropertyPermission "user.dir", "read";
  permission java.util.PropertyPermission "*", "read,write";
  permission java.lang.RuntimePermission "getClassLoader";
  permission java.lang.RuntimePermission "createClassLoader";
  permission java.lang.RuntimePermission "setContextClassLoader";
  permission java.util.PropertyPermission "nexaweb.logs", "read,write";
  permission java.lang.RuntimePermission "loadLibrary.*";
  permission java.lang.RuntimePermission "queuePrintJob";
  permission java.net.SocketPermission "*", "connect";
  permission java.io.FilePermission "<<ALL FILES>>", "read,write";
  permission java.lang.RuntimePermission "modifyThreadGroup";
  permission javax.security.auth.AuthPermission "doAs";
  permission java.lang.RuntimePermission "modifyThread";
};
```
Note: A syntax error in the policy file can prevent the application from starting, so edit the policy file with care. Oracle recommends editing the policy file with the Policy Tool shipped with the JDK. The tool is available in the following directory.
This section describes the Java 2 security permissions for WebSphere in a clustered environment. To enable Java 2 security for Oracle Identity Manager running on a WebSphere cluster:

1. Log in to the WebSphere Administrative Console.
2. In the left navigation pane, expand the Security tab and click Secure administration, applications, and infrastructure.
3. Click the Security Configuration Wizard button. The Security Configuration Wizard is displayed.
4. On the Specify Extent of Protection page of the wizard, select the Use Java 2 security to restrict application access to local resources option.
5. On the Select User Repository page of the wizard, click Next.
6. On the Configure User Repository page of the wizard, enter XELSYSADM in the Primary administrative user name field. Click Next.
7. On the Summary page, click Finish.
8. To save this setting to the master configuration, click the Save link in the message and then click Apply.
9. Check whether WAS_HOME/profiles/<PROFILE_NAME>/properties/server.policy exists. If the file exists, edit it as described in "Policy File" to add the Java 2 security permissions. If the file does not exist, create it. Perform this step on every node on which Oracle Identity Manager is deployed.
Policy File

The server.policy file consists of the following code.

Note:
- Instructions for changing the code in the policy file are given as comments in bold font.
- Change the cell name in the code example to the cell name under which Oracle Identity Manager is installed. In this example, the cell name is
- This
- The multicast IP in this example
```
// WebSphere Server Security Policy
//
// Application client permissions are specified in client.policy
// Warning: Deviating from this policy might result in unexpected
// AccessControlExceptions if a more "fine grain" policy is
// specified.
// The application policy is specified in app.policy (per node) and was.policy
// (per enterprise application).
//
// Allow to use sun tools
grant codeBase "file:${java.home}/../lib/tools.jar" {
  permission java.security.AllPermission;
};

// WebSphere system classes
grant codeBase "file:${was.install.root}/plugins/-" {
  permission java.security.AllPermission;
};
grant codeBase "file:${was.install.root}/lib/-" {
  permission java.security.AllPermission;
};
grant codeBase "file:${was.install.root}/classes/-" {
  permission java.security.AllPermission;
};

// Allow the WebSphere deploy tool all permissions
grant codeBase "file:${was.install.root}/deploytool/-" {
  permission java.security.AllPermission;
};

// Allow Channel Framework classes all permission
grant codeBase "file:${was.install.root}/installedChannels/-" {
  permission java.security.AllPermission;
};

// WebSphere optional runtime classes
grant codeBase "file:${was.install.root}/optionalLibraries/-" {
  permission java.security.AllPermission;
};

// *****************************************************************
// From here, Oracle Identity Manager application permission start
// *****************************************************************
// OIM codebase permissions
// Change Cell "XL_CELL" Value to the one in your installation
grant codeBase "file:${user.install.root}/installedApps/XL_CELL/Xellerate.ear/-" {
  // File permissions
  // Change Nodes "XL_NODE1" Value and Server "XL_SERVER_ON_NODE1" value
  // to the one in your installation
  permission java.io.FilePermission "${user.install.root}/temp/XL_NODE1/XL_SERVER_ON_NODE_1/-", "read,write,delete";
  // Need read, write, and delete permissions on $OIM_HOME/config folder
  // to read various config files, write the
  // xlconfig.xml.{0,1,2..} files upon re-encryption and delete
  // the last xlconfig.xml if the numbers go above 9.
  permission java.io.FilePermission "${XL.HomeDir}/config/-", "read, write, delete";
  permission java.io.FilePermission "${XL.HomeDir}/-", "read";
  // Need read, write, and delete permissions to generate adapter java
  // code, delete the .class file when the adapter is loaded into
  // the database
  permission java.io.FilePermission "${XL.HomeDir}/adapters/-", "read,write,delete";
  // This is required by the connectors and connector installer
  permission java.io.FilePermission "${XL.HomeDir}/ConnectorDefaultDirectory/-", "read,write,delete";
  permission java.io.FilePermission "${XL.HomeDir}/connectorResources/-", "read,write,delete";
  // Must read Globalization resource bundle files for various
  // locales
  permission java.io.FilePermission "${XL.HomeDir}/customResources/-", "read";
  // Must read code from "JavaTasks", "ScheduleTask",
  // "ThirdParty", "EventHandlers" folder
  permission java.io.FilePermission "${XL.HomeDir}/EventHandlers/-", "read";
  permission java.io.FilePermission "${XL.HomeDir}/JavaTasks/-", "read";
  permission java.io.FilePermission "${XL.HomeDir}/ScheduleTask/-", "read";
  permission java.io.FilePermission "${XL.HomeDir}/ThirdParty/-", "read";
  // Required by the Generic Technology connector
  permission java.io.FilePermission "${XL.HomeDir}/GTC/-", "read";
  permission java.io.FilePermission "${java.home}/lib/-", "read";
  permission java.lang.RuntimePermission "accessClassInPackage.sun.security.action";
  // OIM server invokes the java compiler. You need "execute"
  // permissions on all files.
  permission java.io.FilePermission "<<ALL FILES>>", "execute";

  // Socket permissions
  // Basically we allow all permissions on non-privileged sockets
  // The multicast address should be the same as the one in
  // xlconfig.xml for javagroups communication
  permission java.net.SocketPermission "*:1024-", "connect,listen,resolve,accept";
  // This IP address is a multicast address on which cluster
  // communication takes place. Ensure that it is same as defined in
  // xlConfig.xml
  permission java.net.SocketPermission "231.145.165.117", "connect,accept,resolve";

  // Property permissions
  // Read and write OIM properties
  // Read XL.*, java.* and log4j.* properties
  permission java.util.PropertyPermission "XL.HomeDir", "read";
  permission java.util.PropertyPermission "XL.*", "read";
  permission java.util.PropertyPermission "XL.ConfigAutoReload", "read";
  permission java.util.PropertyPermission "log4j.*", "read";
  permission java.util.PropertyPermission "user.dir", "read";
  permission java.util.PropertyPermission "file.encoding", "read";
  permission java.util.PropertyPermission "java.class.path", "read";
  permission java.util.PropertyPermission "java.ext.dirs", "read";
  permission java.util.PropertyPermission "java.library.path", "read";

  // Runtime permissions
  // OIM server needs permissions to create its own class loader,
  // get the class loader, modify threads and register shutdown
  // hooks
  permission java.lang.RuntimePermission "createClassLoader";
  permission java.lang.RuntimePermission "getClassLoader";
  permission java.lang.RuntimePermission "setContextClassLoader";
  permission java.lang.RuntimePermission "setFactory";
  permission java.lang.RuntimePermission "modifyThread";
  permission java.lang.RuntimePermission "modifyThreadGroup";
  permission java.lang.RuntimePermission "shutdownHooks";
  // OIM server needs runtime permissions to generate and load
  // classes in the following packages. Also access the
  // declared members of a class.
  permission java.lang.RuntimePermission "defineClassInPackage.com.thortech.xl.adapterGlue.ScheduleItemEvents";
  permission java.lang.RuntimePermission "defineClassInPackage.com.thortech.xl.dataobj.rulegenerators";
  permission java.lang.RuntimePermission "defineClassInPackage.com.thortech.xl.adapterGlue";
  permission java.lang.RuntimePermission "accessDeclaredMembers";

  // Reflection permissions
  // Give permissions to access and invoke fields/methods from
  // reflected classes.
  permission java.lang.reflect.ReflectPermission "suppressAccessChecks";

  // Security permissions for OIM server
  permission java.security.SecurityPermission "*";
  permission java.security.SecurityPermission "insertProvider.IBMJCE";
  permission javax.security.auth.AuthPermission "doAs";
  permission javax.security.auth.AuthPermission "doPrivileged";
  permission javax.security.auth.AuthPermission "getSubject";
  permission javax.security.auth.AuthPermission "modifyPrincipals";
  permission javax.security.auth.AuthPermission "createLoginContext";
  permission javax.security.auth.AuthPermission "getLoginConfiguration";
  permission javax.security.auth.AuthPermission "setLoginConfiguration";
  permission java.security.SecurityPermission "getProperty.policy.allowSystemProperty";
  permission java.security.SecurityPermission "getProperty.login.config.url.1";
  permission javax.security.auth.AuthPermission "refreshLoginConfiguration";

  // SSL permission (for remote manager)
  permission javax.net.ssl.SSLPermission "getSSLSessionContext";

  // Serializable permissions
  permission java.io.SerializablePermission "enableSubstitution";
};

// Grant AllPermission to nexaweb-common.jar
grant codeBase "file:${was.install.root}/lib/nexaweb-common.jar" {
  permission java.security.AllPermission;
};

// Grant AllPermission to wssec.jar
grant codeBase "file:${was.install.root}/lib/wssec.jar" {
  permission java.security.AllPermission;
};

// Nexaweb codebase permissions
// Change Cell "XL_CELL", Node "XL_NODE1" and Server "XL_SERVER_ON_NODE1"
// values to the one in your install
grant codeBase "file:${user.install.root}/installedApps/XL_CELL/Nexaweb.ear/-" {
  // File permissions
  permission java.io.FilePermission "${user.install.root}/temp/XL_NODE1/XL_SERVER_ON_NODE_1/-", "read,write,delete";
  permission java.io.FilePermission "${user.install.root}/installedApps/XL_CELL/Xellerate.ear/-", "read";
  permission java.io.FilePermission "${user.home}", "read, write";
  permission java.io.FilePermission "${user.install.root}/installedApps/XL_CELL/Nexaweb.ear/-", "read";
  permission java.io.FilePermission "${XL.HomeDir}/adapters/-", "read,write,delete";
  permission java.io.FilePermission "<<ALL FILES>>", "execute";

  // Property permissions
  permission java.util.PropertyPermission "user.dir", "read";
  permission java.util.PropertyPermission "*", "read,write";

  // Runtime permissions
  // Nexaweb server needs permissions to create its own class loader,
  // get the class loader etc.
  permission java.lang.RuntimePermission "createClassLoader";
  permission java.lang.RuntimePermission "getClassLoader";
  permission java.lang.RuntimePermission "setContextClassLoader";
  permission java.lang.RuntimePermission "setFactory";
  permission java.lang.RuntimePermission "shutdownHooks";

  // Nexaweb server security permissions to load the Cryptix
  // extension
  permission java.security.SecurityPermission "insertProvider.Cryptix";

  // Socket permissions
  // Permissions on all non-privileged ports.
  permission java.net.SocketPermission "*:1024-", "listen, connect, resolve";

  // Security permissions
  permission javax.security.auth.AuthPermission "doAs";
  permission javax.security.auth.AuthPermission "modifyPrincipals";
  permission javax.security.auth.AuthPermission "createLoginContext";
  permission java.lang.RuntimePermission "modifyThread";
  permission java.lang.RuntimePermission "accessClassInPackage.sun.security.action";
};

// The following are permissions given to codebase in the OIM server
// directory
grant codeBase "file:${XL.HomeDir}/-" {
  // File permissions
  permission java.io.FilePermission "${XL.HomeDir}/config/-", "read";
  permission java.io.FilePermission "${XL.HomeDir}/JavaTasks/-", "read";
  permission java.io.FilePermission "${XL.HomeDir}/ScheduleTasks/-", "read";
  permission java.io.FilePermission "${XL.HomeDir}/ThirdParty/-", "read";
  permission java.io.FilePermission "${XL.HomeDir}/adapters/-", "read,write,delete";

  // Socket permissions
  permission java.net.SocketPermission "*:1024-", "connect,listen,resolve,accept";

  // Property permissions
  permission java.util.PropertyPermission "XL.HomeDir", "read";
  permission java.util.PropertyPermission "XL.ConfigAutoReload", "read";
  permission java.util.PropertyPermission "XL.*", "read";
  permission java.util.PropertyPermission "log4j.*", "read";
  permission java.util.PropertyPermission "user.dir", "read";

  // Security permissions
  permission javax.security.auth.AuthPermission "doAs";
  permission javax.security.auth.AuthPermission "modifyPrincipals";
  permission javax.security.auth.AuthPermission "createLoginContext";
  permission java.lang.RuntimePermission "modifyThread";
  permission java.lang.RuntimePermission "accessClassInPackage.sun.security.action";
};

// default permissions granted to all domains
grant {
  // "standard" properties that can be read by anyone
  permission java.util.PropertyPermission "java.version", "read";
  permission java.util.PropertyPermission "java.vendor", "read";
  permission java.util.PropertyPermission "java.vendor.url", "read";
  permission java.util.PropertyPermission "java.class.version", "read";
  permission java.util.PropertyPermission "os.name", "read";
  permission java.util.PropertyPermission "os.version", "read";
  permission java.util.PropertyPermission "os.arch", "read";
  permission java.util.PropertyPermission "file.separator", "read";
  permission java.util.PropertyPermission "path.separator", "read";
  permission java.util.PropertyPermission "line.separator", "read";
  permission java.util.PropertyPermission "java.specification.version", "read";
  permission java.util.PropertyPermission "java.specification.vendor", "read";
  permission java.util.PropertyPermission "java.specification.name", "read";
  permission java.util.PropertyPermission "java.vm.specification.version", "read";
  permission java.util.PropertyPermission "java.vm.specification.vendor", "read";
  permission java.util.PropertyPermission "java.vm.specification.name", "read";
  permission java.util.PropertyPermission "java.vm.version", "read";
  permission java.util.PropertyPermission "java.vm.vendor", "read";
  permission java.util.PropertyPermission "java.vm.name", "read";
  permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
  permission java.lang.RuntimePermission "accessDeclaredMembers";
  permission java.util.PropertyPermission "XL.*", "read";
  permission java.util.PropertyPermission "user.dir", "read";
  permission java.util.PropertyPermission "*", "read,write";
  permission java.lang.RuntimePermission "getClassLoader";
  permission java.lang.RuntimePermission "createClassLoader";
  permission java.lang.RuntimePermission "setContextClassLoader";
  permission java.util.PropertyPermission "nexaweb.logs", "read,write";
  permission java.lang.RuntimePermission "loadLibrary.*";
  permission java.lang.RuntimePermission "queuePrintJob";
  permission java.net.SocketPermission "*", "connect";
  permission java.io.FilePermission "<<ALL FILES>>", "read,write";
  permission java.lang.RuntimePermission "modifyThreadGroup";
  permission javax.security.auth.AuthPermission "doAs";
  permission java.lang.RuntimePermission "modifyThread";
  permission com.ibm.websphere.security.WebSphereRuntimePermission "AdminPermission";
};
```