Note: A syntax error in the policy file can prevent the application from starting, so edit the policy file with care. Oracle recommends editing it with the policy tool shipped with the JDK. The tool is available from the following directory:
To enable Java 2 security for Oracle Identity Manager running on Oracle Application Server:

1. Modify the Oracle Application Server run configuration in $OC4J_HOME/opmn/conf/opmn.xml and add -Djava.security.manager as a JVM option. This option enables the Java 2 security manager.

2. Check whether the file $ORACLE_HOME/j2ee/home/config/java2.policy exists. If it does, edit it and add the Java 2 security permissions listed under "Policy File". If java2.policy does not exist, create it.
Policy File

Make the following changes in the java2.policy file.
Note: The instructions for changing the code in the policy file are given in the comments inside the code. The multicast IP address in this example must match the one configured in xlconfig.xml for JavaGroups communication, and the path for the GTC-RECON connector files must be updated to the directory where those files actually are. In the example below, these files are located at C:\files\file1.
Locate the following line:

grant { permission java.util.PropertyPermission "javax.xml.parsers.DocumentBuilderFactory", "read"; };

Add the following line after it:

grant { permission java.util.PropertyPermission "javax.xml.parsers.DocumentBuilderFactory", "write"; };
Search for /*Default Grants copied from the JDK default system policy*/ and add the following code inside that grant block:

//Added for OIM
permission java.util.PropertyPermission "*", "read";
permission java.util.PropertyPermission "*", "write";
permission java.lang.RuntimePermission "queuePrintJob";
permission java.net.SocketPermission "*", "connect";
permission java.lang.RuntimePermission "accessClassInPackage.*";
permission javax.management.MBeanServerPermission "findMBeanServer";
permission javax.security.auth.AuthPermission "createLoginContext.*";
//Added for AQ
permission java.lang.RuntimePermission "accessDeclaredMembers";
// For Nexaweb
permission java.lang.RuntimePermission "getClassLoader";
permission java.lang.RuntimePermission "setContextClassLoader";
permission java.util.PropertyPermission "nexaweb.logs", "read,write";
permission java.util.PropertyPermission "sun.net.client.defaultConnectTimeout", "read,write";
permission java.util.PropertyPermission "sun.net.client.defaultReadTimeout", "read,write";
permission java.lang.RuntimePermission "loadLibrary.*";
permission java.lang.RuntimePermission "queuePrintJob";
permission java.net.SocketPermission "*", "connect";
permission java.io.FilePermission "<<ALL FILES>>", "read";
permission java.lang.RuntimePermission "modifyThreadGroup";
permission oracle.oc4j.security.OC4JRuntimePermission "oracle.oc4j.OC4JOnly";
permission javax.management.MBeanPermission "oracle.oc4j.admin.jmx.server.mbeans.model.DefaultModelMBeanImpl#-", "*";
// Change this to the directory where the logs are actually being created.
// If logs are created in more than one directory, make sure there is an entry for each of them here.
permission java.io.FilePermission "${oracle.home}\\opmn\\logs\\-", "read,write,delete";
permission java.io.FilePermission "${oracle.home}\\j2ee\\home\\logs\\-", "read,write,delete";
permission java.io.FilePermission "${oracle.home}\\j2ee\\home\\velocity.log", "read,write,delete";
/*
 * permission java.io.FilePermission "C:\\files\\file1\\-", "read,write,delete";
 * This entry has been added for the path of the directory where files are kept for
 * the GTC-RECON connector. Update the path to the correct value prior to
 * running the server.
 */
permission java.io.FilePermission "C:\\files\\file1\\-", "read,write,delete";
Add the following code below the "Add Custom Application Permission Grants Below" marker:

// Java code and extensions
// Trust java extensions
grant codeBase "file:${java.home}/lib/ext/-" {
    permission java.security.AllPermission;
};
/*grant codeBase "file:${XL.HomeDir}/logs/-" {
    permission java.security.AllPermission;
}; */
// Trust core java code
grant codeBase "file:${java.home}/lib/*" {
    permission java.security.AllPermission;
};
// For java.home pointing to the JDK jre directory
grant codeBase "file:${java.home}/jre/lib/-" {
    permission java.security.AllPermission;
};
// Grant all permissions to the nexaweb commons jar file
grant codeBase "file:${oracle.home}/j2ee/home/applib/nexaweb-common.jar" {
    permission java.security.AllPermission;
};
// OIM codebase permissions
grant codeBase "file:${oracle.home}/j2ee/home/applications/Xellerate/-" {
    // File permissions
    // Need read, write, and delete permissions on the $OIM_HOME/config folder
    // to read various config files, write the
    // xlconfig.xml.{0,1,2..} files upon re-encryption and delete
    // the last xlconfig.xml if the numbers go above 9.
    permission java.io.FilePermission "${XL.HomeDir}\\config\\-", "read, write, delete";
    permission java.io.FilePermission "${XL.HomeDir}\\-", "read";
    // Need read,write,delete permissions to generate adapter java
    // code, delete the .class file when the adapter is loaded into
    // the database
    permission java.io.FilePermission "${XL.HomeDir}\\adapters\\-", "read,write,delete";
    // This is required by the connectors and connector installer
    permission java.io.FilePermission "${XL.HomeDir}\\ConnectorDefaultDirectory\\-", "read,write,delete";
    permission java.io.FilePermission "${XL.HomeDir}\\adapters\\connectorResources\\-", "read,write,delete";
    // Read Globalization resource bundle files for various
    // locales
    permission java.io.FilePermission "${XL.HomeDir}\\adapters\\customResources\\-", "read";
    // Read code from "JavaTasks", "ScheduleTask",
    // "ThirdParty", "EventHandlers" folder
    permission java.io.FilePermission "${XL.HomeDir}\\EventHandlers\\-", "read";
    permission java.io.FilePermission "${XL.HomeDir}\\JavaTasks\\-", "read";
    permission java.io.FilePermission "${XL.HomeDir}\\ScheduleTask\\-", "read";
    permission java.io.FilePermission "${XL.HomeDir}\\ThirdParty\\-", "read";
    // Required by the Generic Technology connector
    permission java.io.FilePermission "${XL.HomeDir}\\GTC\\-", "read";
    // Server needs read permissions on Nexaweb home directory
    //permission java.io.FilePermission "${nexaweb.home}\\-", "read";
    // Read permissions on the "application-deployments" folder, the OIM deploy
    // directory
    permission java.io.FilePermission "${oracle.home}\\j2ee\\home\\application-deployments\\Xellerate\\-", "read,write,delete";
    permission java.io.FilePermission "${oracle.home}\\j2ee\\home\\-", "read,write,delete";
    permission java.io.FilePermission "${oracle.home}\\j2ee\\home\\applications\\Xellerate\\-", "read,write,delete";
    // OIM server invokes the java compiler. You need "execute"
    // permissions on all files.
    permission java.io.FilePermission "<<ALL FILES>>", "execute";
    // Socket permissions
    // Basically you allow all permissions on nonprivileged sockets
    // The multicast address should be the same as the one in
    // xlconfig.xml for javagroups communication
    permission java.net.SocketPermission "*", "connect,listen,resolve,accept";
    permission java.net.SocketPermission "231.184.202.110", "connect,accept";
    // Property permissions
    // Read and write OIM properties
    // Read XL.*, java.* and log4j.* properties
    permission java.util.PropertyPermission "XL.*", "read,write";
    permission java.util.PropertyPermission "*", "read, write";
    permission java.util.PropertyPermission "java.*", "read";
    permission java.util.PropertyPermission "log4j.*", "read";
    permission java.util.PropertyPermission "user.dir", "read";
    // Runtime permissions
    // OIM server needs permissions to create its own class loader,
    // get the class loader, modify threads and register shutdown
    // hooks
    permission java.lang.RuntimePermission "createClassLoader";
    permission java.lang.RuntimePermission "getClassLoader";
    permission java.lang.RuntimePermission "modifyThread";
    permission java.lang.RuntimePermission "modifyThreadGroup";
    permission java.lang.RuntimePermission "shutdownHooks";
    // OIM server needs runtime permissions to generate and load
    // classes in the below specified packages. Also access the
    // declared members of a class.
    permission java.lang.RuntimePermission "defineClassInPackage.com.thortech.xl.adapterGlue.ScheduleItemEvents";
    permission java.lang.RuntimePermission "defineClassInPackage.com.thortech.xl.dataobj.rulegenerators";
    permission java.lang.RuntimePermission "defineClassInPackage.com.thortech.xl.adapterGlue";
    permission java.lang.RuntimePermission "accessDeclaredMembers";
    // Reflection permissions
    // Give permissions to access and invoke fields/methods from
    // reflected classes.
    permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
    // Security permissions for OIM server
    permission java.security.SecurityPermission "*";
    permission javax.security.auth.AuthPermission "doAs";
    permission javax.security.auth.AuthPermission "doPrivileged";
    permission javax.security.auth.AuthPermission "getSubject";
    permission javax.security.auth.AuthPermission "modifyPrincipals";
    permission javax.security.auth.AuthPermission "createLoginContext";
    permission javax.security.auth.AuthPermission "createLoginContext.*";
    permission javax.security.auth.AuthPermission "getLoginConfiguration";
    permission javax.security.auth.AuthPermission "setLoginConfiguration";
    // SSL permission (for remote manager)
    permission javax.net.ssl.SSLPermission "getSSLSessionContext";
    permission java.net.SocketPermission "*:1024-", "listen";
    permission java.util.logging.LoggingPermission "control";
    permission java.lang.RuntimePermission "enableContextClassLoaderOverride";
    permission java.io.SerializablePermission "enableSubclassImplementation";
    permission java.io.SerializablePermission "enableSubstitution";
    permission java.net.SocketPermission "*:*", "connect,resolve";
    permission java.lang.RuntimePermission "createClassLoader";
    permission java.lang.RuntimePermission "getClassLoader";
    permission java.util.PropertyPermission "*", "read";
    permission java.util.PropertyPermission "LoadBalanceOnLookup", "read,write";
    permission javax.security.auth.AuthPermission "getPolicy";
    permission java.io.FilePermission "${oracle.home}\\j2ee\\home\\Xellerate.err", "read,write,delete";
    permission java.util.PropertyPermission "javax.*", "read,write";
};
// Nexaweb server codebase permissions
grant codeBase "file:${oracle.home}/j2ee/home/applications/Nexaweb/-" {
    // File permissions
    permission java.io.FilePermission "${user.home}", "read, write";
    permission java.io.FilePermission "${oracle.home}\\j2ee\\home\\application-deployments\\Nexaweb\\-", "read,write,delete";
    //permission java.io.FilePermission "${nexaweb.home}\\-", "read";
    // Property permissions
    permission java.util.PropertyPermission "*", "read,write";
    // Runtime permissions
    // Nexaweb server needs permissions to create its own class loader,
    // get the class loader etc.
    permission java.lang.RuntimePermission "createClassLoader";
    permission java.lang.RuntimePermission "getClassLoader";
    permission java.lang.RuntimePermission "setContextClassLoader";
    permission java.lang.RuntimePermission "setFactory";
    // Nexaweb server security permissions to load the Cryptix
    // extension
    permission java.security.SecurityPermission "insertProvider.Cryptix";
    // Socket permissions
    // Permissions on all non-privileged ports.
    permission java.net.SocketPermission "*:1024-", "listen, connect, resolve";
    // Security permissions
    permission javax.security.auth.AuthPermission "doAs";
    permission javax.security.auth.AuthPermission "modifyPrincipals";
    permission javax.security.auth.AuthPermission "createLoginContext";
    permission javax.security.auth.AuthPermission "createLoginContext.*";
    permission java.util.logging.LoggingPermission "control";
    permission java.io.SerializablePermission "enableSubclassImplementation";
    permission java.io.SerializablePermission "enableSubstitution";
    permission javax.security.auth.AuthPermission "getPolicy";
    permission java.net.SocketPermission "*:*", "connect,resolve";
    permission java.lang.RuntimePermission "createClassLoader";
    permission java.lang.RuntimePermission "getClassLoader";
    permission java.util.PropertyPermission "*", "read";
    permission java.util.PropertyPermission "LoadBalanceOnLookup", "read,write";
    permission java.io.FilePermission "${oracle.home}\\j2ee\\home\\-", "read,write,delete";
    permission java.util.PropertyPermission "javax.*", "read,write";
};
// The following are permissions given to codebase in the OIM server
// directory
grant codeBase "file:${XL.HomeDir}/-" {
    // File permissions
    permission java.io.FilePermission "${XL.HomeDir}\\config\\-", "read";
    permission java.io.FilePermission "${XL.HomeDir}\\JavaTasks\\-", "read";
    permission java.io.FilePermission "${XL.HomeDir}\\ScheduleTasks\\-", "read";
    permission java.io.FilePermission "${XL.HomeDir}\\ThirdParty\\-", "read";
    permission java.io.FilePermission "${XL.HomeDir}\\adapters\\-", "read,write,delete";
    //permission java.io.FilePermission "${nexaweb.home}\\-", "read";
    // Socket permissions
    permission java.net.SocketPermission "*", "listen";
    // Property permissions
    // Read XL.* and log4j.* properties
    permission java.util.PropertyPermission "XL.*", "read";
    permission java.util.PropertyPermission "log*", "read";
    // Security permissions
    permission javax.security.auth.AuthPermission "doAs";
    permission javax.security.auth.AuthPermission "modifyPrincipals";
    permission javax.security.auth.AuthPermission "createLoginContext";
    permission java.io.SerializablePermission "enableSubclassImplementation";
    permission java.io.SerializablePermission "enableSubstitution";
    permission java.util.logging.LoggingPermission "control";
    permission javax.security.auth.AuthPermission "createLoginContext.*";
    permission java.security.SecurityPermission "*";
    permission javax.security.auth.AuthPermission "getLoginConfiguration";
    permission javax.security.auth.AuthPermission "getPolicy";
    permission javax.security.auth.AuthPermission "setLoginConfiguration";
    permission java.security.SecurityPermission "insertProvider.Cryptix";
    // Socket permissions
    // Permissions on all non-privileged ports.
    permission java.net.SocketPermission "*:1024-", "listen, connect, resolve";
    permission java.net.SocketPermission "*:*", "connect,resolve";
    permission java.lang.RuntimePermission "createClassLoader";
    permission java.lang.RuntimePermission "getClassLoader";
    permission java.util.PropertyPermission "*", "read";
    permission java.util.PropertyPermission "LoadBalanceOnLookup", "read,write";
    permission java.io.FilePermission "${oracle.home}\\j2ee\\home\\-", "read,write,delete";
    permission java.util.PropertyPermission "javax.*", "read,write";
};
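The note at the top of this section warns that a malformed java2.policy can keep the server from starting, and the grants just added are broad: AllPermission on whole directories, "<<ALL FILES>>" execute, SecurityPermission "*", PropertyPermission "*" write and suppressAccessChecks, which together let the Xellerate codebase step outside the sandbox the security manager is meant to impose. The following Python script is an added example, not Oracle's policy tool and not part of Oracle Identity Manager or Oracle Application Server. It parses the grant and permission grammar used in this file (comments, an optional codeBase clause, permission entries; signedBy and principal clauses are not handled), so a syntax error is reported with its character offset before the restart, and it lists the grants that defeat the sandbox according to a list of permissions that is this example's own choice. The embedded sample policy is constructed from entries shown on this page.

```python
"""Syntax check and privilege lint for a Java 2 policy file (added example, not Oracle's tool)."""
import re

# Assumption: this example's own list of grants that defeat the sandbox, written as
# (permission class, target or None for any, action that must be present or None).
SANDBOX_DEFEATING = [
    ("java.security.AllPermission", None, None),
    ("java.io.FilePermission", "<<ALL FILES>>", None),
    ("java.security.SecurityPermission", "*", None),
    ("java.lang.reflect.ReflectPermission", "suppressAccessChecks", None),
    ("java.util.PropertyPermission", "*", "write"),
]

# Comments, "string literals", punctuation, a lone quote (an error) and bare words.
TOKEN_RE = re.compile(
    r'(?P<c>/\*.*?\*/|//[^\n]*)|"(?P<s>[^"\n]*)"|(?P<p>[{};,])|(?P<q>")|(?P<w>[^\s"{};,]+)', re.S)

def tokenize(src):
    """Yield (kind, value, offset) with kind str, punct or word; comments are dropped."""
    for m in TOKEN_RE.finditer(src):
        if m.group("q"):
            raise ValueError(f"unterminated string literal at offset {m.start()}")
        if m.group("s") is not None:
            yield "str", m.group("s"), m.start()
        elif m.group("p") or m.group("w"):
            yield ("punct" if m.group("p") else "word"), m.group("p") or m.group("w"), m.start()

def parse_policy(text):
    """Return [(codebase or None, [(cls, target, actions), ...]), ...] or raise ValueError."""
    toks, pos = list(tokenize(text)), 0
    def take(kind=None, value=None):        # consume one token, checking kind and value
        nonlocal pos
        k, v, off = toks[pos] if pos < len(toks) else ("eof", "", len(text))
        if k == "eof" or (kind and k != kind) or (value and v.lower() != value):
            raise ValueError(f"expected {value or kind} at offset {off}, got {v!r}")
        pos += 1
        return v
    def ahead(kind, value=None):            # look at the next token without consuming it
        return pos < len(toks) and toks[pos][0] == kind and value in (None, toks[pos][1])
    grants = []
    while pos < len(toks):
        take("word", "grant")
        codebase = None
        if ahead("word"):                   # grant codeBase "url" { ... };
            take("word", "codebase")
            codebase = take("str")
        take("punct", "{")
        perms = []
        while not ahead("punct", "}"):
            take("word", "permission")
            cls, target, actions = take("word"), "", ""
            if ahead("str"):                # "target" and optional , "actions"
                target = take("str")
                if ahead("punct", ","):
                    take()
                    actions = take("str")
            take("punct", ";")
            perms.append((cls, target, actions))
        take("punct", "}")
        take("punct", ";")
        grants.append((codebase, perms))
    return grants

def check_syntax(text):
    """None when the file parses, else the first error and its character offset."""
    try:
        parse_policy(text)
    except ValueError as exc:
        return str(exc)

def sandbox_escapes(grants):
    """(codebase, cls, target, actions) for every permission matched by SANDBOX_DEFEATING."""
    hits = []
    for codebase, perms in grants:
        for cls, target, actions in perms:
            granted = {a.strip() for a in actions.split(",")}
            for want_cls, want_target, want_action in SANDBOX_DEFEATING:
                if cls == want_cls and want_target in (None, target) and want_action in (None, *granted):
                    hits.append((codebase, cls, target, actions))
    return hits

# Constructed sample built from grants shown on this page.
SAMPLE_POLICY = r'''
grant { permission java.util.PropertyPermission "javax.xml.parsers.DocumentBuilderFactory", "read"; };
grant codeBase "file:${oracle.home}/j2ee/home/applications/Xellerate/-" {
    // OIM server invokes the java compiler
    permission java.io.FilePermission "<<ALL FILES>>", "execute";
    permission java.util.PropertyPermission "*", "read, write";
    permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
    permission java.security.SecurityPermission "*";
    permission java.io.FilePermission "${oracle.home}\\j2ee\\home\\logs\\-", "read,write,delete";
};
grant codeBase "file:${java.home}/lib/ext/-" { permission java.security.AllPermission; };
'''
# Constructed: the semicolon after "read" is missing, which a policy parser rejects.
BROKEN_POLICY = 'grant { permission java.util.PropertyPermission "j2ee.home", "read" };'

if __name__ == "__main__":
    print("broken file:", check_syntax(BROKEN_POLICY))
    for codebase, cls, target, actions in sandbox_escapes(parse_policy(SAMPLE_POLICY)):
        print(f"{codebase or '<all code>'}: {cls} {target!r} {actions!r}")
```

Run it on the real file with parse_policy(open(path).read()). Because the tokenizer consumes a string literal whole before looking inside it, the "//" in a codeBase such as "file://generated/by/oracle.j2ee.connector.proxy.BCELProxyClassLoader" in the full policy below is not mistaken for a comment. Once the file parses, the question for review is whether each flagged grant is needed at all: a codebase holding SecurityPermission "*" or AllPermission is no longer confined by the security manager.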
Policy File

The following is an example of the java2.policy file after the Oracle Identity Manager policy has been added.
/*
 * Standard policy file for Oracle Application Server
 *
 * When this file is in use the System property ${oracle.home} must
 * be set to $ORACLE_HOME or to the value of $ORACLE_HOME.
 *
 * When this file is in use via OPMN the System property
 * ${oracle.oc4j.instancename}
 * is used to identify the instance-level connector jars.
 *
 * This file grants AllPermission to "oc4j code"
 * oc4j code is code used either directly or indirectly by the app server
 * itself. Including code generated for ejb wrappers.
 * See oc4j.jar!boot.xml for a complete list. Currently this file
 * only lists jars that need permissions. Others can be
 * added if necessary.
 *
 * In a future release the grants will be refined so that
 * only the Permissions actually needed by Oracle Application Server
 * code will be granted.
 *
 * Calls to accessController.doPrivileged have been added to Oracle
 * Application Server with the intention that the application code only
 * be granted the Permissions needed by actions it performs directly.
 * It should not be granted Permissions required by J2EE
 * operations.
 *
 * For example if a Servlet (or jsp) forwards to a .jsp it does not
 * need Permission to read and compile the .jsp. Similarly the
 * application code associated with an ejb that specifies container
 * managed persistence does not need Permission to create a socket
 * talking to the database holding the underlying data. But an EJB
 * using bean managed persistence does need such Permission.
 */
grant codebase "file:${oracle.home}/j2ee/home/*" { permission java.security.AllPermission; };
grant codebase "file:${oracle.home}/j2ee/home/lib/*" { permission java.security.AllPermission; };
grant codebase "file:${oracle.home}/jlib/-" { permission java.security.AllPermission; };
grant codebase "file:${oracle.home}/bc4j/jlib/*" { permission java.security.AllPermission; };
grant codeBase "file:${oracle.home}/toplink/jlib/*" { permission java.security.AllPermission; };
grant codebase "file:${oracle.home}/dms/lib/*" { permission java.security.AllPermission; };
grant codebase "file:${oracle.home}/diagnostics/lib/*" { permission java.security.AllPermission; };
grant codebase "file:${oracle.home}/jdbc/lib/ojdbc14dms.jar" { permission java.security.AllPermission; };
grant codebase "file:${oracle.home}/dbjava/lib/*" { permission java.security.AllPermission; };
grant codebase "file:${oracle.home}/sqlj/lib/*" { permission java.security.AllPermission; };
grant codebase "file:${oracle.home}/javacache/lib/*" { permission java.security.AllPermission; };
grant codebase "file:${oracle.home}/uddi/lib/*" { permission java.security.AllPermission; };
grant codebase "file:${oracle.home}/xdk/lib/*" { permission java.security.AllPermission; };
grant codebase "file:${oracle.home}/opmn/lib/*" { permission java.security.AllPermission; };
grant codebase "file:${oracle.home}/webservices/lib/*" { permission java.security.AllPermission; };
grant codeBase "file:${oracle.home}/javavm/lib/-" { permission java.security.AllPermission; };
grant codebase "file:${oracle.home}/jsp/lib/*" { permission java.security.AllPermission; };
grant codebase "file:${oracle.home}/lib/*" { permission java.security.AllPermission; };
/** EJB skeleton/tie & BCEL proxy support **/
grant codeBase "file:generated/by/proxy" { permission java.security.AllPermission; };
grant codeBase "file://generated/by/oracle.j2ee.connector.proxy.BCELProxyClassLoader" { permission java.security.AllPermission; };
/* Miscellaneous grants to jars distributed as part of oc4j that might be used
 * in various ways */
grant codebase "file:${oracle.home}/j2ee/home/connectors/OracleASjms/OracleASjms/gjra.jar" { permission java.security.AllPermission; };
grant codebase "file:${oracle.home}/j2ee/${oracle.oc4j.instancename}/connectors/OracleASjms/OracleASjms/gjra.jar" { permission java.security.AllPermission; };
grant codebase "file:${oracle.home}/j2ee/home/connectors/datasources/datasources/datasources.jar" { permission java.security.AllPermission; };
grant codebase "file:${oracle.home}/j2ee/${oracle.oc4j.instancename}/connectors/datasources/datasources/datasources.jar" { permission java.security.AllPermission; };
grant codebase "file:${oracle.home}/j2ee/home/jsp/lib/*" { permission java.security.AllPermission; };
grant codebase "file:${oracle.home}/j2ee/home/jsp/lib/taglib/ojsputil.jar" { permission java.security.AllPermission; };
/* GRANTS TO DEFAULT APPLICATIONS */
grant codebase "file:${oracle.home}/j2ee/home/application-deployments/ascontrol/-" { permission java.security.AllPermission; };
grant codebase "file:${oracle.home}/j2ee/${oracle.oc4j.instancename}/application-deployments/ascontrol/-" { permission java.security.AllPermission; };
grant codebase "file:${oracle.home}/j2ee/home/applications/ascontrol/-" { permission java.security.AllPermission; };
grant codebase "file:${oracle.home}/j2ee/${oracle.oc4j.instancename}/applications/ascontrol/-" { permission java.security.AllPermission; };
grant codebase "file:${oracle.home}/j2ee/home/application-deployments/default/-" { permission java.security.AllPermission; };
grant codebase "file:${oracle.home}/j2ee/${oracle.oc4j.instancename}/application-deployments/default/-" { permission java.security.AllPermission; };
grant codebase "file:${oracle.home}/j2ee/home/applications/default/-" { permission java.security.AllPermission; };
grant codebase "file:${oracle.home}/j2ee/${oracle.oc4j.instancename}/applications/default/-" { permission java.security.AllPermission; };
grant codebase "file:${oracle.home}/j2ee/home/application-deployments/javasso/-" { permission java.security.AllPermission; };
grant codebase "file:${oracle.home}/j2ee/${oracle.oc4j.instancename}/application-deployments/javasso/-" { permission java.security.AllPermission; };
grant codebase "file:${oracle.home}/j2ee/home/applications/javasso/-" { permission java.security.AllPermission; };
grant codebase "file:${oracle.home}/j2ee/${oracle.oc4j.instancename}/applications/javasso/-" { permission java.security.AllPermission; };
grant codebase "file:${oracle.home}/j2ee/home/application-deployments/usermbean/-" { permission java.security.AllPermission; };
grant codebase "file:${oracle.home}/j2ee/${oracle.oc4j.instancename}/application-deployments/usermbean/-" { permission java.security.AllPermission; };
grant codebase "file:${oracle.home}/j2ee/home/applications/usermbean/-" { permission java.security.AllPermission; };
grant codebase "file:${oracle.home}/j2ee/${oracle.oc4j.instancename}/applications/usermbean/-" { permission java.security.AllPermission; };
grant codebase "file:${oracle.home}/j2ee/home/application-deployments/admin_ejb/-" { permission java.security.AllPermission; };
grant codebase "file:${oracle.home}/j2ee/${oracle.oc4j.instancename}/application-deployments/admin_ejb/-" { permission java.security.AllPermission; };
grant codebase "file:${oracle.home}/j2ee/home/applications/admin_ejb.jar" { permission java.security.AllPermission; };
grant codebase "file:${oracle.home}/j2ee/home/applications/admin_ejb/-" { permission java.security.AllPermission; };
grant codebase "file:${oracle.home}/j2ee/${oracle.oc4j.instancename}/applications/admin_ejb/-" { permission java.security.AllPermission; };
grant codebase "file:${oracle.home}/j2ee/home/applications/jmsrouter-ejb.jar" { permission java.security.AllPermission; };
grant codebase "file:${oracle.home}/j2ee/home/applications/jmsrouter" { permission java.security.AllPermission; };
grant codebase "file:${oracle.home}/j2ee/home/application-deployments/JMXSoapAdapter-web/-" { permission java.security.AllPermission; };
grant codebase "file:${oracle.home}/j2ee/${oracle.oc4j.instancename}/application-deployments/JMXSoapAdapter-web/-" { permission java.security.AllPermission; };
grant { permission java.util.PropertyPermission "j2ee.home", "read"; };
grant { permission java.util.PropertyPermission "java.home", "read"; };
grant { permission java.util.PropertyPermission "javax.xml.soap.SOAPFactory", "read"; };
grant { permission java.util.PropertyPermission "javax.activation.debug", "read"; };
grant { permission java.util.PropertyPermission "javax.xml.parsers.DocumentBuilderFactory", "read"; };
//Added for GTC
grant { permission java.util.PropertyPermission "javax.xml.parsers.DocumentBuilderFactory", "write"; };
grant { permission java.util.PropertyPermission "javax.xml.soap.MessageFactory", "read"; };
grant { permission java.util.PropertyPermission "jdbc.nontx.autocommit", "read"; };
grant { permission java.util.PropertyPermission "mail.URLName.dontencode", "read"; };
grant { permission java.util.PropertyPermission "oc4j.jmx.event.interval", "read"; };
grant { permission java.util.PropertyPermission "oc4j.jmx.heartbeat.interval", "read"; };
grant { permission java.util.PropertyPermission "oracle.jdbc.defaultNChar", "read"; };
grant { permission java.util.PropertyPermission "oracle.jdbc.DMSStatementMetrics", "read"; };
grant { permission java.util.PropertyPermission "oracle.jdbc.J2EE13Compliant", "read"; };
grant { permission java.util.PropertyPermission "oracle.jdbc.TcpNoDelay", "read"; };
grant { permission java.util.PropertyPermission "oracle.jdbc.useFetchSizeWithLongColumn", "read"; };
grant { permission java.util.PropertyPermission "oracle.jdbc.V8Compatible", "read"; };
grant { permission java.util.PropertyPermission "oracle.jserver.version", "read"; };
grant { permission java.util.PropertyPermission "oracle.xml.parser.debugmode", "read"; };
grant { permission java.util.PropertyPermission "oracle.xml.parser.default.character.set", "read"; };
grant { permission java.util.PropertyPermission "oracle.xml.xslt.jdwp", "read"; };
grant { permission java.util.PropertyPermission "orasaaj.soapversion", "read"; };
grant { permission java.util.PropertyPermission "org.apache.commons.logging.Log", "read"; };
grant { permission java.util.PropertyPermission "org.apache.commons.logging.LogFactory", "read"; };
grant { permission java.util.PropertyPermission "PersistenceManagerDebug", "read"; };
grant { permission java.util.PropertyPermission "pro.debug", "read"; };
grant { permission java.util.PropertyPermission "sqlj.runtime", "read"; };
grant { permission java.util.PropertyPermission "transaction.debug", "read"; };
grant { permission java.util.PropertyPermission "user.home", "read"; };
grant { permission java.util.PropertyPermission "user.name", "read"; };
grant { permission java.util.PropertyPermission "rmi.verbose", "read"; };
grant { permission java.util.PropertyPermission "AssociateUserToThread", "read"; };
grant { permission java.util.PropertyPermission "toplink.cts.collection.checkParameters", "read"; };
grant { permission java.util.PropertyPermission "AllowZeroInPK", "read"; };
grant { permission java.util.PropertyPermission "HTTPClient.Modules", "read"; };
grant { permission java.util.PropertyPermission "HTTPClient.Nagle", "read"; };
grant { permission java.util.PropertyPermission "HTTPClient.cookies.hosts.accept", "read"; };
grant { permission java.util.PropertyPermission "HTTPClient.cookies.hosts.reject", "read"; };
grant { permission java.util.PropertyPermission "HTTPClient.cookies.save", "read"; };
grant { permission java.util.PropertyPermission "HTTPClient.deferStreamed", "read"; };
grant { permission java.util.PropertyPermission "HTTPClient.disableKeepAlives", "read"; };
grant { permission java.util.PropertyPermission "HTTPClient.disable_pipelining", "read"; };
grant { permission java.util.PropertyPermission "HTTPClient.dontChunkRequests", "read"; };
grant { permission java.util.PropertyPermission "HTTPClient.dontTimeoutRespBody", "read"; };
grant { permission java.util.PropertyPermission "HTTPClient.forceHTTP_1.0", "read"; };
grant { permission java.util.PropertyPermission "HTTPClient.log.level", "read"; };
grant { permission java.util.PropertyPermission "HTTPClient.nonProxyHosts", "read"; };
grant { permission java.util.PropertyPermission "HTTPClient.socket.idleTimeout", "read"; };
grant { permission java.util.PropertyPermission "HTTPClient.socksHost", "read"; };
grant { permission java.util.PropertyPermission "HTTPClient.socksPort", "read"; };
grant { permission java.util.PropertyPermission "HTTPClient.socksVersion", "read"; };
grant { permission java.util.PropertyPermission "JavaClass.debug", "read"; };
grant { permission java.util.PropertyPermission "LoadBalanceOnLookup", "read"; };
grant { permission java.util.PropertyPermission "SQLLog", "read"; };
grant { permission java.util.PropertyPermission "USE_JAAS", "read"; };
grant { permission java.util.PropertyPermission "com.sun.enterprise.home", "read"; };
grant { permission java.util.PropertyPermission "customFinderMethod.noLazyLoading", "read"; };
grant { permission java.util.PropertyPermission "debug", "read"; };
grant { permission java.util.PropertyPermission "default.cmp.pm", "read"; };
grant { permission java.util.PropertyPermission "ejb.debug.verbose", "read"; };
grant { permission java.util.PropertyPermission "findByPrimaryKey.noLazyLoading", "read"; };
grant { permission java.util.PropertyPermission "http.nonProxyHosts", "read"; };
grant { permission java.util.PropertyPermission "http.proxyHost", "read"; };
grant { permission java.util.PropertyPermission "http.proxyPort", "read"; };
grant { permission java.util.PropertyPermission "java.ext.dirs", "read"; };
grant { permission java.util.PropertyPermission "java.class.path", "read"; };
grant { permission java.util.PropertyPermission "javax.xml.parsers.SAXParserFactory", "read"; };
grant { permission java.util.PropertyPermission "jca.connection.debug", "read"; };
grant { permission java.util.PropertyPermission "log4j.configDebug", "read"; };
grant { permission java.util.PropertyPermission "log4j.configuration", "read"; };
grant { permission java.util.PropertyPermission "log4j.debug", "read"; };
grant { permission java.util.PropertyPermission "log4j.defaultInitOverride", "read"; };
grant { permission java.util.PropertyPermission "log4j.disable", "read"; };
grant { permission java.util.PropertyPermission "log4j.disableOverride", "read"; };
grant { permission java.util.PropertyPermission "oneToOneJoin", "read"; };
grant { permission java.util.PropertyPermission "sun.boot.class.path", "read"; };
grant { permission java.util.PropertyPermission "toplink.changePolicy", "read"; };
grant { permission java.util.PropertyPermission "toplink.cts.collection.checkParameters", "read"; };
grant { permission java.util.PropertyPermission "toplink.cts.collection.checkTransaction", "read"; };
grant { permission java.util.PropertyPermission "toplink.defaultmapping.dbTableGenSetting", "read"; };
grant { permission java.util.PropertyPermission "toplink.defaultmapping.useExtendedTableNames", "read"; };
grant { permission java.util.PropertyPermission "toplink.log.destination", "read"; };
grant { permission java.util.PropertyPermission "toplink.log.level", "read"; };
grant { permission java.util.PropertyPermission "toplink.xml.platform", "read"; };
grant { permission java.util.PropertyPermission "upload.buflen", "read"; };
grant { permission java.util.PropertyPermission "user.dir", "read"; };
grant { permission java.util.PropertyPermission "javax.xml.soap.SOAPConnectionFactory", "read"; };
grant { permission java.util.PropertyPermission "HTTPClient.socket.idleTimeout", "write"; };
/* JDK */
grant codebase "file:${java.home}/../lib/tools.jar" { permission java.security.AllPermission; };
grant codeBase "file:${java.home}/lib/ext/*" { permission java.security.AllPermission; };
/* Default Grants copied from the JDK default system policy. */
grant {
    // "standard" properties that can be read by anyone.
    permission java.util.PropertyPermission "java.version", "read";
    permission java.util.PropertyPermission "java.vendor", "read";
    permission java.util.PropertyPermission "java.vendor.url", "read";
    permission java.util.PropertyPermission "java.class.version", "read";
    permission java.util.PropertyPermission "os.name", "read";
    permission java.util.PropertyPermission "os.version", "read";
    permission java.util.PropertyPermission "os.arch", "read";
    permission java.util.PropertyPermission "file.separator", "read";
    permission java.util.PropertyPermission "path.separator", "read";
    permission java.util.PropertyPermission "line.separator", "read";
    permission java.util.PropertyPermission "java.specification.version", "read";
    permission java.util.PropertyPermission "java.specification.vendor", "read";
    permission java.util.PropertyPermission "java.specification.name", "read";
    permission java.util.PropertyPermission "java.vm.specification.version", "read";
    permission java.util.PropertyPermission "java.vm.specification.vendor", "read";
    permission java.util.PropertyPermission "java.vm.specification.name", "read";
    permission java.util.PropertyPermission "java.vm.version", "read";
    permission java.util.PropertyPermission "java.vm.vendor", "read";
    permission java.util.PropertyPermission "java.vm.name", "read";
    /* The following are granted by the default jdk policy but are considered
     * unsafe and are omitted by this policy file */
    // permission java.lang.RuntimePermission "stopThread";
    // permission java.net.SocketPermission "localhost:1024-", "listen";
    // Added for Oracle Identity Manager
    permission java.util.PropertyPermission "*", "read";
    permission java.util.PropertyPermission "*", "write";
    permission java.lang.RuntimePermission "queuePrintJob";
    permission java.net.SocketPermission "*", "connect";
    permission java.lang.RuntimePermission "accessClassInPackage.*";
    permission javax.management.MBeanServerPermission "findMBeanServer";
    permission javax.security.auth.AuthPermission "createLoginContext.*";
    //Added for AQ
    permission java.lang.RuntimePermission "accessDeclaredMembers";
    // For Nexaweb
    permission java.lang.RuntimePermission "getClassLoader";
    permission java.lang.RuntimePermission "setContextClassLoader";
    permission java.util.PropertyPermission "nexaweb.logs", "read,write";
    permission java.util.PropertyPermission "sun.net.client.defaultConnectTimeout", "read,write";
    permission java.util.PropertyPermission "sun.net.client.defaultReadTimeout", "read,write";
    permission java.lang.RuntimePermission "loadLibrary.*";
    permission java.lang.RuntimePermission "queuePrintJob";
    permission java.net.SocketPermission "*", "connect";
    permission java.io.FilePermission "<<ALL FILES>>", "read";
    permission java.lang.RuntimePermission "modifyThreadGroup";
    permission oracle.oc4j.security.OC4JRuntimePermission "oracle.oc4j.OC4JOnly";
    permission javax.management.MBeanPermission "oracle.oc4j.admin.jmx.server.mbeans.model.DefaultModelMBeanImpl#-", "*";
    // Change this to the directory where the logs are actually being created.
    // If logs are created in more than one directory, make sure there is an entry for each of them here.
    permission java.io.FilePermission "${oracle.home}\\opmn\\logs\\-", "read,write,delete";
    permission java.io.FilePermission "${oracle.home}\\j2ee\\home\\logs\\-", "read,write,delete";
    permission java.io.FilePermission "${oracle.home}\\j2ee\\home\\velocity.log", "read,write,delete";
    /*
     * permission java.io.FilePermission "C:\\files\\file1\\-", "read,write,delete";
     * This entry has been added for the path of the directory where files are kept for
     * the GTC-RECON connector. Update the path to the correct value prior to running the
     * server.
     */
    permission java.io.FilePermission "C:\\files\\file1\\-", "read,write,delete";
};
/**
 ** Add Custom Application Permission Grants Below
 **/
// Java code and extensions
// Trust java extensions
grant codeBase "file:${java.home}/lib/ext/-" {
    permission java.security.AllPermission;
};
/*grant codeBase "file:${XL.HomeDir}/logs/-" {
    permission java.security.AllPermission;
}; */
// Trust core java code
grant codeBase "file:${java.home}/lib/*" {
    permission java.security.AllPermission;
};
// For java.home pointing to the JDK jre directory
grant codeBase "file:${java.home}/jre/lib/-" {
    permission java.security.AllPermission;
};
// Grant all permissions to the nexaweb commons jar file
grant codeBase "file:${oracle.home}/j2ee/home/applib/nexaweb-common.jar" {
    permission java.security.AllPermission;
};
// OIM codebase permissions
grant codeBase "file:${oracle.home}/j2ee/home/applications/Xellerate/-" {
    // File permissions
    // Need read,write,delete permissions on the $OIM_HOME/config folder
    // to read various config files, write the
    // xlconfig.xml.{0,1,2..} files upon re-encryption and delete
    // the last xlconfig.xml if the numbers go above 9.
    permission java.io.FilePermission "${XL.HomeDir}\\config\\-", "read, write, delete";
    permission java.io.FilePermission "${XL.HomeDir}\\-", "read";
    // Need read,write,delete permissions to generate adapter java
    // code, delete the .class file when the adapter is loaded into
    // the database
    permission java.io.FilePermission "${XL.HomeDir}\\adapters\\-", "read,write,delete";
    // This is required by the connectors and connector installer
    permission java.io.FilePermission "${XL.HomeDir}\\ConnectorDefaultDirectory\\-", "read,write,delete";
    permission java.io.FilePermission "${XL.HomeDir}\\adapters\\connectorResources\\-", "read,write,delete";
    // Read Globalization resource bundle files for various
    // locales
    permission java.io.FilePermission "${XL.HomeDir}\\adapters\\customResources\\-", "read";
    // Read code from "JavaTasks", "ScheduleTask",
    // "ThirdParty", "EventHandlers" folder
    permission java.io.FilePermission "${XL.HomeDir}\\EventHandlers\\-", "read";
    permission java.io.FilePermission "${XL.HomeDir}\\JavaTasks\\-", "read";
    permission java.io.FilePermission "${XL.HomeDir}\\ScheduleTask\\-", "read";
    permission java.io.FilePermission "${XL.HomeDir}\\ThirdParty\\-", "read";
    // Required by the Generic Technology connector
    permission java.io.FilePermission "${XL.HomeDir}\\GTC\\-", "read";
    // Server needs read permissions on Nexaweb home directory
    //permission java.io.FilePermission "${nexaweb.home}\\-", "read";
    // Read permissions on the "application-deployments" folder, the OIM deploy
    // directory
    permission java.io.FilePermission "${oracle.home}\\j2ee\\home\\application-deployments\\Xellerate\\-", "read,write,delete";
    permission java.io.FilePermission "${oracle.home}\\j2ee\\home\\-", "read,write,delete";
    permission java.io.FilePermission "${oracle.home}\\j2ee\\home\\applications\\Xellerate\\-", "read,write,delete";
    // OIM server invokes the java compiler. You need "execute"
    // permissions on all files.
permission java.io.FilePermission "<<ALL FILES>>", "execute"; // Socket permissions // Basically you allow all permissions on nonprivileged sockets // The multicast address should be the same as the one in // xlconfig.xml for javagroups communication permission java.net.SocketPermission "*", "connect,listen,resolve,accept"; permission java.net.SocketPermission "231.184.202.110", "connect,accept"; // Property permissions // Read and write OIM properties // Read XL.*, java.* and log4j.* properties permission java.util.PropertyPermission "XL.*", "read,write"; permission java.util.PropertyPermission "*", "read, write"; permission java.util.PropertyPermission "java.*", "read"; permission java.util.PropertyPermission "log4j.", "read"; permission java.util.PropertyPermission "user.dir", "read"; // Runtime permissions // OIM server needs permissions to create its own class loader, // get the class loader, modify threads and register shutdown // hooks permission java.lang.RuntimePermission "createClassLoader"; permission java.lang.RuntimePermission "getClassLoader"; permission java.lang.RuntimePermission "modifyThread"; permission java.lang.RuntimePermission "modifyThreadGroup"; permission java.lang.RuntimePermission "shutdownHooks"; // OIM server needs runtime permissions to generate and load // classes in the below specified packages. Also access the // declared members of a class. permission java.lang.RuntimePermission "defineClassInPackage.com.thortech.xl.adapterGlue.ScheduleItemEvents"; permission java.lang.RuntimePermission "defineClassInPackage.com.thortech.xl.dataobj.rulegenerators"; permission java.lang.RuntimePermission "defineClassInPackage.com.thortech.xl.adapterGlue"; permission java.lang.RuntimePermission "accessDeclaredMembers"; // Reflection permissions // Give permissions to access and invoke fields/methods from // reflected classes. 
permission java.lang.reflect.ReflectPermission "suppressAccessChecks"; // Security permissions for OIM server permission java.security.SecurityPermission "*"; permission javax.security.auth.AuthPermission "doAs"; permission javax.security.auth.AuthPermission "doPrivileged"; permission javax.security.auth.AuthPermission "getSubject"; permission javax.security.auth.AuthPermission "modifyPrincipals"; permission javax.security.auth.AuthPermission "createLoginContext"; permission javax.security.auth.AuthPermission "createLoginContext.*"; permission javax.security.auth.AuthPermission "getLoginConfiguration"; permission javax.security.auth.AuthPermission "setLoginConfiguration"; // SSL permission (for remote manager) permission javax.net.ssl.SSLPermission "getSSLSessionContext"; permission java.net.SocketPermission "*:1024-", "listen"; permission java.util.logging.LoggingPermission "control"; permission java.lang.RuntimePermission "enableContextClassLoaderOverride"; permission java.io.SerializablePermission "enableSubclassImplementation"; permission java.io.SerializablePermission "enableSubstitution"; permission java.net.SocketPermission "*:*", "connect,resolve"; permission java.lang.RuntimePermission "createClassLoader"; permission java.lang.RuntimePermission "getClassLoader"; permission java.util.PropertyPermission "*", "read"; permission java.util.PropertyPermission "LoadBalanceOnLookup", "read,write"; permission javax.security.auth.AuthPermission "getPolicy"; permission java.io.FilePermission "${oracle.home}\\j2ee\\home\\Xellerate.err", "read,write,delete"; permission java.util.PropertyPermission "javax.*", "read,write"; }; // Nexaweb server codebase permissions grant codeBase "file:${oracle.home}/j2ee/home/applications/Nexaweb/-" { // File permissions permission java.io.FilePermission "${user.home}", "read, write"; permission java.io.FilePermission "${oracle.home}\\j2ee\\home\\application-deployments\\Nexaweb\\-", "read,write,delete"; //permission 
java.io.FilePermission "${nexaweb.home}\\-", "read"; // Property permissions permission java.util.PropertyPermission "*", "read,write"; // Runtime permissions // Nexaweb server needs permissions to create its own class loader, // get the class loader etc. permission java.lang.RuntimePermission "createClassLoader"; permission java.lang.RuntimePermission "getClassLoader"; permission java.lang.RuntimePermission "setContextClassLoader"; permission java.lang.RuntimePermission "setFactory"; // Nexaweb server security permissions to load the Cryptix // extension permission java.security.SecurityPermission "insertProvider.Cryptix"; // Socket permissions // Permissions on all non-privileged ports. permission java.net.SocketPermission "*:1024-", "listen, connect, resolve"; // Security permissions permission javax.security.auth.AuthPermission "doAs"; permission javax.security.auth.AuthPermission "modifyPrincipals"; permission javax.security.auth.AuthPermission "createLoginContext"; permission javax.security.auth.AuthPermission "createLoginContext.*"; permission java.util.logging.LoggingPermission "control"; permission java.io.SerializablePermission "enableSubclassImplementation"; permission java.io.SerializablePermission "enableSubstitution"; permission javax.security.auth.AuthPermission "getPolicy"; permission java.net.SocketPermission "*:*", "connect,resolve"; permission java.lang.RuntimePermission "createClassLoader"; permission java.lang.RuntimePermission "getClassLoader"; permission java.util.PropertyPermission "*", "read"; permission java.util.PropertyPermission "LoadBalanceOnLookup", "read,write"; permission java.io.FilePermission "${oracle.home}\\j2ee\\home\\-", "read,write,delete"; permission java.util.PropertyPermission "javax.*", "read,write"; }; // The following are permissions given to codebase in the OIM server // directory grant codeBase "file:${XL.HomeDir}/-" { // File permissions permission java.io.FilePermission "${XL.HomeDir}\\config\\-", "read"; permission 
java.io.FilePermission "${XL.HomeDir}\\JavaTasks\\-", "read"; permission java.io.FilePermission "${XL.HomeDir}\\ScheduleTasks\\-", "read"; permission java.io.FilePermission "${XL.HomeDir}\\ThirdParty\\-", "read"; permission java.io.FilePermission "${XL.HomeDir}\\adapters\\-", "read,write,delete"; //permission java.io.FilePermission "${nexaweb.home}\\-", "read"; // Socket permissions permission java.net.SocketPermission "*", "listen"; // Property permissions // Read XL.* and log4j.* properties permission java.util.PropertyPermission "XL.*", "read"; permission java.util.PropertyPermission "log*", "read"; // Security permissions permission javax.security.auth.AuthPermission "doAs"; permission javax.security.auth.AuthPermission "modifyPrincipals"; permission javax.security.auth.AuthPermission "createLoginContext"; permission java.io.SerializablePermission "enableSubclassImplementation"; permission java.io.SerializablePermission "enableSubstitution"; permission java.util.logging.LoggingPermission "control"; permission javax.security.auth.AuthPermission "createLoginContext.*"; permission java.security.SecurityPermission "*"; permission javax.security.auth.AuthPermission "getLoginConfiguration"; permission javax.security.auth.AuthPermission "getPolicy"; permission javax.security.auth.AuthPermission "setLoginConfiguration"; permission java.security.SecurityPermission "insertProvider.Cryptix"; // Socket permissions // Permissions on all nonprivileged ports. 
permission java.net.SocketPermission "*:1024-","listen, connect, resolve"; permission java.net.SocketPermission "*:*", "connect,resolve"; permission java.lang.RuntimePermission "createClassLoader"; permission java.lang.RuntimePermission "getClassLoader"; permission java.util.PropertyPermission "*", "read"; permission java.util.PropertyPermission "LoadBalanceOnLookup", "read,write"; permission java.io.FilePermission "${oracle.home}\\j2ee\\home\\-", "read,write,delete"; permission java.util.PropertyPermission "javax.*", "read,write"; };
Note: A syntax error in the policy file can cause the application to fail to start. Edit the policy file with great care. Oracle recommends using the Policy Tool shipped with the JDK to edit policy files. The tool can be accessed from the following directory:
To enable Java 2 security for Oracle Identity Manager running on Oracle Application Server:
Modify the Oracle Application Server run configuration and add -Djava.security.manager as a JVM option for the Oracle Application Server instance on which Oracle Identity Manager is deployed. This change must be made in $OC4J_HOME/opmn/conf/opmn.xml.
Pass the following option to Oracle Application Server:
-Djava.security.manager
This option enables the Java 2 security manager.
Check whether the file $ORACLEAS_HOME/j2ee/<OC4J instance>/config/java2.policy exists. If it exists, edit it and add the Java 2 security permissions listed under "Policy File".
Note: If the java2.policy file does not exist, you must create it.
Policy File
Perform the following steps in the java2.policy file.
Note: The instructions for changing the code in the policy file are written in the comments. The comments are shown in bold font. - Change the Oracle Application Server instance name in the following example to reflect the Oracle Application Server on which you installed Oracle Identity Manager. This example uses xlClusterMember as the name of the instance on which Oracle Identity Manager is deployed. - This - The multicast IP in this example - You must update the path to the correct value for the location of the GTC-RECON connector files. In the following example, the location of these files is
Locate the following line:
grant { permission java.util.PropertyPermission "javax.xml.parsers.DocumentBuilderFactory", "read"; };
Add the following to this code:
grant { permission java.util.PropertyPermission "javax.xml.parsers.DocumentBuilderFactory", "write"; };
Search for /*Default Grants copied from the JDK default system policy*/ and add the following code to that grant:
  //Added for OIM
  permission java.util.PropertyPermission "*", "read";
  permission java.util.PropertyPermission "*", "write";
  permission java.lang.RuntimePermission "queuePrintJob";
  permission java.net.SocketPermission "*", "connect";
  permission java.lang.RuntimePermission "accessClassInPackage.*";
  permission javax.management.MBeanServerPermission "findMBeanServer";
  permission javax.security.auth.AuthPermission "createLoginContext.*";
  // For Nexaweb
  permission java.lang.RuntimePermission "getClassLoader";
  permission java.lang.RuntimePermission "setContextClassLoader";
  permission java.util.PropertyPermission "nexaweb.logs", "read,write";
  permission java.util.PropertyPermission "sun.net.client.defaultConnectTimeout", "read,write";
  permission java.util.PropertyPermission "sun.net.client.defaultReadTimeout", "read,write";
  permission java.lang.RuntimePermission "loadLibrary.*";
  permission java.lang.RuntimePermission "queuePrintJob";
  permission java.net.SocketPermission "*", "connect";
  permission java.io.FilePermission "<<ALL FILES>>", "read";
  permission java.lang.RuntimePermission "modifyThreadGroup";
  permission oracle.oc4j.security.OC4JRuntimePermission "oracle.oc4j.OC4JOnly";
  permission javax.management.MBeanPermission "oracle.oc4j.admin.jmx.server.mbeans.model.DefaultModelMBeanImpl#-", "*";
  permission javax.management.MBeanPermission "oracle.oc4j.admin.jmx.server.mbeans.model.DefaultModelMBeanImpl#fireXMLConfigEvent[default:j2eeType=OracleASJMSRouter]", "invoke";
  permission javax.management.MBeanPermission "oracle.oc4j.admin.management.mbeans.JMSPersistence#-", "*";
  permission javax.management.MBeanPermission "oracle.oc4j.admin.management.mbeans.JMSQueue#-", "*";
  permission javax.management.MBeanPermission "oracle.oc4j.admin.management.mbeans.JMS#-", "*";
  permission javax.management.MBeanPermission "oracle.j2ee.ws.server.mgmt.runtime.mbean.ServerInterceptorGlobalRuntime#-", "*";
  //Change this to the original directory where logs are being created
  //If logs are getting created in more than one directory ensure that you have two entries for them here.
  permission java.io.FilePermission "${oracle.home}\\opmn\\logs\\-", "read,write,delete";
  permission java.io.FilePermission "${oracle.home}\\j2ee\\xlClusterMember\\logs\\-", "read,write,delete";
  permission java.io.FilePermission "${oracle.home}\\j2ee\\home\\logs\\-", "read,write,delete";
  permission java.io.FilePermission "${oracle.home}\\j2ee\\xlClusterMember\\velocity.log", "read,write,delete";
  permission java.io.FilePermission "${oracle.home}\\j2ee\\home\\velocity.log", "read,write,delete";
  //This is added for the GTC-Recon Connector
  /*
   * permission java.io.FilePermission "C:\\files\\file1\\-", "read,write,delete";
   * property has been added for the path of directory where files are kept for
   * GTC-RECON connector. Update the path to correct value prior to
   * running the server.
   */
  permission java.io.FilePermission "C:\\files\\file1\\-", "read,write,delete";
  //Added for AQ
  permission java.lang.RuntimePermission "accessDeclaredMembers";
Under the custom application permissions, add the following code:
// Java code and extensions
// Trust java extensions
grant codeBase "file:${java.home}/lib/ext/-" {
  permission java.security.AllPermission;
};
/*grant codeBase "file:${XL.HomeDir}/logs/-" {
  permission java.security.AllPermission;
}; */
// Trust core java code
grant codeBase "file:${java.home}/lib/*" {
  permission java.security.AllPermission;
};
// For java.home pointing to the JDK jre directory
grant codeBase "file:${java.home}/jre/lib/-" {
  permission java.security.AllPermission;
};
// Grant All permissions to nexaweb commons jar file to be loaded from
grant codeBase "file:${oracle.home}/j2ee/xlClusterMember/applib/nexaweb-common.jar" {
  permission java.security.AllPermission;
};

// OIM codebase permissions
grant codeBase "file:${oracle.home}/j2ee/xlClusterMember/applications/Xellerate/-" {
  // File permissions
  // Need read, write, and delete permissions on $OIM_HOME/config folder
  // to read various config files, write the
  // xlconfig.xml.{0,1,2..} files upon re-encryption and delete
  // the last xlconfig.xml if the numbers go above 9.
  permission java.io.FilePermission "${XL.HomeDir}\\config\\-", "read, write, delete";
  permission java.io.FilePermission "${XL.HomeDir}\\-", "read";
  // Need read,write,delete permissions to generate adapter java
  // code, delete the .class file when the adapter is loaded into
  // the database
  permission java.io.FilePermission "${XL.HomeDir}\\adapters\\-", "read,write,delete";
  // This is required by the connectors and connector installer
  permission java.io.FilePermission "${XL.HomeDir}\\ConnectorDefaultDirectory\\-", "read,write,delete";
  permission java.io.FilePermission "${XL.HomeDir}\\adapters\\connectorResources\\-", "read,write,delete";
  // Read Globalization resource bundle files for various
  // locales
  permission java.io.FilePermission "${XL.HomeDir}\\adapters\\customResources\\-", "read";
  // Read code from "JavaTasks", "ScheduleTask",
  // "ThirdParty", "EventHandlers" folder
  permission java.io.FilePermission "${XL.HomeDir}\\EventHandlers\\-", "read";
  permission java.io.FilePermission "${XL.HomeDir}\\JavaTasks\\-", "read";
  permission java.io.FilePermission "${XL.HomeDir}\\ScheduleTask\\-", "read";
  permission java.io.FilePermission "${XL.HomeDir}\\ThirdParty\\-", "read";
  // Required by the Generic Technology connector
  permission java.io.FilePermission "${XL.HomeDir}\\GTC\\-", "read";
  // Server needs read permissions on Nexaweb home directory
  //permission java.io.FilePermission "${nexaweb.home}\\-", "read";
  // Read permissions on the "application-deployments" folder, the OIM deploy
  // directory
  permission java.io.FilePermission "${oracle.home}\\j2ee\\xlClusterMember\\application-deployments\\Xellerate\\-", "read,write,delete";
  permission java.io.FilePermission "${oracle.home}\\j2ee\\xlClusterMember\\-", "read,write,delete";
  permission java.io.FilePermission "${oracle.home}\\j2ee\\home\\-", "read,write,delete";
  permission java.io.FilePermission "${oracle.home}\\j2ee\\xlClusterMember\\applications\\Xellerate\\-", "read,write,delete";
  // OIM server invokes the java compiler. You need "execute"
  // permissions on all files.
  permission java.io.FilePermission "<<ALL FILES>>", "execute";
  // Socket permissions
  // Basically we allow all permissions on nonprivileged sockets
  // The multicast address should be the same as the one in
  // xlconfig.xml for javagroups communication
  permission java.net.SocketPermission "*", "connect,listen,resolve,accept";
  permission java.net.SocketPermission "231.111.153.118", "connect,accept";
  // Property permissions
  // Read and write OIM properties
  // Read XL.*, java.* and log4j.* properties
  permission java.util.PropertyPermission "XL.*", "read,write";
  permission java.util.PropertyPermission "*", "read, write";
  permission java.util.PropertyPermission "java.*", "read";
  permission java.util.PropertyPermission "log4j.*", "read";
  permission java.util.PropertyPermission "user.dir", "read";
  // Runtime permissions
  // OIM server needs permissions to create its own class loader,
  // get the class loader, modify threads and register shutdown
  // hooks
  permission java.lang.RuntimePermission "createClassLoader";
  permission java.lang.RuntimePermission "getClassLoader";
  permission java.lang.RuntimePermission "modifyThread";
  permission java.lang.RuntimePermission "modifyThreadGroup";
  permission java.lang.RuntimePermission "shutdownHooks";
  // OIM server needs runtime permissions to generate and load
  // classes in the below specified packages. Also access the
  // declared members of a class.
  permission java.lang.RuntimePermission "defineClassInPackage.com.thortech.xl.adapterGlue.ScheduleItemEvents";
  permission java.lang.RuntimePermission "defineClassInPackage.com.thortech.xl.dataobj.rulegenerators";
  permission java.lang.RuntimePermission "defineClassInPackage.com.thortech.xl.adapterGlue";
  permission java.lang.RuntimePermission "accessDeclaredMembers";
  // Reflection permissions
  // Give permissions to access and invoke fields/methods from
  // reflected classes.
  permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
  // Security permissions for OIM server
  permission java.security.SecurityPermission "*";
  permission javax.security.auth.AuthPermission "doAs";
  permission javax.security.auth.AuthPermission "doPrivileged";
  permission javax.security.auth.AuthPermission "getSubject";
  permission javax.security.auth.AuthPermission "modifyPrincipals";
  permission javax.security.auth.AuthPermission "createLoginContext";
  permission javax.security.auth.AuthPermission "createLoginContext.*";
  permission javax.security.auth.AuthPermission "getLoginConfiguration";
  permission javax.security.auth.AuthPermission "setLoginConfiguration";
  // SSL permission (for remote manager)
  permission javax.net.ssl.SSLPermission "getSSLSessionContext";
  permission java.net.SocketPermission "*:1024-", "listen";
  permission java.util.logging.LoggingPermission "control";
  permission java.lang.RuntimePermission "enableContextClassLoaderOverride";
  permission java.io.SerializablePermission "enableSubclassImplementation";
  permission java.io.SerializablePermission "enableSubstitution";
  permission java.net.SocketPermission "*:*", "connect,resolve";
  permission java.lang.RuntimePermission "createClassLoader";
  permission java.lang.RuntimePermission "getClassLoader";
  permission java.util.PropertyPermission "*", "read";
  permission java.util.PropertyPermission "LoadBalanceOnLookup", "read,write";
  permission javax.security.auth.AuthPermission "getPolicy";
  permission java.util.PropertyPermission "javax.*", "read,write";
  permission oracle.security.jazn.JAZNPermission "getRealmManager";
};

// Nexaweb server codebase permissions
grant codeBase "file:${oracle.home}/j2ee/xlClusterMember/applications/Nexaweb/-" {
  // File permissions
  permission java.io.FilePermission "${user.home}", "read, write";
  permission java.io.FilePermission "${oracle.home}\\j2ee\\xlClusterMember\\application-deployments\\Nexaweb\\-", "read,write,delete";
  //permission java.io.FilePermission "${nexaweb.home}\\-", "read";
  // Property permissions
  permission java.util.PropertyPermission "*", "read,write";
  // Runtime permissions
  // Nexaweb server needs permissions to create its own class loader,
  // get the class loader etc.
  permission java.lang.RuntimePermission "createClassLoader";
  permission java.lang.RuntimePermission "getClassLoader";
  permission java.lang.RuntimePermission "setContextClassLoader";
  permission java.lang.RuntimePermission "setFactory";
  // Nexaweb server security permissions to load the Cryptix
  // extension
  permission java.security.SecurityPermission "insertProvider.Cryptix";
  // Socket permissions
  // Permissions on all non-privileged ports.
  permission java.net.SocketPermission "*:1024-", "listen, connect, resolve";
  // Security permissions
  permission javax.security.auth.AuthPermission "doAs";
  permission javax.security.auth.AuthPermission "modifyPrincipals";
  permission javax.security.auth.AuthPermission "createLoginContext";
  permission javax.security.auth.AuthPermission "createLoginContext.*";
  permission java.util.logging.LoggingPermission "control";
  permission java.io.SerializablePermission "enableSubclassImplementation";
  permission java.io.SerializablePermission "enableSubstitution";
  permission javax.security.auth.AuthPermission "getPolicy";
  permission java.net.SocketPermission "*:*", "connect,resolve";
  permission java.lang.RuntimePermission "createClassLoader";
  permission java.lang.RuntimePermission "getClassLoader";
  permission java.util.PropertyPermission "*", "read";
  permission java.util.PropertyPermission "LoadBalanceOnLookup", "read,write";
  permission java.io.FilePermission "${oracle.home}\\j2ee\\xlClusterMember\\-", "read,write,delete";
  permission java.util.PropertyPermission "javax.*", "read,write";
};

// The following are permissions given to codebase in the OIM server
// directory
grant codeBase "file:${XL.HomeDir}/-" {
  // File permissions
  permission java.io.FilePermission "${XL.HomeDir}\\config\\-", "read";
  permission java.io.FilePermission "${XL.HomeDir}\\JavaTasks\\-", "read";
  permission java.io.FilePermission "${XL.HomeDir}\\ScheduleTasks\\-", "read";
  permission java.io.FilePermission "${XL.HomeDir}\\ThirdParty\\-", "read";
  permission java.io.FilePermission "${XL.HomeDir}\\adapters\\-", "read,write,delete";
  //permission java.io.FilePermission "${nexaweb.home}\\-", "read";
  // Socket permissions
  permission java.net.SocketPermission "*", "listen";
  // Property permissions
  // Read XL.* and log4j.* properties
  permission java.util.PropertyPermission "XL.*", "read";
  permission java.util.PropertyPermission "log*", "read";
  // Security permissions
  permission javax.security.auth.AuthPermission "doAs";
  permission javax.security.auth.AuthPermission "modifyPrincipals";
  permission javax.security.auth.AuthPermission "createLoginContext";
  permission java.io.SerializablePermission "enableSubclassImplementation";
  permission java.io.SerializablePermission "enableSubstitution";
  permission java.util.logging.LoggingPermission "control";
  permission javax.security.auth.AuthPermission "createLoginContext.*";
  permission java.security.SecurityPermission "*";
  permission javax.security.auth.AuthPermission "getLoginConfiguration";
  permission javax.security.auth.AuthPermission "getPolicy";
  permission javax.security.auth.AuthPermission "setLoginConfiguration";
  permission java.security.SecurityPermission "insertProvider.Cryptix";
  // Socket permissions
  // Permissions on all non-privileged ports.
  permission java.net.SocketPermission "*:1024-", "listen, connect, resolve";
  permission java.net.SocketPermission "*:*", "connect,resolve";
  permission java.lang.RuntimePermission "createClassLoader";
  permission java.lang.RuntimePermission "getClassLoader";
  permission java.util.PropertyPermission "*", "read";
  permission java.util.PropertyPermission "LoadBalanceOnLookup", "read,write";
  permission java.io.FilePermission "${oracle.home}\\j2ee\\xlClusterMember\\-", "read,write,delete";
  permission java.util.PropertyPermission "javax.*", "read,write";
};
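The note at the top of this procedure warns that a policy file error is only discovered when the server fails to start. The grants above (for the "home" instance and for xlClusterMember alike) can instead be dry-run in a plain JVM: the default file-based Policy provider is pointed at a candidate policy file and asked whether a given codeBase would hold a given permission. The following program is an added example and is not Oracle code; the class name PolicyDryRun, the placeholder values for oracle.home and XL.HomeDir, the jar file names used to build CodeSources, and the short policy excerpt it writes are all constructed here and do not appear in the product.

```java
import java.io.File;
import java.io.FilePermission;
import java.net.SocketPermission;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.security.CodeSource;
import java.security.Permission;
import java.security.Policy;
import java.security.ProtectionDomain;
import java.security.cert.Certificate;
import java.util.PropertyPermission;

/*
 * Dry-run check of a java2.policy file (added example, not Oracle code).
 * Loads a policy file as the JVM's Policy and asks whether code from a
 * given codeBase is granted a permission, without starting the server.
 */
public class PolicyDryRun {

    // Constructed excerpt in the shape of the page's OIM codeBase grant.
    // ${/} expands to the platform file separator, so the file is portable.
    static final String POLICY_TEXT =
        "grant codeBase \"file:${oracle.home}/j2ee/home/applications/Xellerate/-\" {\n"
      + "  permission java.io.FilePermission \"${XL.HomeDir}${/}config${/}-\", \"read,write,delete\";\n"
      + "  permission java.util.PropertyPermission \"XL.*\", \"read,write\";\n"
      + "  permission java.net.SocketPermission \"*:1024-\", \"listen\";\n"
      + "};\n";

    /** Loads policyFile as the sole policy source and returns the live Policy. */
    static Policy loadPolicy(File policyFile) {
        // The leading '=' tells the default provider to use only this file and
        // ignore the JRE's own java.policy, so results reflect the file alone.
        // A syntax error surfaces here as a parser warning and the bad grant is dropped.
        System.setProperty("java.security.policy", "=" + policyFile.getAbsolutePath());
        Policy policy = Policy.getPolicy();
        policy.refresh();   // re-read now that the property points at the file
        return policy;
    }

    /** Does code loaded from codeBase hold permission p under this policy? */
    static boolean granted(Policy policy, String codeBase, Permission p) throws Exception {
        CodeSource cs = new CodeSource(new URL(codeBase), (Certificate[]) null);
        return policy.implies(new ProtectionDomain(cs, null), p);
    }

    public static void main(String[] args) throws Exception {
        // Placeholder homes (assumption): on a real server OPMN sets oracle.home
        // and the OIM start-up scripts set XL.HomeDir.
        File oracleHome = new File(System.getProperty("java.io.tmpdir"), "oracle_home");
        File xlHome = new File(oracleHome, "xellerate");
        System.setProperty("oracle.home", oracleHome.getAbsolutePath());
        System.setProperty("XL.HomeDir", xlHome.getAbsolutePath());

        File policyFile = File.createTempFile("java2", ".policy");
        policyFile.deleteOnExit();
        Files.write(policyFile.toPath(), POLICY_TEXT.getBytes(StandardCharsets.UTF_8));
        Policy policy = loadPolicy(policyFile);

        // Hypothetical jar locations used only to build CodeSources for the check.
        String oimJar = new File(oracleHome, "j2ee/home/applications/Xellerate/xlDataObjects.jar").toURI().toString();
        String otherJar = new File(oracleHome, "j2ee/home/applications/other/app.jar").toURI().toString();

        Permission cfgRead = new FilePermission(new File(xlHome, "config/xlconfig.xml").getPath(), "read");
        Permission jaznRead = new FilePermission(new File(oracleHome, "j2ee/home/config/system-jazn-data.xml").getPath(), "read");
        Permission xlProp = new PropertyPermission("XL.HomeDir", "read");
        Permission homeProp = new PropertyPermission("user.home", "write");
        Permission highPort = new SocketPermission("localhost:8080", "listen");
        Permission lowPort = new SocketPermission("localhost:80", "listen");

        System.out.println("OIM jar   read xlconfig.xml        : " + granted(policy, oimJar, cfgRead));
        System.out.println("OIM jar   read system-jazn-data.xml: " + granted(policy, oimJar, jaznRead));
        System.out.println("OIM jar   read XL.HomeDir property : " + granted(policy, oimJar, xlProp));
        System.out.println("OIM jar   write user.home property : " + granted(policy, oimJar, homeProp));
        System.out.println("OIM jar   listen on port 8080      : " + granted(policy, oimJar, highPort));
        System.out.println("OIM jar   listen on port 80        : " + granted(policy, oimJar, lowPort));
        System.out.println("other jar read xlconfig.xml        : " + granted(policy, otherJar, cfgRead));
    }
}
```

To check the real file, replace POLICY_TEXT with the contents of java2.policy, set oracle.home and XL.HomeDir to the server's values, and build CodeSources from the actual jar paths under applications/Xellerate; a grant whose codeBase does not match the deployed path, or a FilePermission whose target lacks the trailing "-", shows up as an unexpected false before the server is restarted with -Djava.security.manager. The check exercises the standard Java policy provider only; it does not evaluate OC4J-specific permission classes such as oracle.oc4j.security.OC4JRuntimePermission, which need the OC4J jars on the classpath to be parsed.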
Policy File
The following is an example of the java2.policy file after the Oracle Identity Manager policies have been added.
/*
 * Standard policy file for Oracle Application Server
 *
 * When this file is in use the System property ${oracle.home} must
 * be set to $ORACLE_HOME or to the value of $ORACLE_HOME.
 *
 * When this file is in use via OPMN the System property
 * ${oracle.oc4j.instancename}
 * is used to identify the instance-level connector jars.
 *
 * This file grants AllPermission to "oc4j code"
 * oc4j code is code used either directly or indirectly by the app server
 * itself. Including code generated for ejb wrappers.
 * See oc4j.jar!boot.xml for a complete list. Currently this file
 * only lists jars that need permissions. Others can be
 * added if necessary.
 *
 * In a future release the grants will be refined so that
 * only the Permissions actually needed by Oracle Application Server
 * code will be granted.
 *
 * Calls to accessController.doPrivileged have been added to Oracle
 * Application Server with the intention that the application code only
 * be granted the Permissions needed by actions it performs directly.
 * It should not be granted Permissions required by J2EE
 * operations.
 *
 * For example if a Servlet (or jsp) forwards to a .jsp it does not
 * need Permission to read and compile the .jsp. Similarly the
 * application code associated with an ejb that specifies container
 * managed persistence does not need Permission to create a socket
 * talking to the database holding the underlying data. But an EJB
 * using bean managed persistence does need such Permission.
 */
grant codebase "file:${oracle.home}/j2ee/home/*" { permission java.security.AllPermission; };
grant codebase "file:${oracle.home}/j2ee/home/lib/*" { permission java.security.AllPermission; };
grant codebase "file:${oracle.home}/jlib/-" { permission java.security.AllPermission; };
grant codebase "file:${oracle.home}/bc4j/jlib/*" { permission java.security.AllPermission; };
grant codeBase "file:${oracle.home}/toplink/jlib/*" { permission java.security.AllPermission; };
grant codebase "file:${oracle.home}/dms/lib/*" { permission java.security.AllPermission; };
grant codebase "file:${oracle.home}/diagnostics/lib/*" { permission java.security.AllPermission; };
grant codebase "file:${oracle.home}/jdbc/lib/ojdbc14dms.jar" { permission java.security.AllPermission; };
grant codebase "file:${oracle.home}/dbjava/lib/*" { permission java.security.AllPermission; };
grant codebase "file:${oracle.home}/sqlj/lib/*" { permission java.security.AllPermission; };
grant codebase "file:${oracle.home}/javacache/lib/*" { permission java.security.AllPermission; };
grant codebase "file:${oracle.home}/uddi/lib/*" { permission java.security.AllPermission; };
grant codebase "file:${oracle.home}/xdk/lib/*" { permission java.security.AllPermission; };
grant codebase "file:${oracle.home}/opmn/lib/*" { permission java.security.AllPermission; };
grant codebase "file:${oracle.home}/webservices/lib/*" { permission java.security.AllPermission; };
grant codeBase "file:${oracle.home}/javavm/lib/-" { permission java.security.AllPermission; };
grant codebase "file:${oracle.home}/jsp/lib/*" { permission java.security.AllPermission; };
grant codebase "file:${oracle.home}/lib/*" { permission java.security.AllPermission; };

/** EJB skeleton/tie & BCEL proxy support **/
grant codeBase "file:generated/by/proxy" { permission java.security.AllPermission; };
grant codeBase "file://generated/by/oracle.j2ee.connector.proxy.BCELProxyClassLoader" { permission java.security.AllPermission; };

/**
 * Miscellaneous grants to jars distributed as part of oc4j that can be used
 * in various ways
 */
grant codebase "file:${oracle.home}/j2ee/home/connectors/OracleASjms/OracleASjms/gjra.jar" { permission java.security.AllPermission; };
grant codebase "file:${oracle.home}/j2ee/${oracle.oc4j.instancename}/connectors/OracleASjms/OracleASjms/gjra.jar" { permission java.security.AllPermission; };
grant codebase "file:${oracle.home}/j2ee/home/connectors/datasources/datasources/datasources.jar" { permission java.security.AllPermission; };
grant codebase "file:${oracle.home}/j2ee/${oracle.oc4j.instancename}/connectors/datasources/datasources/datasources.jar" { permission java.security.AllPermission; };
grant codebase "file:${oracle.home}/j2ee/home/jsp/lib/*" { permission java.security.AllPermission; };
grant codebase "file:${oracle.home}/j2ee/home/jsp/lib/taglib/ojsputil.jar" { permission java.security.AllPermission; };

/* GRANTS TO DEFAULT APPLICATIONS */
grant codebase "file:${oracle.home}/j2ee/xlClusterMember/application-deployments/ascontrol/-" { permission java.security.AllPermission; };
grant codebase "file:${oracle.home}/j2ee/${oracle.oc4j.instancename}/application-deployments/ascontrol/-" { permission java.security.AllPermission; };
grant codebase "file:${oracle.home}/j2ee/xlClusterMember/applications/ascontrol/-" { permission java.security.AllPermission; };
grant codebase "file:${oracle.home}/j2ee/${oracle.oc4j.instancename}/applications/ascontrol/-" { permission java.security.AllPermission; };
grant codebase "file:${oracle.home}/j2ee/xlClusterMember/application-deployments/default/-" { permission java.security.AllPermission; };
grant codebase "file:${oracle.home}/j2ee/${oracle.oc4j.instancename}/application-deployments/default/-" { permission java.security.AllPermission; };
grant codebase "file:${oracle.home}/j2ee/xlClusterMember/applications/default/-" { permission java.security.AllPermission; };
grant codebase "file:${oracle.home}/j2ee/${oracle.oc4j.instancename}/applications/default/-" { permission java.security.AllPermission; };
grant codebase "file:${oracle.home}/j2ee/home/application-deployments/javasso/-" { permission java.security.AllPermission; };
grant codebase "file:${oracle.home}/j2ee/${oracle.oc4j.instancename}/application-deployments/javasso/-" { permission java.security.AllPermission; };
grant codebase "file:${oracle.home}/j2ee/home/applications/javasso/-" { permission java.security.AllPermission; };
grant codebase "file:${oracle.home}/j2ee/${oracle.oc4j.instancename}/applications/javasso/-" { permission java.security.AllPermission; };
grant codebase "file:${oracle.home}/j2ee/home/application-deployments/usermbean/-" { permission java.security.AllPermission; };
grant codebase "file:${oracle.home}/j2ee/${oracle.oc4j.instancename}/application-deployments/usermbean/-" { permission java.security.AllPermission; };
grant codebase "file:${oracle.home}/j2ee/home/applications/usermbean/-" { permission java.security.AllPermission; };
grant codebase "file:${oracle.home}/j2ee/${oracle.oc4j.instancename}/applications/usermbean/-" { permission java.security.AllPermission; };
grant codebase "file:${oracle.home}/j2ee/xlClusterMember/application-deployments/admin_ejb/-" { permission java.security.AllPermission; };
grant codebase "file:${oracle.home}/j2ee/${oracle.oc4j.instancename}/application-deployments/admin_ejb/-" { permission java.security.AllPermission; };
grant codebase "file:${oracle.home}/j2ee/home/applications/admin_ejb.jar" { permission java.security.AllPermission; };
grant codebase "file:${oracle.home}/j2ee/home/applications/admin_ejb/-" { permission java.security.AllPermission; };
grant codebase "file:${oracle.home}/j2ee/${oracle.oc4j.instancename}/applications/admin_ejb/-" { permission java.security.AllPermission; };
grant codebase "file:${oracle.home}/j2ee/home/applications/jmsrouter-ejb.jar" { permission java.security.AllPermission; };
grant codebase "file:${oracle.home}/j2ee/home/applications/jmsrouter" { permission java.security.AllPermission; };
grant codebase "file:${oracle.home}/j2ee/xlClusterMember/application-deployments/JMXSoapAdapter-web/-" { permission java.security.AllPermission; };
grant codebase "file:${oracle.home}/j2ee/${oracle.oc4j.instancename}/application-deployments/JMXSoapAdapter-web/-" { permission java.security.AllPermission; };

grant { permission java.util.PropertyPermission "j2ee.home", "read"; };
grant { permission java.util.PropertyPermission "java.home", "read"; };
grant { permission java.util.PropertyPermission "javax.xml.soap.SOAPFactory", "read"; };
grant { permission java.util.PropertyPermission "javax.activation.debug", "read"; };
grant { permission java.util.PropertyPermission "javax.xml.parsers.DocumentBuilderFactory", "read"; };
grant { permission java.util.PropertyPermission "javax.xml.parsers.DocumentBuilderFactory", "write"; };
grant { permission java.util.PropertyPermission "javax.xml.soap.MessageFactory", "read"; };
grant { permission java.util.PropertyPermission "jdbc.nontx.autocommit", "read"; };
grant { permission java.util.PropertyPermission "mail.URLName.dontencode", "read"; };
grant { permission java.util.PropertyPermission "oc4j.jmx.event.interval", "read"; };
grant { permission java.util.PropertyPermission "oc4j.jmx.heartbeat.interval", "read"; };
grant { permission java.util.PropertyPermission "oracle.jdbc.defaultNChar", "read"; };
grant { permission java.util.PropertyPermission "oracle.jdbc.DMSStatementMetrics", "read"; };
grant { permission java.util.PropertyPermission "oracle.jdbc.J2EE13Compliant", "read"; };
grant { permission java.util.PropertyPermission "oracle.jdbc.TcpNoDelay", "read"; };
grant { permission java.util.PropertyPermission "oracle.jdbc.useFetchSizeWithLongColumn", "read"; };
grant { permission java.util.PropertyPermission "oracle.jdbc.V8Compatible", "read"; };
grant { permission java.util.PropertyPermission "oracle.jserver.version", "read"; };
grant { permission java.util.PropertyPermission "oracle.xml.parser.debugmode", "read"; };
grant { permission java.util.PropertyPermission "oracle.xml.parser.default.character.set", "read"; };
grant { permission java.util.PropertyPermission "oracle.xml.xslt.jdwp", "read"; };
grant { permission java.util.PropertyPermission "orasaaj.soapversion", "read"; };
grant { permission java.util.PropertyPermission "org.apache.commons.logging.Log", "read"; };
grant { permission java.util.PropertyPermission "org.apache.commons.logging.LogFactory", "read"; };
grant { permission java.util.PropertyPermission "PersistenceManagerDebug", "read"; };
grant { permission java.util.PropertyPermission "pro.debug", "read"; };
grant { permission java.util.PropertyPermission "sqlj.runtime", "read"; };
grant { permission java.util.PropertyPermission "transaction.debug", "read"; };
grant { permission java.util.PropertyPermission "user.home", "read"; };
grant { permission java.util.PropertyPermission "user.name", "read"; };
grant { permission java.util.PropertyPermission "rmi.verbose", "read"; };
grant { permission java.util.PropertyPermission "AssociateUserToThread", "read"; };
grant { permission java.util.PropertyPermission "toplink.cts.collection.checkParameters", "read"; };
grant { permission java.util.PropertyPermission "AllowZeroInPK", "read"; };
grant { permission java.util.PropertyPermission "HTTPClient.Modules", "read"; };
grant { permission java.util.PropertyPermission "HTTPClient.Nagle", "read"; };
grant { permission java.util.PropertyPermission "HTTPClient.cookies.hosts.accept", "read"; };
grant { permission java.util.PropertyPermission "HTTPClient.cookies.hosts.reject", "read"; };
grant { permission java.util.PropertyPermission "HTTPClient.cookies.save", "read"; };
grant { permission java.util.PropertyPermission "HTTPClient.deferStreamed", "read"; };
grant { permission java.util.PropertyPermission
"HTTPClient.disableKeepAlives", "read"; }; grant { permission java.util.PropertyPermission "HTTPClient.disable_pipelining", "read"; }; grant { permission java.util.PropertyPermission "HTTPClient.dontChunkRequests", "read"; }; grant { permission java.util.PropertyPermission "HTTPClient.dontTimeoutRespBody", "read"; }; grant { permission java.util.PropertyPermission "HTTPClient.forceHTTP_1.0", "read"; }; grant { permission java.util.PropertyPermission "HTTPClient.log.level", "read"; }; grant { permission java.util.PropertyPermission "HTTPClient.nonProxyHosts", "read"; }; grant { permission java.util.PropertyPermission "HTTPClient.socket.idleTimeout", "read"; }; grant { permission java.util.PropertyPermission "HTTPClient.socksHost", "read"; }; grant { permission java.util.PropertyPermission "HTTPClient.socksPort", "read"; }; grant { permission java.util.PropertyPermission "HTTPClient.socksVersion", "read"; }; grant { permission java.util.PropertyPermission "JavaClass.debug", "read"; }; grant { permission java.util.PropertyPermission "LoadBalanceOnLookup", "read"; }; grant { permission java.util.PropertyPermission "SQLLog", "read"; }; grant { permission java.util.PropertyPermission "USE_JAAS", "read"; }; grant { permission java.util.PropertyPermission "com.sun.enterprise.home", "read"; }; grant { permission java.util.PropertyPermission "customFinderMethod.noLazyLoading", "read"; }; grant { permission java.util.PropertyPermission "debug", "read"; }; grant { permission java.util.PropertyPermission "default.cmp.pm", "read"; }; grant { permission java.util.PropertyPermission "ejb.debug.verbose", "read"; }; grant { permission java.util.PropertyPermission "findByPrimaryKey.noLazyLoading", "read"; }; grant { permission java.util.PropertyPermission "http.nonProxyHosts", "read"; }; grant { permission java.util.PropertyPermission "http.proxyHost", "read"; }; grant { permission java.util.PropertyPermission "http.proxyPort", "read"; }; grant { permission 
java.util.PropertyPermission "java.ext.dirs", "read"; }; grant { permission java.util.PropertyPermission "java.class.path", "read"; }; grant { permission java.util.PropertyPermission "javax.xml.parsers.SAXParserFactory", "read"; }; grant { permission java.util.PropertyPermission "jca.connection.debug", "read"; }; grant { permission java.util.PropertyPermission "log4j.configDebug", "read"; }; grant { permission java.util.PropertyPermission "log4j.configuration", "read"; }; grant { permission java.util.PropertyPermission "log4j.debug", "read"; }; grant { permission java.util.PropertyPermission "log4j.defaultInitOverride", "read"; }; grant { permission java.util.PropertyPermission "log4j.disable", "read"; }; grant { permission java.util.PropertyPermission "log4j.disableOverride", "read"; }; grant { permission java.util.PropertyPermission "oneToOneJoin", "read"; }; grant { permission java.util.PropertyPermission "sun.boot.class.path", "read"; }; grant { permission java.util.PropertyPermission "toplink.changePolicy", "read"; }; grant { permission java.util.PropertyPermission "toplink.cts.collection.checkParameters", "read"; }; grant { permission java.util.PropertyPermission "toplink.cts.collection.checkTransaction", "read"; }; grant { permission java.util.PropertyPermission "toplink.defaultmapping.dbTableGenSetting", "read"; }; grant { permission java.util.PropertyPermission "toplink.defaultmapping.useExtendedTableNames", "read"; }; grant { permission java.util.PropertyPermission "toplink.log.destination", "read"; }; grant { permission java.util.PropertyPermission "toplink.log.level", "read"; }; grant { permission java.util.PropertyPermission "toplink.xml.platform", "read"; }; grant { permission java.util.PropertyPermission "upload.buflen", "read"; }; grant { permission java.util.PropertyPermission "user.dir", "read"; }; grant { permission java.util.PropertyPermission "javax.xml.soap.SOAPConnectionFactory", "read";}; grant { permission java.util.PropertyPermission 
"HTTPClient.socket.idleTimeout", "write";}; /* JDK */ grant codebase "file:${java.home}/../lib/tools.jar" { permission java.security.AllPermission; }; grant codeBase "file:${java.home}/lib/ext/*" { permission java.security.AllPermission; }; /* Default Grants copied from the JDK default system policy. */ grant { // "standard" properties that can be read by anyone. permission java.util.PropertyPermission "java.version", "read"; permission java.util.PropertyPermission "java.vendor", "read"; permission java.util.PropertyPermission "java.vendor.url", "read"; permission java.util.PropertyPermission "java.class.version", "read"; permission java.util.PropertyPermission "os.name", "read"; permission java.util.PropertyPermission "os.version", "read"; permission java.util.PropertyPermission "os.arch", "read"; permission java.util.PropertyPermission "file.separator", "read"; permission java.util.PropertyPermission "path.separator", "read"; permission java.util.PropertyPermission "line.separator", "read"; permission java.util.PropertyPermission "java.specification.version", "read"; permission java.util.PropertyPermission "java.specification.vendor", "read"; permission java.util.PropertyPermission "java.specification.name", "read"; permission java.util.PropertyPermission "java.vm.specification.version", "read"; permission java.util.PropertyPermission "java.vm.specification.vendor", "read"; permission java.util.PropertyPermission "java.vm.specification.name", "read"; permission java.util.PropertyPermission "java.vm.version", "read"; permission java.util.PropertyPermission "java.vm.vendor", "read"; permission java.util.PropertyPermission "java.vm.name", "read"; /* The following are granted by the default jdk policy but are considered * unsafe and are omitted by this policy file */ //permission java.lang.RuntimePermission "stopThread"; //permission java.net.SocketPermission "localhost:1024-", "listen"; permission java.util.PropertyPermission "*", "read"; permission 
java.util.PropertyPermission "*", "write"; permission java.lang.RuntimePermission "queuePrintJob"; permission java.net.SocketPermission "*", "connect"; permission java.lang.RuntimePermission "accessClassInPackage.*"; permission javax.management.MBeanServerPermission "findMBeanServer"; permission javax.security.auth.AuthPermission "createLoginContext.*"; // For Nexaweb permission java.lang.RuntimePermission "getClassLoader"; permission java.lang.RuntimePermission "setContextClassLoader"; permission java.util.PropertyPermission "nexaweb.logs", "read,write"; permission java.util.PropertyPermission "sun.net.client.defaultConnectTimeout", "read,write"; permission java.util.PropertyPermission "sun.net.client.defaultReadTimeout", "read,write"; permission java.lang.RuntimePermission "loadLibrary.*"; permission java.lang.RuntimePermission "queuePrintJob"; permission java.net.SocketPermission "*", "connect"; permission java.io.FilePermission "<<ALL FILES>>", "read"; permission java.lang.RuntimePermission "modifyThreadGroup"; permission oracle.oc4j.security.OC4JRuntimePermission "oracle.oc4j.OC4JOnly"; permission javax.management.MBeanPermission "oracle.oc4j.admin.jmx.server.mbeans.model.DefaultModelMBeanImpl#-", "*"; permission javax.management.MBeanPermission "oracle.oc4j.admin.jmx.server.mbeans.model.DefaultModelMBeanImpl#fireXMLConfigEvent[default:j2eeType=OracleASJMSRouter]", "invoke"; permission javax.management.MBeanPermission "oracle.oc4j.admin.management.mbeans.JMSPersistence#-", "*"; permission javax.management.MBeanPermission "oracle.oc4j.admin.management.mbeans.JMSQueue#-", "*"; permission javax.management.MBeanPermission "oracle.oc4j.admin.management.mbeans.JMS#-", "*"; permission javax.management.MBeanPermission "oracle.j2ee.ws.server.mgmt.runtime.mbean.ServerInterceptorGlobalRuntime#-","*"; //Change this to the original directory where logs are being geting created //If logs are getting created in more then one directory ensure that you have two entries for 
them here. permission java.io.FilePermission "${oracle.home}\\opmn\\logs\\-", "read,write,delete"; permission java.io.FilePermission "${oracle.home}\\j2ee\\xlClusterMember\\logs\\-", "read,write,delete"; permission java.io.FilePermission "${oracle.home}\\j2ee\\home\\logs\\-", "read,write,delete"; permission java.io.FilePermission "${oracle.home}\\j2ee\\xlClusterMember\\velocity.log", "read,write,delete"; permission java.io.FilePermission "${oracle.home}\\j2ee\\home\\velocity.log", "read,write,delete"; //This is added for the GTC-Recon Connector permission java.io.FilePermission "C:\\files\\file1\\-", "read,write,delete"; }; /** ** Add Custom Application Permission Grants Below **/ // Java code and extensions // Trust java extensions grant codeBase "file:${java.home}/lib/ext/-" { permission java.security.AllPermission; }; /*grant codeBase "file:${XL.HomeDir}/logs/-" { permission java.security.AllPermission; }; */ // Trust core java code grant codeBase "file:${java.home}/lib/*" { permission java.security.AllPermission; }; // For java.home pointing to the JDK jre directory grant codeBase "file:${java.home}/jre/lib/-" { permission java.security.AllPermission; }; // Grant All permissions to nexaweb commons jar file to be loaded from grant codeBase "file:${oracle.home}/j2ee/xlClusterMember/applib/nexaweb-common.jar" { permission java.security.AllPermission; }; // OIM codebase permissions grant codeBase "file:${oracle.home}/j2ee/xlClusterMember/applications/Xellerate/-" { // File permissions // Need read,write,delete permissions on $OIM_HOME/config folder // to read various config files, write the // xlconfig.xml.{0,1,2..} files upon re-encryption and delete // the last xlconfig.xml if the numbers go above 9. 
permission java.io.FilePermission "${XL.HomeDir}\\config\\-", "read, write, delete"; permission java.io.FilePermission "${XL.HomeDir}\\-", "read"; // Need read,write,delete permissions to generate adapter java // code, delete the .class file when the adapter is loaded into // the database permission java.io.FilePermission "${XL.HomeDir}\\adapters\\-", "read,write,delete"; // This is required by the connectors and connector installer permission java.io.FilePermission "${XL.HomeDir}\\ConnectorDefaultDirectory\\-", "read,write,delete"; permission java.io.FilePermission "${XL.HomeDir}\\adapters\\connectorResources\\-", "read,write,delete"; // Read Globalization resource bundle files for various // locales permission java.io.FilePermission "${XL.HomeDir}\\adapters\\customResources\\-", "read"; // Read code from "JavaTasks", "ScheduleTask", // "ThirdParty", "EventHandlers" folder permission java.io.FilePermission "${XL.HomeDir}\\EventHandlers\\-", "read"; permission java.io.FilePermission "${XL.HomeDir}\\JavaTasks\\-", "read"; permission java.io.FilePermission "${XL.HomeDir}\\ScheduleTask\\-", "read"; permission java.io.FilePermission "${XL.HomeDir}\\ThirdParty\\-", "read"; // Required by the Generic Technology connector permission java.io.FilePermission "${XL.HomeDir}\\GTC\\-", "read"; // Server needs read permissions on Nexaweb home directory //permission java.io.FilePermission "${nexaweb.home}\\-", "read"; // Read permissions on the "applicatin-deployments" folder, the OIM deploy // directory permission java.io.FilePermission "${oracle.home}\\j2ee\\xlClusterMember\\application-deployments\\Xellerate\\-", "read,write,delete"; permission java.io.FilePermission "${oracle.home}\\j2ee\\xlClusterMember\\-", "read,write,delete"; permission java.io.FilePermission "${oracle.home}\\j2ee\\home\\-", "read,write,delete"; permission java.io.FilePermission "${oracle.home}\\j2ee\\xlClusterMember\\applications\\Xellerate\\-", "read,write,delete"; // OIM server invokes the java 
compiler. You need "execute" // permissions on all files. permission java.io.FilePermission "<<ALL FILES>>", "execute"; // Socket permissions // Basically you allow all permissions on nonprivileged sockets // The multicast address should be the same as the one in // xlconfig.xml for javagroups communication permission java.net.SocketPermission "*", "connect,listen,resolve,accept"; permission java.net.SocketPermission "231.111.153.118", "connect,accept"; // Property permissions // Read and write OIM properties // Read XL.*, java.* and log4j.* properties permission java.util.PropertyPermission "XL.*", "read,write"; permission java.util.PropertyPermission "*", "read, write"; permission java.util.PropertyPermission "java.*", "read"; permission java.util.PropertyPermission "log4j.", "read"; permission java.util.PropertyPermission "user.dir", "read"; // Runtime permissions // OIM server needs permissions to create its own class loader, // get the class loader, modify threads and register shutdown // hooks permission java.lang.RuntimePermission "createClassLoader"; permission java.lang.RuntimePermission "getClassLoader"; permission java.lang.RuntimePermission "modifyThread"; permission java.lang.RuntimePermission "modifyThreadGroup"; permission java.lang.RuntimePermission "shutdownHooks"; // OIM server needs runtime permissions to generate and load // classes in the below specified packages. Also access the // declared members of a class. permission java.lang.RuntimePermission "defineClassInPackage.com.thortech.xl.adapterGlue.ScheduleItemEvents"; permission java.lang.RuntimePermission "defineClassInPackage.com.thortech.xl.dataobj.rulegenerators"; permission java.lang.RuntimePermission "defineClassInPackage.com.thortech.xl.adapterGlue"; permission java.lang.RuntimePermission "accessDeclaredMembers"; // Reflection permissions // Give permissions to access and invoke fields/methods from // reflected classes. 
permission java.lang.reflect.ReflectPermission "suppressAccessChecks"; // Security permissions for OIM server permission java.security.SecurityPermission "*"; permission javax.security.auth.AuthPermission "doAs"; permission javax.security.auth.AuthPermission "doPrivileged"; permission javax.security.auth.AuthPermission "getSubject"; permission javax.security.auth.AuthPermission "modifyPrincipals"; permission javax.security.auth.AuthPermission "createLoginContext"; permission javax.security.auth.AuthPermission "createLoginContext.*"; permission javax.security.auth.AuthPermission "getLoginConfiguration"; permission javax.security.auth.AuthPermission "setLoginConfiguration"; // SSL permission (for remote manager) permission javax.net.ssl.SSLPermission "getSSLSessionContext"; permission java.net.SocketPermission "*:1024-", "listen"; permission java.util.logging.LoggingPermission "control"; permission java.lang.RuntimePermission "enableContextClassLoaderOverride"; permission java.io.SerializablePermission "enableSubclassImplementation"; permission java.io.SerializablePermission "enableSubstitution"; permission java.net.SocketPermission "*:*", "connect,resolve"; permission java.lang.RuntimePermission "createClassLoader"; permission java.lang.RuntimePermission "getClassLoader"; permission java.util.PropertyPermission "*", "read"; permission java.util.PropertyPermission "LoadBalanceOnLookup", "read,write"; permission javax.security.auth.AuthPermission "getPolicy"; permission java.util.PropertyPermission "javax.*", "read,write"; permission oracle.security.jazn.JAZNPermission "getRealmManager"; }; // Nexaweb server codebase permissions grant codeBase "file:${oracle.home}/j2ee/xlClusterMember/applications/Nexaweb/-" { // File permissions permission java.io.FilePermission "${user.home}", "read, write"; permission java.io.FilePermission "${oracle.home}\\j2ee\\xlClusterMember\\application-deployments\\Nexaweb\\-", "read,write,delete"; //permission java.io.FilePermission 
"${nexaweb.home}\\-", "read"; // Property permissions permission java.util.PropertyPermission "*", "read,write"; // Runtime permissions // Nexaweb server needs permissions to create its own class loader, // get the class loader etc. permission java.lang.RuntimePermission "createClassLoader"; permission java.lang.RuntimePermission "getClassLoader"; permission java.lang.RuntimePermission "setContextClassLoader"; permission java.lang.RuntimePermission "setFactory"; // Nexaweb server security permissions to load the Cryptix // extension permission java.security.SecurityPermission "insertProvider.Cryptix"; // Socket permissions // Permissions on all non-privileged ports. permission java.net.SocketPermission "*:1024-", "listen, connect, resolve"; // Security permissions permission javax.security.auth.AuthPermission "doAs"; permission javax.security.auth.AuthPermission "modifyPrincipals"; permission javax.security.auth.AuthPermission "createLoginContext"; permission javax.security.auth.AuthPermission "createLoginContext.*"; permission java.util.logging.LoggingPermission "control"; permission java.io.SerializablePermission "enableSubclassImplementation"; permission java.io.SerializablePermission "enableSubstitution"; permission javax.security.auth.AuthPermission "getPolicy"; permission java.net.SocketPermission "*:*", "connect,resolve"; permission java.lang.RuntimePermission "createClassLoader"; permission java.lang.RuntimePermission "getClassLoader"; permission java.util.PropertyPermission "*", "read"; permission java.util.PropertyPermission "LoadBalanceOnLookup", "read,write"; permission java.io.FilePermission "${oracle.home}\\j2ee\\xlClusterMember\\-", "read,write,delete"; permission java.util.PropertyPermission "javax.*", "read,write"; }; // The following are permissions given to codebase in the OIM server // directory grant codeBase "file:${XL.HomeDir}/-" { // File permissions permission java.io.FilePermission "${XL.HomeDir}\\config\\-", "read"; permission 
java.io.FilePermission "${XL.HomeDir}\\JavaTasks\\-", "read"; permission java.io.FilePermission "${XL.HomeDir}\\ScheduleTasks\\-", "read"; permission java.io.FilePermission "${XL.HomeDir}\\ThirdParty\\-", "read"; permission java.io.FilePermission "${XL.HomeDir}\\adapters\\-", "read,write,delete"; //permission java.io.FilePermission "${nexaweb.home}\\-", "read"; // Socket permissions permission java.net.SocketPermission "*", "listen"; // Property permissions // Read XL.* and log4j.* properties permission java.util.PropertyPermission "XL.*", "read"; permission java.util.PropertyPermission "log*", "read"; // Security permissions permission javax.security.auth.AuthPermission "doAs"; permission javax.security.auth.AuthPermission "modifyPrincipals"; permission javax.security.auth.AuthPermission "createLoginContext"; permission java.io.SerializablePermission "enableSubclassImplementation"; permission java.io.SerializablePermission "enableSubstitution"; permission java.util.logging.LoggingPermission "control"; permission javax.security.auth.AuthPermission "createLoginContext.*"; permission java.security.SecurityPermission "*"; permission javax.security.auth.AuthPermission "getLoginConfiguration"; permission javax.security.auth.AuthPermission "getPolicy"; permission javax.security.auth.AuthPermission "setLoginConfiguration"; permission java.security.SecurityPermission "insertProvider.Cryptix"; // Socket permissions // Permissions on all non-privileged ports. 
permission java.net.SocketPermission "*:1024-","listen, connect, resolve"; permission java.net.SocketPermission "*:*", "connect,resolve"; permission java.lang.RuntimePermission "createClassLoader"; permission java.lang.RuntimePermission "getClassLoader"; permission java.util.PropertyPermission "*", "read"; permission java.util.PropertyPermission "LoadBalanceOnLookup", "read,write"; permission java.io.FilePermission "${oracle.home}\\j2ee\\xlClusterMember\\-", "read,write,delete"; permission java.util.PropertyPermission "javax.*", "read,write"; };
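The policy above mixes the JDK default grants, OC4J-internal AllPermission grants and the OIM-specific codeBase grants, and several entries are deliberately broad (AllPermission, `<<ALL FILES>>` with execute, SocketPermission `*` with listen/accept, PropertyPermission `*` with write, SecurityPermission `*`). The script below is an added example written for this page, not code shipped with Oracle Identity Manager or its documentation: it parses the java.policy grammar used in this file (grant / codeBase / permission entries, `//` and `/* */` comments stripped) and lists the entries a reviewer of the deployed java2.policy would want to look at first, per protection domain. `SAMPLE_POLICY` is a constructed excerpt in the shape of the file above; the grant-clause parser assumes only `codeBase` and `signedBy` clauses occur (a `principal` clause raises an error), and `keystore` directives are skipped.

```python
"""Parse a Java policy file and list the broad grants a reviewer should look at."""
import re
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple


@dataclass
class Permission:
    cls: str                 # permission class, e.g. java.io.FilePermission
    target: Optional[str]    # target name; None for java.security.AllPermission
    actions: FrozenSet[str]  # lower-cased action set; empty when none is given


@dataclass
class Grant:
    codebase: Optional[str]  # None means the grant applies to all code
    permissions: List[Permission]


# Strings are matched first so a "//" or "/*" inside a quoted value survives.
_COMMENT_OR_STRING = re.compile(r'"(?:[^"\\]|\\.)*"|//[^\n]*|/\*.*?\*/', re.S)
_TOKEN = re.compile(r'"((?:[^"\\]|\\.)*)"|([{};,])|([^\s{};,"]+)')


def _tokenize(text: str) -> List[Tuple[str, str]]:
    text = _COMMENT_OR_STRING.sub(lambda m: m.group(0) if m.group(0).startswith('"') else " ", text)
    out = []
    for m in _TOKEN.finditer(text):
        if m.group(1) is not None:
            out.append(("str", m.group(1)))
        elif m.group(2):
            out.append(("sym", m.group(2)))
        else:
            out.append(("word", m.group(3)))
    return out


def parse_policy(text: str) -> List[Grant]:
    """Return one Grant per 'grant ... { ... };' block, in file order."""
    toks, grants, i = _tokenize(text), [], 0
    while i < len(toks):
        if toks[i] != ("word", "grant"):
            i += 1                                   # keystore directives etc. are skipped
            continue
        i, codebase = i + 1, None
        while toks[i] != ("sym", "{"):               # clauses: only codeBase/signedBy handled (assumption)
            kind, val = toks[i]
            if kind == "word" and val.lower() == "codebase":
                codebase = toks[i + 1][1]
            elif kind == "word" and val.lower() != "signedby":
                raise ValueError(f"unsupported grant clause: {val}")
            i += 2 if kind == "word" else 1          # keyword + its string, or a lone ','
        i, perms = i + 1, []
        while toks[i] != ("sym", "}"):
            if toks[i] != ("word", "permission"):
                raise ValueError(f"expected 'permission', got {toks[i][1]!r}")
            cls, target, actions = toks[i + 1][1], None, frozenset()
            i += 2
            if toks[i][0] == "str":                  # optional target, then optional ", actions"
                target, i = toks[i][1], i + 1
                if toks[i] == ("sym", ","):
                    actions = frozenset(a.strip().lower() for a in toks[i + 1][1].split(",") if a.strip())
                    i += 2
            if toks[i] != ("sym", ";"):
                raise ValueError("permission entry not terminated by ';'")
            i += 1
            perms.append(Permission(cls, target, actions))
        grants.append(Grant(codebase, perms))
        i += 2 if i + 1 < len(toks) and toks[i + 1] == ("sym", ";") else 1
    return grants


RISKY_FILE_ACTIONS = {"write", "delete", "execute"}


def audit(grants: List[Grant]) -> List[Tuple[str, str, str]]:
    """Return (scope, rule, detail) for each entry that widens a protection domain broadly."""
    findings = []
    for g in grants:
        scope = g.codebase or "<no codeBase: all code>"
        for p in g.permissions:
            t, a = p.target or "", p.actions
            if p.cls == "java.security.AllPermission":
                findings.append((scope, "all-permission", "same as running without a security manager"))
            elif p.cls == "java.io.FilePermission" and t == "<<ALL FILES>>" and a & RISKY_FILE_ACTIONS:
                findings.append((scope, "all-files-" + "/".join(sorted(a & RISKY_FILE_ACTIONS)), "whole file system"))
            elif p.cls == "java.net.SocketPermission" and t.startswith("*") and a & {"listen", "accept"}:
                findings.append((scope, "socket-wildcard-server", f"{t} {','.join(sorted(a))}"))
            elif p.cls == "java.util.PropertyPermission" and t == "*" and "write" in a:
                findings.append((scope, "property-wildcard-write", "can rewrite any system property"))
            elif p.cls == "java.security.SecurityPermission" and t == "*":
                findings.append((scope, "security-permission-wildcard", "can replace Policy and Provider objects"))
            elif p.cls == "java.lang.reflect.ReflectPermission" and t == "suppressAccessChecks":
                findings.append((scope, "reflect-suppress-access-checks", "private members reachable via reflection"))
    return findings


# Constructed excerpt in the shape of the java2.policy shown on this page (not the real file).
SAMPLE_POLICY = r"""
/* Constructed excerpt: JDK grant, default grant, OIM codeBase grant */
grant codebase "file:${java.home}/../lib/tools.jar" {
  permission java.security.AllPermission;
};
grant {
  // "standard" properties that can be read by anyone.
  permission java.util.PropertyPermission "java.version", "read";
  permission java.util.PropertyPermission "*", "read";
  permission java.util.PropertyPermission "*", "write";
  permission java.net.SocketPermission "*", "connect";
  permission java.io.FilePermission "<<ALL FILES>>", "read";
  //permission java.lang.RuntimePermission "stopThread";
};
grant codeBase "file:${oracle.home}/j2ee/xlClusterMember/applications/Xellerate/-" {
  permission java.io.FilePermission "${XL.HomeDir}\\config\\-", "read, write, delete";
  permission java.io.FilePermission "<<ALL FILES>>", "execute";
  permission java.net.SocketPermission "*", "connect,listen,resolve,accept";
  permission java.security.SecurityPermission "*";
  permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
};
"""

if __name__ == "__main__":
    for scope, rule, detail in audit(parse_policy(SAMPLE_POLICY)):
        print(f"{rule:32} {scope}  ({detail})")
```

To review a live deployment, read `$ORACLE_HOME/j2ee/home/config/java2.policy` and pass its contents to `parse_policy`; the output groups findings by codeBase, which is the unit the security manager actually enforces, so a wildcard granted in the no-codeBase block counts for every class in the JVM while the same wildcard inside the Xellerate block is confined to that application.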