db-derby-dev mailing list archives

From John Embretsen <John.Embret...@Sun.COM>
Subject Customizing the Network Server's security policy (docs vs. reality)
Date Tue, 15 Jan 2008 14:03:39 GMT
In relation to DERBY-2109 (System privileges) I decided to apply the principle
of "learning by doing", and started to experiment with a customized version of
the template policy file for the network server.

This is described in the Server and Administration guide at

In trunk, the template policy file is at

I found that we might be able to simplify the documentation somewhat, if the
following is correct:

--- ---

The docs say:

"Replace the ${derby.system.home} variable with the location of your Derby
system directory. Alternatively, rather than replacing this variable, you can
simply set the value of the derby.system.home system property when you boot the

I found that my custom policy worked (starting server, connecting, creating
database, writing and reading data, shutting down...) even if I did not set
derby.system.home (explicitly) and did not replace ${derby.system.home} in my
policy file. Does this mean that we may remove this bullet from the docs?

The docs say:

"Replace the ${derby.security.host} variable with the address of the network
interface on which the server is listening. Note that the special wildcard
address "" is not understood by SocketPermission, even though Derby
accepts this wildcard as a valid value for the -h option of the Network Server
startup command. If you must grant blanket permission to this wildcard address,
specify "*" in the policy file."

I found no reference to ${derby.security.host} in the template policy file; the
default value was already "*" for permission java.net.SocketPermission. Should
we remove this bullet from the docs?

--- ---

Also, I suspect that some users may find it easier to set the property
derby.install.url when starting the server instead of replacing it with a fixed
value in the policy file (as recommended by the docs). Could this have any



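A small check for the docs-versus-template mismatch raised in this message, added here as an example and not part of the original post or of Derby's code: it lists the `${...}` property references a policy file actually contains, compares them with the names the documentation mentions, and flags wildcard SocketPermission grants. The sample policy text and the function names are constructed for illustration and are not the real template file.

```python
import re

# Java policy files expand ${name}; ${/} is the built-in file-separator shorthand.
PROP_REF = re.compile(r"\$\{([^}]+)\}")
WILDCARD_SOCKET = re.compile(r'permission\s+java\.net\.SocketPermission\s+"\*"')

# Constructed sample, NOT the real Derby template policy file.
SAMPLE_POLICY = '''\
grant codeBase "${derby.install.url}derbynet.jar" {
  permission java.net.SocketPermission "*", "accept";
  permission java.io.FilePermission "${derby.system.home}${/}-", "read,write,delete";
};
'''


def property_refs(policy_text):
    """Map each referenced property name to the line numbers that use it."""
    refs = {}
    for lineno, line in enumerate(policy_text.splitlines(), 1):
        if line.lstrip().startswith("//"):  # skip whole-line comments
            continue
        for name in PROP_REF.findall(line):
            if name != "/":  # ${/} is not a system property
                refs.setdefault(name, []).append(lineno)
    return refs


def audit(policy_text, documented, defined):
    """Compare a policy file with the documented variables and the -D properties.

    documented: property names the documentation tells users to replace or set.
    defined:    property names the operator passes with -D at startup. A name
                reported as undefined may still be set by the JVM or by the
                application itself before the policy is read.
    """
    refs = property_refs(policy_text)
    return {
        "undefined": sorted(n for n in refs if n not in defined),
        "documented_but_absent": sorted(n for n in documented if n not in refs),
        "wildcard_socket_lines": [
            i for i, line in enumerate(policy_text.splitlines(), 1)
            if WILDCARD_SOCKET.search(line)
        ],
    }


if __name__ == "__main__":
    docs = {"derby.system.home", "derby.security.host", "derby.install.url"}
    print(audit(SAMPLE_POLICY, documented=docs, defined={"derby.install.url"}))
```

A wildcard SocketPermission line is reported so that it can be narrowed to the interface the server actually listens on.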