geronimo-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From David Jencks <david_jen...@yahoo.com>
Subject Re: Security Policy
Date Mon, 13 Feb 2006 17:29:35 GMT
I have no experience actually working with these grants etc but I  
think we should look into making a default policy that knows about  
and relates to the repository structure we use.  Would it make sense  
to add permissions to configurations?

thanks
david jencks

On Feb 13, 2006, at 2:38 AM, John Sisson wrote:

> If one requires fine grained security for applications /  
> configurations that are deployed.  E.G. what files they can access,  
> what ports they can listen on etc.
>
> Some large enterprise sites may run under a security manager due to  
> high security requirements, but running under a security manager  
> incurs an overhead.
>
> FYI.. In section "1.4 Requirements" of the JACC spec it states in  
> point 9 that the container must execute in an environment  
> controlled by a J2SE security manager.
>
> The issue that Cristian raised needs to be discussed.  A concern I  
> have is that if we used names instead of numbers then we will most  
> likely run into the Windows file path length (on JDK 1.4.2) issue  
> discussed in the mail thread http://www.mail-archive.com/ 
> dev@geronimo.apache.org/msg15501.html
>
> Regards,
>
> John
>
> Vamsavardhana Reddy wrote:
>> When does one require to run the server under a Security Manager?
>>
>> Thanks,
>> Vamsi
>>
>> On 2/11/06, *Matt Hogstrom* <matt@hogstrom.org  
>> <mailto:matt@hogstrom.org>> wrote:
>>
>>     Cristian,
>>
>>     No apologies.  This is good feedback as I think we can use as  
>> much
>>     administrative feedback as possible.
>>
>>     Cristian Roldan wrote:
>>     > Hi All,
>>     >           I  enabled the Security Manager with these parameters
>>     "-Djava.security.manager -Djava.security.policy=geronimo.policy",
>>     > everything works ok, but the only problem that  I saw was with
>>     the Application identification (number) , if you deploy
>>     > an application, Generimo creates a directory
>>     config-store/[NUMBER], you must use this number in the policy
>>     file, after a while
>>     > you undeploy and deploy a new version of that application in
>>     this case you obtain a new number, so you must change the  
>> policy file.
>>     > I think that using a [number] as a deployment directory is not
>>     the best solution from the administration perspective.
>>     > I'm sorry I just give an opinion from the administration point
>>     of view maybe there is a design/performace reason that I can't  
>> see.
>>     >
>>     >
>>     >   //
>>      
>> --------------------------------------------------------------------- 
>> -----------------
>>     > // Permissions for Geronimo V.1.0
>>     > //
>>      
>> --------------------------------------------------------------------- 
>> -----------------
>>     >   // Geronimo gets all permissions
>>     > grant codeBase "file:${org.apache.geronimo.base.dir}/lib/-" {
>>     >   permission java.security.AllPermission;
>>     > };
>>     >   grant codeBase
>>     "file:${org.apache.geronimo.base.dir}/repository/-" {
>>     >   permission java.security.AllPermission;
>>     > };
>>      
>> >      //------------------------------------------------------------ 
>> ----------
>>
>>     > // From here I set the minimun permissions for my Applications
>>     > // You must change "23" for you Application number, this number
>>     is created
>>     > // during deployment phase.
>>     >
>>     //--------------------------------------------------------------- 
>> -------
>>
>>     >   grant codeBase
>>     "file:${org.apache.geronimo.base.dir}/config-store/23/-" {
>>     >   permission java.lang.RuntimePermission  
>> "accessClassInPackage.*";
>>     > };
>>     >   //
>>      
>> ---------------------------------------------------------------------
>>     >   grant codeBase
>>     "file:${org.apache.geronimo.base.dir}/config-store/1/-" {
>>     >   permission java.security.AllPermission;
>>     > };
>>     > grant codeBase
>>     "file:${org.apache.geronimo.base.dir}/config-store/2/-" {
>>     >   permission java.security.AllPermission;
>>     > };
>>     > grant codeBase
>>     "file:${org.apache.geronimo.base.dir}/config-store/3/-" {
>>     >   permission java.security.AllPermission;
>>     > };
>>     > grant codeBase "file:${
>>     org.apache.geronimo.base.dir}/config-store/4/-" {
>>     >   permission java.security.AllPermission;
>>     > };
>>     > grant codeBase
>>     "file:${org.apache.geronimo.base.dir}/config-store/5/-" {
>>     >   permission java.security.AllPermission;
>>     > };
>>     > grant codeBase
>>     "file:${org.apache.geronimo.base.dir}/config-store/6/-" {
>>     >   permission java.security.AllPermission;
>>     > };
>>     > grant codeBase "file:${
>>     org.apache.geronimo.base.dir}/config-store/7/-" {
>>     >   permission java.security.AllPermission;
>>     > };
>>     > grant codeBase
>>     "file:${org.apache.geronimo.base.dir}/config-store/8/-" {
>>     >   permission java.security.AllPermission;
>>     > };
>>     > grant codeBase
>>     "file:${org.apache.geronimo.base.dir}/config-store/9/-" {
>>     >   permission java.security.AllPermission;
>>     > };
>>     > grant codeBase "file:${
>>     org.apache.geronimo.base.dir}/config-store/10/-" {
>>     >   permission java.security.AllPermission;
>>     > };
>>     > grant codeBase
>>     "file:${org.apache.geronimo.base.dir}/config-store/11/-" {
>>     >   permission java.security.AllPermission;
>>     > };
>>     > grant codeBase
>>     "file:${org.apache.geronimo.base.dir}/config-store/12/-" {
>>     >   permission java.security.AllPermission;
>>     > };
>>     > grant codeBase "file:${
>>     org.apache.geronimo.base.dir}/config-store/13/-" {
>>     >   permission java.security.AllPermission;
>>     > };
>>     > grant codeBase
>>     "file:${org.apache.geronimo.base.dir}/config-store/14/-" {
>>     >   permission java.security.AllPermission;
>>     > };
>>     > grant codeBase
>>     "file:${org.apache.geronimo.base.dir}/config-store/15/-" {
>>     >   permission java.security.AllPermission;
>>     > };
>>     > grant codeBase "file:${
>>     org.apache.geronimo.base.dir}/config-store/16/-" {
>>     >   permission java.security.AllPermission;
>>     > };
>>     > grant codeBase
>>     "file:${org.apache.geronimo.base.dir}/config-store/17/-" {
>>     >   permission java.security.AllPermission;
>>     > };
>>     > grant codeBase
>>     "file:${org.apache.geronimo.base.dir}/config-store/18/-" {
>>     >   permission java.security.AllPermission;
>>     > };
>>     > grant codeBase "file:${
>>     org.apache.geronimo.base.dir}/config-store/19/-" {
>>     >   permission java.security.AllPermission;
>>     > };
>>     > grant codeBase
>>     "file:${org.apache.geronimo.base.dir}/config-store/20/-" {
>>     >   permission java.security.AllPermission;
>>     > };
>>     > grant codeBase
>>     "file:${org.apache.geronimo.base.dir}/config-store/21/-" {
>>     >   permission java.security.AllPermission;
>>     > };
>>     > grant codeBase "file:${
>>     org.apache.geronimo.base.dir}/config-store/22/-" {
>>     >   permission java.security.AllPermission;
>>     > };
>>     > grant codeBase
>>     "file:${org.apache.geronimo.base.dir}/config-store/24/-" {
>>     >   permission java.security.AllPermission;
>>     > };
>>     > grant codeBase
>>     "file:${org.apache.geronimo.base.dir}/config-store/25/-" {
>>     >   permission java.security.AllPermission;
>>     > };
>>     > grant codeBase "file:${
>>     org.apache.geronimo.base.dir}/config-store/26/-" {
>>     >   permission java.security.AllPermission;
>>     > };
>>     > grant codeBase
>>     "file:${org.apache.geronimo.base.dir}/config-store/27/-" {
>>     >   permission java.security.AllPermission;
>>     > };
>>     > grant codeBase
>>     "file:${org.apache.geronimo.base.dir}/config-store/28/-" {
>>     >   permission java.security.AllPermission;
>>     > };
>>     > grant codeBase "file:${
>>     org.apache.geronimo.base.dir}/config-store/29/-" {
>>     >   permission java.security.AllPermission;
>>     > };
>>     > grant codeBase
>>     "file:${org.apache.geronimo.base.dir}/config-store/30/-" {
>>     >   permission java.security.AllPermission;
>>     > };
>>     > grant codeBase
>>     "file:${org.apache.geronimo.base.dir}/config-store/31/-" {
>>     >   permission java.security.AllPermission;
>>     > };
>>     > grant codeBase "file:${
>>     org.apache.geronimo.base.dir}/config-store/32/-" {
>>     >   permission java.security.AllPermission;
>>     > };
>>     > grant codeBase
>>     "file:${org.apache.geronimo.base.dir}/config-store/33/-" {
>>     >   permission java.security.AllPermission;
>>     > };
>>     > grant codeBase
>>     "file:${org.apache.geronimo.base.dir}/config-store/34/-" {
>>     >   permission java.security.AllPermission;
>>     > };
>>     > grant codeBase "file:${
>>     org.apache.geronimo.base.dir}/config-store/35/-" {
>>     >   permission java.security.AllPermission;
>>     > };
>>     >
>>     >
>>     >
>>     >
>>     > ---------------------------------
>>     >  1GB gratis, Antivirus y Antispam
>>     >  Correo Yahoo!, el mejor correo web del mundo
>>     >  Abrí tu cuenta aquí
>>
>>
>


Mime
View raw message