I have no experience actually working with these grants, etc., but I
think we should look into making a default policy that knows about
and relates to the repository structure we use. Would it make sense
to add permissions to configurations?
thanks
david jencks
On Feb 13, 2006, at 2:38 AM, John Sisson wrote:
> If one requires fine-grained security for applications /
> configurations that are deployed, e.g. what files they can access,
> what ports they can listen on, etc.
>
> Some large enterprise sites may run under a security manager due to
> high security requirements, but running under a security manager
> incurs an overhead.
>
> FYI: In section "1.4 Requirements" of the JACC spec it states in
> point 9 that the container must execute in an environment
> controlled by a J2SE security manager.
>
> The issue that Cristian raised needs to be discussed. A concern I
> have is that if we used names instead of numbers then we will most
> likely run into the Windows file path length (on JDK 1.4.2) issue
> discussed in the mail thread
> http://www.mail-archive.com/dev@geronimo.apache.org/msg15501.html
>
> Regards,
>
> John
>
> Vamsavardhana Reddy wrote:
>> When does one require to run the server under a Security Manager?
>>
>> Thanks,
>> Vamsi
>>
>> On 2/11/06, Matt Hogstrom <matt@hogstrom.org> wrote:
>>
>> Cristian,
>>
>> No apologies. This is good feedback as I think we can use as much
>> administrative feedback as possible.
>>
>> Cristian Roldan wrote:
>> > Hi All,
>> > I enabled the Security Manager with these parameters
>> > "-Djava.security.manager -Djava.security.policy=geronimo.policy",
>> > everything works ok, but the only problem that I saw was with
>> > the Application identification (number). If you deploy
>> > an application, Geronimo creates a directory
>> > config-store/[NUMBER], and you must use this number in the policy
>> > file. After a while you undeploy and deploy a new version of that
>> > application; in this case you obtain a new number, so you must
>> > change the policy file.
>> > I think that using a [number] as a deployment directory is not
>> > the best solution from the administration perspective.
>> > I'm sorry, I just give an opinion from the administration point
>> > of view; maybe there is a design/performance reason that I can't
>> > see.
>> >
>> > // --------------------------------------------------------------------------------------
>> > // Permissions for Geronimo V.1.0
>> > // --------------------------------------------------------------------------------------
>> > // Geronimo gets all permissions
>> > grant codeBase "file:${org.apache.geronimo.base.dir}/lib/-" {
>> >     permission java.security.AllPermission;
>> > };
>> > grant codeBase "file:${org.apache.geronimo.base.dir}/repository/-" {
>> >     permission java.security.AllPermission;
>> > };
>> > //----------------------------------------------------------------------
>> > // From here I set the minimum permissions for my Applications
>> > // You must change "23" for your Application number, this number is created
>> > // during deployment phase.
>> > //----------------------------------------------------------------------
>> > grant codeBase "file:${org.apache.geronimo.base.dir}/config-store/23/-" {
>> >     permission java.lang.RuntimePermission "accessClassInPackage.*";
>> > };
>> > // ---------------------------------------------------------------------
>> > grant codeBase "file:${org.apache.geronimo.base.dir}/config-store/1/-" {
>> >     permission java.security.AllPermission;
>> > };
>> > grant codeBase "file:${org.apache.geronimo.base.dir}/config-store/2/-" {
>> >     permission java.security.AllPermission;
>> > };
>> > grant codeBase "file:${org.apache.geronimo.base.dir}/config-store/3/-" {
>> >     permission java.security.AllPermission;
>> > };
>> > grant codeBase "file:${org.apache.geronimo.base.dir}/config-store/4/-" {
>> >     permission java.security.AllPermission;
>> > };
>> > grant codeBase "file:${org.apache.geronimo.base.dir}/config-store/5/-" {
>> >     permission java.security.AllPermission;
>> > };
>> > grant codeBase "file:${org.apache.geronimo.base.dir}/config-store/6/-" {
>> >     permission java.security.AllPermission;
>> > };
>> > grant codeBase "file:${org.apache.geronimo.base.dir}/config-store/7/-" {
>> >     permission java.security.AllPermission;
>> > };
>> > grant codeBase "file:${org.apache.geronimo.base.dir}/config-store/8/-" {
>> >     permission java.security.AllPermission;
>> > };
>> > grant codeBase "file:${org.apache.geronimo.base.dir}/config-store/9/-" {
>> >     permission java.security.AllPermission;
>> > };
>> > grant codeBase "file:${org.apache.geronimo.base.dir}/config-store/10/-" {
>> >     permission java.security.AllPermission;
>> > };
>> > grant codeBase "file:${org.apache.geronimo.base.dir}/config-store/11/-" {
>> >     permission java.security.AllPermission;
>> > };
>> > grant codeBase "file:${org.apache.geronimo.base.dir}/config-store/12/-" {
>> >     permission java.security.AllPermission;
>> > };
>> > grant codeBase "file:${org.apache.geronimo.base.dir}/config-store/13/-" {
>> >     permission java.security.AllPermission;
>> > };
>> > grant codeBase "file:${org.apache.geronimo.base.dir}/config-store/14/-" {
>> >     permission java.security.AllPermission;
>> > };
>> > grant codeBase "file:${org.apache.geronimo.base.dir}/config-store/15/-" {
>> >     permission java.security.AllPermission;
>> > };
>> > grant codeBase "file:${org.apache.geronimo.base.dir}/config-store/16/-" {
>> >     permission java.security.AllPermission;
>> > };
>> > grant codeBase "file:${org.apache.geronimo.base.dir}/config-store/17/-" {
>> >     permission java.security.AllPermission;
>> > };
>> > grant codeBase "file:${org.apache.geronimo.base.dir}/config-store/18/-" {
>> >     permission java.security.AllPermission;
>> > };
>> > grant codeBase "file:${org.apache.geronimo.base.dir}/config-store/19/-" {
>> >     permission java.security.AllPermission;
>> > };
>> > grant codeBase "file:${org.apache.geronimo.base.dir}/config-store/20/-" {
>> >     permission java.security.AllPermission;
>> > };
>> > grant codeBase "file:${org.apache.geronimo.base.dir}/config-store/21/-" {
>> >     permission java.security.AllPermission;
>> > };
>> > grant codeBase "file:${org.apache.geronimo.base.dir}/config-store/22/-" {
>> >     permission java.security.AllPermission;
>> > };
>> > grant codeBase "file:${org.apache.geronimo.base.dir}/config-store/24/-" {
>> >     permission java.security.AllPermission;
>> > };
>> > grant codeBase "file:${org.apache.geronimo.base.dir}/config-store/25/-" {
>> >     permission java.security.AllPermission;
>> > };
>> > grant codeBase "file:${org.apache.geronimo.base.dir}/config-store/26/-" {
>> >     permission java.security.AllPermission;
>> > };
>> > grant codeBase "file:${org.apache.geronimo.base.dir}/config-store/27/-" {
>> >     permission java.security.AllPermission;
>> > };
>> > grant codeBase "file:${org.apache.geronimo.base.dir}/config-store/28/-" {
>> >     permission java.security.AllPermission;
>> > };
>> > grant codeBase "file:${org.apache.geronimo.base.dir}/config-store/29/-" {
>> >     permission java.security.AllPermission;
>> > };
>> > grant codeBase "file:${org.apache.geronimo.base.dir}/config-store/30/-" {
>> >     permission java.security.AllPermission;
>> > };
>> > grant codeBase "file:${org.apache.geronimo.base.dir}/config-store/31/-" {
>> >     permission java.security.AllPermission;
>> > };
>> > grant codeBase "file:${org.apache.geronimo.base.dir}/config-store/32/-" {
>> >     permission java.security.AllPermission;
>> > };
>> > grant codeBase "file:${org.apache.geronimo.base.dir}/config-store/33/-" {
>> >     permission java.security.AllPermission;
>> > };
>> > grant codeBase "file:${org.apache.geronimo.base.dir}/config-store/34/-" {
>> >     permission java.security.AllPermission;
>> > };
>> > grant codeBase "file:${org.apache.geronimo.base.dir}/config-store/35/-" {
>> >     permission java.security.AllPermission;
>> > };
>> >
>> >
>> >
>> >
>>
>>
>
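
Added example (not part of the thread and not Geronimo code): a small Python check for the drift Cristian describes, where a redeploy changes the config-store number and the policy file no longer matches what is on disk. It assumes only the config-store/[NUMBER] layout and the grant syntax quoted above; the function names and the sample policy are constructed for illustration.

```python
import re
from pathlib import Path

# Constructed sample in the shape of the policy quoted above (not the thread's full file).
SAMPLE_POLICY = '''
// Geronimo gets all permissions
grant codeBase "file:${org.apache.geronimo.base.dir}/lib/-" {
    permission java.security.AllPermission;
};
grant codeBase "file:${org.apache.geronimo.base.dir}/config-store/23/-" {
    permission java.lang.RuntimePermission "accessClassInPackage.*";
};
grant codeBase "file:${org.apache.geronimo.base.dir}/config-store/24/-" {
    permission java.security.AllPermission;
};
'''

GRANT_RE = re.compile(r'grant\s+codeBase\s+"([^"]+)"\s*\{(.*?)\}\s*;', re.S)
PERM_RE = re.compile(r'permission\s+([\w.$]+)')
STORE_RE = re.compile(r'/config-store/(\d+)/')


def parse_store_grants(policy_text):
    """Map config-store number -> set of permission class names granted to it."""
    text = re.sub(r'(?m)^\s*//.*$', '', policy_text)  # drop whole-line comments
    grants = {}
    for codebase, body in GRANT_RE.findall(text):
        m = STORE_RE.search(codebase)
        if m:  # grants for lib/ and repository/ are out of scope here
            grants.setdefault(int(m.group(1)), set()).update(PERM_RE.findall(body))
    return grants


def deployed_ids(base_dir):
    """Numeric directory names under <base_dir>/config-store."""
    store = Path(base_dir) / "config-store"
    return {int(p.name) for p in store.iterdir() if p.is_dir() and p.name.isdigit()}


def audit(policy_text, deployed):
    """Compare policy grants with the numbers currently on disk."""
    grants = parse_store_grants(policy_text)
    return {
        "stale": sorted(set(grants) - set(deployed)),     # granted, no such directory
        "unlisted": sorted(set(deployed) - set(grants)),  # directory, no grant
        "all_permission": sorted(n for n in deployed
                                 if "java.security.AllPermission" in grants.get(n, ())),
    }
```

Run audit(policy_text, deployed_ids(base_dir)) after each deploy or undeploy; a non-empty "stale" or "unlisted" list means the policy file has to be edited before the restricted application's grant applies to its new directory.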