From user-return-2210-apmail-geronimo-user-archive=geronimo.apache.org@geronimo.apache.org Mon Feb 13 10:39:28 2006 Return-Path: Delivered-To: apmail-geronimo-user-archive@www.apache.org Received: (qmail 76838 invoked from network); 13 Feb 2006 10:39:28 -0000 Received: from hermes.apache.org (HELO mail.apache.org) (209.237.227.199) by minotaur.apache.org with SMTP; 13 Feb 2006 10:39:28 -0000 Received: (qmail 32478 invoked by uid 500); 13 Feb 2006 10:39:24 -0000 Delivered-To: apmail-geronimo-user-archive@geronimo.apache.org Received: (qmail 32458 invoked by uid 500); 13 Feb 2006 10:39:23 -0000 Mailing-List: contact user-help@geronimo.apache.org; run by ezmlm Precedence: bulk list-help: list-unsubscribe: List-Post: Reply-To: user@geronimo.apache.org List-Id: Delivered-To: mailing list user@geronimo.apache.org Received: (qmail 32447 invoked by uid 99); 13 Feb 2006 10:39:23 -0000 Received: from asf.osuosl.org (HELO asf.osuosl.org) (140.211.166.49) by apache.org (qpsmtpd/0.29) with ESMTP; Mon, 13 Feb 2006 02:39:23 -0800 X-ASF-Spam-Status: No, hits=-0.0 required=10.0 tests=SPF_PASS X-Spam-Check-By: apache.org Received-SPF: pass (asf.osuosl.org: domain of jrsisson@gmail.com designates 64.233.162.207 as permitted sender) Received: from [64.233.162.207] (HELO zproxy.gmail.com) (64.233.162.207) by apache.org (qpsmtpd/0.29) with ESMTP; Mon, 13 Feb 2006 02:39:22 -0800 Received: by zproxy.gmail.com with SMTP id 13so970916nzn for ; Mon, 13 Feb 2006 02:39:02 -0800 (PST) DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com; h=received:message-id:date:from:user-agent:mime-version:to:subject:references:in-reply-to:content-type:content-transfer-encoding; b=RBGuSpfJc0tpey/I8TzW5dz05Mo7S+UVjOyyETiwsNFhn7vkgOLwPqKSPFYmmwKH5Xkk6XkcYNSUTgikBpw7/yZpj+4sEkzkfpWPA7+fZdOFu3soTFTq0sNHLDUE6+ptvph1AqgbotkBvIqBjFScRBFq405M4f7tlj/5I7blMZ0= Received: by 10.37.20.41 with SMTP id x41mr2940890nzi; Mon, 13 Feb 2006 02:39:01 -0800 (PST) Received: from ?192.168.0.21? ( [59.167.2.95]) by mx.gmail.com with ESMTP id 7sm7568957nzn.2006.02.13.02.39.00; Mon, 13 Feb 2006 02:39:01 -0800 (PST) Message-ID: <43F061B7.6040705@gmail.com> Date: Mon, 13 Feb 2006 21:38:47 +1100 From: John Sisson User-Agent: Thunderbird 1.5 (Windows/20051201) MIME-Version: 1.0 To: user@geronimo.apache.org Subject: Re: Security Policy References: <20060210144645.87917.qmail@web54302.mail.yahoo.com> <43ED0818.90308@hogstrom.org> <22d56c4d0602122208g262f1be0h8edcb4b9dd7de38@mail.gmail.com> In-Reply-To: <22d56c4d0602122208g262f1be0h8edcb4b9dd7de38@mail.gmail.com> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 8bit X-Virus-Checked: Checked by ClamAV on apache.org X-Spam-Rating: minotaur.apache.org 1.6.2 0/1000/N If one requires fine grained security for applications / configurations that are deployed. E.G. what files they can access, what ports they can listen on etc. Some large enterprise sites may run under a security manager due to high security requirements, but running under a security manager incurs an overhead. FYI.. In section "1.4 Requirements" of the JACC spec it states in point 9 that the container must execute in an environment controlled by a J2SE security manager. The issue that Cristian raised needs to be discussed. A concern I have is that if we used names instead of numbers then we will most likely run into the Windows file path length (on JDK 1.4.2) issue discussed in the mail thread http://www.mail-archive.com/dev@geronimo.apache.org/msg15501.html Regards, John Vamsavardhana Reddy wrote: > When does one require to run the server under a Security Manager? > > Thanks, > Vamsi > > On 2/11/06, *Matt Hogstrom* > wrote: > > Cristian, > > No apologies. This is good feedback as I think we can use as much > administrative feedback as possible. > > Cristian Roldan wrote: > > Hi All, > > I enabled the Security Manager with these parameters > "-Djava.security.manager -Djava.security.policy=geronimo.policy", > > everything works ok, but the only problem that I saw was with > the Application identification (number) , if you deploy > > an application, Generimo creates a directory > config-store/[NUMBER], you must use this number in the policy > file, after a while > > you undeploy and deploy a new version of that application in > this case you obtain a new number, so you must change the policy file. > > I think that using a [number] as a deployment directory is not > the best solution from the administration perspective. > > I'm sorry I just give an opinion from the administration point > of view maybe there is a design/performace reason that I can't see. > > > > > > // > -------------------------------------------------------------------------------------- > > // Permissions for Geronimo V.1.0 > > // > -------------------------------------------------------------------------------------- > > // Geronimo gets all permissions > > grant codeBase "file:${org.apache.geronimo.base.dir}/lib/-" { > > permission java.security.AllPermission; > > }; > > grant codeBase > "file:${org.apache.geronimo.base.dir}/repository/-" { > > permission java.security.AllPermission; > > }; > > > //---------------------------------------------------------------------- > > > // From here I set the minimun permissions for my Applications > > // You must change "23" for you Application number, this number > is created > > // during deployment phase. > > > //---------------------------------------------------------------------- > > > grant codeBase > "file:${org.apache.geronimo.base.dir}/config-store/23/-" { > > permission java.lang.RuntimePermission "accessClassInPackage.*"; > > }; > > // > --------------------------------------------------------------------- > > grant codeBase > "file:${org.apache.geronimo.base.dir}/config-store/1/-" { > > permission java.security.AllPermission; > > }; > > grant codeBase > "file:${org.apache.geronimo.base.dir}/config-store/2/-" { > > permission java.security.AllPermission; > > }; > > grant codeBase > "file:${org.apache.geronimo.base.dir}/config-store/3/-" { > > permission java.security.AllPermission; > > }; > > grant codeBase "file:${ > org.apache.geronimo.base.dir}/config-store/4/-" { > > permission java.security.AllPermission; > > }; > > grant codeBase > "file:${org.apache.geronimo.base.dir}/config-store/5/-" { > > permission java.security.AllPermission; > > }; > > grant codeBase > "file:${org.apache.geronimo.base.dir}/config-store/6/-" { > > permission java.security.AllPermission; > > }; > > grant codeBase "file:${ > org.apache.geronimo.base.dir}/config-store/7/-" { > > permission java.security.AllPermission; > > }; > > grant codeBase > "file:${org.apache.geronimo.base.dir}/config-store/8/-" { > > permission java.security.AllPermission; > > }; > > grant codeBase > "file:${org.apache.geronimo.base.dir}/config-store/9/-" { > > permission java.security.AllPermission; > > }; > > grant codeBase "file:${ > org.apache.geronimo.base.dir}/config-store/10/-" { > > permission java.security.AllPermission; > > }; > > grant codeBase > "file:${org.apache.geronimo.base.dir}/config-store/11/-" { > > permission java.security.AllPermission; > > }; > > grant codeBase > "file:${org.apache.geronimo.base.dir}/config-store/12/-" { > > permission java.security.AllPermission; > > }; > > grant codeBase "file:${ > org.apache.geronimo.base.dir}/config-store/13/-" { > > permission java.security.AllPermission; > > }; > > grant codeBase > "file:${org.apache.geronimo.base.dir}/config-store/14/-" { > > permission java.security.AllPermission; > > }; > > grant codeBase > "file:${org.apache.geronimo.base.dir}/config-store/15/-" { > > permission java.security.AllPermission; > > }; > > grant codeBase "file:${ > org.apache.geronimo.base.dir}/config-store/16/-" { > > permission java.security.AllPermission; > > }; > > grant codeBase > "file:${org.apache.geronimo.base.dir}/config-store/17/-" { > > permission java.security.AllPermission; > > }; > > grant codeBase > "file:${org.apache.geronimo.base.dir}/config-store/18/-" { > > permission java.security.AllPermission; > > }; > > grant codeBase "file:${ > org.apache.geronimo.base.dir}/config-store/19/-" { > > permission java.security.AllPermission; > > }; > > grant codeBase > "file:${org.apache.geronimo.base.dir}/config-store/20/-" { > > permission java.security.AllPermission; > > }; > > grant codeBase > "file:${org.apache.geronimo.base.dir}/config-store/21/-" { > > permission java.security.AllPermission; > > }; > > grant codeBase "file:${ > org.apache.geronimo.base.dir}/config-store/22/-" { > > permission java.security.AllPermission; > > }; > > grant codeBase > "file:${org.apache.geronimo.base.dir}/config-store/24/-" { > > permission java.security.AllPermission; > > }; > > grant codeBase > "file:${org.apache.geronimo.base.dir}/config-store/25/-" { > > permission java.security.AllPermission; > > }; > > grant codeBase "file:${ > org.apache.geronimo.base.dir}/config-store/26/-" { > > permission java.security.AllPermission; > > }; > > grant codeBase > "file:${org.apache.geronimo.base.dir}/config-store/27/-" { > > permission java.security.AllPermission; > > }; > > grant codeBase > "file:${org.apache.geronimo.base.dir}/config-store/28/-" { > > permission java.security.AllPermission; > > }; > > grant codeBase "file:${ > org.apache.geronimo.base.dir}/config-store/29/-" { > > permission java.security.AllPermission; > > }; > > grant codeBase > "file:${org.apache.geronimo.base.dir}/config-store/30/-" { > > permission java.security.AllPermission; > > }; > > grant codeBase > "file:${org.apache.geronimo.base.dir}/config-store/31/-" { > > permission java.security.AllPermission; > > }; > > grant codeBase "file:${ > org.apache.geronimo.base.dir}/config-store/32/-" { > > permission java.security.AllPermission; > > }; > > grant codeBase > "file:${org.apache.geronimo.base.dir}/config-store/33/-" { > > permission java.security.AllPermission; > > }; > > grant codeBase > "file:${org.apache.geronimo.base.dir}/config-store/34/-" { > > permission java.security.AllPermission; > > }; > > grant codeBase "file:${ > org.apache.geronimo.base.dir}/config-store/35/-" { > > permission java.security.AllPermission; > > }; > > > > > > > > > > --------------------------------- > > 1GB gratis, Antivirus y Antispam > > Correo Yahoo!, el mejor correo web del mundo > > Abrí tu cuenta aquí > >