Rick Hillegas wrote:

I found that my custom policy worked (starting server, connecting, creating database, writing and reading data, shutting down...) even if I did not set derby.system.home (explicitly) and did not replace ${derby.system.home} in my policy file. Does this mean that we may remove this bullet from the docs?

Probably not. You may end up having all the permissions that you need because, later on in the template file, read/write/delete permission is blanket-granted to all locations in the file system. If the customer actually restricts that blanket grant (as we recommend), then they will need the specific grants to locations under ${derby.system.home}. The very first call to the permissions-checker will fault in the policy file. At that time, the security manager needs to be able to resolve derby.system.home in order to give Derby the file permissions it needs.

Ah, I see. I removed the blanket FilePermissions from my policy file, and was able to confirm this.

I found no reference to ${derby.security.host} in the template policy file; the default value was already "*" for permission java.net.SocketPermission. Should we remove this bullet from the docs?

Thanks for finding this. The bullet should be rewritten to refer to what's actually in the template file. We should still tell the customer that they may want to adjust the socket permission based on their server startup settings.

This is already explained in the template policy, but we could of course keep it in the docs as well.

I can file a new jira for this doc adjustment.

--- ---

Also, I suspect that some users may find it easier to set the property derby.install.url when starting the server instead of replacing it with a fixed value in the policy file (as recommended by the docs). Could this have any side-effects?

I'm not smart enough to know whether this will open up any wormholes. I think that the user guide's silence is fine and maybe prudent.

I agree (that the doc's silence is appropriate). Just wanted to check if anyone had uncovered any wormholes in this area that I was not aware of.


Thanks!

--
John
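
The masking effect discussed in this thread, as an added example that is not part of the original message and is not Derby's own code: a small policy-file audit that reports entries the JDK policy loader would ignore because a `${property}` cannot be expanded, alongside the blanket file grant and any-host socket grant that hide the problem. The sample policy text, the property value and the finding names are constructed for illustration.

```python
import re

# Constructed sample policy, loosely modelled on the entries discussed in the
# thread. It is NOT Derby's shipped template; the actions are illustrative.
SAMPLE_POLICY = '''
grant codeBase "${derby.install.url}derby.jar" {
  permission java.io.FilePermission "${derby.system.home}${/}-", "read,write,delete";
  permission java.io.FilePermission "<<ALL FILES>>", "read,write,delete";
  permission java.net.SocketPermission "*", "accept";
};
'''

GRANT_RE = re.compile(r'grant\s*(?:codeBase\s+"([^"]*)")?\s*\{(.*?)\}\s*;', re.S)
PERM_RE = re.compile(r'permission\s+([\w.]+)\s+"([^"]*)"')
PROP_RE = re.compile(r'\$\{([^}]+)\}')

def unresolved(text, props):
    # ${/} is the policy-file shorthand for the file separator; always expandable.
    return [p for p in PROP_RE.findall(text) if p != "/" and p not in props]

def audit(policy_text, props):
    """Return (finding, value) pairs for a policy file and a set of defined properties."""
    findings = []
    for code_base, body in GRANT_RE.findall(policy_text):
        # The JDK policy-file format ignores a grant or permission entry whose
        # property reference cannot be expanded, so nothing in it takes effect.
        if unresolved(code_base, props):
            findings.append(("grant-ignored", code_base))
            continue
        for cls, target in PERM_RE.findall(body):
            if unresolved(target, props):
                findings.append(("permission-ignored", target))
            elif cls == "java.io.FilePermission" and target == "<<ALL FILES>>":
                findings.append(("blanket-file-grant", target))
            elif cls == "java.net.SocketPermission" and target.split(":")[0] == "*":
                findings.append(("any-host-socket", target))
    return findings

if __name__ == "__main__":
    # Constructed case: derby.install.url is set, derby.system.home is not.
    props = {"derby.install.url": "file:/opt/derby/lib/"}
    for finding, value in audit(SAMPLE_POLICY, props):
        print(f"{finding:20} {value}")
```

A `permission-ignored` finding next to a `blanket-file-grant` finding is the situation described above: the server runs only because of the blanket grant, and removing it leaves no usable file permission until derby.system.home resolves.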
