Greg, the message I got from you previously was you wanted tools to make life 
easier for new developers, that you weren't concerned about security as your 
code ran behind the firewall on local networks?

I'm trying to find common ground with you, to salvage what's left of the 
project.

It would be relatively simple to modify the tool, to allow a user developer to 
approve or disapprove permission calls.  But if you don't like it, what do you 
want?  Tell us your goals, inspire us.

Deserialization gadget attacks, google it, our security model is broken.  Our 
cyphers are out of date, attackers can use them to steal your keys.  We must be 
honest with our users, River is presently insecure.

One of my disappointments was not doing enough to fix security.

Are we living in fear of change?  

Peter.

---- Original message ----
From: Greg Trasuk <tras...@stratuscom.com>
Sent: 07/04/2016 03:50:55 am
To: dev@river.apache.org
Subject: Re: Tools to make life easier for new users.


I don’t know - personally I don’t like the idea of just running a program and 
hoping it doesn’t do anything malicious.   By using a tool like this, you’re 
basically running the system unprotected for some period of time, to find out 
what permissions are needed. 

When I was writing the Harvester container, I toyed with having the application 
provide a file that lists its “required” security permissions.  I ended up 
rejecting the idea, because the real question was what permissions the container 
owner wanted to allow, not what the application wanted to use. 

Unpleasant as it is, I think it’s probably best to lock down the security 
manager, then when the app throws a security exception, you make a decision as 
to whether you want to open up that permission, or whether you want to give up 
on running that app.  Ditto with a proxy - start with granting as few 
permissions as possible after Proxy verification, and then if you see failures, 
make a decision. 

In passing, a while ago I investigated the deserialization flaws that everyone 
was excited about.  I verified that with the proper classloader and security 
setup, a proxy is loaded into a zero-privilege environment.  So for instance, 
it isn’t possible to call System.setSecurityManager(…) in a proxy’s constructor 
or unmarshalling code.  I didn’t look deeply into whether it was possible to 
return a malicious class from a remote method call, but I don’t see any reason 
to think the unmarshalling would be significantly different.  Wouldn’t want to 
say conclusively without further investigation, though. 


Cheers, 

Greg Trasuk 

> On Apr 6, 2016, at 8:14 AM, Peter <j...@zeus.net.au> wrote: 
>  
> Example of security policy generation.  In this case I didn't have aliases 
>for the JCE provider certs, but you get the picture, you'll note it also 
>includes whatever Principals your code is running with. 
>  
> You run your program, use each process and the permission required will be 
>generated into a policy file.  It conforms to least privilege principles: 
>  
> grant signedBy "null,null", codebase 
>"file:/C:/Program%20Files/Java/jdk1.8.0/jre/lib/ext/sunjce_provider.jar" 
> { 
>    permission java.security.SecurityPermission "putProviderProperty.SunJCE"; 
> }; 
>  
> grant codebase 
>"file:/C:/Users/peter/Documents/NetBeansProjects/river-internet/qa/jtreg/JTlib-tmp/jsk-lib.jar"
> 
> { 
>    permission org.apache.river.thread.ThreadPoolPermission 
>"getSystemThreadPool"; 
>    permission java.net.SocketPermission "medusa", "resolve"; 
>    permission java.lang.RuntimePermission "getClassLoader"; 
>    permission java.lang.RuntimePermission "modifyThread"; 
>    permission java.lang.RuntimePermission "modifyThreadGroup"; 
>    permission java.lang.RuntimePermission "setContextClassLoader"; 
>    permission java.lang.RuntimePermission "shutdownHooks"; 
> }; 
>  
> grant codebase 
>"file:/C:/Users/peter/Documents/NetBeansProjects/river-internet/qa/jtreg/JTlib-tmp/jsk-platform.jar",
> 
>    principal javax.security.auth.x500.X500Principal "CN=serverDSA,C=US", 
>    principal javax.security.auth.x500.X500Principal "CN=serverRSA", 
>    principal TestUtilities.TestPrincipal "testServer" 
> { 
>    permission net.jini.security.AuthenticationPermission 
>"javax.security.auth.x500.X500Principal \"CN=serverDSA,C=US\"", "listen"; 
>    permission net.jini.security.AuthenticationPermission 
>"javax.security.auth.x500.X500Principal \"CN=serverRSA\"", "listen"; 
>    permission java.util.PropertyPermission 
>"org.apache.river.jeri.ssl.maxServerSessionDuration", "read"; 
> }; 
>  
> grant codebase 
>"file:/C:/Users/peter/Documents/NetBeansProjects/river-internet/qa/jtreg/JTlib-tmp/jsk-platform.jar",
> 
>    principal javax.security.auth.x500.X500Principal "CN=serverDSA,C=US", 
>    principal javax.security.auth.x500.X500Principal "CN=serverRSA", 
>    principal TestUtilities.TestPrincipal "testServer" 
> { 
>    permission net.jini.security.AuthenticationPermission 
>"javax.security.auth.x500.X500Principal \"CN=serverDSA,C=US\"", "listen"; 
>    permission net.jini.security.AuthenticationPermission 
>"javax.security.auth.x500.X500Principal \"CN=serverRSA\"", "listen"; 
>    permission java.util.PropertyPermission 
>"org.apache.river.jeri.ssl.maxServerSessionDuration", "read"; 
> }; 
>  
> grant codebase 
>"file:/C:/Users/peter/Documents/NetBeansProjects/river-internet/qa/jtreg/JTwork/classes/net/jini/jeri/ssl/UnitTests/",
> 
>    principal javax.security.auth.x500.X500Principal "CN=serverRSA2" 
> { 
>    permission net.jini.security.AuthenticationPermission 
>"javax.security.auth.x500.X500Principal \"CN=serverRSA2\"", "listen"; 
> }; 
>  
> grant codebase 
>"file:/C:/Users/peter/Documents/NetBeansProjects/river-internet/qa/jtreg/JTlib-tmp/jsk-platform.jar",
> 
>    principal javax.security.auth.x500.X500Principal "CN=serverDSA,C=US" 
> { 
>    permission java.util.PropertyPermission 
>"org.apache.river.jeri.ssl.maxServerSessionDuration", "read"; 
> }; 
>  
> grant codebase 
>"file:/C:/Users/peter/Documents/NetBeansProjects/river-internet/qa/jtreg/JTlib-tmp/jsk-platform.jar",
> 
>    principal javax.security.auth.x500.X500Principal "CN=clientDSA" 
> { 
>    permission java.util.PropertyPermission 
>"org.apache.river.jeri.ssl.maxServerSessionDuration", "read"; 
> }; 
>  
> grant codebase 
>"file:/C:/Users/peter/Documents/NetBeansProjects/river-internet/qa/jtreg/JTlib-tmp/jsk-platform.jar",
> 
>    principal javax.security.auth.x500.X500Principal "CN=serverDSA,C=US", 
>    principal javax.security.auth.x500.X500Principal "CN=serverRSA", 
>    principal TestUtilities.TestPrincipal "testServer" 
> { 
>    permission net.jini.security.AuthenticationPermission 
>"javax.security.auth.x500.X500Principal \"CN=serverDSA,C=US\"", "listen"; 
>    permission net.jini.security.AuthenticationPermission 
>"javax.security.auth.x500.X500Principal \"CN=serverRSA\"", "listen"; 
>    permission java.util.PropertyPermission 
>"org.apache.river.jeri.ssl.maxServerSessionDuration", "read"; 
> }; 
>  
> grant codebase 
>"file:/C:/Users/peter/Documents/NetBeansProjects/river-internet/qa/jtreg/JTlib-tmp/jsk-platform.jar",
> 
>    principal javax.security.auth.x500.X500Principal "CN=serverDSA,C=US", 
>    principal javax.security.auth.x500.X500Principal "CN=serverRSA", 
>    principal TestUtilities.TestPrincipal "testServer" 
> { 
>    permission net.jini.security.AuthenticationPermission 
>"javax.security.auth.x500.X500Principal \"CN=serverDSA,C=US\"", "listen"; 
>    permission net.jini.security.AuthenticationPermission 
>"javax.security.auth.x500.X500Principal \"CN=serverRSA\"", "listen"; 
>    permission java.util.PropertyPermission 
>"org.apache.river.jeri.ssl.maxServerSessionDuration", "read"; 
> }; 
>  
> grant codebase 
>"file:/C:/Program%20Files/jtreg-4.1-bin-b05_29_nov_2012/jtreg/lib/javatest.jar"
> 
> { 
>    permission java.lang.RuntimePermission "exitVM.97"; 
> }; 
>  
> grant codebase 
>"file:/C:/Users/peter/Documents/NetBeansProjects/river-internet/qa/jtreg/JTwork/classes/net/jini/jeri/ssl/UnitTests/",
> 
>    principal javax.security.auth.x500.X500Principal "CN=serverDSA,C=US", 
>    principal javax.security.auth.x500.X500Principal "CN=serverRSA", 
>    principal TestUtilities.TestPrincipal "testServer" 
> { 
>    permission net.jini.security.AuthenticationPermission 
>"javax.security.auth.x500.X500Principal \"CN=serverDSA,C=US\"", "listen"; 
>    permission net.jini.security.AuthenticationPermission 
>"javax.security.auth.x500.X500Principal \"CN=serverRSA\"", "listen"; 
> }; 
>  
> grant codebase 
>"file:/C:/Users/peter/Documents/NetBeansProjects/river-internet/qa/jtreg/JTlib-tmp/jsk-platform.jar",
> 
>    principal javax.security.auth.x500.X500Principal "CN=serverRSA2" 
> { 
>    permission net.jini.security.AuthenticationPermission 
>"javax.security.auth.x500.X500Principal \"CN=serverRSA2\"", "listen"; 
>    permission java.util.PropertyPermission 
>"org.apache.river.jeri.ssl.maxServerSessionDuration", "read"; 
> }; 
>  
> grant codebase 
>"file:/C:/Users/peter/Documents/NetBeansProjects/river-internet/qa/jtreg/JTlib-tmp/jsk-platform.jar",
> 
>    principal javax.security.auth.x500.X500Principal "CN=serverDSA,C=US", 
>    principal javax.security.auth.x500.X500Principal "CN=serverRSA", 
>    principal TestUtilities.TestPrincipal "testServer" 
> { 
>    permission net.jini.security.AuthenticationPermission 
>"javax.security.auth.x500.X500Principal \"CN=serverDSA,C=US\"", "listen"; 
>    permission net.jini.security.AuthenticationPermission 
>"javax.security.auth.x500.X500Principal \"CN=serverRSA\"", "listen"; 
>    permission java.util.PropertyPermission 
>"org.apache.river.jeri.ssl.maxServerSessionDuration", "read"; 
> }; 
>  
> grant codebase 
>"file:/C:/Users/peter/Documents/NetBeansProjects/river-internet/qa/jtreg/JTlib-tmp/jsk-platform.jar",
> 
>    principal javax.security.auth.x500.X500Principal "CN=serverDSA,C=US" 
> { 
>    permission java.util.PropertyPermission 
>"org.apache.river.jeri.ssl.maxServerSessionDuration", "read"; 
> }; 
>  
> grant codebase 
>"file:/C:/Users/peter/Documents/NetBeansProjects/river-internet/qa/jtreg/JTlib-tmp/jsk-platform.jar"
> 
> { 
>    permission java.util.PropertyPermission 
>"org.apache.river.jeri.ssl.maxServerSessionDuration", "read"; 
> }; 
>  
> grant codebase 
>"file:/C:/Users/peter/Documents/NetBeansProjects/river-internet/qa/jtreg/JTlib-tmp/jsk-platform.jar",
> 
>    principal javax.security.auth.x500.X500Principal "CN=serverDSA,C=US", 
>    principal javax.security.auth.x500.X500Principal "CN=serverRSA", 
>    principal TestUtilities.TestPrincipal "testServer" 
> { 
>    permission net.jini.security.AuthenticationPermission 
>"javax.security.auth.x500.X500Principal \"CN=serverDSA,C=US\"", "listen"; 
>    permission net.jini.security.AuthenticationPermission 
>"javax.security.auth.x500.X500Principal \"CN=serverRSA\"", "listen"; 
>    permission java.util.PropertyPermission 
>"org.apache.river.jeri.ssl.maxServerSessionDuration", "read"; 
> }; 
>  
> grant codebase 
>"file:/C:/Users/peter/Documents/NetBeansProjects/river-internet/qa/jtreg/JTlib-tmp/jsk-platform.jar",
> 
>    principal javax.security.auth.x500.X500Principal "CN=serverDSA,C=US", 
>    principal javax.security.auth.x500.X500Principal "CN=serverRSA", 
>    principal TestUtilities.TestPrincipal "testServer" 
> { 
>    permission net.jini.security.AuthenticationPermission 
>"javax.security.auth.x500.X500Principal \"CN=serverDSA,C=US\"", "listen"; 
>    permission net.jini.security.AuthenticationPermission 
>"javax.security.auth.x500.X500Principal \"CN=serverRSA\"", "listen"; 
>    permission java.util.PropertyPermission 
>"org.apache.river.jeri.ssl.maxServerSessionDuration", "read"; 
> }; 
>  
> grant codebase 
>"file:/C:/Users/peter/Documents/NetBeansProjects/river-internet/qa/jtreg/JTlib-tmp/jsk-platform.jar",
> 
>    principal javax.security.auth.x500.X500Principal "CN=serverDSA,C=US", 
>    principal javax.security.auth.x500.X500Principal "CN=serverRSA", 
>    principal TestUtilities.TestPrincipal "testServer" 
> { 
>    permission net.jini.security.AuthenticationPermission 
>"javax.security.auth.x500.X500Principal \"CN=serverDSA,C=US\"", "listen"; 
>    permission net.jini.security.AuthenticationPermission 
>"javax.security.auth.x500.X500Principal \"CN=serverRSA\"", "listen"; 
>    permission java.util.PropertyPermission 
>"org.apache.river.jeri.ssl.maxServerSessionDuration", "read"; 
> }; 
>  
> grant signedBy "null,null", codebase 
>"file:/C:/Program%20Files/Java/jdk1.8.0/jre/lib/ext/sunec.jar" 
> { 
>    permission java.security.SecurityPermission "putProviderProperty.SunEC"; 
>    permission java.io.FilePermission 
>"C:\Program%20Files\Java\jdk1.8.0\jre\lib\ext\sunec.dll", "read"; 
>    permission java.io.FilePermission 
>"C:\Program%20Files\Java\jdk1.8.0\jre\lib\ext\x86\sunec.dll", "read"; 
>    permission java.lang.RuntimePermission 
>"accessClassInPackage.sun.security.action"; 
>    permission java.lang.RuntimePermission 
>"accessClassInPackage.sun.security.util"; 
>    permission java.lang.RuntimePermission "loadLibrary.sunec"; 
> }; 
>  
> grant codebase 
>"file:/C:/Users/peter/Documents/NetBeansProjects/river-internet/qa/jtreg/JTlib-tmp/jsk-platform.jar"
> 
> { 
>    permission java.util.PropertyPermission 
>"org.apache.river.jeri.ssl.maxServerSessionDuration", "read"; 
> }; 
>  
> grant codebase 
>"file:/C:/Users/peter/Documents/NetBeansProjects/river-internet/qa/jtreg/JTwork/classes/net/jini/jeri/ssl/UnitTests/",
> 
>    principal javax.security.auth.x500.X500Principal "CN=serverRSA2" 
> { 
>    permission net.jini.security.AuthenticationPermission 
>"javax.security.auth.x500.X500Principal \"CN=serverRSA2\"", "listen"; 
> }; 
>  
> grant codebase 
>"file:/C:/Users/peter/Documents/NetBeansProjects/river-internet/qa/jtreg/JTwork/classes/net/jini/jeri/ssl/UnitTests/",
> 
>    principal javax.security.auth.x500.X500Principal "CN=serverDSA,C=US", 
>    principal javax.security.auth.x500.X500Principal "CN=serverRSA", 
>    principal TestUtilities.TestPrincipal "testServer" 
> { 
>    permission net.jini.security.AuthenticationPermission 
>"javax.security.auth.x500.X500Principal \"CN=serverDSA,C=US\"", "listen"; 
>    permission net.jini.security.AuthenticationPermission 
>"javax.security.auth.x500.X500Principal \"CN=serverRSA\"", "listen"; 
> }; 
>  
> grant codebase 
>"file:/C:/Users/peter/Documents/NetBeansProjects/river-internet/qa/jtreg/JTwork/classes/net/jini/jeri/ssl/UnitTests/",
> 
>    principal javax.security.auth.x500.X500Principal "CN=serverDSA,C=US", 
>    principal javax.security.auth.x500.X500Principal "CN=serverRSA", 
>    principal TestUtilities.TestPrincipal "testServer" 
> { 
>    permission net.jini.security.AuthenticationPermission 
>"javax.security.auth.x500.X500Principal \"CN=serverDSA,C=US\"", "listen"; 
>    permission net.jini.security.AuthenticationPermission 
>"javax.security.auth.x500.X500Principal \"CN=serverRSA\"", "listen"; 
> }; 
>  
> grant codebase 
>"file:/C:/Users/peter/Documents/NetBeansProjects/river-internet/qa/jtreg/JTlib-tmp/jsk-platform.jar"
> 
> { 
>    permission java.util.PropertyPermission 
>"org.apache.river.jeri.ssl.maxServerSessionDuration", "read"; 
> }; 
>  
> grant codebase 
>"file:/C:/Users/peter/Documents/NetBeansProjects/river-internet/qa/jtreg/JTwork/classes/net/jini/jeri/ssl/UnitTests/",
> 
>    principal javax.security.auth.x500.X500Principal "CN=serverRSA" 
> { 
>    permission net.jini.security.AuthenticationPermission 
>"javax.security.auth.x500.X500Principal \"CN=serverDSA,C=US\"", "listen"; 
>    permission net.jini.security.AuthenticationPermission 
>"javax.security.auth.x500.X500Principal \"CN=serverRSA\"", "listen"; 
> }; 
>  
> grant codebase 
>"file:/C:/Users/peter/Documents/NetBeansProjects/river-internet/qa/jtreg/JTlib-tmp/jsk-platform.jar",
> 
>    principal javax.security.auth.x500.X500Principal "CN=serverRSA2" 
> { 
>    permission net.jini.security.AuthenticationPermission 
>"javax.security.auth.x500.X500Principal \"CN=serverRSA2\"", "listen"; 
>    permission java.util.PropertyPermission 
>"org.apache.river.jeri.ssl.maxServerSessionDuration", "read"; 
> }; 
>  
> grant codebase 
>"file:/C:/Users/peter/Documents/NetBeansProjects/river-internet/qa/jtreg/JTlib-tmp/jsk-platform.jar",
> 
>    principal javax.security.auth.x500.X500Principal "CN=clientDSA" 
> { 
>    permission java.util.PropertyPermission 
>"org.apache.river.jeri.ssl.maxServerSessionDuration", "read"; 
> }; 
>  
> grant codebase 
>"file:/C:/Users/peter/Documents/NetBeansProjects/river-internet/qa/jtreg/JTlib-tmp/jsk-platform.jar",
> 
>    principal javax.security.auth.x500.X500Principal "CN=serverDSA,C=US", 
>    principal javax.security.auth.x500.X500Principal "CN=serverRSA", 
>    principal TestUtilities.TestPrincipal "testServer" 
> { 
>    permission net.jini.security.AuthenticationPermission 
>"javax.security.auth.x500.X500Principal \"CN=serverDSA,C=US\"", "listen"; 
>    permission net.jini.security.AuthenticationPermission 
>"javax.security.auth.x500.X500Principal \"CN=serverRSA\"", "listen"; 
>    permission java.util.PropertyPermission 
>"org.apache.river.jeri.ssl.maxServerSessionDuration", "read"; 
> }; 
>  
> grant codebase 
>"file:/C:/Users/peter/Documents/NetBeansProjects/river-internet/qa/jtreg/JTlib-tmp/jsk-platform.jar",
> 
>    principal javax.security.auth.x500.X500Principal "CN=serverDSA,C=US" 
> { 
>    permission java.util.PropertyPermission 
>"org.apache.river.jeri.ssl.maxServerSessionDuration", "read"; 
> }; 
>  
> grant codebase 
>"file:/C:/Users/peter/Documents/NetBeansProjects/river-internet/qa/jtreg/JTwork/classes/net/jini/jeri/ssl/UnitTests/",
> 
>    principal javax.security.auth.x500.X500Principal "CN=serverDSA,C=US", 
>    principal javax.security.auth.x500.X500Principal "CN=serverRSA", 
>    principal TestUtilities.TestPrincipal "testServer" 
> { 
>    permission net.jini.security.AuthenticationPermission 
>"javax.security.auth.x500.X500Principal \"CN=serverDSA,C=US\"", "listen"; 
>    permission net.jini.security.AuthenticationPermission 
>"javax.security.auth.x500.X500Principal \"CN=serverRSA\"", "listen"; 
> }; 
>  
> grant codebase 
>"file:/C:/Users/peter/Documents/NetBeansProjects/river-internet/qa/jtreg/JTlib-tmp/jsk-platform.jar",
> 
>    principal javax.security.auth.x500.X500Principal "CN=clientDSA" 
> { 
>    permission java.util.PropertyPermission 
>"org.apache.river.jeri.ssl.maxServerSessionDuration", "read"; 
> }; 
>  
> grant codebase 
>"file:/C:/Users/peter/Documents/NetBeansProjects/river-internet/qa/jtreg/JTwork/classes/net/jini/jeri/ssl/UnitTests/",
> 
>    principal javax.security.auth.x500.X500Principal "CN=serverDSA,C=US", 
>    principal javax.security.auth.x500.X500Principal "CN=serverRSA", 
>    principal TestUtilities.TestPrincipal "testServer" 
> { 
>    permission net.jini.security.AuthenticationPermission 
>"javax.security.auth.x500.X500Principal \"CN=serverDSA,C=US\"", "listen"; 
>    permission net.jini.security.AuthenticationPermission 
>"javax.security.auth.x500.X500Principal \"CN=serverRSA\"", "listen"; 
> }; 
>  
> grant codebase 
>"file:/C:/Users/peter/Documents/NetBeansProjects/river-internet/qa/jtreg/JTlib-tmp/jsk-platform.jar",
> 
>    principal javax.security.auth.x500.X500Principal "CN=serverRSA2" 
> { 
>    permission net.jini.security.AuthenticationPermission 
>"javax.security.auth.x500.X500Principal \"CN=serverRSA2\"", "listen"; 
>    permission java.util.PropertyPermission 
>"org.apache.river.jeri.ssl.maxServerSessionDuration", "read"; 
> }; 
>  
> grant codebase 
>"file:/C:/Users/peter/Documents/NetBeansProjects/river-internet/qa/jtreg/JTwork/classes/net/jini/jeri/ssl/UnitTests/"
> 
> { 
>    permission net.jini.security.AuthenticationPermission 
>"javax.security.auth.x500.X500Principal \"CN=clientRSA1,C=US\"", "listen"; 
>    permission net.jini.security.AuthenticationPermission 
>"javax.security.auth.x500.X500Principal \"CN=clientRSA2\"", "listen"; 
>    permission net.jini.security.AuthenticationPermission 
>"javax.security.auth.x500.X500Principal \"CN=serverDSA,C=US\"", "listen"; 
>    permission net.jini.security.AuthenticationPermission 
>"javax.security.auth.x500.X500Principal \"CN=serverRSA\"", "listen"; 
>    permission net.jini.security.AuthenticationPermission 
>"javax.security.auth.x500.X500Principal \"CN=serverRSA2\"", "listen"; 
>    permission java.security.SecurityPermission "getPolicy"; 
>    permission java.lang.reflect.ReflectPermission "suppressAccessChecks"; 
>    permission java.util.PropertyPermission "*", "read,write"; 
>    permission javax.security.auth.AuthPermission "doAs"; 
>    permission javax.security.auth.AuthPermission "doAsPrivileged"; 
>    permission javax.security.auth.AuthPermission "modifyPrincipals"; 
>    permission javax.security.auth.AuthPermission "modifyPrivateCredentials"; 
>    permission javax.security.auth.AuthPermission "modifyPublicCredentials"; 
>    permission javax.security.auth.AuthPermission "setReadOnly"; 
>    permission java.io.FilePermission 
>"C:\Users\peter\Documents\NetBeansProjects\river-internet\qa\jtreg\net\jini\jeri\ssl\UnitTests\keystore",
> "read"; 
>    permission java.net.SocketPermission "localhost:0", "listen,resolve"; 
>    permission javax.security.auth.PrivateCredentialPermission 
>"javax.security.auth.x500.X500PrivateCredential", "read"; 
>    permission javax.security.auth.PrivateCredentialPermission 
>"sun.security.provider.DSAPrivateKey", "read"; 
>    permission java.lang.RuntimePermission "accessDeclaredMembers"; 
>    permission java.lang.RuntimePermission "getProtectionDomain"; 
> }; 
>  
> grant codebase 
>"file:/C:/Users/peter/Documents/NetBeansProjects/river-internet/qa/jtreg/JTlib-tmp/jsk-platform.jar",
> 
>    principal javax.security.auth.x500.X500Principal "CN=serverDSA,C=US" 
> { 
>    permission java.util.PropertyPermission 
>"org.apache.river.jeri.ssl.maxServerSessionDuration", "read"; 
> }; 
>  
> grant codebase 
>"file:/C:/Users/peter/Documents/NetBeansProjects/river-internet/qa/jtreg/JTwork/classes/net/jini/jeri/ssl/UnitTests/",
> 
>    principal javax.security.auth.x500.X500Principal "CN=serverDSA,C=US", 
>    principal javax.security.auth.x500.X500Principal "CN=serverRSA", 
>    principal TestUtilities.TestPrincipal "testServer" 
> { 
>    permission net.jini.security.AuthenticationPermission 
>"javax.security.auth.x500.X500Principal \"CN=serverDSA,C=US\"", "listen"; 
>    permission net.jini.security.AuthenticationPermission 
>"javax.security.auth.x500.X500Principal \"CN=serverRSA\"", "listen"; 
> }; 
>  
> grant codebase 
>"file:/C:/Users/peter/Documents/NetBeansProjects/river-internet/qa/jtreg/JTlib-tmp/jsk-platform.jar",
> 
>    principal javax.security.auth.x500.X500Principal "CN=serverDSA,C=US" 
> { 
>    permission java.util.PropertyPermission 
>"org.apache.river.jeri.ssl.maxServerSessionDuration", "read"; 
> }; 
>  
> grant codebase 
>"file:/C:/Users/peter/Documents/NetBeansProjects/river-internet/qa/jtreg/JTwork/classes/net/jini/jeri/ssl/UnitTests/",
> 
>    principal javax.security.auth.x500.X500Principal "CN=serverRSA2" 
> { 
>    permission net.jini.security.AuthenticationPermission 
>"javax.security.auth.x500.X500Principal \"CN=serverRSA2\"", "listen"; 
> }; 
>  
> grant codebase 
>"file:/C:/Users/peter/Documents/NetBeansProjects/river-internet/qa/jtreg/JTlib-tmp/jsk-platform.jar"
> 
> { 
>    permission net.jini.security.AuthenticationPermission 
>"javax.security.auth.x500.X500Principal \"CN=clientRSA1,C=US\"", "listen"; 
>    permission net.jini.security.AuthenticationPermission 
>"javax.security.auth.x500.X500Principal \"CN=clientRSA2\"", "listen"; 
>    permission net.jini.security.AuthenticationPermission 
>"javax.security.auth.x500.X500Principal \"CN=serverDSA,C=US\"", "listen"; 
>    permission net.jini.security.AuthenticationPermission 
>"javax.security.auth.x500.X500Principal \"CN=serverRSA\"", "listen"; 
>    permission java.security.SecurityPermission "createAccessControlContext"; 
>    permission java.security.SecurityPermission "getDomainCombiner"; 
>    permission java.security.SecurityPermission "getPolicy"; 
>    permission java.security.SecurityPermission 
>"getProperty.auth.policy.provider"; 
>    permission java.security.SecurityPermission 
>"getProperty.jdk.certpath.disabledAlgorithms"; 
>    permission java.security.SecurityPermission 
>"getProperty.jdk.tls.disabledAlgorithms"; 
>    permission java.security.SecurityPermission "getProperty.keystore.type"; 
>    permission java.security.SecurityPermission 
>"getProperty.ssl.KeyManagerFactory.algorithm"; 
>    permission java.security.SecurityPermission 
>"getProperty.ssl.SocketFactory.provider"; 
>    permission java.security.SecurityPermission 
>"getProperty.ssl.TrustManagerFactory.algorithm"; 
>    permission java.security.SecurityPermission "putProviderProperty.SUN"; 
>    permission java.security.SecurityPermission "putProviderProperty.SunEC"; 
>    permission java.security.SecurityPermission "putProviderProperty.SunJCE"; 
>    permission java.util.logging.LoggingPermission "control"; 
>    permission org.apache.river.discovery.internal.EndpointInternalsPermission 
>"set"; 
>    permission java.lang.reflect.ReflectPermission "suppressAccessChecks"; 
>    permission java.util.PropertyPermission "*", "read,write"; 
>    permission org.apache.river.thread.ThreadPoolPermission 
>"getSystemThreadPool"; 
>    permission javax.security.auth.AuthPermission "doAs"; 
>    permission javax.security.auth.AuthPermission "doAsPrivileged"; 
>    permission javax.security.auth.AuthPermission "getSubject"; 
>    permission javax.security.auth.AuthPermission 
>"getSubjectFromDomainCombiner"; 
>    permission javax.security.auth.AuthPermission "modifyPrincipals"; 
>    permission javax.security.auth.AuthPermission "modifyPrivateCredentials"; 
>    permission javax.security.auth.AuthPermission "modifyPublicCredentials"; 
>    permission javax.security.auth.AuthPermission "setReadOnly"; 
>    permission java.io.FilePermission "C:\Program 
>Files\Java\jdk1.8.0\jre\bin\net.dll", "read"; 
>    permission java.io.FilePermission "C:\Program 
>Files\Java\jdk1.8.0\jre\bin\sunec.dll", "read"; 
>    permission java.io.FilePermission "C:\Program 
>Files\Java\jdk1.8.0\jre\classes", "read"; 
>    permission java.io.FilePermission "C:\Program 
>Files\Java\jdk1.8.0\jre\lib", "read"; 
>    permission java.io.FilePermission "C:\Program 
>Files\Java\jdk1.8.0\jre\lib\charsets.jar", "read"; 
>    permission java.io.FilePermission "C:\Program 
>Files\Java\jdk1.8.0\jre\lib\ext\cldrdata.jar", "read"; 
>    permission java.io.FilePermission "C:\Program 
>Files\Java\jdk1.8.0\jre\lib\ext\localedata.jar", "read"; 
>    permission java.io.FilePermission "C:\Program 
>Files\Java\jdk1.8.0\jre\lib\ext\sunec.jar", "read"; 
>    permission java.io.FilePermission "C:\Program 
>Files\Java\jdk1.8.0\jre\lib\ext\sunjce_provider.jar", "read"; 
>    permission java.io.FilePermission "C:\Program 
>Files\Java\jdk1.8.0\jre\lib\ext\sunmscapi.jar", "read"; 
>    permission java.io.FilePermission "C:\Program 
>Files\Java\jdk1.8.0\jre\lib\ext\sunpkcs11.jar", "read"; 
>    permission java.io.FilePermission "C:\Program 
>Files\Java\jdk1.8.0\jre\lib\jce.jar", "read"; 
>    permission java.io.FilePermission "C:\Program 
>Files\Java\jdk1.8.0\jre\lib\jfr.jar", "read"; 
>    permission java.io.FilePermission "C:\Program 
>Files\Java\jdk1.8.0\jre\lib\jsse.jar", "read"; 
>    permission java.io.FilePermission "C:\Program 
>Files\Java\jdk1.8.0\jre\lib\logging.properties", "read"; 
>    permission java.io.FilePermission "C:\Program 
>Files\Java\jdk1.8.0\jre\lib\management\usagetracker.properties", "read"; 
>    permission java.io.FilePermission "C:\Program 
>Files\Java\jdk1.8.0\jre\lib\meta-index", "read"; 
>    permission java.io.FilePermission "C:\Program 
>Files\Java\jdk1.8.0\jre\lib\resources.jar", "read"; 
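
An added example, not part of either message and not River's code: a small reviewer for a generated policy like the one quoted above. It merges duplicate grant entries and lists the broad permissions a container owner would have to decide on. The sample policy, its codebase paths and the shortlist of "broad" permissions are assumptions made for the illustration.

```python
import re
from collections import OrderedDict

# Constructed sample in the shape of the generated policy quoted above
# (codebase paths are made up; the second entry repeats part of the first).
SAMPLE_POLICY = r'''
grant codebase "file:/opt/river/lib/jsk-platform.jar",
    principal javax.security.auth.x500.X500Principal "CN=serverRSA"
{
    permission net.jini.security.AuthenticationPermission
"javax.security.auth.x500.X500Principal \"CN=serverRSA\"", "listen";
    permission java.util.PropertyPermission
"org.apache.river.jeri.ssl.maxServerSessionDuration", "read";
};

grant codebase "file:/opt/river/lib/jsk-platform.jar",
    principal javax.security.auth.x500.X500Principal "CN=serverRSA"
{
    permission java.util.PropertyPermission
"org.apache.river.jeri.ssl.maxServerSessionDuration", "read";
};

grant codebase "file:/opt/river/classes/UnitTests/"
{
    permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
    permission java.util.PropertyPermission "*", "read,write";
    permission java.security.SecurityPermission "getPolicy";
    permission java.net.SocketPermission "localhost:0", "listen,resolve";
};
'''

QUOTED = r'"((?:[^"\\]|\\.)*)"'  # quoted string, tolerating \" escapes
GRANT_RE = re.compile(r'grant\b(.*?)\{(.*?)\}\s*;', re.S)
PERM_RE = re.compile(
    r'permission\s+([\w.$]+)(?:\s+' + QUOTED + r')?(?:\s*,\s*' + QUOTED + r')?\s*;',
    re.S)
PRINCIPAL_RE = re.compile(r'principal\s+([\w.$]+)\s+' + QUOTED)

# Reviewer's shortlist of grants that deserve an explicit decision
# (an assumption for this example, not an official list).
RISKY_NAMES = {
    "java.lang.reflect.ReflectPermission": {"suppressAccessChecks"},
    "java.lang.RuntimePermission": {"setSecurityManager", "createClassLoader"},
    "java.security.SecurityPermission":
        {"getPolicy", "setPolicy", "createAccessControlContext"},
}

def is_broad(cls, name):
    """True for AllPermission, shortlisted targets, and wildcard targets."""
    if cls == "java.security.AllPermission" or name in RISKY_NAMES.get(cls, ()):
        return True
    return name in ("*", "<<ALL FILES>>") or name.endswith(".*")

def parse_policy(text):
    """Return one (key, permissions) pair per grant entry, in file order."""
    grants = []
    for header, body in GRANT_RE.findall(text):
        codebase = re.search(r'codebase\s+' + QUOTED, header)
        signer = re.search(r'signedBy\s+' + QUOTED, header)
        key = (codebase.group(1) if codebase else "",
               signer.group(1) if signer else "",
               frozenset(PRINCIPAL_RE.findall(header)))
        grants.append((key, set(PERM_RE.findall(body))))
    return grants

def merge_grants(grants):
    """Union permissions of entries with the same codebase/signer/principals."""
    merged = OrderedDict()
    for key, perms in grants:
        merged.setdefault(key, set()).update(perms)
    return merged

def review(text):
    """Return (entries parsed, distinct grants, broad permissions found)."""
    grants = parse_policy(text)
    merged = merge_grants(grants)
    findings = sorted((key[0], cls, name)
                      for key, perms in merged.items()
                      for cls, name, _actions in perms if is_broad(cls, name))
    return len(grants), len(merged), findings

if __name__ == "__main__":
    entries, distinct, findings = review(SAMPLE_POLICY)
    print(f"{entries} grant entries, {distinct} distinct")
    for codebase, cls, name in findings:
        print(f"decide: {codebase}: {cls} \"{name}\"")
```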
