I did some work in 3.2.4 to better isolate code that should be running as trusted jboss code (provided you mark it as trusted) from untrusted application component code. There were a number of places where trusted operations were running at the privilege level of the caller rather than that of the jboss codebase. A sample policy file I was using with testing when all user code was deployed in a secondary user-deploy directory was:
| [EMAIL PROTECTED] buildmagic]$ cat /tmp/server.policy
| // The Java2 security policy for the securitymgr tests
| // Install with -Djava.security.policy==server.policy
| // and -Djboss.home.dir=path_to_jboss_distribution and
| // -Djboss.server.home.dir=path_to_jboss_server_config
|
| // Trusted core Java code
| grant codeBase "file:${java.home}/lib/ext/-" {
|    permission java.security.AllPermission;
| };
| grant codeBase "file:/C:/usr/java/j2sdk1.4.2_04/lib/*" {
|    permission java.security.AllPermission;
| };
|
| // Trusted core Jboss code
| grant codeBase "file:${jboss.home.dir}/bin/-" {
|    permission java.security.AllPermission;
| };
| grant codeBase "file:${jboss.home.dir}/lib/-" {
|    permission java.security.AllPermission;
| };
| grant codeBase "file:${jboss.server.home.dir}/lib/-" {
|    permission java.security.AllPermission;
| };
| grant codeBase "file:${jboss.server.home.dir}/deploy/-" {
|    permission java.security.AllPermission;
| };
|
| // Minimal permissions are allowed to everyone else
| grant {
|    permission java.util.PropertyPermission "*", "read";
|    permission java.lang.RuntimePermission "queuePrintJob";
|    permission java.net.SocketPermission "*", "connect";
|    permission javax.management.MBeanServerPermission "findMBeanServer";
| };
|

You could work on further fine-tuning the AllPermission granted to jboss code to the minimum needed for various usage scenarios.

View the original post : http://www.jboss.org/index.html?module=bb&op=viewtopic&p=3837785#3837785

JBoss-user mailing list
https://lists.sourceforge.net/lists/listinfo/jboss-user
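Added example (not part of the original post and not JBoss code): a small Python check of which grant entries in a policy like the one above apply to a given code location, so you can confirm that code in a separate user-deploy directory falls only under the default grant and see which codeBase entries still carry AllPermission. The /opt/jboss paths, the user-deploy location and all function names are assumptions, and locations are taken to be already canonical file: URLs.

```python
import re

# Constructed excerpt of the policy from the post; the PROPS paths are assumed.
POLICY = '''
// Trusted core Jboss code
grant codeBase "file:${jboss.home.dir}/lib/-" {
    permission java.security.AllPermission;
};
grant codeBase "file:${jboss.server.home.dir}/deploy/-" {
    permission java.security.AllPermission;
};
grant codeBase "file:/C:/usr/java/j2sdk1.4.2_04/lib/*" {
    permission java.security.AllPermission;
};
grant {
    permission java.util.PropertyPermission "*", "read";
    permission java.net.SocketPermission "*", "connect";
};
'''
PROPS = {"jboss.home.dir": "/opt/jboss",
         "jboss.server.home.dir": "/opt/jboss/server/default"}

GRANT = re.compile(r'grant(?:\s+codeBase\s+"([^"]*)")?\s*\{(.*?)\}\s*;', re.S)
PERM = re.compile(r'permission\s+([\w.]+)([^;]*);')

def parse_policy(text, props):
    """Return [(codebase or None, [(permission class, args)])]."""
    text = re.sub(r'(?m)^\s*//.*$', '', text)  # drop full-line comments
    # Expand ${prop}; unknown properties stay literal and so match no location.
    text = re.sub(r'\$\{([^}]+)\}', lambda m: props.get(m.group(1), m.group(0)), text)
    return [(cb or None, [(n, a.strip()) for n, a in PERM.findall(body)])
            for cb, body in GRANT.findall(text)]

def codebase_implies(codebase, location):
    """No codeBase = all code; '/-' = directory tree; '/*' = files directly in the directory."""
    if codebase is None:
        return True
    if codebase.endswith("/-"):
        return location.startswith(codebase[:-1])
    if codebase.endswith("/*"):
        return location.startswith(codebase[:-1]) and "/" not in location[len(codebase) - 1:]
    return location == codebase

def effective_permissions(location, grants):
    """Permission class names that apply to code loaded from `location`."""
    return sorted({n for cb, perms in grants if codebase_implies(cb, location) for n, _ in perms})

def has_all_permission(location, grants):
    return "java.security.AllPermission" in effective_permissions(location, grants)

GRANTS = parse_policy(POLICY, PROPS)
```

Running has_all_permission over every directory the server loads code from gives a quick list of the locations that are fully trusted, which is the starting point for narrowing the AllPermission grants.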