Re: Start EJBServer with Jeremie

Mon, 14 Feb 2000 02:48:26 -0800 

Jonathan Whitehead wrote:
> 
> I've finally got to the bottom of this problem. The socket permission
> exception was being thrown by Jonathan, not Jonas.
> 
> Thus it would seem "registry" now needs a liberal security policy as
> well as EJBServer. Everything works fine if you have ".java.policy" in
> your home directory, but not if you were using the rather more secure
> method of "EJBServer -Djava.security.policy=..."

Yes, it's actually a security problem with the Jeremie registry: the 
latter needs more permissions than rmiregistry. If you downlaod Jonathan
and its examples, you will see that we run the examples with a policy
file that has the following permissions:

 grant {

  permission java.net.SocketPermission "*:1024-65535", 
             "accept, connect, listen, resolve";

  permission java.net.SocketPermission "*:80", "connect,resolve";

  permission java.io.FilePermission "<<ALL FILES>>", "read";
  permission java.util.PropertyPermission "*", "read, write";

  permission java.io.SerializablePermission "enableSubstitution";

  permission java.lang.reflect.ReflectPermission 
              "suppressAccessChecks";

  permission java.lang.RuntimePermission "accessDeclaredMembers";

};


The first three authorize communications with the registry including 
http and file connections for stub classes and serializable classes.
The last three permissions are to do with how we implemented the 
Jeremie registry.


> The $JONAS_ROOT/bin/registry script would need modifying to allow java
> flags like "-D" as well as the port number parameter. Or maybe hardcode
> the policy file into the script. Since JDK 1.1 is no longer being
> supported maybe security policy files could become built-in rather than
> an optional extra in the Installation Guide.

Yes, this will be be done in the next CVS version of Jonas.

Regards,
Kathleen
 

==============================================================
Kathleen Milsted
France Telecom CNET
Distributed Systems Architecture department (DTL/ASR)
28 chemin du Vieux Chene
BP 98, 38243 Meylan Cedex
FRANCE
Tel: +33 4 76 76 45 94
Fax: +33 4 76 76 45 57
E-mail: [EMAIL PROTECTED]
----
To unsubscribe, send email to [EMAIL PROTECTED] and
include in the body of the message "unsubscribe jonas-users".
For general help, send email to [EMAIL PROTECTED] and
include in the body of the message "help".

Reply via email to