Hi,
Here's a basic security policy for JRun 2.3.3. I wish I could have put this out
a long time ago, but I've never had the time in the face of so many other
obligations. This has always been the sort of thing anyone could do on their
own, but I always thought it would make a good knowledge base article and would
just be a good thing to be able to guide our customers on a little bit.
To use the policy file, copy it out of this email (hopefully the line breaks are
preserved) and give it a name, read the documentation and customize it for your
use. Any feedback on it is extremely welcome. The next step will be to write
one for JRun 3.0 that's more restrictive (right now the policy files in 3.0 are
wide open). One limitation I've found with this one so far is that I can't stop
JRun using the jsm command. I can try with the little Windows-applet thing, but
the Win-applet just goes away and leaves the jsm and Javaw processes running.
So the most reliable way to use this so far is to start and stop JRun using the
command line or a bat/shell script.
There's nothing flawed about not having a tight security manager and policy file
set up for JRun. Nevertheless, for Internet Service Providers doing servlet/JSP
hosting it really is highly recommended. And for tightening the security on
your intranet or in your server-side Java application, you can benefit from
using the security mechanisms in Java. On the other hand, there's no
replacement for the standard security measures of firewalls, OS-level security,
and other traditional means.
Scott Stirling
Allaire
/**
* This policy file is designed to give you the permissions necessary for
* basic functionality with JRun 2.3.3, including the ability to process JSPs,
* dynamically reload servlets, read system and JRun properties, write to
* the logs, and use sendRedirect and RequestDispatcher in your servlets/JSPs.
*
* What it doesn't provide are any provisions for more advanced or complex
* configurations, such as policies for multiple users, permissions for
* connecting to your database with a JDBC driver, or loading native libraries
* for JNI. It also does not include permissions for changing JRun's
* properties files via the JRun admin console. This would be easy to add (just
* add write permissions for all the files under all the properties
* directories), but for brevity and due to the fact that many people prefer
* to administer JRun 2.3.3 by hand, I omitted it.
*
* For customizing this policy file, creating your own, and
* understanding the Java Security architecture, please refer to the Java
* documentation and a good book such as this one: "Inside Java 2 Platform
Security:
* Architecture, API Design, and Implementation," by Li Gong, 1999, Sun
Microsystems
*/
/** To use this file, naturally, change all the directories and ports to match
your file
* system and JRun installation. I've used the default port configuration
* for admin, JWS and proxyport (57860, 8000, 8081), but you can change the
* ports to match your setup.
*
* Protect this file by keeping it somewhere on the file system where the JRun
* process does not have permission to read or write it.
*
* Next, add a policy.url for this file in your JRE's
* {java.home}jre/lib/security/java.security file, like so:
* policy.url.1=file:${java.home}/lib/security/java.policy
* policy.url.2=file:${user.home}/.java.policy
* policy.url.3=file:/D:/path/to/this-jrun.policy
*
* Pass the location of
* this file as a property in the java.args property of JRun's jsm.properties,
like so:
*
*
java.args=-Djava.security.manager -Djava.security.policy=D:\\path\\to\\this-jrun
.policy
*/
grant {
permission java.io.FilePermission "D:\\JRun233", "read";
permission java.io.FilePermission "D:\\JRun233\\-", "read";
permission java.io.FilePermission "D:\\JRun233\\jsm-default\\logs\\*", "read,
write";
permission java.io.FilePermission
"D:\\JRun233\\jsm-default\\services\\jse\\logs\\*", "read, write";
permission java.io.FilePermission
"D:\\JRun233\\jsm-default\\services\\jseweb\\logs\\*", "read, write";
permission java.io.FilePermission
"D:\\JRun233\\jsm-default\\services\\jse\\servlets", "read, write";
permission java.io.FilePermission
"D:\\JRun233\\jsm-default\\services\\jse\\servlets\\-", "read, write";
permission java.io.FilePermission
"D:\\JRun233\\jsm-default\\services\\jseweb\\servlets", "read, write";
permission java.io.FilePermission
"D:\\JRun233\\jsm-default\\services\\jseweb\\servlets\\-", "read, write";
permission java.io.FilePermission
"D:\\JRun233\\jsm-default\\services\\jws\\-", "read, write";
permission java.io.FilePermission "C:\\jdk1.2.2\\jre\\lib\\-", "read";
permission java.io.FilePermission "C:\\jdk1.2.2\\lib\\tools.jar", "read";
permission java.io.FilePermission
"D:\\JRun233\\jsm-default\\services\\jseweb\\servlets\\jsp\\-", "delete";
permission java.io.FilePermission "<<ALL FILES>>", "execute";
/* make sure the following permission is uncommented and matches your web
server's document
root if you want to serve documents, such as JSPs, from your native web
server via JRun. */
// permission java.io.FilePermission "C:\\Inetpub\\wwwroot\\-", "read";
permission java.net.SocketPermission "127.0.0.1:8081", "accept, listen,
resolve";
permission java.net.SocketPermission "127.0.0.1:8000", "accept, listen,
resolve";
permission java.net.SocketPermission "127.0.0.1:1024-", "accept, resolve";
permission java.net.SocketPermission "127.0.0.1:57860", "accept, listen,
resolve";
permission java.net.SocketPermission "*.com", "connect, resolve";
permission java.net.SocketPermission "*.org", "connect, resolve";
permission java.net.SocketPermission "*.net", "connect, resolve";
permission java.net.SocketPermission "*.net", "connect, resolve";
permission java.util.PropertyPermission "*", "read";
permission java.lang.RuntimePermission "setIO";
permission java.lang.RuntimePermission "exitVM";
permission java.lang.RuntimePermission "stopThread";
permission java.lang.RuntimePermission "createClassLoader";
};
------------------------------------------------------------------------------
Archives: http://www.egroups.com/group/jrun-interest/
Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists&body=lists/jrun_talk
or send a message to [EMAIL PROTECTED] with 'unsubscribe' in the
body.
