Re: [Resin-interest] Fwd: Re: Security Manager

Thu, 09 Aug 2007 10:51:00 -0700 

Hi,

I was able to get someone to send me the file, and basically it is  
something like this:
-------------------------------------------------------------------------
// Permissions allowed for everyone.
grant {
   permission java.util.PropertyPermission "*", "read";
   permission java.lang.RuntimePermission "accessClassInPackage.*";
   permission java.lang.RuntimePermission "getClassLoader";
};

// Give the system and Resin classes all permissions
grant codeBase "file:${resin.home}/lib/-" {
         permission java.security.AllPermission;
};
grant codeBase "file:${java.home}/../lib/-" {
         permission java.security.AllPermission;
};
grant codeBase "file:${java.home}/lib/-" {
         permission java.security.AllPermission;
};

// Repeat this block for each application

// web/AppX is the directory where the app is deployed
// web/WorkX is the directory where resin has been configured to put
// its temporary files. It is outside the app. directory so users cannot
// mess with those files through FTP.
// Give a web-app specific permissions.
grant codeBase "file:${user.home}/web/AppX/-" {
         permission java.io.FilePermission "${resin.home}/WEB-INF/-", "read";
         permission java.io.FilePermission "${user.home}/web/WorkX/-", "read,
write";
         permission java.io.FilePermission "${user.home}/web/WorkX/", "read,w
rite";
};
grant codeBase "file:${user.home}/web/WorkX/-" {
         permission java.io.FilePermission "${resin.home}/WEB-INF/-", "read";
         permission java.io.FilePermission "${user.home}/web/WorkX/-", "read,
write";
         permission java.io.FilePermission "${user.home}/web/WorkX/", "read,w
rite";
};
...
-------------------------------------------------------------------------
One could further refine the permissions given to Resin and one might  
also require to add more permission to each application (if it  
connects to a DB, for example), but that's the minimum. One need to  
add specific permissions for the temporary files as that includes the  
compiled JSPs, XSLTs etc. so if you don't give them permissions, they  
can do nothing.

Salute!
D.

S'està citant "Mktg. Incorporate Fast" <[EMAIL PROTECTED]>:

> Hi Daniel,
>
> Thank you for the response.  In the new version of resin we are using the
> <jvm-arg> </jvm-arg> to pass in a path to the resin.policy file.  As you
> mentioned, we are not able to supply it as an input from the script of
> command line.
>
> If you could forward any part of your policy file to me to help me get
> started, I would be much appreciated.
>
> I haven't yet resolved why things appear to work when they apparently should
> not.
>
> Joey
>


----------------------------------------------------------------





_______________________________________________
resin-interest mailing list
resin-interest@caucho.com
http://maillist.caucho.com/mailman/listinfo/resin-interest

Reply via email to