If one requires fine-grained security for applications / configurations
that are deployed, e.g. what files they can access, what ports they can
listen on, etc.
Some large enterprise sites may run under a security manager due to high
security requirements, but running under a security manager incurs an
overhead.
FYI, in section "1.4 Requirements" of the JACC spec it states in point
9 that the container must execute in an environment controlled by a J2SE
security manager.
The issue that Cristian raised needs to be discussed. A concern I have
is that if we used names instead of numbers then we will most likely run
into the Windows file path length (on JDK 1.4.2) issue discussed in the
mail thread
http://www.mail-archive.com/[email protected]/msg15501.html
Regards,
John
Vamsavardhana Reddy wrote:
When does one require to run the server under a Security Manager?
Thanks,
Vamsi
On 2/11/06, *Matt Hogstrom* <[EMAIL PROTECTED]> wrote:
Cristian,
No apologies. This is good feedback as I think we can use as much
administrative feedback as possible.
Cristian Roldan wrote:
> Hi All,
> I enabled the Security Manager with these parameters "-Djava.security.manager -Djava.security.policy=geronimo.policy",
> everything works ok, but the only problem that I saw was with the Application identification (number), if you deploy
> an application, Geronimo creates a directory config-store/[NUMBER], you must use this number in the policy file, after a while
> you undeploy and deploy a new version of that application in this case you obtain a new number, so you must change the policy file.
> I think that using a [number] as a deployment directory is not the best solution from the administration perspective.
> I'm sorry I just give an opinion from the administration point of view maybe there is a design/performance reason that I can't see.
>
>
> // --------------------------------------------------------------------------------------
> // Permissions for Geronimo V.1.0
> // --------------------------------------------------------------------------------------
> // Geronimo gets all permissions
> grant codeBase "file:${org.apache.geronimo.base.dir}/lib/-" {
>     permission java.security.AllPermission;
> };
> grant codeBase "file:${org.apache.geronimo.base.dir}/repository/-" {
>     permission java.security.AllPermission;
> };
> //----------------------------------------------------------------------
> // From here I set the minimum permissions for my Applications
> // You must change "23" for your Application number, this number is created
> // during deployment phase.
> //----------------------------------------------------------------------
> grant codeBase "file:${org.apache.geronimo.base.dir}/config-store/23/-" {
>     permission java.lang.RuntimePermission "accessClassInPackage.*";
> };
> // ---------------------------------------------------------------------
> grant codeBase "file:${org.apache.geronimo.base.dir}/config-store/1/-" {
>     permission java.security.AllPermission;
> };
> grant codeBase "file:${org.apache.geronimo.base.dir}/config-store/2/-" {
>     permission java.security.AllPermission;
> };
> grant codeBase "file:${org.apache.geronimo.base.dir}/config-store/3/-" {
>     permission java.security.AllPermission;
> };
> grant codeBase "file:${org.apache.geronimo.base.dir}/config-store/4/-" {
>     permission java.security.AllPermission;
> };
> grant codeBase "file:${org.apache.geronimo.base.dir}/config-store/5/-" {
>     permission java.security.AllPermission;
> };
> grant codeBase "file:${org.apache.geronimo.base.dir}/config-store/6/-" {
>     permission java.security.AllPermission;
> };
> grant codeBase "file:${org.apache.geronimo.base.dir}/config-store/7/-" {
>     permission java.security.AllPermission;
> };
> grant codeBase "file:${org.apache.geronimo.base.dir}/config-store/8/-" {
>     permission java.security.AllPermission;
> };
> grant codeBase "file:${org.apache.geronimo.base.dir}/config-store/9/-" {
>     permission java.security.AllPermission;
> };
> grant codeBase "file:${org.apache.geronimo.base.dir}/config-store/10/-" {
>     permission java.security.AllPermission;
> };
> grant codeBase "file:${org.apache.geronimo.base.dir}/config-store/11/-" {
>     permission java.security.AllPermission;
> };
> grant codeBase "file:${org.apache.geronimo.base.dir}/config-store/12/-" {
>     permission java.security.AllPermission;
> };
> grant codeBase "file:${org.apache.geronimo.base.dir}/config-store/13/-" {
>     permission java.security.AllPermission;
> };
> grant codeBase "file:${org.apache.geronimo.base.dir}/config-store/14/-" {
>     permission java.security.AllPermission;
> };
> grant codeBase "file:${org.apache.geronimo.base.dir}/config-store/15/-" {
>     permission java.security.AllPermission;
> };
> grant codeBase "file:${org.apache.geronimo.base.dir}/config-store/16/-" {
>     permission java.security.AllPermission;
> };
> grant codeBase "file:${org.apache.geronimo.base.dir}/config-store/17/-" {
>     permission java.security.AllPermission;
> };
> grant codeBase "file:${org.apache.geronimo.base.dir}/config-store/18/-" {
>     permission java.security.AllPermission;
> };
> grant codeBase "file:${org.apache.geronimo.base.dir}/config-store/19/-" {
>     permission java.security.AllPermission;
> };
> grant codeBase "file:${org.apache.geronimo.base.dir}/config-store/20/-" {
>     permission java.security.AllPermission;
> };
> grant codeBase "file:${org.apache.geronimo.base.dir}/config-store/21/-" {
>     permission java.security.AllPermission;
> };
> grant codeBase "file:${org.apache.geronimo.base.dir}/config-store/22/-" {
>     permission java.security.AllPermission;
> };
> grant codeBase "file:${org.apache.geronimo.base.dir}/config-store/24/-" {
>     permission java.security.AllPermission;
> };
> grant codeBase "file:${org.apache.geronimo.base.dir}/config-store/25/-" {
>     permission java.security.AllPermission;
> };
> grant codeBase "file:${org.apache.geronimo.base.dir}/config-store/26/-" {
>     permission java.security.AllPermission;
> };
> grant codeBase "file:${org.apache.geronimo.base.dir}/config-store/27/-" {
>     permission java.security.AllPermission;
> };
> grant codeBase "file:${org.apache.geronimo.base.dir}/config-store/28/-" {
>     permission java.security.AllPermission;
> };
> grant codeBase "file:${org.apache.geronimo.base.dir}/config-store/29/-" {
>     permission java.security.AllPermission;
> };
> grant codeBase "file:${org.apache.geronimo.base.dir}/config-store/30/-" {
>     permission java.security.AllPermission;
> };
> grant codeBase "file:${org.apache.geronimo.base.dir}/config-store/31/-" {
>     permission java.security.AllPermission;
> };
> grant codeBase "file:${org.apache.geronimo.base.dir}/config-store/32/-" {
>     permission java.security.AllPermission;
> };
> grant codeBase "file:${org.apache.geronimo.base.dir}/config-store/33/-" {
>     permission java.security.AllPermission;
> };
> grant codeBase "file:${org.apache.geronimo.base.dir}/config-store/34/-" {
>     permission java.security.AllPermission;
> };
> grant codeBase "file:${org.apache.geronimo.base.dir}/config-store/35/-" {
>     permission java.security.AllPermission;
> };
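The redeploy problem described in this thread can be caught with a small audit of the policy file against the numbers currently present under config-store/. The following is an added example, not code from the thread or from Geronimo; the function names, the sample policy and the list of deployed numbers (here 22 and 36) are constructed assumptions.

```python
import re

# Matches one grant block keyed on a config-store number (as in the policy above).
GRANT_RE = re.compile(
    r'grant\s+codeBase\s+"file:\$\{\s*org\.apache\.geronimo\.base\.dir\s*\}'
    r'/config-store/(\d+)/-"\s*\{(.*?)\}\s*;',
    re.DOTALL,
)
PERM_RE = re.compile(r'permission\s+([\w.]+)(?:\s+"([^"]*)")?\s*;')


def parse_grants(policy_text):
    """Return {config-store number: [(permission class, target or None), ...]}."""
    grants = {}
    for number, body in GRANT_RE.findall(policy_text):
        grants.setdefault(int(number), []).extend(
            (cls, target or None) for cls, target in PERM_RE.findall(body)
        )
    return grants


def audit(policy_text, deployed_numbers):
    """Compare policy grants with the numbers present under config-store/."""
    grants = parse_grants(policy_text)
    deployed = set(deployed_numbers)
    return {
        # grants left behind by an undeploy: nothing lives at that number now
        "stale": sorted(set(grants) - deployed),
        # deployed configurations with no grant block keyed on their number
        "missing": sorted(deployed - set(grants)),
        # configurations granted java.security.AllPermission
        "all_permission": sorted(
            n for n, perms in grants.items()
            if any(cls == "java.security.AllPermission" for cls, _ in perms)
        ),
    }


# Constructed sample: the app restricted as 23 was redeployed as 36, policy not updated.
SAMPLE_POLICY = """
grant codeBase "file:${org.apache.geronimo.base.dir}/config-store/22/-" {
    permission java.security.AllPermission;
};
grant codeBase "file:${org.apache.geronimo.base.dir}/config-store/23/-" {
    permission java.lang.RuntimePermission "accessClassInPackage.*";
};
"""

if __name__ == "__main__":
    print(audit(SAMPLE_POLICY, deployed_numbers=[22, 36]))
```

A non-empty "stale" or "missing" list after a redeploy means the policy file still names the old deployment number and needs to be edited before the restricted grant applies to the new one.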