Red Hat Summit6.5. Java Security Policy Statements
A policy file specifies permissions to modules and deployed applications. Permissions are applied to deployed applications via the
VFS protocol. See the following Oracle Java SE documentation page Default Policy Implementation and Policy File Syntax for further information at http://docs.oracle.com/javase/7/docs/technotes/guides/security/PolicyFiles.html
The following is an example of policy statements.
Note
On Microsoft Windows Server, when specifying a
FilePermission statement including a file path in a string, not a codeBase URL, you must replace single backslash characters with two backslash characters. This is because when file paths are parsed, a single backslash is interpreted as an escape character.
Note
Two VFS issues currently exist in JBoss EAP that require a workaround:
- If you define a grant for a deployment on Microsoft Windows, instead of:
grant codeBase "vfs:/content/..." {grant codeBase "vfs:/content/..." {Copy to Clipboard Copied! Toggle word wrap Toggle overflow you must use:grant codeBase "vfs:/${user.dir}/content/..." {grant codeBase "vfs:/${user.dir}/content/..." {Copy to Clipboard Copied! Toggle word wrap Toggle overflow - If your application contains JSPs, then the permissions granted to the deployment using a VFS URL is not sufficient, and you will have to duplicate it with file-based URL. For example, if you have permission:
grant codeBase "vfs:/content/application.war/-" { permission java.util.PropertyPermission "*", "read"; };grant codeBase "vfs:/content/application.war/-" { permission java.util.PropertyPermission "*", "read"; };Copy to Clipboard Copied! Toggle word wrap Toggle overflow then you also need to add the following:grant codeBase "file:${jboss.home.dir}/standalone/tmp/work/jboss.web/default-host/application/-" { permission java.util.PropertyPermission "*", "read"; };grant codeBase "file:${jboss.home.dir}/standalone/tmp/work/jboss.web/default-host/application/-" { permission java.util.PropertyPermission "*", "read"; };Copy to Clipboard Copied! Toggle word wrap Toggle overflow
Module permissions are defined in
module.xml (version 1.2 or higher). The following example demonstrates specifying module permissions.
If there is no
<permissions/> element, then AllPermission permission is granted to the module. If there is an empty <permissions/> element, then no permission is granted.
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}