5.4.2. Java Security Manager Policy File

Procedure 5.3. Install Common Criteria-evaluated Security Manager Policy

1. Create the Common Criteria-evaluated Policy File

   Copy the following text into a text editor and save it in EAP_HOME/bin/ directory. The suggested file name is jbosseap62.policy.

   // Grant all to the jboss-modules.jar
   grant codeBase "file:${jboss.home.dir}/jboss-modules.jar" {
     permission java.security.AllPermission;
   };
   
   // Standard extensions get all permissions by default
   grant codeBase "file:${java.home}/lib/ext/*" {
     permission java.security.AllPermission;
   };
   

   Copy to Clipboard Toggle word wrap

   Note

   The CC-evaluated policy file may need additional permissions configured, such as permissions to database drivers. These permissions are site-specific.

2. Configure the Java Parameters

   Add the following Java command line parameters to the JBoss EAP start-up configuration scripts (standalone.conf, domain.conf, standalone.conf.bat, domain.conf.bat):

   -Djava.security.manager

   Enables the security manager

   -Djava.security.policy==/path/to/security.policy

   Specify the path to the security policy file.

   -Djboss.home.dir=/path/to/JBOSS_EAP_HOME

   Define the system property that is used in the policy file.

   -Djboss.modules.policy-permissions=true

   Enables deployment level security permissions.

   Example 5.1. standalone.conf

   JAVA_OPTS="$JAVA_OPTS -Djava.security.manager -Djava.security.policy==$JBOSS_HOME/bin/jbosseap62.policy -Djboss.home.dir=$JBOSS_HOME -Djboss.modules.policy-permissions=true"

   Copy to Clipboard Toggle word wrap

   Note

   The JBOSS_HOME environment variable is not defined when domain.conf is processed. It can be used only in standalone.conf.

3. Configure the Java Security Manager to use the policy file

   See Java Security Manager in the Security Guide.