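//////////////////////////////////////////////////////////////////////////////////
// Java security policy for a shared Resin host.
//
// How to read this file:
//  - Policy grants are additive. There is no "deny" entry; a permission is
//    withheld only when no matching grant block gives it.
//  - A grant with a codeBase applies to code loaded from that location; a
//    grant without a codeBase applies to ALL code, user web applications
//    included.
//  - In a path, a trailing "/-" matches everything below the directory
//    recursively; "/*" matches only the directory's direct children.
//
// NOTE(review): taken together, the codeBase-less default grant near the end of
// this file (RuntimePermission "*", PropertyPermission "*" with write,
// ReflectPermission "suppressAccessChecks", write access to the JDK and Resin
// trees) leaves user web applications with no effective sandbox. The notes next
// to each entry say why. The entries are left in place because removing them
// can break deployed applications; tighten them one at a time and test.
//
// NOTE(review): the Security Manager that consumes this file is deprecated for
// removal as of Java 17 (JEP 411). On current JDKs, isolate tenants at the OS
// or container level instead.
//////////////////////////////////////////////////////////////////////////////////

//////////////////////////////////////////////////////////////////////////////////
// User WEBAPP permissions
//
// NOTE(review): the codeBase "file:/home/-" covers every account under /home,
// so each entry below is shared by all customers' web applications.
grant codeBase "file:/home/-" {
  // Seems some XML processing uses this..
  permission java.io.SerializablePermission "enableSubclassImplementation";

  // Logging Permissions ..
  // NOTE(review): "control" lets a webapp reconfigure JVM-wide logging
  // (handlers, levels), which affects every application in this JVM.
  permission java.util.logging.LoggingPermission "control";

  // Grant read access to things outside of the home directory;
  // this is needed because some 3rd parties look for files in
  // other parts of the class path.
  // NOTE(review): this is read access to every file the JVM's OS user can
  // read, including server configuration and other customers' files. Prefer
  // explicit read grants for the directories those libraries actually need.
  permission java.io.FilePermission "<<ALL FILES>>", "read";

  // Allow user Servlets full access to their home directory...
  // NOTE(review): the target is "/home/-", not the caller's own directory, so
  // any customer's code can read, write and delete any other customer's
  // files. A per-account grant (see the egwdemo block at the end of this
  // file) is the least-privilege form.
  permission java.io.FilePermission "/home/-", "read, write, delete";

  // Allow customers to change permissions on their own files;
  // this is needed if their servlets create files so they can access them.
  // NOTE(review): "execute" permits launching /bin/chmod as a child process.
  // The child runs outside this policy, with the OS rights of the JVM user,
  // so it is not limited to the caller's own files.
  permission java.io.FilePermission "/bin/chmod", "read, execute";

  // Some Servlet IO uses the Temp folder...
  // NOTE(review): /tmp is shared by all tenants and by the server itself.
  permission java.io.FilePermission "/tmp/*", "read, write, delete";

  // Intended to stop webapps changing the default Locale: only "read" is
  // granted on user.language here.
  // NOTE(review): this does not deny anything. The default grant below gives
  // PropertyPermission "*", "read, write" to all code, which includes writing
  // user.language.
  permission java.util.PropertyPermission "user.language", "read";
};

//////////////////////////////////////////////////////////////////////////////////
// Permissions for code executed from the Resin home folder..
// (this grants everything to the server's own code; it is not a restriction)
//
grant codeBase "file:/usr/local/resin/-" {
  permission java.security.AllPermission;
};

//////////////////////////////////////////////////////////////////////////////////
// JDK permissions
//
// NOTE(review): every location below receives AllPermission. That is only safe
// if untrusted code cannot write to these locations; the default grant further
// down gives all code write access to the JDK and Resin trees.

// These permissions apply to javac
grant codeBase "file:${java.home}/lib/-" {
  permission java.security.AllPermission;
};

// These permissions apply to javac
grant codeBase "file:${java.home}/../bin/-" {
  permission java.security.AllPermission;
};

grant codeBase "file:${java.home}/bin/-" {
  permission java.security.AllPermission;
};

// These permissions apply to all shared system extensions
grant codeBase "file:${java.home}/jre/lib/ext/-" {
  permission java.security.AllPermission;
};

// These permissions apply to javac when ${java.home} points at $JAVA_HOME/jre
grant codeBase "file:${java.home}/../lib/-" {
  permission java.security.AllPermission;
};

// These permissions apply to all shared system extensions when
// ${java.home} points at $JAVA_HOME/jre
grant codeBase "file:${java.home}/lib/ext/-" {
  permission java.security.AllPermission;
};

//////////////////////////////////////////////////////////////////////////////////
// General Settings, Applied system wide.
//
// These permissions are granted by default to all web applications
// In addition, a web application will be given a read FilePermission
grant {
  // NOTE(review): "suppressAccessChecks" lets any code read and modify private
  // fields and call private methods of any class, JDK and server classes
  // included. Grant it to the specific library codeBase that needs it.
  permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
  permission java.lang.RuntimePermission "accessDeclaredMembers";

  // Allow net Access...
  // NOTE(review): any host and any port, with "listen" and "accept" as well as
  // outbound "connect". Restrict to the hosts and ports the applications need
  // (database, mail relay) and drop listen/accept unless a webapp must open
  // its own server socket.
  permission java.net.SocketPermission "*:*", "accept, connect, listen, resolve";

  // Servlets MUST have access to the JDK and the Resin directory ..
  // NOTE(review): these entries include "write". Code loaded from the Resin
  // tree and from ${java.home} (presumably this JDK path - confirm) is given
  // AllPermission above, so write access for all code removes the boundary
  // between trusted and untrusted code. "read" should be enough for servlets
  // to load classes and resources.
  permission java.io.FilePermission "/usr/local/java/jdk1.6.0_04/bin/-", "read, write, execute";
  permission java.io.FilePermission "/usr/local/java/jdk1.6.0_04/-", "read, write";
  permission java.io.FilePermission "/usr/local/java/jdk1.6.0_04/jre/-", "read, write";
  permission java.io.FilePermission "/usr/local/resin/-", "read, write";
  //permission java.io.FilePermission "<<ALL FILES>>", "read";

  // Required for JNDI lookup of named JDBC DataSource's and
  // javamail named MimePart DataSource used to send mail
  // NOTE(review): the wildcard implies every RuntimePermission target,
  // including "setSecurityManager", "exitVM" and "createClassLoader". It makes
  // the explicit list that follows redundant and by itself allows the sandbox
  // to be switched off. Remove it and keep only the named targets that are
  // really required.
  permission java.lang.RuntimePermission "*";
  // NOTE(review): "createClassLoader" alone is enough for code to define
  // classes with whatever permissions it chooses; "loadLibrary.*" allows
  // loading arbitrary native code. Both belong on trusted codeBases only.
  permission java.lang.RuntimePermission "createClassLoader";
  permission java.lang.RuntimePermission "getClassLoader";
  permission java.lang.RuntimePermission "loadLibrary.*";
  permission java.lang.RuntimePermission "setContextClassLoader";
  permission java.lang.RuntimePermission "shutdownHooks";
  permission java.lang.RuntimePermission "setFactory";
  permission java.lang.RuntimePermission "modifyThread";
  permission java.lang.RuntimePermission "stopThread";
  permission java.lang.RuntimePermission "modifyThreadGroup";
  permission java.lang.RuntimePermission "getProtectionDomain";

  // NOTE(review): read AND write on every system property. This overrides the
  // read-only intent of all the per-property entries below and of the
  // user.language entry in the /home grant, and lets any webapp change
  // JVM-wide settings that other applications rely on.
  permission java.util.PropertyPermission "*", "read, write";
  permission java.util.PropertyPermission "java.home", "read";
  permission java.util.PropertyPermission "java.naming.*", "read";
  permission java.util.PropertyPermission "javax.sql.*", "read";

  // OS Specific properties to allow read access
  permission java.util.PropertyPermission "os.name", "read";
  permission java.util.PropertyPermission "os.version", "read";
  permission java.util.PropertyPermission "os.arch", "read";
  permission java.util.PropertyPermission "file.separator", "read";
  permission java.util.PropertyPermission "path.separator", "read";
  permission java.util.PropertyPermission "line.separator", "read";

  // JVM properties to allow read access
  permission java.util.PropertyPermission "java.version", "read";
  permission java.util.PropertyPermission "java.vendor", "read";
  permission java.util.PropertyPermission "java.vendor.url", "read";
  permission java.util.PropertyPermission "java.class.version", "read";
  permission java.util.PropertyPermission "java.specification.version", "read";
  permission java.util.PropertyPermission "java.specification.vendor", "read";
  permission java.util.PropertyPermission "java.specification.name", "read";
  permission java.util.PropertyPermission "java.vm.specification.version", "read";
  permission java.util.PropertyPermission "java.vm.specification.vendor", "read";
  permission java.util.PropertyPermission "java.vm.specification.name", "read";
  permission java.util.PropertyPermission "java.vm.version", "read";
  permission java.util.PropertyPermission "java.vm.vendor", "read";
  permission java.util.PropertyPermission "java.vm.name", "read";

  // Required for getting BeanInfo
  permission java.lang.RuntimePermission "accessClassInPackage.sun.beans.*";

  // Required for running servlets generated by JSPC
  permission java.lang.RuntimePermission "accessClassInPackage.org.apache.jasper.runtime.*";

  // Required for OpenJMX
  permission java.lang.RuntimePermission "getAttribute";

  // Allow read of JAXP compliant XML parser debug
  permission java.util.PropertyPermission "jaxp.debug", "read";
};

// Per-account grant: code under /home/egwdemo may read, write and delete
// files in its own home directory.
// NOTE(review): this is the least-privilege shape for a shared host, but it
// adds nothing while the "file:/home/-" block above already grants
// "/home/-" read/write/delete to every account's code.
grant codeBase "file:/home/egwdemo/-" {
  permission java.io.FilePermission "/home/egwdemo/-", "read, write, delete";
};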