Skip to main content

manipulating server.policy after deployment

2 replies [Last post]
nasseria
Offline
Joined: 2010-09-14
Points: 0

I have a question about server.policy and its permissions.

We have deployed our EJB application in glassfish and after that we require to add a .class file that itself require a new permission to operate. When we add this new permission in granted.policy which is located in ${com.sun.aas.instanceRoot}/generated/policy/our-application/module1 it works perfectly. But because our application has about 14 module, we do not want to copy the same granted.polcy in each folder.
One another solution as mentioned in http://docs.sun.com/app/docs/doc/820-4496/beabx?l=en&a=view is to change ${com.sun.aas.instanceRoot}/config/server.policy file to have that permission. It's also allowable to use wildcard character (-) to address a sepcial directory and all its files and subdirectories in security.policy.
After doing that, it's expected to work after restarting our domain.
But, I've tried every path with its wildcard characters, but it didn't work.
Although it looks very simple method, I still have no idea either any other action is required or any security problem in reading security.policy file? (I set permission as 777)
Please give any idea you think can be helpful,

Thanks in advance,
Nasser Fard

Reply viewing options

Select your preferred way to display the comments and click "Save settings" to activate your changes.
Kumar Jayanti

glassfish@javadesktop.org wrote:
> I have a question about server.policy and its permissions.
>
> We have deployed our EJB application in glassfish and after that we require to add a .class file that itself require a new permission to operate. When we add this new permission in granted.policy which is located in ${com.sun.aas.instanceRoot}/generated/policy/our-application/module1 it works perfectly. But because our application has about 14 module, we do not want to copy the same granted.polcy in each folder.
> One another solution as mentioned in http://docs.sun.com/app/docs/doc/820-4496/beabx?l=en&a=view is to change ${com.sun.aas.instanceRoot}/config/server.policy file to have that permission. It's also allowable to use wildcard character (-) to address a sepcial directory and all its files and subdirectories in security.policy.
> After doing that, it's expected to work after restarting our domain.
> But, I've tried every path with its wildcard characters, but it didn't work.
> Although it looks very simple method, I still have no idea either any other action is required or any security problem in reading security.policy file? (I set permission as 777)
> Please give any idea you think can be helpful,
>
It should work. Not sure why you are seeing a problem. Infact by
putting permissions such as AllPermission in server.policy you can
override what is present in granted.policy (which is ofcourse dangerous).

The following might be useful to you :
http://blogs.sun.com/monzillo/entry/policy_files_the_securitymanager_and
> Thanks in advance,
> Nasser Fard
> [Message sent by forum member 'nasseria']
>
> http://forums.java.net/jive/thread.jspa?messageID=482789
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@glassfish.dev.java.net
> For additional commands, e-mail: users-help@glassfish.dev.java.net
>
>

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@glassfish.dev.java.net
For additional commands, e-mail: users-help@glassfish.dev.java.net

nasseria
Offline
Joined: 2010-09-14
Points: 0

Thanks Kumar for the reply and link, I did not know a lot about JAAC actually.
I managed to work with it,

When I add the belolw entry in security.policy, it perfectly worked without the need to redeploy the

whole application, so restarting the domain is fine.

grant codeBase "file:/our-application/-" {
permission java.security.AllPermission;
};

As it's clear, it's just enough to put /our-application/ as path value. We tested it many times and

found out that giving the path as absolute from ${instanceRoot} will not work. We were using the below

link from glassfish documentation that explicitly stated to address that path from ${instanceRoot}.
http://docs.sun.com/app/docs/doc/820-4496/beabx?l=en&a=view

it strangely will not work!
grant codeBase "file:${com.sun.aas.instanceRoot}/applications/j2ee-apps/-" {
permission java.security.AllPermission;
};

It was against our experience, but it worked finally BTW.

Thanks Kumar,
Nasser Fard