Wednesday, October 3, 2012

Grails 2 sample tomcat security policy file

We've been working on a new project at work, using Grails after an exhaustive search for a new platform, and it was my duty to lock it up with a security policy file. It took some doing. I ended up using VirtualBox to install Ubuntu on my Win7 box to simulate our deployment environment better, and in the end it was best to start with the default catalina.policy file and add to it. So we created our own security.policy file, started with the defaults, then added what's below, and now it works! Took forever. Hope this helps someone.


// Permissions scoped to the application's own classes and jars: the codeBase
// is the webapp's WEB-INF/-, so only code loaded from there receives them.
// The ${example.*} names are custom properties and must be defined (e.g. in
// catalina.properties or JAVA_OPTS) before the policy is read; per the policy
// file rules an entry whose property cannot be expanded is silently skipped,
// which shows up later as AccessControlExceptions rather than a startup error.
grant codeBase "file:${example.webapp.root}/WEB-INF/-" {
 // Read access to the entire deployed webapp tree.
 permission java.io.FilePermission "${example.webapp.root}${/}-", "read";
 // NOTE(review): ${/} is file.separator, so this expands to the filesystem
 // root "/WEB-INF/-", not the webapp's WEB-INF. Presumably meant to start with
 // ${example.webapp.root} — which the entry above already covers — confirm.
 permission java.io.FilePermission "${/}WEB-INF${/}-", "read";
 // Read access to the parent directory of the JDK install and everything below it.
 permission java.io.FilePermission "${example.java.home}${/}..${/}-", "read";
 // Tomcat log directory: the app may create and remove its own log files there.
 permission java.io.FilePermission "${example.catalina.home}${/}log${/}-", "read,write,delete";
 // Relative path: resolved against the JVM's working directory, not the webapp root.
 permission java.io.FilePermission "velocity.log", "read,write,delete";
 permission java.lang.RuntimePermission "modifyThread";
 permission java.lang.RuntimePermission "accessDeclaredMembers";
 permission java.lang.RuntimePermission "setContextClassLoader";
 // Wildcard: access to every package restricted via the JDK's package.access list.
 permission java.lang.RuntimePermission "accessClassInPackage.*";
 // Typically wanted by serialization/proxy libraries — TODO confirm which dependency needs it.
 permission java.lang.RuntimePermission "reflectionFactoryAccess";
 
 // Read (not write) of all system properties.
 permission java.util.PropertyPermission "*", "read";
};




// Permissions for code under the synthetic codeBase file:/groovy/script —
// presumably the code source Groovy assigns to classes it compiles at runtime
// (the GroovyCodeSourcePermission granted further down names the same path).
// NOTE(review): defineClassInPackage.java.* lets runtime-compiled code place
// classes inside the core java.* packages, and suppressAccessChecks lifts
// reflective access control for it; together that is close to full trust for
// anything compiled as a script, so keep this codeBase from ever covering
// user-supplied code.
grant codeBase "file:${file.separator}groovy${file.separator}script" {
        // grails 1.1 + jdk 1.6.0_13
    permission java.lang.RuntimePermission "defineClassInPackage.java.io";
    permission java.lang.RuntimePermission "defineClassInPackage.java.lang";
    permission java.lang.RuntimePermission "defineClassInPackage.java.net";
    permission java.lang.RuntimePermission "defineClassInPackage.java.util";
    permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
    // Only the single property Grails uses to pick its environment.
    permission java.util.PropertyPermission "grails.env", "read";


};


// NOTE(review): this grant has no codeBase and no signedBy, so it applies to
// EVERY class loaded in the JVM — Tomcat's own code, every other webapp on the
// server and any runtime-compiled script — not just this application. Several
// entries are ones the JDK docs single out as dangerous (createClassLoader,
// defineClassInPackage.*, suppressAccessChecks) and "*" read,write on system
// properties lets any code rewrite security-relevant settings. With these
// granted globally the codeBase-scoped blocks above add nothing; moving the
// entries that are really needed into the WEB-INF/- block would restore the
// sandbox. Confirm which ones the app actually trips over before narrowing.
grant {
        // basic grails stuff incl. groovy magic
    permission groovy.security.GroovyCodeSourcePermission "${file.separator}groovy${file.separator}script";
    // NOTE(review): FilePermission takes a filesystem path, not a URL; the
    // leading "file:" makes this a relative path that will never match the
    // webapp. The WEB-INF/- block already grants read on the whole webapp root,
    // so this entry is most likely dead — confirm and drop or fix.
    permission java.io.FilePermission "file:${example.webapp.root}${file.separator}WEB-INF${file.separator}grails-app${file.separator}-", "read";
    // Exact path only (no trailing wildcard).
    permission java.io.FilePermission "${file.separator}groovy${file.separator}script", "read";
    permission java.lang.RuntimePermission "accessClassInPackage.*";
    permission java.lang.RuntimePermission "accessDeclaredMembers.*";
    // Allows creating class loaders with an arbitrary ProtectionDomain — the
    // RuntimePermission javadoc describes this one as extremely dangerous.
    permission java.lang.RuntimePermission "createClassLoader";
    // Define classes in any package, including java.* — see note on the block.
    permission java.lang.RuntimePermission "defineClassInPackage.*";
    permission java.lang.RuntimePermission "getClassLoader";
    permission java.lang.RuntimePermission "getProtectionDomain";
    permission java.lang.RuntimePermission "setContextClassLoader";
    permission java.lang.RuntimePermission "shutdownHooks";
    permission java.lang.RuntimePermission "stopThread";
    // Reflective access to private members for all code.
    permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
    // Read AND write of every system property, for all code.
    permission java.util.PropertyPermission "*", "read,write";
    permission java.util.PropertyPermission "ANTLR_DO_NOT_EXIT", "read";
    permission java.util.PropertyPermission "ANTLR_USE_DIRECT_CLASS_LOADING", "read";
    permission java.util.PropertyPermission "groovyjarjarantlr.ast", "read";
    permission java.util.PropertyPermission "groovy.ast", "read";
    permission java.util.PropertyPermission "org.apache.commons.logging.LogFactory.HashtableImpl", "read";
    // grails 1.1
    // NOTE(review): same "file:" prefix problem as above — likely never matches.
    permission java.io.FilePermission "file:${example.webapp.root}${file.separator}WEB-INF${file.separator}grails-app${file.separator}*", "read";
    // Lets any code replace System.in/out/err.
    permission java.lang.RuntimePermission "setIO";


    // grails 1.1: various jars incl ant use ${file.separator}bin${file.separator}env
    // Execute permission on /bin/env for all code; review whether the dependency
    // that needs it still does, since "execute" means spawning a process.
    permission java.io.FilePermission "${file.separator}bin${file.separator}env", "read,execute";
};




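// NOTE(review): no codeBase again, so this block applies to every class in the
// JVM rather than to this webapp. Unrestricted sockets plus "invoke" on every
// MBean is a lot to hand to all code; consider moving these into the WEB-INF/-
// codeBase block above and narrowing the SocketPermission to the hosts and
// ports the application actually talks to.
grant {
 // Any host, any port, in both directions — effectively no network sandbox.
 permission java.net.SocketPermission "*", "accept,connect,resolve,listen";
 // Read (not write) of all system properties.
 permission java.util.PropertyPermission "*", "read";
 // JMX: register, invoke operations on, read attributes of, and enumerate any MBean.
 permission javax.management.MBeanPermission "*", "registerMBean";
 permission javax.management.MBeanPermission "*", "invoke";
 permission javax.management.MBeanPermission "*", "getAttribute";
 permission javax.management.MBeanPermission "*", "queryMBeans";
 // RuntimePermission has no actions; the parser accepts the second argument
 // but ignores it, so the empty "" is meaningless and could be dropped.
 permission java.lang.RuntimePermission "accessDeclaredMembers", "";
 // Read of every environment variable.
 permission java.lang.RuntimePermission "getenv.*", "";
};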

2 comments:

  1. Great information,
    This kind of doc is hard to find ...
    Thanks !

    1. Someone was bound to need that someday right? Glad my notes could help someone else out. :-)
