...
```
/* grant the klib library AllPermission */
grant codebase "file:${klib.home}/j2ee/home/klib.jar" {
    permission java.security.AllPermission;
};
```
Compliant Solution
This compliant solution shows a policy file that can be used to enforce fine-grained permissions.
```
grant codeBase "file:${klib.home}/j2ee/home/klib.jar", signedBy "Admin" {
    permission java.io.FilePermission "/tmp/*", "read";
    permission java.net.SocketPermission "*", "connect";
};
```
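What each of the two grants above actually authorizes can be checked by building the same permission sets in code and asking what they imply. This is an added example, not part of the original rule; the class name `GrantComparison` and the sample requests are constructed for illustration, and the paths assume a Unix-style file system.

```java
import java.io.FilePermission;
import java.net.SocketPermission;
import java.security.AllPermission;
import java.security.Permission;
import java.security.Permissions;

public class GrantComparison {
    // Report whether a grant's permission set covers one requested permission.
    static void check(String grant, Permissions granted, Permission wanted) {
        System.out.printf("%-14s %-5s %s%n", grant,
                granted.implies(wanted) ? "ALLOW" : "DENY", wanted);
    }

    public static void main(String[] args) {
        // Same content as the noncompliant grant: AllPermission.
        Permissions broad = new Permissions();
        broad.add(new AllPermission());

        // Same content as the compliant grant.
        Permissions narrow = new Permissions();
        narrow.add(new FilePermission("/tmp/*", "read"));
        narrow.add(new SocketPermission("*", "connect"));

        // Constructed sample requests a library might make.
        Permission[] requests = {
            new FilePermission("/tmp/JavaFile", "read"),      // covered by "/tmp/*"
            new FilePermission("/tmp/JavaFile", "write"),     // action not granted
            new FilePermission("/tmp/sub/JavaFile", "read"),  // "*" is not recursive
            new FilePermission("/etc/passwd", "read"),        // outside /tmp
            new SocketPermission("localhost:8080", "connect"),
            new SocketPermission("localhost:8080", "listen"), // only "connect" granted
            new RuntimePermission("setSecurityManager"),      // never granted explicitly
        };
        for (Permission p : requests) {
            check("AllPermission", broad, p);
            check("fine-grained", narrow, p);
        }
    }
}
```

The `AllPermission` set allows every request, including `setSecurityManager`, while the fine-grained set allows only reads of files directly in `/tmp` and outbound connections. A grant on `"/tmp/-"` instead of `"/tmp/*"` would also cover subdirectories.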
Always assign appropriate permissions to code. This can be achieved by extending any of the permission classes. The next solution shows how to implement restrictive permissions within the code.
To check whether the caller has the requisite permissions, use the following check within the code:
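```
// security manager code
java.security.Permission perm = new java.io.FilePermission("/tmp/JavaFile", "read");
java.security.AccessController.checkPermission(perm); // throws AccessControlException if the caller lacks the permission
// other code
```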
Always assign appropriate permissions to code. When more control is required over the granularity of permissions, define custom permissions (see SEC11-J. Define custom security permissions for fine grained security).
Exceptions
SEC31-EX1: It may be necessary to grant AllPermission to trusted library code so that callbacks will work. For example, it is common practice to grant AllPermission to the Java system code:
```
// Standard extensions get all permissions by default
grant codeBase "file:${{java.ext.dirs}}/*" {
    permission java.security.AllPermission;
};
```
...