diff options
author | mcentner <mcentner@8a26b1a7-26f0-462f-b9ef-d0e30c41f5a4> | 2010-05-05 15:29:01 +0000 |
---|---|---|
committer | mcentner <mcentner@8a26b1a7-26f0-462f-b9ef-d0e30c41f5a4> | 2010-05-05 15:29:01 +0000 |
commit | b1c8641a63a67e3c64d948f9e8dce5c01e11e2dd (patch) | |
tree | 0883f08a408f89f758e9a1be629232e3dd055c3a /BKUOnline/src/main/policy | |
parent | 83a9b613836910f7edc370c2fe60fa2268dc4461 (diff) | |
download | mocca-b1c8641a63a67e3c64d948f9e8dce5c01e11e2dd.tar.gz mocca-b1c8641a63a67e3c64d948f9e8dce5c01e11e2dd.tar.bz2 mocca-b1c8641a63a67e3c64d948f9e8dce5c01e11e2dd.zip |
Merged feature branch mocca-1.2.13-id@r724 back to trunk.
git-svn-id: https://joinup.ec.europa.eu/svn/mocca/trunk@725 8a26b1a7-26f0-462f-b9ef-d0e30c41f5a4
Diffstat (limited to 'BKUOnline/src/main/policy')
-rw-r--r-- | BKUOnline/src/main/policy/50mocca.policy | 229 | ||||
-rw-r--r-- | BKUOnline/src/main/policy/catalina.policy | 411 |
2 files changed, 502 insertions, 138 deletions
diff --git a/BKUOnline/src/main/policy/50mocca.policy b/BKUOnline/src/main/policy/50mocca.policy index 2d6bc13d..8cda9eb6 100644 --- a/BKUOnline/src/main/policy/50mocca.policy +++ b/BKUOnline/src/main/policy/50mocca.policy @@ -18,8 +18,7 @@ // || IMPORTANT: REVIEW AND ADAPT TO YOUR NEEDS PRIOR TO INSTALLATION // ========================================================================= // -// (set -Djava.security.debug=access,failure and search for "FAILED") -// +// (set -Djava.security.debug=access,failure and search for "denied" (failed)) // // ========== MOCCA CODE PERMISSIONS ======================================= // @@ -27,9 +26,11 @@ // with ${catalina.base}/webapps/<mocca_context> // replace ${catalina.base}/work/Catalina/localhost/bkuonline // with ${catalina.base}/work/Catalina/localhost/<mocca_context> (the path to the compiled JSPs, excl. package dir: org/apache/jsp/) -// replace version info in utils-1.2.10.jar and bkucommon-1.2.10.jar +// replace version info in +// ${catalina.base}/webapps/bkuonline/WEB-INF/lib/utils-1.2.12.jar and +// ${catalina.base}/webapps/bkuonline/WEB-INF/lib/bkucommon-1.2.12.jar // with current version -// replace apps.egiz.gv.at +// replace www.sozialversicherung.gv.at:443 // with <DataURL_host:DataURL_port> // replace localhost:8080 // with <StylesheetURL_host:StylesheetURL_port> @@ -40,7 +41,7 @@ // // replace www.a-trust.at and ksp.ecard.sozialversicherung.gv.at // with <idLink_template_download_URL> -// replace ldap.a-trust.at:389 and ocsp.ecard.sozialversicherung.at:80 +// replace ldap.a-trust.at:389, ocsp.a-trust.at:80 and ocsp.ecard.sozialversicherung.at:80 // with <certificate_revocation_authority_endpoint> (OCSP, CRLs) // @@ -49,6 +50,8 @@ grant codeBase "file:${catalina.home}/bin/tomcat-juli.jar" { permission java.lang.RuntimePermission "accessClassInPackage.sun.util.logging.resources"; permission java.io.FilePermission "${catalina.base}/webapps/bkuonline/WEB-INF/classes/logging.properties", "read"; + // (for manager webapp) + // permission java.lang.RuntimePermission "setContextClassLoader"; }; grant codeBase "file:${catalina.base}/work/Catalina/localhost/bkuonline" { @@ -58,47 +61,25 @@ grant codeBase "file:${catalina.base}/work/Catalina/localhost/bkuonline" { // =========== MOCCA grants // -grant codeBase "file:${catalina.base}/webapps/bkuonline/WEB-INF/classes/-" { - permission java.security.AllPermission; -// permission java.io.FilePermission "${catalina.base}/logs", "read, write"; -// permission java.io.FilePermission "${catalina.base}/logs/*", "read, write"; -// permission java.io.FilePermission "${catalina.base}/logs/*", "delete"; -// permission java.util.PropertyPermission "com.sun.xml.ws.fault.SOAPFaultBuilder.disableCaptureStackTrace", "write"; -// permission java.util.PropertyPermission "com.sun.xml.ws.transport.http.HttpAdapter.dump", "write"; -}; - -grant codeBase "file:${catalina.base}/webapps/bkuonline/WEB-INF/lib/-" { - // the log4j configuration might want to write logs to ${catalina.base}/logs/bkuonline.log +grant codeBase "file:${catalina.base}/webapps/bkuonline/-" { permission java.io.FilePermission "${catalina.base}/logs", "read, write"; permission java.io.FilePermission "${catalina.base}/logs/*", "read, write"; permission java.io.FilePermission "${catalina.base}/logs/*", "delete"; -}; - -grant codeBase "file:${catalina.base}/webapps/bkuonline/WEB-INF/lib/utils-1.2.10.jar" { - permission java.util.PropertyPermission "*", "read"; - permission java.net.SocketPermission "www.a-trust.at:80", "connect, resolve"; - permission java.net.SocketPermission "ksp.ecard.sozialversicherung.gv.at:80", "connect,resolve"; -// permission java.net.SocketPermission "localhost:8080", "connect, resolve"; - permission java.net.SocketPermission "www.xslt-stylesheet-include-url.org:80", "connect, resolve"; - permission java.lang.RuntimePermission "accessDeclaredMembers"; - permission java.lang.reflect.ReflectPermission "suppressAccessChecks"; -}; - -grant codeBase "file:${catalina.base}/webapps/bkuonline/WEB-INF/lib/bkucommon-1.2.10.jar" { - permission java.io.FilePermission "${catalina.base}/webapps/bkuonline/WEB-INF/classes/at/gv/egiz/bku/certs/certStore", "write"; - permission java.io.FilePermission "${catalina.base}/webapps/bkuonline/WEB-INF/classes/at/gv/egiz/bku/certs/certStore/-", "write"; - permission java.io.FilePermission "${catalina.base}/webapps/bkuonline/WEB-INF/classes/at/gv/egiz/bku/certs/certStore/toBeAdded/-", "delete"; - permission java.io.FilePermission "../conf/secret.xml", "read"; + // DataURLs permission java.net.SocketPermission "apps.egiz.gv.at:443", "connect, resolve"; + permission java.net.SocketPermission "www.buergerkarte.at:443", "connect, resolve"; + permission java.net.SocketPermission "www.sozialversicherung.gv.at:443", "connect, resolve"; + + // other resources (crls, persb.xsl, ...) permission java.net.SocketPermission "www.a-trust.at:80", "connect, resolve"; permission java.net.SocketPermission "ksp.ecard.sozialversicherung.gv.at:80", "connect,resolve"; permission java.net.SocketPermission "ldap.a-trust.at:389", "connect, resolve"; + permission java.net.SocketPermission "ocsp.a-trust.at:80", "connect, resolve"; permission java.net.SocketPermission "ocsp.ecard.sozialversicherung.at:80", "connect, resolve"; // permission java.net.SocketPermission "localhost:8080", "connect, resolve"; - permission java.net.SocketPermission "www.xslt-stylesheet-include-url.org:80", "connect, resolve"; - permission java.net.NetPermission "specifyStreamHandler"; - permission java.util.PropertyPermission "*", "read, write"; +// permission java.net.SocketPermission "www.xslt-stylesheet-include-url.org:80", "connect, resolve"; + permission java.security.SecurityPermission "insertProvider.IAIK"; permission java.security.SecurityPermission "putProviderProperty.IAIK"; permission java.security.SecurityPermission "removeProvider.IAIK"; @@ -111,143 +92,127 @@ grant codeBase "file:${catalina.base}/webapps/bkuonline/WEB-INF/lib/bkucommon-1. // XMLDSig is moved backwards by XSECT permission java.security.SecurityPermission "insertProvider.XMLDSig"; permission java.security.SecurityPermission "removeProvider.XMLDSig"; + + permission java.util.PropertyPermission "*", "read"; permission java.lang.RuntimePermission "accessDeclaredMembers"; - permission java.lang.RuntimePermission "setFactory"; + permission java.lang.RuntimePermission "getClassLoader"; permission java.lang.RuntimePermission "getProtectionDomain"; + //bkucommon,pki permission java.lang.RuntimePermission "accessClassInPackage.sun.net.www.protocol.ldap"; + //jax-ws jaxb + permission java.lang.RuntimePermission "accessClassInPackage.sun.util.logging.resources"; + //permission java.lang.RuntimePermission "modifyThread"; + //permission java.lang.reflect.ReflectPermission "suppressAccessChecks"; + permission java.net.NetPermission "specifyStreamHandler"; +}; + +grant codeBase "file:${catalina.base}/webapps/bkuonline/WEB-INF/classes/-" { +// permission java.util.PropertyPermission "com.sun.xml.ws.fault.SOAPFaultBuilder.disableCaptureStackTrace", "write"; +// permission java.util.PropertyPermission "com.sun.xml.ws.transport.http.HttpAdapter.dump", "write"; + + permission java.io.FilePermission "${catalina.base}/webapps/bkuonline/WEB-INF/classes/at/gv/egiz/bku/certs/certStore", "write"; + permission java.io.FilePermission "${catalina.base}/webapps/bkuonline/WEB-INF/classes/at/gv/egiz/bku/certs/certStore/-", "write"; + permission java.io.FilePermission "${catalina.base}/webapps/bkuonline/WEB-INF/classes/at/gv/egiz/bku/certs/certStore/toBeAdded/-", "delete"; + + permission java.lang.RuntimePermission "defineClassInPackage.java.lang"; + permission java.util.PropertyPermission "*", "read, write"; permission java.lang.RuntimePermission "modifyThread"; + permission java.lang.RuntimePermission "setFactory"; permission java.lang.reflect.ReflectPermission "suppressAccessChecks"; }; -grant codeBase "file:${catalina.base}/webapps/bkuonline/WEB-INF/lib/iaik_jce_full_signed-3.16.jar" { +grant codeBase "file:${catalina.base}/webapps/bkuonline/WEB-INF/lib/utils-1.2.12.jar" { +// permission java.lang.RuntimePermission "accessDeclaredMembers"; + permission java.lang.reflect.ReflectPermission "suppressAccessChecks"; +}; + +grant codeBase "file:${catalina.base}/webapps/bkuonline/WEB-INF/lib/bkucommon-1.2.12.jar" { + permission java.io.FilePermission "${catalina.base}/webapps/bkuonline/WEB-INF/classes/at/gv/egiz/bku/certs/certStore", "write"; + permission java.io.FilePermission "${catalina.base}/webapps/bkuonline/WEB-INF/classes/at/gv/egiz/bku/certs/certStore/-", "write"; + permission java.io.FilePermission "${catalina.base}/webapps/bkuonline/WEB-INF/classes/at/gv/egiz/bku/certs/certStore/toBeAdded/-", "delete"; + permission java.io.FilePermission "${catalina.base}/temp/*", "read, write"; +// permission java.io.FilePermission "../conf/secret.xml", "read"; permission java.util.PropertyPermission "*", "read, write"; - permission java.security.SecurityPermission "insertProvider.IAIK"; - permission java.security.SecurityPermission "putProviderProperty.IAIK"; - permission java.security.SecurityPermission "removeProvider.IAIK"; - permission java.net.SocketPermission "ldap.a-trust.at:389", "connect, resolve"; - permission java.net.SocketPermission "ocsp.ecard.sozialversicherung.at:80", "connect, resolve"; + permission java.lang.RuntimePermission "modifyThread"; + permission java.lang.RuntimePermission "setFactory"; + permission java.lang.reflect.ReflectPermission "suppressAccessChecks"; }; -grant codeBase "file:${catalina.base}/webapps/bkuonline/WEB-INF/lib/iaik_ecc_signed-2.15.jar" { - permission java.security.SecurityPermission "insertProvider.IAIK_ECC"; - permission java.security.SecurityPermission "putProviderProperty.IAIK_ECC"; +grant codeBase "file:${catalina.base}/webapps/bkuonline/WEB-INF/lib/iaik_jce_full_signed-3.16.jar" { + permission java.util.PropertyPermission "*", "read, write"; }; grant codeBase "file:${catalina.base}/webapps/bkuonline/WEB-INF/lib/iaik_xsect-1.14.jar" { permission java.util.PropertyPermission "*", "read, write"; - permission java.security.SecurityPermission "insertProvider.IAIK"; - permission java.security.SecurityPermission "putProviderProperty.IAIK"; - permission java.security.SecurityPermission "removeProvider.IAIK"; - permission java.security.SecurityPermission "insertProvider.XSECT"; - permission java.security.SecurityPermission "putProviderProperty.XSECT"; - permission java.security.SecurityPermission "insertProvider.XMLDSig"; - permission java.security.SecurityPermission "removeProvider.XMLDSig"; }; grant codeBase "file:${catalina.base}/webapps/bkuonline/WEB-INF/lib/iaik_pki-1.0-MOCCA.jar" { permission java.io.FilePermission "${catalina.base}/webapps/bkuonline/WEB-INF/classes/at/gv/egiz/bku/certs/certStore", "write"; permission java.io.FilePermission "${catalina.base}/webapps/bkuonline/WEB-INF/classes/at/gv/egiz/bku/certs/certStore/-", "write"; permission java.io.FilePermission "${catalina.base}/webapps/bkuonline/WEB-INF/classes/at/gv/egiz/bku/certs/certStore/toBeAdded/-", "delete"; - permission java.net.SocketPermission "www.a-trust.at:80", "connect, resolve"; - permission java.net.SocketPermission "ldap.a-trust.at:389", "connect, resolve"; - permission java.net.SocketPermission "ocsp.ecard.sozialversicherung.at:80", "connect, resolve"; - permission java.net.NetPermission "specifyStreamHandler"; - permission java.lang.RuntimePermission "accessClassInPackage.sun.net.www.protocol.ldap"; + //permission java.net.NetPermission "specifyStreamHandler"; + //permission java.lang.RuntimePermission "accessClassInPackage.sun.net.www.protocol.ldap"; }; grant codeBase "file:${catalina.base}/webapps/bkuonline/WEB-INF/lib/xalan-2.7.1.jar" { permission java.io.FilePermission "${java.home}/lib/xalan.properties", "read"; - permission java.util.PropertyPermission "*", "read"; - permission java.lang.RuntimePermission "getClassLoader"; -}; - -grant codeBase "file:${catalina.base}/webapps/bkuonline/WEB-INF/lib/serializer-2.7.1.jar" { - permission java.util.PropertyPermission "*", "read"; - permission java.lang.RuntimePermission "getClassLoader"; + //permission java.lang.RuntimePermission "getClassLoader"; }; // allow xsl:include from the specified URL -grant codeBase "jar:file:${catalina.base}/webapps/bkuonline/WEB-INF/lib/xalan-2.7.1.jar!/org/apache/xalan/processor/-" { - permission java.net.SocketPermission "www.xslt-stylesheet-include-url.org:80", "connect, resolve"; -}; +//grant codeBase "jar:file:${catalina.base}/webapps/bkuonline/WEB-INF/lib/xalan-2.7.1.jar!/org/apache/xalan/processor/-" { +// permission java.net.SocketPermission "www.xslt-stylesheet-include-url.org:80", "connect, resolve"; +//}; // allow XSLT document function to reference the specified URL -grant codeBase "jar:file:${catalina.base}/webapps/bkuonline/WEB-INF/lib/xalan-2.7.1.jar!/org/apache/xalan/xsltc/dom/LoadDocument.class" { - permission java.io.FilePermission "../conf/secret.xml", "read"; -}; +//grant codeBase "jar:file:${catalina.base}/webapps/bkuonline/WEB-INF/lib/xalan-2.7.1.jar!/org/apache/xalan/xsltc/dom/LoadDocument.class" { +// permission java.io.FilePermission "../conf/secret.xml", "read"; +//}; // use tomcat/jre endorsed xerces instead grant codeBase "file:${catalina.base}/webapps/bkuonline/WEB-INF/lib/xercesImpl-2.9.1.jar" { permission java.io.FilePermission "${java.home}/lib/xerces.properties", "read"; // permission java.io.FilePermission "../conf/secret.xml", "read"; // permission java.net.SocketPermission "www.xslt-stylesheet-include-url.org:80", "connect, resolve"; - permission java.util.PropertyPermission "*", "read"; + permission java.io.FilePermission "/WEB-INF/classes/-", "read"; permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina"; permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.*"; - permission java.lang.RuntimePermission "getClassLoader"; - permission java.lang.RuntimePermission "accessDeclaredMembers"; + //permission java.lang.RuntimePermission "accessDeclaredMembers"; }; grant codeBase "file:${catalina.base}/webapps/bkuonline/WEB-INF/lib/commons-logging-1.1.1.jar" { - permission java.util.PropertyPermission "org.apache.commons.logging.*", "read"; - permission java.util.PropertyPermission "log4j.*", "read"; - permission java.util.PropertyPermission "catalina.base", "read"; - permission java.lang.RuntimePermission "getClassLoader"; permission java.lang.RuntimePermission "defineClassInPackage.java.lang"; }; grant codeBase "file:${catalina.base}/webapps/bkuonline/WEB-INF/lib/log4j-1.2.12.jar" { permission java.io.FilePermission "${catalina.base}/webapps/bkuonline/WEB-INF/classes/log4j.properties", "read"; - // allow log4j to read its own properties - permission java.util.PropertyPermission "log4j.*", "read"; - permission java.util.PropertyPermission "catalina.base", "read"; permission java.lang.RuntimePermission "defineClassInPackage.java.lang"; }; grant codeBase "file:${catalina.base}/webapps/bkuonline/WEB-INF/lib/spring-core-2.5.5.jar" { - permission java.lang.RuntimePermission "accessDeclaredMembers"; + //permission java.lang.RuntimePermission "accessDeclaredMembers"; permission java.lang.RuntimePermission "modifyThread"; }; + grant codeBase "file:${catalina.base}/webapps/bkuonline/WEB-INF/lib/spring-web-2.5.5.jar" { permission java.io.FilePermission "${catalina.base}/webapps/bkuonline/WEB-INF/classes/at/gv/egiz/bku/certs/certStore", "write"; permission java.io.FilePermission "${catalina.base}/webapps/bkuonline/WEB-INF/classes/at/gv/egiz/bku/certs/certStore/-", "write"; permission java.io.FilePermission "${catalina.base}/webapps/bkuonline/WEB-INF/classes/at/gv/egiz/bku/certs/certStore/toBeAdded/-", "delete"; - permission java.security.SecurityPermission "insertProvider.IAIK"; - permission java.security.SecurityPermission "putProviderProperty.IAIK"; - permission java.security.SecurityPermission "removeProvider.IAIK"; - permission java.security.SecurityPermission "insertProvider.IAIK_ECC"; - permission java.security.SecurityPermission "putProviderProperty.IAIK_ECC"; - permission java.security.SecurityPermission "insertProvider.XSECT"; - permission java.security.SecurityPermission "putProviderProperty.XSECT"; - permission java.security.SecurityPermission "insertProvider.STAL"; - permission java.security.SecurityPermission "putProviderProperty.STAL"; - permission java.security.SecurityPermission "insertProvider.XMLDSig"; - permission java.security.SecurityPermission "removeProvider.XMLDSig"; permission java.util.PropertyPermission "*", "read, write"; - permission java.lang.RuntimePermission "accessDeclaredMembers"; + //permission java.lang.RuntimePermission "accessDeclaredMembers"; permission java.lang.RuntimePermission "modifyThread"; permission java.lang.RuntimePermission "setFactory"; - permission java.lang.RuntimePermission "getProtectionDomain"; + //permission java.lang.RuntimePermission "getProtectionDomain"; permission java.lang.RuntimePermission "defineClassInPackage.java.lang"; permission java.lang.reflect.ReflectPermission "suppressAccessChecks"; }; + grant codeBase "file:${catalina.base}/webapps/bkuonline/WEB-INF/lib/spring-beans-2.5.5.jar" { permission java.io.FilePermission "${catalina.base}/webapps/bkuonline/WEB-INF/classes/at/gv/egiz/bku/certs/certStore", "write"; permission java.io.FilePermission "${catalina.base}/webapps/bkuonline/WEB-INF/classes/at/gv/egiz/bku/certs/certStore/-", "write"; permission java.io.FilePermission "${catalina.base}/webapps/bkuonline/WEB-INF/classes/at/gv/egiz/bku/certs/certStore/toBeAdded/-", "delete"; - permission java.security.SecurityPermission "insertProvider.IAIK"; - permission java.security.SecurityPermission "putProviderProperty.IAIK"; - permission java.security.SecurityPermission "removeProvider.IAIK"; - permission java.security.SecurityPermission "insertProvider.IAIK_ECC"; - permission java.security.SecurityPermission "putProviderProperty.IAIK_ECC"; - permission java.security.SecurityPermission "insertProvider.XSECT"; - permission java.security.SecurityPermission "putProviderProperty.XSECT"; - permission java.security.SecurityPermission "insertProvider.STAL"; - permission java.security.SecurityPermission "putProviderProperty.STAL"; - permission java.security.SecurityPermission "insertProvider.XMLDSig"; - permission java.security.SecurityPermission "removeProvider.XMLDSig"; permission java.util.PropertyPermission "*", "read, write"; - permission java.lang.RuntimePermission "accessDeclaredMembers"; + //permission java.lang.RuntimePermission "accessDeclaredMembers"; permission java.lang.RuntimePermission "setFactory"; permission java.lang.RuntimePermission "getProtectionDomain"; permission java.lang.RuntimePermission "defineClassInPackage.java.lang"; @@ -257,19 +222,8 @@ grant codeBase "file:${catalina.base}/webapps/bkuonline/WEB-INF/lib/spring-conte permission java.io.FilePermission "${catalina.base}/webapps/bkuonline/WEB-INF/classes/at/gv/egiz/bku/certs/certStore", "write"; permission java.io.FilePermission "${catalina.base}/webapps/bkuonline/WEB-INF/classes/at/gv/egiz/bku/certs/certStore/-", "write"; permission java.io.FilePermission "${catalina.base}/webapps/bkuonline/WEB-INF/classes/at/gv/egiz/bku/certs/certStore/toBeAdded/-", "delete"; - permission java.security.SecurityPermission "insertProvider.IAIK"; - permission java.security.SecurityPermission "putProviderProperty.IAIK"; - permission java.security.SecurityPermission "removeProvider.IAIK"; - permission java.security.SecurityPermission "insertProvider.IAIK_ECC"; - permission java.security.SecurityPermission "putProviderProperty.IAIK_ECC"; - permission java.security.SecurityPermission "insertProvider.XSECT"; - permission java.security.SecurityPermission "putProviderProperty.XSECT"; - permission java.security.SecurityPermission "insertProvider.STAL"; - permission java.security.SecurityPermission "putProviderProperty.STAL"; - permission java.security.SecurityPermission "insertProvider.XMLDSig"; - permission java.security.SecurityPermission "removeProvider.XMLDSig"; permission java.util.PropertyPermission "*", "read, write"; - permission java.lang.RuntimePermission "accessDeclaredMembers"; + //permission java.lang.RuntimePermission "accessDeclaredMembers"; permission java.lang.RuntimePermission "modifyThread"; permission java.lang.RuntimePermission "setFactory"; permission java.lang.RuntimePermission "getProtectionDomain"; @@ -280,20 +234,21 @@ grant codeBase "file:${catalina.base}/webapps/bkuonline/WEB-INF/lib/spring-conte grant codeBase "file:${catalina.base}/webapps/bkuonline/WEB-INF/lib/jaxws-rt-2.1.5.jar" { // need write access to set disableCaptureStackTrace and HttpAdapter.dump permission java.util.PropertyPermission "com.sun.xml.ws.*", "read, write"; - permission java.util.PropertyPermission "com.sun.xml.bind.*", "read"; - permission java.util.PropertyPermission "javax.xml.soap.*", "read"; - permission java.util.PropertyPermission "javax.activation.*", "read"; - permission java.util.PropertyPermission "xml.catalog.*", "read"; - permission java.util.PropertyPermission "user.dir", "read"; - permission java.util.PropertyPermission "user.home", "read"; + //permission java.util.PropertyPermission "com.sun.xml.bind.*", "read"; + //permission java.util.PropertyPermission "javax.xml.soap.*", "read"; + //permission java.util.PropertyPermission "javax.activation.*", "read"; + //permission java.util.PropertyPermission "xml.catalog.*", "read"; + //permission java.util.PropertyPermission "user.dir", "read"; + //permission java.util.PropertyPermission "user.home", "read"; permission java.io.FilePermission "${java.home}/lib/jaxm.properties", "read"; permission java.io.FilePermission "${java.home}/lib/mailcap", "read"; permission java.io.FilePermission "${user.home}/.mailcap", "read"; permission java.io.FilePermission "basename", "read"; permission java.io.FilePermission "${catalina.home}/bin/xcatalog", "read"; - permission java.lang.reflect.ReflectPermission "suppressAccessChecks"; - permission java.lang.RuntimePermission "accessDeclaredMembers"; - permission java.lang.RuntimePermission "accessClassInPackage.sun.util.logging.resources"; + permission java.io.FilePermission "${catalina.home}/temp/xcatalog", "read"; + permission java.io.FilePermission "/WEB-INF/classes/-", "read"; + //permission java.lang.RuntimePermission "accessDeclaredMembers"; + //permission java.lang.RuntimePermission "accessClassInPackage.sun.util.logging.resources"; permission java.lang.RuntimePermission "setContextClassLoader"; permission javax.management.MBeanServerPermission "createMBeanServer"; permission javax.management.MBeanPermission "com.sun.xml.ws.*", "registerMBean"; @@ -302,18 +257,16 @@ grant codeBase "file:${catalina.base}/webapps/bkuonline/WEB-INF/lib/jaxws-rt-2.1 }; grant codeBase "file:${catalina.base}/webapps/bkuonline/WEB-INF/lib/jaxb-impl-2.1.9.jar" { + //permission java.lang.RuntimePermission "accessClassInPackage.sun.util.logging.resources"; permission java.lang.reflect.ReflectPermission "suppressAccessChecks"; - permission java.lang.RuntimePermission "accessDeclaredMembers"; - permission java.util.PropertyPermission "com.sun.xml.bind.v2.*", "read"; - permission java.util.PropertyPermission "user.dir", "read"; -}; - -grant codeBase "file:${catalina.base}/webapps/bkuonline/WEB-INF/lib/commons-httpclient-3.1.jar" { - permission java.util.PropertyPermission "*", "read"; +// permission java.lang.RuntimePermission "accessDeclaredMembers"; +// permission java.util.PropertyPermission "com.sun.xml.bind.v2.*", "read"; +// permission java.util.PropertyPermission "user.dir", "read"; + permission java.io.FilePermission "/WEB-INF/classes/-", "read"; }; // ======== NETBEANS -//grant codeBase "file:${catalina.base}/nblib/-" { -// permission java.security.AllPermission; -//};
\ No newline at end of file +grant codeBase "file:${catalina.base}/nblib/-" { + permission java.security.AllPermission; +};
\ No newline at end of file diff --git a/BKUOnline/src/main/policy/catalina.policy b/BKUOnline/src/main/policy/catalina.policy new file mode 100644 index 00000000..2dfb198f --- /dev/null +++ b/BKUOnline/src/main/policy/catalina.policy @@ -0,0 +1,411 @@ +// Copyright 2008 Federal Chancellery Austria and +// Graz University of Technology +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. +// +// +// ========================================================================= +// || IMPORTANT: REVIEW AND ADAPT TO YOUR NEEDS PRIOR TO INSTALLATION +// ========================================================================= +// +// ========================================================================= +// || This file contains all default permissions from $CATALINA_HOME/conf/catalina.policy +// || and codebase paths to development dirs (for in-place deployment of IDEs) +// ========================================================================= +// +// (set -Djava.security.debug=access,failure and search for "denied" (failed)) +// (-Djava.net.preferIPv4Stack=true) +// +// ========== MOCCA CODE PERMISSIONS ======================================= +// +// replace ${catalina.base}/webapps/bkuonline +// with ${catalina.base}/webapps/<mocca_context> +// replace ${catalina.base}/work/Catalina/localhost/bkuonline +// with ${catalina.base}/work/Catalina/localhost/<mocca_context> (the path to the compiled JSPs, excl. package dir: org/apache/jsp/) +// replace version info in +// ${catalina.base}/webapps/bkuonline/WEB-INF/lib/BKUViewer-1.2.12.jar" { +// ${catalina.base}/webapps/bkuonline/WEB-INF/lib/utils-1.2.12.jar and +// ${catalina.base}/webapps/bkuonline/WEB-INF/lib/bkucommon-1.2.12.jar +// with current version +// replace www.sozialversicherung.gv.at:443 +// with <DataURL_host:DataURL_port> +// replace localhost:8080 +// with <StylesheetURL_host:StylesheetURL_port> +// replace www.xslt-stylesheet-include-url.org:80 +// with <XSL_include_URL> +// replace ../conf/secret.xml +// with <any_resource_you_would_like_to_grant_XSLTs_document()_function_access_to> +// +// replace www.a-trust.at and ksp.ecard.sozialversicherung.gv.at +// with <idLink_template_download_URL> +// replace ldap.a-trust.at:389, ocsp.a-trust.at:80 and ocsp.ecard.sozialversicherung.at:80 +// with <certificate_revocation_authority_endpoint> (OCSP, CRLs) +// + +// ========== SYSTEM CODE PERMISSIONS ========================================= + + +// These permissions apply to javac +grant codeBase "file:${java.home}/lib/-" { + permission java.security.AllPermission; +}; + +// These permissions apply to all shared system extensions +grant codeBase "file:${java.home}/jre/lib/ext/-" { + permission java.security.AllPermission; +}; + +// These permissions apply to javac when ${java.home] points at $JAVA_HOME/jre +grant codeBase "file:${java.home}/../lib/-" { + permission java.security.AllPermission; +}; + +// These permissions apply to all shared system extensions when +// ${java.home} points at $JAVA_HOME/jre +grant codeBase "file:${java.home}/lib/ext/-" { + permission java.security.AllPermission; +}; + + +// ========== CATALINA CODE PERMISSIONS ======================================= + + +// These permissions apply to the daemon code +grant codeBase "file:${catalina.home}/bin/commons-daemon.jar" { + permission java.security.AllPermission; +}; + +// These permissions apply to the logging API +grant codeBase "file:${catalina.home}/bin/tomcat-juli.jar" { + permission java.util.PropertyPermission "java.util.logging.config.class", "read"; + permission java.util.PropertyPermission "java.util.logging.config.file", "read"; + permission java.io.FilePermission "${java.home}${file.separator}lib${file.separator}logging.properties", "read"; + permission java.lang.RuntimePermission "shutdownHooks"; + permission java.io.FilePermission "${catalina.base}${file.separator}conf${file.separator}logging.properties", "read"; + permission java.util.PropertyPermission "catalina.base", "read"; + permission java.util.logging.LoggingPermission "control"; + permission java.io.FilePermission "${catalina.base}${file.separator}logs", "read, write"; + permission java.io.FilePermission "${catalina.base}${file.separator}logs${file.separator}*", "read, write"; + permission java.lang.RuntimePermission "getClassLoader"; + + // added by clemenso (for manager webapp) + permission java.lang.RuntimePermission "setContextClassLoader"; + permission java.lang.RuntimePermission "accessClassInPackage.sun.util.logging.resources"; + + // To enable per context logging configuration, permit read access to the appropriate file. + // Be sure that the logging configuration is secure before enabling such access + // eg for the examples web application: + // permission java.io.FilePermission "${catalina.base}${file.separator}webapps${file.separator}examples${file.separator}WEB-INF${file.separator}classes${file.separator}logging.properties", "read"; +}; + +// These permissions apply to the server startup code +grant codeBase "file:${catalina.home}/bin/bootstrap.jar" { + permission java.security.AllPermission; +}; + +// These permissions apply to the servlet API classes +// and those that are shared across all class loaders +// located in the "lib" directory +grant codeBase "file:${catalina.home}/lib/-" { + permission java.security.AllPermission; +}; + + +// ========== WEB APPLICATION PERMISSIONS ===================================== + + +// These permissions are granted by default to all web applications +// In addition, a web application will be given a read FilePermission +// and JndiPermission for all files and directories in its document root. +grant { + // Required for JNDI lookup of named JDBC DataSource's and + // javamail named MimePart DataSource used to send mail + permission java.util.PropertyPermission "java.home", "read"; + permission java.util.PropertyPermission "java.naming.*", "read"; + permission java.util.PropertyPermission "javax.sql.*", "read"; + + // OS Specific properties to allow read access + permission java.util.PropertyPermission "os.name", "read"; + permission java.util.PropertyPermission "os.version", "read"; + permission java.util.PropertyPermission "os.arch", "read"; + permission java.util.PropertyPermission "file.separator", "read"; + permission java.util.PropertyPermission "path.separator", "read"; + permission java.util.PropertyPermission "line.separator", "read"; + + // JVM properties to allow read access + permission java.util.PropertyPermission "java.version", "read"; + permission java.util.PropertyPermission "java.vendor", "read"; + permission java.util.PropertyPermission "java.vendor.url", "read"; + permission java.util.PropertyPermission "java.class.version", "read"; + permission java.util.PropertyPermission "java.specification.version", "read"; + permission java.util.PropertyPermission "java.specification.vendor", "read"; + permission java.util.PropertyPermission "java.specification.name", "read"; + + permission java.util.PropertyPermission "java.vm.specification.version", "read"; + permission java.util.PropertyPermission "java.vm.specification.vendor", "read"; + permission java.util.PropertyPermission "java.vm.specification.name", "read"; + permission java.util.PropertyPermission "java.vm.version", "read"; + permission java.util.PropertyPermission "java.vm.vendor", "read"; + permission java.util.PropertyPermission "java.vm.name", "read"; + + // Required for OpenJMX + permission java.lang.RuntimePermission "getAttribute"; + + // Allow read of JAXP compliant XML parser debug + permission java.util.PropertyPermission "jaxp.debug", "read"; + + // Precompiled JSPs need access to this package. + permission java.lang.RuntimePermission "accessClassInPackage.org.apache.jasper.runtime"; + permission java.lang.RuntimePermission "accessClassInPackage.org.apache.jasper.runtime.*"; + + // Precompiled JSPs need access to this system property. + permission java.util.PropertyPermission "org.apache.jasper.runtime.BodyContentImpl.LIMIT_BUFFER", "read"; + +}; + + + + + + + + +// =========== container grants required by MOCCA +// +grant codeBase "file:${catalina.home}/bin/tomcat-juli.jar" { + permission java.lang.RuntimePermission "accessClassInPackage.sun.util.logging.resources"; + permission java.io.FilePermission "/home/clemens/workspace/bku/BKUOnline/target/BKUOnline-1.2.12-pinguin-1-SNAPSHOT/WEB-INF/classes/logging.properties", "read"; + // (for manager webapp) + permission java.lang.RuntimePermission "setContextClassLoader"; +}; + +grant codeBase "file:${catalina.base}/work/Catalina/localhost/bkuonline" { + permission java.io.FilePermission "/helpfiles/-", "read"; + permission java.lang.RuntimePermission "defineClassInPackage.org.apache.jasper.runtime"; +}; + +// =========== MOCCA grants +// +grant codeBase "file:/home/clemens/workspace/bku/BKUOnline/target/BKUOnline-1.2.12-pinguin-1-SNAPSHOT/-" { + permission java.io.FilePermission "${catalina.base}/logs", "read, write"; + permission java.io.FilePermission "${catalina.base}/logs/*", "read, write"; + permission java.io.FilePermission "${catalina.base}/logs/*", "delete"; + + // DataURLs + permission java.net.SocketPermission "apps.egiz.gv.at:443", "connect, resolve"; + permission java.net.SocketPermission "www.buergerkarte.at:443", "connect, resolve"; + permission java.net.SocketPermission "www.sozialversicherung.gv.at:443", "connect, resolve"; + + // other resources (crls, persb.xsl, ...) + permission java.net.SocketPermission "www.a-trust.at:80", "connect, resolve"; + permission java.net.SocketPermission "ksp.ecard.sozialversicherung.gv.at:80", "connect,resolve"; + permission java.net.SocketPermission "ldap.a-trust.at:389", "connect, resolve"; + permission java.net.SocketPermission "ocsp.a-trust.at:80", "connect, resolve"; + permission java.net.SocketPermission "ocsp.ecard.sozialversicherung.at:80", "connect, resolve"; +// permission java.net.SocketPermission "localhost:8080", "connect, resolve"; +// permission java.net.SocketPermission "www.xslt-stylesheet-include-url.org:80", "connect, resolve"; + + permission java.security.SecurityPermission "insertProvider.IAIK"; + permission java.security.SecurityPermission "putProviderProperty.IAIK"; + permission java.security.SecurityPermission "removeProvider.IAIK"; + permission java.security.SecurityPermission "insertProvider.IAIK_ECC"; + permission java.security.SecurityPermission "putProviderProperty.IAIK_ECC"; + permission java.security.SecurityPermission "insertProvider.XSECT"; + permission java.security.SecurityPermission "putProviderProperty.XSECT"; + permission java.security.SecurityPermission "insertProvider.STAL"; + permission java.security.SecurityPermission "putProviderProperty.STAL"; + // XMLDSig is moved backwards by XSECT + permission java.security.SecurityPermission "insertProvider.XMLDSig"; + permission java.security.SecurityPermission "removeProvider.XMLDSig"; + + permission java.util.PropertyPermission "*", "read"; + permission java.lang.RuntimePermission "accessDeclaredMembers"; + permission java.lang.RuntimePermission "getClassLoader"; + permission java.lang.RuntimePermission "getProtectionDomain"; + //bkucommon,pki + permission java.lang.RuntimePermission "accessClassInPackage.sun.net.www.protocol.ldap"; + //jax-ws jaxb + permission java.lang.RuntimePermission "accessClassInPackage.sun.util.logging.resources"; + //permission java.lang.RuntimePermission "modifyThread"; + //permission java.lang.reflect.ReflectPermission "suppressAccessChecks"; + permission java.net.NetPermission "specifyStreamHandler"; + + //jaxb + //permission java.io.FilePermission "/WEB-INF/classes/-", "read"; + +}; + +grant codeBase "file:/home/clemens/workspace/bku/BKUOnline/target/BKUOnline-1.2.12-pinguin-1-SNAPSHOT/WEB-INF/classes/-" { +// permission java.util.PropertyPermission "com.sun.xml.ws.fault.SOAPFaultBuilder.disableCaptureStackTrace", "write"; +// permission java.util.PropertyPermission "com.sun.xml.ws.transport.http.HttpAdapter.dump", "write"; + + permission java.io.FilePermission "/home/clemens/workspace/bku/BKUOnline/target/BKUOnline-1.2.12-pinguin-1-SNAPSHOT/WEB-INF/classes/at/gv/egiz/bku/certs/certStore", "write"; + permission java.io.FilePermission "/home/clemens/workspace/bku/BKUOnline/target/BKUOnline-1.2.12-pinguin-1-SNAPSHOT/WEB-INF/classes/at/gv/egiz/bku/certs/certStore/-", "write"; + permission java.io.FilePermission "/home/clemens/workspace/bku/BKUOnline/target/BKUOnline-1.2.12-pinguin-1-SNAPSHOT/WEB-INF/classes/at/gv/egiz/bku/certs/certStore/toBeAdded/-", "delete"; + + permission java.lang.RuntimePermission "defineClassInPackage.java.lang"; + permission java.util.PropertyPermission "*", "read, write"; + permission java.lang.RuntimePermission "modifyThread"; + permission java.lang.RuntimePermission "setFactory"; + permission java.lang.reflect.ReflectPermission "suppressAccessChecks"; +}; + +grant codeBase "file:/home/clemens/workspace/bku/BKUOnline/target/BKUOnline-1.2.12-pinguin-1-SNAPSHOT/WEB-INF/lib/utils-1.2.12-pinguin-1-SNAPSHOT.jar" { +// permission java.lang.RuntimePermission "accessDeclaredMembers"; + permission java.lang.reflect.ReflectPermission "suppressAccessChecks"; +}; + +grant codeBase "file:/home/clemens/workspace/bku/BKUOnline/target/BKUOnline-1.2.12-pinguin-1-SNAPSHOT/WEB-INF/lib/bkucommon-1.2.12-pinguin-1-SNAPSHOT.jar" { + permission java.io.FilePermission "/home/clemens/workspace/bku/BKUOnline/target/BKUOnline-1.2.12-pinguin-1-SNAPSHOT/WEB-INF/classes/at/gv/egiz/bku/certs/certStore", "write"; + permission java.io.FilePermission "/home/clemens/workspace/bku/BKUOnline/target/BKUOnline-1.2.12-pinguin-1-SNAPSHOT/WEB-INF/classes/at/gv/egiz/bku/certs/certStore/-", "write"; + permission java.io.FilePermission "/home/clemens/workspace/bku/BKUOnline/target/BKUOnline-1.2.12-pinguin-1-SNAPSHOT/WEB-INF/classes/at/gv/egiz/bku/certs/certStore/toBeAdded/-", "delete"; + permission java.io.FilePermission "${catalina.base}/temp/*", "read, write"; +// permission java.io.FilePermission "../conf/secret.xml", "read"; + permission java.util.PropertyPermission "*", "read, write"; + permission java.lang.RuntimePermission "modifyThread"; + permission java.lang.RuntimePermission "setFactory"; + permission java.lang.reflect.ReflectPermission "suppressAccessChecks"; +}; + +grant codeBase "file:/home/clemens/workspace/bku/BKUOnline/target/BKUOnline-1.2.12-pinguin-1-SNAPSHOT/WEB-INF/lib/iaik_jce_full_signed-3.16.jar" { + permission java.util.PropertyPermission "*", "read, write"; +}; + +grant codeBase "file:/home/clemens/workspace/bku/BKUOnline/target/BKUOnline-1.2.12-pinguin-1-SNAPSHOT/WEB-INF/lib/iaik_xsect-1.14.jar" { + permission java.util.PropertyPermission "*", "read, write"; +}; + +grant codeBase "file:/home/clemens/workspace/bku/BKUOnline/target/BKUOnline-1.2.12-pinguin-1-SNAPSHOT/WEB-INF/lib/iaik_pki-1.0-MOCCA.jar" { + permission java.io.FilePermission "/home/clemens/workspace/bku/BKUOnline/target/BKUOnline-1.2.12-pinguin-1-SNAPSHOT/WEB-INF/classes/at/gv/egiz/bku/certs/certStore", "write"; + permission java.io.FilePermission "/home/clemens/workspace/bku/BKUOnline/target/BKUOnline-1.2.12-pinguin-1-SNAPSHOT/WEB-INF/classes/at/gv/egiz/bku/certs/certStore/-", "write"; + permission java.io.FilePermission "/home/clemens/workspace/bku/BKUOnline/target/BKUOnline-1.2.12-pinguin-1-SNAPSHOT/WEB-INF/classes/at/gv/egiz/bku/certs/certStore/toBeAdded/-", "delete"; + //permission java.net.NetPermission "specifyStreamHandler"; + //permission java.lang.RuntimePermission "accessClassInPackage.sun.net.www.protocol.ldap"; +}; + +grant codeBase "file:/home/clemens/workspace/bku/BKUOnline/target/BKUOnline-1.2.12-pinguin-1-SNAPSHOT/WEB-INF/lib/xalan-2.7.1.jar" { + permission java.io.FilePermission "${java.home}/lib/xalan.properties", "read"; + //permission java.lang.RuntimePermission "getClassLoader"; +}; + +// allow xsl:include from the specified URL +//grant codeBase "jar:file:/home/clemens/workspace/bku/BKUOnline/target/BKUOnline-1.2.12-pinguin-1-SNAPSHOT/WEB-INF/lib/xalan-2.7.1.jar!/org/apache/xalan/processor/-" { +// permission java.net.SocketPermission "www.xslt-stylesheet-include-url.org:80", "connect, resolve"; +//}; + +// allow XSLT document function to reference the specified URL +//grant codeBase "jar:file:/home/clemens/workspace/bku/BKUOnline/target/BKUOnline-1.2.12-pinguin-1-SNAPSHOT/WEB-INF/lib/xalan-2.7.1.jar!/org/apache/xalan/xsltc/dom/LoadDocument.class" { +// permission java.io.FilePermission "../conf/secret.xml", "read"; +//}; + +// use tomcat/jre endorsed xerces instead +grant codeBase "file:/home/clemens/workspace/bku/BKUOnline/target/BKUOnline-1.2.12-pinguin-1-SNAPSHOT/WEB-INF/lib/xercesImpl-2.9.1.jar" { + permission java.io.FilePermission "${java.home}/lib/xerces.properties", "read"; +// permission java.io.FilePermission "../conf/secret.xml", "read"; +// permission java.net.SocketPermission "www.xslt-stylesheet-include-url.org:80", "connect, resolve"; + permission java.io.FilePermission "/WEB-INF/classes/-", "read"; + permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina"; + permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.*"; + //permission java.lang.RuntimePermission "accessDeclaredMembers"; +}; + +grant codeBase "file:/home/clemens/workspace/bku/BKUOnline/target/BKUOnline-1.2.12-pinguin-1-SNAPSHOT/WEB-INF/lib/commons-logging-1.1.1.jar" { + permission java.lang.RuntimePermission "defineClassInPackage.java.lang"; +}; + +grant codeBase "file:/home/clemens/workspace/bku/BKUOnline/target/BKUOnline-1.2.12-pinguin-1-SNAPSHOT/WEB-INF/lib/log4j-1.2.12.jar" { + permission java.io.FilePermission "/home/clemens/workspace/bku/BKUOnline/target/BKUOnline-1.2.12-pinguin-1-SNAPSHOT/WEB-INF/classes/log4j.properties", "read"; + permission java.lang.RuntimePermission "defineClassInPackage.java.lang"; +}; + +grant codeBase "file:/home/clemens/workspace/bku/BKUOnline/target/BKUOnline-1.2.12-pinguin-1-SNAPSHOT/WEB-INF/lib/spring-core-2.5.5.jar" { + //permission java.lang.RuntimePermission "accessDeclaredMembers"; + permission java.lang.RuntimePermission "modifyThread"; +}; + +grant codeBase "file:/home/clemens/workspace/bku/BKUOnline/target/BKUOnline-1.2.12-pinguin-1-SNAPSHOT/WEB-INF/lib/spring-web-2.5.5.jar" { + permission java.io.FilePermission "/home/clemens/workspace/bku/BKUOnline/target/BKUOnline-1.2.12-pinguin-1-SNAPSHOT/WEB-INF/classes/at/gv/egiz/bku/certs/certStore", "write"; + permission java.io.FilePermission "/home/clemens/workspace/bku/BKUOnline/target/BKUOnline-1.2.12-pinguin-1-SNAPSHOT/WEB-INF/classes/at/gv/egiz/bku/certs/certStore/-", "write"; + permission java.io.FilePermission "/home/clemens/workspace/bku/BKUOnline/target/BKUOnline-1.2.12-pinguin-1-SNAPSHOT/WEB-INF/classes/at/gv/egiz/bku/certs/certStore/toBeAdded/-", "delete"; + permission java.util.PropertyPermission "*", "read, write"; + //permission java.lang.RuntimePermission "accessDeclaredMembers"; + permission java.lang.RuntimePermission "modifyThread"; + permission java.lang.RuntimePermission "setFactory"; + //permission java.lang.RuntimePermission "getProtectionDomain"; + permission java.lang.RuntimePermission "defineClassInPackage.java.lang"; + permission java.lang.reflect.ReflectPermission "suppressAccessChecks"; +}; + +grant codeBase "file:/home/clemens/workspace/bku/BKUOnline/target/BKUOnline-1.2.12-pinguin-1-SNAPSHOT/WEB-INF/lib/spring-beans-2.5.5.jar" { + permission java.io.FilePermission "/home/clemens/workspace/bku/BKUOnline/target/BKUOnline-1.2.12-pinguin-1-SNAPSHOT/WEB-INF/classes/at/gv/egiz/bku/certs/certStore", "write"; + permission java.io.FilePermission "/home/clemens/workspace/bku/BKUOnline/target/BKUOnline-1.2.12-pinguin-1-SNAPSHOT/WEB-INF/classes/at/gv/egiz/bku/certs/certStore/-", "write"; + permission java.io.FilePermission "/home/clemens/workspace/bku/BKUOnline/target/BKUOnline-1.2.12-pinguin-1-SNAPSHOT/WEB-INF/classes/at/gv/egiz/bku/certs/certStore/toBeAdded/-", "delete"; + permission java.util.PropertyPermission "*", "read, write"; + //permission java.lang.RuntimePermission "accessDeclaredMembers"; + permission java.lang.RuntimePermission "setFactory"; + permission java.lang.RuntimePermission "getProtectionDomain"; + permission java.lang.RuntimePermission "defineClassInPackage.java.lang"; + permission java.lang.reflect.ReflectPermission "suppressAccessChecks"; +}; +grant codeBase "file:/home/clemens/workspace/bku/BKUOnline/target/BKUOnline-1.2.12-pinguin-1-SNAPSHOT/WEB-INF/lib/spring-context-2.5.5.jar" { + permission java.io.FilePermission "/home/clemens/workspace/bku/BKUOnline/target/BKUOnline-1.2.12-pinguin-1-SNAPSHOT/WEB-INF/classes/at/gv/egiz/bku/certs/certStore", "write"; + permission java.io.FilePermission "/home/clemens/workspace/bku/BKUOnline/target/BKUOnline-1.2.12-pinguin-1-SNAPSHOT/WEB-INF/classes/at/gv/egiz/bku/certs/certStore/-", "write"; + permission java.io.FilePermission "/home/clemens/workspace/bku/BKUOnline/target/BKUOnline-1.2.12-pinguin-1-SNAPSHOT/WEB-INF/classes/at/gv/egiz/bku/certs/certStore/toBeAdded/-", "delete"; + permission java.util.PropertyPermission "*", "read, write"; + //permission java.lang.RuntimePermission "accessDeclaredMembers"; + permission java.lang.RuntimePermission "modifyThread"; + permission java.lang.RuntimePermission "setFactory"; + permission java.lang.RuntimePermission "getProtectionDomain"; + permission java.lang.RuntimePermission "defineClassInPackage.java.lang"; + permission java.lang.reflect.ReflectPermission "suppressAccessChecks"; +}; + +grant codeBase "file:/home/clemens/workspace/bku/BKUOnline/target/BKUOnline-1.2.12-pinguin-1-SNAPSHOT/WEB-INF/lib/jaxws-rt-2.1.5.jar" { + // need write access to set disableCaptureStackTrace and HttpAdapter.dump + permission java.util.PropertyPermission "com.sun.xml.ws.*", "read, write"; + //permission java.util.PropertyPermission "com.sun.xml.bind.*", "read"; + //permission java.util.PropertyPermission "javax.xml.soap.*", "read"; + //permission java.util.PropertyPermission "javax.activation.*", "read"; + //permission java.util.PropertyPermission "xml.catalog.*", "read"; + //permission java.util.PropertyPermission "user.dir", "read"; + //permission java.util.PropertyPermission "user.home", "read"; + permission java.io.FilePermission "${java.home}/lib/jaxm.properties", "read"; + permission java.io.FilePermission "${java.home}/lib/mailcap", "read"; + permission java.io.FilePermission "${user.home}/.mailcap", "read"; + permission java.io.FilePermission "basename", "read"; + permission java.io.FilePermission "${catalina.home}/bin/xcatalog", "read"; + permission java.io.FilePermission "${catalina.home}/temp/xcatalog", "read"; + permission java.io.FilePermission "/WEB-INF/classes/-", "read"; + //permission java.lang.RuntimePermission "accessDeclaredMembers"; + //permission java.lang.RuntimePermission "accessClassInPackage.sun.util.logging.resources"; + permission java.lang.RuntimePermission "setContextClassLoader"; + permission javax.management.MBeanServerPermission "createMBeanServer"; + permission javax.management.MBeanPermission "com.sun.xml.ws.*", "registerMBean"; + permission javax.management.MBeanTrustPermission "register"; + permission java.lang.reflect.ReflectPermission "suppressAccessChecks"; +}; + +grant codeBase "file:/home/clemens/workspace/bku/BKUOnline/target/BKUOnline-1.2.12-pinguin-1-SNAPSHOT/WEB-INF/lib/jaxb-impl-2.1.9.jar" { + //permission java.lang.RuntimePermission "accessClassInPackage.sun.util.logging.resources"; + permission java.lang.reflect.ReflectPermission "suppressAccessChecks"; +// permission java.lang.RuntimePermission "accessDeclaredMembers"; +// permission java.util.PropertyPermission "com.sun.xml.bind.v2.*", "read"; +// permission java.util.PropertyPermission "user.dir", "read"; + permission java.io.FilePermission "/WEB-INF/classes/-", "read"; +}; + +// ======== NETBEANS + +grant codeBase "file:${catalina.base}/nblib/-" { + permission java.security.AllPermission; +};
\ No newline at end of file |