summaryrefslogtreecommitdiff
path: root/BKUOnline/src/main/policy
diff options
context:
space:
mode:
authormcentner <mcentner@8a26b1a7-26f0-462f-b9ef-d0e30c41f5a4>2010-05-05 15:29:01 +0000
committermcentner <mcentner@8a26b1a7-26f0-462f-b9ef-d0e30c41f5a4>2010-05-05 15:29:01 +0000
commitb1c8641a63a67e3c64d948f9e8dce5c01e11e2dd (patch)
tree0883f08a408f89f758e9a1be629232e3dd055c3a /BKUOnline/src/main/policy
parent83a9b613836910f7edc370c2fe60fa2268dc4461 (diff)
downloadmocca-b1c8641a63a67e3c64d948f9e8dce5c01e11e2dd.tar.gz
mocca-b1c8641a63a67e3c64d948f9e8dce5c01e11e2dd.tar.bz2
mocca-b1c8641a63a67e3c64d948f9e8dce5c01e11e2dd.zip
Merged feature branch mocca-1.2.13-id@r724 back to trunk.
git-svn-id: https://joinup.ec.europa.eu/svn/mocca/trunk@725 8a26b1a7-26f0-462f-b9ef-d0e30c41f5a4
Diffstat (limited to 'BKUOnline/src/main/policy')
-rw-r--r--BKUOnline/src/main/policy/50mocca.policy229
-rw-r--r--BKUOnline/src/main/policy/catalina.policy411
2 files changed, 502 insertions, 138 deletions
diff --git a/BKUOnline/src/main/policy/50mocca.policy b/BKUOnline/src/main/policy/50mocca.policy
index 2d6bc13d..8cda9eb6 100644
--- a/BKUOnline/src/main/policy/50mocca.policy
+++ b/BKUOnline/src/main/policy/50mocca.policy
@@ -18,8 +18,7 @@
// || IMPORTANT: REVIEW AND ADAPT TO YOUR NEEDS PRIOR TO INSTALLATION
// =========================================================================
//
-// (set -Djava.security.debug=access,failure and search for "FAILED")
-//
+// (set -Djava.security.debug=access,failure and search for "denied" (failed))
//
// ========== MOCCA CODE PERMISSIONS =======================================
//
@@ -27,9 +26,11 @@
// with ${catalina.base}/webapps/<mocca_context>
// replace ${catalina.base}/work/Catalina/localhost/bkuonline
// with ${catalina.base}/work/Catalina/localhost/<mocca_context> (the path to the compiled JSPs, excl. package dir: org/apache/jsp/)
-// replace version info in utils-1.2.10.jar and bkucommon-1.2.10.jar
+// replace version info in
+// ${catalina.base}/webapps/bkuonline/WEB-INF/lib/utils-1.2.12.jar and
+// ${catalina.base}/webapps/bkuonline/WEB-INF/lib/bkucommon-1.2.12.jar
// with current version
-// replace apps.egiz.gv.at
+// replace www.sozialversicherung.gv.at:443
// with <DataURL_host:DataURL_port>
// replace localhost:8080
// with <StylesheetURL_host:StylesheetURL_port>
@@ -40,7 +41,7 @@
//
// replace www.a-trust.at and ksp.ecard.sozialversicherung.gv.at
// with <idLink_template_download_URL>
-// replace ldap.a-trust.at:389 and ocsp.ecard.sozialversicherung.at:80
+// replace ldap.a-trust.at:389, ocsp.a-trust.at:80 and ocsp.ecard.sozialversicherung.at:80
// with <certificate_revocation_authority_endpoint> (OCSP, CRLs)
//
@@ -49,6 +50,8 @@
grant codeBase "file:${catalina.home}/bin/tomcat-juli.jar" {
permission java.lang.RuntimePermission "accessClassInPackage.sun.util.logging.resources";
permission java.io.FilePermission "${catalina.base}/webapps/bkuonline/WEB-INF/classes/logging.properties", "read";
+ // (for manager webapp)
+ // permission java.lang.RuntimePermission "setContextClassLoader";
};
grant codeBase "file:${catalina.base}/work/Catalina/localhost/bkuonline" {
@@ -58,47 +61,25 @@ grant codeBase "file:${catalina.base}/work/Catalina/localhost/bkuonline" {
// =========== MOCCA grants
//
-grant codeBase "file:${catalina.base}/webapps/bkuonline/WEB-INF/classes/-" {
- permission java.security.AllPermission;
-// permission java.io.FilePermission "${catalina.base}/logs", "read, write";
-// permission java.io.FilePermission "${catalina.base}/logs/*", "read, write";
-// permission java.io.FilePermission "${catalina.base}/logs/*", "delete";
-// permission java.util.PropertyPermission "com.sun.xml.ws.fault.SOAPFaultBuilder.disableCaptureStackTrace", "write";
-// permission java.util.PropertyPermission "com.sun.xml.ws.transport.http.HttpAdapter.dump", "write";
-};
-
-grant codeBase "file:${catalina.base}/webapps/bkuonline/WEB-INF/lib/-" {
- // the log4j configuration might want to write logs to ${catalina.base}/logs/bkuonline.log
+grant codeBase "file:${catalina.base}/webapps/bkuonline/-" {
permission java.io.FilePermission "${catalina.base}/logs", "read, write";
permission java.io.FilePermission "${catalina.base}/logs/*", "read, write";
permission java.io.FilePermission "${catalina.base}/logs/*", "delete";
-};
-
-grant codeBase "file:${catalina.base}/webapps/bkuonline/WEB-INF/lib/utils-1.2.10.jar" {
- permission java.util.PropertyPermission "*", "read";
- permission java.net.SocketPermission "www.a-trust.at:80", "connect, resolve";
- permission java.net.SocketPermission "ksp.ecard.sozialversicherung.gv.at:80", "connect,resolve";
-// permission java.net.SocketPermission "localhost:8080", "connect, resolve";
- permission java.net.SocketPermission "www.xslt-stylesheet-include-url.org:80", "connect, resolve";
- permission java.lang.RuntimePermission "accessDeclaredMembers";
- permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
-};
-
-grant codeBase "file:${catalina.base}/webapps/bkuonline/WEB-INF/lib/bkucommon-1.2.10.jar" {
- permission java.io.FilePermission "${catalina.base}/webapps/bkuonline/WEB-INF/classes/at/gv/egiz/bku/certs/certStore", "write";
- permission java.io.FilePermission "${catalina.base}/webapps/bkuonline/WEB-INF/classes/at/gv/egiz/bku/certs/certStore/-", "write";
- permission java.io.FilePermission "${catalina.base}/webapps/bkuonline/WEB-INF/classes/at/gv/egiz/bku/certs/certStore/toBeAdded/-", "delete";
- permission java.io.FilePermission "../conf/secret.xml", "read";
+ // DataURLs
permission java.net.SocketPermission "apps.egiz.gv.at:443", "connect, resolve";
+ permission java.net.SocketPermission "www.buergerkarte.at:443", "connect, resolve";
+ permission java.net.SocketPermission "www.sozialversicherung.gv.at:443", "connect, resolve";
+
+ // other resources (crls, persb.xsl, ...)
permission java.net.SocketPermission "www.a-trust.at:80", "connect, resolve";
permission java.net.SocketPermission "ksp.ecard.sozialversicherung.gv.at:80", "connect,resolve";
permission java.net.SocketPermission "ldap.a-trust.at:389", "connect, resolve";
+ permission java.net.SocketPermission "ocsp.a-trust.at:80", "connect, resolve";
permission java.net.SocketPermission "ocsp.ecard.sozialversicherung.at:80", "connect, resolve";
// permission java.net.SocketPermission "localhost:8080", "connect, resolve";
- permission java.net.SocketPermission "www.xslt-stylesheet-include-url.org:80", "connect, resolve";
- permission java.net.NetPermission "specifyStreamHandler";
- permission java.util.PropertyPermission "*", "read, write";
+// permission java.net.SocketPermission "www.xslt-stylesheet-include-url.org:80", "connect, resolve";
+
permission java.security.SecurityPermission "insertProvider.IAIK";
permission java.security.SecurityPermission "putProviderProperty.IAIK";
permission java.security.SecurityPermission "removeProvider.IAIK";
@@ -111,143 +92,127 @@ grant codeBase "file:${catalina.base}/webapps/bkuonline/WEB-INF/lib/bkucommon-1.
// XMLDSig is moved backwards by XSECT
permission java.security.SecurityPermission "insertProvider.XMLDSig";
permission java.security.SecurityPermission "removeProvider.XMLDSig";
+
+ permission java.util.PropertyPermission "*", "read";
permission java.lang.RuntimePermission "accessDeclaredMembers";
- permission java.lang.RuntimePermission "setFactory";
+ permission java.lang.RuntimePermission "getClassLoader";
permission java.lang.RuntimePermission "getProtectionDomain";
+ //bkucommon,pki
permission java.lang.RuntimePermission "accessClassInPackage.sun.net.www.protocol.ldap";
+ //jax-ws jaxb
+ permission java.lang.RuntimePermission "accessClassInPackage.sun.util.logging.resources";
+ //permission java.lang.RuntimePermission "modifyThread";
+ //permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
+ permission java.net.NetPermission "specifyStreamHandler";
+};
+
+grant codeBase "file:${catalina.base}/webapps/bkuonline/WEB-INF/classes/-" {
+// permission java.util.PropertyPermission "com.sun.xml.ws.fault.SOAPFaultBuilder.disableCaptureStackTrace", "write";
+// permission java.util.PropertyPermission "com.sun.xml.ws.transport.http.HttpAdapter.dump", "write";
+
+ permission java.io.FilePermission "${catalina.base}/webapps/bkuonline/WEB-INF/classes/at/gv/egiz/bku/certs/certStore", "write";
+ permission java.io.FilePermission "${catalina.base}/webapps/bkuonline/WEB-INF/classes/at/gv/egiz/bku/certs/certStore/-", "write";
+ permission java.io.FilePermission "${catalina.base}/webapps/bkuonline/WEB-INF/classes/at/gv/egiz/bku/certs/certStore/toBeAdded/-", "delete";
+
+ permission java.lang.RuntimePermission "defineClassInPackage.java.lang";
+ permission java.util.PropertyPermission "*", "read, write";
permission java.lang.RuntimePermission "modifyThread";
+ permission java.lang.RuntimePermission "setFactory";
permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
};
-grant codeBase "file:${catalina.base}/webapps/bkuonline/WEB-INF/lib/iaik_jce_full_signed-3.16.jar" {
+grant codeBase "file:${catalina.base}/webapps/bkuonline/WEB-INF/lib/utils-1.2.12.jar" {
+// permission java.lang.RuntimePermission "accessDeclaredMembers";
+ permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
+};
+
+grant codeBase "file:${catalina.base}/webapps/bkuonline/WEB-INF/lib/bkucommon-1.2.12.jar" {
+ permission java.io.FilePermission "${catalina.base}/webapps/bkuonline/WEB-INF/classes/at/gv/egiz/bku/certs/certStore", "write";
+ permission java.io.FilePermission "${catalina.base}/webapps/bkuonline/WEB-INF/classes/at/gv/egiz/bku/certs/certStore/-", "write";
+ permission java.io.FilePermission "${catalina.base}/webapps/bkuonline/WEB-INF/classes/at/gv/egiz/bku/certs/certStore/toBeAdded/-", "delete";
+ permission java.io.FilePermission "${catalina.base}/temp/*", "read, write";
+// permission java.io.FilePermission "../conf/secret.xml", "read";
permission java.util.PropertyPermission "*", "read, write";
- permission java.security.SecurityPermission "insertProvider.IAIK";
- permission java.security.SecurityPermission "putProviderProperty.IAIK";
- permission java.security.SecurityPermission "removeProvider.IAIK";
- permission java.net.SocketPermission "ldap.a-trust.at:389", "connect, resolve";
- permission java.net.SocketPermission "ocsp.ecard.sozialversicherung.at:80", "connect, resolve";
+ permission java.lang.RuntimePermission "modifyThread";
+ permission java.lang.RuntimePermission "setFactory";
+ permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
};
-grant codeBase "file:${catalina.base}/webapps/bkuonline/WEB-INF/lib/iaik_ecc_signed-2.15.jar" {
- permission java.security.SecurityPermission "insertProvider.IAIK_ECC";
- permission java.security.SecurityPermission "putProviderProperty.IAIK_ECC";
+grant codeBase "file:${catalina.base}/webapps/bkuonline/WEB-INF/lib/iaik_jce_full_signed-3.16.jar" {
+ permission java.util.PropertyPermission "*", "read, write";
};
grant codeBase "file:${catalina.base}/webapps/bkuonline/WEB-INF/lib/iaik_xsect-1.14.jar" {
permission java.util.PropertyPermission "*", "read, write";
- permission java.security.SecurityPermission "insertProvider.IAIK";
- permission java.security.SecurityPermission "putProviderProperty.IAIK";
- permission java.security.SecurityPermission "removeProvider.IAIK";
- permission java.security.SecurityPermission "insertProvider.XSECT";
- permission java.security.SecurityPermission "putProviderProperty.XSECT";
- permission java.security.SecurityPermission "insertProvider.XMLDSig";
- permission java.security.SecurityPermission "removeProvider.XMLDSig";
};
grant codeBase "file:${catalina.base}/webapps/bkuonline/WEB-INF/lib/iaik_pki-1.0-MOCCA.jar" {
permission java.io.FilePermission "${catalina.base}/webapps/bkuonline/WEB-INF/classes/at/gv/egiz/bku/certs/certStore", "write";
permission java.io.FilePermission "${catalina.base}/webapps/bkuonline/WEB-INF/classes/at/gv/egiz/bku/certs/certStore/-", "write";
permission java.io.FilePermission "${catalina.base}/webapps/bkuonline/WEB-INF/classes/at/gv/egiz/bku/certs/certStore/toBeAdded/-", "delete";
- permission java.net.SocketPermission "www.a-trust.at:80", "connect, resolve";
- permission java.net.SocketPermission "ldap.a-trust.at:389", "connect, resolve";
- permission java.net.SocketPermission "ocsp.ecard.sozialversicherung.at:80", "connect, resolve";
- permission java.net.NetPermission "specifyStreamHandler";
- permission java.lang.RuntimePermission "accessClassInPackage.sun.net.www.protocol.ldap";
+ //permission java.net.NetPermission "specifyStreamHandler";
+ //permission java.lang.RuntimePermission "accessClassInPackage.sun.net.www.protocol.ldap";
};
grant codeBase "file:${catalina.base}/webapps/bkuonline/WEB-INF/lib/xalan-2.7.1.jar" {
permission java.io.FilePermission "${java.home}/lib/xalan.properties", "read";
- permission java.util.PropertyPermission "*", "read";
- permission java.lang.RuntimePermission "getClassLoader";
-};
-
-grant codeBase "file:${catalina.base}/webapps/bkuonline/WEB-INF/lib/serializer-2.7.1.jar" {
- permission java.util.PropertyPermission "*", "read";
- permission java.lang.RuntimePermission "getClassLoader";
+ //permission java.lang.RuntimePermission "getClassLoader";
};
// allow xsl:include from the specified URL
-grant codeBase "jar:file:${catalina.base}/webapps/bkuonline/WEB-INF/lib/xalan-2.7.1.jar!/org/apache/xalan/processor/-" {
- permission java.net.SocketPermission "www.xslt-stylesheet-include-url.org:80", "connect, resolve";
-};
+//grant codeBase "jar:file:${catalina.base}/webapps/bkuonline/WEB-INF/lib/xalan-2.7.1.jar!/org/apache/xalan/processor/-" {
+// permission java.net.SocketPermission "www.xslt-stylesheet-include-url.org:80", "connect, resolve";
+//};
// allow XSLT document function to reference the specified URL
-grant codeBase "jar:file:${catalina.base}/webapps/bkuonline/WEB-INF/lib/xalan-2.7.1.jar!/org/apache/xalan/xsltc/dom/LoadDocument.class" {
- permission java.io.FilePermission "../conf/secret.xml", "read";
-};
+//grant codeBase "jar:file:${catalina.base}/webapps/bkuonline/WEB-INF/lib/xalan-2.7.1.jar!/org/apache/xalan/xsltc/dom/LoadDocument.class" {
+// permission java.io.FilePermission "../conf/secret.xml", "read";
+//};
// use tomcat/jre endorsed xerces instead
grant codeBase "file:${catalina.base}/webapps/bkuonline/WEB-INF/lib/xercesImpl-2.9.1.jar" {
permission java.io.FilePermission "${java.home}/lib/xerces.properties", "read";
// permission java.io.FilePermission "../conf/secret.xml", "read";
// permission java.net.SocketPermission "www.xslt-stylesheet-include-url.org:80", "connect, resolve";
- permission java.util.PropertyPermission "*", "read";
+ permission java.io.FilePermission "/WEB-INF/classes/-", "read";
permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina";
permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.*";
- permission java.lang.RuntimePermission "getClassLoader";
- permission java.lang.RuntimePermission "accessDeclaredMembers";
+ //permission java.lang.RuntimePermission "accessDeclaredMembers";
};
grant codeBase "file:${catalina.base}/webapps/bkuonline/WEB-INF/lib/commons-logging-1.1.1.jar" {
- permission java.util.PropertyPermission "org.apache.commons.logging.*", "read";
- permission java.util.PropertyPermission "log4j.*", "read";
- permission java.util.PropertyPermission "catalina.base", "read";
- permission java.lang.RuntimePermission "getClassLoader";
permission java.lang.RuntimePermission "defineClassInPackage.java.lang";
};
grant codeBase "file:${catalina.base}/webapps/bkuonline/WEB-INF/lib/log4j-1.2.12.jar" {
permission java.io.FilePermission "${catalina.base}/webapps/bkuonline/WEB-INF/classes/log4j.properties", "read";
- // allow log4j to read its own properties
- permission java.util.PropertyPermission "log4j.*", "read";
- permission java.util.PropertyPermission "catalina.base", "read";
permission java.lang.RuntimePermission "defineClassInPackage.java.lang";
};
grant codeBase "file:${catalina.base}/webapps/bkuonline/WEB-INF/lib/spring-core-2.5.5.jar" {
- permission java.lang.RuntimePermission "accessDeclaredMembers";
+ //permission java.lang.RuntimePermission "accessDeclaredMembers";
permission java.lang.RuntimePermission "modifyThread";
};
+
grant codeBase "file:${catalina.base}/webapps/bkuonline/WEB-INF/lib/spring-web-2.5.5.jar" {
permission java.io.FilePermission "${catalina.base}/webapps/bkuonline/WEB-INF/classes/at/gv/egiz/bku/certs/certStore", "write";
permission java.io.FilePermission "${catalina.base}/webapps/bkuonline/WEB-INF/classes/at/gv/egiz/bku/certs/certStore/-", "write";
permission java.io.FilePermission "${catalina.base}/webapps/bkuonline/WEB-INF/classes/at/gv/egiz/bku/certs/certStore/toBeAdded/-", "delete";
- permission java.security.SecurityPermission "insertProvider.IAIK";
- permission java.security.SecurityPermission "putProviderProperty.IAIK";
- permission java.security.SecurityPermission "removeProvider.IAIK";
- permission java.security.SecurityPermission "insertProvider.IAIK_ECC";
- permission java.security.SecurityPermission "putProviderProperty.IAIK_ECC";
- permission java.security.SecurityPermission "insertProvider.XSECT";
- permission java.security.SecurityPermission "putProviderProperty.XSECT";
- permission java.security.SecurityPermission "insertProvider.STAL";
- permission java.security.SecurityPermission "putProviderProperty.STAL";
- permission java.security.SecurityPermission "insertProvider.XMLDSig";
- permission java.security.SecurityPermission "removeProvider.XMLDSig";
permission java.util.PropertyPermission "*", "read, write";
- permission java.lang.RuntimePermission "accessDeclaredMembers";
+ //permission java.lang.RuntimePermission "accessDeclaredMembers";
permission java.lang.RuntimePermission "modifyThread";
permission java.lang.RuntimePermission "setFactory";
- permission java.lang.RuntimePermission "getProtectionDomain";
+ //permission java.lang.RuntimePermission "getProtectionDomain";
permission java.lang.RuntimePermission "defineClassInPackage.java.lang";
permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
};
+
grant codeBase "file:${catalina.base}/webapps/bkuonline/WEB-INF/lib/spring-beans-2.5.5.jar" {
permission java.io.FilePermission "${catalina.base}/webapps/bkuonline/WEB-INF/classes/at/gv/egiz/bku/certs/certStore", "write";
permission java.io.FilePermission "${catalina.base}/webapps/bkuonline/WEB-INF/classes/at/gv/egiz/bku/certs/certStore/-", "write";
permission java.io.FilePermission "${catalina.base}/webapps/bkuonline/WEB-INF/classes/at/gv/egiz/bku/certs/certStore/toBeAdded/-", "delete";
- permission java.security.SecurityPermission "insertProvider.IAIK";
- permission java.security.SecurityPermission "putProviderProperty.IAIK";
- permission java.security.SecurityPermission "removeProvider.IAIK";
- permission java.security.SecurityPermission "insertProvider.IAIK_ECC";
- permission java.security.SecurityPermission "putProviderProperty.IAIK_ECC";
- permission java.security.SecurityPermission "insertProvider.XSECT";
- permission java.security.SecurityPermission "putProviderProperty.XSECT";
- permission java.security.SecurityPermission "insertProvider.STAL";
- permission java.security.SecurityPermission "putProviderProperty.STAL";
- permission java.security.SecurityPermission "insertProvider.XMLDSig";
- permission java.security.SecurityPermission "removeProvider.XMLDSig";
permission java.util.PropertyPermission "*", "read, write";
- permission java.lang.RuntimePermission "accessDeclaredMembers";
+ //permission java.lang.RuntimePermission "accessDeclaredMembers";
permission java.lang.RuntimePermission "setFactory";
permission java.lang.RuntimePermission "getProtectionDomain";
permission java.lang.RuntimePermission "defineClassInPackage.java.lang";
@@ -257,19 +222,8 @@ grant codeBase "file:${catalina.base}/webapps/bkuonline/WEB-INF/lib/spring-conte
permission java.io.FilePermission "${catalina.base}/webapps/bkuonline/WEB-INF/classes/at/gv/egiz/bku/certs/certStore", "write";
permission java.io.FilePermission "${catalina.base}/webapps/bkuonline/WEB-INF/classes/at/gv/egiz/bku/certs/certStore/-", "write";
permission java.io.FilePermission "${catalina.base}/webapps/bkuonline/WEB-INF/classes/at/gv/egiz/bku/certs/certStore/toBeAdded/-", "delete";
- permission java.security.SecurityPermission "insertProvider.IAIK";
- permission java.security.SecurityPermission "putProviderProperty.IAIK";
- permission java.security.SecurityPermission "removeProvider.IAIK";
- permission java.security.SecurityPermission "insertProvider.IAIK_ECC";
- permission java.security.SecurityPermission "putProviderProperty.IAIK_ECC";
- permission java.security.SecurityPermission "insertProvider.XSECT";
- permission java.security.SecurityPermission "putProviderProperty.XSECT";
- permission java.security.SecurityPermission "insertProvider.STAL";
- permission java.security.SecurityPermission "putProviderProperty.STAL";
- permission java.security.SecurityPermission "insertProvider.XMLDSig";
- permission java.security.SecurityPermission "removeProvider.XMLDSig";
permission java.util.PropertyPermission "*", "read, write";
- permission java.lang.RuntimePermission "accessDeclaredMembers";
+ //permission java.lang.RuntimePermission "accessDeclaredMembers";
permission java.lang.RuntimePermission "modifyThread";
permission java.lang.RuntimePermission "setFactory";
permission java.lang.RuntimePermission "getProtectionDomain";
@@ -280,20 +234,21 @@ grant codeBase "file:${catalina.base}/webapps/bkuonline/WEB-INF/lib/spring-conte
grant codeBase "file:${catalina.base}/webapps/bkuonline/WEB-INF/lib/jaxws-rt-2.1.5.jar" {
// need write access to set disableCaptureStackTrace and HttpAdapter.dump
permission java.util.PropertyPermission "com.sun.xml.ws.*", "read, write";
- permission java.util.PropertyPermission "com.sun.xml.bind.*", "read";
- permission java.util.PropertyPermission "javax.xml.soap.*", "read";
- permission java.util.PropertyPermission "javax.activation.*", "read";
- permission java.util.PropertyPermission "xml.catalog.*", "read";
- permission java.util.PropertyPermission "user.dir", "read";
- permission java.util.PropertyPermission "user.home", "read";
+ //permission java.util.PropertyPermission "com.sun.xml.bind.*", "read";
+ //permission java.util.PropertyPermission "javax.xml.soap.*", "read";
+ //permission java.util.PropertyPermission "javax.activation.*", "read";
+ //permission java.util.PropertyPermission "xml.catalog.*", "read";
+ //permission java.util.PropertyPermission "user.dir", "read";
+ //permission java.util.PropertyPermission "user.home", "read";
permission java.io.FilePermission "${java.home}/lib/jaxm.properties", "read";
permission java.io.FilePermission "${java.home}/lib/mailcap", "read";
permission java.io.FilePermission "${user.home}/.mailcap", "read";
permission java.io.FilePermission "basename", "read";
permission java.io.FilePermission "${catalina.home}/bin/xcatalog", "read";
- permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
- permission java.lang.RuntimePermission "accessDeclaredMembers";
- permission java.lang.RuntimePermission "accessClassInPackage.sun.util.logging.resources";
+ permission java.io.FilePermission "${catalina.home}/temp/xcatalog", "read";
+ permission java.io.FilePermission "/WEB-INF/classes/-", "read";
+ //permission java.lang.RuntimePermission "accessDeclaredMembers";
+ //permission java.lang.RuntimePermission "accessClassInPackage.sun.util.logging.resources";
permission java.lang.RuntimePermission "setContextClassLoader";
permission javax.management.MBeanServerPermission "createMBeanServer";
permission javax.management.MBeanPermission "com.sun.xml.ws.*", "registerMBean";
@@ -302,18 +257,16 @@ grant codeBase "file:${catalina.base}/webapps/bkuonline/WEB-INF/lib/jaxws-rt-2.1
};
grant codeBase "file:${catalina.base}/webapps/bkuonline/WEB-INF/lib/jaxb-impl-2.1.9.jar" {
+ //permission java.lang.RuntimePermission "accessClassInPackage.sun.util.logging.resources";
permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
- permission java.lang.RuntimePermission "accessDeclaredMembers";
- permission java.util.PropertyPermission "com.sun.xml.bind.v2.*", "read";
- permission java.util.PropertyPermission "user.dir", "read";
-};
-
-grant codeBase "file:${catalina.base}/webapps/bkuonline/WEB-INF/lib/commons-httpclient-3.1.jar" {
- permission java.util.PropertyPermission "*", "read";
+// permission java.lang.RuntimePermission "accessDeclaredMembers";
+// permission java.util.PropertyPermission "com.sun.xml.bind.v2.*", "read";
+// permission java.util.PropertyPermission "user.dir", "read";
+ permission java.io.FilePermission "/WEB-INF/classes/-", "read";
};
// ======== NETBEANS
-//grant codeBase "file:${catalina.base}/nblib/-" {
-// permission java.security.AllPermission;
-//}; \ No newline at end of file
+grant codeBase "file:${catalina.base}/nblib/-" {
+ permission java.security.AllPermission;
+}; \ No newline at end of file
diff --git a/BKUOnline/src/main/policy/catalina.policy b/BKUOnline/src/main/policy/catalina.policy
new file mode 100644
index 00000000..2dfb198f
--- /dev/null
+++ b/BKUOnline/src/main/policy/catalina.policy
@@ -0,0 +1,411 @@
+// Copyright 2008 Federal Chancellery Austria and
+// Graz University of Technology
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+//
+// =========================================================================
+// || IMPORTANT: REVIEW AND ADAPT TO YOUR NEEDS PRIOR TO INSTALLATION
+// =========================================================================
+//
+// =========================================================================
+// || This file contains all default permissions from $CATALINA_HOME/conf/catalina.policy
+// || and codebase paths to development dirs (for in-place deployment of IDEs)
+// =========================================================================
+//
+// (set -Djava.security.debug=access,failure and search for "denied" (failed))
+// (-Djava.net.preferIPv4Stack=true)
+//
+// ========== MOCCA CODE PERMISSIONS =======================================
+//
+// replace ${catalina.base}/webapps/bkuonline
+// with ${catalina.base}/webapps/<mocca_context>
+// replace ${catalina.base}/work/Catalina/localhost/bkuonline
+// with ${catalina.base}/work/Catalina/localhost/<mocca_context> (the path to the compiled JSPs, excl. package dir: org/apache/jsp/)
+// replace version info in
+// ${catalina.base}/webapps/bkuonline/WEB-INF/lib/BKUViewer-1.2.12.jar" {
+// ${catalina.base}/webapps/bkuonline/WEB-INF/lib/utils-1.2.12.jar and
+// ${catalina.base}/webapps/bkuonline/WEB-INF/lib/bkucommon-1.2.12.jar
+// with current version
+// replace www.sozialversicherung.gv.at:443
+// with <DataURL_host:DataURL_port>
+// replace localhost:8080
+// with <StylesheetURL_host:StylesheetURL_port>
+// replace www.xslt-stylesheet-include-url.org:80
+// with <XSL_include_URL>
+// replace ../conf/secret.xml
+// with <any_resource_you_would_like_to_grant_XSLTs_document()_function_access_to>
+//
+// replace www.a-trust.at and ksp.ecard.sozialversicherung.gv.at
+// with <idLink_template_download_URL>
+// replace ldap.a-trust.at:389, ocsp.a-trust.at:80 and ocsp.ecard.sozialversicherung.at:80
+// with <certificate_revocation_authority_endpoint> (OCSP, CRLs)
+//
+
+// ========== SYSTEM CODE PERMISSIONS =========================================
+
+
+// These permissions apply to javac
+grant codeBase "file:${java.home}/lib/-" {
+ permission java.security.AllPermission;
+};
+
+// These permissions apply to all shared system extensions
+grant codeBase "file:${java.home}/jre/lib/ext/-" {
+ permission java.security.AllPermission;
+};
+
+// These permissions apply to javac when ${java.home] points at $JAVA_HOME/jre
+grant codeBase "file:${java.home}/../lib/-" {
+ permission java.security.AllPermission;
+};
+
+// These permissions apply to all shared system extensions when
+// ${java.home} points at $JAVA_HOME/jre
+grant codeBase "file:${java.home}/lib/ext/-" {
+ permission java.security.AllPermission;
+};
+
+
+// ========== CATALINA CODE PERMISSIONS =======================================
+
+
+// These permissions apply to the daemon code
+grant codeBase "file:${catalina.home}/bin/commons-daemon.jar" {
+ permission java.security.AllPermission;
+};
+
+// These permissions apply to the logging API
+grant codeBase "file:${catalina.home}/bin/tomcat-juli.jar" {
+ permission java.util.PropertyPermission "java.util.logging.config.class", "read";
+ permission java.util.PropertyPermission "java.util.logging.config.file", "read";
+ permission java.io.FilePermission "${java.home}${file.separator}lib${file.separator}logging.properties", "read";
+ permission java.lang.RuntimePermission "shutdownHooks";
+ permission java.io.FilePermission "${catalina.base}${file.separator}conf${file.separator}logging.properties", "read";
+ permission java.util.PropertyPermission "catalina.base", "read";
+ permission java.util.logging.LoggingPermission "control";
+ permission java.io.FilePermission "${catalina.base}${file.separator}logs", "read, write";
+ permission java.io.FilePermission "${catalina.base}${file.separator}logs${file.separator}*", "read, write";
+ permission java.lang.RuntimePermission "getClassLoader";
+
+ // added by clemenso (for manager webapp)
+ permission java.lang.RuntimePermission "setContextClassLoader";
+ permission java.lang.RuntimePermission "accessClassInPackage.sun.util.logging.resources";
+
+ // To enable per context logging configuration, permit read access to the appropriate file.
+ // Be sure that the logging configuration is secure before enabling such access
+ // eg for the examples web application:
+ // permission java.io.FilePermission "${catalina.base}${file.separator}webapps${file.separator}examples${file.separator}WEB-INF${file.separator}classes${file.separator}logging.properties", "read";
+};
+
+// These permissions apply to the server startup code
+grant codeBase "file:${catalina.home}/bin/bootstrap.jar" {
+ permission java.security.AllPermission;
+};
+
+// These permissions apply to the servlet API classes
+// and those that are shared across all class loaders
+// located in the "lib" directory
+grant codeBase "file:${catalina.home}/lib/-" {
+ permission java.security.AllPermission;
+};
+
+
+// ========== WEB APPLICATION PERMISSIONS =====================================
+
+
+// These permissions are granted by default to all web applications
+// In addition, a web application will be given a read FilePermission
+// and JndiPermission for all files and directories in its document root.
+grant {
+ // Required for JNDI lookup of named JDBC DataSource's and
+ // javamail named MimePart DataSource used to send mail
+ permission java.util.PropertyPermission "java.home", "read";
+ permission java.util.PropertyPermission "java.naming.*", "read";
+ permission java.util.PropertyPermission "javax.sql.*", "read";
+
+ // OS Specific properties to allow read access
+ permission java.util.PropertyPermission "os.name", "read";
+ permission java.util.PropertyPermission "os.version", "read";
+ permission java.util.PropertyPermission "os.arch", "read";
+ permission java.util.PropertyPermission "file.separator", "read";
+ permission java.util.PropertyPermission "path.separator", "read";
+ permission java.util.PropertyPermission "line.separator", "read";
+
+ // JVM properties to allow read access
+ permission java.util.PropertyPermission "java.version", "read";
+ permission java.util.PropertyPermission "java.vendor", "read";
+ permission java.util.PropertyPermission "java.vendor.url", "read";
+ permission java.util.PropertyPermission "java.class.version", "read";
+ permission java.util.PropertyPermission "java.specification.version", "read";
+ permission java.util.PropertyPermission "java.specification.vendor", "read";
+ permission java.util.PropertyPermission "java.specification.name", "read";
+
+ permission java.util.PropertyPermission "java.vm.specification.version", "read";
+ permission java.util.PropertyPermission "java.vm.specification.vendor", "read";
+ permission java.util.PropertyPermission "java.vm.specification.name", "read";
+ permission java.util.PropertyPermission "java.vm.version", "read";
+ permission java.util.PropertyPermission "java.vm.vendor", "read";
+ permission java.util.PropertyPermission "java.vm.name", "read";
+
+ // Required for OpenJMX
+ permission java.lang.RuntimePermission "getAttribute";
+
+ // Allow read of JAXP compliant XML parser debug
+ permission java.util.PropertyPermission "jaxp.debug", "read";
+
+ // Precompiled JSPs need access to this package.
+ permission java.lang.RuntimePermission "accessClassInPackage.org.apache.jasper.runtime";
+ permission java.lang.RuntimePermission "accessClassInPackage.org.apache.jasper.runtime.*";
+
+ // Precompiled JSPs need access to this system property.
+ permission java.util.PropertyPermission "org.apache.jasper.runtime.BodyContentImpl.LIMIT_BUFFER", "read";
+
+};
+
+
+
+
+
+
+
+
+// =========== container grants required by MOCCA
+//
+grant codeBase "file:${catalina.home}/bin/tomcat-juli.jar" {
+ permission java.lang.RuntimePermission "accessClassInPackage.sun.util.logging.resources";
+ permission java.io.FilePermission "/home/clemens/workspace/bku/BKUOnline/target/BKUOnline-1.2.12-pinguin-1-SNAPSHOT/WEB-INF/classes/logging.properties", "read";
+ // (for manager webapp)
+ permission java.lang.RuntimePermission "setContextClassLoader";
+};
+
+grant codeBase "file:${catalina.base}/work/Catalina/localhost/bkuonline" {
+ permission java.io.FilePermission "/helpfiles/-", "read";
+ permission java.lang.RuntimePermission "defineClassInPackage.org.apache.jasper.runtime";
+};
+
+// =========== MOCCA grants
+//
+grant codeBase "file:/home/clemens/workspace/bku/BKUOnline/target/BKUOnline-1.2.12-pinguin-1-SNAPSHOT/-" {
+ permission java.io.FilePermission "${catalina.base}/logs", "read, write";
+ permission java.io.FilePermission "${catalina.base}/logs/*", "read, write";
+ permission java.io.FilePermission "${catalina.base}/logs/*", "delete";
+
+ // DataURLs
+ permission java.net.SocketPermission "apps.egiz.gv.at:443", "connect, resolve";
+ permission java.net.SocketPermission "www.buergerkarte.at:443", "connect, resolve";
+ permission java.net.SocketPermission "www.sozialversicherung.gv.at:443", "connect, resolve";
+
+ // other resources (crls, persb.xsl, ...)
+ permission java.net.SocketPermission "www.a-trust.at:80", "connect, resolve";
+ permission java.net.SocketPermission "ksp.ecard.sozialversicherung.gv.at:80", "connect,resolve";
+ permission java.net.SocketPermission "ldap.a-trust.at:389", "connect, resolve";
+ permission java.net.SocketPermission "ocsp.a-trust.at:80", "connect, resolve";
+ permission java.net.SocketPermission "ocsp.ecard.sozialversicherung.at:80", "connect, resolve";
+// permission java.net.SocketPermission "localhost:8080", "connect, resolve";
+// permission java.net.SocketPermission "www.xslt-stylesheet-include-url.org:80", "connect, resolve";
+
+ permission java.security.SecurityPermission "insertProvider.IAIK";
+ permission java.security.SecurityPermission "putProviderProperty.IAIK";
+ permission java.security.SecurityPermission "removeProvider.IAIK";
+ permission java.security.SecurityPermission "insertProvider.IAIK_ECC";
+ permission java.security.SecurityPermission "putProviderProperty.IAIK_ECC";
+ permission java.security.SecurityPermission "insertProvider.XSECT";
+ permission java.security.SecurityPermission "putProviderProperty.XSECT";
+ permission java.security.SecurityPermission "insertProvider.STAL";
+ permission java.security.SecurityPermission "putProviderProperty.STAL";
+ // XMLDSig is moved backwards by XSECT
+ permission java.security.SecurityPermission "insertProvider.XMLDSig";
+ permission java.security.SecurityPermission "removeProvider.XMLDSig";
+
+ permission java.util.PropertyPermission "*", "read";
+ permission java.lang.RuntimePermission "accessDeclaredMembers";
+ permission java.lang.RuntimePermission "getClassLoader";
+ permission java.lang.RuntimePermission "getProtectionDomain";
+ //bkucommon,pki
+ permission java.lang.RuntimePermission "accessClassInPackage.sun.net.www.protocol.ldap";
+ //jax-ws jaxb
+ permission java.lang.RuntimePermission "accessClassInPackage.sun.util.logging.resources";
+ //permission java.lang.RuntimePermission "modifyThread";
+ //permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
+ permission java.net.NetPermission "specifyStreamHandler";
+
+ //jaxb
+ //permission java.io.FilePermission "/WEB-INF/classes/-", "read";
+
+};
+
+grant codeBase "file:/home/clemens/workspace/bku/BKUOnline/target/BKUOnline-1.2.12-pinguin-1-SNAPSHOT/WEB-INF/classes/-" {
+// permission java.util.PropertyPermission "com.sun.xml.ws.fault.SOAPFaultBuilder.disableCaptureStackTrace", "write";
+// permission java.util.PropertyPermission "com.sun.xml.ws.transport.http.HttpAdapter.dump", "write";
+
+ permission java.io.FilePermission "/home/clemens/workspace/bku/BKUOnline/target/BKUOnline-1.2.12-pinguin-1-SNAPSHOT/WEB-INF/classes/at/gv/egiz/bku/certs/certStore", "write";
+ permission java.io.FilePermission "/home/clemens/workspace/bku/BKUOnline/target/BKUOnline-1.2.12-pinguin-1-SNAPSHOT/WEB-INF/classes/at/gv/egiz/bku/certs/certStore/-", "write";
+ permission java.io.FilePermission "/home/clemens/workspace/bku/BKUOnline/target/BKUOnline-1.2.12-pinguin-1-SNAPSHOT/WEB-INF/classes/at/gv/egiz/bku/certs/certStore/toBeAdded/-", "delete";
+
+ permission java.lang.RuntimePermission "defineClassInPackage.java.lang";
+ permission java.util.PropertyPermission "*", "read, write";
+ permission java.lang.RuntimePermission "modifyThread";
+ permission java.lang.RuntimePermission "setFactory";
+ permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
+};
+
+grant codeBase "file:/home/clemens/workspace/bku/BKUOnline/target/BKUOnline-1.2.12-pinguin-1-SNAPSHOT/WEB-INF/lib/utils-1.2.12-pinguin-1-SNAPSHOT.jar" {
+// permission java.lang.RuntimePermission "accessDeclaredMembers";
+ permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
+};
+
+grant codeBase "file:/home/clemens/workspace/bku/BKUOnline/target/BKUOnline-1.2.12-pinguin-1-SNAPSHOT/WEB-INF/lib/bkucommon-1.2.12-pinguin-1-SNAPSHOT.jar" {
+ permission java.io.FilePermission "/home/clemens/workspace/bku/BKUOnline/target/BKUOnline-1.2.12-pinguin-1-SNAPSHOT/WEB-INF/classes/at/gv/egiz/bku/certs/certStore", "write";
+ permission java.io.FilePermission "/home/clemens/workspace/bku/BKUOnline/target/BKUOnline-1.2.12-pinguin-1-SNAPSHOT/WEB-INF/classes/at/gv/egiz/bku/certs/certStore/-", "write";
+ permission java.io.FilePermission "/home/clemens/workspace/bku/BKUOnline/target/BKUOnline-1.2.12-pinguin-1-SNAPSHOT/WEB-INF/classes/at/gv/egiz/bku/certs/certStore/toBeAdded/-", "delete";
+ permission java.io.FilePermission "${catalina.base}/temp/*", "read, write";
+// permission java.io.FilePermission "../conf/secret.xml", "read";
+ permission java.util.PropertyPermission "*", "read, write";
+ permission java.lang.RuntimePermission "modifyThread";
+ permission java.lang.RuntimePermission "setFactory";
+ permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
+};
+
+grant codeBase "file:/home/clemens/workspace/bku/BKUOnline/target/BKUOnline-1.2.12-pinguin-1-SNAPSHOT/WEB-INF/lib/iaik_jce_full_signed-3.16.jar" {
+ permission java.util.PropertyPermission "*", "read, write";
+};
+
+grant codeBase "file:/home/clemens/workspace/bku/BKUOnline/target/BKUOnline-1.2.12-pinguin-1-SNAPSHOT/WEB-INF/lib/iaik_xsect-1.14.jar" {
+ permission java.util.PropertyPermission "*", "read, write";
+};
+
+grant codeBase "file:/home/clemens/workspace/bku/BKUOnline/target/BKUOnline-1.2.12-pinguin-1-SNAPSHOT/WEB-INF/lib/iaik_pki-1.0-MOCCA.jar" {
+ permission java.io.FilePermission "/home/clemens/workspace/bku/BKUOnline/target/BKUOnline-1.2.12-pinguin-1-SNAPSHOT/WEB-INF/classes/at/gv/egiz/bku/certs/certStore", "write";
+ permission java.io.FilePermission "/home/clemens/workspace/bku/BKUOnline/target/BKUOnline-1.2.12-pinguin-1-SNAPSHOT/WEB-INF/classes/at/gv/egiz/bku/certs/certStore/-", "write";
+ permission java.io.FilePermission "/home/clemens/workspace/bku/BKUOnline/target/BKUOnline-1.2.12-pinguin-1-SNAPSHOT/WEB-INF/classes/at/gv/egiz/bku/certs/certStore/toBeAdded/-", "delete";
+ //permission java.net.NetPermission "specifyStreamHandler";
+ //permission java.lang.RuntimePermission "accessClassInPackage.sun.net.www.protocol.ldap";
+};
+
+grant codeBase "file:/home/clemens/workspace/bku/BKUOnline/target/BKUOnline-1.2.12-pinguin-1-SNAPSHOT/WEB-INF/lib/xalan-2.7.1.jar" {
+ permission java.io.FilePermission "${java.home}/lib/xalan.properties", "read";
+ //permission java.lang.RuntimePermission "getClassLoader";
+};
+
+// allow xsl:include from the specified URL
+//grant codeBase "jar:file:/home/clemens/workspace/bku/BKUOnline/target/BKUOnline-1.2.12-pinguin-1-SNAPSHOT/WEB-INF/lib/xalan-2.7.1.jar!/org/apache/xalan/processor/-" {
+// permission java.net.SocketPermission "www.xslt-stylesheet-include-url.org:80", "connect, resolve";
+//};
+
+// allow XSLT document function to reference the specified URL
+//grant codeBase "jar:file:/home/clemens/workspace/bku/BKUOnline/target/BKUOnline-1.2.12-pinguin-1-SNAPSHOT/WEB-INF/lib/xalan-2.7.1.jar!/org/apache/xalan/xsltc/dom/LoadDocument.class" {
+// permission java.io.FilePermission "../conf/secret.xml", "read";
+//};
+
+// use tomcat/jre endorsed xerces instead
+grant codeBase "file:/home/clemens/workspace/bku/BKUOnline/target/BKUOnline-1.2.12-pinguin-1-SNAPSHOT/WEB-INF/lib/xercesImpl-2.9.1.jar" {
+ permission java.io.FilePermission "${java.home}/lib/xerces.properties", "read";
+// permission java.io.FilePermission "../conf/secret.xml", "read";
+// permission java.net.SocketPermission "www.xslt-stylesheet-include-url.org:80", "connect, resolve";
+ permission java.io.FilePermission "/WEB-INF/classes/-", "read";
+ permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina";
+ permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.*";
+ //permission java.lang.RuntimePermission "accessDeclaredMembers";
+};
+
+grant codeBase "file:/home/clemens/workspace/bku/BKUOnline/target/BKUOnline-1.2.12-pinguin-1-SNAPSHOT/WEB-INF/lib/commons-logging-1.1.1.jar" {
+ permission java.lang.RuntimePermission "defineClassInPackage.java.lang";
+};
+
+grant codeBase "file:/home/clemens/workspace/bku/BKUOnline/target/BKUOnline-1.2.12-pinguin-1-SNAPSHOT/WEB-INF/lib/log4j-1.2.12.jar" {
+ permission java.io.FilePermission "/home/clemens/workspace/bku/BKUOnline/target/BKUOnline-1.2.12-pinguin-1-SNAPSHOT/WEB-INF/classes/log4j.properties", "read";
+ permission java.lang.RuntimePermission "defineClassInPackage.java.lang";
+};
+
+grant codeBase "file:/home/clemens/workspace/bku/BKUOnline/target/BKUOnline-1.2.12-pinguin-1-SNAPSHOT/WEB-INF/lib/spring-core-2.5.5.jar" {
+ //permission java.lang.RuntimePermission "accessDeclaredMembers";
+ permission java.lang.RuntimePermission "modifyThread";
+};
+
+grant codeBase "file:/home/clemens/workspace/bku/BKUOnline/target/BKUOnline-1.2.12-pinguin-1-SNAPSHOT/WEB-INF/lib/spring-web-2.5.5.jar" {
+ permission java.io.FilePermission "/home/clemens/workspace/bku/BKUOnline/target/BKUOnline-1.2.12-pinguin-1-SNAPSHOT/WEB-INF/classes/at/gv/egiz/bku/certs/certStore", "write";
+ permission java.io.FilePermission "/home/clemens/workspace/bku/BKUOnline/target/BKUOnline-1.2.12-pinguin-1-SNAPSHOT/WEB-INF/classes/at/gv/egiz/bku/certs/certStore/-", "write";
+ permission java.io.FilePermission "/home/clemens/workspace/bku/BKUOnline/target/BKUOnline-1.2.12-pinguin-1-SNAPSHOT/WEB-INF/classes/at/gv/egiz/bku/certs/certStore/toBeAdded/-", "delete";
+ permission java.util.PropertyPermission "*", "read, write";
+ //permission java.lang.RuntimePermission "accessDeclaredMembers";
+ permission java.lang.RuntimePermission "modifyThread";
+ permission java.lang.RuntimePermission "setFactory";
+ //permission java.lang.RuntimePermission "getProtectionDomain";
+ permission java.lang.RuntimePermission "defineClassInPackage.java.lang";
+ permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
+};
+
+grant codeBase "file:/home/clemens/workspace/bku/BKUOnline/target/BKUOnline-1.2.12-pinguin-1-SNAPSHOT/WEB-INF/lib/spring-beans-2.5.5.jar" {
+ permission java.io.FilePermission "/home/clemens/workspace/bku/BKUOnline/target/BKUOnline-1.2.12-pinguin-1-SNAPSHOT/WEB-INF/classes/at/gv/egiz/bku/certs/certStore", "write";
+ permission java.io.FilePermission "/home/clemens/workspace/bku/BKUOnline/target/BKUOnline-1.2.12-pinguin-1-SNAPSHOT/WEB-INF/classes/at/gv/egiz/bku/certs/certStore/-", "write";
+ permission java.io.FilePermission "/home/clemens/workspace/bku/BKUOnline/target/BKUOnline-1.2.12-pinguin-1-SNAPSHOT/WEB-INF/classes/at/gv/egiz/bku/certs/certStore/toBeAdded/-", "delete";
+ permission java.util.PropertyPermission "*", "read, write";
+ //permission java.lang.RuntimePermission "accessDeclaredMembers";
+ permission java.lang.RuntimePermission "setFactory";
+ permission java.lang.RuntimePermission "getProtectionDomain";
+ permission java.lang.RuntimePermission "defineClassInPackage.java.lang";
+ permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
+};
+grant codeBase "file:/home/clemens/workspace/bku/BKUOnline/target/BKUOnline-1.2.12-pinguin-1-SNAPSHOT/WEB-INF/lib/spring-context-2.5.5.jar" {
+ permission java.io.FilePermission "/home/clemens/workspace/bku/BKUOnline/target/BKUOnline-1.2.12-pinguin-1-SNAPSHOT/WEB-INF/classes/at/gv/egiz/bku/certs/certStore", "write";
+ permission java.io.FilePermission "/home/clemens/workspace/bku/BKUOnline/target/BKUOnline-1.2.12-pinguin-1-SNAPSHOT/WEB-INF/classes/at/gv/egiz/bku/certs/certStore/-", "write";
+ permission java.io.FilePermission "/home/clemens/workspace/bku/BKUOnline/target/BKUOnline-1.2.12-pinguin-1-SNAPSHOT/WEB-INF/classes/at/gv/egiz/bku/certs/certStore/toBeAdded/-", "delete";
+ permission java.util.PropertyPermission "*", "read, write";
+ //permission java.lang.RuntimePermission "accessDeclaredMembers";
+ permission java.lang.RuntimePermission "modifyThread";
+ permission java.lang.RuntimePermission "setFactory";
+ permission java.lang.RuntimePermission "getProtectionDomain";
+ permission java.lang.RuntimePermission "defineClassInPackage.java.lang";
+ permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
+};
+
+grant codeBase "file:/home/clemens/workspace/bku/BKUOnline/target/BKUOnline-1.2.12-pinguin-1-SNAPSHOT/WEB-INF/lib/jaxws-rt-2.1.5.jar" {
+ // need write access to set disableCaptureStackTrace and HttpAdapter.dump
+ permission java.util.PropertyPermission "com.sun.xml.ws.*", "read, write";
+ //permission java.util.PropertyPermission "com.sun.xml.bind.*", "read";
+ //permission java.util.PropertyPermission "javax.xml.soap.*", "read";
+ //permission java.util.PropertyPermission "javax.activation.*", "read";
+ //permission java.util.PropertyPermission "xml.catalog.*", "read";
+ //permission java.util.PropertyPermission "user.dir", "read";
+ //permission java.util.PropertyPermission "user.home", "read";
+ permission java.io.FilePermission "${java.home}/lib/jaxm.properties", "read";
+ permission java.io.FilePermission "${java.home}/lib/mailcap", "read";
+ permission java.io.FilePermission "${user.home}/.mailcap", "read";
+ permission java.io.FilePermission "basename", "read";
+ permission java.io.FilePermission "${catalina.home}/bin/xcatalog", "read";
+ permission java.io.FilePermission "${catalina.home}/temp/xcatalog", "read";
+ permission java.io.FilePermission "/WEB-INF/classes/-", "read";
+ //permission java.lang.RuntimePermission "accessDeclaredMembers";
+ //permission java.lang.RuntimePermission "accessClassInPackage.sun.util.logging.resources";
+ permission java.lang.RuntimePermission "setContextClassLoader";
+ permission javax.management.MBeanServerPermission "createMBeanServer";
+ permission javax.management.MBeanPermission "com.sun.xml.ws.*", "registerMBean";
+ permission javax.management.MBeanTrustPermission "register";
+ permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
+};
+
+grant codeBase "file:/home/clemens/workspace/bku/BKUOnline/target/BKUOnline-1.2.12-pinguin-1-SNAPSHOT/WEB-INF/lib/jaxb-impl-2.1.9.jar" {
+ //permission java.lang.RuntimePermission "accessClassInPackage.sun.util.logging.resources";
+ permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
+// permission java.lang.RuntimePermission "accessDeclaredMembers";
+// permission java.util.PropertyPermission "com.sun.xml.bind.v2.*", "read";
+// permission java.util.PropertyPermission "user.dir", "read";
+ permission java.io.FilePermission "/WEB-INF/classes/-", "read";
+};
+
+// ======== NETBEANS
+
+grant codeBase "file:${catalina.base}/nblib/-" {
+ permission java.security.AllPermission;
+}; \ No newline at end of file