MOCCA 1.2.11 with SHA-2 enabled.

git-svn-id: https://joinup.ec.europa.eu/svn/mocca/branches/mocca-1.2.11-sha2@599 8a26b1a7-26f0-462f-b9ef-d0e30c41f5a4
author: mcentner <mcentner@8a26b1a7-26f0-462f-b9ef-d0e30c41f5a4> 2010-01-26 16:22:56 +0000
committer: mcentner <mcentner@8a26b1a7-26f0-462f-b9ef-d0e30c41f5a4> 2010-01-26 16:22:56 +0000
commit: d89f36b67ea1d838a78523538a24e044518f3587 (patch)
tree: 6a8f6195d36ffa4971d47616ee674439a7e8a16d /mocca-1.2.11/BKUOnline/src/main/policy
parent: f550e15e55aff5c2cd813e8be90efc9b1120bb13 (diff)
download: mocca-d89f36b67ea1d838a78523538a24e044518f3587.tar.gz
mocca-d89f36b67ea1d838a78523538a24e044518f3587.tar.bz2
mocca-d89f36b67ea1d838a78523538a24e044518f3587.zip
1 files changed, 319 insertions, 0 deletions
diff --git a/mocca-1.2.11/BKUOnline/src/main/policy/50mocca.policy b/mocca-1.2.11/BKUOnline/src/main/policy/50mocca.policy
new file mode 100644
index 00000000..2d6bc13d
--- /dev/null
+++ b/mocca-1.2.11/BKUOnline/src/main/policy/50mocca.policy
@@ -0,0 +1,319 @@
+//  Copyright 2008 Federal Chancellery Austria and
+//  Graz University of Technology
+//
+//  Licensed under the Apache License, Version 2.0 (the "License");
+//  you may not use this file except in compliance with the License.
+//  You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+//  Unless required by applicable law or agreed to in writing, software
+//  distributed under the License is distributed on an "AS IS" BASIS,
+//  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+//  See the License for the specific language governing permissions and
+//  limitations under the License.
+//
+//
+// =========================================================================
+// || IMPORTANT: REVIEW AND ADAPT TO YOUR NEEDS PRIOR TO INSTALLATION
+// =========================================================================
+//
+// (set -Djava.security.debug=access,failure and search for "FAILED")
+//
+//
+// ========== MOCCA CODE PERMISSIONS =======================================
+//
+// replace  ${catalina.base}/webapps/bkuonline
+//    with  ${catalina.base}/webapps/<mocca_context>
+// replace  ${catalina.base}/work/Catalina/localhost/bkuonline
+//    with  ${catalina.base}/work/Catalina/localhost/<mocca_context> (the path to the compiled JSPs, excl. package dir: org/apache/jsp/)
+// replace  version info in utils-1.2.10.jar and bkucommon-1.2.10.jar
+//    with  current version
+// replace  apps.egiz.gv.at
+//    with  <DataURL_host:DataURL_port>
+// replace  localhost:8080
+//    with  <StylesheetURL_host:StylesheetURL_port>
+// replace  www.xslt-stylesheet-include-url.org:80
+//    with  <XSL_include_URL>
+// replace  ../conf/secret.xml
+//    with  <any_resource_you_would_like_to_grant_XSLTs_document()_function_access_to>
+//
+// replace  www.a-trust.at and ksp.ecard.sozialversicherung.gv.at
+//    with  <idLink_template_download_URL>
+// replace  ldap.a-trust.at:389 and ocsp.ecard.sozialversicherung.at:80
+//    with  <certificate_revocation_authority_endpoint> (OCSP, CRLs)
+//
+
+// =========== container grants required by MOCCA
+//
+grant codeBase "file:${catalina.home}/bin/tomcat-juli.jar" {
+      permission java.lang.RuntimePermission "accessClassInPackage.sun.util.logging.resources";
+      permission java.io.FilePermission "${catalina.base}/webapps/bkuonline/WEB-INF/classes/logging.properties", "read";
+};
+
+grant codeBase "file:${catalina.base}/work/Catalina/localhost/bkuonline" {
+      permission java.io.FilePermission "/helpfiles/-", "read";
+      permission java.lang.RuntimePermission "defineClassInPackage.org.apache.jasper.runtime";
+};
+
+// =========== MOCCA grants
+//
+grant codeBase "file:${catalina.base}/webapps/bkuonline/WEB-INF/classes/-" {
+      permission java.security.AllPermission;
+//      permission java.io.FilePermission "${catalina.base}/logs", "read, write";
+//      permission java.io.FilePermission "${catalina.base}/logs/*", "read, write";
+//      permission java.io.FilePermission "${catalina.base}/logs/*", "delete";
+//      permission java.util.PropertyPermission "com.sun.xml.ws.fault.SOAPFaultBuilder.disableCaptureStackTrace", "write";
+//      permission java.util.PropertyPermission "com.sun.xml.ws.transport.http.HttpAdapter.dump", "write";
+};
+
+grant codeBase "file:${catalina.base}/webapps/bkuonline/WEB-INF/lib/-" {
+      // the log4j configuration might want to write logs to ${catalina.base}/logs/bkuonline.log
+      permission java.io.FilePermission "${catalina.base}/logs", "read, write";
+      permission java.io.FilePermission "${catalina.base}/logs/*", "read, write";
+      permission java.io.FilePermission "${catalina.base}/logs/*", "delete";
+
+};
+
+grant codeBase "file:${catalina.base}/webapps/bkuonline/WEB-INF/lib/utils-1.2.10.jar" {
+      permission java.util.PropertyPermission "*", "read";
+      permission java.net.SocketPermission "www.a-trust.at:80", "connect, resolve";
+      permission java.net.SocketPermission "ksp.ecard.sozialversicherung.gv.at:80", "connect,resolve";
+//      permission java.net.SocketPermission "localhost:8080", "connect, resolve";
+      permission java.net.SocketPermission "www.xslt-stylesheet-include-url.org:80", "connect, resolve";
+      permission java.lang.RuntimePermission "accessDeclaredMembers";
+      permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
+};
+
+grant codeBase "file:${catalina.base}/webapps/bkuonline/WEB-INF/lib/bkucommon-1.2.10.jar" {
+      permission java.io.FilePermission "${catalina.base}/webapps/bkuonline/WEB-INF/classes/at/gv/egiz/bku/certs/certStore", "write";
+      permission java.io.FilePermission "${catalina.base}/webapps/bkuonline/WEB-INF/classes/at/gv/egiz/bku/certs/certStore/-", "write";
+      permission java.io.FilePermission "${catalina.base}/webapps/bkuonline/WEB-INF/classes/at/gv/egiz/bku/certs/certStore/toBeAdded/-", "delete";
+      permission java.io.FilePermission "../conf/secret.xml", "read";
+      permission java.net.SocketPermission "apps.egiz.gv.at:443", "connect, resolve";
+      permission java.net.SocketPermission "www.a-trust.at:80", "connect, resolve";
+      permission java.net.SocketPermission "ksp.ecard.sozialversicherung.gv.at:80", "connect,resolve";
+      permission java.net.SocketPermission "ldap.a-trust.at:389", "connect, resolve";
+      permission java.net.SocketPermission "ocsp.ecard.sozialversicherung.at:80", "connect, resolve";
+//      permission java.net.SocketPermission "localhost:8080", "connect, resolve";
+      permission java.net.SocketPermission "www.xslt-stylesheet-include-url.org:80", "connect, resolve";
+      permission java.net.NetPermission "specifyStreamHandler";
+      permission java.util.PropertyPermission "*", "read, write";
+      permission java.security.SecurityPermission "insertProvider.IAIK";
+      permission java.security.SecurityPermission "putProviderProperty.IAIK";
+      permission java.security.SecurityPermission "removeProvider.IAIK";
+      permission java.security.SecurityPermission "insertProvider.IAIK_ECC";
+      permission java.security.SecurityPermission "putProviderProperty.IAIK_ECC";
+      permission java.security.SecurityPermission "insertProvider.XSECT";
+      permission java.security.SecurityPermission "putProviderProperty.XSECT";
+      permission java.security.SecurityPermission "insertProvider.STAL";
+      permission java.security.SecurityPermission "putProviderProperty.STAL";
+      // XMLDSig is moved backwards by XSECT
+      permission java.security.SecurityPermission "insertProvider.XMLDSig";
+      permission java.security.SecurityPermission "removeProvider.XMLDSig";
+      permission java.lang.RuntimePermission "accessDeclaredMembers";
+      permission java.lang.RuntimePermission "setFactory";
+      permission java.lang.RuntimePermission "getProtectionDomain";
+      permission java.lang.RuntimePermission "accessClassInPackage.sun.net.www.protocol.ldap";
+      permission java.lang.RuntimePermission "modifyThread";
+      permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
+};
+
+grant codeBase "file:${catalina.base}/webapps/bkuonline/WEB-INF/lib/iaik_jce_full_signed-3.16.jar" {
+      permission java.util.PropertyPermission "*", "read, write";
+      permission java.security.SecurityPermission "insertProvider.IAIK";
+      permission java.security.SecurityPermission "putProviderProperty.IAIK";
+      permission java.security.SecurityPermission "removeProvider.IAIK";
+      permission java.net.SocketPermission "ldap.a-trust.at:389", "connect, resolve";
+      permission java.net.SocketPermission "ocsp.ecard.sozialversicherung.at:80", "connect, resolve";
+};
+
+grant codeBase "file:${catalina.base}/webapps/bkuonline/WEB-INF/lib/iaik_ecc_signed-2.15.jar" {
+      permission java.security.SecurityPermission "insertProvider.IAIK_ECC";
+      permission java.security.SecurityPermission "putProviderProperty.IAIK_ECC";
+};
+
+grant codeBase "file:${catalina.base}/webapps/bkuonline/WEB-INF/lib/iaik_xsect-1.14.jar" {
+      permission java.util.PropertyPermission "*", "read, write";
+      permission java.security.SecurityPermission "insertProvider.IAIK";
+      permission java.security.SecurityPermission "putProviderProperty.IAIK";
+      permission java.security.SecurityPermission "removeProvider.IAIK";
+      permission java.security.SecurityPermission "insertProvider.XSECT";
+      permission java.security.SecurityPermission "putProviderProperty.XSECT";
+      permission java.security.SecurityPermission "insertProvider.XMLDSig";
+      permission java.security.SecurityPermission "removeProvider.XMLDSig";
+};
+
+grant codeBase "file:${catalina.base}/webapps/bkuonline/WEB-INF/lib/iaik_pki-1.0-MOCCA.jar" {
+      permission java.io.FilePermission "${catalina.base}/webapps/bkuonline/WEB-INF/classes/at/gv/egiz/bku/certs/certStore", "write";
+      permission java.io.FilePermission "${catalina.base}/webapps/bkuonline/WEB-INF/classes/at/gv/egiz/bku/certs/certStore/-", "write";
+      permission java.io.FilePermission "${catalina.base}/webapps/bkuonline/WEB-INF/classes/at/gv/egiz/bku/certs/certStore/toBeAdded/-", "delete";
+      permission java.net.SocketPermission "www.a-trust.at:80", "connect, resolve";
+      permission java.net.SocketPermission "ldap.a-trust.at:389", "connect, resolve";
+      permission java.net.SocketPermission "ocsp.ecard.sozialversicherung.at:80", "connect, resolve";
+      permission java.net.NetPermission "specifyStreamHandler";
+      permission java.lang.RuntimePermission "accessClassInPackage.sun.net.www.protocol.ldap";
+};
+
+grant codeBase "file:${catalina.base}/webapps/bkuonline/WEB-INF/lib/xalan-2.7.1.jar" {
+      permission java.io.FilePermission "${java.home}/lib/xalan.properties", "read";
+      permission java.util.PropertyPermission "*", "read";
+      permission java.lang.RuntimePermission "getClassLoader";
+};
+
+grant codeBase "file:${catalina.base}/webapps/bkuonline/WEB-INF/lib/serializer-2.7.1.jar" {
+      permission java.util.PropertyPermission "*", "read";
+      permission java.lang.RuntimePermission "getClassLoader";
+};
+
+// allow xsl:include from the specified URL
+grant codeBase "jar:file:${catalina.base}/webapps/bkuonline/WEB-INF/lib/xalan-2.7.1.jar!/org/apache/xalan/processor/-" {
+      permission java.net.SocketPermission "www.xslt-stylesheet-include-url.org:80", "connect, resolve";
+};
+
+// allow XSLT document function to reference the specified URL
+grant codeBase "jar:file:${catalina.base}/webapps/bkuonline/WEB-INF/lib/xalan-2.7.1.jar!/org/apache/xalan/xsltc/dom/LoadDocument.class" {
+      permission java.io.FilePermission "../conf/secret.xml", "read";
+};
+
+// use tomcat/jre endorsed xerces instead
+grant codeBase "file:${catalina.base}/webapps/bkuonline/WEB-INF/lib/xercesImpl-2.9.1.jar" {
+      permission java.io.FilePermission "${java.home}/lib/xerces.properties", "read";
+//      permission java.io.FilePermission "../conf/secret.xml", "read";
+//      permission java.net.SocketPermission "www.xslt-stylesheet-include-url.org:80", "connect, resolve";
+      permission java.util.PropertyPermission "*", "read";
+      permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina";
+      permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.*";
+      permission java.lang.RuntimePermission "getClassLoader";
+      permission java.lang.RuntimePermission "accessDeclaredMembers";
+};
+
+grant codeBase "file:${catalina.base}/webapps/bkuonline/WEB-INF/lib/commons-logging-1.1.1.jar" {
+      permission java.util.PropertyPermission "org.apache.commons.logging.*", "read";
+      permission java.util.PropertyPermission "log4j.*", "read";
+      permission java.util.PropertyPermission "catalina.base", "read";
+      permission java.lang.RuntimePermission "getClassLoader";
+      permission java.lang.RuntimePermission "defineClassInPackage.java.lang";
+};
+
+grant codeBase "file:${catalina.base}/webapps/bkuonline/WEB-INF/lib/log4j-1.2.12.jar" {
+      permission java.io.FilePermission "${catalina.base}/webapps/bkuonline/WEB-INF/classes/log4j.properties", "read";
+      // allow log4j to read its own properties
+      permission java.util.PropertyPermission "log4j.*", "read";
+      permission java.util.PropertyPermission "catalina.base", "read";
+      permission java.lang.RuntimePermission "defineClassInPackage.java.lang";
+};
+
+grant codeBase "file:${catalina.base}/webapps/bkuonline/WEB-INF/lib/spring-core-2.5.5.jar" {
+      permission java.lang.RuntimePermission "accessDeclaredMembers";
+      permission java.lang.RuntimePermission "modifyThread";
+};
+grant codeBase "file:${catalina.base}/webapps/bkuonline/WEB-INF/lib/spring-web-2.5.5.jar" {
+      permission java.io.FilePermission "${catalina.base}/webapps/bkuonline/WEB-INF/classes/at/gv/egiz/bku/certs/certStore", "write";
+      permission java.io.FilePermission "${catalina.base}/webapps/bkuonline/WEB-INF/classes/at/gv/egiz/bku/certs/certStore/-", "write";
+      permission java.io.FilePermission "${catalina.base}/webapps/bkuonline/WEB-INF/classes/at/gv/egiz/bku/certs/certStore/toBeAdded/-", "delete";
+      permission java.security.SecurityPermission "insertProvider.IAIK";
+      permission java.security.SecurityPermission "putProviderProperty.IAIK";
+      permission java.security.SecurityPermission "removeProvider.IAIK";
+      permission java.security.SecurityPermission "insertProvider.IAIK_ECC";
+      permission java.security.SecurityPermission "putProviderProperty.IAIK_ECC";
+      permission java.security.SecurityPermission "insertProvider.XSECT";
+      permission java.security.SecurityPermission "putProviderProperty.XSECT";
+      permission java.security.SecurityPermission "insertProvider.STAL";
+      permission java.security.SecurityPermission "putProviderProperty.STAL";
+      permission java.security.SecurityPermission "insertProvider.XMLDSig";
+      permission java.security.SecurityPermission "removeProvider.XMLDSig";
+      permission java.util.PropertyPermission "*", "read, write";
+      permission java.lang.RuntimePermission "accessDeclaredMembers";
+      permission java.lang.RuntimePermission "modifyThread";
+      permission java.lang.RuntimePermission "setFactory";
+      permission java.lang.RuntimePermission "getProtectionDomain";
+      permission java.lang.RuntimePermission "defineClassInPackage.java.lang";
+      permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
+};
+grant codeBase "file:${catalina.base}/webapps/bkuonline/WEB-INF/lib/spring-beans-2.5.5.jar" {
+      permission java.io.FilePermission "${catalina.base}/webapps/bkuonline/WEB-INF/classes/at/gv/egiz/bku/certs/certStore", "write";
+      permission java.io.FilePermission "${catalina.base}/webapps/bkuonline/WEB-INF/classes/at/gv/egiz/bku/certs/certStore/-", "write";
+      permission java.io.FilePermission "${catalina.base}/webapps/bkuonline/WEB-INF/classes/at/gv/egiz/bku/certs/certStore/toBeAdded/-", "delete";
+      permission java.security.SecurityPermission "insertProvider.IAIK";
+      permission java.security.SecurityPermission "putProviderProperty.IAIK";
+      permission java.security.SecurityPermission "removeProvider.IAIK";
+      permission java.security.SecurityPermission "insertProvider.IAIK_ECC";
+      permission java.security.SecurityPermission "putProviderProperty.IAIK_ECC";
+      permission java.security.SecurityPermission "insertProvider.XSECT";
+      permission java.security.SecurityPermission "putProviderProperty.XSECT";
+      permission java.security.SecurityPermission "insertProvider.STAL";
+      permission java.security.SecurityPermission "putProviderProperty.STAL";
+      permission java.security.SecurityPermission "insertProvider.XMLDSig";
+      permission java.security.SecurityPermission "removeProvider.XMLDSig";
+      permission java.util.PropertyPermission "*", "read, write";
+      permission java.lang.RuntimePermission "accessDeclaredMembers";
+      permission java.lang.RuntimePermission "setFactory";
+      permission java.lang.RuntimePermission "getProtectionDomain";
+      permission java.lang.RuntimePermission "defineClassInPackage.java.lang";
+      permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
+};
+grant codeBase "file:${catalina.base}/webapps/bkuonline/WEB-INF/lib/spring-context-2.5.5.jar" {
+      permission java.io.FilePermission "${catalina.base}/webapps/bkuonline/WEB-INF/classes/at/gv/egiz/bku/certs/certStore", "write";
+      permission java.io.FilePermission "${catalina.base}/webapps/bkuonline/WEB-INF/classes/at/gv/egiz/bku/certs/certStore/-", "write";
+      permission java.io.FilePermission "${catalina.base}/webapps/bkuonline/WEB-INF/classes/at/gv/egiz/bku/certs/certStore/toBeAdded/-", "delete";
+      permission java.security.SecurityPermission "insertProvider.IAIK";
+      permission java.security.SecurityPermission "putProviderProperty.IAIK";
+      permission java.security.SecurityPermission "removeProvider.IAIK";
+      permission java.security.SecurityPermission "insertProvider.IAIK_ECC";
+      permission java.security.SecurityPermission "putProviderProperty.IAIK_ECC";
+      permission java.security.SecurityPermission "insertProvider.XSECT";
+      permission java.security.SecurityPermission "putProviderProperty.XSECT";
+      permission java.security.SecurityPermission "insertProvider.STAL";
+      permission java.security.SecurityPermission "putProviderProperty.STAL";
+      permission java.security.SecurityPermission "insertProvider.XMLDSig";
+      permission java.security.SecurityPermission "removeProvider.XMLDSig";
+      permission java.util.PropertyPermission "*", "read, write";
+      permission java.lang.RuntimePermission "accessDeclaredMembers";
+      permission java.lang.RuntimePermission "modifyThread";
+      permission java.lang.RuntimePermission "setFactory";
+      permission java.lang.RuntimePermission "getProtectionDomain";
+      permission java.lang.RuntimePermission "defineClassInPackage.java.lang";
+      permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
+};
+
+grant codeBase "file:${catalina.base}/webapps/bkuonline/WEB-INF/lib/jaxws-rt-2.1.5.jar" {
+      // need write access to set disableCaptureStackTrace and HttpAdapter.dump
+      permission java.util.PropertyPermission "com.sun.xml.ws.*", "read, write";
+      permission java.util.PropertyPermission "com.sun.xml.bind.*", "read";
+      permission java.util.PropertyPermission "javax.xml.soap.*", "read";
+      permission java.util.PropertyPermission "javax.activation.*", "read";
+      permission java.util.PropertyPermission "xml.catalog.*", "read";
+      permission java.util.PropertyPermission "user.dir", "read";
+      permission java.util.PropertyPermission "user.home", "read";
+      permission java.io.FilePermission "${java.home}/lib/jaxm.properties", "read";
+      permission java.io.FilePermission "${java.home}/lib/mailcap", "read";
+      permission java.io.FilePermission "${user.home}/.mailcap", "read";
+      permission java.io.FilePermission "basename", "read";
+      permission java.io.FilePermission "${catalina.home}/bin/xcatalog", "read";
+      permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
+      permission java.lang.RuntimePermission "accessDeclaredMembers";
+      permission java.lang.RuntimePermission "accessClassInPackage.sun.util.logging.resources";
+      permission java.lang.RuntimePermission "setContextClassLoader";
+      permission javax.management.MBeanServerPermission "createMBeanServer";
+      permission javax.management.MBeanPermission "com.sun.xml.ws.*", "registerMBean";
+      permission javax.management.MBeanTrustPermission "register";
+      permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
+};
+
+grant codeBase "file:${catalina.base}/webapps/bkuonline/WEB-INF/lib/jaxb-impl-2.1.9.jar" {
+      permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
+      permission java.lang.RuntimePermission "accessDeclaredMembers";
+      permission java.util.PropertyPermission "com.sun.xml.bind.v2.*", "read";
+      permission java.util.PropertyPermission "user.dir", "read";
+};
+
+grant codeBase "file:${catalina.base}/webapps/bkuonline/WEB-INF/lib/commons-httpclient-3.1.jar" {
+      permission java.util.PropertyPermission "*", "read";
+};
+
+// ======== NETBEANS
+
+//grant codeBase "file:${catalina.base}/nblib/-" {
+//      permission java.security.AllPermission;
+//};
+\ No newline at end of file
author	mcentner <mcentner@8a26b1a7-26f0-462f-b9ef-d0e30c41f5a4>	2010-01-26 16:22:56 +0000
committer	mcentner <mcentner@8a26b1a7-26f0-462f-b9ef-d0e30c41f5a4>	2010-01-26 16:22:56 +0000
commit	d89f36b67ea1d838a78523538a24e044518f3587 (patch)
tree	6a8f6195d36ffa4971d47616ee674439a7e8a16d /mocca-1.2.11/BKUOnline/src/main/policy
parent	f550e15e55aff5c2cd813e8be90efc9b1120bb13 (diff)
download	mocca-d89f36b67ea1d838a78523538a24e044518f3587.tar.gz mocca-d89f36b67ea1d838a78523538a24e044518f3587.tar.bz2 mocca-d89f36b67ea1d838a78523538a24e044518f3587.zip