//  Copyright 2008 Federal Chancellery Austria and
//  Graz University of Technology
//
//  Licensed under the Apache License, Version 2.0 (the "License");
//  you may not use this file except in compliance with the License.
//  You may obtain a copy of the License at
//
//      http://www.apache.org/licenses/LICENSE-2.0
//
//  Unless required by applicable law or agreed to in writing, software
//  distributed under the License is distributed on an "AS IS" BASIS,
//  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
//  See the License for the specific language governing permissions and
//  limitations under the License.
//
//
// =========================================================================
// || IMPORTANT: REVIEW AND ADAPT TO YOUR NEEDS PRIOR TO INSTALLATION
// =========================================================================
//
// =========================================================================
// || This file contains all default permissions from $CATALINA_HOME/conf/catalina.policy
// || and codebase paths to development dirs (for in-place deployment of IDEs)
// =========================================================================
//
// (set -Djava.security.debug=access,failure and search for "denied" (failed))
// (-Djava.net.preferIPv4Stack=true)
//
// ========== MOCCA CODE PERMISSIONS =======================================
//
// replace  ${catalina.base}/webapps/bkuonline
//    with  ${catalina.base}/webapps/<mocca_context>
// replace  ${catalina.base}/work/Catalina/localhost/bkuonline
//    with  ${catalina.base}/work/Catalina/localhost/<mocca_context> (the path to the compiled JSPs, excl. package dir: org/apache/jsp/)
// replace  version info in 
//          ${catalina.base}/webapps/bkuonline/WEB-INF/lib/BKUViewer-1.2.12.jar" {
//          ${catalina.base}/webapps/bkuonline/WEB-INF/lib/utils-1.2.12.jar and
//          ${catalina.base}/webapps/bkuonline/WEB-INF/lib/bkucommon-1.2.12.jar
//    with  current version
// replace  www.sozialversicherung.gv.at:443
//    with  <DataURL_host:DataURL_port>
// replace  localhost:8080
//    with  <StylesheetURL_host:StylesheetURL_port>
// replace  www.xslt-stylesheet-include-url.org:80
//    with  <XSL_include_URL>
// replace  ../conf/secret.xml
//    with  <any_resource_you_would_like_to_grant_XSLTs_document()_function_access_to>
//
// replace  www.a-trust.at and ksp.ecard.sozialversicherung.gv.at
//    with  <idLink_template_download_URL>
// replace  ldap.a-trust.at:389, ocsp.a-trust.at:80 and ocsp.ecard.sozialversicherung.at:80
//    with  <certificate_revocation_authority_endpoint> (OCSP, CRLs)
//

// ========== SYSTEM CODE PERMISSIONS =========================================


// These permissions apply to javac
grant codeBase "file:${java.home}/lib/-" {
        permission java.security.AllPermission;
};

// These permissions apply to all shared system extensions
grant codeBase "file:${java.home}/jre/lib/ext/-" {
        permission java.security.AllPermission;
};

// These permissions apply to javac when ${java.home] points at $JAVA_HOME/jre
grant codeBase "file:${java.home}/../lib/-" {
        permission java.security.AllPermission;
};

// These permissions apply to all shared system extensions when
// ${java.home} points at $JAVA_HOME/jre
grant codeBase "file:${java.home}/lib/ext/-" {
        permission java.security.AllPermission;
};


// ========== CATALINA CODE PERMISSIONS =======================================


// These permissions apply to the daemon code
grant codeBase "file:${catalina.home}/bin/commons-daemon.jar" {
        permission java.security.AllPermission;
};

// These permissions apply to the logging API
grant codeBase "file:${catalina.home}/bin/tomcat-juli.jar" {
        permission java.util.PropertyPermission "java.util.logging.config.class", "read";
        permission java.util.PropertyPermission "java.util.logging.config.file", "read";
        permission java.io.FilePermission "${java.home}${file.separator}lib${file.separator}logging.properties", "read";
        permission java.lang.RuntimePermission "shutdownHooks";
        permission java.io.FilePermission "${catalina.base}${file.separator}conf${file.separator}logging.properties", "read";
        permission java.util.PropertyPermission "catalina.base", "read";
        permission java.util.logging.LoggingPermission "control";
        permission java.io.FilePermission "${catalina.base}${file.separator}logs", "read, write";
        permission java.io.FilePermission "${catalina.base}${file.separator}logs${file.separator}*", "read, write";
        permission java.lang.RuntimePermission "getClassLoader";

        // added by clemenso (for manager webapp)
        permission java.lang.RuntimePermission "setContextClassLoader";
        permission java.lang.RuntimePermission "accessClassInPackage.sun.util.logging.resources";

        // To enable per context logging configuration, permit read access to the appropriate file.
        // Be sure that the logging configuration is secure before enabling such access
        // eg for the examples web application:
        // permission java.io.FilePermission "${catalina.base}${file.separator}webapps${file.separator}examples${file.separator}WEB-INF${file.separator}classes${file.separator}logging.properties", "read";
};

// These permissions apply to the server startup code
grant codeBase "file:${catalina.home}/bin/bootstrap.jar" {
        permission java.security.AllPermission;
};

// These permissions apply to the servlet API classes
// and those that are shared across all class loaders
// located in the "lib" directory
grant codeBase "file:${catalina.home}/lib/-" {
        permission java.security.AllPermission;
};


// ========== WEB APPLICATION PERMISSIONS =====================================


// These permissions are granted by default to all web applications
// In addition, a web application will be given a read FilePermission
// and JndiPermission for all files and directories in its document root.
grant {
    // Required for JNDI lookup of named JDBC DataSource's and
    // javamail named MimePart DataSource used to send mail
    permission java.util.PropertyPermission "java.home", "read";
    permission java.util.PropertyPermission "java.naming.*", "read";
    permission java.util.PropertyPermission "javax.sql.*", "read";

    // OS Specific properties to allow read access
    permission java.util.PropertyPermission "os.name", "read";
    permission java.util.PropertyPermission "os.version", "read";
    permission java.util.PropertyPermission "os.arch", "read";
    permission java.util.PropertyPermission "file.separator", "read";
    permission java.util.PropertyPermission "path.separator", "read";
    permission java.util.PropertyPermission "line.separator", "read";

    // JVM properties to allow read access
    permission java.util.PropertyPermission "java.version", "read";
    permission java.util.PropertyPermission "java.vendor", "read";
    permission java.util.PropertyPermission "java.vendor.url", "read";
    permission java.util.PropertyPermission "java.class.version", "read";
    permission java.util.PropertyPermission "java.specification.version", "read";
    permission java.util.PropertyPermission "java.specification.vendor", "read";
    permission java.util.PropertyPermission "java.specification.name", "read";

    permission java.util.PropertyPermission "java.vm.specification.version", "read";
    permission java.util.PropertyPermission "java.vm.specification.vendor", "read";
    permission java.util.PropertyPermission "java.vm.specification.name", "read";
    permission java.util.PropertyPermission "java.vm.version", "read";
    permission java.util.PropertyPermission "java.vm.vendor", "read";
    permission java.util.PropertyPermission "java.vm.name", "read";

    // Required for OpenJMX
    permission java.lang.RuntimePermission "getAttribute";

    // Allow read of JAXP compliant XML parser debug
    permission java.util.PropertyPermission "jaxp.debug", "read";

    // Precompiled JSPs need access to this package.
    permission java.lang.RuntimePermission "accessClassInPackage.org.apache.jasper.runtime";
    permission java.lang.RuntimePermission "accessClassInPackage.org.apache.jasper.runtime.*";

    // Precompiled JSPs need access to this system property.
    permission java.util.PropertyPermission "org.apache.jasper.runtime.BodyContentImpl.LIMIT_BUFFER", "read";

};








// =========== container grants required by MOCCA
//
grant codeBase "file:${catalina.home}/bin/tomcat-juli.jar" {
      permission java.lang.RuntimePermission "accessClassInPackage.sun.util.logging.resources";
      permission java.io.FilePermission "/home/clemens/workspace/bku/BKUOnline/target/BKUOnline-1.2.12-pinguin-1-SNAPSHOT/WEB-INF/classes/logging.properties", "read";
      // (for manager webapp)
      permission java.lang.RuntimePermission "setContextClassLoader";
};

grant codeBase "file:${catalina.base}/work/Catalina/localhost/bkuonline" {
      permission java.io.FilePermission "/helpfiles/-", "read";
      permission java.lang.RuntimePermission "defineClassInPackage.org.apache.jasper.runtime";
};

// =========== MOCCA grants
//
grant codeBase "file:/home/clemens/workspace/bku/BKUOnline/target/BKUOnline-1.2.12-pinguin-1-SNAPSHOT/-" {
      permission java.io.FilePermission "${catalina.base}/logs", "read, write";
      permission java.io.FilePermission "${catalina.base}/logs/*", "read, write";
      permission java.io.FilePermission "${catalina.base}/logs/*", "delete";

      // DataURLs
      permission java.net.SocketPermission "apps.egiz.gv.at:443", "connect, resolve";
      permission java.net.SocketPermission "www.buergerkarte.at:443", "connect, resolve";
      permission java.net.SocketPermission "www.sozialversicherung.gv.at:443", "connect, resolve";

      // other resources (crls, persb.xsl, ...)
      permission java.net.SocketPermission "www.a-trust.at:80", "connect, resolve";
      permission java.net.SocketPermission "ksp.ecard.sozialversicherung.gv.at:80", "connect,resolve";
      permission java.net.SocketPermission "ldap.a-trust.at:389", "connect, resolve";
      permission java.net.SocketPermission "ocsp.a-trust.at:80", "connect, resolve";
      permission java.net.SocketPermission "ocsp.ecard.sozialversicherung.at:80", "connect, resolve";
//      permission java.net.SocketPermission "localhost:8080", "connect, resolve";
//      permission java.net.SocketPermission "www.xslt-stylesheet-include-url.org:80", "connect, resolve";

      permission java.security.SecurityPermission "insertProvider.IAIK";
      permission java.security.SecurityPermission "putProviderProperty.IAIK";
      permission java.security.SecurityPermission "removeProvider.IAIK";
      permission java.security.SecurityPermission "insertProvider.IAIK_ECC";
      permission java.security.SecurityPermission "putProviderProperty.IAIK_ECC";
      permission java.security.SecurityPermission "insertProvider.XSECT";
      permission java.security.SecurityPermission "putProviderProperty.XSECT";
      permission java.security.SecurityPermission "insertProvider.STAL";
      permission java.security.SecurityPermission "putProviderProperty.STAL";
      // XMLDSig is moved backwards by XSECT
      permission java.security.SecurityPermission "insertProvider.XMLDSig";
      permission java.security.SecurityPermission "removeProvider.XMLDSig";

      permission java.util.PropertyPermission "*", "read";
      permission java.lang.RuntimePermission "accessDeclaredMembers";
      permission java.lang.RuntimePermission "getClassLoader";
      permission java.lang.RuntimePermission "getProtectionDomain";
      //bkucommon,pki
      permission java.lang.RuntimePermission "accessClassInPackage.sun.net.www.protocol.ldap";
      //jax-ws jaxb
      permission java.lang.RuntimePermission "accessClassInPackage.sun.util.logging.resources";
      //permission java.lang.RuntimePermission "modifyThread";
      //permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
      permission java.net.NetPermission "specifyStreamHandler";

      //jaxb
      //permission java.io.FilePermission "/WEB-INF/classes/-", "read";

};

grant codeBase "file:/home/clemens/workspace/bku/BKUOnline/target/BKUOnline-1.2.12-pinguin-1-SNAPSHOT/WEB-INF/classes/-" {
//      permission java.util.PropertyPermission "com.sun.xml.ws.fault.SOAPFaultBuilder.disableCaptureStackTrace", "write";
//      permission java.util.PropertyPermission "com.sun.xml.ws.transport.http.HttpAdapter.dump", "write";

      permission java.io.FilePermission "/home/clemens/workspace/bku/BKUOnline/target/BKUOnline-1.2.12-pinguin-1-SNAPSHOT/WEB-INF/classes/at/gv/egiz/bku/certs/certStore", "write";
      permission java.io.FilePermission "/home/clemens/workspace/bku/BKUOnline/target/BKUOnline-1.2.12-pinguin-1-SNAPSHOT/WEB-INF/classes/at/gv/egiz/bku/certs/certStore/-", "write";
      permission java.io.FilePermission "/home/clemens/workspace/bku/BKUOnline/target/BKUOnline-1.2.12-pinguin-1-SNAPSHOT/WEB-INF/classes/at/gv/egiz/bku/certs/certStore/toBeAdded/-", "delete";

      permission java.lang.RuntimePermission "defineClassInPackage.java.lang";
      permission java.util.PropertyPermission "*", "read, write";
      permission java.lang.RuntimePermission "modifyThread";
      permission java.lang.RuntimePermission "setFactory";
      permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
};

grant codeBase "file:/home/clemens/workspace/bku/BKUOnline/target/BKUOnline-1.2.12-pinguin-1-SNAPSHOT/WEB-INF/lib/utils-1.2.12-pinguin-1-SNAPSHOT.jar" {
//      permission java.lang.RuntimePermission "accessDeclaredMembers";
      permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
};

grant codeBase "file:/home/clemens/workspace/bku/BKUOnline/target/BKUOnline-1.2.12-pinguin-1-SNAPSHOT/WEB-INF/lib/bkucommon-1.2.12-pinguin-1-SNAPSHOT.jar" {
      permission java.io.FilePermission "/home/clemens/workspace/bku/BKUOnline/target/BKUOnline-1.2.12-pinguin-1-SNAPSHOT/WEB-INF/classes/at/gv/egiz/bku/certs/certStore", "write";
      permission java.io.FilePermission "/home/clemens/workspace/bku/BKUOnline/target/BKUOnline-1.2.12-pinguin-1-SNAPSHOT/WEB-INF/classes/at/gv/egiz/bku/certs/certStore/-", "write";
      permission java.io.FilePermission "/home/clemens/workspace/bku/BKUOnline/target/BKUOnline-1.2.12-pinguin-1-SNAPSHOT/WEB-INF/classes/at/gv/egiz/bku/certs/certStore/toBeAdded/-", "delete";
      permission java.io.FilePermission "${catalina.base}/temp/*", "read, write";
//      permission java.io.FilePermission "../conf/secret.xml", "read";
      permission java.util.PropertyPermission "*", "read, write";
      permission java.lang.RuntimePermission "modifyThread";
      permission java.lang.RuntimePermission "setFactory";
      permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
};

grant codeBase "file:/home/clemens/workspace/bku/BKUOnline/target/BKUOnline-1.2.12-pinguin-1-SNAPSHOT/WEB-INF/lib/iaik_jce_full_signed-3.16.jar" {
      permission java.util.PropertyPermission "*", "read, write";
};

grant codeBase "file:/home/clemens/workspace/bku/BKUOnline/target/BKUOnline-1.2.12-pinguin-1-SNAPSHOT/WEB-INF/lib/iaik_xsect-1.14.jar" {
      permission java.util.PropertyPermission "*", "read, write";
};

grant codeBase "file:/home/clemens/workspace/bku/BKUOnline/target/BKUOnline-1.2.12-pinguin-1-SNAPSHOT/WEB-INF/lib/iaik_pki-1.0-MOCCA.jar" {
      permission java.io.FilePermission "/home/clemens/workspace/bku/BKUOnline/target/BKUOnline-1.2.12-pinguin-1-SNAPSHOT/WEB-INF/classes/at/gv/egiz/bku/certs/certStore", "write";
      permission java.io.FilePermission "/home/clemens/workspace/bku/BKUOnline/target/BKUOnline-1.2.12-pinguin-1-SNAPSHOT/WEB-INF/classes/at/gv/egiz/bku/certs/certStore/-", "write";
      permission java.io.FilePermission "/home/clemens/workspace/bku/BKUOnline/target/BKUOnline-1.2.12-pinguin-1-SNAPSHOT/WEB-INF/classes/at/gv/egiz/bku/certs/certStore/toBeAdded/-", "delete";
      //permission java.net.NetPermission "specifyStreamHandler";
      //permission java.lang.RuntimePermission "accessClassInPackage.sun.net.www.protocol.ldap";
};

grant codeBase "file:/home/clemens/workspace/bku/BKUOnline/target/BKUOnline-1.2.12-pinguin-1-SNAPSHOT/WEB-INF/lib/xalan-2.7.1.jar" {
      permission java.io.FilePermission "${java.home}/lib/xalan.properties", "read";
      //permission java.lang.RuntimePermission "getClassLoader";
};

// allow xsl:include from the specified URL
//grant codeBase "jar:file:/home/clemens/workspace/bku/BKUOnline/target/BKUOnline-1.2.12-pinguin-1-SNAPSHOT/WEB-INF/lib/xalan-2.7.1.jar!/org/apache/xalan/processor/-" {
//      permission java.net.SocketPermission "www.xslt-stylesheet-include-url.org:80", "connect, resolve";
//};

// allow XSLT document function to reference the specified URL
//grant codeBase "jar:file:/home/clemens/workspace/bku/BKUOnline/target/BKUOnline-1.2.12-pinguin-1-SNAPSHOT/WEB-INF/lib/xalan-2.7.1.jar!/org/apache/xalan/xsltc/dom/LoadDocument.class" {
//      permission java.io.FilePermission "../conf/secret.xml", "read";
//};

// use tomcat/jre endorsed xerces instead
grant codeBase "file:/home/clemens/workspace/bku/BKUOnline/target/BKUOnline-1.2.12-pinguin-1-SNAPSHOT/WEB-INF/lib/xercesImpl-2.9.1.jar" {
      permission java.io.FilePermission "${java.home}/lib/xerces.properties", "read";
//      permission java.io.FilePermission "../conf/secret.xml", "read";
//      permission java.net.SocketPermission "www.xslt-stylesheet-include-url.org:80", "connect, resolve";
      permission java.io.FilePermission "/WEB-INF/classes/-", "read";
      permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina";
      permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.*";
      //permission java.lang.RuntimePermission "accessDeclaredMembers";
};

grant codeBase "file:/home/clemens/workspace/bku/BKUOnline/target/BKUOnline-1.2.12-pinguin-1-SNAPSHOT/WEB-INF/lib/commons-logging-1.1.1.jar" {
      permission java.lang.RuntimePermission "defineClassInPackage.java.lang";
};

grant codeBase "file:/home/clemens/workspace/bku/BKUOnline/target/BKUOnline-1.2.12-pinguin-1-SNAPSHOT/WEB-INF/lib/log4j-1.2.12.jar" {
      permission java.io.FilePermission "/home/clemens/workspace/bku/BKUOnline/target/BKUOnline-1.2.12-pinguin-1-SNAPSHOT/WEB-INF/classes/log4j.properties", "read";
      permission java.lang.RuntimePermission "defineClassInPackage.java.lang";
};

grant codeBase "file:/home/clemens/workspace/bku/BKUOnline/target/BKUOnline-1.2.12-pinguin-1-SNAPSHOT/WEB-INF/lib/spring-core-2.5.5.jar" {
      //permission java.lang.RuntimePermission "accessDeclaredMembers";
      permission java.lang.RuntimePermission "modifyThread";
};

grant codeBase "file:/home/clemens/workspace/bku/BKUOnline/target/BKUOnline-1.2.12-pinguin-1-SNAPSHOT/WEB-INF/lib/spring-web-2.5.5.jar" {
      permission java.io.FilePermission "/home/clemens/workspace/bku/BKUOnline/target/BKUOnline-1.2.12-pinguin-1-SNAPSHOT/WEB-INF/classes/at/gv/egiz/bku/certs/certStore", "write";
      permission java.io.FilePermission "/home/clemens/workspace/bku/BKUOnline/target/BKUOnline-1.2.12-pinguin-1-SNAPSHOT/WEB-INF/classes/at/gv/egiz/bku/certs/certStore/-", "write";
      permission java.io.FilePermission "/home/clemens/workspace/bku/BKUOnline/target/BKUOnline-1.2.12-pinguin-1-SNAPSHOT/WEB-INF/classes/at/gv/egiz/bku/certs/certStore/toBeAdded/-", "delete";
      permission java.util.PropertyPermission "*", "read, write";
      //permission java.lang.RuntimePermission "accessDeclaredMembers";
      permission java.lang.RuntimePermission "modifyThread";
      permission java.lang.RuntimePermission "setFactory";
      //permission java.lang.RuntimePermission "getProtectionDomain";
      permission java.lang.RuntimePermission "defineClassInPackage.java.lang";
      permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
};

grant codeBase "file:/home/clemens/workspace/bku/BKUOnline/target/BKUOnline-1.2.12-pinguin-1-SNAPSHOT/WEB-INF/lib/spring-beans-2.5.5.jar" {
      permission java.io.FilePermission "/home/clemens/workspace/bku/BKUOnline/target/BKUOnline-1.2.12-pinguin-1-SNAPSHOT/WEB-INF/classes/at/gv/egiz/bku/certs/certStore", "write";
      permission java.io.FilePermission "/home/clemens/workspace/bku/BKUOnline/target/BKUOnline-1.2.12-pinguin-1-SNAPSHOT/WEB-INF/classes/at/gv/egiz/bku/certs/certStore/-", "write";
      permission java.io.FilePermission "/home/clemens/workspace/bku/BKUOnline/target/BKUOnline-1.2.12-pinguin-1-SNAPSHOT/WEB-INF/classes/at/gv/egiz/bku/certs/certStore/toBeAdded/-", "delete";
      permission java.util.PropertyPermission "*", "read, write";
      //permission java.lang.RuntimePermission "accessDeclaredMembers";
      permission java.lang.RuntimePermission "setFactory";
      permission java.lang.RuntimePermission "getProtectionDomain";
      permission java.lang.RuntimePermission "defineClassInPackage.java.lang";
      permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
};
grant codeBase "file:/home/clemens/workspace/bku/BKUOnline/target/BKUOnline-1.2.12-pinguin-1-SNAPSHOT/WEB-INF/lib/spring-context-2.5.5.jar" {
      permission java.io.FilePermission "/home/clemens/workspace/bku/BKUOnline/target/BKUOnline-1.2.12-pinguin-1-SNAPSHOT/WEB-INF/classes/at/gv/egiz/bku/certs/certStore", "write";
      permission java.io.FilePermission "/home/clemens/workspace/bku/BKUOnline/target/BKUOnline-1.2.12-pinguin-1-SNAPSHOT/WEB-INF/classes/at/gv/egiz/bku/certs/certStore/-", "write";
      permission java.io.FilePermission "/home/clemens/workspace/bku/BKUOnline/target/BKUOnline-1.2.12-pinguin-1-SNAPSHOT/WEB-INF/classes/at/gv/egiz/bku/certs/certStore/toBeAdded/-", "delete";
      permission java.util.PropertyPermission "*", "read, write";
      //permission java.lang.RuntimePermission "accessDeclaredMembers";
      permission java.lang.RuntimePermission "modifyThread";
      permission java.lang.RuntimePermission "setFactory";
      permission java.lang.RuntimePermission "getProtectionDomain";
      permission java.lang.RuntimePermission "defineClassInPackage.java.lang";
      permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
};

grant codeBase "file:/home/clemens/workspace/bku/BKUOnline/target/BKUOnline-1.2.12-pinguin-1-SNAPSHOT/WEB-INF/lib/jaxws-rt-2.1.5.jar" {
      // need write access to set disableCaptureStackTrace and HttpAdapter.dump
      permission java.util.PropertyPermission "com.sun.xml.ws.*", "read, write";
      //permission java.util.PropertyPermission "com.sun.xml.bind.*", "read";
      //permission java.util.PropertyPermission "javax.xml.soap.*", "read";
      //permission java.util.PropertyPermission "javax.activation.*", "read";
      //permission java.util.PropertyPermission "xml.catalog.*", "read";
      //permission java.util.PropertyPermission "user.dir", "read";
      //permission java.util.PropertyPermission "user.home", "read";
      permission java.io.FilePermission "${java.home}/lib/jaxm.properties", "read";
      permission java.io.FilePermission "${java.home}/lib/mailcap", "read";
      permission java.io.FilePermission "${user.home}/.mailcap", "read";
      permission java.io.FilePermission "basename", "read";
      permission java.io.FilePermission "${catalina.home}/bin/xcatalog", "read";
      permission java.io.FilePermission "${catalina.home}/temp/xcatalog", "read";
      permission java.io.FilePermission "/WEB-INF/classes/-", "read";
      //permission java.lang.RuntimePermission "accessDeclaredMembers";
      //permission java.lang.RuntimePermission "accessClassInPackage.sun.util.logging.resources";
      permission java.lang.RuntimePermission "setContextClassLoader";
      permission javax.management.MBeanServerPermission "createMBeanServer";
      permission javax.management.MBeanPermission "com.sun.xml.ws.*", "registerMBean";
      permission javax.management.MBeanTrustPermission "register";
      permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
};

grant codeBase "file:/home/clemens/workspace/bku/BKUOnline/target/BKUOnline-1.2.12-pinguin-1-SNAPSHOT/WEB-INF/lib/jaxb-impl-2.1.9.jar" {
      //permission java.lang.RuntimePermission "accessClassInPackage.sun.util.logging.resources";
      permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
//      permission java.lang.RuntimePermission "accessDeclaredMembers";
//      permission java.util.PropertyPermission "com.sun.xml.bind.v2.*", "read";
//      permission java.util.PropertyPermission "user.dir", "read";
      permission java.io.FilePermission "/WEB-INF/classes/-", "read";
};

// ======== NETBEANS

grant codeBase "file:${catalina.base}/nblib/-" {
      permission java.security.AllPermission;
};