/* * Standard policy file for oc4j * * When this file is in use the System property ${oracle.home} must * be set to $ORACLE_HOME or to the value of $ORACLE_HOME * * This file grants AllPermission to "oc4j code" * oc4j code is code used either directly or indirectly by the app server * itself.Including code generated for ejb wrappers. * See oc4j.jar!boot.xml for a complete list. Currently this file * only lists jar's that believed to need permissions. Others may be * added if neccessary. * * In a future release the grants will be refined so that * only the Permissions actually needed by oc4j code will be granted. * * Calls to accessController.doPrivileged have been added to oc4j * with the intention that application code only needs to be * granted the Permissions needed by actions it performs directly. * It should not need to be granted Permissions required by J2EE * operations. * * For example if a Servlet (or jsp) forwards to a .jsp it does not * need Permission to read and compile the .jsp. Similarly the * application code associated with an ejb that specifies container * managed persistence does not need Permission to create a socket * talking to the database holding the underlying data. But an EJB * using bean managed persistence does need such Permission. */ /* * The OC4J ClassLoader attaches varioius Principal's to various categories of * classes. This allows grants to be based on on the category of the class * rather than it's location in the file system. Grants can continue to be * made to code sources if finer granularity is desired. */ /* * Internal classes are those referenced in the class loaders * specified by boot.xml. They are distributed * by Oracle and used to implement the containers. Most of them * are not intended for use by application code. */ /* * TODO: FilePermissions in this file use / (i.e. UNIX file separator) they * will need to adjusted for Windows. */ grant principal oracle.classloader.ClassLoaderPrincipal$MAIN "main" { permission java.security.AllPermission; }; grant principal oracle.classloader.ClassLoaderPrincipal$SharedLibrary "oc4j.internal" { permission java.security.AllPermission; }; /* * Classes in oc4j.jar and pcl.jar are loaded by the JRE system class loader and * hance do not have any principal */ grant codebase "file:${oracle.home}/j2ee/home/oc4j.jar" { permission java.security.AllPermission; }; grant codebase "file:${oracle.home}/j2ee/home/lib/pcl.jar" { permission java.security.AllPermission; }; /* * Shared libraries declared in boot.xml */ grant principal oracle.classloader.ClassLoaderPrincipal$SharedLibrary "oracle.dms" { permission java.security.AllPermission; }; grant principal oracle.classloader.ClassLoaderPrincipal$SharedLibrary "oracle.jdbc" { permission java.security.AllPermission; }; grant principal oracle.classloader.ClassLoaderPrincipal$SharedLibrary "oracle.cache" { permission java.security.AllPermission; }; grant principal oracle.classloader.ClassLoaderPrincipal$SharedLibrary "soap" { permission java.security.AllPermission; }; grant principal oracle.classloader.ClassLoaderPrincipal$SharedLibrary "oracle.xml" { permission java.security.AllPermission; }; grant principal oracle.classloader.ClassLoaderPrincipal$SharedLibrary "oracle.jwsdl" { permission java.security.AllPermission; }; grant principal oracle.classloader.ClassLoaderPrincipal$SharedLibrary "oracle.ws.client" { permission java.security.AllPermission; }; grant principal oracle.classloader.ClassLoaderPrincipal$SharedLibrary "oracle.xml.security" { permission java.security.AllPermission; }; grant principal oracle.classloader.ClassLoaderPrincipal$SharedLibrary "oracle.ws.security" { permission java.security.AllPermission; }; grant principal oracle.classloader.ClassLoaderPrincipal$SharedLibrary "oracle.ws.core" { permission java.security.AllPermission; }; grant principal oracle.classloader.ClassLoaderPrincipal$SharedLibrary "oracle.ws.reliability" { permission java.security.AllPermission; }; /** * There are still some URL ClassLoaders in use and these need grants to code * sources */ grant codebase "file:${java.home}/../lib/tools.jar" { permission java.security.AllPermission; }; /** * The EJB container generates "wrapper" classes. These do not contain * Any application code and treated similarly to internal */ grant principal oracle.classloader.ClassLoaderPrincipal$MAIN "ejb_wrapper" { permission java.security.AllPermission; }; /** * The Web Services implementation generates "wrapper" classes used in * accessing web services. These do not contain any application code * and are treated similarly to internal. */ grant principal oracle.classloader.ClassLoaderPrincipal$MAIN "webservice_wrapper" { permission java.security.AllPermission; }; /** * Shared libraries configured in server.xml * each get a principal based on their name (not including * their version number). They may be granted persions via that principal * rather than the code source. */ /* * Out of the box "global.libraries" contain code distributed by Oracle. * */ grant principal oracle.classloader.ClassLoaderPrincipal$SharedLibrary "global.libraries" { permission java.security.AllPermission; }; grant principal oracle.classloader.ClassLoaderPrincipal$SharedLibrary "oracle.security.jazn" { permission java.security.AllPermission; }; /** * OC4J support an "extensions" directory (or directories) similar in intent * to the jre's. Namely jars in these directories are treated as part of * OC4J's internal classes. */ grant principal oracle.classloader.ClassLoaderPrincipal$MAIN "oc4j_extension" { permission java.security.AllPermission; }; /** * Miscellaneous grants to jars distributed as part of oc4j that may be used * in various ways */ grant codebase "file:${oracle.home}/j2ee/home/connectors/OracleASjms/OracleASjms/gjra.jar" { permission java.security.AllPermission; }; grant codebase "file:${oracle.home}/j2ee/home/iiop_rmic.jar" { permission java.security.AllPermission; }; grant codebase "file:${oracle.home}/bc4j/jlib/*" { permission java.security.AllPermission; }; grant codebase "file:${oracle.home}/j2ee/home/jsp/lib/taglib/ojsputil.jar" { permission java.security.AllPermission; }; grant codebase "file:${oracle.home}/j2ee/home/jsp/lib/taglib/standard.jar" { permission java.security.AllPermission; }; grant codebase "file:${oracle.home}/j2ee/home/connectors/jaxr-ra/jaxr-ra/jaxr-ra.jar" { permission java.security.AllPermission; }; grant codebase "file:${oracle.home}/j2ee/home/lib/scheduler.jar" { permission java.security.AllPermission; }; grant codebase "file:${oracle.home}/dms/lib/dmsapp.jar" { permission java.security.AllPermission; }; grant codebase "file:${oracle.home}/lib/dms.jar" { permission java.security.AllPermission; }; grant codebase "file:${oracle.home}/lib/dmsapp.jar" { permission java.security.AllPermission; }; grant codebase "file:${oracle.home}/diagnostics/lib/ojdl.jar" { permission java.security.AllPermission; }; grant codebase "file:${oracle.home}/j2ee/home/lib/jmxri.jar" { permission java.security.AllPermission; }; grant codebase "file:${oracle.home}/j2ee/home/lib/oc4j-internal.jar" { permission java.security.AllPermission; }; grant codebase "file:${oracle.home}/j2ee/home/lib/adminclient.jar" { permission java.security.AllPermission; }; grant codebase "file:${oracle.home}/j2ee/home/lib/oc4j-unsupported-api.jar" { permission java.security.AllPermission; }; grant codebase "file:${oracle.home}/j2ee/home/jazncore.jar" { permission java.security.AllPermission; }; grant codebase "file:${oracle.home}/j2ee/home/lib/ojsp.jar" { permission java.security.AllPermission; }; grant codebase "file:${oracle.home}/j2ee/home/jazn.jar" { permission java.security.AllPermission; }; grant codeBase "file:${oracle.home}/j2ee/home/lib/servlet.jar" { permission java.security.AllPermission; }; grant codebase "file:${oracle.home}/jdbc/lib/ojdbc5dms.jar" { permission java.security.AllPermission; }; grant codebase "file:${oracle.home}/webservices/lib/wsserver.jar" { permission java.security.AllPermission; }; grant codebase "file:${oracle.home}/webservices/lib/wsclient.jar" { permission java.security.AllPermission; }; grant codeBase "file:${oracle.home}/webservices/lib/wssecurity.jar" { permission java.security.AllPermission; }; grant codeBase "file:${oracle.home}/webservices/lib/orawsdl.jar" { permission java.security.AllPermission; }; grant codeBase "file:${oracle.home}/webservices/lib/wssecurity.jar" { permission java.security.AllPermission; }; grant codeBase "file:${oracle.home}/webservices/lib/wssecurity.jar" { permission java.security.AllPermission; }; grant codebase "file:${oracle.home}/webservices/lib/saaj-api.jar" { permission java.security.AllPermission; }; grant codebase "file:${oracle.home}/webservices/lib/orasaaj.jar" { permission java.security.AllPermission; }; grant codebase "file:${oracle.home}/webservices/lib/JMXSoapAdapterShared.jar" { permission java.security.AllPermission; }; grant codebase "file:${oracle.home}/lib/xmlparserv2.jar" { permission java.security.AllPermission; }; /* GRANTS TO DEFAULT APPLICATIONS */ /* default application contains ocj4 code, so we grant it AllPermission. * Since it might also contain site specific code this is problematic. * In some future release the oc4j code will be separated from the * other code. */ /** * The ASControl provides functionality to managge the OC4J. * TODO: Ask EM to provide the exact set of permission need to run this app. */ grant principal oracle.oc4j.loader.OC4JClassLoaderPrincipal$Application "default" { permission java.security.AllPermission; }; grant principal oracle.oc4j.loader.OC4JClassLoaderPrincipal$Application "ascontrol" { permission java.security.AllPermission; }; grant principal oracle.oc4j.loader.OC4JClassLoaderPrincipal$Application "usermbean" { permission java.security.AllPermission; }; grant principal oracle.oc4j.loader.OC4JClassLoaderPrincipal$Application "j2eetest" { permission java.security.AllPermission; }; grant codebase "file:${oracle.home}/j2ee/home/applications/admin_ejb.jar" { permission java.security.AllPermission; }; grant codebase "file:${oracle.home}/j2ee/home/applications/jmsrouter-ejb.jar" { permission java.security.AllPermission; }; grant codebase "file:${oracle.home}/j2ee/home/applications/jmsrouter" { permission java.security.AllPermission; }; grant codebase "file:${oracle.home}/j2ee/home/default-web-app/WEB-INF/classes/" { /* BBoardServlet */ permission java.io.FilePermission "${oracle.home}/j2ee/home/default-web-appboard.html", "read,write"; }; /* GRANTS of read on various System properties that for the moment I'm * regarding as harmless. There may be a lot more that are * not tickled by the srg */ grant { permission java.util.PropertyPermission "j2ee.home", "read"; } ; grant { permission java.util.PropertyPermission "java.home", "read"; } ; grant { permission java.util.PropertyPermission "javax.xml.soap.SOAPFactory", "read"; } ; grant { permission java.util.PropertyPermission "javax.activation.debug" , "read"; } ; grant { permission java.util.PropertyPermission "javax.xml.parsers.DocumentBuilderFactory" , "read"; } ; grant { permission java.util.PropertyPermission "javax.xml.soap.MessageFactory" , "read"; } ; grant { permission java.util.PropertyPermission "jdbc.nontx.autocommit" , "read"; } ; grant { permission java.util.PropertyPermission "mail.URLName.dontencode" , "read"; } ; grant { permission java.util.PropertyPermission "oc4j.jmx.event.interval" , "read"; } ; grant { permission java.util.PropertyPermission "oc4j.jmx.heartbeat.interval" , "read"; } ; grant { permission java.util.PropertyPermission "oracle.jdbc.defaultNChar" , "read"; } ; grant { permission java.util.PropertyPermission "oracle.jdbc.DMSStatementMetrics" , "read"; } ; grant { permission java.util.PropertyPermission "oracle.jdbc.J2EE13Compliant" , "read"; } ; grant { permission java.util.PropertyPermission "oracle.jdbc.TcpNoDelay" , "read"; } ; grant { permission java.util.PropertyPermission "oracle.jdbc.useFetchSizeWithLongColumn" , "read"; } ; grant { permission java.util.PropertyPermission "oracle.jdbc.V8Compatible" , "read"; } ; grant { permission java.util.PropertyPermission "oracle.jserver.version" , "read"; } ; grant { permission java.util.PropertyPermission "oracle.xml.parser.debugmode" , "read"; } ; grant { permission java.util.PropertyPermission "oracle.xml.parser.default.character.set" , "read"; } ; grant { permission java.util.PropertyPermission "oracle.xml.xslt.jdwp", "read"; }; grant { permission java.util.PropertyPermission "orasaaj.soapversion" , "read"; } ; grant { permission java.util.PropertyPermission "org.apache.commons.logging.Log" , "read"; } ; grant { permission java.util.PropertyPermission "org.apache.commons.logging.LogFactory" , "read"; } ; grant { permission java.util.PropertyPermission "PersistenceManagerDebug" , "read"; } ; grant { permission java.util.PropertyPermission "pro.debug" , "read"; } ; grant { permission java.util.PropertyPermission "sqlj.runtime" , "read"; } ; grant { permission java.util.PropertyPermission "transaction.debug" , "read"; } ; grant { permission java.util.PropertyPermission "user.home" , "read"; } ; grant { permission java.util.PropertyPermission "user.name" , "read"; } ; grant { permission java.util.PropertyPermission "rmi.verbose" , "read"; } ; grant { permission java.util.PropertyPermission "AssociateUserToThread", "read"; }; grant { permission java.util.PropertyPermission "toplink.cts.collection.checkParameters", "read"; }; grant { permission java.util.PropertyPermission "AllowZeroInPK", "read"; }; grant { permission java.util.PropertyPermission "HTTPClient.Modules", "read"; }; grant { permission java.util.PropertyPermission "HTTPClient.Nagle", "read"; }; grant { permission java.util.PropertyPermission "HTTPClient.cookies.hosts.accept", "read"; }; grant { permission java.util.PropertyPermission "HTTPClient.cookies.hosts.reject", "read"; }; grant { permission java.util.PropertyPermission "HTTPClient.cookies.save", "read"; }; grant { permission java.util.PropertyPermission "HTTPClient.deferStreamed", "read"; }; grant { permission java.util.PropertyPermission "HTTPClient.disableKeepAlives", "read"; }; grant { permission java.util.PropertyPermission "HTTPClient.disable_pipelining", "read"; }; grant { permission java.util.PropertyPermission "HTTPClient.dontChunkRequests", "read"; }; grant { permission java.util.PropertyPermission "HTTPClient.dontTimeoutRespBody", "read"; }; grant { permission java.util.PropertyPermission "HTTPClient.forceHTTP_1.0", "read"; }; grant { permission java.util.PropertyPermission "HTTPClient.log.level", "read"; }; grant { permission java.util.PropertyPermission "HTTPClient.nonProxyHosts", "read"; }; grant { permission java.util.PropertyPermission "HTTPClient.socket.idleTimeout", "read"; }; grant { permission java.util.PropertyPermission "HTTPClient.socksHost", "read"; }; grant { permission java.util.PropertyPermission "HTTPClient.socksPort", "read"; }; grant { permission java.util.PropertyPermission "HTTPClient.socksVersion", "read"; }; grant { permission java.util.PropertyPermission "JavaClass.debug", "read"; }; grant { permission java.util.PropertyPermission "LoadBalanceOnLookup", "read"; }; grant { permission java.util.PropertyPermission "SQLLog", "read"; }; grant { permission java.util.PropertyPermission "USE_JAAS", "read"; }; grant { permission java.util.PropertyPermission "com.sun.enterprise.home", "read"; }; grant { permission java.util.PropertyPermission "customFinderMethod.noLazyLoading", "read"; }; grant { permission java.util.PropertyPermission "debug", "read"; }; grant { permission java.util.PropertyPermission "default.cmp.pm", "read"; }; grant { permission java.util.PropertyPermission "ejb.debug.verbose", "read"; }; grant { permission java.util.PropertyPermission "findByPrimaryKey.noLazyLoading", "read"; }; grant { permission java.util.PropertyPermission "http.nonProxyHosts", "read"; }; grant { permission java.util.PropertyPermission "http.proxyHost", "read"; }; grant { permission java.util.PropertyPermission "http.proxyPort", "read"; }; grant { permission java.util.PropertyPermission "java.ext.dirs", "read"; }; grant { permission java.util.PropertyPermission "java.class.path", "read"; }; grant { permission java.util.PropertyPermission "javax.xml.parsers.SAXParserFactory", "read"; }; grant { permission java.util.PropertyPermission "jca.connection.debug", "read"; }; grant { permission java.util.PropertyPermission "log4j.configDebug", "read"; }; grant { permission java.util.PropertyPermission "log4j.configuration", "read"; }; grant { permission java.util.PropertyPermission "log4j.debug", "read"; }; grant { permission java.util.PropertyPermission "log4j.defaultInitOverride", "read"; }; grant { permission java.util.PropertyPermission "log4j.disable", "read"; }; grant { permission java.util.PropertyPermission "log4j.disableOverride", "read"; }; grant { permission java.util.PropertyPermission "oneToOneJoin", "read"; }; grant { permission java.util.PropertyPermission "sun.boot.class.path", "read"; }; grant { permission java.util.PropertyPermission "toplink.changePolicy", "read"; }; grant { permission java.util.PropertyPermission "toplink.cts.collection.checkParameters", "read"; }; grant { permission java.util.PropertyPermission "toplink.cts.collection.checkTransaction", "read"; }; grant { permission java.util.PropertyPermission "toplink.defaultmapping.dbTableGenSetting", "read"; }; grant { permission java.util.PropertyPermission "toplink.defaultmapping.useExtendedTableNames", "read"; }; grant { permission java.util.PropertyPermission "toplink.log.destination", "read"; }; grant { permission java.util.PropertyPermission "toplink.log.level", "read"; }; grant { permission java.util.PropertyPermission "toplink.xml.platform", "read"; }; grant { permission java.util.PropertyPermission "upload.buflen", "read"; }; grant { permission java.util.PropertyPermission "user.dir", "read"; }; grant { permission java.util.PropertyPermission "javax.xml.soap.SOAPConnectionFactory", "read";}; grant { permission java.util.PropertyPermission "HTTPClient.socket.idleTimeout", "write";}; /* * The default JDK system policy grants AllPermission to jars * in the jre extension library */ /* JDK */ grant codeBase "file:${java.home}/lib/ext/*" { permission java.security.AllPermission; }; /* Default Grants copied from the JDK default system policy. */ grant { // "standard" properies that can be read by anyone. permission java.util.PropertyPermission "java.version", "read"; permission java.util.PropertyPermission "java.vendor", "read"; permission java.util.PropertyPermission "java.vendor.url", "read"; permission java.util.PropertyPermission "java.class.version", "read"; permission java.util.PropertyPermission "os.name", "read"; permission java.util.PropertyPermission "os.version", "read"; permission java.util.PropertyPermission "os.arch", "read"; permission java.util.PropertyPermission "file.separator", "read"; permission java.util.PropertyPermission "path.separator", "read"; permission java.util.PropertyPermission "line.separator", "read"; permission java.util.PropertyPermission "java.specification.version", "read"; permission java.util.PropertyPermission "java.specification.vendor", "read"; permission java.util.PropertyPermission "java.specification.name", "read"; permission java.util.PropertyPermission "java.vm.specification.version", "read"; permission java.util.PropertyPermission "java.vm.specification.vendor", "read"; permission java.util.PropertyPermission "java.vm.specification.name", "read"; permission java.util.PropertyPermission "java.vm.version", "read"; permission java.util.PropertyPermission "java.vm.vendor", "read"; permission java.util.PropertyPermission "java.vm.name", "read"; /* The following are granted by the default jdk policy but are considered * unsafe and are omitted by this policy file */ //permission java.lang.RuntimePermission "stopThread"; //permission java.net.SocketPermission "localhost:1024-", "listen"; }; /* * The site needs to add grants to application code as required */ grant principal oracle.oc4j.loader.OC4JClassLoaderPrincipal$Application "default" { permission java.util.PropertyPermission "*", "read"; /* MBean stuf creates temp files */ permission java.io.FilePermission "/tmp/*", "read,write,delete"; permission java.io.FilePermission "/tmp/-", "read,write,delete"; };