appserver/security/core-ee/src/test/resources/com/sun/enterprise/security/perms/server.policy - glassfish - Git at Google

 /*
  * Copyright (c) 2013, 2018 Oracle and/or its affiliates. All rights reserved.
  *
  * This program and the accompanying materials are made available under the
  * terms of the Eclipse Public License v. 2.0, which is available at
  * http://www.eclipse.org/legal/epl-2.0.
  *
  * This Source Code may also be made available under the following Secondary
  * Licenses when the conditions for such availability set forth in the
  * Eclipse Public License v. 2.0 are satisfied: GNU General Public License,
  * version 2 with the GNU Classpath Exception, which is available at
  * https://www.gnu.org/software/classpath/license.html.
  *
  * SPDX-License-Identifier: EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0
  */

 // classes in lib get all permissions by default
 grant codeBase "file:${com.sun.aas.installRoot}/lib/-" {
     permission java.security.AllPermission;
 };

 // Core server classes get all permissions by default
 grant codeBase "file:${com.sun.aas.installRoot}/modules/-" {
     permission java.security.AllPermission;
 };

 // Felix classes get all permissions by default
 grant codeBase "file:${com.sun.aas.installRoot}/osgi/felix/bin/-" {
     permission java.security.AllPermission;
 };

 // iMQ classes get all permissions by default
 grant codeBase "file:${com.sun.aas.imqLib}/-" {
     permission java.security.AllPermission;
 };

 // Derby driver classes get all permissions by default
 grant codeBase "file:${com.sun.aas.derbyRoot}/lib/-" {
     permission java.security.AllPermission;
 };


 // permission for JDK's tools.jar to enable webservice annotation processing
 // at runtime by wsgen tool:
 //       permission java.lang.RuntimePermission "createClassLoader";
 //
 // permission for JDK's tools.jar to sign JARs at runtime for
 // Java Web Start support:
 //       permissions java.security.AllPermission;
 // on the advice of the JDK tools folks.  Should be refined later.
 //Bug Glassfish-21012 - changing to the right location of tools.jar

 grant codeBase "file:${com.sun.aas.javaRoot}/../lib/tools.jar" {
     permission java.security.AllPermission;
 };

 //Loading MBeans from anywhere, to take care of side effects of 6235678.
 grant {
     permission javax.management.MBeanTrustPermission "register" ;
 };
 //Loading MBeans from anywhere, to take care of side effects of 6235678.


 // Basic set of required permissions granted to all remaining code
 // The permission FilePermission "<<ALL FILES>>", "read,write"
 // allows all applications to read and write any file in the filesystem.
 // It should be changed based on real deployment needs. If you know your
 // applications just need to read/write a few directories consider removing
 // this permission and adding grants indicating those specific directories.
 // against the codebase of your application(s).
 grant {
     //Workaround for bugs #6484935, 6513799
     permission java.lang.RuntimePermission "getProtectionDomain";
     permission com.sun.corba.ee.impl.presentation.rmi.DynamicAccessPermission "access";
     permission java.util.PropertyPermission "*", "read,write";

     permission java.lang.RuntimePermission  "loadLibrary.*";
     permission java.lang.RuntimePermission  "queuePrintJob";
     permission java.net.SocketPermission    "*", "connect";
     permission java.io.FilePermission       "<<ALL FILES>>", "read,write";

         // work-around for pointbase bug 4864405
         permission java.io.FilePermission "${com.sun.aas.instanceRoot}${/}lib${/}databases${/}-", "delete";
         permission java.io.FilePermission "${java.io.tmpdir}${/}-", "delete";

     permission java.util.PropertyPermission "*", "read";

     permission java.lang.RuntimePermission    "modifyThreadGroup";
     permission java.lang.RuntimePermission    "getClassLoader";
     permission java.lang.RuntimePermission    "setContextClassLoader";
     permission javax.management.MBeanPermission "[com.sun.messaging.jms.*:*]", "*";

     // Following needed for CTS to pass with SM on, bug 16344201
     permission java.lang.RuntimePermission "closeClassLoader";
     permission java.io.SerializablePermission "enableSubstitution";
     permission java.security.SecurityPermission "getProperty.package.definition";
 };

 // Following grant block is only required by Connectors. If Connectors
 // are not in use the recommendation is to remove this grant.
 grant {
         permission javax.security.auth.PrivateCredentialPermission "jakarta.resource.spi.security.PasswordCredential * \"*\"","read";
 };

 // Following grant block is only required for Reflection. If Reflection
 // is not in use the recommendation is to remove this section.
 grant {
     permission java.lang.RuntimePermission "accessDeclaredMembers";
 };

 // Permissions to invoke CORBA objects in server
 grant {
     permission com.sun.enterprise.security.CORBAObjectPermission "*", "*";
 };
     // GLASSFISH-21011
 grant {
     permission java.io.SerializablePermission "enableSubclassImplementation";
 };
	/*
	* Copyright (c) 2013, 2018 Oracle and/or its affiliates. All rights reserved.
	*
	* This program and the accompanying materials are made available under the
	* terms of the Eclipse Public License v. 2.0, which is available at
	* http://www.eclipse.org/legal/epl-2.0.
	*
	* This Source Code may also be made available under the following Secondary
	* Licenses when the conditions for such availability set forth in the
	* Eclipse Public License v. 2.0 are satisfied: GNU General Public License,
	* version 2 with the GNU Classpath Exception, which is available at
	* https://www.gnu.org/software/classpath/license.html.
	*
	* SPDX-License-Identifier: EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0
	*/

	// classes in lib get all permissions by default
	grant codeBase "file:${com.sun.aas.installRoot}/lib/-" {
	permission java.security.AllPermission;
	};

	// Core server classes get all permissions by default
	grant codeBase "file:${com.sun.aas.installRoot}/modules/-" {
	permission java.security.AllPermission;
	};

	// Felix classes get all permissions by default
	grant codeBase "file:${com.sun.aas.installRoot}/osgi/felix/bin/-" {
	permission java.security.AllPermission;
	};

	// iMQ classes get all permissions by default
	grant codeBase "file:${com.sun.aas.imqLib}/-" {
	permission java.security.AllPermission;
	};

	// Derby driver classes get all permissions by default
	grant codeBase "file:${com.sun.aas.derbyRoot}/lib/-" {
	permission java.security.AllPermission;
	};


	// permission for JDK's tools.jar to enable webservice annotation processing
	// at runtime by wsgen tool:
	// permission java.lang.RuntimePermission "createClassLoader";
	//
	// permission for JDK's tools.jar to sign JARs at runtime for
	// Java Web Start support:
	// permissions java.security.AllPermission;
	// on the advice of the JDK tools folks. Should be refined later.
	//Bug Glassfish-21012 - changing to the right location of tools.jar

	grant codeBase "file:${com.sun.aas.javaRoot}/../lib/tools.jar" {
	permission java.security.AllPermission;
	};

	//Loading MBeans from anywhere, to take care of side effects of 6235678.
	grant {
	permission javax.management.MBeanTrustPermission "register" ;
	};
	//Loading MBeans from anywhere, to take care of side effects of 6235678.


	// Basic set of required permissions granted to all remaining code
	// The permission FilePermission "<<ALL FILES>>", "read,write"
	// allows all applications to read and write any file in the filesystem.
	// It should be changed based on real deployment needs. If you know your
	// applications just need to read/write a few directories consider removing
	// this permission and adding grants indicating those specific directories.
	// against the codebase of your application(s).
	grant {
	//Workaround for bugs #6484935, 6513799
	permission java.lang.RuntimePermission "getProtectionDomain";
	permission com.sun.corba.ee.impl.presentation.rmi.DynamicAccessPermission "access";
	permission java.util.PropertyPermission "*", "read,write";

	permission java.lang.RuntimePermission "loadLibrary.*";
	permission java.lang.RuntimePermission "queuePrintJob";
	permission java.net.SocketPermission "*", "connect";
	permission java.io.FilePermission "<<ALL FILES>>", "read,write";

	// work-around for pointbase bug 4864405
	permission java.io.FilePermission "${com.sun.aas.instanceRoot}${/}lib${/}databases${/}-", "delete";
	permission java.io.FilePermission "${java.io.tmpdir}${/}-", "delete";

	permission java.util.PropertyPermission "*", "read";

	permission java.lang.RuntimePermission "modifyThreadGroup";
	permission java.lang.RuntimePermission "getClassLoader";
	permission java.lang.RuntimePermission "setContextClassLoader";
	permission javax.management.MBeanPermission "[com.sun.messaging.jms.:]", "*";

	// Following needed for CTS to pass with SM on, bug 16344201
	permission java.lang.RuntimePermission "closeClassLoader";
	permission java.io.SerializablePermission "enableSubstitution";
	permission java.security.SecurityPermission "getProperty.package.definition";
	};

	// Following grant block is only required by Connectors. If Connectors
	// are not in use the recommendation is to remove this grant.
	grant {
	permission javax.security.auth.PrivateCredentialPermission "jakarta.resource.spi.security.PasswordCredential * \"*\"","read";
	};

	// Following grant block is only required for Reflection. If Reflection
	// is not in use the recommendation is to remove this section.
	grant {
	permission java.lang.RuntimePermission "accessDeclaredMembers";
	};

	// Permissions to invoke CORBA objects in server
	grant {
	permission com.sun.enterprise.security.CORBAObjectPermission "", "";
	};
	// GLASSFISH-21011
	grant {
	permission java.io.SerializablePermission "enableSubclassImplementation";
	};