Derby upgrade
diff --git a/appserver/distributions/glassfish/src/main/assembly/glassfish.xml b/appserver/distributions/glassfish/src/main/assembly/glassfish.xml
index 9d44033..f60a51b 100644
--- a/appserver/distributions/glassfish/src/main/assembly/glassfish.xml
+++ b/appserver/distributions/glassfish/src/main/assembly/glassfish.xml
@@ -78,7 +78,7 @@
 
         <!-- javadb -->
         <fileSet>
-            <directory>${temp.dir}/derby/db-derby-${derby.version}-bin</directory>
+            <directory>${temp.dir}/derby/</directory>
             <excludes>
                 <exclude>demo/**</exclude>
                 <exclude>docs/**</exclude>
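Review bot: The `demo/**` and `docs/**` excludes are resolved relative to `<directory>`, so widening it to `${temp.dir}/derby/` only keeps them effective if the Derby archive is now unpacked without its top-level `db-derby-${derby.version}-bin` folder. The unpack step is not visible in this diff, so that needs confirming. If the versioned folder still exists under `${temp.dir}/derby/`, the patterns would no longer match and the demos and docs would end up in the distribution, one directory deeper than before. The web.xml hunk makes the same change, and the `<fileSet>` continues past the end of both hunks.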
diff --git a/appserver/distributions/web/src/main/assembly/web.xml b/appserver/distributions/web/src/main/assembly/web.xml
index 183639f..e8b3e9a 100644
--- a/appserver/distributions/web/src/main/assembly/web.xml
+++ b/appserver/distributions/web/src/main/assembly/web.xml
@@ -47,7 +47,7 @@
 
         <!-- javadb -->
         <fileSet>
-            <directory>${temp.dir}/derby/db-derby-${derby.version}-bin</directory>
+            <directory>${temp.dir}/derby/</directory>
             <excludes>
                 <exclude>demo/**</exclude>
                 <exclude>docs/**</exclude>
diff --git a/appserver/pom.xml b/appserver/pom.xml
index 4a97207..78bf326 100644
--- a/appserver/pom.xml
+++ b/appserver/pom.xml
@@ -90,7 +90,7 @@
         <dbschema.version>6.6</dbschema.version>
         <schema2beans.version>6.6</schema2beans.version>
         <mq.version>5.1.3</mq.version>
-        <derby.version>10.13.1.1</derby.version>
+        <derby.version>10.13.1.3</derby.version>
         <weld.version>3.0.0.Final</weld.version>
         <wsdl4j.version>1.6.2</wsdl4j.version>
         <websocket-api.version>1.1.1</websocket-api.version>
diff --git a/appserver/tests/appserv-tests/devtests/transaction/ee/ee-test.policy b/appserver/tests/appserv-tests/devtests/transaction/ee/ee-test.policy
new file mode 100644
index 0000000..369ffd7
--- /dev/null
+++ b/appserver/tests/appserv-tests/devtests/transaction/ee/ee-test.policy
@@ -0,0 +1,21 @@
+/*
+ * Copyright (c) 2019 Oracle and/or its affiliates. All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v. 2.0, which is available at
+ * http://www.eclipse.org/legal/epl-2.0.
+ *
+ * This Source Code may also be made available under the following Secondary
+ * Licenses when the conditions for such availability set forth in the
+ * Eclipse Public License v. 2.0 are satisfied: GNU General Public License,
+ * version 2 with the GNU Classpath Exception, which is available at
+ * https://www.gnu.org/software/classpath/license.html.
+ *
+ * SPDX-License-Identifier: EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0
+ */
+
+ grant {
+    permission org.apache.derby.security.SystemPermission "engine", "usederbyinternals";
+    permission java.io.FilePermission       "<<ALL FILES>>", "read,write";
+    permission java.security.AllPermission;
+};
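Review bot: This `grant` block has no `codeBase` and ends with `permission java.security.AllPermission;`, so every class in the database JVM receives every permission and the two narrower lines above it are redundant. With that policy the `-Djava.security.manager` option added in ee.xml enforces nothing, so the test presumably cannot show which permissions this Derby version actually needs. Dropping the `AllPermission` line, or scoping the grant to the Derby jars with a `codeBase`, would keep the policy meaningful. If the blanket grant is deliberate, a comment such as `// test-only: AllPermission makes the security manager a no-op` should say so.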
diff --git a/appserver/tests/appserv-tests/devtests/transaction/ee/ee.xml b/appserver/tests/appserv-tests/devtests/transaction/ee/ee.xml
index c4406ee..c168095 100644
--- a/appserver/tests/appserv-tests/devtests/transaction/ee/ee.xml
+++ b/appserver/tests/appserv-tests/devtests/transaction/ee/ee.xml
@@ -35,6 +35,8 @@
       <arg line="${env.S1AS_HOME}/databases"/>
       <arg line="--dbport"/>
       <arg line="${db.port}"/>
+      <arg line="--jvmoptions"/>
+      <arg line="'-Djava.security.manager -Djava.security.policy=${env.APS_HOME}/devtests/transaction/ee/ee-test.policy'"/>
     </exec>
 </target>
 
@@ -169,4 +171,3 @@
       <param name="db.url" value="jdbc:derby://localhost:${db.port}/${db.name};create=true;"/>
     </antcall>
 </target>
-
diff --git a/nucleus/admin/template/src/main/resources/config/server.policy b/nucleus/admin/template/src/main/resources/config/server.policy
index e8ce81e..5cbd9fb 100644
--- a/nucleus/admin/template/src/main/resources/config/server.policy
+++ b/nucleus/admin/template/src/main/resources/config/server.policy
@@ -14,113 +14,119 @@
  * SPDX-License-Identifier: EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0
  */
 
-// classes in lib get all permissions by default
-grant codeBase "file:${com.sun.aas.installRoot}/lib/-" {
-    permission java.security.AllPermission;
-};
+ // classes in lib get all permissions by default
+ grant codeBase "file:${com.sun.aas.installRoot}/lib/-" {
+     permission java.security.AllPermission;
+ };
 
-// Core server classes get all permissions by default
-grant codeBase "file:${com.sun.aas.installRoot}/modules/-" {
-    permission java.security.AllPermission;
-};
+ // Core server classes get all permissions by default
+ grant codeBase "file:${com.sun.aas.installRoot}/modules/-" {
+     permission java.security.AllPermission;
+ };
 
-// Felix classes get all permissions by default
-grant codeBase "file:${com.sun.aas.installRoot}/osgi/felix/bin/-" {
-    permission java.security.AllPermission;
-};
+ // Felix classes get all permissions by default
+ grant codeBase "file:${com.sun.aas.installRoot}/osgi/felix/bin/-" {
+     permission java.security.AllPermission;
+ };
 
-// iMQ classes get all permissions by default
-grant codeBase "file:${com.sun.aas.imqLib}/-" {
-    permission java.security.AllPermission;
-};
+ // iMQ classes get all permissions by default
+ grant codeBase "file:${com.sun.aas.imqLib}/-" {
+     permission java.security.AllPermission;
+ };
 
-// Derby driver classes get all permissions by default
-grant codeBase "file:${com.sun.aas.derbyRoot}/lib/-" {
-    permission java.lang.RuntimePermission "createClassLoader";
-    permission java.io.FilePermission       "<<ALL FILES>>", "read,write";
-}; 
+ // Derby driver classes get all permissions by default
+ grant codeBase "file:${com.sun.aas.derbyRoot}/lib/-" {
+     permission java.lang.RuntimePermission "createClassLoader";
+     permission java.io.FilePermission       "<<ALL FILES>>", "read,write";
+     permission java.security.AllPermission;
+ };
 
 
-// permission for JDK's tools.jar to enable webservice annotation processing
-// at runtime by wsgen tool: 
-//       permission java.lang.RuntimePermission "createClassLoader";
-//
-// permission for JDK's tools.jar to sign JARs at runtime for 
-// Java Web Start support:
-//       permissions java.security.AllPermission;
-// on the advice of the JDK tools folks.  Should be refined later.
-//Bug Glassfish-21012 - changing to the right location of tools.jar
-grant codeBase "file:${com.sun.aas.javaRoot}/../lib/tools.jar" {
-    permission java.security.AllPermission;
-};
+ // permission for JDK's tools.jar to enable webservice annotation processing
+ // at runtime by wsgen tool:
+ //       permission java.lang.RuntimePermission "createClassLoader";
+ //
+ // permission for JDK's tools.jar to sign JARs at runtime for
+ // Java Web Start support:
+ //       permissions java.security.AllPermission;
+ // on the advice of the JDK tools folks.  Should be refined later.
+ //Bug Glassfish-21012 - changing to the right location of tools.jar
+ grant codeBase "file:${com.sun.aas.javaRoot}/../lib/tools.jar" {
+     permission java.security.AllPermission;
+ };
 
-//Loading MBeans from anywhere, to take care of side effects of 6235678.
-grant {
-    permission javax.management.MBeanTrustPermission "register" ;
-};
-//Loading MBeans from anywhere, to take care of side effects of 6235678.
+ //Loading MBeans from anywhere, to take care of side effects of 6235678.
+ grant {
+     permission javax.management.MBeanTrustPermission "register" ;
+ };
+ //Loading MBeans from anywhere, to take care of side effects of 6235678.
 
 
-// Basic set of required permissions granted to all remaining code
-// The permission FilePermission "<<ALL FILES>>", "read,write"
-// allows all applications to read and write any file in the filesystem.
-// It should be changed based on real deployment needs. If you know your
-// applications just need to read/write a few directories consider removing
-// this permission and adding grants indicating those specific directories.
-// against the codebase of your application(s).
-grant {
-    //Workaround for bugs #6484935, 6513799
-    permission java.lang.RuntimePermission "getProtectionDomain";
-    permission com.sun.corba.ee.impl.presentation.rmi.DynamicAccessPermission "access";
-    permission java.util.PropertyPermission "*", "read,write";
+ // Basic set of required permissions granted to all remaining code
+ // The permission FilePermission "<<ALL FILES>>", "read,write"
+ // allows all applications to read and write any file in the filesystem.
+ // It should be changed based on real deployment needs. If you know your
+ // applications just need to read/write a few directories consider removing
+ // this permission and adding grants indicating those specific directories.
+ // against the codebase of your application(s).
+ grant {
+     //Workaround for bugs #6484935, 6513799
+     permission java.lang.RuntimePermission "getProtectionDomain";
+     permission com.sun.corba.ee.impl.presentation.rmi.DynamicAccessPermission "access";
+     permission java.util.PropertyPermission "*", "read,write";
 
-    permission java.lang.RuntimePermission  "loadLibrary.*";
-    permission java.lang.RuntimePermission  "queuePrintJob";
-    permission java.net.SocketPermission    "*", "connect";
+     permission java.lang.RuntimePermission  "loadLibrary.*";
+     permission java.lang.RuntimePermission  "queuePrintJob";
+     permission java.net.SocketPermission    "*", "connect,resolve";
 
-        // work-around for pointbase bug 4864405      
-        permission java.io.FilePermission "${com.sun.aas.instanceRoot}${/}lib${/}databases${/}-", "delete";
-        permission java.io.FilePermission "${java.io.tmpdir}${/}-", "delete";
+         // work-around for pointbase bug 4864405
+         permission java.io.FilePermission "${com.sun.aas.instanceRoot}${/}lib${/}databases${/}-", "delete";
+         permission java.io.FilePermission "${java.io.tmpdir}${/}-", "delete";
 
-    permission java.util.PropertyPermission "*", "read";
+     permission java.util.PropertyPermission "*", "read";
 
-    permission java.lang.RuntimePermission    "modifyThreadGroup";
-    permission java.lang.RuntimePermission    "getClassLoader";
-    permission java.lang.RuntimePermission    "setContextClassLoader";
-    permission javax.management.MBeanPermission "[com.sun.messaging.jms.*:*]", "*"; 
-   
-    // Following needed for CTS to pass with SM on, bug 16344201 
-    permission java.lang.RuntimePermission "closeClassLoader";                
-    permission java.io.SerializablePermission "enableSubstitution";            
-    permission java.security.SecurityPermission "getProperty.package.definition"; 
-};
+     permission java.lang.RuntimePermission    "modifyThreadGroup";
+     permission java.lang.RuntimePermission    "getClassLoader";
+     permission java.lang.RuntimePermission    "setContextClassLoader";
+     permission javax.management.MBeanPermission "[com.sun.messaging.jms.*:*]", "*";
 
-// Following grant block is only required by Connectors. If Connectors
-// are not in use the recommendation is to remove this grant.
-grant {
-        permission javax.security.auth.PrivateCredentialPermission "javax.resource.spi.security.PasswordCredential * \"*\"","read";
-};
+     // Following needed for CTS to pass with SM on, bug 16344201
+     permission java.lang.RuntimePermission "closeClassLoader";
+     permission java.io.SerializablePermission "enableSubstitution";
+     permission java.security.SecurityPermission "getProperty.package.definition";
+ };
 
-// Following grant block is only required for Reflection. If Reflection
-// is not in use the recommendation is to remove this section.
-grant {
-    permission java.lang.RuntimePermission "accessDeclaredMembers";
-};
+ // Following grant block is only required by Connectors. If Connectors
+ // are not in use the recommendation is to remove this grant.
+ grant {
+         permission javax.security.auth.PrivateCredentialPermission "javax.resource.spi.security.PasswordCredential * \"*\"","read";
+ };
 
-// Permissions to invoke CORBA objects in server
-grant {
-    permission com.sun.enterprise.security.CORBAObjectPermission "*", "*";
-};
-    // GLASSFISH-21011
-grant {
-    permission java.io.SerializablePermission "enableSubclassImplementation";
-};
+ // Following grant block is only required for Reflection. If Reflection
+ // is not in use the recommendation is to remove this section.
+ grant {
+     permission java.lang.RuntimePermission "accessDeclaredMembers";
+ };
 
-grant  codeBase "file:${com.sun.aas.instanceRoot}/applications/-"{
-    permission java.io.FilePermission       "<<ALL FILES>>", "read,write";
-    permission org.hibernate.validator.HibernateValidatorPermission "accessPrivateMembers";
-};
-//Added for changes proposed by Derby 10.12.1.1 (DERBY-6648)
-grant {
-     permission org.apache.derby.security.SystemPermission "engine", "usederbyinternals";
-};
+ // Permissions to invoke CORBA objects in server
+ grant {
+     permission com.sun.enterprise.security.CORBAObjectPermission "*", "*";
+ };
+     // GLASSFISH-21011
+ grant {
+     permission java.io.SerializablePermission "enableSubclassImplementation";
+ };
+
+ grant  codeBase "file:${com.sun.aas.instanceRoot}/applications/-"{
+     permission java.io.FilePermission       "<<ALL FILES>>", "read,write";
+     permission org.hibernate.validator.HibernateValidatorPermission "accessPrivateMembers";
+ };
+ //Added for changes proposed by Derby 10.12.1.1 (DERBY-6648) and Derby 10.14.2.0
+ grant {
+      permission org.apache.derby.security.SystemPermission "engine", "usederbyinternals";
+
+      permission java.net.SocketPermission "*", "listen";
+      permission java.net.SocketPermission "*", "accept";
+      permission java.io.FilePermission       "<<ALL FILES>>", "write,read";
+
+ };
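Review bot: The last `grant` block has no `codeBase`, so the added `SocketPermission "*", "listen"`, `SocketPermission "*", "accept"` and `FilePermission "<<ALL FILES>>", "write,read"` lines apply to all code, including deployed applications, not only Derby. The Derby `codeBase` grant earlier in this hunk now also gets `java.security.AllPermission`, which already covers these and makes its own `createClassLoader` and `FilePermission` lines redundant, so the three unscoped lines look unnecessary (assuming they were added for Derby, as the comment above them suggests). I would remove them from the global block and, if Derby does not need everything, list the specific permissions under the `file:${com.sun.aas.derbyRoot}/lib/-` grant instead of `AllPermission`. The comment names Derby 10.14.2.0 while this commit sets `derby.version` to 10.13.1.3, and the one-space re-indent of the whole file buries these functional changes among whitespace-only lines.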