Security

Leon edited this page Jul 9, 2013 · 11 revisions

JVM Security Manager

Most application containers (like Tomcat) actually say they havent tested a lot with security managers, so expect weird errors.

Below is a list of permissions you have to add to make BIMserver work, this list will probably have to be updated a lot, please let us know if things are missing or not required anymore:

grant { 
        // Read only file permissions on eclipse workspace, you wont need this on an application server
        permission java.io.FilePermission "..", "read";
        permission java.io.FilePermission "../-", "read";

        // Read only file permissions on local git repository, you wont need this on an application server
        permission java.io.FilePermission "C:/Users/Ruben/git/-", "read";

        // Read/Write/Delete file permissions on home directory
        permission java.io.FilePermission "home/-", "read, write, delete";

        // Needed to catch all exceptions
        permission java.lang.RuntimePermission "setDefaultUncaughtExceptionHandler";

        // Permissions needed for OSGI (needed for Eclipse code that parses Java code to AST)
        // TODO this sucks, eclipse its OSGI implementation is requesting all property permissions (read and write!!)
        permission java.util.PropertyPermission "*", "read, write";

        // Needed to suppress logging to sysout/syserr of IFC schema parser (which uses antlr)
        permission java.lang.RuntimePermission "setIO";

        // Allow the webserver to accept incoming connections on port 8080
        permission java.net.SocketPermission "*", "listen, accept, connect, resolve";

        // Needed for java reflection
        permission java.lang.RuntimePermission "accessClassInPackage.sun.reflect.generics.reflectiveObjects";

        // Needed for Jetty (Embedded Webserver)
        permission java.lang.RuntimePermission "setContextClassLoader";

        // Needed for BerkeleyDB
        permission java.util.logging.LoggingPermission "control";
        permission java.lang.management.ManagementPermission "monitor";
        
        // Needed for JAXB serialization/deserialization, it sounds very broad, but its not really a security issue
        permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
        permission java.lang.RuntimePermission "accessDeclaredMembers";
        
        // Needed by CXF (Web Services)
        permission javax.xml.ws.WebServicePermission "publishEndpoint";
        
        // Needed by EMF
        permission java.lang.RuntimePermission "getClassLoader";
        permission java.lang.RuntimePermission "accessClassInPackage.com.sun.org.apache.xerces.internal.parsers";

        // Needed for PluginManager
        permission java.lang.RuntimePermission "createClassLoader";

        // Permissions to read system properties
        permission java.util.PropertyPermission "java.version", "read";
        permission java.util.PropertyPermission "java.vendor", "read";
        permission java.util.PropertyPermission "java.vendor.url", "read";
        permission java.util.PropertyPermission "java.class.version", "read";
        permission java.util.PropertyPermission "java.class.path", "read";
        permission java.util.PropertyPermission "os.name", "read";
        permission java.util.PropertyPermission "os.version", "read";
        permission java.util.PropertyPermission "os.arch", "read";
        permission java.util.PropertyPermission "file.separator", "read";
        permission java.util.PropertyPermission "path.separator", "read";
        permission java.util.PropertyPermission "line.separator", "read";
        permission java.util.PropertyPermission "user.dir", "read";
        
        permission java.util.PropertyPermission "java.specification.version", "read";
        permission java.util.PropertyPermission "java.specification.vendor", "read";
        permission java.util.PropertyPermission "java.specification.name", "read";
        
        permission java.util.PropertyPermission "java.vm.specification.version","read";
        permission java.util.PropertyPermission "java.vm.specification.vendor","read";
        permission java.util.PropertyPermission "java.vm.specification.name", "read";
        permission java.util.PropertyPermission "java.vm.version", "read";
        permission java.util.PropertyPermission "java.vm.vendor", "read";
        permission java.util.PropertyPermission "java.vm.name", "read";
};
Clone this wiki locally
You can’t perform that action at this time.
You signed in with another tab or window. Reload to refresh your session. You signed out in another tab or window. Reload to refresh your session.
Press h to open a hovercard with more details.