/**
 * Verifies that the code source of {@code theClass} has been granted
 * {@code MBeanTrustPermission("register")} whenever a SecurityManager is installed.
 *
 * The protection domain is read inside a privileged action so the lookup is not
 * subject to the caller's own permissions; the check is then performed against a
 * context that contains only that one domain, so the class's own grants decide,
 * not the permissions of the current call stack.
 *
 * @param theClass the MBean class whose protection domain is checked
 * @throws SecurityException if that domain lacks the "register" trust permission
 */
private static void checkMBeanTrustPermission(final Class<?> theClass) throws SecurityException {
    final SecurityManager manager = System.getSecurityManager();
    if (manager == null) {
        return; // no SecurityManager installed: nothing to enforce
    }
    final PrivilegedAction<ProtectionDomain> readDomain = new PrivilegedAction<ProtectionDomain>() {
        public ProtectionDomain run() {
            return theClass.getProtectionDomain();
        }
    };
    final ProtectionDomain domain = AccessController.doPrivileged(readDomain);
    // Context made of the class's domain alone, deliberately excluding the caller's frames.
    final AccessControlContext classOnly = new AccessControlContext(new ProtectionDomain[] { domain });
    manager.checkPermission(new MBeanTrustPermission("register"), classOnly);
}
/**
 * Packages {@code mbeanClass} together with {@link ServiceActivatorDeployment} into a
 * JAR at {@code destination}, ready to be deployed as a service activator.
 *
 * The archive carries a {@code permissions.xml} limited to registering and
 * unregistering the given MBean plus the "register" trust permission, a MANIFEST
 * declaring the module dependencies the activator needs, and a properties resource
 * telling the activator which class and object name to register.
 *
 * @param destination file the exported JAR is written to
 * @param objectName  JMX object name the MBean is registered under
 * @param mbeanClass  the MBean implementation class to include and register
 * @throws IOException if the archive cannot be exported
 */
public static void createServiceActivatorDeployment(File destination, String objectName, Class mbeanClass) throws IOException {
    final JavaArchive jar = ShrinkWrap.create(JavaArchive.class)
            .addClass(ServiceActivatorDeployment.class)
            .addClass(mbeanClass)
            .addAsServiceProvider(ServiceActivator.class, ServiceActivatorDeployment.class);

    // Same key=value lines the activator reads back from PROPERTIES_RESOURCE.
    final String properties = ServiceActivatorDeployment.MBEAN_CLASS_NAME + '=' + mbeanClass.getName() + "\n"
            + ServiceActivatorDeployment.MBEAN_OBJECT_NAME + '=' + objectName + "\n";

    // Least-privilege grant: only this MBean may be (un)registered by the deployment.
    jar.addAsManifestResource(PermissionUtils.createPermissionsXmlAsset(
            getMBeanPermission(mbeanClass, objectName, "registerMBean"),
            getMBeanPermission(mbeanClass, objectName, "unregisterMBean"),
            new MBeanTrustPermission("register")), "permissions.xml");
    jar.addAsManifestResource(
            new StringAsset("Dependencies: org.jboss.msc,org.jboss.as.jmx,org.jboss.as.server,org.jboss.as.controller\n"),
            "MANIFEST.MF");
    jar.addAsResource(new StringAsset(properties), ServiceActivatorDeployment.PROPERTIES_RESOURCE);

    jar.as(ZipExporter.class).exportTo(destination);
}
/**
 * Adds this fixture's grants to {@code col}.
 *
 * The set is effectively all-powerful: {@code RuntimePermission("*")} and
 * {@code SecurityPermission("*")} alone cover nearly everything a policy can
 * restrict, and the MBean grants use full wildcards. Only use where an
 * unrestricted domain is intended.
 */
public void setPermissions() {
    final java.security.Permission[] grants = {
        new MBeanPermission("*#*[*:*]", "registerMBean"),
        new LoggingPermission("control", null),  // second argument must be null for this permission
        new SecurityPermission("*"),
        new PropertyPermission("*", "read,write"),
        new RuntimePermission("*"),
        new MBeanTrustPermission("*"),
    };
    for (java.security.Permission grant : grants) {
        col.add(grant);
    }
}
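/**
 * Builds the permission set the server runs under and installs it via
 * {@code setSecurityPolicy}. Every grant is derived from configuration: network
 * reach (listen port, configured outbound hosts, the auth server), the paths under
 * the working directory used by the embedded database, the SSL keystore, file
 * uploads and SAML, and the JMX grants the Oracle JDBC driver needs.
 *
 * Outbound hosts from {@code connect.outbound} are trimmed and blank entries are
 * skipped, so a stray comma cannot turn into an unintended grant.
 *
 * @return this instance, for chaining
 * @throws Exception if the configuration cannot be read or a URL fails to parse
 */
private Main installSecurityPolicy() throws Exception {
    Config config = readConfig();
    List<Permission> permissions = new ArrayList<>();

    // Need access to the network interface/port to which we listen
    PortInfo listen = PortInfo.parseUrl(config.getString("listen.url", "http://localhost:8000"));
    permissions.add(new SocketPermission("*:" + listen.port(), "listen,resolve"));

    // Configurable list of servers to which we can connect
    String csv = config.getString("connect.outbound");
    if (csv != null) {
        for (String s : csv.split(",")) {
            String host = s.trim();
            if (host.isEmpty()) {
                // A doubled or stray comma must not become a grant: SocketPermission
                // treats an empty host as localhost (confirm against the JDK in use).
                continue;
            }
            permissions.add(new SocketPermission(host, "connect,resolve"));
        }
    }

    // For fake security we need to act as a client to our own embedded authentication
    if (config.getBooleanOrFalse("insecure.fake.security")) {
        permissions.add(new SocketPermission("localhost:" + listen.port(), "connect,resolve"));
    }

    // Connecting to centralized authentication server
    // (no default here; parseUrl is assumed to yield null when the key is unset, hence the check)
    PortInfo authServer = PortInfo.parseUrl(config.getString("auth.server.base.uri"));
    if (authServer != null) {
        permissions.add(new SocketPermission(authServer.host() + ":" + authServer.port(), "connect,resolve"));
    }

    // These two are for hsqldb to store its database files
    permissions.add(new FilePermission(workDir() + "/.hsql", "read,write,delete"));
    permissions.add(new FilePermission(workDir() + "/.hsql/-", "read,write,delete"));

    // In case we are terminating SSL/TLS on the server (read-only: the keystore is never written)
    permissions.add(new FilePermission(workDir() + "/local.ssl.jks", "read"));

    // Vert.x default directory for handling file uploads
    permissions.add(new FilePermission(workDir() + "/file-uploads", "read,write"));

    // The SAML implementation needs these four (xml parsing; write metadata into conf)
    permissions.add(new FilePermission(workDir() + "/conf", "read,write"));
    permissions.add(new FilePermission(workDir() + "/conf/-", "read,write"));
    permissions.add(new SecurityPermission("org.apache.xml.security.register"));
    permissions.add(new PropertyPermission("org.apache.xml.security.ignoreLineBreaks", "write"));

    // Oracle JDBC driver requires these
    Flavor flavor = Flavor.fromJdbcUrl(config.getString("database.url", "jdbc:postgresql:"));
    if (flavor == Flavor.oracle) {
        permissions.add(new MBeanServerPermission("createMBeanServer"));
        permissions.add(new ManagementPermission("control"));
        permissions.add(new MBeanPermission("*", "registerMBean"));
        permissions.add(new MBeanTrustPermission("register"));
    }

    setSecurityPolicy(permissions.toArray(new Permission[0]));
    return this;
}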
/**
 * Hook deciding whether the given trust permission is honoured.
 *
 * This implementation accepts every {@code MBeanTrustPermission} unconditionally;
 * the parameter is not inspected. Subclasses that need to restrict which code
 * sources may register MBeans override this method.
 *
 * @param perm the permission being checked (ignored here)
 * @return always {@code true}
 */
protected boolean checkMBeanTrustPermission(MBeanTrustPermission perm) {
    final boolean trusted = true; // unconditional: no policy is consulted at this level
    return trusted;
}
/**
 * Adds this fixture's grants to {@code col}.
 *
 * Compared with a full wildcard set, system properties are only readable here,
 * but {@code RuntimePermission("*")} and {@code SecurityPermission("*")} still
 * make the domain effectively unrestricted. Only use where that is intended.
 */
public void setPermissions() {
    final java.security.Permission[] grants = {
        new SecurityPermission("*"),
        new PropertyPermission("*", "read"),
        new RuntimePermission("*"),
        new MBeanTrustPermission("*"),
    };
    for (java.security.Permission grant : grants) {
        col.add(grant);
    }
}