/*
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
 *
 * Copyright (c) 2013-2017 Oracle and/or its affiliates. All rights reserved.
 *
 * The contents of this file are subject to the terms of either the GNU
 * General Public License Version 2 only ("GPL") or the Common Development
 * and Distribution License("CDDL") (collectively, the "License"). You
 * may not use this file except in compliance with the License. You can
 * obtain a copy of the License at
 * https://glassfish.dev.java.net/public/CDDL+GPL_1_1.html
 * or packager/legal/LICENSE.txt. See the License for the specific
 * language governing permissions and limitations under the License.
 *
 * When distributing the software, include this License Header Notice in each
 * file and include the License file at packager/legal/LICENSE.txt.
 *
 * GPL Classpath Exception:
 * Oracle designates this particular file as subject to the "Classpath"
 * exception as provided by Oracle in the GPL Version 2 section of the License
 * file that accompanied this code.
 *
 * Modifications:
 * If applicable, add the following below the License Header, with the fields
 * enclosed by brackets [] replaced by your own identifying information:
 * "Portions Copyright [year] [name of copyright owner]"
 *
 * Contributor(s):
 * If you wish your version of this file to be governed by only the CDDL or
 * only the GPL Version 2, indicate your decision by adding "[Contributor]
 * elects to include this software in this distribution under the [CDDL or GPL
 * Version 2] license." If you don't indicate a single choice of license, a
 * recipient has the option to distribute your version of this file under
 * either the CDDL, the GPL Version 2 or to extend the choice of license to
 * its licensees as provided above. However, if you add GPL Version 2 code
 * and therefore, elected the GPL Version 2 license, then the option applies
 * only if the new code is made subject to such option by the copyright
 * holder.
 */
// Portions Copyright [2019-2020] [Payara Foundation and/or its affiliates]

// Java security policy file. These grants are consulted only when the JVM
// runs with a security manager. A codeBase ending in "/-" matches every class
// and JAR file under that directory, recursively; a grant block without a
// codeBase applies to all code.
//
// The first four grants give java.security.AllPermission to whole directory
// trees, so anything placed under those paths runs fully trusted. Keep those
// directories writable only by the account that administers the server.

// classes in lib get all permissions by default
grant codeBase "file:${com.sun.aas.installRoot}/lib/-" {
    permission java.security.AllPermission;
};

// Core server classes get all permissions by default
grant codeBase "file:${com.sun.aas.installRoot}/modules/-" {
    permission java.security.AllPermission;
};

// Felix classes get all permissions by default
grant codeBase "file:${com.sun.aas.installRoot}/osgi/felix/bin/-" {
    permission java.security.AllPermission;
};

// iMQ classes get all permissions by default
grant codeBase "file:${com.sun.aas.imqLib}/-" {
    permission java.security.AllPermission;
};

// H2 driver classes: unlike the grants above this is NOT AllPermission. The
// block grants class-loader creation plus read/write access to every file.
grant codeBase "file:${fish.payara.aas.h2Root}/bin/-" {
    permission java.lang.RuntimePermission "createClassLoader";
    permission java.io.FilePermission "<<ALL FILES>>", "read,write";
};


// permission for JDK's tools.jar to enable webservice annotation processing
// at runtime by wsgen tool:
//       permission java.lang.RuntimePermission "createClassLoader";
//
// permission for JDK's tools.jar to sign JARs at runtime for
// Java Web Start support:
//       permission java.security.AllPermission;
// on the advice of the JDK tools folks. Should be refined later.
// Bug Glassfish-21012 - changing to the right location of tools.jar
//
// NOTE(review): the grant below is the broader of the two options described
// above; AllPermission already covers the createClassLoader case. tools.jar
// was removed from the JDK in Java 9, so on newer runtimes this codeBase
// presumably matches nothing - confirm against the supported JDK versions.
grant codeBase "file:${com.sun.aas.javaRoot}/../lib/tools.jar" {
    permission java.security.AllPermission;
};

// Loading MBeans from anywhere, to take care of side effects of 6235678.
// No codeBase: every code source is trusted to register MBeans.
grant {
    permission javax.management.MBeanTrustPermission "register" ;
};


// Basic set of required permissions granted to all remaining code. The block
// has no codeBase, so every entry below is available to any code, including
// deployed applications.
// This block does not itself contain FilePermission "<<ALL FILES>>",
// "read,write"; in this file that permission is granted by the codeBase grant
// for ${com.sun.aas.instanceRoot}/applications/- at the end of the file.
grant {
    //Workaround for bugs #6484935, 6513799
    permission java.lang.RuntimePermission "getProtectionDomain";
    permission com.sun.corba.ee.impl.presentation.rmi.DynamicAccessPermission "access";
    // Read and write access to every system property.
    permission java.util.PropertyPermission "*", "read,write";

    // NOTE(review): "loadLibrary.*" lets any code load any native library, and
    // native code is not subject to permission checks. SocketPermission "*",
    // "connect" allows outbound connections to any host and port. Narrow both
    // to named libraries and hosts where the deployment allows it.
    permission java.lang.RuntimePermission "loadLibrary.*";
    permission java.lang.RuntimePermission "queuePrintJob";
    permission java.net.SocketPermission "*", "connect";

    // work-around for pointbase bug 4864405
    // The trailing "-" is recursive: delete applies to everything under the
    // instance's lib/databases directory and under java.io.tmpdir.
    permission java.io.FilePermission "${com.sun.aas.instanceRoot}${/}lib${/}databases${/}-", "delete";
    permission java.io.FilePermission "${java.io.tmpdir}${/}-", "delete";

    // Already implied by the PropertyPermission "*", "read,write" entry above.
    permission java.util.PropertyPermission "*", "read";

    // Thread-group and class-loader access for all code.
    permission java.lang.RuntimePermission "modifyThreadGroup";
    permission java.lang.RuntimePermission "getClassLoader";
    permission java.lang.RuntimePermission "setContextClassLoader";
    // All MBean actions on object names in the com.sun.messaging.jms.* domains.
    permission javax.management.MBeanPermission "[com.sun.messaging.jms.*:*]", "*";

    // Following needed for CTS to pass with SM on, bug 16344201
    permission java.lang.RuntimePermission "closeClassLoader";
    permission java.io.SerializablePermission "enableSubstitution";
    permission java.security.SecurityPermission "getProperty.package.definition";
    permission java.security.SecurityPermission "createPolicy.JavaPolicy";
};

// Following grant block is only required by Connectors. If Connectors
// are not in use the recommendation is to remove this grant.
// As written it lets all code read PasswordCredential private credentials
// belonging to any principal class ("*") with any principal name ("*").
grant {
    permission javax.security.auth.PrivateCredentialPermission "javax.resource.spi.security.PasswordCredential * \"*\"","read";
};

// Following grant block is only required for Reflection. If Reflection
// is not in use the recommendation is to remove this section.
grant {
    permission java.lang.RuntimePermission "accessDeclaredMembers";
};

// Permissions to invoke CORBA objects in server
grant {
    permission com.sun.enterprise.security.CORBAObjectPermission "*", "*";
};

// GLASSFISH-21011
grant {
    permission java.io.SerializablePermission "enableSubclassImplementation";
};

// JMX access for all code: every MBeanPermission action ("*") on the listed
// class-name patterns and on the [amx:*] / [amx-support:*] object-name
// patterns, plus the "monitor" ManagementPermission.
grant {
    permission javax.management.MBeanPermission "sun.management.*", "*";
    permission javax.management.MBeanPermission "javax.management.*", "*";
    permission javax.management.MBeanPermission "[amx:*]", "*";
    permission javax.management.MBeanPermission "[amx-support:*]", "*";
    permission java.lang.management.ManagementPermission "monitor";
    permission javax.management.MBeanPermission "com.hazelcast.*", "*";
    permission javax.management.MBeanPermission "fish.payara.*", "*";
};

// Deployed applications (everything under the instance's applications
// directory).
// The permission FilePermission "<<ALL FILES>>", "read,write"
// allows all applications to read and write any file in the filesystem.
// It should be changed based on real deployment needs. If you know your
// applications just need to read/write a few directories consider removing
// this permission and adding grants indicating those specific directories
// against the codebase of your application(s).
grant codeBase "file:${com.sun.aas.instanceRoot}/applications/-"{
    permission java.io.FilePermission "<<ALL FILES>>", "read,write";
};