1/*
2 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
3 *
4 * Copyright (c) 2013-2017 Oracle and/or its affiliates. All rights reserved.
5 *
6 * The contents of this file are subject to the terms of either the GNU
7 * General Public License Version 2 only ("GPL") or the Common Development
8 * and Distribution License("CDDL") (collectively, the "License").  You
9 * may not use this file except in compliance with the License.  You can
10 * obtain a copy of the License at
11 * https://glassfish.dev.java.net/public/CDDL+GPL_1_1.html
12 * or packager/legal/LICENSE.txt.  See the License for the specific
13 * language governing permissions and limitations under the License.
14 *
15 * When distributing the software, include this License Header Notice in each
16 * file and include the License file at packager/legal/LICENSE.txt.
17 *
18 * GPL Classpath Exception:
19 * Oracle designates this particular file as subject to the "Classpath"
20 * exception as provided by Oracle in the GPL Version 2 section of the License
21 * file that accompanied this code.
22 *
23 * Modifications:
24 * If applicable, add the following below the License Header, with the fields
25 * enclosed by brackets [] replaced by your own identifying information:
26 * "Portions Copyright [year] [name of copyright owner]"
27 *
28 * Contributor(s):
29 * If you wish your version of this file to be governed by only the CDDL or
30 * only the GPL Version 2, indicate your decision by adding "[Contributor]
31 * elects to include this software in this distribution under the [CDDL or GPL
32 * Version 2] license."  If you don't indicate a single choice of license, a
33 * recipient has the option to distribute your version of this file under
34 * either the CDDL, the GPL Version 2 or to extend the choice of license to
35 * its licensees as provided above.  However, if you add GPL Version 2 code
36 * and therefore, elected the GPL Version 2 license, then the option applies
37 * only if the new code is made subject to such option by the copyright
38 * holder.
39 */
40 // Portions Copyright [2019-2020] [Payara Foundation and/or its affiliates]
41
// Trusted server code. A codeBase ending in "/-" matches every JAR and class
// under that directory recursively, and AllPermission switches off every
// SecurityManager check for code loaded from it. The sandbox defined further
// down therefore only holds if these directories are not writable by the
// accounts that can deploy applications: a JAR dropped into lib/ runs fully
// privileged.
grant codeBase "file:${com.sun.aas.installRoot}/lib/-" {
    permission java.security.AllPermission;
};

// Core server modules: fully privileged, same caveat as lib/ above.
grant codeBase "file:${com.sun.aas.installRoot}/modules/-" {
    permission java.security.AllPermission;
};

// Felix OSGi framework classes: fully privileged.
grant codeBase "file:${com.sun.aas.installRoot}/osgi/felix/bin/-" {
    permission java.security.AllPermission;
};

// iMQ (message queue) client library: fully privileged.
grant codeBase "file:${com.sun.aas.imqLib}/-" {
    permission java.security.AllPermission;
};
61
// H2 driver classes. Unlike the grants above this is NOT AllPermission: H2
// is granted only class-loader creation and file access. "<<ALL FILES>>"
// read,write is, however, far broader than the directories a database
// engine stores its files in; consider narrowing it to the database
// location(s) used by this deployment (NOTE(review): that location is not
// visible from this file, so it has been left as is).
grant codeBase "file:${fish.payara.aas.h2Root}/bin/-" {
    permission java.lang.RuntimePermission "createClassLoader";
    permission java.io.FilePermission       "<<ALL FILES>>", "read,write";
};
67
68
// JDK tools.jar (wsgen for web-service annotation processing at runtime,
// and JAR signing at runtime for Java Web Start support) is granted
// AllPermission on the advice of the JDK tools team. The smaller set it is
// believed to need (RuntimePermission "createClassLoader" for wsgen) was
// never confirmed, so the grant has not been refined - still a TODO.
// Bug Glassfish-21012 - corrected path of tools.jar; it presumes
// ${com.sun.aas.javaRoot} is the JRE directory inside a JDK install.
// tools.jar was removed in JDK 9: on JDK 9 or later this codeBase matches
// nothing and the grant is inert (harmless, but can be dropped there).
grant codeBase "file:${com.sun.aas.javaRoot}/../lib/tools.jar" {
    permission java.security.AllPermission;
};
81
// Allow MBeans from any code base to be registered (works around side
// effects of JDK bug 6235678). This grant has no codeBase, so the
// MBeanServer's trust check passes for MBean classes from every code base,
// including deployed applications, not just server code.
grant {
    permission javax.management.MBeanTrustPermission "register" ;
};
87
88
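// Baseline permissions granted to ALL code, whatever its code base. The
// trusted grants above already hold AllPermission, so in practice this block
// defines the sandbox for deployed applications.
//
// This block grants NO java.io.FilePermission for reading or writing - only
// the two "delete" work-arounds below. Read/write file access for deployed
// applications is granted separately by the "applications/-" codeBase grant
// at the end of this file, and should be reviewed there.
//
// Review notes on the broader entries:
//  - PropertyPermission "*" read,write: any code may read and change any
//    system property, including properties other code consults for
//    security-relevant configuration.
//  - RuntimePermission "loadLibrary.*": any code may load any native library.
//    Native code is not subject to SecurityManager checks, so code that can
//    also write a file it controls to disk (see the "<<ALL FILES>>" grant for
//    applications below) effectively escapes the sandbox. Consider removing
//    this or scoping it to the libraries the deployment really needs.
//  - SocketPermission "*" connect: outbound connections to any host/port.
//  - SecurityPermission "createPolicy.JavaPolicy": code may obtain Policy
//    instances; getClassLoader / setContextClassLoader are needed by most
//    container code but widen what deployed code can reach.
grant {
    //Workaround for bugs #6484935, 6513799
    permission java.lang.RuntimePermission "getProtectionDomain";
    permission com.sun.corba.ee.impl.presentation.rmi.DynamicAccessPermission "access";
    // "read,write" already includes "read"; a second, redundant
    // PropertyPermission "*", "read" entry was removed from this block.
    permission java.util.PropertyPermission "*", "read,write";

    permission java.lang.RuntimePermission  "loadLibrary.*";
    permission java.lang.RuntimePermission  "queuePrintJob";
    permission java.net.SocketPermission    "*", "connect";

    // work-around for pointbase bug 4864405
    permission java.io.FilePermission "${com.sun.aas.instanceRoot}${/}lib${/}databases${/}-", "delete";
    permission java.io.FilePermission "${java.io.tmpdir}${/}-", "delete";

    permission java.lang.RuntimePermission    "modifyThreadGroup";
    permission java.lang.RuntimePermission    "getClassLoader";
    permission java.lang.RuntimePermission    "setContextClassLoader";
    permission javax.management.MBeanPermission "[com.sun.messaging.jms.*:*]", "*";

    // Following needed for CTS to pass with SM on, bug 16344201
    permission java.lang.RuntimePermission "closeClassLoader";
    permission java.io.SerializablePermission "enableSubstitution";
    permission java.security.SecurityPermission "getProperty.package.definition";
    permission java.security.SecurityPermission "createPolicy.JavaPolicy";
};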
123
// Only required by Connectors (resource adapters); remove this grant if no
// resource adapter is deployed. The target 'PasswordCredential * "*"'
// matches any principal class and any principal name, so any code may read
// the javax.resource.spi.security.PasswordCredential private credentials of
// any Subject it can get hold of.
grant {
        permission javax.security.auth.PrivateCredentialPermission "javax.resource.spi.security.PasswordCredential * \"*\"","read";
};
129
// Only required by code that reflects over non-public members; remove this
// grant if reflection is not in use. "accessDeclaredMembers" permits
// Class.getDeclared*() on any class. It does NOT include ReflectPermission
// "suppressAccessChecks", so setAccessible(true) on non-public members is
// still denied to code that has no other grant.
grant {
    permission java.lang.RuntimePermission "accessDeclaredMembers";
};
135
// Permissions to invoke CORBA objects in the server. CORBAObjectPermission is
// a server-specific permission class; "*", "*" grants every target and every
// action it defines to all code. NOTE(review): its target semantics are not
// visible from this file - check the class before attempting to narrow it.
grant {
    permission com.sun.enterprise.security.CORBAObjectPermission "*", "*";
};
// GLASSFISH-21011 - serialization permission required by all code:
grant {
    // "enableSubclassImplementation" lets any code subclass
    // ObjectInputStream / ObjectOutputStream and override how objects are
    // serialized or deserialized. The JDK documents this as a permission
    // that lets code (de)serialize "in a purposefully malfeasant manner";
    // keep that in mind wherever the server deserializes untrusted input.
    permission java.io.SerializablePermission "enableSubclassImplementation";
};
144
// JMX access for ALL code. MBeanPermission with action "*" covers every
// action (getAttribute, setAttribute, invoke, register, unregister, ...) on
// any MBean whose implementation class matches the pattern, or, for the
// "[domain:*]" forms, any MBean in that object-name domain.
// "sun.management.*" and "javax.management.*" thus expose the JDK platform
// MBeans (memory, logging, diagnostics, ...) to every deployed application,
// not only to monitoring code. NOTE(review): on JDK 9+ several platform
// MBean implementations live under com.sun.management.internal.* instead,
// so verify against the target JDK which classes the first pattern matches.
// ManagementPermission "monitor" is the read-only half of that permission
// ("control" is not granted).
grant {
    permission javax.management.MBeanPermission "sun.management.*", "*";
    permission javax.management.MBeanPermission "javax.management.*", "*";
    permission javax.management.MBeanPermission "[amx:*]", "*";
    permission javax.management.MBeanPermission "[amx-support:*]", "*";
    permission java.lang.management.ManagementPermission "monitor";
    permission javax.management.MBeanPermission "com.hazelcast.*", "*";
    permission javax.management.MBeanPermission "fish.payara.*", "*";
};
154
// Deployed applications may read and write ANY file the server's OS account
// can reach: "<<ALL FILES>>" is not limited to the domain directory, so this
// covers the domain configuration and this policy file as well. Narrow it to
// the directories the applications really need (for example their own
// deployment directory plus a data directory), using separate codeBase
// grants where individual applications differ. Note also that, together
// with RuntimePermission "loadLibrary.*" granted to all code above,
// unrestricted write access lets an application write and load a native
// library, which bypasses the SecurityManager entirely.
grant  codeBase "file:${com.sun.aas.instanceRoot}/applications/-"{
    permission java.io.FilePermission       "<<ALL FILES>>", "read,write";
};
158