Sample customized Java security policy file
Here is a sample customized Java security policy file.
Java securitypolicy file sample
grant codeBase "file:///Users/me/javadb/lib/derby.jar"
{
//
// These permissions are needed for everyday, embedded Derby usage.
//
permission java.lang.RuntimePermission "createClassLoader";
permission java.util.PropertyPermission "derby.*", "read";
permission java.util.PropertyPermission "user.dir", "read";
permission java.util.PropertyPermission "derby.storage.jvmInstanceId",
"write";
permission org.apache.derby.security.SystemPermission "engine", "usederbyinternals";
// The next two properties are used to determine if the VM is 32-bit
// or 64-bit.
permission java.util.PropertyPermission "sun.arch.data.model", "read";
permission java.util.PropertyPermission "os.arch", "read";
permission java.io.FilePermission "/Users/me/derby/dummy","read";
permission java.io.FilePermission "/Users/me/derby/dummy${/}-",
"read,write,delete";
//
// This permission lets a DBA reload the policy file while the server
// is still running. The policy file is reloaded by invoking the
// SYSCS_UTIL.SYSCS_RELOAD_SECURITY_POLICY() system procedure.
//
permission java.security.SecurityPermission "getPolicy";
//
// This permission lets you back up and restore databases
// to and from arbitrary locations in your file system.
//
// This permission also lets you import/export data to and from
// arbitrary locations in your file system.
//
// You may want to restrict this access to specific directories.
//
permission java.io.FilePermission "/Users/me/derby/dummy/backups/-",
"read,write,delete";
// imports/exports
permission java.io.FilePermission "/Users/me/derby/dummy/imports/-",
"read,write,delete";
// jar files of user-written functions and procedures
permission java.io.FilePermission "/Users/me/derby/dummy/jars/-",
"read,write,delete";
//
// Permissions needed for JMX based management and monitoring, which is
// available only for JVMs that support "platform management", that is,
// Java SE 5.0 or above.
//
// Allows this code to create an MBeanServer:
//
permission javax.management.MBeanServerPermission "createMBeanServer";
//
// Allows access to Derby's built-in MBeans, within the domain
// org.apache.derby. Derby must be allowed to register and unregister
// these MBeans. It is possible to allow access only to specific
// MBeans, // attributes, or operations. To fine-tune this
// permission, see the API documentation of
// javax.management.MBeanPermission or the JMX Instrumentation and
// Agent Specification.
//
permission javax.management.MBeanPermission
"org.apache.derby.*#[org.apache.derby:*]",
"registerMBean,unregisterMBean";
//
// Trusts Derby code to be a source of MBeans and to register these in
// the MBean server.
//
permission javax.management.MBeanTrustPermission "register";
// getProtectionDomain is an optional permission needed for printing
// classpath information to derby.log.
permission java.lang.RuntimePermission "getProtectionDomain";
//
// The following permission must be granted for
// Connection.abort(Executor) to work. Note that this permission must
// also be granted to outer (application) code domains.
//
permission java.sql.SQLPermission "callAbort";
// Needed by file permissions restriction system.
permission java.lang.RuntimePermission "accessUserInformation";
permission java.lang.RuntimePermission "getFileStoreAttributes";
// This permission is needed to connect to the LDAP server in order
// to authenticate users.
// permission java.net.SocketPermission "127.0.0.1:1389",
// "accept,connect,resolve";
};
grant codeBase "file:///Users/me/javadb/lib/derbynet.jar"
{
//
// This permission lets the Network Server manage connections from
// clients.
//
// Accept connections from any host. Derby is listening to the host
// interface specified via the -h option to "NetworkServerControl
// start" on the command line, via the address parameter to the
// org.apache.derby.drda.NetworkServerControl constructor in the API
// or via the property derby.drda.host; the default is localhost.
// You may want to restrict allowed hosts, e.g. to hosts in a specific
// subdomain, e.g. "*.example.com".
permission java.net.SocketPermission "localhost:0-", "accept";
//
// Needed for server tracing.
//
permission java.io.FilePermission "/Users/me/derby/dummy/traces${/}-",
"read,write,delete";
// Needed by file permissions restriction system.
permission java.lang.RuntimePermission "accessUserInformation";
permission java.lang.RuntimePermission "getFileStoreAttributes";
permission java.util.PropertyPermission
"derby.__serverStartedFromCmdLine", "read, write";
// JMX: Needed to boot MBeans
permission org.apache.derby.security.SystemPermission "engine", "usederbyinternals";
// JMX: Uncomment this permission to allow the ping operation of the
// NetworkServerMBean to connect to the Network Server.
//permission java.net.SocketPermission "*", "connect,resolve";
//
// Needed by sysinfo. The file permission is needed to check the
// existence of jars on the classpath. You can limit this permission to
// just the locations that hold your jar files.
//
// In this template file, this block of permissions is granted to
// derbynet.jar under the assumption that derbynet.jar is the first jar
// file in your classpath that contains the sysinfo classes. If that is
// not the case, then you will want to grant this block of permissions
// to the first jar file in your classpath that contains the sysinfo
// classes. Those classes are bundled into the following Derby jar
// files:
//
// derbynet.jar
// derby.jar
// derbyclient.jar
// derbytools.jar
//
permission java.util.PropertyPermission "user.*", "read";
permission java.util.PropertyPermission "java.home", "read";
permission java.util.PropertyPermission "java.class.path", "read";
permission java.util.PropertyPermission "java.runtime.version", "read";
permission java.util.PropertyPermission "java.fullversion", "read";
permission java.lang.RuntimePermission "getProtectionDomain";
permission java.io.FilePermission "/Users/me/javadb/lib/-", "read";
};