You should run the Network Server under the Java security manager.
An sample security policy file is shown in the following examples. Fine tune
this policy to suit your needs.
Opening
up the server to all clients without limiting access by using a policy similar
to the one in the following example is a severe security risk.//Recommended set of permissions to start and use the Network Server,
//assuming the 'd://lib' directory has been secured.
//Fine tune based on your environment settings
grant codeBase "file:d://lib/-" {
permission java.io.FilePermission "${derby.system.home}${/}-",
"read, write, delete";
permission java.io.FilePermission "${derby.system.home}","read";
permission java.io.FilePermission "${user.dir}${/}-", "read, write, delete";
permission java.util.PropertyPermission "derby.*", "read";
permission java.util.PropertyPermission "user.dir", "read";
permission java.lang.RuntimePermission "createClassLoader";
permission java.net.SocketPermission "myclientmachine", "accept";
};
//Required set of permissions to stop the Network Server, assuming you have
// secured the 'd://lib' directory
//Remember to fine tune this as per your environment.
grant codeBase "file:d://lib/-" {
//Following is required when server is started with "-h localhost"
//or without the -h option
permission java.net.SocketPermission "localhost", "accept, connect, resolve";
permission java.net.SocketPermission "127.0.0.1", "accept, connect, resolve";
//The following is only required if the server is started with the -h <host>
//option (else shutdown access will be denied).
permission java.net.SocketPermission "<host>:*", "accept, connect, resolve";
};