I had installed WLS 6.0 on Solaris 2.6 and tried to turn on
the Java security manager with these options:
-Djava.security.policy==/usr/home/bea/wlserver6.0/lib/weblogic.policy -Djava.security.manager
This makes me unable to boot WLS. Here are the contents of my weblogic.policy:
grant {
    // Permission "enableSubstitution" needed to run the WebLogic console
    permission java.io.SerializablePermission "enableSubstitution";
    // Permission "modifyThreadGroup" required to run the WebLogic Server
    permission java.lang.RuntimePermission "modifyThreadGroup";
    permission java.lang.RuntimePermission "setContextClassLoader";
    // Permission "setIO" needed to start a server from the WebLogic console
    permission java.lang.RuntimePermission "setIO";
    // Permission "getClassLoader" needed for many EJB clients
    permission java.lang.RuntimePermission "getClassLoader";
    permission java.lang.RuntimePermission "stopThread";
    permission java.net.SocketPermission "localhost:1024-", "listen";
    permission java.util.PropertyPermission "*", "read,write";
    permission java.io.FilePermission "${/}usr${/}home${/}bea${/}wlserver6.0${/}-",
        "read,write,delete,execute";
And here is the error that occurs:
java.security.AccessControlException: access denied (java.io.FilePermission /usr/home/bea/wlserver6.0 read)
    at java.security.AccessControlContext.checkPermission(AccessControlContext.java:272)
    at java.security.AccessController.checkPermission(AccessController.java:399)
    at java.lang.SecurityManager.checkPermission(SecurityManager.java:545)
    at java.lang.SecurityManager.checkRead(SecurityManager.java:890)
    at java.io.File.exists(File.java:535)
    at weblogic.utils.classloaders.ClasspathClassFinder.<init>(ClasspathClassFinder.java:61)
    at weblogic.Home.getFileSource(Home.java:64)
    at weblogic.Home.<init>(Home.java:29)
    at weblogic.Home.getInstance(Home.java:82)
    at weblogic.Home.getPath(Home.java:90)
    at weblogic.security.internal.ServerAuthenticate.main(ServerAuthenticate.java:76)
    at weblogic.t3.srvr.T3Srvr.run(T3Srvr.java:167)
    at weblogic.Server.main(Server.java:35)
Could anyone tell me what goes wrong? If you have a working version of weblogic.policy,
please share it with me.
Regards,
Khemchart
Hope that helps
Yaodong Hu
permission java.net.SocketPermission "*:1-", "accept,resolve";
Without this entry my WLS will complain about a broken license.
Furthermore, without this entry, my browser is also unable to
talk to WLS. But now I get a new exception when I try to access
the WLS console from the browser. Here is the exception:
java.security.AccessControlException: access denied (java.io.FilePermission /usr/home/bea/wlserver6.0/weblogic/management/console/pages/_common/_error.class read)
My codeBase is set to /usr/home/bea/- and java.io.FilePermission is granted on this
dir and all its subdirs with read,write,delete,execute. Do you have any idea?
Using the Java Security Manager with WebLogic Server
When you run WebLogic Server under Java 2 (JDK 1.2 or 1.3), WebLogic
Server can use the Java Security Manager in Java 2 to provide
additional access control for WebLogic Server resources. The Java
Virtual Machine (JVM) has security mechanisms built into it which can
be managed via a security policy file. The Java Security Manager can
enforce a set of permissions granted to CodeSource or SignedBy
classes. The permissions allow certain classes running in that
instance of the JVM to do or not do certain runtime operations. In
many cases, where the threat model does not include malicious code
being run on the JVM, the Java Security Manager is unnecessary. In
cases such as when an Application Service Provider uses WebLogic
Server and unknown classes are being run, the Java Security Manager is
necessary. To use the Java Security Manager with WebLogic Server,
specify the -Djava.security.manager property when starting WebLogic
Server.
Note: In past releases of WebLogic Server, the Java Security Manager
was enabled by using the -Dweblogic.security.manager property when
starting WebLogic Server. Please note the change in the property for
WebLogic Server version 6.0 and greater.
The Java Security Manager uses a security policy file that defines
permissions. The full pathname of security policy is specified in the
-Djava.security.policy property when starting WebLogic Server. If you
enable the Java Security Manager but do not specify a security policy
file, the Java Security Manager uses the default security policies
defined in the java.security and java.policy files in the
$JAVA_HOME/lib/security directory.
WebLogic Server includes an example security policy file named
weblogic.policy. This file contains a set of default permissions.
You need to make the following edits to the file in order to use the
file with your WebLogic Server deployment.
1. Edit the following lines in the weblogic.policy file, replacing the
specified location with the location of your WebLogic Server
installation:
grant codebase "file://BEA/-"{
    permission java.io.FilePermission "D:${/}BEA${/}-", ...
Note: This change assumes your installation directory structure is the
same as the one described in the BEA Home Directory topic in the BEA
WebLogic Server Installation Guide.
2. If you want to run the Administration Console, add the following
grant block and permissions to the weblogic.policy file:
grant {
    permission java.io.FilePermission
        "D:${/}BEA${/}wlserver600${/}weblogic${/}management${/}console${/}-",
        "read";
    permission java.io.FilePermission
        "D:${/}BEA${/}wlserver600${/}config${/}mydomain${/}applications${/}.wl_temp_do_not_delete${/}weblogic${/}management${/}console${/}-", "read";
    permission java.util.PropertyPermission "user.*", "read";
};
3. If you have extra directories in your CLASSPATH or if you are
deploying applications in extra directories, you need to add specific
permissions for those directories to your weblogic.policy file.
BEA also recommends taking the following precautions:
- Make a backup copy of the weblogic.policy file and put the backup
copy in a secure location.
- Set the permissions on the weblogic.policy file such that the
administrator of the WebLogic Server deployment has write and read
privileges and no other users
To use the Java Security Manager and the weblogic.policy file with
your WebLogic Server deployment, use the following properties when
starting WebLogic Server:
$ java ... -Djava.security.manager \
    -Djava.security.policy==D:/BEA/wlserver600/lib/weblogic.policy
For more information about the Java Security Manager, see the Javadoc
shipped with Java 2.
The RecordingSecurityManager utility can be used to detect permission
problems that occur when starting and running WebLogic Server. The
utility outputs permissions that can be added to your security policy
file to resolve the permission problems that the utility finds. The
RecordingSecurityManager is available at the BEA Developer's Center.
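
An added example, not part of the original posts or of BEA's documentation: it checks the two denied paths from the exceptions above against the posted recursive FilePermission grant, using only java.io.FilePermission.implies. The class name FilePermissionScope and the extra "read" grant on the directory itself are assumptions made for illustration.

```java
import java.io.FilePermission;
import java.util.List;

public class FilePermissionScope {

    /** True if at least one granted permission implies "read" on the given path. */
    static boolean canRead(List<FilePermission> grants, String path) {
        FilePermission wanted = new FilePermission(path, "read");
        return grants.stream().anyMatch(g -> g.implies(wanted));
    }

    public static void main(String[] args) {
        String home = "/usr/home/bea/wlserver6.0";

        // The grant as posted: "-" covers files and subdirectories below home,
        // recursively, but not the directory entry itself.
        FilePermission recursive =
            new FilePermission(home + "/-", "read,write,delete,execute");
        List<FilePermission> posted = List.of(recursive);

        // Assumed amendment (not from the thread): read on the directory itself.
        List<FilePermission> amended =
            List.of(recursive, new FilePermission(home, "read"));

        String[] probes = {
            home,                           // path in the first exception
            home + "/lib/weblogic.policy",  // a file below the directory
            // path in the second exception
            home + "/weblogic/management/console/pages/_common/_error.class"
        };

        System.out.println("posted amended path");
        for (String path : probes) {
            System.out.printf("%-6b %-7b %s%n",
                canRead(posted, path), canRead(amended, path), path);
        }
    }
}
```

Only the bare directory is refused by the posted grant, which matches the path in the first exception. The console class from the second exception is already inside the recursive pattern, so that denial is not a path-pattern mismatch.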