
Sample of weblogic.policy for WLS6.0


Khemchart Rungchavalnont

May 15, 2001, 5:37:39 AM

Dear all,

I have installed WLS6.0 on Solaris 2.6 and tried to turn on
the Java security manager with this option:

-Djava.security.policy==/usr/home/bea/wlserver6.0/lib/weblogic.policy -Djava.security.manager

This makes me unable to boot WLS. Here are the contents of my weblogic.policy:

grant {
    // Permission "enableSubstitution" needed to run the WebLogic console
    permission java.io.SerializablePermission "enableSubstitution";
    // Permission "modifyThreadGroup" required to run the WebLogic Server
    permission java.lang.RuntimePermission "modifyThreadGroup";
    permission java.lang.RuntimePermission "setContextClassLoader";
    // Permission "setIO" needed to start a server from the WebLogic console
    permission java.lang.RuntimePermission "setIO";
    // Permission "getClassLoader" needed for many EJB clients
    permission java.lang.RuntimePermission "getClassLoader";

    permission java.lang.RuntimePermission "stopThread";
    permission java.net.SocketPermission "localhost:1024-", "listen";
    permission java.util.PropertyPermission "*", "read,write";
    permission java.io.FilePermission "${/}usr${/}home${/}bea${/}wlserver6.0${/}-",
        "read,write,delete,execute";
};

And here is the error that occurs:

java.security.AccessControlException: access denied (java.io.FilePermission /usr/home/bea/wlserver6.0 read)
    at java.security.AccessControlContext.checkPermission(AccessControlContext.java:272)
    at java.security.AccessController.checkPermission(AccessController.java:399)
    at java.lang.SecurityManager.checkPermission(SecurityManager.java:545)
    at java.lang.SecurityManager.checkRead(SecurityManager.java:890)
    at java.io.File.exists(File.java:535)
    at weblogic.utils.classloaders.ClasspathClassFinder.<init>(ClasspathClassFinder.java:61)
    at weblogic.Home.getFileSource(Home.java:64)
    at weblogic.Home.<init>(Home.java:29)
    at weblogic.Home.getInstance(Home.java:82)
    at weblogic.Home.getPath(Home.java:90)
    at weblogic.security.internal.ServerAuthenticate.main(ServerAuthenticate.java:76)
    at weblogic.t3.srvr.T3Srvr.run(T3Srvr.java:167)
    at weblogic.Server.main(Server.java:35)

Could anyone tell me what is going wrong? If you have a working version of weblogic.policy,
please share it with me.

Regards,
Khemchart

yaodong hu

May 15, 2001, 3:08:48 PM

Check the part of the policy that grants the file permission for the code base which WebLogic
is running from. Be careful with the syntax.
You can simply run a sample Java program that opens a file to verify that your
policy is set up correctly.

Hope that helps

Yaodong Hu
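
An added example (not written by any poster in this thread or by BEA) of the kind of check suggested above: it uses the JDK's own java.io.FilePermission.implies to test the thread's path patterns without booting the server. The class and helper names are illustrative; the point it shows is that a "dir/-" pattern covers everything below dir but not dir itself, which is the path denied in the first trace.

```java
import java.io.FilePermission;

// Added example: evaluates policy path patterns with the JDK's own matching logic.
public class PolicyPathCheck {

    // True when a policy entry (path pattern + actions) covers the requested access.
    static boolean covers(String grantedPath, String grantedActions,
                          String requestedPath, String requestedActions) {
        FilePermission granted = new FilePermission(grantedPath, grantedActions);
        FilePermission requested = new FilePermission(requestedPath, requestedActions);
        return granted.implies(requested);
    }

    // Prints one line per pattern/path pair, using the action list from the thread.
    static void report(String grantedPath, String requestedPath) {
        boolean ok = covers(grantedPath, "read,write,delete,execute", requestedPath, "read");
        System.out.printf("%-32s %s read on %s%n",
                grantedPath, ok ? "covers" : "DOES NOT cover", requestedPath);
    }

    public static void main(String[] args) {
        // Paths copied from the thread (Unix-style, so run this on a Unix-like host).
        String home = "/usr/home/bea/wlserver6.0";
        String page = home + "/weblogic/management/console/pages/_common/_error.class";

        // "dir/-" is recursive over everything BELOW dir, not dir itself.
        report(home + "/-", home + "/lib/weblogic.policy");
        report(home + "/-", home);   // the path denied in the first trace

        // "dir/*" covers only the direct children of dir.
        report(home + "/*", home + "/lib/weblogic.policy");

        // Granting on the parent, or naming the directory itself, covers it.
        report("/usr/home/bea/-", home);
        report(home, home);

        // Path pattern versus the compiled console page from the second trace.
        report("/usr/home/bea/-", page);
    }
}
```

When the pattern covers a path that the server still reports as denied, the grant is not being applied to some code on the call stack, so the codeBase of the grant block is the next thing to check.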

Khemchart Rungchavalnont

May 16, 2001, 1:11:43 AM

Now I can successfully boot WLS6 after changing what you told
me. Big thanks! However, I have to add one more entry
inside this codeBase. It is:

permission java.net.SocketPermission "*:1-", "accept,resolve";

Without this entry my WLS complains about a broken license.
Furthermore, without this entry, my browser is also unable to
talk to WLS. But now I get a new exception when I try to access
the WLS console from the browser. Here is the exception:

java.security.AccessControlException: access denied (java.io.FilePermission /usr/home/bea/wlserver6.0/weblogic/management/console/pages/_common/_error.class read)

My codeBase is set to /usr/home/bea/- and java.io.FilePermission is granted for this
directory and all its subdirectories with read,write,delete,execute. Do you have any idea?

Christopher Allen

May 29, 2001, 1:35:59 PM

Here's a snippet from upcoming release notes about the Java
security manager and the example weblogic.policy file.
------------------------------------------------------------------

Using the Java Security Manager with WebLogic Server

When you run WebLogic Server under Java 2 (JDK 1.2 or 1.3), WebLogic
Server can use the Java Security Manager in Java 2 to provide
additional access control for WebLogic Server resources. The Java
Virtual Machine (JVM) has security mechanisms built into it which can
be managed via a security policy file. The Java Security Manager can
enforce a set of permissions granted to CodeSource or SignedBy
classes. The permissions allow certain classes running in that
instance of the JVM to do or not do certain runtime operations. In
many cases, where the threat model does not include malicious code
being run on the JVM, the Java Security Manager is unnecessary. In
cases such as when an Application Service Provider uses WebLogic
Server and unknown classes are being run, the Java Security Manager is
necessary. To use the Java Security Manager with WebLogic Server,
specify the -Djava.security.manager property when starting WebLogic
Server.

Note: In past releases of WebLogic Server, the Java Security Manager
was enabled by using the -Dweblogic.security.manager property when
starting WebLogic Server. Please note the change in the property for
WebLogic Server version 6.0 and greater.

The Java Security Manager uses a security policy file that defines
permissions. The full pathname of the security policy is specified in the
-Djava.security.policy property when starting WebLogic Server. If you
enable the Java Security Manager but do not specify a security policy
file, the Java Security Manager uses the default security policies
defined in the java.security and java.policy files in the
$JAVA_HOME/lib/security directory.

WebLogic Server includes an example security policy file named
weblogic.policy. This file contains a set of default permissions.
You need to make the following edits to the file in order to use the
file with your WebLogic Server deployment.

1. Edit the following lines in the weblogic.policy file, replacing the
specified location with the location of your WebLogic Server
installation:

grant codebase "file://BEA/-"{
    permission java.io.FilePermission "D:${/}BEA${/}-", ...

Note: This change assumes your installation directory structure is the
same as the one described in the BEA Home Directory topic in the BEA
WebLogic Server Installation Guide.

2. If you want to run the Administration Console, add the following
grant block and permissions to the weblogic.policy file:

grant {
    permission java.io.FilePermission
        "D:${/}BEA${/}wlserver600${/}weblogic${/}management${/}console${/}-",
        "read";

    permission java.io.FilePermission
        "D:${/}BEA${/}wlserver600${/}config${/}mydomain${/}applications${/}.wl_temp_do_not_delete${/}weblogic${/}management${/}console${/}-",
        "read";

    permission java.util.PropertyPermission "user.*", "read";
};

3. If you have extra directories in your CLASSPATH or if you are
deploying applications in extra directories, you need to add specific
permissions for those directories to your weblogic.policy file.

BEA also recommends taking the following precautions:

- Make a backup copy of the weblogic.policy file and put the backup
copy in a secure location.

- Set the permissions on the weblogic.policy file such that the
administrator of the WebLogic Server deployment has write and read
privileges and no other users

To use the Java Security Manager and the weblogic.policy file with
your WebLogic Server deployment, use the following properties when
starting WebLogic Server:

$java... -Djava.security.manager \
-Djava.security.policy==D:/BEA/wlserver600/lib/weblogic.policy

For more information about the Java Security Manager, see the Javadoc
shipped with Java 2.

The RecordingSecurityManager utility can be used to detect permission
problems that occur when starting and running WebLogic Server. The
utility outputs permissions that can be added to your security policy
file to resolve the permission problems that the utility finds. The
RecordingSecurityManager is available at the BEA Developer's Center.
