Setting Multiple permissions for the file in wildfly

[syed ghouse Habib]

Hello All,

I am working on Wildfly 17 by generating the Ear and I am setting the permissions in the META-INF/permissions.xml .

Here I define it as 

<permission>

        <class-name>java.io.FilePermission</class-name>

        <name>C:\users\upload.properties</name>

      <actions>read,write</actions>

  </permission>

For the same file, I define the java.util. PropertyPermission as follows as a new entry.

<permission>

        <class-name>>java.util.PropertyPermission</class-name>

        <name>C:\users\upload.properties</name>

      <actions>read,write</actions>

  </permission>

Is there any way I can define the multiple permissions for the file instead of defining it individually?

For eg: like below. I used to define in WebLogic

grant codeBase "file:C:/users/upload.properties"

{

  permission java.util.PropertyPermission "*", "read,write";

  permission  java.io.FilePermission "*", "read,write";

};

I have to define around 70 + permissions for each of the files.

Thanks in advance.

[Darran Lofthouse]

I am not sure if I am following your example correctly as they don't seem to be equivalent.

In this section:

grant codeBase "file:C:/users/upload.properties"

{

  permission java.util.PropertyPermission "*", "read,write";

  permission  java.io.FilePermission "*", "read,write";

};

I would expect the codebase to be the location the code is being loaded from.

But then the permissions are described with the name being a wildcard so looking at the file permission it is the equivalent of:

    new java.io.FilePermission("*", "read,write);

i.e. The code may read and write all files on the filesystem.

For the permissions.xml example however you have:

<permission>

        <class-name>java.io.FilePermission</class-name>

        <name>C:\users\upload.properties</name>

      <actions>read,write</actions>

</permission>

This would be the equivalent of:

    new java.io.FilePermission("C:\users\upload.properties", "read,write);

So here the deployment has been granted read / write access to just the properties file.

[syed ghouse Habib]

Thanks  Darran for a quick response.

In my case, the permissions.xml looks like below.

<permission>

        <class-name>java.io.FilePermission</class-name>

        <name>C:\users\upload.properties</name>

      <actions>read,write</actions>

</permission>

<permission>

        <class-name>java.io.FilePermission</class-name>

        <name>C:\users\upload.properties</name>

      <actions>read,write</actions>

  </permission>

when you see for the C:\users\upload.properties file, I have given two entries for permission is there a way to join both of these and add as one?.

In weblogic we used to define it as below.

grant codeBase "file:C:/users/upload.properties"

{

  permission java.util.PropertyPermission "*", "read,write";

  permission  java.io.FilePermission "*", "read,write";

};

Regards,

Syed Ghouse

[Darran Lofthouse]

As I say the weblogic equivalent just does not look valid to me - that looks more that it is matching all files due to the wildcard i.e. granting access to all files on the filesystem that the Java process can access.

[Darran Lofthouse]

Also the PropertyPermission is in relation to reading system properties not reading and writing files, so your wildcard means all system properties can be read and written.

[syed ghouse Habib]

I tried defining like below with wildcard for the access, when I execute the code for reading the file again it gives 

the java.security.AccessControlException: access denied ("java.io.FilePermission" "C:\users\upload.properties" "read")

To avoid this issue only I am defining file-based permission instead of a wildcard.

<permission>

<class-name>java.io.FilePermission</class-name>

<name>*</name>

<actions>read,write</actions>

</permission>

<permission>

<class-name>java.util.PropertyPermission</class-name>

<name>*</name>

<actions>read,write</actions>

</permission>

you mentioned it as new java.io.FilePermission("*", "read, write); I can't define in the java file for permission. It has to be in some config, where can I define it. Can you provide some samples on how to define it in the config file?

Regards,

Syed Ghouse

[Darran Lofthouse]

What is the structure of your deployment and where is the permissions.xml located?  If this is a nested deployment e.g. packaged in an ear the permissions,xml should be in the root deployment under META-INF