M2MLabs Wiki

Brought to you by: eet1009, jim2308, ladybird77

ScriptSecurity

Authors:

Securing Groovy Scripts

In a production system it is strongly recommended to run the Groovy scripts in a sandbox environment, especially if owners are writing and executing their own scripts.

To run Groovy scripts in a sandbox perform following steps:

enable the java security manager with "asadmin create-jvm-options -Djava.security.manager"
edit the server policy file (in glassfish located in ../domains/<your domain>/config/server.policy
restart the server

The following example shows the permissions to be assigned:

keep the permissions for glassfish itself
delete all other permissions
add codebase /m2mlabs/scripts which contains the minimum set of permissions assigned to Groovy scripts

    grant codeBase "file:/m2mlabs/scripts" {
       // this permission is required to execute the scripts
       permission java.lang.RuntimePermission    "getClassLoader";
    };

add codebase /applications/mainspring-ear-0.9 which contains the permission for the mainspring server itself. For future releases this has to be updated to the application name of the release.

    grant codeBase "file:${com.sun.aas.instanceRoot}/applications/mainspring-ear-0.9/-" {
       permission java.lang.RuntimePermission "getProtectionDomain";
       permission javax.management.MBeanTrustPermission "register";
       permission java.util.PropertyPermission "*", "read,write";
       permission java.io.FilePermission       "<<ALL FILES>>", "read,write";
       permission java.lang.RuntimePermission    "modifyThreadGroup";
       permission java.lang.RuntimePermission    "getClassLoader";
       permission java.lang.RuntimePermission    "setContextClassLoader";
       permission java.net.SocketPermission    "*", "connect";
       permission javax.management.MBeanPermission "[com.sun.messaging.jms.*:*]", "*"; 
       //needed by URLClassloader.close() on JDK7
       permission java.lang.RuntimePermission "closeClassLoader";
       // for Groovy
       permission java.lang.RuntimePermission "createClassLoader";
       permission groovy.security.GroovyCodeSourcePermission "/m2mlabs/scripts";
       // for cassandra
       permission javax.management.MBeanServerPermission "createMBeanServer";
       permission javax.management.MBeanPermission
           "me.prettyprint.cassandra.service.CassandraClientMonitor", "registerMBean";
       permission java.net.SocketPermission "localhost:1024-", "accept,listen,resolve";
       permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
       permission java.lang.RuntimePermission "accessDeclaredMembers";
       permission org.osgi.framework.AdminPermission "resolve,resource";
       permission java.lang.RuntimePermission, "accessClassInPackage.com.sun.proxy";
    };

    grant {
       permission java.util.PropertyPermission "SERVER_TIMEZONE", "read";
    };