Recent changes to ScriptSecurity

ScriptSecurity modified by Jim

Jim — Sat, 30 May 2015 15:57:48 -0000

--- v6
+++ v7
@@ -49,5 +49,9 @@
        permission org.osgi.framework.AdminPermission "resolve,resource";
        permission java.lang.RuntimePermission, "accessClassInPackage.com.sun.proxy";
     };
+
+    grant {
+       permission java.util.PropertyPermission "SERVER_TIMEZONE", "read";
+    };
 ~~~~~~

ScriptSecurity modified by Jim

Jim — Sat, 25 Apr 2015 18:39:39 -0000

--- v5
+++ v6
@@ -16,6 +16,7 @@

 ~~~~~~
     grant codeBase "file:/m2mlabs/scripts" {
+       // this permission is required to execute the scripts
        permission java.lang.RuntimePermission    "getClassLoader";
     };
 ~~~~~~

ScriptSecurity modified by Jim

Jim — Sat, 25 Apr 2015 18:34:56 -0000

--- v4
+++ v5
@@ -1,6 +1,6 @@
 ### Securing Groovy Scripts ###

-In a production system it is strongly recommended to run the Groovy scripts in sandbox environment, especially if owners are writing and executing their own scripts.
+##### In a production system it is strongly recommended to run the Groovy scripts in a sandbox environment, especially if owners are writing and executing their own scripts.

 To run Groovy scripts in a sandbox perform following steps:

@@ -23,8 +23,7 @@
 * add codebase /applications/mainspring-ear-0.9 which contains the permission for the mainspring server itself. For future releases this has to be updated to the application name of the release.

 ~~~~~~
-   grant codeBase "file:${com.sun.aas.instanceRoot}/applications/mainspring-ear-0.9/-" {
-
+    grant codeBase "file:${com.sun.aas.instanceRoot}/applications/mainspring-ear-0.9/-" {
        permission java.lang.RuntimePermission "getProtectionDomain";
        permission javax.management.MBeanTrustPermission "register";
        permission java.util.PropertyPermission "*", "read,write";
@@ -43,11 +42,11 @@
        permission javax.management.MBeanServerPermission "createMBeanServer";
        permission javax.management.MBeanPermission
            "me.prettyprint.cassandra.service.CassandraClientMonitor", "registerMBean";
-
        permission java.net.SocketPermission "localhost:1024-", "accept,listen,resolve";
        permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
        permission java.lang.RuntimePermission "accessDeclaredMembers";
        permission org.osgi.framework.AdminPermission "resolve,resource";
        permission java.lang.RuntimePermission, "accessClassInPackage.com.sun.proxy";
-   };
+    };
 ~~~~~~
+

ScriptSecurity modified by Jim

Jim — Sat, 25 Apr 2015 18:26:35 -0000

--- v3
+++ v4
@@ -23,31 +23,31 @@
 * add codebase /applications/mainspring-ear-0.9 which contains the permission for the mainspring server itself. For future releases this has to be updated to the application name of the release.

 ~~~~~~
-grant codeBase "file:${com.sun.aas.instanceRoot}/applications/mainspring-ear-0.9/-" {
+   grant codeBase "file:${com.sun.aas.instanceRoot}/applications/mainspring-ear-0.9/-" {

-   permission java.lang.RuntimePermission "getProtectionDomain";
-   permission javax.management.MBeanTrustPermission "register";
-   permission java.util.PropertyPermission "*", "read,write";
-   permission java.io.FilePermission       "<<ALL FILES="">>", "read,write";
-   permission java.lang.RuntimePermission    "modifyThreadGroup";
-   permission java.lang.RuntimePermission    "getClassLoader";
-   permission java.lang.RuntimePermission    "setContextClassLoader";
-   permission java.net.SocketPermission    "*", "connect";
-   permission javax.management.MBeanPermission "[com.sun.messaging.jms.*:*]", "*"; 
-   //needed by URLClassloader.close() on JDK7
-   permission java.lang.RuntimePermission "closeClassLoader";
-   // for Groovy
-   permission java.lang.RuntimePermission "createClassLoader";
-   permission groovy.security.GroovyCodeSourcePermission "/m2mlabs/scripts";
-   // for cassandra
-   permission javax.management.MBeanServerPermission "createMBeanServer";
-   permission javax.management.MBeanPermission
-       "me.prettyprint.cassandra.service.CassandraClientMonitor", "registerMBean";
+       permission java.lang.RuntimePermission "getProtectionDomain";
+       permission javax.management.MBeanTrustPermission "register";
+       permission java.util.PropertyPermission "*", "read,write";
+       permission java.io.FilePermission       "<<ALL FILES="">>", "read,write";
+       permission java.lang.RuntimePermission    "modifyThreadGroup";
+       permission java.lang.RuntimePermission    "getClassLoader";
+       permission java.lang.RuntimePermission    "setContextClassLoader";
+       permission java.net.SocketPermission    "*", "connect";
+       permission javax.management.MBeanPermission "[com.sun.messaging.jms.*:*]", "*"; 
+       //needed by URLClassloader.close() on JDK7
+       permission java.lang.RuntimePermission "closeClassLoader";
+       // for Groovy
+       permission java.lang.RuntimePermission "createClassLoader";
+       permission groovy.security.GroovyCodeSourcePermission "/m2mlabs/scripts";
+       // for cassandra
+       permission javax.management.MBeanServerPermission "createMBeanServer";
+       permission javax.management.MBeanPermission
+           "me.prettyprint.cassandra.service.CassandraClientMonitor", "registerMBean";

-   permission java.net.SocketPermission "localhost:1024-", "accept,listen,resolve";
-   permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
-   permission java.lang.RuntimePermission "accessDeclaredMembers";
-   permission org.osgi.framework.AdminPermission "resolve,resource";
-   permission java.lang.RuntimePermission, "accessClassInPackage.com.sun.proxy";
-};
+       permission java.net.SocketPermission "localhost:1024-", "accept,listen,resolve";
+       permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
+       permission java.lang.RuntimePermission "accessDeclaredMembers";
+       permission org.osgi.framework.AdminPermission "resolve,resource";
+       permission java.lang.RuntimePermission, "accessClassInPackage.com.sun.proxy";
+   };
 ~~~~~~

ScriptSecurity modified by Jim

Jim — Sat, 25 Apr 2015 18:23:47 -0000

--- v2
+++ v3
@@ -16,40 +16,38 @@

 ~~~~~~
     grant codeBase "file:/m2mlabs/scripts" {
-       permission java.io.FilePermission       
-          "${com.sun.aas.instanceRoot}/applications/cs-ws/WEB-INF/classes/-", "read";
-       permission java.io.FilePermission       
-          "${com.sun.aas.instanceRoot}/generated/jsp/cs-ws/-", "read";
        permission java.lang.RuntimePermission    "getClassLoader";
     };
 ~~~~~~

-* add codebase /applications/cs-ws which contains the permission for the mainspring server itself
+* add codebase /applications/mainspring-ear-0.9 which contains the permission for the mainspring server itself. For future releases this has to be updated to the application name of the release.

 ~~~~~~
-    grant codeBase "file:${com.sun.aas.instanceRoot}/applications/cs-ws/-" {
-    
-       permission java.lang.RuntimePermission "getProtectionDomain";
-       permission javax.management.MBeanTrustPermission "register";
-       permission java.util.PropertyPermission "*", "read,write";
-       permission java.io.FilePermission       "<<ALL FILES="">>", "read,write";
-       permission java.lang.RuntimePermission    "modifyThreadGroup";
-       permission java.lang.RuntimePermission    "getClassLoader";
-       permission java.lang.RuntimePermission    "setContextClassLoader";
-       permission java.net.SocketPermission    "*", "connect";
-       permission javax.management.MBeanPermission "[com.sun.messaging.jms.*:*]", "*"; 
-       //needed by URLClassloader.close() on JDK7
-       permission java.lang.RuntimePermission "closeClassLoader";
-       // for Groovy
-       permission java.lang.RuntimePermission "createClassLoader";
-       permission groovy.security.GroovyCodeSourcePermission "/m2mlabs/scripts";
-       // for cassandra
-       permission javax.management.MBeanServerPermission "createMBeanServer";
-       permission javax.management.MBeanPermission
-           "me.prettyprint.cassandra.service.CassandraClientMonitor", "registerMBean";
-    
-       permission java.net.SocketPermission "localhost:1024-", "accept,resolve";
-       permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
-       permission java.lang.RuntimePermission "accessDeclaredMembers";
-    };
+grant codeBase "file:${com.sun.aas.instanceRoot}/applications/mainspring-ear-0.9/-" {
+
+   permission java.lang.RuntimePermission "getProtectionDomain";
+   permission javax.management.MBeanTrustPermission "register";
+   permission java.util.PropertyPermission "*", "read,write";
+   permission java.io.FilePermission       "<<ALL FILES="">>", "read,write";
+   permission java.lang.RuntimePermission    "modifyThreadGroup";
+   permission java.lang.RuntimePermission    "getClassLoader";
+   permission java.lang.RuntimePermission    "setContextClassLoader";
+   permission java.net.SocketPermission    "*", "connect";
+   permission javax.management.MBeanPermission "[com.sun.messaging.jms.*:*]", "*"; 
+   //needed by URLClassloader.close() on JDK7
+   permission java.lang.RuntimePermission "closeClassLoader";
+   // for Groovy
+   permission java.lang.RuntimePermission "createClassLoader";
+   permission groovy.security.GroovyCodeSourcePermission "/m2mlabs/scripts";
+   // for cassandra
+   permission javax.management.MBeanServerPermission "createMBeanServer";
+   permission javax.management.MBeanPermission
+       "me.prettyprint.cassandra.service.CassandraClientMonitor", "registerMBean";
+
+   permission java.net.SocketPermission "localhost:1024-", "accept,listen,resolve";
+   permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
+   permission java.lang.RuntimePermission "accessDeclaredMembers";
+   permission org.osgi.framework.AdminPermission "resolve,resource";
+   permission java.lang.RuntimePermission, "accessClassInPackage.com.sun.proxy";
+};
 ~~~~~~

WikiPage ScriptSecurity modified by Jim

Jim — Thu, 22 Nov 2012 20:34:59 -0000

--- v1
+++ v2
@@ -10,7 +10,9 @@
 
 The following example shows the permissions to be assigned:
 
-* the /m2mlabs/scripts contains the minimum set of permissions assigned to Groovy scripts
+* keep the permissions for glassfish itself
+* delete all other permissions
+* add codebase /m2mlabs/scripts which contains the minimum set of permissions assigned to Groovy scripts
 
 ~~~~~~
     grant codeBase "file:/m2mlabs/scripts" {
@@ -22,7 +24,7 @@
     };
 ~~~~~~
 
-* the /applications/cs-ws codebase contains the permission for the mainspring server itself
+* add codebase /applications/cs-ws which contains the permission for the mainspring server itself
 
 ~~~~~~
     grant codeBase "file:${com.sun.aas.instanceRoot}/applications/cs-ws/-" {

WikiPage ScriptSecurity modified by Jim

Jim — Thu, 22 Nov 2012 20:29:26 -0000

### Securing Groovy Scripts ### In a production system it is strongly recommended to run the Groovy scripts in sandbox environment, especially if owners are writing and executing their own scripts. To run Groovy scripts in a sandbox perform following steps: * enable the java security manager with "asadmin create-jvm-options -Djava.security.manager" * edit the server policy file (in glassfish located in ../domains//config/server.policy * restart the server The following example shows the permissions to be assigned: * the /m2mlabs/scripts contains the minimum set of permissions assigned to Groovy scripts ~~~~~~ grant codeBase "file:/m2mlabs/scripts" { permission java.io.FilePermission "${com.sun.aas.instanceRoot}/applications/cs-ws/WEB-INF/classes/-", "read"; permission java.io.FilePermission "${com.sun.aas.instanceRoot}/generated/jsp/cs-ws/-", "read"; permission java.lang.RuntimePermission "getClassLoader"; }; ~~~~~~ * the /applications/cs-ws codebase contains the permission for the mainspring server itself ~~~~~~ grant codeBase "file:${com.sun.aas.instanceRoot}/applications/cs-ws/-" { permission java.lang.RuntimePermission "getProtectionDomain"; permission javax.management.MBeanTrustPermission "register"; permission java.util.PropertyPermission "*", "read,write"; permission java.io.FilePermission "<>", "read,write"; permission java.lang.RuntimePermission "modifyThreadGroup"; permission java.lang.RuntimePermission "getClassLoader"; permission java.lang.RuntimePermission "setContextClassLoader"; permission java.net.SocketPermission "*", "connect"; permission javax.management.MBeanPermission "[com.sun.messaging.jms.*:*]", "*"; //needed by URLClassloader.close() on JDK7 permission java.lang.RuntimePermission "closeClassLoader"; // for Groovy permission java.lang.RuntimePermission "createClassLoader"; permission groovy.security.GroovyCodeSourcePermission "/m2mlabs/scripts"; // for cassandra permission javax.management.MBeanServerPermission "createMBeanServer"; permission javax.management.MBeanPermission "me.prettyprint.cassandra.service.CassandraClientMonitor", "registerMBean"; permission java.net.SocketPermission "localhost:1024-", "accept,resolve"; permission java.lang.reflect.ReflectPermission "suppressAccessChecks"; permission java.lang.RuntimePermission "accessDeclaredMembers"; }; ~~~~~~