XAP

Java Security Policy File

When accessing the space, you should have the java.security.policy property set correctly. You may use a default security file bundled with the distribution. It is located at: $GS_HOME\policy\policy.all:

grant {
    permission java.security.AllPermission "", "";
};

You can augment or replace the default JVMClosed Java Virtual Machine. A virtual machine that enables a computer to run Java programs as well as programs written in other languages that are also compiled to Java bytecode. runtime permissions using the java.security.policy system property to specify the path to a policy file. This System property is unique in that it can use = or == to indicate whether the policy file specified should append to, or replace the default permissions. If you use the "=", the permissions in the specified policy file are appended to the default permissions. If you use the ==, then the permissions in the specified policy file replace the default permissions.

The preferred way is to export the environment variable GS_SECURITY_POLICY which is defined in the script $GS_HOME\bin\setenv.(sh/bat), instead of the system property java.security.policy to specify the path to a policy file. Use the setenv-overrides.(sh/bat) script and define the security policy file path:

  export GS_SECURITY_POLICY=/home/user/my-policy.txt

GigaSpaces includes default security permissions, based on the above settings. These are located in the xap-common.jar file, under \com\gigaspaces\start\policy.all. If you do not need special security settings, you do not need to set up the java.security.policy property when accessing the space. The default setting is used. The same occurs when using the SpaceFinder to start a space (not using the ServiceStarter).

Flat File Structure – the policy.all file can be moved under the $GS_HOME directory, if you want to maintain a flat file structure – where configuration, jar, and security files can be organized under the $GS_HOME folder, or under their main folder without having sub-folders.

For more details on Java security, refer to: Sun;Default Policy Implementation and Policy File Syntax.

Security permissions required for GigaSpaces

If you want to create your own security policy file, you need to add, at least, the following security grants.

grant {
  permission java.util.PropertyPermission "*", "read, write";
  permission java.lang.RuntimePermission "getProtectionDomain";
  permission java.io.FilePermission "<<ALL FILES>>", "read, write, delete, execute";
  permission java.io.SerializablePermission "enableSubstitution";
  permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
  permission java.lang.RuntimePermission "accessClassInPackage.org.apache.*";
  permission java.lang.RuntimePermission "accessClassInPackage.sun.*";
  permission java.lang.RuntimePermission "accessDeclaredMembers";
  permission java.lang.RuntimePermission "createClassLoader";
  permission java.lang.RuntimePermission "getClassLoader";
  permission java.lang.RuntimePermission "loadLibrary.libtcnative-1";
  permission java.lang.RuntimePermission "loadLibrary.management";
  permission java.lang.RuntimePermission "loadLibrary.net";
  permission java.lang.RuntimePermission "loadLibrary.tcnative-1";
  permission java.lang.RuntimePermission "modifyThread";
  permission java.lang.RuntimePermission "modifyThreadGroup";
  permission java.lang.RuntimePermission "org.jboss.security.SecurityAssociation.setServer";
  permission java.lang.RuntimePermission "setContextClassLoader";
  permission java.lang.RuntimePermission "createSecurityManager";
  permission java.lang.RuntimePermission "setFactory";
  permission java.lang.RuntimePermission "setIO";
  permission java.lang.RuntimePermission "shutdownHooks";
  permission java.net.NetPermission "specifyStreamHandler";
  permission java.net.SocketPermission "*", "listen, resolve, connect, accept";
  permission java.security.SecurityPermission "createAccessControlContext";
  permission java.security.SecurityPermission "getDomainCombiner";
  permission java.security.SecurityPermission "getPolicy";
  permission java.security.SecurityPermission "getProperty.*";
  permission java.security.SecurityPermission "insertProvider.SUN";
  permission java.security.SecurityPermission "putProviderProperty.SUN";
  permission java.security.SecurityPermission "setPolicy";
  permission java.security.SecurityPermission "setProperty.package.access";
  permission java.security.SecurityPermission "setProperty.package.definition";
  permission net.jini.security.GrantPermission "java.security.AllPermission";
  permission com.sun.jini.discovery.internal.EndpointInternalsPermission "set";
  permission com.sun.jini.discovery.internal.EndpointInternalsPermission "get";
  permission java.util.logging.LoggingPermission "control";
  permission net.jini.discovery.DiscoveryPermission "*";
  permission javax.security.auth.AuthPermission "refreshLoginConfiguration";
  permission javax.security.auth.AuthPermission "setLoginConfiguration";
  permission javax.management.MBeanServerPermission "createMBeanServer";
  permission javax.management.MBeanServerPermission "findMBeanServer";
  permission javax.management.MBeanServerPermission "newMBeanServer";
  permission javax.management.MBeanTrustPermission "register";
  permission javax.management.MBeanPermission "*", "*";
  permission java.lang.RuntimePermission "org.jboss.security.SecurityAssociation.setRunAsRole";
  permission javax.security.auth.AuthPermission "doAsPrivileged";
  permission java.lang.RuntimePermission "org.jboss.security.SecurityAssociation.getPrincipalInfo";
  permission javax.security.auth.AuthPermission "createLoginContext.HsqlDbRealm";
  permission javax.security.auth.AuthPermission "getLoginConfiguration";
  permission java.lang.RuntimePermission "org.jboss.security.SecurityAssociation.accessContextInfo";
  permission javax.security.auth.PrivateCredentialPermission "javax.resource.spi.security.PasswordCredential * \"*\"", "read";
  permission javax.security.auth.AuthPermission "*";
  permission java.lang.RuntimePermission "org.jboss.security.SecurityAssociation.setPrincipalInfo";
  permission net.jini.security.GrantPermission "java.security.AllPermission \"<all permissions>\", \"<all actions>\"";
  permission net.jini.export.ExportPermission "exportRemoteInterface.com.sun.jini.reggie.Registrar";
  permission com.sun.jini.thread.ThreadPoolPermission "getSystemThreadPool";
  permission javax.management.MBeanServerPermission "releaseMBeanServer";
  permission java.lang.RuntimePermission "exitVM";
};