Permissions needed to work in secure mode

This section describes the special permissions you need to add if the web application server will be running in secure mode during the scan.

If the server will be running in secure mode (that is, with Java Security Manager enabled), you must add the following special permissions to the GBootStrap web application:
  • Permission to access "getClassLoader" (java.lang.RuntimePermission)
  • Permission to use "accessClassInPackage.sun.net.www.protocol.*" (java.lang.RuntimePermission)
  • Read permission to the "java.io.tmpdir" property (java.util.PropertyPermission)
  • Read/Write/Delete permission to "<<ALL FILES>>" (java.io.FilePermission)

If necessary, consult your web server manual for instructions on how and where to add these Java Security permissions. The sections below provide some sources and examples that may help you in doing this. It should be stressed that the examples are examples only, and would almost certainly need adaptation to work in your particular case.
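
A check for the grant block once it has been added, for the policy-file syntax used in the WebSphere, Tomcat and JBoss outlines in this section. This is an added example, not part of the product or of the original page; the function names and the sample policy text are constructed for illustration. It matches class, target and actions exactly and does not evaluate wider grants that would imply these permissions.

```python
import re

# The four permissions this page lists for the GBootStrap web application.
REQUIRED = [
    ("java.lang.RuntimePermission", "getClassLoader", set()),
    ("java.lang.RuntimePermission", "accessClassInPackage.sun.net.www.protocol.*", set()),
    ("java.util.PropertyPermission", "java.io.tmpdir", {"read"}),
    ("java.io.FilePermission", "<<ALL FILES>>", {"read", "write", "delete"}),
]

GRANT_RE = re.compile(r'grant\s+codeBase\s+"([^"]*)"\s*\{(.*?)\}\s*;', re.S)
PERM_RE = re.compile(r'permission\s+([\w.$]+)\s+"([^"]*)"(?:\s*,\s*"([^"]*)")?\s*;')

def parse_policy(text):
    """Return {codeBase: [(class, target, actions_set), ...]} for each grant block."""
    # Strip only whole-line // comments so URLs and "/*" inside codeBase strings survive.
    text = re.sub(r'^\s*//.*$', '', text, flags=re.M)
    grants = {}
    for codebase, body in GRANT_RE.findall(text):
        perms = grants.setdefault(codebase, [])
        for cls, target, actions in PERM_RE.findall(body):
            acts = {a.strip().lower() for a in actions.split(",") if a.strip()}
            perms.append((cls, target, acts))
    return grants

def missing_permissions(text, codebase_fragment="GBootStrap"):
    """List required (class, target) pairs not granted to a matching codeBase."""
    granted = [p for cb, perms in parse_policy(text).items()
               if codebase_fragment in cb for p in perms]
    return [(cls, target) for cls, target, actions in REQUIRED
            if not any(c == cls and t == target and actions <= a for c, t, a in granted)]

# Constructed sample: a catalina.policy fragment with a mistyped FilePermission target.
SAMPLE_BAD = '''
// constructed sample, not taken from a real server
grant codeBase "file:${catalina.base}/webapps/GBootStrap/-" {
    permission java.lang.RuntimePermission "getClassLoader";
    permission java.lang.RuntimePermission
        "accessClassInPackage.sun.net.www.protocol.*";
    permission java.io.FilePermission "ALL FILES", "read, write, delete";
    permission java.util.PropertyPermission "java.io.tmpdir", "read";
};
'''
SAMPLE_GOOD = SAMPLE_BAD.replace('"ALL FILES"', '"<<ALL FILES>>"')

if __name__ == "__main__":
    print("bad :", missing_permissions(SAMPLE_BAD))
    print("good:", missing_permissions(SAMPLE_GOOD))
```

For a WebSphere was.policy, pass `"${application}"` as `codebase_fragment`, since that codeBase does not contain the application name.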

IBM WebSphere

Guide:

http://publib.boulder.ibm.com/infocenter/wasinfo/v7r0/topic/com.ibm.websphere.express.doc/info/exp/ae/tsec_waspolicyfile.html

Outline of lines to be added:

grant codeBase "file:${application}" {
	permission java.lang.RuntimePermission "getClassLoader";
	permission java.lang.RuntimePermission "accessClassInPackage.sun.net.www.protocol.*";
	permission java.io.FilePermission "<<ALL FILES>>", "read, write, delete";
	permission java.util.PropertyPermission "java.io.tmpdir", "read";
};

Location:

<profile_root>/config/cells/<cell_name>/applications/<ear_file_name>/deployments/<application_name>/META-INF/was.policy

Example location:

"C:\Program Files (x86)\IBM\WebSphere\AppServer\profiles\AppSrv01\config\cells\ROIS-PSNode01Cell\applications\GBootStrap_war.ear\deployments\GBootStrap_war\META-INF\was.policy"

Apache Tomcat

Guide:

http://tomcat.apache.org/tomcat-6.0-doc/security-manager-howto.html#Configuring_Tomcat_With_A_SecurityManager

Outline of lines to be added:

grant codeBase "file:${catalina.base}/webapps/GBootStrap/-" {
	permission java.lang.RuntimePermission "getClassLoader";
	permission java.lang.RuntimePermission "accessClassInPackage.sun.net.www.protocol.*";
	permission java.io.FilePermission "<<ALL FILES>>", "read, write, delete";
	permission java.util.PropertyPermission "java.io.tmpdir", "read";
};

Location:

<CATALINA_HOME>/conf/catalina.policy

Example location:

"C:\Software\Tomcat\apache-tomcat-6.0.33\conf\catalina.policy"

WebLogic

Guide:

http://download.oracle.com/docs/cd/E13222_01/wls/docs81/security/server_prot.html

Specifically refer to the section entitled "Setting Application-Specific Security Policies"

Outline of lines to be added:

<security-permission>
 <description>
  Allow getting the J2EEJ2SETest4 property
 </description>
 <security-permission-spec>
  grant {
    permission java.util.PropertyPermission "welcome.J2EEJ2SETest4","read";
  };
 </security-permission-spec>
</security-permission>

Location:

weblogic.xml

JBoss

Guide:

http://docs.jboss.org/jbossweb/latest/security-manager-howto.html

Outline of lines to be added:

grant codeBase "file:${catalina.base}/webapps/GBootStrap/-" {
	permission java.lang.RuntimePermission "getClassLoader";
	permission java.lang.RuntimePermission "accessClassInPackage.sun.net.www.protocol.*";
	permission java.io.FilePermission "<<ALL FILES>>", "read, write, delete";
	permission java.util.PropertyPermission "java.io.tmpdir", "read";
};

Location:

<CATALINA_HOME>/conf/catalina.policy