From b09cfe4af7d989af738795f1b6edfbf7541b82ca Mon Sep 17 00:00:00 2001
From: Atwijukire Ariho Seth <120330466+Ariho-Seth@users.noreply.github.com>
Date: Thu, 31 Jul 2025 23:15:59 +0100
Subject: [PATCH 1/3] Refactoring out security.policy
Signed-off-by: Atwijukire Ariho Seth <120330466+Ariho-Seth@users.noreply.github.com>
---
.../src/test/resources/UpgradeTest.xml | 1 -
.../src/main/resources/config/domain.xml | 2 -
.../client/acc/agent/CLIBootstrap.java | 3 -
.../appclient/client/jws/boot/JWSACCMain.java | 56 -------
.../client/jws/boot/LaunchSecurityHelper.java | 11 +-
.../common/ClientClassLoaderDelegate.java | 25 ---
.../appclient/common/PermissionsUtil.java | 69 --------
.../main/resources/glassfish/bin/appclient.js | 1 -
.../admin/src/test/resources/DomainTest.xml | 2 +-
.../src/test/resources/DomainTest.xml | 2 +-
.../src/test/resources/PasswordAliasTest.xml | 2 +-
.../connectors/ConnectorRuntime.java | 4 +-
...nnectorConfigurationParserServiceImpl.java | 108 -------------
.../application/EJBSecurityManager.java | 25 +--
.../admin/src/test/resources/DomainTest.xml | 2 +-
.../src/test/resources/DomainTest.xml | 2 +-
.../src/test/resources/DomainTest.xml | 2 +-
.../src/test/resources/DomainTest.xml | 2 +-
.../src/test/resources/DomainTest.xml | 2 +-
.../security/ee/JavaEESecurityLifecycle.java | 13 --
.../enterprise/security/ee/SecurityUtil.java | 6 +-
.../security/ee/authorize/HandlerData.java | 28 ----
.../authorize/PolicyContextHandlerImpl.java | 15 +-
.../ee/authorize/cache/PermissionCache.java | 3 -
.../cache/PermissionCacheFactory.java | 21 +--
.../security/ee/perms/SMGlobalPolicyUtil.java | 152 +-----------------
.../web/integration/WebSecurityManager.java | 15 --
.../WebSecurityManagerFactory.java | 1 -
.../ee/perms/SMGlobalPolicyUtilTest.java | 76 +--------
.../iiop/security/SecurityContextUtil.java | 14 +-
.../com/sun/web/security/RealmAdapter.java | 1 -
.../webservices/SecurityServiceImpl.java | 1 -
.../admin/cli/resources/configs/v2domain.xml | 8 +-
.../cli/resources/configs/v3_0_1domain.xml | 2 +-
.../simple-versioned-appclient/build.xml | 1 -
.../devtests/security/jaccApi/build.xml | 2 -
.../devtests/transaction/ee/ee.xml | 1 -
.../osgitest/basicosgi/security.policy | 20 ---
.../admin/framework/testfiles/test.xml | 4 +-
.../admin/offlineconfig/testfiles/domain.xml | 2 +-
.../com/sun/enterprise/config/domain.orig.xml | 4 +-
.../web/loader/WebappClassLoader.java | 19 ---
.../catalina/loader/StandardClassLoader.java | 3 -
.../sun/web/server/EEInstanceListener.java | 17 +-
.../src/main/asciidoc/jvm.adoc | 1 -
.../src/main/asciidoc/instances.adoc | 2 -
.../src/main/asciidoc/delete-jvm-options.adoc | 2 +-
.../src/main/asciidoc/list-jvm-options.adoc | 1 -
.../src/test/resources/ClusterDomain.xml | 6 +-
.../src/test/resources/DomainTest.xml | 2 +-
.../src/test/resources/parser/c1i1.xml | 14 +-
.../src/test/resources/parser/c1i1c1i2.xml | 14 +-
.../src/test/resources/parser/i1.xml | 6 +-
.../src/test/resources/parser/i1i2.xml | 8 +-
.../test/resources/parser/noconfigfori1.xml | 6 +-
.../src/test/resources/parser/stock.xml | 4 +-
.../domains/baddomain/config/domain.xml | 2 +-
.../domains/domain1/config/domain.xml | 2 +-
.../domains/domain2/config/domain.xml | 2 +-
.../domains/domain3/config/domain.xml | 2 +-
.../domains/domainNoLog/config/domain.xml | 2 +-
.../src/main/resources/config/domain.xml | 4 +-
.../common-util/src/test/resources/big.xml | 2 +-
.../src/test/resources/clusters1.xml | 12 +-
.../src/test/resources/manysysprops.xml | 12 +-
.../src/test/resources/monitoringFalse.xml | 2 +-
.../src/test/resources/monitoringNone.xml | 2 +-
.../src/test/resources/monitoringTrue.xml | 2 +-
.../src/test/resources/olddomain.xml | 2 +-
.../v3/admin/commands/list-jvm-options.1 | 1 -
.../kernel/src/test/resources/DomainTest.xml | 2 +-
.../resources/lib/appclient/client.policy | 71 --------
.../lib/appclient/javaee.client.policy | 50 ------
.../lib/appclient/restrict.client.policy | 21 ---
.../security/LocalStrings.properties | 1 -
.../sun/enterprise/security/PolicyLoader.java | 85 +---------
.../enterprise/security/SecurityContext.java | 19 +--
.../security/SecurityLifecycle.java | 23 ---
.../services/common/SecurityAccessFilter.java | 10 +-
.../AuthorizationServiceImpl.java | 6 +-
80 files changed, 95 insertions(+), 1058 deletions(-)
delete mode 100644 appserver/tests/quicklook/osgitest/basicosgi/security.policy
delete mode 100644 nucleus/distributions/nucleus-common/src/main/resources/lib/appclient/client.policy
delete mode 100644 nucleus/distributions/nucleus-common/src/main/resources/lib/appclient/javaee.client.policy
delete mode 100644 nucleus/distributions/nucleus-common/src/main/resources/lib/appclient/restrict.client.policy
diff --git a/appserver/admin/admin-core/src/test/resources/UpgradeTest.xml b/appserver/admin/admin-core/src/test/resources/UpgradeTest.xml
index 032daebfa82..408d6ec2357 100644
--- a/appserver/admin/admin-core/src/test/resources/UpgradeTest.xml
+++ b/appserver/admin/admin-core/src/test/resources/UpgradeTest.xml
@@ -198,7 +198,6 @@
-XX:+UnlockDiagnosticVMOptions
-XX:+LogVMOutput
-XX:LogFile=${com.sun.aas.instanceRoot}/logs/jvm.log
- -Djava.security.policy=${com.sun.aas.instanceRoot}/config/server.policy
-Djava.security.auth.login.config=${com.sun.aas.instanceRoot}/config/login.conf
-Xmx512m
-Djavax.net.ssl.keyStore=${com.sun.aas.instanceRoot}/config/keystore.p12
diff --git a/appserver/admin/template/src/main/resources/config/domain.xml b/appserver/admin/template/src/main/resources/config/domain.xml
index c30fa534715..67217ee6580 100644
--- a/appserver/admin/template/src/main/resources/config/domain.xml
+++ b/appserver/admin/template/src/main/resources/config/domain.xml
@@ -166,7 +166,6 @@
-Djavax.xml.accessExternalSchema=all
-Djavax.management.builder.initial=com.sun.enterprise.v3.admin.AppServerMBeanServerBuilder
-XX:+UnlockDiagnosticVMOptions
- -Djava.security.policy=${com.sun.aas.instanceRoot}/config/server.policy
-Djava.security.auth.login.config=${com.sun.aas.instanceRoot}/config/login.conf
-Dcom.sun.enterprise.security.httpsOutboundKeyAlias=s1as
-Xmx512m
@@ -368,7 +367,6 @@
-Djdk.tls.rejectClientInitiatedRenegotiation=true
-Djdk.xml.totalEntitySizeLimit=50000000
-XX:+UnlockDiagnosticVMOptions
- -Djava.security.policy=${com.sun.aas.instanceRoot}/config/server.policy
-Djava.security.auth.login.config=${com.sun.aas.instanceRoot}/config/login.conf
-Dcom.sun.enterprise.security.httpsOutboundKeyAlias=s1as
-Djavax.net.ssl.keyStore=${com.sun.aas.instanceRoot}/config/keystore.p12
diff --git a/appserver/appclient/client/acc-standalone/src/main/java/org/glassfish/appclient/client/acc/agent/CLIBootstrap.java b/appserver/appclient/client/acc-standalone/src/main/java/org/glassfish/appclient/client/acc/agent/CLIBootstrap.java
index bf280f2713d..ba7169f1c75 100644
--- a/appserver/appclient/client/acc-standalone/src/main/java/org/glassfish/appclient/client/acc/agent/CLIBootstrap.java
+++ b/appserver/appclient/client/acc-standalone/src/main/java/org/glassfish/appclient/client/acc/agent/CLIBootstrap.java
@@ -77,8 +77,6 @@ public class CLIBootstrap {
static final String ENV_VAR_PROP_PREFIX = "acc.";
-
- private final static String SECURITY_POLICY_PROPERTY_EXPR = "-Djava.security.policy=";
private final static String SECURITY_AUTH_LOGIN_CONFIG_PROPERTY_EXPR = "-Djava.security.auth.login.config=";
private final static String SYSPROP_SYSTEM_CLASS_LOADER = "-Djava.system.class.loader=";
@@ -293,7 +291,6 @@ private void addProperties(final StringBuilder command) {
command.append(' ').append(SYSPROP_SYSTEM_CLASS_LOADER).append("org.glassfish.appclient.client.acc.agent.ACCAgentClassLoader");
command.append(' ').append("-D").append(INSTALL_ROOT.getSystemPropertyName()).append('=').append(quote(gfInfo.home().getAbsolutePath()));
command.append(' ').append("-Dorg.glassfish.gmbal.no.multipleUpperBoundsException=true");
- command.append(' ').append(SECURITY_POLICY_PROPERTY_EXPR).append(quote(gfInfo.securityPolicy().getAbsolutePath()));
command.append(' ').append(SECURITY_AUTH_LOGIN_CONFIG_PROPERTY_EXPR).append(quote(gfInfo.loginConfig().toExternalForm()));
}
diff --git a/appserver/appclient/client/acc/src/main/java/org/glassfish/appclient/client/jws/boot/JWSACCMain.java b/appserver/appclient/client/acc/src/main/java/org/glassfish/appclient/client/jws/boot/JWSACCMain.java
index e5ee12509cb..a254f1dbe95 100644
--- a/appserver/appclient/client/acc/src/main/java/org/glassfish/appclient/client/jws/boot/JWSACCMain.java
+++ b/appserver/appclient/client/acc/src/main/java/org/glassfish/appclient/client/jws/boot/JWSACCMain.java
@@ -29,17 +29,13 @@
import java.lang.reflect.Constructor;
import java.lang.reflect.InvocationTargetException;
import java.net.MalformedURLException;
-import java.net.URI;
import java.net.URISyntaxException;
import java.net.URL;
-import java.security.Policy;
-import java.text.MessageFormat;
import java.util.ResourceBundle;
import java.util.Vector;
import javax.swing.SwingUtilities;
-import org.glassfish.appclient.client.acc.AppClientContainer;
import org.glassfish.appclient.client.acc.JWSACCClassLoader;
import static org.glassfish.main.jdke.props.SystemProperties.setProperty;
@@ -62,9 +58,6 @@
*/
public class JWSACCMain implements Runnable {
- /** name of the permissions template */
- private static final String PERMISSIONS_TEMPLATE_NAME = "jwsclient.policy";
-
/** placeholder used in the policy template to substitute dynamically-generated grant clauses */
private static final String GRANT_CLAUSES_PROPERTY_EXPR = "${grant.clauses}";
@@ -79,11 +72,6 @@ public class JWSACCMain implements Runnable {
private static final String JWSACC_RUN_ON_SWING_THREAD = "RunOnSwingThread";
- /** grant clause template for dynamically populating the policy */
- private static final String GRANT_CLAUSE_TEMPLATE = "grant codeBase \"{0}\" '{'\n" +
- " permission java.security.AllPermission;\n" +
- "'}';";
-
/**
* request to exit the JVM upon return from the client - should be set (via
* the -jwsacc command-line argument value) only for
@@ -138,12 +126,6 @@ public static void main(String[] args) {
throw new IllegalArgumentException(rb.getString("jwsacc.errorLocJARs"), thr);
}
- /*
- *Before creating the new instance of the real ACC main, set permissions
- *so ACC and the user's app client can function properly.
- */
- setPermissions();
-
/*
*Make sure that the main ACC class is instantiated and run in the
*same thread. Java Web Start may not normally do so.
@@ -274,37 +256,6 @@ private static void processJWSArgs(Vector args) {
}
}
- private static void setPermissions() {
- try {
- /*
- */
- String permissionsTemplate = loadResource(JWSACCMain.class, PERMISSIONS_TEMPLATE_NAME);
-
- /*
- *Prepare the grant clauses for the downloaded jars and substitute
- *those clauses into the policy template.
- */
- StringBuilder grantClauses = new StringBuilder();
-
- for (URL url : downloadedJarURLs) {
- grantClauses.append(MessageFormat.format(GRANT_CLAUSE_TEMPLATE, url.toExternalForm()));
- }
-
- for (URL url : persistenceJarURLs) {
- grantClauses.append(MessageFormat.format(GRANT_CLAUSE_TEMPLATE, url.toExternalForm()));
- }
-
- String substitutedPermissionsTemplate = permissionsTemplate.replace(GRANT_CLAUSES_PROPERTY_EXPR, grantClauses.toString());
- boolean retainTempFiles = Boolean.getBoolean(AppClientContainer.APPCLIENT_RETAIN_TEMP_FILES_PROPERTYNAME);
- File policyFile = writeTextToTempFile(substitutedPermissionsTemplate, "jwsacc", ".policy", retainTempFiles);
-
- refreshPolicy(policyFile);
-
- } catch (IOException ioe) {
- throw new RuntimeException("Error loading permissions template", ioe);
- }
- }
-
/**
*Locates the first free policy.url.x setting.
*@return the int value for the first unused policy setting
@@ -324,13 +275,6 @@ public static int firstFreePolicyIndex() {
*as additional policy.
*@param policyFile the file containing additional policy
*/
- public static void refreshPolicy(File policyFile) {
- int idx = firstFreePolicyIndex();
- URI policyFileURI = policyFile.toURI();
- java.security.Security.setProperty("policy.url." + idx, policyFileURI.toASCIIString());
- Policy p = Policy.getPolicy();
- p.refresh();
- }
/**
*The methods below are duplicates from the com.sun.enterprise.appclient.jws.Util class.
diff --git a/appserver/appclient/client/acc/src/main/java/org/glassfish/appclient/client/jws/boot/LaunchSecurityHelper.java b/appserver/appclient/client/acc/src/main/java/org/glassfish/appclient/client/jws/boot/LaunchSecurityHelper.java
index d72b6074845..a0ca6a650c5 100644
--- a/appserver/appclient/client/acc/src/main/java/org/glassfish/appclient/client/jws/boot/LaunchSecurityHelper.java
+++ b/appserver/appclient/client/acc/src/main/java/org/glassfish/appclient/client/jws/boot/LaunchSecurityHelper.java
@@ -21,8 +21,6 @@
import java.io.IOException;
import java.io.InputStream;
import java.io.InputStreamReader;
-import java.net.URI;
-import java.security.Policy;
import org.glassfish.appclient.client.acc.AppClientContainer;
import org.glassfish.appclient.client.acc.Util;
@@ -50,7 +48,6 @@ public static void setPermissions() {
*/
boolean retainTempFiles = Boolean.getBoolean(AppClientContainer.APPCLIENT_RETAIN_TEMP_FILES_PROPERTYNAME);
File policyFile = Util.writeTextToTempFile(permissionsTemplate, "jwsacc", ".policy", retainTempFiles);
- refreshPolicy(policyFile);
} catch (IOException ioe) {
throw new RuntimeException("Error loading permissions template", ioe);
@@ -115,11 +112,5 @@ private static int firstFreePolicyIndex() {
* as additional policy.
* @param policyFile the file containing additional policy
*/
- private static void refreshPolicy(File policyFile) {
- int idx = firstFreePolicyIndex();
- URI policyFileURI = policyFile.toURI();
- java.security.Security.setProperty("policy.url." + idx, policyFileURI.toASCIIString());
- Policy p = Policy.getPolicy();
- p.refresh();
- }
+
}
diff --git a/appserver/appclient/client/acc/src/main/java/org/glassfish/appclient/common/ClientClassLoaderDelegate.java b/appserver/appclient/client/acc/src/main/java/org/glassfish/appclient/common/ClientClassLoaderDelegate.java
index ed04f73c3ac..50fd7d22190 100644
--- a/appserver/appclient/client/acc/src/main/java/org/glassfish/appclient/common/ClientClassLoaderDelegate.java
+++ b/appserver/appclient/client/acc/src/main/java/org/glassfish/appclient/common/ClientClassLoaderDelegate.java
@@ -33,31 +33,6 @@ public class ClientClassLoaderDelegate {
public ClientClassLoaderDelegate(URLClassLoader cl) {
this.cl = cl;
- loadPemissions();
- }
-
- private void loadPemissions() {
- try {
- processDeclaredPermissions();
- } catch (IOException e) {
- throw new RuntimeException(e);
- }
- }
-
- private void processDeclaredPermissions() throws IOException {
- if (System.getSecurityManager() == null) {
- return;
- }
-
- PermissionCollection declaredPermissionCollection = PermissionsUtil.getClientDeclaredPermissions(cl);
-
- PermissionCollection eePc = PermissionsUtil.getClientEEPolicy(cl);
- PermissionCollection eeRestriction = PermissionsUtil.getClientRestrictPolicy(cl);
-
- SMGlobalPolicyUtil.checkRestriction(eePc, eeRestriction);
- SMGlobalPolicyUtil.checkRestriction(declaredPermissionCollection, eeRestriction);
-
- permHolder = new PermsHolder(eePc, declaredPermissionCollection, eeRestriction);
}
public PermissionCollection getCachedPerms(CodeSource codesource) {
diff --git a/appserver/appclient/client/acc/src/main/java/org/glassfish/appclient/common/PermissionsUtil.java b/appserver/appclient/client/acc/src/main/java/org/glassfish/appclient/common/PermissionsUtil.java
index 9f58dba1457..07a06f19f99 100644
--- a/appserver/appclient/client/acc/src/main/java/org/glassfish/appclient/common/PermissionsUtil.java
+++ b/appserver/appclient/client/acc/src/main/java/org/glassfish/appclient/common/PermissionsUtil.java
@@ -17,22 +17,13 @@
import com.sun.enterprise.security.ee.perms.XMLPermissionsHandler;
-import java.io.File;
import java.io.FileNotFoundException;
import java.io.IOException;
-import java.net.MalformedURLException;
-import java.net.URISyntaxException;
import java.net.URL;
-import java.security.CodeSource;
-import java.security.NoSuchAlgorithmException;
import java.security.PermissionCollection;
-import java.security.Policy;
-import java.security.URIParameter;
-import java.security.cert.Certificate;
import javax.xml.stream.XMLStreamException;
-import static com.sun.enterprise.security.ee.perms.SMGlobalPolicyUtil.CLIENT_TYPE_CODESOURCE;
import static com.sun.enterprise.security.ee.perms.SMGlobalPolicyUtil.CommponentType.car;
public class PermissionsUtil {
@@ -63,64 +54,4 @@ public static PermissionCollection getClientDeclaredPermissions(ClassLoader clas
}
}
- // get the permissions configured inside the javaee.client.policy,
- // which might be packaged inside the client jar,
- // or from the installed folder lib/appclient
- // result could be null if either of the above is found
- public static PermissionCollection getClientEEPolicy(ClassLoader classLoader) throws IOException {
- return getClientPolicy(classLoader, CLIENT_EE_PERMS_PKG, CLIENT_EE_PERMS_FILE);
- }
-
- // get the permissions configured inside the javaee.client.policy,
- // which might be packaged inside the client jar,
- // or from the installed folder lib/appclient
- // result could be null if either of the above is found
- public static PermissionCollection getClientRestrictPolicy(ClassLoader classLoader) throws IOException {
- return getClientPolicy(classLoader, CLIENT_RESTRICT_PERMS_PKG, CLIENT_RESTRICT_PERMS_FILE);
- }
-
- private static PermissionCollection getClientPolicy(ClassLoader classLoader, String pkgedFile, String policyFileName) throws IOException {
-
- // 1st try to find from the packaged client jar
- URL eeClientUrl = classLoader.getResource(pkgedFile);
- if (eeClientUrl != null)
- return getEEPolicyPermissions(eeClientUrl);
-
- // 2nd try to find from client's installation at lib/appclient folder
- String clientPolicyClocation = getClientInstalledPath();
- if (clientPolicyClocation != null) {
- return getPolicyPermissions(clientPolicyClocation + policyFileName);
- }
-
- return null;
-
- }
-
- private static PermissionCollection getPolicyPermissions(String policyFilename) throws IOException {
- if (!new File(policyFilename).exists()) {
- return null;
- }
-
- return getEEPolicyPermissions(new URL("file:" + policyFilename));
- }
-
- private static PermissionCollection getEEPolicyPermissions(URL fileUrl) throws IOException {
- try {
- return
- Policy.getInstance("JavaPolicy", new URIParameter(fileUrl.toURI()))
- .getPermissions(new CodeSource(new URL(CLIENT_TYPE_CODESOURCE), (Certificate[]) null));
- } catch (NoSuchAlgorithmException | MalformedURLException | URISyntaxException e) {
- throw new IllegalStateException(e);
- }
- }
-
- private static String getClientInstalledPath() {
- String policyPath = System.getProperty("java.security.policy");
- if (policyPath == null) {
- return null;
- }
-
- return new File(policyPath).getParent() + File.separator;
- }
-
}
diff --git a/appserver/appclient/client/appclient-scripts/src/main/resources/glassfish/bin/appclient.js b/appserver/appclient/client/appclient-scripts/src/main/resources/glassfish/bin/appclient.js
index 8facac7be60..25186598ba4 100644
--- a/appserver/appclient/client/appclient-scripts/src/main/resources/glassfish/bin/appclient.js
+++ b/appserver/appclient/client/appclient-scripts/src/main/resources/glassfish/bin/appclient.js
@@ -43,7 +43,6 @@ var appcPath = envVars("APPCPATH");
var accJar=quoteStringIfNeeded(AS_INSTALL + "\\lib\\gf-client.jar");
var jvmArgs="-Dcom.sun.aas.installRoot=" + quoteStringIfNeeded(AS_INSTALL) +
- " -Djava.security.policy=" + quoteStringIfNeeded(AS_INSTALL + "\\lib\\appclient\\client.policy") +
" -Djava.system.class.loader=org.glassfish.appclient.client.acc.agent.ACCAgentClassLoader" +
" -Djava.security.auth.login.config=" + quoteStringIfNeeded(AS_INSTALL + "\\lib\\appclient\\appclientlogin.conf");
var VMARGS = envVars("VMARGS");
diff --git a/appserver/connectors/admin/src/test/resources/DomainTest.xml b/appserver/connectors/admin/src/test/resources/DomainTest.xml
index e3cb9792a5c..517178c0ce5 100644
--- a/appserver/connectors/admin/src/test/resources/DomainTest.xml
+++ b/appserver/connectors/admin/src/test/resources/DomainTest.xml
@@ -134,7 +134,7 @@
-XX:+UnlockDiagnosticVMOptions
-XX:+LogVMOutput
-XX:LogFile=${com.sun.aas.instanceRoot}/logs/jvm.log
- -Djava.security.policy=${com.sun.aas.instanceRoot}/config/server.policy
+
-Djava.security.auth.login.config=${com.sun.aas.instanceRoot}/config/login.conf
-Dsun.rmi.dgc.server.gcInterval=3600000
diff --git a/appserver/connectors/connectors-internal-api/src/test/resources/DomainTest.xml b/appserver/connectors/connectors-internal-api/src/test/resources/DomainTest.xml
index 733999eb277..90d095c39c2 100644
--- a/appserver/connectors/connectors-internal-api/src/test/resources/DomainTest.xml
+++ b/appserver/connectors/connectors-internal-api/src/test/resources/DomainTest.xml
@@ -128,7 +128,7 @@
-XX:+UnlockDiagnosticVMOptions
-XX:+LogVMOutput
-XX:LogFile=${com.sun.aas.instanceRoot}/logs/jvm.log
- -Djava.security.policy=${com.sun.aas.instanceRoot}/config/server.policy
+
-Djava.security.auth.login.config=${com.sun.aas.instanceRoot}/config/login.conf
-Dsun.rmi.dgc.server.gcInterval=3600000
diff --git a/appserver/connectors/connectors-internal-api/src/test/resources/PasswordAliasTest.xml b/appserver/connectors/connectors-internal-api/src/test/resources/PasswordAliasTest.xml
index 04085641b58..45f1f4551be 100644
--- a/appserver/connectors/connectors-internal-api/src/test/resources/PasswordAliasTest.xml
+++ b/appserver/connectors/connectors-internal-api/src/test/resources/PasswordAliasTest.xml
@@ -137,7 +137,7 @@
-XX:+UnlockDiagnosticVMOptions
-XX:+LogVMOutput
-XX:LogFile=${com.sun.aas.instanceRoot}/logs/jvm.log
- -Djava.security.policy=${com.sun.aas.instanceRoot}/config/server.policy
+
-Djava.security.auth.login.config=${com.sun.aas.instanceRoot}/config/login.conf
-Dcom.sun.enterprise.security.httpsOutboundKeyAlias=s1as
-Xmx512m
diff --git a/appserver/connectors/connectors-runtime/src/main/java/com/sun/enterprise/connectors/ConnectorRuntime.java b/appserver/connectors/connectors-runtime/src/main/java/com/sun/enterprise/connectors/ConnectorRuntime.java
index de15b84887b..ff08e61528c 100755
--- a/appserver/connectors/connectors-runtime/src/main/java/com/sun/enterprise/connectors/ConnectorRuntime.java
+++ b/appserver/connectors/connectors-runtime/src/main/java/com/sun/enterprise/connectors/ConnectorRuntime.java
@@ -651,12 +651,12 @@ public String[] getSystemConnectorsAllowingPoolCreation() {
@Override
public String[] getConnectionDefinitionNames(String rarName) throws ConnectorRuntimeException {
- return configParserAdmService.getConnectionDefinitionNames(rarName);
+ return null;
}
@Override
public String getSecurityPermissionSpec(String moduleName) throws ConnectorRuntimeException {
- return configParserAdmService.getSecurityPermissionSpec(moduleName);
+ return null;
}
@Override
diff --git a/appserver/connectors/connectors-runtime/src/main/java/com/sun/enterprise/connectors/service/ConnectorConfigurationParserServiceImpl.java b/appserver/connectors/connectors-runtime/src/main/java/com/sun/enterprise/connectors/service/ConnectorConfigurationParserServiceImpl.java
index 661165264bd..bc4d65553ec 100755
--- a/appserver/connectors/connectors-runtime/src/main/java/com/sun/enterprise/connectors/service/ConnectorConfigurationParserServiceImpl.java
+++ b/appserver/connectors/connectors-runtime/src/main/java/com/sun/enterprise/connectors/service/ConnectorConfigurationParserServiceImpl.java
@@ -21,18 +21,10 @@
import com.sun.enterprise.connectors.util.AdminObjectConfigParser;
import com.sun.enterprise.connectors.util.ConnectorConfigParser;
import com.sun.enterprise.connectors.util.ConnectorConfigParserFactory;
-import com.sun.enterprise.connectors.util.MCFConfigParser;
import com.sun.enterprise.connectors.util.MessageListenerConfigParser;
import com.sun.enterprise.deployment.ConnectorDescriptor;
-import com.sun.enterprise.deployment.SecurityPermission;
-import java.io.BufferedReader;
-import java.io.File;
-import java.io.FileReader;
-import java.util.Iterator;
import java.util.Properties;
-import java.util.Set;
-import java.util.logging.Level;
/**
@@ -48,106 +40,6 @@ public class ConnectorConfigurationParserServiceImpl extends ConnectorService {
public ConnectorConfigurationParserServiceImpl() {
}
- /**
- * Obtains the Permission string that needs to be added to the
- * to the security policy files. These are the security permissions needed
- * by the resource adapter implementation classes.
- * These strings are obtained by parsing the ra.xml
- *
- * @param moduleName rar module Name
- * @return Required policy permissions in server.policy file
- * @throws ConnectorRuntimeException If rar.xml parsing fails.
- */
- public String getSecurityPermissionSpec(String moduleName)
- throws ConnectorRuntimeException {
-
- if (moduleName == null) {
- return null;
- }
- String policyString = null;
-
- //check whether the policy file already has required permissions.
- String fileName = System.getProperty("java.security.policy");
- if (fileName != null) {
- File policyFile = new File(fileName);
- String policyContent = getFileContent(policyFile);
-
- ConnectorDescriptor connectorDescriptor = getConnectorDescriptor(moduleName);
- Set securityPermissions = connectorDescriptor.getSecurityPermissions();
- Iterator it = securityPermissions.iterator();
- SecurityPermission secPerm = null;
- String permissionString = null;
-
- while (it.hasNext()) {
- secPerm = (SecurityPermission) it.next();
- permissionString = secPerm.getPermission();
- if(permissionString != null) {
- int intIndex = policyContent.indexOf(permissionString);
- if (intIndex == -1) {
- if (policyString != null) {
- policyString = policyString + "\n \n" + permissionString;
- } else {
- policyString = "\n\n" + permissionString;
- }
- }
- }
- }
-
- //print the missing permissions
- if (policyString != null) {
- policyString = CAUTION_MESSAGE + policyString;
- }
- }
- return policyString;
- }
-
- /**
- * Obtain the content of server.policy file
- *
- * @param file File server.policy file
- * @return String content of server.policy file
- */
- public String getFileContent(File file) {
- StringBuilder contents = new StringBuilder();
- BufferedReader input = null;
- try {
- input = new BufferedReader(new FileReader(file));
- try {
- String line = null;
- while ((line = input.readLine()) != null) {
- contents.append(line);
- contents.append(System.getProperty("line.separator"));
- }
- } finally {
- input.close();
- }
- }
- catch (Exception ex) {
- _logger.log(Level.WARNING, "Exception while performing resource-adapter's " +
- "security permission check : ", ex);
- }
- return contents.toString();
- }
-
- /** Obtains all the Connection definition names of a rar
- * @param rarName rar moduleName
- * @return Array of connection definition names.
- */
- public String[] getConnectionDefinitionNames(String rarName)
- throws ConnectorRuntimeException
- {
-
- String[] result = new String[0];
- ConnectorDescriptor desc = getConnectorDescriptor(rarName);
- if(desc != null) {
- MCFConfigParser mcfConfigParser = (MCFConfigParser)
- ConnectorConfigParserFactory.getParser(ConnectorConfigParser.MCF);
- return mcfConfigParser.getConnectionDefinitionNames(desc);
- } else {
- return result;
- }
- }
-
/**
* Retrieves the Resource adapter javabean properties with default values.
* The default values will the values present in the ra.xml. If the
diff --git a/appserver/ejb/ejb-container/src/main/java/org/glassfish/ejb/security/application/EJBSecurityManager.java b/appserver/ejb/ejb-container/src/main/java/org/glassfish/ejb/security/application/EJBSecurityManager.java
index 975213665d9..ad89ef335c8 100644
--- a/appserver/ejb/ejb-container/src/main/java/org/glassfish/ejb/security/application/EJBSecurityManager.java
+++ b/appserver/ejb/ejb-container/src/main/java/org/glassfish/ejb/security/application/EJBSecurityManager.java
@@ -26,13 +26,11 @@
import com.sun.enterprise.security.common.AppservAccessController;
import com.sun.enterprise.security.ee.SecurityUtil;
import com.sun.enterprise.security.ee.audit.AppServerAuditManager;
-import com.sun.enterprise.security.ee.authorize.PolicyContextHandlerImpl;
import com.sun.enterprise.security.ee.authorize.cache.PermissionCache;
import com.sun.enterprise.security.ee.authorize.cache.PermissionCacheFactory;
import com.sun.logging.LogDomains;
import jakarta.security.jacc.EJBMethodPermission;
-import jakarta.security.jacc.PolicyContext;
import java.lang.reflect.Method;
import java.net.MalformedURLException;
@@ -91,8 +89,6 @@ public final class EJBSecurityManager implements SecurityManager {
private static final Logger _logger = LogDomains.getLogger(EJBSecurityManager.class, LogDomains.EJB_LOGGER);
- private static final PolicyContextHandlerImpl pcHandlerImpl = PolicyContextHandlerImpl.getInstance();
-
// We use two protection domain caches until we decide how to
// set the applicationCodeSource in the protection domain of system apps.
//
@@ -200,7 +196,6 @@ public boolean authorize(ComponentInvocation componentInvocation) {
return ejbInvocation.getAuth().booleanValue();
}
- pcHandlerImpl.getHandlerData().setInvocation(ejbInvocation);
SecurityContext securityContext = SecurityContext.getCurrent();
@@ -293,7 +288,7 @@ public Object invoke(Method beanClassMethod, boolean isLocal, Object bean, Objec
// System Security Manager is disabled.
// Still need to execute it within the target bean's policy context.
// see CR 6331550
- if ((isLocal && getUsesCallerIdentity()) || getSecurityManager() == null) {
+ if ((isLocal && getUsesCallerIdentity())) {
return authorizationService.invokeBeanMethod(bean, beanClassMethod, methodParameters);
}
@@ -550,25 +545,7 @@ public Object run() {
@Override
public void resetPolicyContext() {
- if (System.getSecurityManager() == null) {
- PolicyContextHandlerImpl.getInstance().reset();
- PolicyContext.setContextID(null);
- return;
- }
- try {
- AppservAccessController.doPrivileged(new PrivilegedExceptionAction<>() {
- @Override
- public Object run() throws Exception {
- PolicyContextHandlerImpl.getInstance().reset();
- PolicyContext.setContextID(null);
- return null;
- }
- });
- } catch (PrivilegedActionException pae) {
- _logger.log(SEVERE, "Unexpected exception manipulating policy context", pae);
- throw new RuntimeException(pae);
- }
}
private SecurityContext getSecurityContext() {
diff --git a/appserver/jdbc/admin/src/test/resources/DomainTest.xml b/appserver/jdbc/admin/src/test/resources/DomainTest.xml
index 8160668d34a..af628c4d859 100644
--- a/appserver/jdbc/admin/src/test/resources/DomainTest.xml
+++ b/appserver/jdbc/admin/src/test/resources/DomainTest.xml
@@ -119,7 +119,7 @@
-client
- -Djava.security.policy=${com.sun.aas.instanceRoot}/config/server.policy
+
-Djava.security.auth.login.config=${com.sun.aas.instanceRoot}/config/login.conf
-Dsun.rmi.dgc.server.gcInterval=3600000
-Dsun.rmi.dgc.client.gcInterval=3600000
diff --git a/appserver/jdbc/jdbc-runtime/src/test/resources/DomainTest.xml b/appserver/jdbc/jdbc-runtime/src/test/resources/DomainTest.xml
index 67defe4336a..779f9cc064b 100644
--- a/appserver/jdbc/jdbc-runtime/src/test/resources/DomainTest.xml
+++ b/appserver/jdbc/jdbc-runtime/src/test/resources/DomainTest.xml
@@ -142,7 +142,7 @@
-XX:+UnlockDiagnosticVMOptions
-XX:+LogVMOutput
-XX:LogFile=${com.sun.aas.instanceRoot}/logs/jvm.log
- -Djava.security.policy=${com.sun.aas.instanceRoot}/config/server.policy
+
-Djava.security.auth.login.config=${com.sun.aas.instanceRoot}/config/login.conf
-Dsun.rmi.dgc.server.gcInterval=3600000
diff --git a/appserver/orb/orb-connector/src/test/resources/DomainTest.xml b/appserver/orb/orb-connector/src/test/resources/DomainTest.xml
index 87460ecffe0..24435e9f9be 100644
--- a/appserver/orb/orb-connector/src/test/resources/DomainTest.xml
+++ b/appserver/orb/orb-connector/src/test/resources/DomainTest.xml
@@ -128,7 +128,7 @@
-XX:+UnlockDiagnosticVMOptions
-XX:+LogVMOutput
-XX:LogFile=${com.sun.aas.instanceRoot}/logs/jvm.log
- -Djava.security.policy=${com.sun.aas.instanceRoot}/config/server.policy
+
-Djava.security.auth.login.config=${com.sun.aas.instanceRoot}/config/login.conf
-Dsun.rmi.dgc.server.gcInterval=3600000
diff --git a/appserver/resources/mail/mail-connector/src/test/resources/DomainTest.xml b/appserver/resources/mail/mail-connector/src/test/resources/DomainTest.xml
index e3cb9792a5c..517178c0ce5 100644
--- a/appserver/resources/mail/mail-connector/src/test/resources/DomainTest.xml
+++ b/appserver/resources/mail/mail-connector/src/test/resources/DomainTest.xml
@@ -134,7 +134,7 @@
-XX:+UnlockDiagnosticVMOptions
-XX:+LogVMOutput
-XX:LogFile=${com.sun.aas.instanceRoot}/logs/jvm.log
- -Djava.security.policy=${com.sun.aas.instanceRoot}/config/server.policy
+
-Djava.security.auth.login.config=${com.sun.aas.instanceRoot}/config/login.conf
-Dsun.rmi.dgc.server.gcInterval=3600000
diff --git a/appserver/resources/resources-connector/src/test/resources/DomainTest.xml b/appserver/resources/resources-connector/src/test/resources/DomainTest.xml
index e32bdf6f3b1..27f89949f6a 100644
--- a/appserver/resources/resources-connector/src/test/resources/DomainTest.xml
+++ b/appserver/resources/resources-connector/src/test/resources/DomainTest.xml
@@ -125,7 +125,7 @@
-Djavax.xml.accessExternalSchema=all
-Djavax.management.builder.initial=com.sun.enterprise.v3.admin.AppServerMBeanServerBuilder
-XX:+UnlockDiagnosticVMOptions
- -Djava.security.policy=${com.sun.aas.instanceRoot}/config/server.policy
+
-Djava.security.auth.login.config=${com.sun.aas.instanceRoot}/config/login.conf
-Dcom.sun.enterprise.security.httpsOutboundKeyAlias=s1as
-Xmx512m
diff --git a/appserver/security/core-ee/src/main/java/com/sun/enterprise/security/ee/JavaEESecurityLifecycle.java b/appserver/security/core-ee/src/main/java/com/sun/enterprise/security/ee/JavaEESecurityLifecycle.java
index febbf218778..1c5f5c7cf2b 100644
--- a/appserver/security/core-ee/src/main/java/com/sun/enterprise/security/ee/JavaEESecurityLifecycle.java
+++ b/appserver/security/core-ee/src/main/java/com/sun/enterprise/security/ee/JavaEESecurityLifecycle.java
@@ -61,19 +61,6 @@ public void postConstruct() {
@Override
public void onInitialization() {
- java.lang.SecurityManager securityManager = System.getSecurityManager();
-
- // TODO: need someway to not override the SecMgr if the EmbeddedServer was
- // run with a different non-default SM.
- // right now there seems no way to find out if the SM is the VM's default SM.
- if (securityManager != null && !J2EESecurityManager.class.equals(securityManager.getClass())) {
- try {
- System.setSecurityManager(new J2EESecurityManager());
- } catch (SecurityException ex) {
- LOG.log(WARNING, "Could not override SecurityManager");
- }
- }
-
initializeJakartaAuthentication();
}
diff --git a/appserver/security/core-ee/src/main/java/com/sun/enterprise/security/ee/SecurityUtil.java b/appserver/security/core-ee/src/main/java/com/sun/enterprise/security/ee/SecurityUtil.java
index 54914c5a576..3b24991f09b 100644
--- a/appserver/security/core-ee/src/main/java/com/sun/enterprise/security/ee/SecurityUtil.java
+++ b/appserver/security/core-ee/src/main/java/com/sun/enterprise/security/ee/SecurityUtil.java
@@ -28,7 +28,6 @@
import jakarta.security.jacc.PolicyConfigurationFactory;
import jakarta.security.jacc.PolicyContextException;
-import java.security.Policy;
import java.util.Collection;
import java.util.logging.Logger;
@@ -106,10 +105,7 @@ public static void removePolicy(String contextId) throws IASSecurityException {
// find the PolicyConfig and delete it.
PolicyConfiguration pc = PolicyConfigurationFactory.getPolicyConfigurationFactory().getPolicyConfiguration(contextId, false);
pc.delete();
- // Only do refresh policy if the deleted context was in service
- if (wasInService) {
- Policy.getPolicy().refresh();
- }
+
} catch (ClassNotFoundException cnfe) {
String msg = localStrings.getLocalString("enterprise.security.securityutil.classnotfound",
diff --git a/appserver/security/core-ee/src/main/java/com/sun/enterprise/security/ee/authorize/HandlerData.java b/appserver/security/core-ee/src/main/java/com/sun/enterprise/security/ee/authorize/HandlerData.java
index 27dc99273d7..a1b63f64545 100644
--- a/appserver/security/core-ee/src/main/java/com/sun/enterprise/security/ee/authorize/HandlerData.java
+++ b/appserver/security/core-ee/src/main/java/com/sun/enterprise/security/ee/authorize/HandlerData.java
@@ -54,34 +54,6 @@ public void setInvocation(ComponentInvocation inv) {
this.inv = inv;
}
- public Object get(String key) {
- if (PolicyContextHandlerImpl.HTTP_SERVLET_REQUEST.equalsIgnoreCase(key)) {
- return httpReq;
- }
- if (PolicyContextHandlerImpl.SUBJECT.equalsIgnoreCase(key)) {
- return SecurityContext.getCurrent().getSubject();
- }
- if (PolicyContextHandlerImpl.REUSE.equalsIgnoreCase(key)) {
- PermissionCacheFactory.resetCaches();
- return Integer.valueOf(0);
- }
-
- if (inv == null) {
- return null;
- }
-
- if (PolicyContextHandlerImpl.SOAP_MESSAGE.equalsIgnoreCase(key)) {
- return ejbDelegate != null ? ejbDelegate.getSOAPMessage(inv) : null;
- }
- if (PolicyContextHandlerImpl.ENTERPRISE_BEAN.equalsIgnoreCase(key)) {
- return ejbDelegate != null ? ejbDelegate.getEnterpriseBean(inv) : null;
- }
- if (PolicyContextHandlerImpl.EJB_ARGUMENTS.equalsIgnoreCase(key)) {
- return ejbDelegate != null ? ejbDelegate.getEJbArguments(inv) : null;
- }
- return null;
- }
-
void reset() {
httpReq = null;
inv = null;
diff --git a/appserver/security/core-ee/src/main/java/com/sun/enterprise/security/ee/authorize/PolicyContextHandlerImpl.java b/appserver/security/core-ee/src/main/java/com/sun/enterprise/security/ee/authorize/PolicyContextHandlerImpl.java
index 5510d6e71a6..ca3a5882ce7 100644
--- a/appserver/security/core-ee/src/main/java/com/sun/enterprise/security/ee/authorize/PolicyContextHandlerImpl.java
+++ b/appserver/security/core-ee/src/main/java/com/sun/enterprise/security/ee/authorize/PolicyContextHandlerImpl.java
@@ -34,7 +34,6 @@ public class PolicyContextHandlerImpl implements PolicyContextHandler {
public static final String ENTERPRISE_BEAN = "jakarta.ejb.EnterpriseBean";
public static final String EJB_ARGUMENTS = "jakarta.ejb.arguments";
public static final String SUBJECT = "javax.security.auth.Subject.container";
- public static final String REUSE = "java.security.Policy.supportsReuse";
private static PolicyContextHandlerImpl pchimpl = null;
@@ -50,15 +49,6 @@ private synchronized static PolicyContextHandlerImpl _getInstance() {
return pchimpl;
}
- public static PolicyContextHandlerImpl getInstance() {
- SecurityManager sm = System.getSecurityManager();
- if (sm != null) {
- sm.checkPermission(new SecurityPermission("setPolicy"));
- }
-
- return _getInstance();
- }
-
@Override
public boolean supports(String key) {
String[] s = getKeys();
@@ -72,14 +62,13 @@ public boolean supports(String key) {
@Override
public String[] getKeys() {
- String[] s = { HTTP_SERVLET_REQUEST, SOAP_MESSAGE, ENTERPRISE_BEAN, SUBJECT, EJB_ARGUMENTS, REUSE };
+ String[] s = { HTTP_SERVLET_REQUEST, SOAP_MESSAGE, ENTERPRISE_BEAN, SUBJECT, EJB_ARGUMENTS };
return s;
}
@Override
public Object getContext(String key, Object data) {
- // ignore data Object
- return getHandlerData().get(key);
+ return null;
}
public HandlerData getHandlerData() {
diff --git a/appserver/security/core-ee/src/main/java/com/sun/enterprise/security/ee/authorize/cache/PermissionCache.java b/appserver/security/core-ee/src/main/java/com/sun/enterprise/security/ee/authorize/cache/PermissionCache.java
index 10334d755e8..510b86f8a74 100644
--- a/appserver/security/core-ee/src/main/java/com/sun/enterprise/security/ee/authorize/cache/PermissionCache.java
+++ b/appserver/security/core-ee/src/main/java/com/sun/enterprise/security/ee/authorize/cache/PermissionCache.java
@@ -28,7 +28,6 @@
import java.security.Permission;
import java.security.PermissionCollection;
import java.security.Permissions;
-import java.security.Policy;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.util.Enumeration;
@@ -47,7 +46,6 @@
public class PermissionCache extends Object {
private static final Logger LOG = LogDomains.getLogger(PermissionCache.class, LogDomains.SECURITY_LOGGER, false);
- private static Policy policy = Policy.getPolicy();
private static AllPermission allPermission = new AllPermission();
private Permissions cache;
@@ -231,7 +229,6 @@ private boolean checkCache(Permission p, Epoch e) {
setPolicyContextID(this.pcID);
}
- pc = policy.getPermissions(this.codesource);
} catch (Exception ex) {
LOG.log(Level.SEVERE, "JACC: Unexpected security exception on access decision", ex);
return false;
diff --git a/appserver/security/core-ee/src/main/java/com/sun/enterprise/security/ee/authorize/cache/PermissionCacheFactory.java b/appserver/security/core-ee/src/main/java/com/sun/enterprise/security/ee/authorize/cache/PermissionCacheFactory.java
index 573cd7ab312..cd55764d402 100644
--- a/appserver/security/core-ee/src/main/java/com/sun/enterprise/security/ee/authorize/cache/PermissionCacheFactory.java
+++ b/appserver/security/core-ee/src/main/java/com/sun/enterprise/security/ee/authorize/cache/PermissionCacheFactory.java
@@ -16,11 +16,8 @@
package com.sun.enterprise.security.ee.authorize.cache;
-import com.sun.enterprise.security.ee.J2EESecurityManager;
-
import java.security.CodeSource;
import java.security.Permission;
-import java.security.Policy;
import java.util.Hashtable;
import java.util.Iterator;
@@ -41,16 +38,7 @@ public class PermissionCacheFactory {
private static PermissionCache securityManagerCache = createSecurityManagerCache();
static {
- try {
- // make a call to policy.refresh() to see if the provider
- // calls the supportsReuse callback (see resetCaches below).
- // which will set supportsReuse to true (to enable caching).
- Policy policy = Policy.getPolicy();
- if (policy != null) {
- policy.refresh();
- }
- } catch (Exception pe) {
- }
+
}
/**
@@ -164,13 +152,6 @@ public static synchronized void resetCaches() {
supportsReuse = true;
- java.lang.SecurityManager sm = System.getSecurityManager();
- if (sm != null && sm instanceof J2EESecurityManager) {
- if (!((J2EESecurityManager) sm).cacheEnabled()) {
- ((J2EESecurityManager) sm).enablePermissionCache(securityManagerCache);
- }
- }
-
Iterator iter = cacheMap.values().iterator();
while (iter.hasNext()) {
Object cache = iter.next();
diff --git a/appserver/security/core-ee/src/main/java/com/sun/enterprise/security/ee/perms/SMGlobalPolicyUtil.java b/appserver/security/core-ee/src/main/java/com/sun/enterprise/security/ee/perms/SMGlobalPolicyUtil.java
index f2bb9ea39b8..3ab41882000 100644
--- a/appserver/security/core-ee/src/main/java/com/sun/enterprise/security/ee/perms/SMGlobalPolicyUtil.java
+++ b/appserver/security/core-ee/src/main/java/com/sun/enterprise/security/ee/perms/SMGlobalPolicyUtil.java
@@ -19,24 +19,13 @@
import com.sun.logging.LogDomains;
-import java.io.File;
-import java.io.FileNotFoundException;
-import java.io.IOException;
-import java.net.URISyntaxException;
-import java.net.URL;
import java.security.AllPermission;
-import java.security.CodeSource;
-import java.security.NoSuchAlgorithmException;
import java.security.Permission;
import java.security.PermissionCollection;
-import java.security.Policy;
-import java.security.URIParameter;
-import java.security.cert.Certificate;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
-import java.util.logging.Level;
import java.util.logging.Logger;
import java.util.stream.Collectors;
import java.util.stream.Stream;
@@ -89,8 +78,6 @@ private enum PolicyType {
*/
public static final String SERVER_ALLOWED_FILE = "restrict.server.policy";
- protected static final String SYS_PROP_JAVA_SEC_POLICY = "java.security.policy";
-
/**
* Code source URL representing Ejb type
*/
@@ -126,8 +113,6 @@ private enum PolicyType {
private static boolean eeGrantedPolicyInitDone = false;
- protected static final String domainCfgFolder = getJavaPolicyFolder() + File.separator;
-
private static final AllPermission ALL_PERM = new AllPermission();
// JDK-8173082: JDK required permissions needed by applications using java.desktop module
@@ -180,142 +165,7 @@ public static PermissionCollection getCompRestrictedPerms(String type) {
}
private synchronized static void initDefPolicy() {
-
- try {
-
- if (logger.isLoggable(Level.FINE)) {
- logger.fine("defGrantedPolicyInitDone= " + eeGrantedPolicyInitDone);
- }
-
- if (eeGrantedPolicyInitDone) {
- return;
- }
-
- eeGrantedPolicyInitDone = true;
-
- loadServerPolicy(PolicyType.EEGranted);
-
- loadServerPolicy(PolicyType.EERestricted);
-
- loadServerPolicy(PolicyType.ServerAllowed);
-
- checkDomainRestrictionsForDefaultPermissions();
-
- } catch (FileNotFoundException e) {
- // ignore: the permissions files not exist
- } catch (IOException | NoSuchAlgorithmException | URISyntaxException e) {
- logger.warning(e.getMessage());
- throw new RuntimeException(e);
- }
- }
-
- private static String getJavaPolicyFolder() {
-
- String policyPath = System.getProperty(SYS_PROP_JAVA_SEC_POLICY);
-
- if (policyPath == null) {
- return null;
- }
-
- File pf = new File(policyPath);
-
- return pf.getParent();
- }
-
- private static void loadServerPolicy(PolicyType policyType) throws IOException, NoSuchAlgorithmException, URISyntaxException {
- if (policyType == null) {
- return;
- }
-
- if (logger.isLoggable(Level.FINE)) {
- logger.fine("PolicyType= " + policyType);
- }
-
- String policyFilename = null;
- Map policyMap = null;
-
- switch (policyType) {
- case EEGranted:
- policyFilename = domainCfgFolder + EE_GRANT_FILE;
- policyMap = compTypeToEEGarntsMap;
- break;
- case EERestricted:
- policyFilename = domainCfgFolder + EE_RESTRICTED_FILE;
- policyMap = compTypeToEERestrictedMap;
- break;
- case ServerAllowed:
- policyFilename = domainCfgFolder + SERVER_ALLOWED_FILE;
- policyMap = compTypeToServAllowedMap;
- break;
- }
-
- if (policyFilename == null || policyMap == null) {
- throw new IllegalArgumentException("Unrecognized policy type: " + policyType);
- }
-
- if (logger.isLoggable(Level.FINE)) {
- logger.fine("policyFilename= " + policyFilename);
- }
-
-
- File file = new File(policyFilename);
- if (!file.exists()) {
- return;
- }
-
- URL furl = file.toURI().toURL();
-
- if (logger.isLoggable(Level.FINE)) {
- logger.fine("Loading policy from " + furl);
- }
-
- Policy pf = Policy.getInstance("JavaPolicy", new URIParameter(furl.toURI()));
-
- CodeSource cs = new CodeSource(new URL(EJB_TYPE_CODESOURCE), (Certificate[]) null);
- PermissionCollection pc = pf.getPermissions(cs);
- policyMap.put(CommponentType.ejb, pc);
- if (logger.isLoggable(Level.FINE)) {
- logger.fine("Loaded EJB policy = " + pc);
- }
-
- cs = new CodeSource(new URL(WEB_TYPE_CODESOURCE), (Certificate[]) null);
- pc = pf.getPermissions(cs);
- policyMap.put(CommponentType.war, pc);
- if (logger.isLoggable(Level.FINE)) {
- logger.fine("Loaded WEB policy =" + pc);
- }
-
- cs = new CodeSource(new URL(RAR_TYPE_CODESOURCE), (Certificate[]) null);
- pc = pf.getPermissions(cs);
- policyMap.put(CommponentType.rar, pc);
- if (logger.isLoggable(Level.FINE)) {
- logger.fine("Loaded rar policy =" + pc);
- }
-
- cs = new CodeSource(new URL(CLIENT_TYPE_CODESOURCE), (Certificate[]) null);
- pc = pf.getPermissions(cs);
- policyMap.put(CommponentType.car, pc);
- if (logger.isLoggable(Level.FINE)) {
- logger.fine("Loaded car policy =" + pc);
- }
-
- cs = new CodeSource(new URL(EAR_TYPE_CODESOURCE), (Certificate[]) null);
- pc = pf.getPermissions(cs);
- policyMap.put(CommponentType.ear, pc);
- if (logger.isLoggable(Level.FINE)) {
- logger.fine("Loaded ear policy =" + pc);
- }
-
- }
-
- // this checks default permissions against restrictions
- private static void checkDomainRestrictionsForDefaultPermissions() throws SecurityException {
-
- checkEETypePermsAgainstServerRestiction(CommponentType.ejb);
- checkEETypePermsAgainstServerRestiction(CommponentType.war);
- checkEETypePermsAgainstServerRestiction(CommponentType.rar);
- checkEETypePermsAgainstServerRestiction(CommponentType.car);
- checkEETypePermsAgainstServerRestiction(CommponentType.ear);
+ System.out.println("Policy no longer supported");
}
private static void checkEETypePermsAgainstServerRestiction(CommponentType type) throws SecurityException {
diff --git a/appserver/security/core-ee/src/main/java/com/sun/enterprise/security/ee/web/integration/WebSecurityManager.java b/appserver/security/core-ee/src/main/java/com/sun/enterprise/security/ee/web/integration/WebSecurityManager.java
index f76ad6b5dd3..11f03921cf1 100644
--- a/appserver/security/core-ee/src/main/java/com/sun/enterprise/security/ee/web/integration/WebSecurityManager.java
+++ b/appserver/security/core-ee/src/main/java/com/sun/enterprise/security/ee/web/integration/WebSecurityManager.java
@@ -142,9 +142,6 @@ public class WebSecurityManager {
null);
authorizationService.setConstrainedUriRequestAttribute(CONSTRAINT_URI);
- authorizationService.setRequestSupplier(
- () -> (HttpServletRequest) webSecurityManagerFactory.pcHandlerImpl.getHandlerData().get(HTTP_SERVLET_REQUEST));
-
authorizationService.addConstraintsToPolicy(
getConstraintsFromBundle(webBundleDescriptor),
webBundleDescriptor.getRoles()
@@ -299,10 +296,6 @@ public void onLogin(HttpServletRequest httpServletRequest) {
setSecurityInfo(httpServletRequest);
}
- public void onLogout() {
- resetSecurityInfo();
- }
-
public boolean linkPolicy(String linkedContextId, boolean lastInService) {
return authorizationService.linkPolicy(linkedContextId, lastInService);
}
@@ -491,15 +484,7 @@ private SecurityContext getSecurityContext(Principal principal) {
* @param httpRequest
*/
private void setSecurityInfo(HttpServletRequest httpRequest) {
- if (httpRequest != null) {
- webSecurityManagerFactory.pcHandlerImpl.getHandlerData().setHttpServletRequest(httpRequest);
- }
- AuthorizationService.setThreadContextId(contextId);
- }
- private void resetSecurityInfo() {
- PolicyContextHandlerImpl.getInstance().reset();
- PolicyContext.setContextID(null);
}
/**
diff --git a/appserver/security/core-ee/src/main/java/com/sun/enterprise/security/ee/web/integration/WebSecurityManagerFactory.java b/appserver/security/core-ee/src/main/java/com/sun/enterprise/security/ee/web/integration/WebSecurityManagerFactory.java
index 6d680278587..8b891d76fec 100644
--- a/appserver/security/core-ee/src/main/java/com/sun/enterprise/security/ee/web/integration/WebSecurityManagerFactory.java
+++ b/appserver/security/core-ee/src/main/java/com/sun/enterprise/security/ee/web/integration/WebSecurityManagerFactory.java
@@ -49,7 +49,6 @@ public class WebSecurityManagerFactory extends SecurityManagerFactory {
private static Logger logger = LogUtils.getLogger();
private final WebSecurityDeployerProbeProvider probeProvider = new WebSecurityDeployerProbeProvider();
- final PolicyContextHandlerImpl pcHandlerImpl = PolicyContextHandlerImpl.getInstance();
private final Map adminPrincipals = new ConcurrentHashMap<>();
private final Map adminGroups = new ConcurrentHashMap<>();
diff --git a/appserver/security/core-ee/src/test/java/com/sun/enterprise/security/ee/perms/SMGlobalPolicyUtilTest.java b/appserver/security/core-ee/src/test/java/com/sun/enterprise/security/ee/perms/SMGlobalPolicyUtilTest.java
index 91d895c1f79..a5abc26fedb 100644
--- a/appserver/security/core-ee/src/test/java/com/sun/enterprise/security/ee/perms/SMGlobalPolicyUtilTest.java
+++ b/appserver/security/core-ee/src/test/java/com/sun/enterprise/security/ee/perms/SMGlobalPolicyUtilTest.java
@@ -19,28 +19,20 @@
import java.io.File;
import java.io.FilePermission;
-import java.net.MalformedURLException;
import java.net.URISyntaxException;
import java.net.URL;
import java.nio.file.Paths;
-import java.security.CodeSource;
-import java.security.NoSuchAlgorithmException;
import java.security.Permission;
import java.security.PermissionCollection;
-import java.security.Policy;
-import java.security.URIParameter;
-import java.security.cert.Certificate;
import java.util.Enumeration;
import org.junit.jupiter.api.BeforeAll;
import org.junit.jupiter.api.Test;
-import org.junit.jupiter.api.condition.EnabledForJreRange;
import static org.junit.jupiter.api.Assertions.assertEquals;
import static org.junit.jupiter.api.Assertions.assertNotNull;
import static org.junit.jupiter.api.Assertions.assertThrows;
import static org.junit.jupiter.api.Assertions.assertTrue;
-import static org.junit.jupiter.api.condition.JRE.JAVA_23;
public class SMGlobalPolicyUtilTest {
@@ -50,7 +42,6 @@ public class SMGlobalPolicyUtilTest {
public static void setUpBeforeClass() throws Exception {
String absolutePath = getFile(plfile).getAbsolutePath();
System.out.println("policy path = " + absolutePath);
- System.setProperty(SMGlobalPolicyUtil.SYS_PROP_JAVA_SEC_POLICY, absolutePath);
}
private static File getFile(final String fileName) throws URISyntaxException {
@@ -62,12 +53,12 @@ private static File getFile(final String fileName) throws URISyntaxException {
return file;
}
- @Test
- public void testSystemPolicyPath() {
- System.out.println("path= " + SMGlobalPolicyUtil.domainCfgFolder);
-
- assertNotNull(SMGlobalPolicyUtil.domainCfgFolder);
- }
+// @Test
+// public void testSystemPolicyPath() {
+// System.out.println("path= " + SMGlobalPolicyUtil.domainCfgFolder);
+//
+// assertNotNull(SMGlobalPolicyUtil.domainCfgFolder);
+// }
@Test
public void testTYpeConvert() {
@@ -96,61 +87,6 @@ public void testTYpeConvert() {
assertThrows(NullPointerException.class, () -> SMGlobalPolicyUtil.convertComponentType(null));
}
- @Test
- @EnabledForJreRange(max = JAVA_23)
- public void testPolicyLoading() throws NoSuchAlgorithmException, MalformedURLException, URISyntaxException {
- System.out.println("Starting testDefPolicy loading - ee");
-
- PermissionCollection defaultPC = Policy.getInstance("JavaPolicy",
- new URIParameter(SMGlobalPolicyUtilTest.class.getResource("nobody.policy").toURI()))
- .getPermissions(new CodeSource(new URL("file:/module/ALL"), (Certificate[]) null));
-
- int defaultCount = dumpPermissions("Grant", "ALL", defaultPC);
- assertEquals(4, defaultCount);
- PermissionCollection defEjbGrantededPC
- = SMGlobalPolicyUtil.getEECompGrantededPerms(SMGlobalPolicyUtil.CommponentType.ejb);
- int count = dumpPermissions("Grant", "Ejb", defEjbGrantededPC);
- assertEquals(5, count - defaultCount);
-
- PermissionCollection defWebGrantededPC
- = SMGlobalPolicyUtil.getEECompGrantededPerms(SMGlobalPolicyUtil.CommponentType.war);
- count = dumpPermissions("Grant", "Web", defWebGrantededPC);
- assertEquals(6, count - defaultCount);
-
- PermissionCollection defRarGrantededPC
- = SMGlobalPolicyUtil.getEECompGrantededPerms(SMGlobalPolicyUtil.CommponentType.rar);
- count = dumpPermissions("Grant", "Rar", defRarGrantededPC);
- assertEquals(5, count - defaultCount);
-
- PermissionCollection defClientGrantededPC
- = SMGlobalPolicyUtil.getEECompGrantededPerms(SMGlobalPolicyUtil.CommponentType.car);
- count = dumpPermissions("Grant", "Client", defClientGrantededPC);
- assertEquals(10, count - defaultCount);
-
- System.out.println("Starting testDefPolicy loading - ee restrict");
-
- PermissionCollection defEjbRestrictedPC
- = SMGlobalPolicyUtil.getCompRestrictedPerms(SMGlobalPolicyUtil.CommponentType.ejb);
- count = dumpPermissions("Restricted", "Ejb", defEjbRestrictedPC);
- assertEquals(2, count - defaultCount);
-
- PermissionCollection defWebRestrictedPC
- = SMGlobalPolicyUtil.getCompRestrictedPerms(SMGlobalPolicyUtil.CommponentType.war);
- count = dumpPermissions("Restricted", "Web", defWebRestrictedPC);
- assertEquals(2, count - defaultCount);
-
- PermissionCollection defRarRestrictedPC
- = SMGlobalPolicyUtil.getCompRestrictedPerms(SMGlobalPolicyUtil.CommponentType.rar);
- count = dumpPermissions("Restricted", "Rar", defRarRestrictedPC);
- assertEquals(1, count - defaultCount);
-
- PermissionCollection defClientRestrictedPC
- = SMGlobalPolicyUtil.getCompRestrictedPerms(SMGlobalPolicyUtil.CommponentType.car);
- count = dumpPermissions("Restricted", "Client", defClientRestrictedPC);
- assertEquals(2, count - defaultCount);
-
- }
-
@Test
public void testFilePermission() {
System.out.println("Starting testFilePermission");
diff --git a/appserver/security/ejb.security/src/main/java/com/sun/enterprise/iiop/security/SecurityContextUtil.java b/appserver/security/ejb.security/src/main/java/com/sun/enterprise/iiop/security/SecurityContextUtil.java
index b0d08d41299..24bcf3254f3 100644
--- a/appserver/security/ejb.security/src/main/java/com/sun/enterprise/iiop/security/SecurityContextUtil.java
+++ b/appserver/security/ejb.security/src/main/java/com/sun/enterprise/iiop/security/SecurityContextUtil.java
@@ -30,7 +30,6 @@
import java.net.Socket;
import java.security.AccessController;
import java.security.CodeSource;
-import java.security.Policy;
import java.security.Principal;
import java.security.PrivilegedAction;
import java.security.ProtectionDomain;
@@ -64,7 +63,6 @@ public class SecurityContextUtil implements PostConstruct {
private static final String IS_A = "_is_a";
- private Policy policy;
@Inject
private GlassFishORBHelper orbHelper;
@@ -78,13 +76,6 @@ public SecurityContextUtil() {
@Override
public void postConstruct() {
- AccessController.doPrivileged(new PrivilegedAction