Refactored out the policy files and their usages

appserver/admin/admin-core/src/test/resources/UpgradeTest.xml

@@ -198,7 +198,6 @@
         <jvm-options>-XX:+UnlockDiagnosticVMOptions</jvm-options>
         <jvm-options>-XX:+LogVMOutput</jvm-options>
         <jvm-options>-XX:LogFile=${com.sun.aas.instanceRoot}/logs/jvm.log</jvm-options>
-        <jvm-options>-Djava.security.policy=${com.sun.aas.instanceRoot}/config/server.policy</jvm-options>
         <jvm-options>-Djava.security.auth.login.config=${com.sun.aas.instanceRoot}/config/login.conf</jvm-options>
         <jvm-options>-Xmx512m</jvm-options>
         <jvm-options>-Djavax.net.ssl.keyStore=${com.sun.aas.instanceRoot}/config/keystore.p12</jvm-options>

appserver/admin/template/src/main/resources/config/domain.xml

@@ -166,7 +166,6 @@
         <jvm-options>-Djavax.xml.accessExternalSchema=all</jvm-options>
         <jvm-options>-Djavax.management.builder.initial=com.sun.enterprise.v3.admin.AppServerMBeanServerBuilder</jvm-options>
         <jvm-options>-XX:+UnlockDiagnosticVMOptions</jvm-options>
-        <jvm-options>-Djava.security.policy=${com.sun.aas.instanceRoot}/config/server.policy</jvm-options>
         <jvm-options>-Djava.security.auth.login.config=${com.sun.aas.instanceRoot}/config/login.conf</jvm-options>
         <jvm-options>-Dcom.sun.enterprise.security.httpsOutboundKeyAlias=s1as</jvm-options>
         <jvm-options>-Xmx512m</jvm-options>
@@ -368,7 +367,6 @@
              <jvm-options>-Djdk.tls.rejectClientInitiatedRenegotiation=true</jvm-options>
              <jvm-options>-Djdk.xml.totalEntitySizeLimit=50000000</jvm-options>
              <jvm-options>-XX:+UnlockDiagnosticVMOptions</jvm-options>
-             <jvm-options>-Djava.security.policy=${com.sun.aas.instanceRoot}/config/server.policy</jvm-options>
              <jvm-options>-Djava.security.auth.login.config=${com.sun.aas.instanceRoot}/config/login.conf</jvm-options>
              <jvm-options>-Dcom.sun.enterprise.security.httpsOutboundKeyAlias=s1as</jvm-options>
              <jvm-options>-Djavax.net.ssl.keyStore=${com.sun.aas.instanceRoot}/config/keystore.p12</jvm-options>

appserver/admingui/common/src/main/java/org/glassfish/admingui/common/handlers/SecurityHandler.java

@@ -736,84 +736,4 @@ else if (providerMap.get("providerType").equals("client-server")) {
         }
     }
 
-
-    @Handler(id="saveSecurityManagerValue",
-         input={
-            @HandlerInput(name="configName", type=String.class),
-            @HandlerInput(name="value", type=String.class, required=true)
-     })
-     public static void saveSecurityManagerValue(HandlerContext handlerCtx){
-        try {
-            String configName = (String) handlerCtx.getInputValue("configName");
-            if (GuiUtil.isEmpty(configName))
-                configName = "server-config";
-            String endpoint = GuiUtil.getSessionValue("REST_URL") +
-                    "/configs/config/" + configName + "/java-config/jvm-options.json";
-            ArrayList<String> list;
-            Map result = (HashMap) RestUtil.restRequest(endpoint, null, "GET", null, false).get("data");
-            list = (ArrayList<String>) ((Map<String, Object>) result.get("extraProperties")).get("leafList");
-            if (list == null)
-                list = new ArrayList<String>();
-            Boolean status = isSecurityManagerEnabled(list);
-            String value= (String) handlerCtx.getInputValue("value");
-            Boolean userValue = Boolean.valueOf(value);
-            if (status.equals(userValue)){
-                //no need to change
-                return;
-            }
-
-            ArrayList<String> newOptions = new ArrayList();
-            Object [] origOptions = list.toArray();
-            if (userValue){
-                for(int i=0; i<origOptions.length; i++){
-                    newOptions.add((String)origOptions[i]);
-                }
-                newOptions.add(JVM_OPTION_SECURITY_MANAGER);
-            } else{
-                for(int i=0; i<origOptions.length; i++){
-                    String str = (String) origOptions[i];
-                    if (! (str.trim().equals(JVM_OPTION_SECURITY_MANAGER) ||
-                            str.trim().startsWith(JVM_OPTION_SECURITY_MANAGER_WITH_EQUAL))){
-                       newOptions.add((String)origOptions[i]);
-                    }
-                }
-            }
-            Map<String, Object> payload = new HashMap<String, Object>();
-            payload.put("target", configName);
-            for (String option : newOptions) {
-                String option1 = UtilHandlers.escapePropertyValue(option);
-                ArrayList kv = InstanceHandler.getKeyValuePair(option1);
-                payload.put((String)kv.get(0), kv.get(1));
-            }
-            RestUtil.restRequest(endpoint, payload, "POST", handlerCtx, false);
-        }catch(Exception ex){
-            GuiUtil.handleException(handlerCtx, ex);
-        }
-    }
-
-    @Handler(id="getSecurityManagerValue",
-        input={
-            @HandlerInput(name="endpoint", type=String.class),
-            @HandlerInput(name="attrs", type=Map.class, required=false)},
-       output={
-           @HandlerOutput(name="value", type=String.class)}
-    )
-    public static void getSecurityManagerValue(HandlerContext handlerCtx){
-        ArrayList<String> list = InstanceHandler.getJvmOptions(handlerCtx);
-        handlerCtx.setOutputValue("value",  isSecurityManagerEnabled(list).toString());
-    }
-
-    private static Boolean isSecurityManagerEnabled(List<String> jvmOptions){
-        for(String jvmOption : jvmOptions){
-            if (jvmOption.trim().equals(JVM_OPTION_SECURITY_MANAGER) ||
-                    jvmOption.trim().startsWith(JVM_OPTION_SECURITY_MANAGER_WITH_EQUAL)){
-                return Boolean.TRUE;
-            }
-        }
-        return Boolean.FALSE;
-    }
-
-    private static final String JVM_OPTION_SECURITY_MANAGER = "-Djava.security.manager";
-    private static final String JVM_OPTION_SECURITY_MANAGER_WITH_EQUAL = "-Djava.security.manager=";
-
 }

appserver/appclient/client/acc-standalone/src/main/java/org/glassfish/appclient/client/acc/agent/CLIBootstrap.java

@@ -77,8 +77,6 @@ public class CLIBootstrap {
 
     static final String ENV_VAR_PROP_PREFIX = "acc.";
 
-
-    private final static String SECURITY_POLICY_PROPERTY_EXPR = "-Djava.security.policy=";
     private final static String SECURITY_AUTH_LOGIN_CONFIG_PROPERTY_EXPR = "-Djava.security.auth.login.config=";
     private final static String SYSPROP_SYSTEM_CLASS_LOADER = "-Djava.system.class.loader=";
 
@@ -293,7 +291,6 @@ private void addProperties(final StringBuilder command) {
         command.append(' ').append(SYSPROP_SYSTEM_CLASS_LOADER).append("org.glassfish.appclient.client.acc.agent.ACCAgentClassLoader");
         command.append(' ').append("-D").append(INSTALL_ROOT.getSystemPropertyName()).append('=').append(quote(gfInfo.home().getAbsolutePath()));
         command.append(' ').append("-Dorg.glassfish.gmbal.no.multipleUpperBoundsException=true");
-        command.append(' ').append(SECURITY_POLICY_PROPERTY_EXPR).append(quote(gfInfo.securityPolicy().getAbsolutePath()));
         command.append(' ').append(SECURITY_AUTH_LOGIN_CONFIG_PROPERTY_EXPR).append(quote(gfInfo.loginConfig().toExternalForm()));
     }
 

appserver/appclient/client/acc/src/main/java/org/glassfish/appclient/client/JWSAppClientContainerMain.java

@@ -93,8 +93,6 @@ public static void main(String[] args) {
             processJWSArgs();
 
             final String agentArgsText = System.getProperty("agent.args");
-            LaunchSecurityHelper.setPermissions();
-
             // Prevent the Java Web Start class loader from delegating to its parent when resolving
             // classes and resources that should come from the GlassFish-provided endorsed JARs.
             insertMaskingLoader();

appserver/appclient/client/acc/src/main/java/org/glassfish/appclient/client/jws/boot/JWSACCMain.java

@@ -29,17 +29,13 @@
 import java.lang.reflect.Constructor;
 import java.lang.reflect.InvocationTargetException;
 import java.net.MalformedURLException;
-import java.net.URI;
 import java.net.URISyntaxException;
 import java.net.URL;
-import java.security.Policy;
-import java.text.MessageFormat;
 import java.util.ResourceBundle;
 import java.util.Vector;
 
 import javax.swing.SwingUtilities;
 
-import org.glassfish.appclient.client.acc.AppClientContainer;
 import org.glassfish.appclient.client.acc.JWSACCClassLoader;
 
 import static org.glassfish.main.jdke.props.SystemProperties.setProperty;
@@ -62,9 +58,6 @@
  */
 public class JWSACCMain implements Runnable {
 
-    /** name of the permissions template */
-    private static final String PERMISSIONS_TEMPLATE_NAME = "jwsclient.policy";
-
     /** placeholder used in the policy template to substitute dynamically-generated grant clauses */
     private static final String GRANT_CLAUSES_PROPERTY_EXPR = "${grant.clauses}";
 
@@ -79,11 +72,6 @@ public class JWSACCMain implements Runnable {
 
     private static final String JWSACC_RUN_ON_SWING_THREAD = "RunOnSwingThread";
 
-    /** grant clause template for dynamically populating the policy */
-    private static final String GRANT_CLAUSE_TEMPLATE = "grant codeBase \"{0}\" '{'\n" +
-    "    permission java.security.AllPermission;\n" +
-        "'}';";
-
     /**
      * request to exit the JVM upon return from the client - should be set (via
      * the -jwsacc command-line argument value) only for
@@ -138,12 +126,6 @@ public static void main(String[] args) {
                 throw new IllegalArgumentException(rb.getString("jwsacc.errorLocJARs"), thr);
             }
 
-            /*
-             *Before creating the new instance of the real ACC main, set permissions
-             *so ACC and the user's app client can function properly.
-             */
-            setPermissions();
-
             /*
              *Make sure that the main ACC class is instantiated and run in the
              *same thread.  Java Web Start may not normally do so.
@@ -274,37 +256,6 @@ private static void processJWSArgs(Vector<String> args) {
         }
     }
 
-    private static void setPermissions() {
-        try {
-            /*
-             */
-            String permissionsTemplate = loadResource(JWSACCMain.class, PERMISSIONS_TEMPLATE_NAME);
-
-            /*
-             *Prepare the grant clauses for the downloaded jars and substitute
-             *those clauses into the policy template.
-             */
-            StringBuilder grantClauses = new StringBuilder();
-
-            for (URL url : downloadedJarURLs) {
-                grantClauses.append(MessageFormat.format(GRANT_CLAUSE_TEMPLATE, url.toExternalForm()));
-            }
-
-            for (URL url : persistenceJarURLs) {
-                grantClauses.append(MessageFormat.format(GRANT_CLAUSE_TEMPLATE, url.toExternalForm()));
-            }
-
-            String substitutedPermissionsTemplate = permissionsTemplate.replace(GRANT_CLAUSES_PROPERTY_EXPR, grantClauses.toString());
-            boolean retainTempFiles = Boolean.getBoolean(AppClientContainer.APPCLIENT_RETAIN_TEMP_FILES_PROPERTYNAME);
-            File policyFile = writeTextToTempFile(substitutedPermissionsTemplate, "jwsacc", ".policy", retainTempFiles);
-
-            refreshPolicy(policyFile);
-
-        } catch (IOException ioe) {
-            throw new RuntimeException("Error loading permissions template", ioe);
-        }
-    }
-
     /**
      *Locates the first free policy.url.x setting.
      *@return the int value for the first unused policy setting
@@ -324,13 +275,6 @@ public static int firstFreePolicyIndex() {
      *as additional policy.
      *@param policyFile the file containing additional policy
      */
-    public static void refreshPolicy(File policyFile) {
-        int idx = firstFreePolicyIndex();
-        URI policyFileURI = policyFile.toURI();
-        java.security.Security.setProperty("policy.url." + idx, policyFileURI.toASCIIString());
-        Policy p = Policy.getPolicy();
-        p.refresh();
-    }
 
     /**
      *The methods below are duplicates from the com.sun.enterprise.appclient.jws.Util class.

appserver/appclient/client/acc/src/main/java/org/glassfish/appclient/client/jws/boot/LaunchSecurityHelper.java

@@ -21,8 +21,6 @@
 import java.io.IOException;
 import java.io.InputStream;
 import java.io.InputStreamReader;
-import java.net.URI;
-import java.security.Policy;
 
 import org.glassfish.appclient.client.acc.AppClientContainer;
 import org.glassfish.appclient.client.acc.Util;
@@ -37,25 +35,6 @@ public class LaunchSecurityHelper {
     private static final String SYSTEM_CODEBASE_PROPERTY = "appclient.system.codebase";
     private static final int BUFFER_SIZE = 1024;
 
-    public static void setPermissions() {
-        try {
-            /*
-             * Get the permissions template and write it to a temporary file.
-             */
-            final String permissionsTemplate = loadResource(LaunchSecurityHelper.class, PERMISSIONS_TEMPLATE_NAME);
-
-            /*
-             * The Java security logic will process property references in
-             * the policy file template automatically.
-             */
-            boolean retainTempFiles = Boolean.getBoolean(AppClientContainer.APPCLIENT_RETAIN_TEMP_FILES_PROPERTYNAME);
-            File policyFile = Util.writeTextToTempFile(permissionsTemplate, "jwsacc", ".policy", retainTempFiles);
-            refreshPolicy(policyFile);
-
-        } catch (IOException ioe) {
-            throw new RuntimeException("Error loading permissions template", ioe);
-        }
-    }
 
     /**
      * Retrieves a resource as a String.
@@ -115,11 +94,5 @@ private static int firstFreePolicyIndex() {
      * as additional policy.
      * @param policyFile the file containing additional policy
      */
-    private static void refreshPolicy(File policyFile) {
-        int idx = firstFreePolicyIndex();
-        URI policyFileURI = policyFile.toURI();
-        java.security.Security.setProperty("policy.url." + idx, policyFileURI.toASCIIString());
-        Policy p = Policy.getPolicy();
-        p.refresh();
-    }
+
 }

appserver/appclient/client/acc/src/main/java/org/glassfish/appclient/common/ClientClassLoaderDelegate.java

@@ -33,31 +33,6 @@ public class ClientClassLoaderDelegate {
 
     public ClientClassLoaderDelegate(URLClassLoader cl) {
         this.cl = cl;
-        loadPemissions();
-    }
-
-    private void loadPemissions() {
-        try {
-            processDeclaredPermissions();
-        } catch (IOException e) {
-            throw new RuntimeException(e);
-        }
-    }
-
-    private void processDeclaredPermissions() throws IOException {
-        if (System.getSecurityManager() == null) {
-            return;
-        }
-
-        PermissionCollection declaredPermissionCollection = PermissionsUtil.getClientDeclaredPermissions(cl);
-
-        PermissionCollection eePc = PermissionsUtil.getClientEEPolicy(cl);
-        PermissionCollection eeRestriction = PermissionsUtil.getClientRestrictPolicy(cl);
-
-        SMGlobalPolicyUtil.checkRestriction(eePc, eeRestriction);
-        SMGlobalPolicyUtil.checkRestriction(declaredPermissionCollection, eeRestriction);
-
-        permHolder = new PermsHolder(eePc, declaredPermissionCollection, eeRestriction);
     }
 
     public PermissionCollection getCachedPerms(CodeSource codesource) {