Java Security Manager

The Java Security Manager can be used with DataNucleus to provide a permission-based security platform for sensitive applications.

To use the Security Manager, specify the java.security.manager and java.security.policy arguments when starting the JVM. e.g.

java -Djava.security.manager -Djava.security.policy==/etc/apps/security/security.policy ...

Note that when you use -Djava.security.policy==... (double equals sign) you override the default JVM security policy files, so the named file becomes the only policy in effect, while if you use -Djava.security.policy=... (single equals sign), the named file is appended to the default policy files and both apply.

The following is a sample security policy file to be used with DataNucleus.


grant codeBase "file:${/}jdo2-api-2.0.jar" {

    // Grants for the JDO API jar only. The jar needs the locale/timezone
    // properties below because TimeZone initialisation reads them.
    // Only "user.timezone" is granted "write"; presumably because the default
    // zone is cached back into that property -- TODO confirm, and keep the
    // write scope limited to this one property.
    permission java.util.PropertyPermission "user.country", "read";
    permission java.util.PropertyPermission "user.variant", "read";
    permission java.util.PropertyPermission "user.timezone", "read,write";
    permission java.util.PropertyPermission "java.home", "read";
};
grant codeBase "file:${/}datanucleus*.jar" {
    // NOTE(review): standard policy-file syntax documents only "/*" (all files
    // in a directory) and "/-" (recursive) as codeBase wildcards; confirm the
    // partial-name pattern "datanucleus*.jar" is honoured by the target JVM,
    // otherwise none of these grants will match and the jar gets no permissions.

    //jdo: let DataNucleus read JDO metadata and act as the JDO StateManager
    permission javax.jdo.spi.JDOPermission "getMetadata";
    permission javax.jdo.spi.JDOPermission "setStateManager";
	
    //DataNucleus needs to get classloader of classes
    permission java.lang.RuntimePermission "getClassLoader";
	
    //DataNucleus needs to detect the java and os version
    permission java.util.PropertyPermission "java.version", "read";
    permission java.util.PropertyPermission "os.name", "read";

    //DataNucleus reads these system properties (wildcard: every property under
    // the "datanucleus." and "javax.jdo." prefixes, read-only)
    permission java.util.PropertyPermission "datanucleus.*", "read";	
    permission java.util.PropertyPermission "javax.jdo.*", "read";	
	
    //DataNucleus runtime enhancement (needs read access to all jars/classes in classpath, 
    // so use <<ALL FILES>> to facilitate config).
    // "createClassLoader" lets this codeBase define new classes, and
    // <<ALL FILES>> "read" is read access to the ENTIRE filesystem, not just the
    // classpath. If the deployment layout is known, prefer a narrower target such
    // as the classpath directories (e.g. "${user.dir}${/}-" as used below).
    permission java.lang.RuntimePermission "createClassLoader";
    permission java.io.FilePermission "<<ALL FILES>>", "read";
	
    //DataNucleus needs to read manifest files (read permission to location of MANIFEST.MF files) 
    // NOTE(review): the two lines below are subsumed by the <<ALL FILES>> grant
    // above (the second one is an exact duplicate of it); either drop them, or
    // drop <<ALL FILES>> and keep the "${user.dir}${/}-" grant as the narrower rule.
    permission java.io.FilePermission "${user.dir}${/}-", "read";
    permission java.io.FilePermission "<<ALL FILES>>", "read";
	
    //DataNucleus uses reflection!!!
    // "suppressAccessChecks" allows reflection to bypass Java language access
    // control (setAccessible on non-public members) and "accessDeclaredMembers"
    // exposes those members; together they make this codeBase fully trusted
    // with respect to application classes, so only grant them to a jar whose
    // provenance is verified.
    permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
    permission java.lang.RuntimePermission "accessDeclaredMembers";
};

grant codeBase "file:${/}datanucleus-hbase*.jar" {

    //HBASE does not run in a doPrivileged, so we do...
    // (the HBase client library does not wrap its socket calls in
    // AccessController.doPrivileged, so DataNucleus does, and the permission
    // therefore has to be granted to this jar rather than to the HBase jars).
    // NOTE(review): host "*" with no port means connect/resolve to ANY host on
    // ANY port. Narrow it to the HBase/ZooKeeper endpoints actually used, e.g.
    // "<hbase-host>:<port>" (placeholder -- fill in the deployment's hosts).
    permission java.net.SocketPermission "*", "connect,resolve";
};