In ISP environments, it's important that each user have restricted permissions to use the server. Normally, the web server will be run as a non-root user so the users can't read system files, but that user will still have read access. The use of RMI also requires a security manager. Don't use a security manager if you're not in an ISP environment or using RMI. There's no need for it and the security manager does slow the server down somewhat.
Adding a Java security manager puts each web-app into a "sandbox" where Java limits the things that can be done from code within the web-app. The security manager is enabled by adding a <security-manager> tag in the resin.conf.
The security manager determines a policy that applies to the current virtual machine. The security manager is controlled by policy files. The simplest way to change the policy is to change one of the default policy files. There are two default policy files that are used by the JDK.
An additional policy file can be set using the java.security.policy system property at the command line:
The resulting policy for the virtual machine is the union of all granted permissions in all policy files.
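Because of this union rule, a broad grant in any one policy file applies no matter how tight the others are. The following added example, which is not from the Resin documentation, merges the grants from several policy files and flags the ones that undo per-user isolation. The sample policy text, paths and host names are constructed, and the parser assumes only `grant` entries with an optional `codeBase` (no `signedBy` or `principal` clauses).

```python
import re

# Constructed sample policy files (paths and hosts are made up, not from Resin's docs).
DEFAULT_POLICY = '''
// applies to all code because no codeBase is given
grant {
    permission java.util.PropertyPermission "java.version", "read";
};
'''
EXTRA_POLICY = '''
grant codeBase "file:/home/alice/webapps/shop/-" {
    permission java.net.SocketPermission "db.example.com:5432", "connect";
};
grant codeBase "file:/home/bob/webapps/blog/-" {
    permission java.security.AllPermission;
};
grant {
    permission java.io.FilePermission "<<ALL FILES>>", "read";
};
'''

GRANT_RE = re.compile(r'grant\s*(?:codeBase\s+"([^"]*)"\s*)?\{(.*?)\}\s*;', re.S)
PERM_RE = re.compile(r'permission\s+([\w.$]+)(?:\s+"([^"]*)")?(?:\s*,\s*"([^"]*)")?\s*;')

def effective_policy(*policy_texts):
    """Union of all grants: {codeBase or None (= all code): {(class, target, actions)}}."""
    policy = {}
    for text in policy_texts:
        text = re.sub(r'(?m)^\s*//.*$', '', text)  # drop whole-line comments
        for codebase, body in GRANT_RE.findall(text):
            policy.setdefault(codebase or None, set()).update(PERM_RE.findall(body))
    return policy

def risky_grants(policy):
    """Flag grants that defeat per-user isolation on a shared host."""
    found = []
    for codebase, perms in policy.items():
        scope = codebase or "ALL CODE"
        for cls, target, actions in sorted(perms):
            if cls == "java.security.AllPermission":
                found.append((scope, "AllPermission: no sandbox for this code"))
            elif cls == "java.io.FilePermission" and target == "<<ALL FILES>>":
                found.append((scope, "FilePermission <<ALL FILES>> (%s)" % actions))
    return found

if __name__ == "__main__":
    for scope, why in risky_grants(effective_policy(DEFAULT_POLICY, EXTRA_POLICY)):
        print(scope, "->", why)
```

A grant with no `codeBase` is reported as `ALL CODE` because it applies to every web-app on the server, which is the case to review first on a shared host.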
A useful resource is Sun's documentation about security; in particular, the policy permissions and policy file syntax files are useful.
Each web-app automatically has permissions to read, write and delete any file under the web-app's directory, including WEB-INF. It also has read permission for the classpath, including <classpath> from the <host> and <server> contexts.