users@glassfish.java.net

Re: per-application policy file not working

From: Mathijs Kwik <bluescreen303_at_gmail.com>
Date: Thu, 7 Jan 2010 19:48:49 +0100

I will file a bug report, thanks for reminding me :)

Still looking for a way to get .war-based apps to set up their policy
during deployment though (see my last message)



On Thu, Jan 7, 2010 at 6:46 PM, Vivek Pandey <Vivek.Pandey_at_sun.com> wrote:
>
> Mathijs Kwik wrote:
>>
>> Ok, switched to jruby from glassfish's update tool.
>>
>> Same behaviour.
>>
>>
>
> jruby is installed inside glassfishv3/glassfish directory using updatetool
> or is installed somewhere else on the filesystem - it's the same thing. Your
> Rails application runs in exactly the same way and in the same JVM as
> glassfish.
>
>> So probably the new "directory deployment" is not suitable for
>> per-application policy.
>>
>>
>
> Right. Please file an issue ticket.
>
>> Will check warbler now to deploy inside glassfish itself.
>> This is a bit of a step backwards, since I will lose stuff like
>> migrations and local file storage which I will need to work around :(
>>
>>
>
> For now use warbler to package your app as WAR file and per-app security
> policy should work.
>
> -vivek.
>>
>> will keep you informed
>>
>> 2010/1/7 Felipe Gaúcho <fgaucho_at_gmail.com>:
>>
>>>
>>> no, you don't.. but since your application is a ruby application not
>>> deployed in GF, but running from outside.. this should be the
>>> problem..
>>>
>>> can you try to pack and deploy the application in Glassfish ? using
>>> the GF ruby instead of an external one ?
>>>
>>> - did you use the "update tool" for installing Ruby support in GF ?
>>> (localhost:4848)
>>>
>>> On Thu, Jan 7, 2010 at 2:53 PM, Mathijs Kwik <bluescreen303_at_gmail.com>
>>> wrote:
>>>
>>>>
>>>> http://docs.sun.com/app/docs/doc/820-7695/beabz?a=view tells me
>>>> there's also domains/domain1/generated/policy/application/granted.policy
>>>> So that is what I'm after.
>>>> Just trying to figure out why it doesn't work. I guess I need to
>>>> enable this functionality somehow.
>>>>
>>>> 2010/1/7 Felipe Gaúcho <fgaucho_at_gmail.com>:
>>>>
>>>>>
>>>>> there are two places you can configure that:
>>>>>
>>>>> the main server.policy
>>>>> in the JVM security policy file..
>>>>>
>>>>> in either case you need to restart the GF ..
>>>>>
>>>>> On Thu, Jan 7, 2010 at 2:47 PM, Mathijs Kwik <bluescreen303_at_gmail.com>
>>>>> wrote:
>>>>>
>>>>>>
>>>>>> thanks, but I don't quite understand yet.
>>>>>>
>>>>>> where should I put this?
>>>>>> I don't want to put this in the main server.policy file for 2 reasons:
>>>>>> - I would need to restart the domain for it to take effect, causing
>>>>>> other apps to be down for a few seconds.
>>>>>> - I think the codebase "file:..." won't work for jruby apps, since
>>>>>> (from glassfish's perspective) the running code is in "/opt/jruby"
>>>>>> (interpreter itself) and not in '/srv/myapp' (where the ruby script
>>>>>> files are)
>>>>>>
>>>>>> So I really want to use the per-application granted.policy solution
>>>>>> somehow
>>>>>>
>>>>>> Thanks
>>>>>> Mathijs
>>>>>>
>>>>>>
>>>>>>
>>>>>> 2010/1/7 Felipe Gaúcho <fgaucho_at_gmail.com>:
>>>>>>
>>>>>>>
>>>>>>> like
>>>>>>>
>>>>>>> grant codeBase "file:~/your/folder/app/-" {
>>>>>>> ...
>>>>>>> }
>>>>>>>
>>>>>>> 2010/1/7 Felipe Gaúcho <fgaucho_at_gmail.com>:
>>>>>>>
>>>>>>>>
>>>>>>>> you can point the rule directly to the application folder, doesn't
>>>>>>>> matter if it is in a domain folder or not.....
>>>>>>>>
>>>>>>>> On Thu, Jan 7, 2010 at 2:33 PM, Mathijs Kwik
>>>>>>>> <bluescreen303_at_gmail.com> wrote:
>>>>>>>>
>>>>>>>>>
>>>>>>>>> Hi all,
>>>>>>>>>
>>>>>>>>> I would like to grant some applications more permissions than
>>>>>>>>> others.
>>>>>>>>> As described here
>>>>>>>>> http://docs.sun.com/app/docs/doc/820-7695/beabz?a=view , this is
>>>>>>>>> possible without creating a domain per application.
>>>>>>>>>
>>>>>>>>> I checked domains/domain1/generated/policy but there's no directory
>>>>>>>>> for my app there.
>>>>>>>>> I created it and created a granted.policy file in there containing:
>>>>>>>>> grant {
>>>>>>>>>   permission java.security.AllPermission;
>>>>>>>>> };
>>>>>>>>> just to check if my app will now be able to access stuff that I
>>>>>>>>> made
>>>>>>>>> inaccessible in server.policy
>>>>>>>>>
>>>>>>>>> Nothing happens.
>>>>>>>>> Not after restarting domain/redeploying either.
>>>>>>>>>
>>>>>>>>> Is there anything I need to enable to have per-app policy files?
>>>>>>>>>
>>>>>>>>> My app was deployed using directory deployment (jruby container),
>>>>>>>>> maybe that influences stuff, since there's no directory for it in
>>>>>>>>> domains/domain1/applications either.
>>>>>>>>>
>>>>>>>>> Thanks for any help.
>>>>>>>>> Mathijs
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> ---------------------------------------------------------------------
>>>>>>>>> To unsubscribe, e-mail: users-unsubscribe_at_glassfish.dev.java.net
>>>>>>>>> For additional commands, e-mail: users-help_at_glassfish.dev.java.net
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>
>>>>>>>> --
>>>>>>>> ------------------------------------------
>>>>>>>>  Felipe Gaúcho
>>>>>>>>  10+ Java Programmer
>>>>>>>>  CEJUG Senior Advisor
>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>
>>>>>
>>>>
>>>
>>
>
>
>
>
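
Added example, not part of the original thread: a small diagnostic for the question discussed above, namely which codeBase the policy sees for the running code and whether a grant (server.policy or a per-application granted.policy) actually reaches it. The class name PolicyProbe and its helpers are hypothetical; it assumes a JVM where java.security.Policy is in effect, and uses /srv/myapp from the thread only as a sample path.

```java
import java.io.FilePermission;
import java.security.AllPermission;
import java.security.CodeSource;
import java.security.Permission;
import java.security.Policy;
import java.security.ProtectionDomain;

/** Reports the codeBase the policy sees for a class and what that domain is granted. */
public class PolicyProbe {

    /** Location matched against "grant codeBase" entries; null if the class has no code source. */
    static String codeBaseOf(Class<?> c) {
        ProtectionDomain pd = c.getProtectionDomain(); // needs RuntimePermission "getProtectionDomain"
        CodeSource cs = (pd == null) ? null : pd.getCodeSource();
        return (cs == null || cs.getLocation() == null) ? null : cs.getLocation().toString();
    }

    /** Asks the installed Policy whether the class's protection domain holds the permission. */
    static boolean granted(Class<?> c, Permission p) {
        // needs SecurityPermission "getPolicy" when a security manager is active
        return Policy.getPolicy().implies(c.getProtectionDomain(), p);
    }

    /** Builds a short report; call it from inside the deployed application. */
    static String report(Class<?> c, String path) {
        StringBuilder sb = new StringBuilder();
        sb.append("class:            ").append(c.getName()).append('\n');
        sb.append("security manager: ").append(System.getSecurityManager() != null).append('\n');
        sb.append("codeBase:         ").append(codeBaseOf(c)).append('\n');
        sb.append("AllPermission:    ").append(granted(c, new AllPermission())).append('\n');
        sb.append("read ").append(path).append(": ")
          .append(granted(c, new FilePermission(path, "read"))).append('\n');
        return sb.toString();
    }

    public static void main(String[] args) throws Exception {
        // Both arguments are placeholders: a class name from the application and a path to test.
        Class<?> target = args.length > 0 ? Class.forName(args[0]) : PolicyProbe.class;
        String path = args.length > 1 ? args[1] : "/srv/myapp/-";
        System.out.print(report(target, path));
    }
}
```

If AllPermission still reports true after the test grant is removed, the domain is getting it from another policy entry; once the check is done, replace the blanket grant with the specific permissions the application needs.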