users@glassfish.java.net

Re: restarting an application from asadmin (or enabling a security policy _on_ deployment)

From: <Ronald.Monzillo_at_Sun.COM>
Date: Mon, 11 Jan 2010 14:51:04 -0500

On 01/08/10 09:44, Hong Zhang wrote:
> Hi, Mathijs
> No, currently there is no asadmin command for restarting
> application. But you can use the equivalent: "asadmin disable" +
> "asadmin enable".
> Not sure about the specifics with the security policy, security
> team might be able to help with a better alternative.

Glassfish v3 includes 2 policy providers, and others can be developed
and integrated.

Of the 2 providers that ship with V3, the file-based provider is
configured by default. The file-based provider will detect and
internalize changes to policy files when Policy#refresh is called.

Policy#refresh is called whenever any application is deployed,
undeployed, enabled, or disabled. It can also be called explicitly by
any application (that has been granted the setPolicy SecurityPermission).

For example, when application A is undeployed, the deployment system
calls Policy#refresh on the installed provider. The file-based provider
proceeds to check all the policy files for all the deployed applications
to determine if any have changed since the last refresh. Any changed
files are internalized such that they will be used for the corresponding
applications.

Ron

PS: we have been prototyping a third variant of the existing providers,
that will merge in policy rules from a policy file embedded in the
application archive. We'd like to make that available in an upcoming
release, and if this is something you want to try for yourself,
Glassfish supports the configuration of pluggable authorization
providers according to the JACC contract.

>
> - Hong
>
>>
>> I am looking for a way to deploy applications and set their
>> app-specific security policy.
>>
>> At the moment I have to do it like this:
>> asadmin deploy myapp.war
>> asadmin disable myapp
>> [here I overwrite generated/policy/appname/modulename/granted.policy]
>> asadmin enable myapp
>>
>> While it works, it feels a bit hacky & dirty.
>> I tried deploying with --enabled=false (thus skipping the disable
>> step) but in that case enabling it will overwrite my policy file
>> again.
>>
>> Is there a way to use the AdminGui 'restart application' functionality
>> from asadmin?
>> If I change a granted.policy file and click the restart link in the
>> admin gui afterwards, this will effectuate my policy.
>>
>> Or a way to somehow set the policy on deployment? (like asadmin deploy
>> --policyfile=my.policy)
>> Or a way to include it in the .war file?
>>
>> I know it's also possible to put policies into server.policy and use
>> 'grant codeBase' to give policies to the app-specific code,
>> but I couldn't find a way to enable those without restarting the
>> domain (which would mean all apps on all virtual servers would suffer
>> a few seconds downtime which is unacceptable).
>>
>> Does anyone know of a better way to do this?
>>
>> Thanks,
>> Mathijs
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: users-unsubscribe_at_glassfish.dev.java.net
>> For additional commands, e-mail: users-help_at_glassfish.dev.java.net
>
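
The explicit refresh described in the reply, as an added example that is not part of the original thread and is not GlassFish code: a hypothetical helper that calls Policy#refresh from application code and reports whether a probe permission is granted to the application's code before and after the refresh. The class name, the probe path and the extra permissions listed in the comments are assumptions.

```java
import java.io.FilePermission;
import java.security.AccessController;
import java.security.Permission;
import java.security.Policy;
import java.security.PrivilegedAction;
import java.security.ProtectionDomain;

/**
 * Hypothetical helper: call it after granted.policy has been edited on disk.
 *
 * Permissions this code needs under a security manager:
 *  - SecurityPermission "setPolicy"  (named in the reply above)
 *  - SecurityPermission "getPolicy"  (checked by Policy.getPolicy())
 *  - RuntimePermission "getProtectionDomain" (checked by Class.getProtectionDomain())
 */
public final class PolicyRefreshCheck {

    private PolicyRefreshCheck() { }

    /** Returns {grantedBefore, grantedAfter} for the probe permission. */
    public static boolean[] refreshAndCheck(final Class<?> appClass,
                                            final Permission probe) {
        // doPrivileged limits the permission check to this class's own
        // protection domain instead of every caller on the stack.
        return AccessController.doPrivileged(new PrivilegedAction<boolean[]>() {
            public boolean[] run() {
                ProtectionDomain domain = appClass.getProtectionDomain();
                Policy policy = Policy.getPolicy();
                boolean before = policy.implies(domain, probe);
                // Ask the installed provider to re-read its policy sources.
                policy.refresh();
                boolean after = policy.implies(domain, probe);
                return new boolean[] { before, after };
            }
        });
    }

    public static void main(String[] args) {
        // Constructed probe: a permission the edited policy file is expected to add.
        Permission probe = new FilePermission("/tmp/example-data/-", "read");
        boolean[] result = refreshAndCheck(PolicyRefreshCheck.class, probe);
        System.out.println("granted before refresh: " + result[0]
                + ", after refresh: " + result[1]);
    }
}
```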