users@glassfish.java.net

Re: restarting an application from asadmin (or enabling a security policy _on_ deployment)

From: Mathijs Kwik <bluescreen303_at_gmail.com>
Date: Tue, 12 Jan 2010 08:50:53 +0100

Hi Ron,

That sounds very useful.
Any chance I can get my hands on some alpha/beta code of the
embedded-policy provider?
Or do I have to wait for a release?

And the other option you gave might be not-too-hard too.
Am I correct to assume I can write 1 application which manages the
permissions for all other apps?
Is it possible for this app to hook into Policy#refresh to find out
that new apps got deployed?
Or some other way to find out? (I can of course call asadmin
list-applications from it every minute or so, not as nice).
Or I can notify this app by hand (curl API call).

Thanks
Mathijs

On Mon, Jan 11, 2010 at 8:51 PM, <Ronald.Monzillo_at_sun.com> wrote:
> On 01/08/10 09:44, Hong Zhang wrote:
>>
>> Hi, Mathijs
>>   No, currently there is no asadmin command for restarting application.
>> But you can use the equivalent: "asadmin disable" + "asadmin enable".
>>   Not sure about the specifics with the security policy, security team
>> might be able to help with a better alternative.
>
> Glassfish v3 includes 2 policy providers, and others can be developed and
> integrated.
>
> Of the 2 providers that ship with V3, the file based provider is configured
> by default. The
> file-based provider will detect and internalize changes to policy files when
> Policy#refresh is called.
>
> Policy#refresh is called whenever any application is
> deployed/undeployed/enabled, or disabled. It can also be
> called explicitly by any application (that has been granted the setPolicy
> SecurityPermission).
>
> For example, when application A is undeployed, the deployment system calls
> Policy#refresh on the installed provider.
> The file-based provider proceeds to check all the policy files for all the
> deployed applications to determine if any
> have changed since the last refresh. Any changed files are internalized such
> that they will be used for the corresponding
> applications.
>
> Ron
>
> ps: we have been prototyping a third variant of the existing providers, that
> will merge in policy rules from a policy file
> embedded in the application archive. We'd like to make that available in an
> upcoming release, and if this is something you
> want to try for yourself, Glassfish supports the configuration of pluggable
> authorization providers according to the jacc contract.
>
>>
>> - Hong
>>
>>>
>>> I am looking for a way to deploy applications and set their
>>> app-specific security policy.
>>>
>>> At the moment I have to do it like this:
>>> asadmin deploy myapp.war
>>> asadmin disable myapp
>>> [here I overwrite generated/policy/appname/modulename/granted.policy]
>>> asadmin enable myapp
>>>
>>> While it works, it feels a bit hacky & dirty.
>>> I tried deploying with --enabled=false (thus skipping the disable
>>> step) but in that case enabling it will overwrite my policy file
>>> again.
>>>
>>> Is there a way to use the AdminGui 'restart application' functionality
>>> from asadmin?
>>> If I change a granted.policy file and click the restart link in the
>>> admin gui afterwards, this will effectuate my policy.
>>>
>>> Or a way to somehow set the policy on deployment? (like asadmin deploy
>>> --policyfile=my.policy)
>>> Or a way to include it in the .war file?
>>>
>>> I know it's also possible to put policies into server.policy and use
>>> 'grant codeBase' to give policies to the app-specific code,
>>> but I couldn't find a way to enable those without restarting the
>>> domain (which would mean all apps on all virtual servers would suffer
>>> a few seconds downtime which is unacceptable).
>>>
>>> Does anyone know of a better way to do this?
>>>
>>> Thanks,
>>> Mathijs
>>>
>>> ---------------------------------------------------------------------
>>> To unsubscribe, e-mail: users-unsubscribe_at_glassfish.dev.java.net
>>> For additional commands, e-mail: users-help_at_glassfish.dev.java.net
>>>
>>>
>>
>
>
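
The deploy / disable / overwrite / enable workaround from the original question, wrapped as a shell function (an added example, not code from any poster in this thread). It assumes `asadmin` is on PATH, that the application name is the archive's base name, and that the third argument is the domain directory containing `generated/policy`; the AllPermission guard is an addition the thread does not mention.

```shell
#!/bin/sh
# Added example: scripted form of the workaround described in the thread.
# Assumptions: asadmin is on PATH; DOMAIN_DIR is the domain root that holds
# generated/policy/<app>/<module>/granted.policy; the application name is the
# archive's base name; the application has exactly one module.

deploy_with_policy() {
    war=$1 policy=$2 domain_dir=$3
    app=$(basename "$war" .war)

    # Validate the replacement policy before touching the server.
    [ -s "$policy" ] || { echo "policy file missing or empty: $policy" >&2; return 2; }
    # Added guard (not from the thread): refuse a blanket grant.
    if grep -q 'java\.security\.AllPermission' "$policy"; then
        echo "refusing policy that grants AllPermission" >&2
        return 3
    fi

    # asadmin output goes to stderr so stdout carries only the result path.
    asadmin deploy "$war" >&2 || return 1
    asadmin disable "$app" >&2 || return 1

    # Find the generated file without guessing the module directory name.
    # An unmatched glob stays literal, so the -f test catches "no match".
    set -- "$domain_dir/generated/policy/$app"/*/granted.policy
    if [ $# -ne 1 ] || [ ! -f "$1" ]; then
        # Returning here leaves the application disabled (fail closed).
        echo "expected exactly one granted.policy for $app" >&2
        return 4
    fi
    target=$1

    # Keep the generated policy for later diffing, then overwrite in place
    # so the file keeps the owner and mode the server gave it.
    cp -p "$target" "$target.generated" || return 1
    cat "$policy" > "$target" || return 1

    # Enabling triggers Policy#refresh, which picks up the changed file.
    asadmin enable "$app" >&2 || return 1
    printf '%s\n' "$target"
}
```

If any step after `asadmin disable` fails, the application stays disabled rather than running with the generated policy.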