The following standard Java security policy file defines the Rhino codebase security configuration.
As Rhino starts, it:
|
Disabling or debugging security
There may be times when you want to disable security (for example, during development), or enable fine-grained security tracing in Rhino (for example, to track down security-related issues in Rhino).
Disabling security completely
You can disable security two ways:
-
Insert a rule into the policy file that grants
AllPermission
to all code:grant { permission java.security.AllPermission; };
-
Disable the use of a security manager — edit
$RHINO_HOME/node-XXX/read-config-variables
, commenting out the following line:#OPTIONS="$OPTIONS -Djava.security.manager"
Enable security when running Rhino
OpenCloud recommends you always run Rhino with security enabled. |
Debugging security
You can debug Rhino’s security configuration by enabling security tracing (so that the security manager produces trace logs) — edit $RHINO_NODE_HOME/read-config-variables
, adding the following line:
OPTIONS="$OPTIONS -Djava.security.debug=access,failure"
This option will produce a lot of console output. To capture it, redirect the standard out and standard error streams from Rhino to a file. For example: $ start-rhino.sh > out 2>&1 |
Excerpt of rhino.policy
Below is an excerpt of $RHINO_HOME/node-XXX/config/rhino.policy
:
grant {
permission java.io.FilePermission "${java.home}${/}lib${/}rt.jar", "read";
permission java.io.FilePermission "${java.home}${/}lib${/}jaxp.properties","read";
// Needed by default logging configuration.
permission java.io.FilePermission "${rhino.dir.work}${/}log${/}-","read,write";
// Java "standard" properties that can be read by anyone
permission java.util.PropertyPermission "java.version", "read";
permission java.util.PropertyPermission "java.vendor", "read";
permission java.util.PropertyPermission "java.vendor.url", "read";
permission java.util.PropertyPermission "java.class.version", "read";
permission java.util.PropertyPermission "os.name", "read";
permission java.util.PropertyPermission "os.version", "read";
permission java.util.PropertyPermission "os.arch", "read";
permission java.util.PropertyPermission "file.separator", "read";
permission java.util.PropertyPermission "path.separator", "read";
permission java.util.PropertyPermission "line.separator", "read";
permission java.util.PropertyPermission "java.specification.version", "read";
permission java.util.PropertyPermission "java.specification.vendor", "read";
permission java.util.PropertyPermission "java.specification.name", "read";
permission java.util.PropertyPermission "java.vm.specification.version", "read";
permission java.util.PropertyPermission "java.vm.specification.vendor", "read";
permission java.util.PropertyPermission "java.vm.specification.name", "read";
permission java.util.PropertyPermission "java.vm.version", "read";
permission java.util.PropertyPermission "java.vm.vendor", "read";
permission java.util.PropertyPermission "java.vm.name", "read";
};
// Standard extensions get all permissions by default
grant codeBase "file:///${java.home}/lib/ext/*" {
permission java.security.AllPermission;
};
// ...
Java Security Properties
Configuration introduced in Rhino 2.6.0.1 |
A per node configuration file $RHINO_NODE_HOME/config/rhino.java.security
has been added to allow overriding of JVM security settings. This file includes default values for the following networking security properties:
networkaddress.cache.ttl=30 networkaddress.negative.cache.ttl=10
The value of these properties control how long Resource Adaptors and Rhino based applications cache network addresses after successful and unsuccessful DNS queries.
These values override the ones specified in the JVMs java.security
file.
See Oracle’s Networking Properties documentation for more details.
The JVM default for networkaddress.cache.ttl
is to cache forever. (-1)
Therefore the introduction of this file to Rhino’s per-node configuration will alter an applications caching behavior on upgrade to a newer Rhino version.
Use of a different java.security
configuration file can be achieved by modifying the following line in $RHINO_NODE_HOME/read-config-variables
:
OPTIONS="$OPTIONS -Djava.security.properties=${SCRIPT_WORK_DIR}/config/rhino.java.security"