Note

As Rhino starts, it:

  1. pre-processes configuration files (including rhino.policy

  2. substitutes configuration variables (such as @RHINO_HOME@)

  3. creates working configuration files (in the node-XXX/work/config subdirectory).

Disabling or debugging security

There may be times when you want to disable security (for example, during development), or enable fine-grained security tracing in Rhino (for example, to track down security-related issues in Rhino).

Disabling security completely

You can disable security two ways:

  1. Insert a rule into the policy file that grants AllPermission to all code:

    grant {
    permission java.security.AllPermission;
    };
  2. Disable the use of a security manager — edit $RHINO_HOME/node-XXX/read-config-variables, commenting out the following line:

    #OPTIONS="$OPTIONS -Djava.security.manager"
Warning
Enable security when running Rhino

OpenCloud recommends you always run Rhino with security enabled.

Debugging security

You can debug Rhino’s security configuration by enabling security tracing (so that the security manager produces trace logs) — edit $RHINO_NODE_HOME/read-config-variables, adding the following line:

OPTIONS="$OPTIONS -Djava.security.debug=access,failure"
Warning

This option will produce a lot of console output. To capture it, redirect the standard out and standard error streams from Rhino to a file. For example:

$ start-rhino.sh > out 2>&1

Excerpt of rhino.policy

Below is an excerpt of $RHINO_HOME/node-XXX/config/rhino.policy:

grant {
permission java.io.FilePermission "${java.home}${/}lib${/}rt.jar", "read";
permission java.io.FilePermission "${java.home}${/}lib${/}jaxp.properties","read";

// Needed by default logging configuration.
permission java.io.FilePermission "${rhino.dir.work}${/}log${/}-","read,write";

// Java "standard" properties that can be read by anyone
permission java.util.PropertyPermission "java.version", "read";
permission java.util.PropertyPermission "java.vendor", "read";
permission java.util.PropertyPermission "java.vendor.url", "read";
permission java.util.PropertyPermission "java.class.version", "read";
permission java.util.PropertyPermission "os.name", "read";
permission java.util.PropertyPermission "os.version", "read";
permission java.util.PropertyPermission "os.arch", "read";
permission java.util.PropertyPermission "file.separator", "read";
permission java.util.PropertyPermission "path.separator", "read";
permission java.util.PropertyPermission "line.separator", "read";

permission java.util.PropertyPermission "java.specification.version", "read";
permission java.util.PropertyPermission "java.specification.vendor", "read";
permission java.util.PropertyPermission "java.specification.name", "read";

permission java.util.PropertyPermission "java.vm.specification.version", "read";
permission java.util.PropertyPermission "java.vm.specification.vendor", "read";
permission java.util.PropertyPermission "java.vm.specification.name", "read";
permission java.util.PropertyPermission "java.vm.version", "read";
permission java.util.PropertyPermission "java.vm.vendor", "read";
permission java.util.PropertyPermission "java.vm.name", "read";
};

// Standard extensions get all permissions by default
grant codeBase "file:///${java.home}/lib/ext/*" {
permission java.security.AllPermission;
};

// ...

Java Security Properties

A per node configuration file $RHINO_NODE_HOME/config/rhino.java.security has been added to allow overriding of JVM security settings. This file includes default values for the following networking security properties:

networkaddress.cache.ttl=30
networkaddress.negative.cache.ttl=10

The value of these properties control how long Resource Adaptors and Rhino based applications cache network addresses after successful and unsuccessful DNS queries. These values override the ones specified in the JVMs java.security file. See Oracle’s Networking Properties documentation for more details. The JVM default for networkaddress.cache.ttl is to cache forever. (-1) Therefore the introduction of this file to Rhino’s per-node configuration will alter an applications caching behavior on upgrade to a newer Rhino version.

Use of a different java.security configuration file can be achieved by modifying the following line in $RHINO_NODE_HOME/read-config-variables:

OPTIONS="$OPTIONS -Djava.security.properties=${SCRIPT_WORK_DIR}/config/rhino.java.security"
Previous page Next page
Rhino Version 2.7.0