Running the Network Server under the security manager

You should run the Network Server under the Java security manager. A sample security policy file is shown in the following examples. Fine-tune this policy to suit your needs.

CAUTION:
Opening up the server to all clients, without using a policy similar to the one in the following example to limit access, is a severe security risk.

// Recommended set of permissions to start and use the Network Server,
// assuming the 'd:/derby/lib' directory has been secured.
// Fine tune based on your environment settings.
grant codeBase "file:d:/derby/lib/-" {
    permission java.io.FilePermission "${derby.system.home}${/}-",
        "read, write, delete";
    permission java.io.FilePermission "${derby.system.home}", "read";
    permission java.io.FilePermission "${user.dir}${/}-", "read, write, delete";
    permission java.util.PropertyPermission "derby.*", "read";
    permission java.util.PropertyPermission "user.dir", "read";
    permission java.lang.RuntimePermission "createClassLoader";
    permission java.net.SocketPermission "myclientmachine", "accept";
};

// Required set of permissions to stop the Network Server, assuming you have
// secured the 'd:/derby/lib' directory.
// Remember to fine tune this as per your environment.
grant codeBase "file:d:/derby/lib/-" {
    // Following is required when server is started with "-h localhost"
    // or without the -h option
    permission java.net.SocketPermission "localhost", "accept, connect, resolve";
    permission java.net.SocketPermission "127.0.0.1", "accept, connect, resolve";
    // The following is only required if the server is started with the -h <host>
    // option (else shutdown access will be denied).
    permission java.net.SocketPermission "<host>:*", "accept, connect, resolve";
};
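
One way to check a policy file for the risk the CAUTION describes, shown as an added example that is not part of the Derby documentation: a small Python audit that flags grants with no codeBase, AllPermission, and SocketPermission entries that accept from any host or still contain the `<host>` placeholder. The sample policy and the function names are constructed for illustration, and the parser assumes the simple grant syntax used on this page.

```python
import re

# Constructed sample: the first grant mirrors the page's policy; the second is
# a deliberately over-broad grant of the kind the CAUTION warns about.
SAMPLE_POLICY = '''
grant codeBase "file:d:/derby/lib/-" {
  permission java.net.SocketPermission "myclientmachine", "accept";
  permission java.net.SocketPermission "<host>:*", "accept, connect, resolve";
};
grant {
  permission java.net.SocketPermission "*", "accept";
};
'''

GRANT_RE = re.compile(r'grant\s*(?:codeBase\s+"([^"]*)")?\s*\{(.*?)\}\s*;', re.S)
PERM_RE = re.compile(
    r'permission\s+([\w.$]+)(?:\s+"([^"]*)")?(?:\s*,\s*"([^"]*)")?\s*;')

def strip_comments(text):
    # Simplification: only whole-line // comments (the style used on this
    # page) are removed, so "file://" URLs inside codeBase stay intact.
    return re.sub(r'(?m)^[ \t]*//.*$', '', text)

def audit_policy(text):
    """Return (codeBase, finding) tuples for grants that are too broad."""
    findings = []
    for codebase, body in GRANT_RE.findall(strip_comments(text)):
        where = codebase or "<all code>"
        if not codebase:
            findings.append((where, "grant has no codeBase"))
        for cls, target, actions in PERM_RE.findall(body):
            if cls == "java.security.AllPermission":
                findings.append((where, "AllPermission granted"))
            if cls != "java.net.SocketPermission":
                continue
            # Target is "host" or "host:portrange"; keep only the host part.
            host = target.rsplit(":", 1)[0] if ":" in target else target
            acts = {a.strip() for a in actions.split(",")}
            if host == "*" and "accept" in acts:
                findings.append((where, "accepts connections from any host"))
            if "<" in host:
                findings.append((where, "placeholder host not replaced"))
    return findings

if __name__ == "__main__":
    for where, finding in audit_policy(SAMPLE_POLICY):
        print(f"{where}: {finding}")
```

A policy that names specific client hosts under a secured codeBase, as in the page's first grant, produces no findings.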