Sample customized Java security policy file

Here is a sample customized Java security policy file.

grant codeBase "file:///Users/me/javadb/lib/derby.jar"
{
  //
  // These permissions are needed for everyday, embedded Derby usage.
  //
  permission java.lang.RuntimePermission "createClassLoader";
  permission java.util.PropertyPermission "derby.*", "read";
  permission java.util.PropertyPermission "user.dir", "read";
  permission java.util.PropertyPermission "derby.storage.jvmInstanceId", 
      "write"; 
  permission org.apache.derby.security.SystemPermission "engine", "usederbyinternals";
  // The next two properties are used to determine if the VM is 32-bit
  // or 64-bit.
  permission java.util.PropertyPermission "sun.arch.data.model", "read";
  permission java.util.PropertyPermission "os.arch", "read";
  permission java.io.FilePermission "/Users/me/derby/dummy","read";
  permission java.io.FilePermission "/Users/me/derby/dummy${/}-", 
      "read,write,delete";

  //
  // This permission lets a DBA reload the policy file while the server
  // is still running. The policy file is reloaded by invoking the
  // SYSCS_UTIL.SYSCS_RELOAD_SECURITY_POLICY() system procedure.
  //
  permission java.security.SecurityPermission "getPolicy";

  //
  // This permission lets you back up and restore databases
  // to and from arbitrary locations in your file system.
  //
  // This permission also lets you import/export data to and from
  // arbitrary locations in your file system.
  //
  // You may want to restrict this access to specific directories.
  //
  permission java.io.FilePermission "/Users/me/derby/dummy/backups/-", 
      "read,write,delete";
  // imports/exports
  permission java.io.FilePermission "/Users/me/derby/dummy/imports/-",
      "read,write,delete";
  // jar files of user-written functions and procedures
  permission java.io.FilePermission "/Users/me/derby/dummy/jars/-",
      "read,write,delete";

  //
  // Permissions needed for JMX based management and monitoring, which is
  // available only for JVMs that support "platform management", that is,
  // Java SE 5.0 or above.
  //
  // Allows this code to create an MBeanServer:
  //
  permission javax.management.MBeanServerPermission "createMBeanServer";
  //
  // Allows access to Derby's built-in MBeans, within the domain
  // org.apache.derby. Derby must be allowed to register and unregister
  // these MBeans. It is possible to allow access only to specific
  // MBeans,   // attributes, or operations. To fine-tune this
  // permission, see the API documentation of
  // javax.management.MBeanPermission or the JMX Instrumentation and
  // Agent Specification. 
  //
  permission javax.management.MBeanPermission 
      "org.apache.derby.*#[org.apache.derby:*]",
      "registerMBean,unregisterMBean";
  //
  // Trusts Derby code to be a source of MBeans and to register these in
  // the MBean server.
  //
  permission javax.management.MBeanTrustPermission "register";

  // getProtectionDomain is an optional permission needed for printing
  // classpath information to derby.log.
  permission java.lang.RuntimePermission "getProtectionDomain";

  //
  // The following permission must be granted for
  // Connection.abort(Executor) to work. Note that this permission must
  // also be granted to outer (application) code domains.
  //
  permission java.sql.SQLPermission "callAbort";

  // Needed by file permissions restriction system.
  permission java.lang.RuntimePermission "accessUserInformation";
  permission java.lang.RuntimePermission "getFileStoreAttributes";

  // This permission is needed to connect to the LDAP server in order
  // to authenticate users.
  // permission java.net.SocketPermission "127.0.0.1:1389", 
  //    "accept,connect,resolve";
};

grant codeBase "file:///Users/me/javadb/lib/derbynet.jar"
{
  //
  // This permission lets the Network Server manage connections from
  // clients.
  //

  // Accept connections from any host. Derby is listening to the host
  // interface specified via the -h option to "NetworkServerControl
  // start" on the command line, via the address parameter to the
  // org.apache.derby.drda.NetworkServerControl constructor in the API
  // or via the property derby.drda.host; the default is localhost.
  // You may want to restrict allowed hosts, e.g. to hosts in a specific
  // subdomain, e.g. "*.example.com".
  permission java.net.SocketPermission "localhost:0-", "accept";

  //
  // Needed for server tracing.
  //
  permission java.io.FilePermission "/Users/me/derby/dummy/traces${/}-", 
      "read,write,delete";

  // Needed by file permissions restriction system.
  permission java.lang.RuntimePermission "accessUserInformation";
  permission java.lang.RuntimePermission "getFileStoreAttributes";
  permission java.util.PropertyPermission 
      "derby.__serverStartedFromCmdLine", "read, write";

  // JMX: Needed to boot MBeans
  permission org.apache.derby.security.SystemPermission "engine", "usederbyinternals";
  // JMX: Uncomment this permission to allow the ping operation of the 
  //      NetworkServerMBean to connect to the Network Server.
  //permission java.net.SocketPermission "*", "connect,resolve";

  //
  // Needed by sysinfo. The file permission is needed to check the
  // existence of jars on the classpath. You can limit this permission to
  // just the locations that hold your jar files.
  //
  // In this template file, this block of permissions is granted to
  // derbynet.jar under the assumption that derbynet.jar is the first jar
  // file in your classpath that contains the sysinfo classes. If that is
  // not the case, then you will want to grant this block of permissions
  // to the first jar file in your classpath that contains the sysinfo
  // classes. Those classes are bundled into the following Derby jar
  // files:
  //
  //    derbynet.jar
  //    derby.jar
  //    derbyclient.jar
  //    derbytools.jar
  //
  permission java.util.PropertyPermission "user.*", "read";
  permission java.util.PropertyPermission "java.home", "read";
  permission java.util.PropertyPermission "java.class.path", "read";
  permission java.util.PropertyPermission "java.runtime.version", "read";
  permission java.util.PropertyPermission "java.fullversion", "read";
  permission java.lang.RuntimePermission "getProtectionDomain";
  permission java.io.FilePermission "/Users/me/javadb/lib/-", "read";
};
Related concepts
Using a Java security policy file
Running embedded Derby with a security manager
Related tasks
Running the Network Server with a security manager
Running the Network Server without a security manager
Related reference
Basic security policy template