Customizing the Network Server's security policy

The Network Server's Basic security policy is documented in the section Basic Network Server security policy. Most likely, you will want to customize your own security policy. For example, you might want to restrict the server's liberal file i/o permissions which let the server backup/restore and export/import to or from any location in the local file system. Customizing the security policy is simple:

The following example is a copy of a sample, customized policy file:

grant codeBase "file:/usr/local/share/sw/derby/lib/derby.jar"
{
//
// These permissions are needed for everyday, embedded Derby usage.
//
  permission java.lang.RuntimePermission "createClassLoader";
  permission java.util.PropertyPermission "derby.*", "read";
  // The next two properties are used to determine if the VM is 32 or 64 bit.
  permission java.util.PropertyPermission "sun.arch.data.model", "read";
  permission java.util.PropertyPermission "os.arch", "read";
  permission java.util.PropertyPermission "user.dir", "read";
  permission java.io.FilePermission "/usr/local/shoppingCartApp/databases","read";
  permission java.io.FilePermission "/usr/local/shoppingCartApp/databases/-", 
      "read,write,delete";
  permission java.util.PropertyPermission "derby.storage.jvmInstanceId", 
      "write"; 

//
// This permission lets a DBA reload the policy file while the server
// is still running. The policy file is reloaded by invoking the
// SYSCS_UTIL.SYSCS_RELOAD_SECURITY_POLICY() system procedure.
//
  permission java.security.SecurityPermission "getPolicy";

//
// This permission lets you backup and restore databases
// to and from a selected branch of the local file system:
//
  permission java.io.FilePermission "/usr/local/shoppingCartApp/backups/-", "read,write,delete";
//
// This permission lets you import data from
// a selected branch of the local file system:
//
  permission java.io.FilePermission "/usr/local/shoppingCartApp/imports/-", "read";
//
// This permission lets you export data to
// a selected branch of the local file system:
//
  permission java.io.FilePermission "/usr/local/shoppingCartApp/exports/-", "write";
//
// This permission lets you load your databases with jar files of
// application code
//
  permission java.io.FilePermission "/usr/local/shoppingCartApp/lib/*", "read";

// LDAP server on localhost using default LDAP port 389:
  permission java.net.SocketPermission "localhost:389", "connect,resolve";  
};

grant codeBase "file:/usr/local/share/sw/derby/lib/derbynet.jar"
{
//
// This permission lets the Network Server manage connections from clients
// originating from the localhost, on any port.
//
  permission java.net.SocketPermission "localhost:0-", "accept"; 
};

After customizing the Basic policy, you may bring up the Network Server as follows:

java -Djava.security.manager -Djava.security.policy=/usr/local/shoppingCartApp/lib/myCustomized.policy org.apache.derby.drda.NetworkServerControl start -h localhost
Related tasks
Basic Network Server security policy
Running the Network Server without a security policy