Customizing the Network Server's security policy

You will probably want to customize the Network Server's Basic security policy.

The Network Server's Basic security policy is documented in Basic Network Server security policy.

For example, you might want to restrict the server's liberal file I/O permissions, which let the server backup/restore and export/import to or from any location in the local file system. Customizing the security policy is simple:

  1. A template policy lives in the Derby distribution at demo/templates/server.policy. Copy the file from this location to your own file, say myCustomized.policy. All of the following edits take place in your custom file.
  2. Replace the ${derby.install.url} variable with the location of the Derby jars in your local file system.
  3. Replace the ${derby.system.home} variable with the location of your Derby system directory. Alternatively, rather than replacing this variable, you can simply set the value of the derby.system.home system property when you boot the server.
  4. Replace the ${derby.drda.traceDirectory} variable with the location of your server trace file if you plan to use tracing.
  5. Grant java.net.SocketPermission to derby.jar if you are using LDAP authentication, so that the Derby code is allowed to contact the LDAP server to perform the authentication.
  6. You may want to restrict the socket permission for derbynet.jar, which by default accepts connections from any host ("*"). Note that the special wildcard address "0.0.0.0" is not understood by SocketPermission, even though Derby accepts this wildcard as a valid value for accepting connections on all network interfaces (IPv4).
  7. Refine the file permissions needed by backup/restore, import/export, and the loading of application jars.

The following is a sample customized policy file:

grant codeBase "file:/usr/local/share/sw/derby/lib/derby.jar"
{
  // These permissions are needed for everyday, embedded Derby usage.
  //
  permission java.lang.RuntimePermission "createClassLoader";
  permission java.util.PropertyPermission "derby.*", "read";
  permission java.util.PropertyPermission "user.dir", "read";

  // The next two properties are used to determine if the VM is 32 or
  // 64 bit.
  //
  permission java.util.PropertyPermission "sun.arch.data.model", "read";
  permission java.util.PropertyPermission "os.arch", "read";

  // Customized to actual location of derby.system.home:
  //
  permission java.io.FilePermission
      "/usr/local/shoppingCartApp/databases", "read";
  permission java.io.FilePermission
      "/usr/local/shoppingCartApp/databases/-", "read,write,delete";

  // This permission lets a DBA reload the policy file while the server
  // is still running. The policy file is reloaded by invoking the
  // SYSCS_UTIL.SYSCS_RELOAD_SECURITY_POLICY() system procedure.
  //
  permission java.security.SecurityPermission "getPolicy";

  // This permission lets you backup and restore databases
  // to and from a selected branch of the local file system:
  //
  permission java.io.FilePermission
    "/usr/local/shoppingCartApp/backups/-", "read,write,delete";

  // This permission lets you import data from
  // a selected branch of the local file system:
  //
  permission java.io.FilePermission
      "/usr/local/shoppingCartApp/imports/-", "read";

  // This permission lets you export data to
  // a selected branch of the local file system:
  //
  permission java.io.FilePermission
      "/usr/local/shoppingCartApp/exports/-", "write";

  // This permission lets you load your databases with jar files of
  // application code
  //
  permission java.io.FilePermission "/usr/local/shoppingCartApp/lib/*",
      "read";

  // LDAP server on localhost using default LDAP port 389:
  //
  permission java.net.SocketPermission "localhost:389",
      "connect,resolve";  

  // Permissions needed for JMX based management and monitoring.
  // Uncomment the following MBeanServerPermission, MBeanPermission and
  // MBeanTrustPermission if you need JMX monitoring. Consider the
  // security implications before you open up for JMX
  // monitoring.
  //
  // Allows this code to create an MBeanServer:
  //
  // permission javax.management.MBeanServerPermission 
  //     "createMBeanServer";
  //
  // Allows access to Derby's built-in MBeans, within the domain
  // org.apache.derby. Derby must be allowed to register and unregister
  // these MBeans. It is possible to allow access only to specific
  // MBeans, attributes or operations. To fine-tune this permission, see
  // the API documentation for javax.management.MBeanPermission or the
  // JMX Instrumentation and Agent Specification:
  //
  // permission javax.management.MBeanPermission
  //     "org.apache.derby.*#[org.apache.derby:*]", 
  //     "registerMBean, unregisterMBean";
  //
  // Trusts Derby code to be a source of MBeans and to register these
  // in the MBean server:
  //
  // permission javax.management.MBeanTrustPermission "register";
  
  // getProtectionDomain is an optional permission needed for printing
  // classpath information to derby.log. Consider if this could be a 
  // security risk before enabling it.
  //
  // permission java.lang.RuntimePermission "getProtectionDomain";
  
  // The following permission must be granted for
  // Connection.abort(Executor) to work. Note that this permission must
  // also be granted to outer (application) code domains.
  // Uncomment this permission if you plan to use Connection.abort.
  //
  // permission java.sql.SQLPermission "callAbort";
  
  // Needed by file permissions restriction system (see the
  // documentation for derby.storage.useDefaultFilePermissions in the
  // Reference Manual). Consider restricting the database file-level
  // permissions for security.
  //
  permission java.lang.RuntimePermission "accessUserInformation";
  permission java.lang.RuntimePermission "getFileStoreAttributes";
};

grant codeBase "file:/usr/local/share/sw/derby/lib/derbynet.jar"
{
  // This permission lets the Network Server manage connections from
  // clients originating from the localhost, on any port. Consider the
  // security implications before you open up database connections
  // from other hosts.
  //
  permission java.net.SocketPermission "localhost:0-", "accept,listen"; 

  // Needed for server tracing.
  //
  permission java.io.FilePermission 
      "/usr/local/shoppingCartApp/trace/-", "read,write,delete";
  
  // Needed by file permissions restriction system:
  //
  permission java.lang.RuntimePermission "accessUserInformation";
  permission java.lang.RuntimePermission "getFileStoreAttributes";

  // Mandatory if running with a customized policy file.
  //
  permission java.util.PropertyPermission 
      "derby.__serverStartedFromCmdLine", "read, write";
  
  //
  // JMX: Uncomment this permission to allow the ping operation of the 
  //      NetworkServerMBean to connect to the Network Server.
  //
  // permission java.net.SocketPermission "*", "connect,resolve";
  
  // Needed by the sysinfo tool only. You may want to remove the
  // block of permissions below if you don't plan to use it. The file 
  // permission is needed to check the existence of jars on the
  // classpath. You can limit this permission to just the locations
  // which hold your jar files.
  //
  // This block of permissions is granted to derbynet.jar under the
  // assumption that derbynet.jar is the first jar file in your
  // classpath which contains the sysinfo classes. If that is not the
  // case, then you will want to grant this block of permissions to
  // the first jar file in your classpath which contains the sysinfo
  // classes.  Those classes are bundled into the following Derby jar
  // files:
  //
  //    derbynet.jar
  //    derby.jar
  //    derbyclient.jar
  //    derbytools.jar
  //
  permission java.util.PropertyPermission "user.*", "read";
  permission java.util.PropertyPermission "java.home", "read";
  permission java.util.PropertyPermission "java.class.path", "read";
  permission java.util.PropertyPermission "java.runtime.version", "read";
  permission java.util.PropertyPermission "java.fullversion", "read";
  permission java.lang.RuntimePermission "getProtectionDomain";
  permission java.io.FilePermission 
      "/usr/local/shoppingCartApp/jars/-", "read";
  permission java.io.FilePer mission "java.runtime.version", "read";
  permission java.io.FilePermission "java.fullversion", "read";
};

After customizing the Basic policy, you may bring up the Network Server as follows:

java -Djava.security.manager \
-Djava.security.policy=/usr/local/shoppingCartApp/lib/myCustomized.policy \
org.apache.derby.drda.NetworkServerControl start -h localhost
Parent topic: Running the Network Server under the security manager
Related tasks
Basic Network Server security policy
Running the Network Server without a security policy