Basic tools security policy template

Customize this policy if you run Derby tools against an embedded Derby engine.

This policy grants essential permissions to the tools, engine, and shared modules.

grant codeBase "${derby.install.url}derbyshared.jar"
{
  // Needed to determine whether the JVM was booted with a module path.
  permission java.util.PropertyPermission "jdk.module.path", "read";

  // Need in order to read message localizations from other derby jars
  // when running with a module path.
  permission java.io.FilePermission "${derby.install.path}${/}-", "read";

  // Gives permission for JMX to be used against Derby
  // but only if JMX authentication is not being used.
  // In that case the application would need to create
  // a whole set of fine-grained permissions to allow specific
  // users access to MBeans and actions they perform.
  permission org.apache.derby.shared.common.security.SystemPermission "engine", "monitor";
  permission org.apache.derby.shared.common.security.SystemPermission "server", "monitor";

};

grant codeBase "${derby.install.url}derby.jar"
{
  // These permissions are needed for everyday, embedded Derby usage.
  permission java.lang.RuntimePermission "createClassLoader";
  permission java.util.PropertyPermission "derby.*", "read";
  permission java.util.PropertyPermission "user.dir", "read";
  permission org.apache.derby.shared.common.security.SystemPermission "engine", "usederbyinternals";
  permission java.io.FilePermission "${derby.system.home}","read,write";
  permission java.io.FilePermission "${derby.system.home}${/}-", "read,write,delete";
  permission java.io.FilePermission "${derby.system.home}${/}derby.properties", "read";
  permission java.io.FilePermission "${derby.system.home}${/}derby.log", "read,write,delete";

  // Properties needed to determine if the VM is 32 or 64 bit.
  permission java.util.PropertyPermission "sun.arch.data.model", "read";
  permission java.util.PropertyPermission "os.arch", "read";

  // Gives permission for JMX to be used against Derby
  // but only if JMX authentication is not being used.
  // In that case the application would need to create
  // a whole set of fine-grained permissions to allow specific
  // users access to MBeans and actions they perform.
  permission org.apache.derby.shared.common.security.SystemPermission "jmx", "control";
  permission org.apache.derby.shared.common.security.SystemPermission "engine", "monitor";
  permission org.apache.derby.shared.common.security.SystemPermission "server", "monitor";

  // Permissions needed for JMX based management and monitoring.
  permission javax.management.MBeanServerPermission "createMBeanServer";

  // Allows access to Derby's built-in MBeans, within the domain
  // org.apache.derby.  Derby must be allowed to register and unregister these
  // MBeans.  To fine tune this permission, see the javadoc of
  // javax.management.MBeanPermission or the JMX Instrumentation and Agent Specification.
  permission javax.management.MBeanPermission "org.apache.derby.*#[org.apache.derby:*]", "registerMBean,unregisterMBean";

  // Trusts Derby code to be a source of MBeans and to register these in the MBean server.
  permission javax.management.MBeanTrustPermission "register";

  // Optional permission needed for printing classpath information to derby.log.
  permission java.lang.RuntimePermission "getProtectionDomain";

  // The following permission must be granted for Connection.abort(Executor) to work.
  // Note that this permission must also be granted to outer (application) code domains.
  permission java.sql.SQLPermission "callAbort";

  // Needed by FileUtil#limitAccessToOwner.
  permission java.lang.RuntimePermission "accessUserInformation";
  permission java.lang.RuntimePermission "getFileStoreAttributes";

};

grant codeBase "${derby.install.url}derbytools.jar"
{
  // Access all properties using System.getProperties -
  // ij enumerates the properties in order to open connections
  // for any property set in ij.connection.* and set protocols
  // for any property in ij.protocol.*
  permission java.util.PropertyPermission "*", "read,write";

  // Needed by sysinfo. The file permission is needed to check the existence
  // of jars on the classpath. You can limit this permission to just the locations
  // which hold your jar files.
  permission java.util.PropertyPermission "user.*", "read";
  permission java.util.PropertyPermission "java.home", "read";
  permission java.util.PropertyPermission "java.class.path", "read";
  permission java.util.PropertyPermission "java.runtime.version", "read";
  permission java.util.PropertyPermission "java.fullversion", "read";
  permission java.lang.RuntimePermission "getProtectionDomain";
  permission org.apache.derby.shared.common.security.SystemPermission "engine", "usederbyinternals";
  permission java.io.FilePermission "<<ALL FILES>>", "read";

};
Parent topic: Configuring Java security
Related concepts
Using a Java security policy file
Related tasks
Running the Network Server with a security manager
Running the Network Server without a security manager
Related reference
Basic engine security policy template
Basic server security policy template
Basic client security policy template
Sample customized Java security policy file