Using Java Security to Protect WebLogic Resources 8-5
Allow getting the J2EEJ2SETest4 property
</description>
<security-permission-spec>
grant {
permission java.util.PropertyPermission "welcome.J2EEJ2SETest4","read";
};
</security-permission-spec>
</security-permission>
8.2.2 Using Printing Security Manager
Printing Security Manager is an enhancement to the Java Security Manager. You can use Printing Security Manager to identify all of the required permissions for any Java application running under Java Security Manager. Unlike the Java Security Manager, which identifies needed permissions one at a time, the Printing Security Manager identifies all of the needed permissions without intervention.
For more information on Java Security Manager, see the Java Security Web page at http://java.sun.com/j2se/1.5.0/docs/guide/security/index.html.
8.2.2.1 Printing Security Manager Startup Arguments
To use the Java Security Manager with WebLogic Server, you specify two arguments when starting WebLogic Server:
■ -Djava.security.manager=weblogic.security.psm.PrintingSecurityManager
  The -Djava.security.manager argument tells WebLogic Server which Java Security Manager to start, in this case the Printing Security Manager.
■ -Djava.security.policy
  The -Djava.security.policy argument specifies a filename using a relative or fully-qualified pathname that contains Java 2 security policies. WebLogic Server provides a sample Java security policy file, which you can edit and use. The file is located at WL_HOME\server\lib\weblogic.policy.
By default, startWebLogic.cmd/sh already includes the -Djava.security.policy=WL_HOME\server\lib\weblogic.policy property, so you do not need to specify it unless you want to use another Java security policy file.
Note: The security-permission-spec tag cannot currently be added to a weblogic-application.xml file; you are limited to using this tag within a weblogic-ejb-jar.xml, rar.xml, or weblogic.xml file. Also, variables are not supported in the security-permission-spec attribute.
Note: Do not use Printing Security Manager in production environments. It is intended solely for development to identify missing permissions. It does not prevent untrusted code operations.
8-6 Programming Security for Oracle WebLogic Server
8.2.2.2 Starting WebLogic Server With Printing Security Manager
To start WebLogic Server with the Printing Security Manager from a UNIX shell, pass the following argument to the startWebLogic.sh script in DOMAIN_HOME. This example uses the default weblogic.policy Java policy file from startWebLogic.sh.
startWebLogic.sh -Xbootclasspath/p:MWHOME/modules/com.bea.core.weblogic.security.psm_1.0.0.0.jar \
  -Djava.security.manager=weblogic.security.psm.PrintingSecurityManager
For a Windows system without a UNIX shell, first set the startup options in JAVA_OPTIONS, and then use the startWebLogic.cmd script in DOMAIN_HOME to start WebLogic Server. This example uses the default weblogic.policy Java policy file from startWebLogic.cmd.
set JAVA_OPTIONS=-Xbootclasspath/p:MWHOME\modules\com.bea.core.weblogic.security.psm_1.0.0.0.jar -Djava.security.manager=weblogic.security.psm.PrintingSecurityManager
DOMAIN_HOME\startWebLogic.cmd
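Because the Printing Security Manager is selected by a single startup argument, a wrapper can inspect the option string before it reaches startWebLogic.sh and refuse it outside development. The following is an added example, not Oracle code; the function names psm_lint and security_manager_of and the dev|prod mode argument are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not Oracle code). psm_lint, security_manager_of and the
# dev|prod "mode" argument are hypothetical names chosen for this sketch.
PSM_CLASS="weblogic.security.psm.PrintingSecurityManager"

# Print "none", "default", or the class named by -Djava.security.manager=.
# The loop keeps the last occurrence if the option is repeated.
security_manager_of() {
    sm="none"
    set -f                      # no glob expansion while word-splitting $1
    for opt in $1; do
        case "$opt" in
            -Djava.security.manager|-Djava.security.manager=) sm="default" ;;
            -Djava.security.manager=*) sm="${opt#-Djava.security.manager=}" ;;
        esac
    done
    set +f
    printf '%s\n' "$sm"
}

# psm_lint MODE OPTIONS: print a verdict; return 1 only for PSM in prod.
psm_lint() {
    mode=$1
    sm=$(security_manager_of "$2")
    policy="unset"              # not in OPTIONS; the start script may add it
    set -f
    for opt in $2; do
        case "$opt" in
            -Djava.security.policy=*) policy="${opt#-Djava.security.policy=}" ;;
        esac
    done
    set +f
    if [ "$sm" = "$PSM_CLASS" ] && [ "$mode" = "prod" ]; then
        echo "FAIL: Printing Security Manager selected in prod; it does not prevent untrusted code operations"
        return 1
    fi
    echo "OK: security manager=$sm, policy=$policy"
}

# Constructed sample: the UNIX startup arguments shown above.
SAMPLE_OPTS="-Xbootclasspath/p:MWHOME/modules/com.bea.core.weblogic.security.psm_1.0.0.0.jar -Djava.security.manager=weblogic.security.psm.PrintingSecurityManager"
psm_lint dev  "$SAMPLE_OPTS"
psm_lint prod "$SAMPLE_OPTS" || echo "refusing to start with these options"
```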
8.2.2.3 Writing Output Files