Using Java Security to Protect WebLogic Resources 8-5 Allow getting the J2EEJ2SETest4 property description security-permission-spec grant { permission java.util.PropertyPermission welcome.J2EEJ2SETest4,read; }; security-permission-spec security-permission

8.2.2 Using Printing Security Manager

Printing Security Manager is an enhancement to the Java Security Manager. You can use Printing Security Manager to identify all of the required permissions for any Java application running under Java Security Manager. Unlike The Java Security Manager, which identifies needed permissions one at a time, the Printing Security Manager identifies all of the needed permissions without intervention. For more information on Java Security Manager, see the Java Security Web page at http:java.sun.comj2se1.5.0docsguidesecurityindex.html .

8.2.2.1 Printing Security Manager Startup Arguments

To use the Java Security Manager with WebLogic Server, you specify two arguments when starting WebLogic Server: ■ -Djava.security.manager=weblogic.security.psm.PrintingSecurityManager The -Djava.security.manager argument tells WebLogic Server which Java Security Manager to start, in this case the Printing Security Manager. ■ -Djava.security.policy The -Djava.security.policy argument specifies a filename using a relative or fully-qualified pathname that contains Java 2 security policies. WebLogic Server provides a sample Java security policy file, which you can edit and use. The file is located at WL_HOME\server\lib\weblogic.policy. By default, startWebLogic.cmdsh already includes the -Djava.security.policy=WL_HOMEserverlibweblogic.policy property, so you do not need to specify it unless you want to use another Java security policy file. Note: The security-permission-spec tag cannot currently be added to a weblogic-application.xml file, you are limited to using this tag within a weblogic-ejb-jar.xml, rar.xml, or weblogic.xml file. Also, variables are not supported in the security-permission-spec attribute. Note: Do not use Printing Security Manager in production environments. It is intended solely for development to identify missing permissions. It does not prevent untrusted code operations. 8-6 Programming Security for Oracle WebLogic Server

8.2.2.2 Starting WebLogic Server With Printing Security Manager

To start WebLogic Server with the Printing Security Manager from a UNIX shell, pass the following argument to the startWebLogic.sh script in DOMAIN_HOME. This example uses the default weblogic.policy Java policy file from startWeblogic.sh. startWeblogic.sh -Xbootclasspathp:MWHOMEmodulescom.bea.core.weblogic.security.psm_1.0.0.0.jar -Djava.security.manager=weblogic.security.psm.PrintingSecurityManager For a Windows system without a UNIX shell, first set the startup options in JAVA_ OPTIONS, and then use the startWebLogic.cmd script in DOMAIN_HOME to start WebLogic Server. This example uses the default weblogic.policy Java policy file from startWeblogic.cmd. set JAVA_ OPTIONS=-Xbootclasspathp:MWHOMEmodulescom.bea.core.weblogic.security.psm_ 1.0.0.0.jar -Djava.security.manager=weblogic.security.psm.PrintingSecurityManager DOMAIN_HOME\startWeblogic.cmd

8.2.2.3 Writing Output Files