This page last changed on Jan 14, 2007 by dhardiker@adaptavist.com.

If you would like to secure the confluence webapp to make sure plugins (or other code executed) cannot access unwanted system resources, the following will restrict file system access.

Create the following .java.policy file and place it somewhere:

.java.policy
grant {
  permission java.util.PropertyPermission "*", "read,write";
  permission java.net.SocketPermission "*:-", "connect,accept,listen";
  permission java.io.FilePermission "/tangosol-coherence-override.xml","read";
  permission java.io.FilePermission "/tangosol-coherence-override-prod.xml","read";
  permission java.io.FilePermission "/path/to/confluenceWebapp/-","read,write";
  permission java.io.FilePermission "/path/to/confluence.home","read,write,delete";
  permission java.io.FilePermission "/path/to/confluence.home/-","read,write,delete";
  permission java.io.FilePermission "/path/to/resin/lib/-","read";
  permission java.io.FilePermission "/tmp", "read";
  permission java.io.FilePermission "/tmp/*", "read,write,delete";
  permission java.io.FilePermission "quartz.properties", "read";
  permission java.util.logging.LoggingPermission "control";
  permission java.awt.AWTPermission "*";
  permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
  permission java.io.SerializablePermission "*";
  permission java.lang.RuntimePermission "*";
  permission java.net.NetPermission "*";
  permission ognl.OgnlInvokePermission "*";
};

Make sure the following are java options are defined:

-Djava.security.manager -Djava.security.policy=/path/to/.java.policy

Of course you might be able to get away with less - please edit with any improvements you have!

Document generated by Confluence on Mar 22, 2007 20:54