//
// Security policy for running Apache SIS in a security-constrained environment
// (i.e. under a SecurityManager). The first grant block below contains the
// permissions that are most likely to be needed for SIS use. Other grant blocks
// contain permissions needed only if JavaDB is used or if MBeans monitoring is
// desired. Note that none of the grant blocks carries a codeBase or signedBy
// clause, so every permission listed here is granted to all code loaded in the
// JVM, not only to Apache SIS; add a codeBase clause before deploying alongside
// untrusted code.
//
grant {
    // Needed to register a JVM shutdown hook.
    permission java.lang.RuntimePermission "shutdownHooks";
    // Read-only access to the SIS_DATA environment variable, which names the
    // SIS data directory referred to below.
    permission java.lang.RuntimePermission "getenv.SIS_DATA";
    permission java.util.PropertyPermission "java.naming.factory.initial", "read";
    permission java.util.PropertyPermission "derby.system.home", "read";
    permission java.lang.RuntimePermission "getClassLoader";
    // Required for setAccessible(true). Apache SIS suppresses those checks only for
    // its own classes or fields, but that restriction is enforced by SIS's code, not
    // by this permission: any code covered by this grant may bypass Java access
    // checks on any class. This is the most sensitive permission in this block.
    permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
    // Only the ${SIS_DATA} directory actually needs to be accessible, but policy
    // files expand ${name} from system properties, not from environment variables,
    // so the path below falls back to the whole user home directory, recursively
    // ("-"). That is broader than needed: prefer hard-coding the SIS_DATA path here,
    // or passing it as a system property and referencing that property instead of
    // ${user.home}.
    // The write and delete actions are needed for Derby and may be omitted if
    // another database is used (e.g. PostgreSQL). The read action may also be
    // omitted if another database is used and no other files (e.g. datum shift
    // grids) are needed.
    permission java.io.FilePermission "${user.home}${/}-", "read,write,delete";
};
//
// Optional permissions for using the JavaDB embedded with Oracle JDK.
// Some or all of these permissions can be omitted if a Derby driver or another
// database driver (e.g. PostgreSQL) is already on the classpath.
//
grant {
    // Derby's log file, written in the current working directory (${user.dir}).
    permission java.io.FilePermission "${user.dir}${/}derby.log", "read,write,delete";
    // Location of the JavaDB driver shipped with older Oracle JDKs: ${java.home}
    // is the JRE directory, and "db" sits next to it. NOTE(review): recent JDKs no
    // longer bundle JavaDB; verify that this path exists on the target
    // installation, or point it at the derby.jar actually used.
    permission java.io.FilePermission "${java.home}${/}..${/}db${/}lib${/}derby.jar", "read";
    permission java.util.PropertyPermission "java.home", "read";
    // Read access to all derby.* system properties (Derby's configuration).
    permission java.util.PropertyPermission "derby.*", "read";
    permission java.lang.RuntimePermission "getClassLoader";
    // createClassLoader lets any code covered by this grant define new classes
    // and protection domains, which can be used to escape other restrictions in
    // this policy. Presumably needed to load the driver from the jar above; if
    // possible, restrict this block to that jar with a codeBase clause.
    permission java.lang.RuntimePermission "createClassLoader";
    permission java.lang.RuntimePermission "setContextClassLoader";
};
//
// Optional permissions. If those permissions are not granted, a message
// will be logged at Level.CONFIG and JMX monitoring will be disabled.
//
grant {
    // Needed to obtain the platform MBean server.
    permission javax.management.MBeanServerPermission "createMBeanServer";
    // Scoped to the SIS Supervisor MBean only ("#-" covers all of its members,
    // and the object name pattern restricts what can be registered). Keep it
    // this narrow rather than widening the class or object name to "*".
    permission javax.management.MBeanPermission "org.apache.sis.internal.system.Supervisor#-[org.apache.sis:type=Supervisor]", "registerMBean,unregisterMBean";
    // MBeanTrustPermission is checked against the protection domain of the MBean
    // class being registered; with no codeBase clause on this block, MBeans from
    // any code in the JVM become registrable, so consider scoping this block.
    permission javax.management.MBeanTrustPermission "register";
};