For more information about using the sample policy file, see Downloading and running the IBM® JGSS samples.
Note: Read the Code example disclaimer for important legal information.
// ----------------------------------------------------------------------------
// JAAS policy file for running the JGSS sample applications.
// Modify these permissions to suit your environment.
// Not recommended for use for any purpose other than that stated above.
// In particular, do not use this policy file or its
// contents to protect resources in a production environment.
//
// Code example disclaimer
// IBM grants you a nonexclusive copyright license to use all programming code
// examples from which you can generate similar function tailored to your own
// specific needs.
// All sample code is provided by IBM for illustrative purposes only.
// These examples have not been thoroughly tested under all conditions.
// IBM, therefore, cannot guarantee or imply reliability, serviceability, or
// function of these programs.
// All programs contained herein are provided to you "AS IS" without any
// warranties of any kind.
// The implied warranties of non-infringement, merchantability and fitness
// for a particular purpose are expressly disclaimed.
//
// ----------------------------------------------------------------------------
//
// Layout: three grant entries (client, server, secondary server). Each entry
// is scoped by a CodeBase and by the Kerberos principal the code runs as.
//
// Points to check before adapting this file:
//  - No grant carries a signedBy clause, so the permissions follow whatever
//    code is loaded from the CodeBase URL, signed or not.
//  - "file:ibmjgsssample.jar" is a relative file URL.
//    NOTE(review): presumably resolved against the JVM's working directory;
//    confirm, and prefer an absolute path so the grant cannot match a
//    different jar of the same name.
//  - bob, gss_service, gss_service2, myhost.ibm.com and REALM.IBM.COM are
//    sample values; replace them with the principals, host and realm of the
//    target environment.
//  - Principal-based grants apply only while the code executes as a Subject
//    holding that KerberosPrincipal (for example after a JAAS login).

//-----------------------------------------------------------------------------
// Permissions for client only
//-----------------------------------------------------------------------------
grant CodeBase "file:ibmjgsssample.jar",
    Principal javax.security.auth.kerberos.KerberosPrincipal
        "bob@REALM.IBM.COM"
{
    // bob needs to be able to initiate a context with the server
    permission javax.security.auth.kerberos.ServicePermission
        "gss_service/myhost.ibm.com@REALM.IBM.COM", "initiate";

    // So that bob can delegate his creds to the server.
    // The target names two principals: the service entrusted with the
    // credentials (gss_service) and the service it may then reach on bob's
    // behalf. The second one is the realm's krbtgt principal, i.e. this
    // covers handing bob's forwarded ticket-granting ticket to gss_service.
    // Keep this permission only for services trusted to act as the client.
    permission javax.security.auth.kerberos.DelegationPermission
        "\"gss_service/myhost.ibm.com@REALM.IBM.COM\" \"krbtgt/REALM.IBM.COM@REALM.IBM.COM\"";
};

//-----------------------------------------------------------------------------
// Permissions for the server only
//-----------------------------------------------------------------------------
grant CodeBase "file:ibmjgsssample.jar",
    Principal javax.security.auth.kerberos.KerberosPrincipal
        "gss_service/myhost.ibm.com@REALM.IBM.COM"
{
    // Permission for the server to accept network connections on its host.
    // NOTE(review): for the "accept" action the host names the peer whose
    // connections are accepted, and no port range is given here, so the
    // permission is not limited to a single port - confirm and narrow it
    // (host:portrange) when adapting this file.
    permission java.net.SocketPermission "myhost.ibm.com", "accept";

    // Permission for the server to accept JGSS contexts
    permission javax.security.auth.kerberos.ServicePermission
        "gss_service/myhost.ibm.com@REALM.IBM.COM", "accept";

    // The server acts as a client when communicating with the secondary (backup) server
    // This permission allows the server to initiate a context with the secondary server
    permission javax.security.auth.kerberos.ServicePermission
        "gss_service2/myhost.ibm.com@REALM.IBM.COM", "initiate";
};

//-----------------------------------------------------------------------------
// Permissions for the secondary server
//-----------------------------------------------------------------------------
grant CodeBase "file:ibmjgsssample.jar",
    Principal javax.security.auth.kerberos.KerberosPrincipal
        "gss_service2/myhost.ibm.com@REALM.IBM.COM"
{
    // Permission for the secondary server to accept network connections on its host.
    // NOTE(review): same scope caveat as the primary server's SocketPermission -
    // no port range is specified; confirm and narrow.
    permission java.net.SocketPermission "myhost.ibm.com", "accept";

    // Permission for the secondary server to accept JGSS contexts.
    // Unlike the primary server it has no "initiate" ServicePermission, so
    // this policy does not let it open contexts to further services.
    permission javax.security.auth.kerberos.ServicePermission
        "gss_service2/myhost.ibm.com@REALM.IBM.COM", "accept";
};