For more information about using the sample policy file, see Downloading and running the IBM® JGSS samples.
Note: Read the Code example disclaimer for important legal information.
// -----------------------------------------------------------------
// Java policy file for running the JGSS sample applications on
// the iSeries server.
// Modify these permissions to suit your environment.
// Not recommended for use for any purpose other than that stated above.
// In particular, do not use this policy file or its
// contents to protect resources in a production environment.
//
// Code example disclaimer
// IBM grants you a nonexclusive copyright license to use all programming code
// examples from which you can generate similar function tailored to your own
// specific needs.
// All sample code is provided by IBM for illustrative purposes only.
// These examples have not been thoroughly tested under all conditions.
// IBM, therefore, cannot guarantee or imply reliability, serviceability, or
// function of these programs.
// All programs contained herein are provided to you "AS IS" without any
// warranties of any kind.
// The implied warranties of non-infringement, merchantability and fitness
// for a particular purpose are expressly disclaimed.
//
//---------------------------------------------------------------------

// Everything below is granted to any class loaded from this one code base.
// Both the JAASClient and the JAASServer login contexts are granted here, so
// presumably the client and server samples share the jar and therefore share
// every permission in this block - confirm against the jar contents.
// NOTE(review): the grant is keyed on location only (there is no signedBy
// clause), so write access to the jar is equivalent to holding these
// permissions. Keep the jar and its directory writable by administrators only.
grant CodeBase "file:ibmjgsssample.jar" {

    // For Java 1.3
    // NOTE(review): this unsuffixed target does not imply the named targets
    // below, so on 1.4 and later it is presumably unused - confirm, then drop it.
    permission javax.security.auth.AuthPermission "createLoginContext";

    // For Java 1.4
    // Each target names one login configuration entry the code may instantiate.
    permission javax.security.auth.AuthPermission "createLoginContext.JAASClient";
    permission javax.security.auth.AuthPermission "createLoginContext.JAASServer";

    // Allows the code to call Subject.doAsPrivileged.
    permission javax.security.auth.AuthPermission "doAsPrivileged";

    // Permission to request a ticket from the KDC
    // REALM.IBM.COM stands in for your Kerberos realm; replace it in both places.
    permission javax.security.auth.kerberos.ServicePermission "krbtgt/REALM.IBM.COM@REALM.IBM.COM", "initiate";

    // Permission to access sun.security.action classes
    // NOTE(review): this opens a JDK-internal package to the sample code; keep it
    // scoped to the code base that actually needs it.
    permission java.lang.RuntimePermission "accessClassInPackage.sun.security.action";

    // A whole bunch of Java properties are accessed
    // All of them are read-only except the last entry.
    permission java.util.PropertyPermission "java.net.preferIPv4Stack", "read";
    permission java.util.PropertyPermission "java.version", "read";
    permission java.util.PropertyPermission "java.home", "read";
    permission java.util.PropertyPermission "user.home", "read";
    permission java.util.PropertyPermission "DEBUG", "read";
    permission java.util.PropertyPermission "com.ibm.security.jgss.debug", "read";
    permission java.util.PropertyPermission "java.security.krb5.kdc", "read";
    permission java.util.PropertyPermission "java.security.krb5.realm", "read";
    permission java.util.PropertyPermission "java.security.krb5.conf", "read";
    // Write access: code holding this can change, for the whole JVM, whether
    // JGSS is limited to credentials held by the current Subject.
    permission java.util.PropertyPermission "javax.security.auth.useSubjectCredsOnly", "read,write";

    // Permission to communicate with the Kerberos KDC host
    // NOTE(review): no port is given, so this covers every port on the host.
    // Narrow it to host:port for the port your KDC listens on (Kerberos normally
    // uses 88). "accept" is presumably not needed toward a KDC - confirm, then
    // trim the actions to "connect,resolve".
    permission java.net.SocketPermission "kdc.ibm.com", "connect,accept,resolve";

    // I run the samples from my localhost
    // NOTE(review): same all-ports scope on both entries; "listen" without a port
    // lets the code bind any local port. Once the sample server's port is fixed,
    // use "localhost:<sample-server-port>" (placeholder) instead.
    permission java.net.SocketPermission "myhost.ibm.com", "accept,connect,resolve";
    permission java.net.SocketPermission "localhost", "listen,accept,connect,resolve";

    // Access to some possible Kerberos config locations
    // Modify the file paths as applicable to your environment
    permission java.io.FilePermission "${user.home}/krb5.ini", "read";
    permission java.io.FilePermission "${java.home}/lib/security/krb5.conf", "read";

    // Access to the Kerberos key table so we can get our server key.
    // NOTE(review): the key table holds the service's long-term keys, and only
    // the accepting (server) side needs it. If client and server code are ever
    // deployed from separate code bases, move this entry to the server's grant,
    // and restrict the file's OS-level permissions as well.
    permission java.io.FilePermission "/QIBM/UserData/OS400/NetworkAuthentication/keytab/krb5.keytab", "read";

    // Access to the user's Kerberos credentials cache.
    // Read-only. The cache holds the user's tickets, so presumably only the
    // initiating (client) side needs this entry - confirm.
    permission java.io.FilePermission "${user.home}/krb5cc_${user.name}", "read";
};