Using a Java policy file to control access to protected resources
By default, a BIRT design cannot obtain permission to perform a potentially unsafe operation, such as opening an internet connection. If the administrator needs to further restrict operations a BIRT design has permission to perform, the administrator can implement restrictions using a Java policy file. A volume implements a java.security.Policy object. The Policy object obtains permission information from a Java policy file. This section describes how to use a policy file.
If the administrator wants to keep a set of restrictions in place, but the design developer needs to work around a restriction, the developer can implement a Java-based event handler, which the administrator can place in a .jar file in the AC_SERVER_HOME\resources folder. BIRT iHub places no restriction on the actions a program residing in AC_SERVER_HOME\resources may perform. As an example, if a report developer wants to create a BIRT design that obtains customer-specific information from a public entity, the developer can create an event handler that calls an application that obtains the customer information. The administrator places the event handler in AC_SERVER_HOME\resources. When the BIRT design needs to load the customer information, the design calls the event handler, which in turn calls the application that retrieves the customer information.
This section refers to the AC_CONFIG_HOME variable, which represents the shared configuration directory that all nodes in a cluster access. In a default BIRT iHub installation on Windows, performed using the installer, in which the install folder is C:\Actuate, AC_CONFIG_HOME represents the following path:
C:\Actuate\BIRTiHubVisualization\modules\BIRTiHub\iHub\shared\config
In a cluster consisting of two or more nodes, AC_CONFIG_HOME represents the shared configuration directory the system administrator created before adding the second node to a cluster.
How to create and enable a policy file
1 In System Console—Clusters, edit the cluster. Then, from the Manage Cluster menu, choose Stop Cluster to stop the cluster. Wait until all services stop before going to the next step.
2 Using Windows Explorer, navigate to AC_CONFIG_HOME.
3 Open acserverconfig.xml in a text editor.
4 Edit each <ServerResourceGroupSetting> element, adding the -Djavaserver.security argument to the StartArguments attribute definition, as shown in the following code sample:
StartArguments="-Djavaserver.security -Xmx512M
-XX:MaxPermSize=256m -XX:-UsePerfData
-Djava.awt.headless=true
-Djava.protocol.handler.pkgs=com.actuate.javaserver.protocol com.actuate.javaserver.Server"
The following example shows the <ServerResourceGroupSetting> element for the Default BIRT Online resource group in the small template after adding the -Djavaserver.security argument to the StartArguments attribute definition:
<ServerResourceGroupSetting
    Name="Default BIRT Online"
    Activate="TRUE"
    MinFactory="1"
    StartArguments="-Djavaserver.security -Xmx512M
        -XX:MaxPermSize=256m -XX:-UsePerfData
        -Djava.awt.headless=true
        -Djava.net.preferIPv4Stack=true
        -Djava.protocol.handler.pkgs=com.actuate.javaserver.protocol
        com.actuate.javaserver.Server"/>
Save and exit acserverconfig.xml.
5 In AC_CONFIG_HOME, create a new file named javaserver.policy. You can create this file manually, or use the Policy Tool utility to create the file. Launch the Policy Tool by executing AC_JAVA_HOME\bin\policytool.exe in a command prompt. In a default BIRT iHub installation on Windows, performed using the installer, in which the install folder is C:\Actuate, AC_JAVA_HOME represents the following path:
C:\Actuate\BIRTiHubVisualization\modules\JDK64
Instructions for using the Policy Tool utility can be found at the following location:
http://docs.oracle.com/javase/7/docs/technotes/guides/security/PolicyGuide.html
Listing 5‑5 shows example policy file content:
Listing 5‑5 Viewing example policy file content
grant codeBase "file:/${AC_SERVER_HOME}/Jar/-" {
    permission java.security.AllPermission;
};
grant codeBase "file:/${AC_SERVER_HOME}/MyClasses/-" {
    permission java.security.AllPermission;
};
grant codeBase "file:/${AC_SERVER_HOME}/drivers/-" {
    permission java.security.AllPermission;
};
grant codeBase "file:/${AC_SERVER_HOME}/oda/-" {
    permission java.security.AllPermission;
};
grant codeBase "file:/${AC_SERVER_HOME}/reportengines/-" {
    permission java.security.AllPermission;
};
6 Using Windows Explorer, navigate to AC_JRE_HOME\lib\security. In a default BIRT iHub installation on Windows, performed using the installer, in which the install folder is C:\Actuate, AC_JRE_HOME represents the following path:
C:\Actuate\BIRTiHubVisualization\modules\JDK64\jre
Create a copy of the java.security file, then open java.security using a text editor.
7 Search for policy.url. By default, java.security contains two policy.url.n properties, where n is a number, as shown in Listing 5‑6.
Listing 5‑6 Viewing policy.url.n properties in java.security
# The default is to have a single system-wide policy file,
# and a policy file in the user's home directory.
policy.url.1=file:${java.home}/lib/security/java.policy
policy.url.2=file:${user.home}/.java.policy
Add another policy.url.n property, specifying the location of javaserver.policy, as shown in the example in Listing 5‑7.
Listing 5‑7 Specifying the location of javaserver.policy in java.security
# The default is to have a single system-wide policy file,
# and a policy file in the user's home directory.
policy.url.1=file:${java.home}/lib/security/java.policy
policy.url.2=file:${user.home}/.java.policy
policy.url.3=file:C:/Actuate/BIRTiHubVisualization/modules/BIRTiHub/iHub/shared/config/javaserver.policy
Save and exit java.security.
8 In System Console—Clusters, edit the cluster. Then, from the Manage Cluster menu, choose Start Cluster to start the cluster.
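A check to run on the two edited files before restarting the cluster, added here as an example and not part of the product documentation. The JVM reads policy.url.n entries starting at 1 and stops at the first missing number, so a misnumbered entry for javaserver.policy is silently ignored; the second function lists the code bases that a policy file such as Listing 5‑5 leaves unrestricted. The function names, the sample inputs, and the "example" code base and host are assumptions made for illustration.

```python
import re

# A quoted string or a comment; strings are kept so "/*" inside a path survives.
_STR_OR_COMMENT = re.compile(r'"[^"]*"|/\*.*?\*/|//[^\n]*', re.S)
# Quote-aware, so the braces in "${AC_SERVER_HOME}" do not end a grant early.
_GRANT = re.compile(r'\bgrant\b((?:"[^"]*"|[^{"])*)\{((?:"[^"]*"|[^}"])*)\}\s*;', re.I)
_CODEBASE = re.compile(r'\bcodeBase\s+"([^"]*)"', re.I)
_PERM = re.compile(r'\bpermission\s+([\w.$]+)', re.I)
_URL = re.compile(r'^[ \t]*policy\.url\.(\d+)[ \t]*[=:][ \t]*(\S+)', re.M)

def loaded_policy_urls(java_security):
    """Return (loaded, ignored): reading starts at policy.url.1 and stops at the first gap."""
    props = {int(n): url for n, url in _URL.findall(java_security)}
    loaded, n = [], 1
    while n in props:
        loaded.append(props[n])
        n += 1
    return loaded, [url for k, url in sorted(props.items()) if k > n]

def all_permission_grants(policy_text):
    """Return the codeBase of each grant holding AllPermission (None: no codeBase given)."""
    keep_strings = lambda m: m.group(0) if m.group(0).startswith('"') else ""
    hits = []
    for header, body in _GRANT.findall(_STR_OR_COMMENT.sub(keep_strings, policy_text)):
        if "java.security.AllPermission" in _PERM.findall(body):
            cb = _CODEBASE.search(header)
            hits.append(cb.group(1) if cb else None)
    return hits

# Constructed input: Listing 5-7 with the new entry misnumbered 4 instead of 3.
JAVA_SECURITY_GAP = """\
policy.url.1=file:${java.home}/lib/security/java.policy
policy.url.2=file:${user.home}/.java.policy
policy.url.4=file:C:/Actuate/BIRTiHubVisualization/modules/BIRTiHub/iHub/shared/config/javaserver.policy
"""
# Constructed input: one grant from Listing 5-5 and one hypothetical narrower grant.
POLICY = """\
grant codeBase "file:/${AC_SERVER_HOME}/Jar/-" {
    permission java.security.AllPermission;
};
// hypothetical code base and host, shown for contrast
grant codeBase "file:/${AC_SERVER_HOME}/example/-" {
    permission java.net.SocketPermission "data.example.org:443", "connect,resolve";
    permission java.io.FilePermission "${AC_SERVER_HOME}/data/*", "read";
};
"""

if __name__ == "__main__":
    print(loaded_policy_urls(JAVA_SECURITY_GAP), all_permission_grants(POLICY))
```

Every code base the second function returns runs unrestricted under the policy, so the folders behind those code bases need the same write protection as AC_SERVER_HOME\resources.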