i hope this is the correct place to put this, my apologies if not but then i would appreciate to be directed to the correct forum.
I am working on a JACC implementation for a company security framework, after finishing the implementation i tried to do some test runs using glassfish as application server. Here i encountered two things that puzzle me and i hope someone can give me a clue about it.
First of when putting my own JACC implementation in place the server failed to start up due to setPolicy-permission not being granted by the server.policy file. The weird thing is that the default JACC implementation provided by glassfish did not cause those errors even with the security manager enabled. Does that simply mean that the default implementation does not bother about the setPolicy-permission or is there something else bugged with my setup?
The second question concerns the default policies granted to all codebases by the server.policy file. Those include FilePermission <<ALL FILES>> read,write. Doesn't that mean that any application running in the appserver can read and write to any file the VM has access to? I am sure there are very good reasons for putting that permission there, i am just a bit worried because it looks like serious security hole to me. Does anyone know why it is okay to put that permission there? Doesn't it allow an application e.g. to read and modify the server.policy file itself and thus adding additional statements there?
Edit: Of course i forgot to add the most important information, the version i am using: Sun Java System Application Server Platform Edition 9.0 update 1
I'm thinking of the complexity of writing a custom JACC provider for Glassfish 9. May you recommend some article/blog/example/reading to get an idea?
I have just downloaded the JSR and I'm a bit overwhelmed.
Thanks in advance.