<html>
  <head>
    <meta content="text/html; charset=utf-8" http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    <div class="moz-cite-prefix">On 7/12/2016 22:31, Sean Mullan wrote:<br>
    </div>
    <blockquote cite="mid:5784FF3B.9060804@oracle.com" type="cite">Did
      you try to grant less than AllPermission to these modules?
      <br>
    </blockquote>
    <br>
    Ah yes, below are the exact permissions needed to run the
    sun/security/krb5/auto/BasicProc.java test. Some of them will also
    need to be granted to the application. For use outside this test,
    the names in the SocketPermission, FilePermission,
    DelegationPermission and ServicePermission entries will need to be
    changed to "*", because the values shown are specific to the test's
    host, port, files and principals.<br>
    <br>
    These permissions are surely not enough for every scenario. For
    example, if the server-side rcache is enabled, a FilePermission with
    the "write" action will be needed. If SPNEGO is used, at least the
    permission to read the SPNEGO debug flag will be needed. There
    are other kinds of LoginModules that would need other permissions.<br>
    <br>
    <font size="-1"><tt>grant codeBase "jrt:/java.security.jgss" {</tt><tt><br>
      </tt><tt>        permission java.lang.RuntimePermission
        "accessClassInPackage.jdk.internal.misc";</tt><tt><br>
      </tt><tt>        permission java.lang.RuntimePermission
        "accessClassInPackage.sun.security.util";</tt><tt><br>
      </tt><tt>        permission java.lang.RuntimePermission
        "accessClassInPackage.sun.security.action";</tt><tt><br>
      </tt><tt>        permission java.lang.RuntimePermission
        "accessClassInPackage.sun.security.ssl";</tt><tt><br>
      </tt><tt>        permission java.util.PropertyPermission
        "sun.security.krb5.debug", "read";</tt><tt><br>
      </tt><tt>        permission java.util.PropertyPermission
        "java.security.krb5.kdc", "read";</tt><tt><br>
      </tt><tt>        permission java.util.PropertyPermission
        "java.security.krb5.realm", "read";</tt><tt><br>
      </tt><tt>        permission java.util.PropertyPermission
        "java.security.krb5.conf", "read";</tt><tt><br>
      </tt><tt>        permission java.util.PropertyPermission
        "sun.security.jgss.mechanism", "read";</tt><tt><br>
      </tt><tt>        permission java.util.PropertyPermission
        "sun.security.krb5.msinterop.kstring", "read";</tt><tt><br>
      </tt><tt>        permission java.util.PropertyPermission
        "sun.security.jgss.debug", "read";</tt><tt><br>
      </tt><tt>        permission java.util.PropertyPermission
        "javax.security.auth.useSubjectCredsOnly", "read";</tt><tt><br>
      </tt><tt>        permission java.util.PropertyPermission
        "sun.security.krb5.rcache", "read";</tt><tt><br>
      </tt><tt>        permission java.util.PropertyPermission
        "sun.security.krb5.acceptor.subkey", "read";</tt><tt><br>
      </tt><tt>        // Config#loadConfigFile</tt><tt><br>
      </tt><tt>        permission java.util.PropertyPermission
        "user.dir", "read";</tt><tt><br>
      </tt><tt>        // Connecting to KDC (could be UDP)</tt><tt><br>
      </tt><tt>        permission java.net.SocketPermission "127.0.0.1:14234",
        "accept,connect,resolve";</tt><tt><br>
      </tt><tt>        permission java.io.FilePermission "krb5.conf",
        "read";</tt><tt><br>
      </tt><tt>        permission java.security.SecurityPermission
        "getProperty.krb5.kdc.bad.policy";</tt><tt><br>
      </tt><tt>        permission java.lang.RuntimePermission
        "accessDeclaredMembers";</tt><tt><br>
      </tt><tt>        permission java.lang.reflect.ReflectPermission
        "suppressAccessChecks";</tt><tt><br>
      </tt><tt>        permission java.util.PropertyPermission
        "sun.security.krb5.autodeducerealm", "read";</tt><tt><br>
      </tt><tt>        permission java.security.SecurityPermission
        "putProviderProperty.SunJGSS";</tt><tt><br>
      </tt><tt>        permission java.security.SecurityPermission
        "clearProviderProperties.SunJGSS";</tt><tt><br>
      </tt><tt>        permission java.security.SecurityPermission
        "removeProviderProperty.SunJGSS";</tt><tt><br>
      </tt><tt>        permission javax.security.auth.AuthPermission
        "getSubject";</tt><tt><br>
      </tt><tt>        permission javax.security.auth.AuthPermission
        "modifyPrivateCredentials";</tt><tt><br>
      </tt><tt>        permission
        javax.security.auth.PrivateCredentialPermission
        "javax.security.auth.kerberos.KeyTab * \"*\"", "read";</tt><tt><br>
      </tt><tt>        permission
        javax.security.auth.PrivateCredentialPermission
        "javax.security.auth.kerberos.KerberosTicket * \"*\"", "read";</tt><tt><br>
      </tt><tt>        permission
        javax.security.auth.PrivateCredentialPermission
        "javax.security.auth.kerberos.KerberosKey * \"*\"", "read";    </tt><tt><br>
      </tt><tt>        permission
        javax.security.auth.kerberos.ServicePermission
        "server/localhost@REALM", "accept";</tt><tt><br>
      </tt><tt>        permission
        javax.security.auth.kerberos.ServicePermission
        "backend/localhost@REALM", "accept";</tt><tt><br>
      </tt><tt>        permission
        javax.security.auth.kerberos.ServicePermission
        "krbtgt/REALM@REALM", "initiate";</tt><tt><br>
      </tt><tt>        permission
        javax.security.auth.kerberos.ServicePermission
        "server/localhost@REALM", "initiate";</tt><tt><br>
      </tt><tt>        permission
        javax.security.auth.kerberos.DelegationPermission
        "\"server/localhost@REALM\" \"krbtgt/REALM@REALM\"";</tt><tt><br>
      </tt><tt>        permission java.io.FilePermission
        "C:\\cygwin\\home\\ww155710\\tmp\\RR1\\W\\scratch\\ktab",
        "read";</tt><tt><br>
      </tt><tt>        permission
        javax.security.auth.kerberos.ServicePermission
        "backend/localhost@REALM", "accept";</tt><tt><br>
      </tt><tt>        permission
        javax.security.auth.kerberos.ServicePermission
        "backend/localhost@REALM", "initiate";</tt><tt><br>
      </tt><tt>};</tt><tt><br>
      </tt><tt><br>
      </tt><tt>grant codeBase "jrt:/jdk.security.jgss" {</tt><tt><br>
      </tt><tt>        permission java.lang.RuntimePermission
        "accessClassInPackage.sun.security.jgss";        </tt><tt><br>
      </tt><tt>        permission
        com.sun.security.jgss.InquireSecContextPermission "*";</tt><tt><br>
      </tt><tt>};</tt><tt><br>
      </tt><tt>grant codeBase "jrt:/jdk.security.auth" {</tt><tt><br>
      </tt><tt>        permission javax.security.auth.AuthPermission
        "modifyPrivateCredentials";</tt><tt><br>
      </tt><tt>        permission javax.security.auth.AuthPermission
        "modifyPrincipals";</tt><tt><br>
      </tt><tt>        permission java.util.PropertyPermission
        "sun.security.krb5.principal", "read";</tt><tt><br>
      </tt><tt>        permission java.lang.RuntimePermission
        "accessClassInPackage.sun.security.krb5";</tt><tt><br>
      </tt><tt>        permission java.lang.RuntimePermission
        "accessClassInPackage.sun.security.jgss.krb5";</tt><tt><br>
      </tt><tt>        permission java.lang.RuntimePermission
        "accessClassInPackage.sun.security.krb5.internal.ktab";</tt><tt><br>
      </tt><tt>        // resource bundle</tt><tt><br>
      </tt><tt>        permission java.lang.RuntimePermission
        "accessClassInPackage.sun.security.util";</tt><tt><br>
      </tt><tt>        permission java.lang.RuntimePermission
        "getClassLoader";</tt><tt><br>
      </tt></font><tt><font size="-1">};</font><br>
      <br>
    </tt>Thanks<br>
    Max<tt><br>
    </tt>
  </body>
</html>