The Wrapper makes it possible to start, stop, interrogate, and perform other
operations on any service on a system by sending the appropriate control
codes. This can be very powerful, but if used incorrectly it can also open
up some severe security problems on a server. For this reason, access to
the WrapperManager.sendServiceControlCode(...) method is disabled by default.
Using it requires that a SecurityManager be installed in the JVM
and that specific permissions be granted.
The simplest way to set up a security manager in your JVM is to add the
following properties to your wrapper.conf file:
Example:

    wrapper.java.additional.1=-Djava.security.manager
    wrapper.java.additional.2=-Djava.security.policy=../conf/java.policy

The first system property, java.security.manager, tells Java that a security
manager should be created when the JVM is created.
The second system property gives the location of a file that describes
the permissions that should be granted within your application.
Be aware that setting a security manager will likely cause many things
in your application to start failing with security errors. You will need to
go in and grant the appropriate permissions for your application. See the following
Sun tutorial for more information on security managers:
http://java.sun.com/docs/books/tutorial/security/tour2/index.html
The policy file is a simple text file.
Example:

    // Give Wrapper classes full permissions
    grant codeBase "file:../lib/wrapper.jar" {
        permission java.security.AllPermission;
    };
    // Grant various permissions to a specific service.
    grant codeBase "file:../lib/-" {
        permission org.tanukisoftware.wrapper.security.WrapperServicePermission
            "myservice", "interrogate,start,stop";
    };

The first block lets the classes in wrapper.jar do anything. This is
advised because the Wrapper needs to be able to launch your entire
application, meaning that anything your application does originates
from the Wrapper.
The second block means that any other classes in jars in your lib
directory are able to make calls to interrogate, start, and stop the
"myservice" service via the Wrapper. If this block is not there, the
calls will result in SecurityExceptions being thrown.
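
A policy file like the one above can be checked before deployment for grants that expose sendServiceControlCode more widely than intended. The following Python script is an added example, not part of the Wrapper or its documentation; it assumes only the grant/codeBase/permission syntax shown on this page (no signedBy or principal clauses, whole-line // comments only), and the third block of SAMPLE_POLICY is constructed for illustration.

```python
import re

WSP = "org.tanukisoftware.wrapper.security.WrapperServicePermission"
# Quoted strings are matched as units so braces inside them do not end a block.
GRANT_RE = re.compile(r'\bgrant\b((?:[^{"]|"[^"]*")*)\{((?:[^}"]|"[^"]*")*)\}\s*;')
PERM_RE = re.compile(r'permission\s+([\w.$]+)((?:\s*,?\s*"[^"]*")*)\s*;')

# Constructed sample: the two grant blocks from this page plus one broad grant.
SAMPLE_POLICY = '''
// Give Wrapper classes full permissions
grant codeBase "file:../lib/wrapper.jar" {
    permission java.security.AllPermission;
};
grant codeBase "file:../lib/-" {
    permission org.tanukisoftware.wrapper.security.WrapperServicePermission
        "myservice", "interrogate,start,stop";
};
grant {
    permission java.security.AllPermission;
};
'''

def parse_policy(text):
    """Return one (codeBase or None, [(permission class, [quoted args])]) per grant."""
    # Drop whole-line // comments only; "//" and "/*" also occur inside file: URLs.
    text = re.sub(r'(?m)^\s*//.*$', '', text)
    blocks = []
    for head, body in GRANT_RE.findall(text):
        m = re.search(r'codeBase\s+"([^"]*)"', head)
        perms = [(cls, re.findall(r'"([^"]*)"', args))
                 for cls, args in PERM_RE.findall(body)]
        blocks.append((m.group(1) if m else None, perms))
    return blocks

def audit(text):
    """Return (grants, warnings) describing who may send service control codes."""
    grants, warnings = [], []
    for code_base, perms in parse_policy(text):
        # No codeBase means all code; a trailing /- or /* covers a whole directory.
        broad = code_base is None or code_base.endswith(("/-", "/*"))
        for cls, args in perms:
            if cls == "java.security.AllPermission" and broad:
                warnings.append("AllPermission (implies every service control "
                                f"code) granted to {code_base or 'all code'}")
            elif cls == WSP and len(args) == 2:
                actions = sorted(a.strip() for a in args[1].split(","))
                grants.append((code_base, args[0], actions))
                if code_base is None:
                    warnings.append(f"{args[0]}: {actions} granted to all code")
    return grants, warnings

if __name__ == "__main__":
    print(audit(SAMPLE_POLICY))
```

The grants list shows which codeBase can send which control codes to which service; the warnings list names blocks where AllPermission reaches beyond a single jar, since AllPermission implies WrapperServicePermission for every service.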