Appendix B. JEUS Server Permissions

Table of Contents

B.1. Overview
B.2. JEUS System Resource Name
B.3. jeusadmin Command Permission Configurations

This appendix describes the standard Permission resource names and resource actions.

B.1. Overview

This appendix lists the standard Permission resource names and resource actions. They are used by various JEUS sub-modules (JNDI, JMS, manager, security, etc.) to check for authority to access the resources. The java.security.Permission type related to the resource Permission check is always jeus.security.resource.ResourcePermission, and the context id is always “default”.

Authorization is always performed by combining the resource name with the resource action. In general, the resource name is the name of the target resource, and the resource action is the action that will be performed on the target. If the authorization configurations do not seem to be properly configured, check DAS or the server logs and add the proper permissions.

B.2. JEUS System Resource Name

This section only describes the major resource names that are provided in the default JEUS security system.

Resource name, then description:

jeus.*

Can access all resource names in the JEUS system.

jeus.server.<server-name>.*

Can access all resource names of a particular server in the JEUS system. When the default security system is used, the server checks the following permissions, grouped by resource action:

  • boot: When starting the server.

  • down: When terminating the server.

  • deploy: When deploying applications to the server.

  • ftp: When using ftp for file transfer.

jeus.server.<server-name>.app.<application-name>

The resource name for a particular application of a specific server in the JEUS system.

jeus.cluster.<cluster-name>.*

Can access all the resource names of a specific cluster of the JEUS system.

jeus.domain.<domain-name>

The resource name for permission to dynamically modify the configurations in the JEUS system. The domain specified here is the JEUS system domain, not the security domain.

Grouped according to the following resource actions:

  • dynamicConfiguration: When dynamically changing the domain configurations using WebAdmin or jeusadmin.

jeus.jndi

The resource name for JNDI operation permission of the JEUS system.

Grouped according to the following resource actions:

  • lookup: When trying to look up an object using JNDI.

  • modify: When adding/deleting/changing a JNDI repository object such as bind/unbind/rename.

  • list: When retrieving the list of objects that are stored in the JNDI repository.

jeus.node.<node-name>

The resource name of a certain node in the JEUS system. It is used to add/delete/install/uninstall a node. For more information about nodes, refer to "JEUS Server Guide" or "JEUS Node Manager Guide".

Grouped according to the following resource actions:

  • edit: When adding or deleting a node.

  • install: When installing JEUS on the node.

  • uninstall: When uninstalling JEUS on the node.

B.3. jeusadmin Command Permission Configurations

Based on the default security system, permissions can be set per jeusadmin command.

When permissions are set per jeusadmin command, only the permission for the command is checked, and other internal permissions are ignored.

The resource name of a command permission depends on the command option. For the server, servers, cluster, clusters, and node options, the resource names explained earlier are used. For other options, jeus.domain.<domain-name> is used as the resource name.

The resource action of a command permission is the command name, not a command alias. Use the actual command name, which can be checked with the help <command-name> command. For more information about commands, refer to JEUS Reference Book, Part II, "Console Commands and Tools".

The following is an example that gives the administrator permission to user1, and the permission to perform deploy on server2 to user2. Since only the permission for server2 will be granted to user2, the resource name is set to "jeus.server.server2.*". The resource action is set to "deploy-application", which is the actual deployment command name in jeusadmin.

[Example B.1] Security System Policy Configuration: <<policies.xml>>

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<policies xmlns="http://www.tmaxsoft.com/xml/ns/jeus">
    <policy>
        <role-permissions>
            <role-permission>
                <principal>user1</principal>
                <role>adminRole</role>
            </role-permission>
            <role-permission>
                <principal>user2</principal>
                <role>server2DeployRole</role>
            </role-permission>
        </role-permissions>
        <resource-permissions>
            <context-id>default</context-id>
            <resource-permission>
                <role>adminRole</role>
                <resource>jeus.*</resource>
                <actions>*</actions>
            </resource-permission>
            <resource-permission>
                <role>server2DeployRole</role>
                <resource>jeus.server.server2.*</resource>
                <actions>deploy-application</actions>
            </resource-permission>
        </resource-permissions>
    </policy>
</policies>
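
The following is an added example, not part of the JEUS documentation: a Python audit that joins role-permissions to resource-permissions in a policies.xml like Example B.1 and lists what each principal is granted, flagging the "jeus.*" / "*" administrator grant and any context id other than "default". The function names and the compacted sample input are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"j": "http://www.tmaxsoft.com/xml/ns/jeus"}

# Constructed input: the grants from Example B.1, compacted onto fewer lines.
SAMPLE = """<policies xmlns="http://www.tmaxsoft.com/xml/ns/jeus"><policy>
 <role-permissions>
  <role-permission><principal>user1</principal><role>adminRole</role></role-permission>
  <role-permission><principal>user2</principal><role>server2DeployRole</role></role-permission>
 </role-permissions>
 <resource-permissions><context-id>default</context-id>
  <resource-permission><role>adminRole</role>
   <resource>jeus.*</resource><actions>*</actions></resource-permission>
  <resource-permission><role>server2DeployRole</role>
   <resource>jeus.server.server2.*</resource>
   <actions>deploy-application</actions></resource-permission>
 </resource-permissions></policy></policies>"""

def text(elem, tag):
    """Trimmed text of a namespaced child element ('' when absent)."""
    return (elem.findtext("j:" + tag, "", NS) or "").strip()

def effective_grants(xml_text):
    """Join role-permissions to resource-permissions, one tuple per principal."""
    grants = []
    for policy in ET.fromstring(xml_text).findall("j:policy", NS):
        members = {}  # role name -> principals holding it
        for rp in policy.findall("j:role-permissions/j:role-permission", NS):
            names = [p.text.strip() for p in rp.findall("j:principal", NS) if p.text]
            members.setdefault(text(rp, "role"), []).extend(names)
        for block in policy.findall("j:resource-permissions", NS):
            ctx = text(block, "context-id")
            for perm in block.findall("j:resource-permission", NS):
                role = text(perm, "role")
                for who in members.get(role, []):
                    grants.append((who, role, text(perm, "resource"),
                                   text(perm, "actions"), ctx))
    return sorted(grants)

def review(grants):
    """Return (principal, note) pairs for grants that deserve a second look."""
    notes = []
    for who, role, resource, actions, ctx in grants:
        if ctx != "default":  # the appendix states the context id is always "default"
            notes.append((who, f"{role}: context-id '{ctx}' is not 'default'"))
        if resource == "jeus.*" and actions == "*":
            notes.append((who, f"{role}: every action on every JEUS resource"))
    return notes
```

To audit a real file, pass its contents to effective_grants() and print the tuples next to the output of review().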