Configuring Minimal File Access Permissions

This topic includes information about configuring file permissions in relation to Oxygen XML Web Author.

The Oxygen XML Web Author requires access to the following file resources:
  • READ access to the directory where the Oxygen XML Web Author is deployed.
  • READ and WRITE access to the application's working directory.
  • READ and WRITE access to the JVM's temporary directory.
It is good security practice to allow a component to access only the information and resources that are necessary for its purpose. In an environment that uses Apache Tomcat, you can enforce these rules by following these steps:
  • Start the Apache Tomcat server using the -security flag.

  • Edit the catalina.policy file and add the following snippet:

grant codeBase "file:${catalina.base}/webapps/oxygen-webapp/-" {
  // Oxygen uses System properties for various configuration purposes.
  permission java.util.PropertyPermission "*", "read,write";
  // Oxygen custom protocols need access to network.
  permission "*";
  permission java.net.SocketPermission "*", "accept,connect,listen,resolve";
  // The web framework used by Oxygen Webapp uses reflection and classloaders.
  permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
  permission "*";
  permission java.util.logging.LoggingPermission "control";
  permission java.lang.RuntimePermission "*";

  // Oxygen requires these permissions to connect to a URL.
  permission java.net.URLPermission "http:*", "*";
  permission java.net.URLPermission "https:*", "*";
  permission java.net.URLPermission "file:*", "*";

  // Oxygen should be allowed to read JVM jars
  permission java.io.FilePermission "${java.home}/-", "read";
  // Oxygen uses the JVM's for various file handling tasks.
  permission java.io.FilePermission "${}/-", "read,write,delete";
  permission java.io.FilePermission "${}", "read,write,delete";

  // Folder used by oXygen to deploy the plugins to.
  permission java.io.FilePermission "${}/-", "read,write,delete";
  permission java.io.FilePermission "${}", "read,write,delete";
// The jar that contains sandboxing code.
grant codeBase 
  "jar:file:${catalina.base}/oxygen-webapp/WEB-INF/lib/oxygen-sandbox.jar!/-" {
// Give all permissions to plugins code unless otherwise instructed by vendor.
grant codeBase "file:${}/plugins-v18.0.1/-" {
// Give all permissions to frameworks code unless otherwise instructed by vendor
grant codeBase "file:${}/frameworks-v18.0.1/-" {
Note: In the previous example, in the first line, replace oxygen-webapp with the name of your deployment of the Oxygen XML Web Author.

Configuring File Permissions to Custom Locations

There are cases when the Oxygen XML Web Author needs to access file system resources, but for security reasons, you want to prevent your users from opening them directly in the Oxygen XML Web Author editing page using the file:// protocol.

You can do this by following these steps:
  • Edit the catalina.policy file and add a line such as:
    permission java.io.FilePermission "path/to/yourSecretDir/-", "read,write,delete";
    permission java.io.FilePermission "path/to/yourSecretDir", "read,write,delete";
  • Use the following system property when starting the Tomcat server:
    Note: Use the value of the path.separator system property to separate multiple directories. For example, under Linux, the value of the path.separator property is a colon (:).
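
The following is an added example, not part of the Oxygen documentation: a simplified model of java.io.FilePermission path matching that shows why the steps above grant both the directory and its "/-" form, and that audits a policy for unexpected file access. The sample policy, the /srv and /opt paths, and all function names are constructed for illustration; property references such as ${catalina.base} inside path names are not expanded.

```python
import re

# Constructed sample policy; /srv/yourSecretDir and /opt/tomcat are placeholder paths.
SAMPLE_POLICY = '''
grant codeBase "file:${catalina.base}/webapps/oxygen-webapp/-" {
  permission java.io.FilePermission "/opt/tomcat/webapps/oxygen-webapp/-", "read";
  permission java.io.FilePermission "/srv/yourSecretDir/-", "read,write,delete";
  permission java.io.FilePermission "/srv/yourSecretDir", "read,write,delete";
};
'''

GRANT_RE = re.compile(r'grant\s+codeBase\s+"([^"]*)"\s*\{(.*?)\}\s*;', re.S)
FILE_RE = re.compile(
    r'permission\s+java\.io\.FilePermission\s+"([^"]+)"\s*,\s*"([^"]+)"\s*;')

def parse_file_permissions(policy_text):
    """Return {codeBase: [(path_pattern, {actions}), ...]} for FilePermission entries."""
    grants = {}
    for codebase, body in GRANT_RE.findall(policy_text):
        entries = grants.setdefault(codebase, [])
        for pattern, actions in FILE_RE.findall(body):
            entries.append((pattern, {a.strip() for a in actions.split(",")}))
    return grants

def pattern_covers(pattern, path):
    """Simplified FilePermission name matching on absolute POSIX paths."""
    if pattern == "<<ALL FILES>>":
        return True
    if pattern.endswith("/-"):   # everything below the directory, recursively
        base = pattern[:-1]
        return path.startswith(base) and len(path) > len(base)
    if pattern.endswith("/*"):   # direct children only
        base = pattern[:-1]
        rest = path[len(base):]
        return path.startswith(base) and rest != "" and "/" not in rest
    return path == pattern       # exact name: the directory or file itself

def is_allowed(entries, path, action):
    """True if any entry grants `action` on `path`."""
    return any(action in acts and pattern_covers(p, path) for p, acts in entries)

def audit(policy_text, codebase, checks):
    """checks: iterable of (path, action); returns the pairs the policy denies."""
    entries = parse_file_permissions(policy_text).get(codebase, [])
    return [(p, a) for p, a in checks if not is_allowed(entries, p, a)]
```

Run audit() with the accesses the application is expected to need and confirm the result is empty, then with paths it must never reach and confirm each one is returned as denied.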