Java permission reference

You're viewing Apigee Edge documentation.
Go to the Apigee X documentation.

What you need to know about Java permission policies

If you are developing Java Callout policies, you need to know which permission policies are in effect in the Edge JVM and how they will affect your code. For example, your custom Java code does not have unlimited access to the file system. However, in the case of file system access, you can read certain files, such as policy resource files. But most other file system access is blocked. This topic lists all of JDK permission types and their respective targets or actions. For each target or action, we specify the permission policy and any exceptions that you need to know about.

To learn more about the JDK permission types and what each permission allows, see Permissions in the Java Development Kit (JDK).

Enabling security restrictions

In Edge for Private Cloud, the security restrictions are disabled by default. This means that your custom Java callout code can access all resources without restrictions. To enable security restrictions in your Edge for Private Cloud installation, follow the procedure below:

  1. On the first Message Processor node, open the file $APIGEE_ROOT/customer/application/ in an editor. If the file doesn't exist, create it.
  2. Add the following line to the file:
  3. Save the file and ensure the file is owned by the apigee user:
    chown apigee:apigee $APIGEE_ROOT/customer/application/
  4. Restart the Message Processor:
    apigee-service message-processor restart
  5. Repeat these steps on all remaining Message Processors.
Permission Type Target or Action Name Permission Granted
accessClipboard NO
accessEventQueue NO
accessSystemTray NO
createRobot NO
fullScreenExclusive NO
listenToAllAWTEvents NO
readDisplayPixels NO
replaceKeyboardFocusManager NO
setAppletStub NO
setWindowsAlwaysOnTop NO
showWindowWithoutWarningBanner NO
toolkitModality NO
watchMousePointer NO

A represents access to a file or directory. A FilePermission consists of a pathname and a set of actions valid for that pathname.
read YES but restrictions apply. See Restrictions.
write NO
execute NO
delete NO
readLink YES

A SerializablePermission contains a name (also referred to as a "target name") but no actions list; you either have the named permission or you don't.
enableSubclassImplementation YES
enableSubstitution NO

Methods defined in the management interface for the Java platform
control NO
monitor NO

For reflective operations. A ReflectPermission is a named permission and has no actions
suppressAccessChecks NO
newProxyInPackage.{package name} NO

Contains a name (also referred to as a "target name") but no actions list; you either have the named permission or you don't.
createClassLoader NO
getClassLoader YES
setContextClassLoader YES
enableContextClassLoaderOverride YES
closeClassLoader NO
setSecurityManager NO
createSecurityManager NO
getenv.{variable name} NO
exitVM.{exit status} NO
shutdownHooks NO
setFactory NO
setIO NO
modifyThread YES
stopThread YES
modifyThreadGroup YES
getProtectionDomain YES
getFileSystemAttributes NO
readFileDescriptor YES
writeFileDescriptor NO
loadLibrary.{library name} NO
accessClassInPackage. {package name} YES
defineClassInPackage. {package name} NO
accessDeclaredMembers NO
queuePrintJob NO
getStackTrace NO
setDefaultUncaughtExceptionHandler NO
preferences NO
usePolicy NO

A NetPermission contains a name but no actions list; you either have the named permission or you don't.
setDefaultAuthenticator NO
requestPasswordAuthentication NO
specifyStreamHandler YES
setProxySelector NO
getProxySelector NO
setCookieHandler NO
getCookieHandler NO
setResponseCache NO
getResponseCache NO
getNetworkInformation NO

Represents access to a network via sockets. A SocketPermission consists of a host specification and a set of "actions" specifying ways to connect to that host.
host = (hostname | IPaddress)[:portrange]
portrange = portnumber | -portnumber | portnumber-[portnumber]

The possible ways to connect to the host are


The "listen" action is only meaningful when used with "localhost". The "resolve" (resolve host/ip name service lookups) action is implied when any of the other actions are present.
resolve YES

YES but restrictions apply. See Restrictions.

Apigee restricts access to sitelocal, anylocal, loopback, and linklocal addresses.


Represents permission to access a resource or set of resources defined by a given url, and for a given set of user-settable request methods and request headers. The name of the permission is the url string. The actions string is a concatenation of the request methods and headers. The range of method and header names is not restricted by this class.

The Permission class for link creation operations.
hard NO
symbolic NO

A SecurityPermission contains a name (also referred to as a "target name") but no actions list; you either have the named permission or you don't.
The target name is the name of a security configuration parameter (see below). Currently the SecurityPermission object is used to guard access to the Policy, Security, Provider, Signer, and Identity objects.
createAccessControlContext NO
getDomainCombiner NO
getPolicy NO
setPolicy NO
createPolicy.{policy type} NO
getProperty.{key} NO
setProperty.{key} NO
insertProvider NO
removeProvider.{provider name} NO
clearProviderProperties.{provider name} NO
putProviderProperty.{provider name} NO
removeProviderProperty.{provider name} NO
SQLPermission setLog NO
callAbort NO
setSyncFactory NO
setNetworkTimeout NO
deregisterDriver NO

A SecurityManager will check the java.util.logging.LoggingPermission object when code running with a SecurityManager calls one of the logging control methods (such as Logger.setLevel).
control NO
The name is the name of the property ("java.home", "", etc). The naming convention follows the hierarchical property naming convention. Also, an asterisk may appear at the end of the name, following a ".", or by itself, to signify a wildcard match. For example: "java.*" or "*" is valid, "*java" or "a*b" is not valid.

The actions to be granted are passed to the constructor in a string containing a list of zero or more comma-separated keywords.
read YES
write NO
publishEndpoint NO
javax.xml.bind.JAXBPermission setDatatypeConverter NO

Access rights to the audio system resources.
play NO
record NO

Protect access to private Credentials belonging to a particular Subject. The Subject is represented by a Set of Principals. The target name of this Permission specifies a Credential class name, and a Set of Principals. The only valid value for this Permission's actions is, "read".
CredentialClass {PrincipalClass "PrincipalName"}* NO

Protect Kerberos services and the credentials necessary to access those services.
initiate NO
accept NO

Used to restrict the usage of the Kerberos delegation model; ie, forwardable and proxiable tickets.

The target name of this Permission specifies a pair of kerberos service principals. The first is the subordinate service principal being entrusted to use the Ticket Granting Ticket (TGT). The second service principal designates the target service the subordinate service principal is to interact with on behalf of the initiating KerberosPrincipal.
initiate NO
accept NO

Currently the AuthPermission object is used to guard access to the Subject, SubjectDomainCombiner, LoginContext and Configuration objects.
doAs NO
doAsPrivileged NO
getSubject NO
getSubjectFromDomainCombiner NO
setReadOnly NO
modifyPrincipals NO
modifyPublicCredentials NO
modifyPrivateCredentials NO
refreshCredential NO
destroyCredential NO
createLoginContext.{name} NO
getLoginConfiguration NO
setLoginConfiguration NO
createLoginConfiguration.{configuration type} NO
refreshLoginConfiguration NO
setHostnameVerifier NO
getSSLSessionContext NO
setDefaultSSLContext NO

Permission controlling access to MBeanServer operations. If a security manager has been set using System.setSecurityManager(java.lang.SecurityManager), most operations on the MBeanServer require that the caller's permissions imply an MBeanPermission appropriate for the operation.

action className#member[objectName]

If you have an MBeanPermission, it allows operations only if all four of the items match.
addNotificationListener NO
getAttribute NO
getClassLoader NO
getClassLoaderFor NO
getClassLoaderRepository NO
getDomains NO
getMBeanInfo NO
getObjectInstance NO
instantiate NO
invoke NO
isInstanceOf NO
queryMBeans NO
queryNames NO
registerMBean NO
removeNotificationListener NO
setAttribute NO
unregisterMBean NO
createMBeanServer NO
findMBeanServer NO
newMBeanServer NO
releaseMBeanServer NO

This permission represents "trust" in a signer or codebase.
register NO
* NO