This is a side issue to related bug https://bugzilla.redhat.com/show_bug.cgi?id=1035232.

The process described in the Security Guide and Administration guide and the Administration and Configuration guide is not correct for domain mode.

http://documentation-devel.engineering.redhat.com/docs/en-US/JBoss_Enterprise_Application_Platform/6.2/html-single/Security_Guide/index.html#Run_JBoss_Enterprise_Application_Platform_Within_the_Java_Security_Manager
http://documentation-devel.engineering.redhat.com/docs/en-US/JBoss_Enterprise_Application_Platform/6.2/html/Administration_and_Configuration_Guide/Run_JBoss_Enterprise_Application_Platform_Within_the_Java_Security_Manager.html

The problem is "2. Add the Java options at the end of the file." followed by an instruction to configure the JAVA_OPTS variable. By the time the last line of domain.conf is processed, no further use of the JAVA_OPTS variable will be made except for domain.sh's outputting of its value to the console.

The line that's described must come *before* this line:

# The ProcessController process uses its own set of java options
if [ "x$PROCESS_CONTROLLER_JAVA_OPTS" = "x" ]; then
    PROCESS_CONTROLLER_JAVA_OPTS="$JAVA_OPTS"
fi

It could be placed at the beginning of the file, but in that case the settings configured in this block would not be used:

if [ "x$JAVA_OPTS" = "x" ]; then
    JAVA_OPTS="-Xms64m -Xmx512m -XX:MaxPermSize=256m -Djava.net.preferIPv4Stack=true"
    JAVA_OPTS="$JAVA_OPTS -Djboss.modules.system.pkgs=$JBOSS_MODULES_SYSTEM_PKGS -Djava.awt.headless=true"
else
    echo "JAVA_OPTS already set in environment; overriding default settings with values: $JAVA_OPTS"
fi

The most appropriate placement is in the 'if [ "x$JAVA_OPTS" = "x" ]; then' block above.
Also there's a typo in the suggested JAVA_OPTS settings: -Djava.security.policy==$PWD/server.policy Two equals signs. Using that results in obscure permission failures on domain boot, probably because the policy file isn't loaded so no permissions are set?
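The ordering problem described in the report can be reproduced with the two domain.conf fragments it quotes. The script below is an added illustration, not part of the original comments or of JBoss EAP; the function names, the policy path and the JBOSS_MODULES_SYSTEM_PKGS value are constructed, and only the ProcessController copy shown in the report is modelled.

```shell
#!/bin/sh
# Replays the domain.conf fragments quoted in the report and shows which
# placement of the security manager options reaches the ProcessController.
# SM_OPTS uses a constructed policy path.
SM_OPTS="-Djava.security.manager -Djava.security.policy==/opt/example/server.policy"

# simulate_domain_conf <start|in_block|end>
# Prints the resulting PROCESS_CONTROLLER_JAVA_OPTS for that placement.
simulate_domain_conf() {
    (
        placement="$1"
        unset JAVA_OPTS PROCESS_CONTROLLER_JAVA_OPTS
        JBOSS_MODULES_SYSTEM_PKGS="org.jboss.byteman"   # constructed value

        # "start": options set at the beginning of the file.
        if [ "$placement" = "start" ]; then JAVA_OPTS="$SM_OPTS"; fi

        # Defaults block (the original's else branch only echoes a notice).
        if [ "x$JAVA_OPTS" = "x" ]; then
            JAVA_OPTS="-Xms64m -Xmx512m -XX:MaxPermSize=256m -Djava.net.preferIPv4Stack=true"
            JAVA_OPTS="$JAVA_OPTS -Djboss.modules.system.pkgs=$JBOSS_MODULES_SYSTEM_PKGS -Djava.awt.headless=true"
            # "in_block": the placement the report recommends.
            if [ "$placement" = "in_block" ]; then JAVA_OPTS="$JAVA_OPTS $SM_OPTS"; fi
        fi

        # The ProcessController process uses its own set of java options
        if [ "x$PROCESS_CONTROLLER_JAVA_OPTS" = "x" ]; then
            PROCESS_CONTROLLER_JAVA_OPTS="$JAVA_OPTS"
        fi

        # "end": the placement the guides instructed; JAVA_OPTS was already copied.
        if [ "$placement" = "end" ]; then JAVA_OPTS="$JAVA_OPTS $SM_OPTS"; fi

        printf '%s\n' "$PROCESS_CONTROLLER_JAVA_OPTS"
    )
}

# pc_opts_contain <placement> <option>: succeeds if the option was propagated.
pc_opts_contain() {
    case "$(simulate_domain_conf "$1")" in
        *"$2"*) return 0 ;;
        *) return 1 ;;
    esac
}

for p in start in_block end; do
    printf '%-8s -> %s\n' "$p" "$(simulate_domain_conf "$p")"
done
```

Only the in_block placement yields both the default heap settings and the security manager options; the end placement silently starts the ProcessController without a security manager.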
I think using two equals signs is the correct expression (not a typo); it means that the security manager uses only the policy file which is set in the java.security.policy property. If you use one equals sign, it means that the security manager uses the policy from java.security.policy combined with the policy set in the policy.url part of java.home/lib/security/java.security. See the part "Specifying an Additional Policy File at Runtime" at http://docs.oracle.com/javase/7/docs/technotes/guides/security/PolicyFiles.html#DefaultLocs. However, it is possible that the two equals signs cause problems if $PWD/server.policy doesn't grant the needed permissions, but in that case it should throw SecurityException or AccessControlException.
Ondrej -- agreed, not a typo. Thanks for the information.
These changes were made to the 6.3 content and backported to the 6.2 content. The updated 6.2 documents are available for review at: http://docbuilder.usersys.redhat.com/14874/ (Admin and Config Guide) http://docbuilder.usersys.redhat.com/14876/ (Security Guide). Moving this ticket to MODIFIED until update is available for QA on the documentation stage.
Moving to ON_QA. The changes should be available for review on the documentation stage within an hour or so from this comment. http://documentation-devel.engineering.redhat.com/site/documentation/en-US/JBoss_Enterprise_Application_Platform/
The changes were not backported to the EAP 6.2 Administration and Configuration Guide.
The 6.2 docs have been rebuilt to show the updated content. Admin & Config Guide: http://documentation-devel.engineering.redhat.com/site/documentation/en-US/JBoss_Enterprise_Application_Platform/6.2/html-single/Administration_and_Configuration_Guide/index.html#Run_JBoss_Enterprise_Application_Platform_Within_the_Java_Security_Manager Security Guide: http://documentation-devel.engineering.redhat.com/site/documentation/en-US/JBoss_Enterprise_Application_Platform/6.2/html-single/Security_Guide/index.html#Run_JBoss_Enterprise_Application_Platform_Within_the_Java_Security_Manager