web-2/wildfly/docs/schema/wildfly-security-manager_1_0.xsd

97 lines
4.9 KiB
XML
Raw Permalink Normal View History

2024-10-15 03:01:27 +03:00
<?xml version="1.0" encoding="UTF-8"?>
<!--
~ Copyright The WildFly Authors
~ SPDX-License-Identifier: Apache-2.0
-->
<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema"
targetNamespace="urn:jboss:domain:security-manager:1.0"
xmlns="urn:jboss:domain:security-manager:1.0"
elementFormDefault="qualified"
attributeFormDefault="unqualified"
version="1.0">
<!-- The security manager subsystem root element -->
<xs:element name="subsystem" type="securityManagerSubsystemType"/>
<xs:complexType name="securityManagerSubsystemType">
<xs:annotation>
<xs:documentation>
<![CDATA[
The security manager subsystem configuration.
]]>
</xs:documentation>
</xs:annotation>
<xs:sequence>
<xs:element name="deployment-permissions" minOccurs="0" maxOccurs="1" type="deploymentPermissionsConfigType"/>
</xs:sequence>
</xs:complexType>
<xs:complexType name="deploymentPermissionsConfigType">
<xs:annotation>
<xs:documentation>
<![CDATA[
The deploymentPermissionConfigType specifies the elements and attributes that can be used to configure
the minimum and maximum set of permissions for deployments.
- minimum-set: this element allows for the configuration of the minimum set of permissions that are to
be granted to all deployments. If this element is not specified or if the element is empty in the
subsystem configuration, an empty minimum permission set will be created. The effect in this case is that
deployment will not get any permissions other than the ones configured in the deployment itself.
- maximum-set: this element allows for the configuration of the maximum set of permissions that a deployment
can have. This set defines the maximum scope of permissions that can be granted to a deployment and acts
as a validation mechanism that prevents deployments from acquiring undesirable permissions. If this element
is not specified, a default maximum set with a single java.security.AllPermission is created (and it thus
implies all permissions specified in the minimum set or in the deployment). If this element is empty, the
maximum set will be assigned an empty set of permissions and will thus reject any permissions specified
in the minimum set or in the deployment. In this case, the empty set can be used to enforce a policy
where deployments cannot be assigned any permissions.
NOTE: the behavior regarding empty maximum sets has changed in version 3.0. In previous versions of the
subsystem an empty maximum set was handled the same way as an undefined set and that caused caused the
maximum set to resolve to a set containing java.security.AllPermission.
]]>
</xs:documentation>
</xs:annotation>
<xs:sequence>
<xs:element name="minimum-set" minOccurs="0" maxOccurs="1" type="permissionSetType"/>
<xs:element name="maximum-set" minOccurs="0" maxOccurs="1" type="permissionSetType"/>
</xs:sequence>
</xs:complexType>
<xs:complexType name="permissionSetType">
<xs:annotation>
<xs:documentation>
<![CDATA[
The permissionSetConfigType defines a sequence of permission elements that can be used to specify the
permissions that are to be granted to deployments or external jars.
]]>
</xs:documentation>
</xs:annotation>
<xs:sequence>
<xs:element name="permission" minOccurs="0" maxOccurs="unbounded" type="permissionType"/>
</xs:sequence>
</xs:complexType>
<xs:complexType name="permissionType">
<xs:annotation>
<xs:documentation>
<![CDATA[
The permission specifies the attributes used to declare a security permission.
* class: the permission fully-qualified class name (e.g. java.util.PropertyPermission).
* name: the name of permission target (e.g. java.* for a PropertyPermission).
* actions: the permission actions (e.g. read, write)
* module: the name of the module that contains the permission class.
]]>
</xs:documentation>
</xs:annotation>
<xs:attribute name="class" type="xs:string" use="required"/>
<xs:attribute name="name" type="xs:string" use="optional"/>
<xs:attribute name="actions" type="xs:string" use="optional"/>
<xs:attribute name="module" type="xs:string" use="optional"/>
</xs:complexType>
</xs:schema>