--- /dev/null
+//\r
+// This template policy file gives examples of how to configure the\r
+// permissions needed to run a Derby network server with the Java\r
+// Security manager.\r
+//\r
+grant codeBase "${derby.install.url}derby.jar"\r
+{\r
+//\r
+// These permissions are needed for everyday, embedded Derby usage.\r
+//\r
+ permission java.lang.RuntimePermission "createClassLoader";\r
+ permission java.util.PropertyPermission "derby.*", "read";\r
+ permission java.util.PropertyPermission "user.dir", "read";\r
+ permission java.util.PropertyPermission "derby.storage.jvmInstanceId", \r
+ "write"; \r
+ permission java.io.FilePermission "${derby.system.home}","read";\r
+ permission java.io.FilePermission "${derby.system.home}${/}-", "read,write,delete";\r
+\r
+//\r
+// This permission lets a DBA reload the policy file while the server\r
+// is still running. The policy file is reloaded by invoking the\r
+// SYSCS_UTIL.SYSCS_RELOAD_SECURITY_POLICY() system procedure.\r
+//\r
+ permission java.security.SecurityPermission "getPolicy";\r
+\r
+//\r
+// This permission lets you backup and restore databases\r
+// to and from arbitrary locations in your file system.\r
+//\r
+// This permission also lets you import/export data to and from\r
+// arbitrary locations in your file system.\r
+//\r
+// You may want to restrict this access to specific directories.\r
+//\r
+ permission java.io.FilePermission "<<ALL FILES>>", "read,write,delete";\r
+\r
+};\r
+\r
+grant codeBase "${derby.install.url}derbynet.jar"\r
+{\r
+//\r
+// This permission lets the Network Server manage connections from clients.\r
+//\r
+\r
+// Accept connections from any host. Derby is listening to the host\r
+// interface specified via the -h option to "NetworkServerControl\r
+// start" on the command line, via the address parameter to the\r
+// org.apache.derby.drda.NetworkServerControl constructor in the API\r
+// or via the property derby.drda.host; the default is localhost.\r
+// You may want to restrict allowed hosts, e.g. to hosts in a specific\r
+// subdomain, e.g. "*.acme.com".\r
+\r
+ permission java.net.SocketPermission "*", "accept"; \r
+\r
+//\r
+// Needed for server tracing.\r
+//\r
+ permission java.io.FilePermission "${derby.drda.traceDirectory}${/}-", "read,write,delete";\r
+\r
+//\r
+// Needed by sysinfo. The file permission is needed to\r
+// check the existence of jars on the classpath. You can\r
+// limit this permission to just the locations which hold\r
+// your jar files.\r
+//\r
+// In this template file, this block of permissions is granted\r
+// to derbynet.jar under the assumption that derbynet.jar is\r
+// the first jar file in your classpath which contains the\r
+// sysinfo classes. If that is not the case, then you will want\r
+// to grant this block of permissions to the first jar file\r
+// in your classpath which contains the sysinfo classes.\r
+// Those classes are bundled into the following Derby\r
+// jar files:\r
+//\r
+// derbynet.jar\r
+// derby.jar\r
+// derbyclient.jar\r
+// derbytools.jar\r
+//\r
+ permission java.util.PropertyPermission "user.*", "read";\r
+ permission java.util.PropertyPermission "java.home", "read";\r
+ permission java.util.PropertyPermission "java.class.path", "read";\r
+ permission java.lang.RuntimePermission "getProtectionDomain";\r
+ permission java.io.FilePermission "<<ALL FILES>>", "read";\r
+};\r
+\r