Integrating EclipseLink with an Application Server (ELUG)

This section describes how to configure EclipseLink for use with Java EE containers and application servers.

For more information, see the following:

• Creating EclipseLink Files for Deployment
• Packaging a EclipseLink Application
• Deploying a EclipseLink Application

Introduction to the Application Server Support

EclipseLink can be used with any Java EE application server.

For more information, see the following:

• #Integrating EclipseLink with Oracle Containers for J2EE (OC4J)
• #Integrating EclipseLink with BEA WebLogic Server
• #Integrating EclipseLink with IBM WebSphere Application Server
• #Integrating EclipseLink with Sun Application Server
• #Integrating EclipseLink with JBoss Application Server

Integrating EclipseLink with an Application Server

This section describes concepts unique to EclipseLink application server integration, including the following:

• #What Are the Software Requirements
• #How to Configure the XML Parser Platform
• #How to Set Security Permissions
• #How to Integrate Clustering

What Are the Software Requirements

To run a EclipseLink application within a Java EE container, your system must meet the following software requirements:

• An application server or Java EE container
• XML parser (see #How to Configure the XML Parser Platform);
• A JDBC driver configured to connect with your local database system (for more information, see your database administrator);
• A Java development environment, such as the following:
  • Eclispe IDE;
  • Oracle JDeveloper;
  • IBM WebSphere Studio Application Developer (WSAD);
  • Sun Java Development Kit (JDK) 1.5 or later;
• Any other Java environment that is compatible with the Sun JDK 1.5 or later;
• A command-line JVM executable (such as java.exe or jre.exe).

How to Configure the XML Parser Platform

The EclipseLink run-time environment uses an XML parser to do the following:

• Read and write XML configuration files (see project.xml File and sessions.xml File);
• Read and write Workbench project files (see Introduction to Workbench);
• Perform object-to-XML transformations in EIS projects using XML records (see Introduction to EIS Mappings);
• Perform object-to-XML transformations in XML projects (see Introduction to XML Mappings);

Application servers use an XML parser to read deployment files, such as ejb-jar.xml and <Java EE container>-ejb-jar.xml files (see Creating EclipseLink Files for Deployment).

To avoid XML parser conflicts, you must configure your EclipseLink application to use the same XML parser as that used by the application server on which you deploy your application.

Internally, EclipseLink accesses its XML parser using an instance of org.eclipse.persistence.platform.xml.XMLPlatform class.

You can configure EclipseLink to use any XML parser for which an XMLPlatform class exists (see #Configuring XML Parser Platform).

You can also create your own XMLPlatform to provide access to an XML parser not currently supported by EclipseLink (see #Creating an XML Parser Platform).

Configuring XML Parser Platform

EclipseLink provides the XMLPlatform instances shown in the following table.

Table: Supported XML Platforms

^{Footnote 1} Default:

To configure your EclipseLink application to use a particular instance of the XMLPlatform class, set system property eclipse.persistence.xml.platform to the fully qualified name of your XMLPlatform class, as the following example shows.

Configuring XML Platform

eclipse.persistence.xml.platform=org.eclipse.persistence.platform.xml.jaxp.JAXPPlatform

Creating an XML Parser Platform

Using the org.eclipse.persistence.internal.xml classes you can create your own instance of the org.eclipse.persistence.platform.xml.XMLPlatform class to specify an XML parser not listed in the table.

After creating your XMLPlatform, configure EclipseLink to use it (see #Configuring XML Parser Platform).

XML Parser Limitations

Crimson (http://xml.apache.org/crimson/) is the XML parser supplied in the Java Platform, Standard Edition (Java SE) and in some JAXP reference implementations.

If you use Crimson with the JAXP API to parse XML files whose system identifier is not a fully qualified URL, then XML parsing will fail with a not valid URL exception.

Other XML parsers defer validation of the system identifier URL until it is specifically referenced.

If you are experiencing this problem, consider one of the following alternatives:

• Ensure that your XML files use a fully qualified system identifier URL.
• Use another XML parser (such as the OracleAS XML Parser for Java v2).

How to Set Security Permissions

By default, when you run a EclipseLink-enabled application in a JVM configured with a nondefault java.lang.SecurityManager, the EclipseLink run-time environment executes certain internal functions by executing a PrivilegedAction with java.security.AccessController method doPrivileged. This ensures that you do not need to grant many permissions to EclipseLink for it to perform its most common operations. You need only grant certain permissions depending on the types of optional EclipseLink features you use.

For more information, see #Defining Security Permissions.

If you run a EclipseLink-enabled application in a JVM without a nondefault SecurityManager, you do not need to set any permissions.

How to Integrate Clustering

Most application servers include a clustering service that you can use with your EclipseLink application.

To use EclipseLink with an application server cluster, use this general procedure:

1. Install the eclipselink.jar file (and include it in the classpath) on each application server in the cluster to which you deploy EclipseLink applications.
2. Configure EclipseLink cache consistency options appropriate for your application.For more information, see Chapter 98, "Introduction to Cache".
3. Configure EclipseLink coordinated cache support for your application server, if available.For more information, see #How to Integrate with Oracle Application Server Clustering.
4. Configure clustering on each application server.For more information, see your application server documentation.

Integrating EclipseLink with Oracle Containers for J2EE (OC4J)

To integrate a EclipseLink application with OC4J, you must consider the following:

• #How to Integrate JTA
• #How to Integrate JMX
• #How to Integrate with Oracle Application Server Clustering
• #How to Integrate with Oracle Application Server MaD

In addition to configuring these OC4J specific options, you must also consider the general application server integration issues in #Integrating EclipseLink with an Application Server.

How to Integrate JTA

For applications that require JTA integration, specify the external transaction controller when you configure the server platform in your session (see Configuring the Server Platform).

For more information, see Integrating the Unit of Work with an External Transaction Service.

How to Integrate JMX

By default, when you deploy a EclipseLink application to OC4J, the EclipseLink runtime deploys the following Java Management Extensions (JMX) MBeans to the OC4J JMX service for each EclipseLink session:

• Oc4jRuntimeServices: This class is meant to provide facilities for managing a EclipseLink session external to EclipseLink over JMX.
• Oc4jRuntime implements Oc4jRuntimeMXBean: This class is meant to provide facilities for managing a EclipseLink session external to EclipseLink over JMX.

These classes are from the org.eclipse.persistence.services.oc4j package.

Use the API that these JMX MBeans expose to access and configure your EclipseLink sessions at runtime using JMX code that you write or to integrate your EclipseLink application with a third-party JMX management application, such as Oracle Enterprise Manager 10g Application Server Control, jconsole, or others.

Confirming that EclipseLink JMX MBeans are Deployed

Before you access EclipseLink JMX MBeans, you can use various methods to determine whether or not they were successfully deployed in OC4J.

To confirm that EclipseLink JMX MBeans are deployed:

1. Package and deploy your EclipseLink application to OC4J.For more information, see EclipseLink Application Deployment (ELUG).
2. Examine OC4J logs and look for the appropriate log messages.
   1. For a JPA application, EclipseLink session instantiation and login occurs at EntityManager instantiation time.
      EclipseLink JMX MBean Deployment Log Messages: JPA Application
      TBD
3. Use the System MBean Browser in the Oracle Enterprise Manager 10g Application Server Control to access the EclipseLink JMX MBeans.For more information, see #Accessing EclipseLink JMX MBeans Using Oracle Enterprise Manager 10g Application Server Control.

Accessing EclipseLink JMX MBeans Using Oracle Enterprise Manager 10g Application Server Control

After you deploy your EclipseLink application, you can use the System MBean Browser in the Oracle Enterprise Manager 10g Application Server Control to access and use a subset of the public API that EclipseLink MBeans provide.

To access EclipseLink JMX MBeans using Oracle Enterprise Manager 10g Application Server Control:

1. Package and deploy your EclipseLink application to OC4J.For more information, see EclipseLink Application Deployment (ELUG).
2. Determine the http port for the oc4j_admin instance using the following asctl command on the computer on which the oc4j_admin instance is running:

   $ asctl getports ORACLE_INSTANCE_NAME/oc4j_admin/http-web-site

       Oracle Fusion Middleware Administration Server Release 11.1.1.0.0
    
        --------------------------------------------------------
       | Name      | Dps Id    | Port      | Ip Address| Port Status |
       |           |           |           |           |            |
       | http-web-site| /farm1_FarmRoot/farm1/asinst_1/oc4j_admin/http-web-site| 6799      | 10.1.2.3| READY      |
        --------------------------------------------------------
   

   
   Where ORACLE_INSTANCE_NAME is the name of the Oracle instance that hosts oc4j_admin. In this example, the ORACLE_INSTANCE_NAME is asinst_1 and the http port for the oc4j_admin instance is 6799.For more information, see Oracle Fusion Middleware Administration and Application Deployment Guide for Oracle Containers for Java EE.
3. Log into the Application Server Control Console by launching a Web browser and entering a URL like:
   http://HOST_NAME:PORT/em/faces/targetauth/emasLogin

   Where HOST_NAME is the host name or IP address of the computer on which the oc4j_admin instance is running and PORT is the http port for the oc4j_admin instance from step 2.

4. In the navigator, click on the Farm tab pull-down menu and select Administration and then select System MBean Browser.
5. On the System MBean Browser page, expand the Search menu and select MBean Name.
6. Enter your EclipseLink session or application name in the search field and click the Search button.The Application Server Control Console finds all the MBeans associated with your EclipseLink session or application.Application Server Control Console System MBean Browser shows the MBeans for a EclipseLink application named jpa-example.Application Server Control Console System MBean Browser
   
   
7. Select an MBean and use the Attributes, Operations, and Notifications tabs to access attributes, invoke operations, and examine MBEan notifications.Application Server Control Console gives you access to a subset of the public API of the Oc4jRuntimeServices and Oc4Runtime MBeans.

Accessing EclipseLink JMX MBeans Using a Third-Party JMX Management Application

After you deploy your EclipseLink application, you can use any JMX-compliant management application to access and use the full public API that EclipseLink MBeans provide.

To access EclipseLink JMX MBeans using a third-party JMX management application:

1. Package and deploy your EclipseLink application to OC4J.For more information, see EclipseLink Application Deployment (ELUG).
2. Optionally, confirm that EclipseLink JMX MBeans are deployed using Oracle Enterprise Manager 10g Application Server Control.For more information, see #Accessing EclipseLink JMX MBeans Using Oracle Enterprise Manager 10g Application Server Control.
3. Configure your third-party JMX management application classpath to include:
   • ORACLE_HOME/dms/lib/dms.jar
   • ORACLE_HOME/j2ee/home/lib/adminclient.jar
   • ORACLE_HOME/j2ee/home/lib/javax77.jar
   • ORACLE_HOME/j2ee/home/oc4jclient.jar
4. Launch your third-party JMX management application.For example, launch JDK_HOME\bin\jconsole.exe using the batch file that the following figure shows.
   Batch File for jconsole

   ORACLE_HOME=C:\app-servers\OraHome-oc4j-101330
   JAVA_HOME="C:\Program Files\Java\jdk1.5.0_06"
    
   J2EE_HOME=%ORACLE_HOME%\j2ee\home
   PATH=%JAVA_HOME%\bin;%PATH%
   CLASSPATH=.;%JAVA_HOME%\lib\jconsole.jar;%JAVA_HOME%\lib\tools.jar;%J2EE_HOME%\lib\jms.jar;%J2EE_HOME%\lib\jndi.jar;%J2EE_HOME%\oc4jclient.jar;%J2EE_HOME%\lib\javax77.jar;%ORACLE_HOME%\j2ee\home\lib\adminclient.jar;%ORACLE_HOME%\lib\dms.jar
    
   REM OC4J Standalone
   %JAVA_HOME%\bin\jconsole -J-Djava.class.path=%CLASSPATH% -J-Dcom.sun.management.jmxremote.ssl=false -J-Dcom.sun.management.jmxremote.authenticate=true -J-Djmx.remote.protocol.provider.pkgs=oracle.oc4j.admin.jmx.remote "service:jmx:rmi://localhost:23791"
   

5. Establish a connection to the OC4J JMX service using one of the following JMX URLs:
   • Stand-alone OC4J:service:jmx:rmi://OC4J_HOST:OC4J_PORT
   • Oracle Application Server:service:jmx:rmi:///opmn://OPMN_HOST:OPMN_PORT/OC4J_NAME
   Connection Configuration for jconsole shows how to create a jconsole connection to the OC4J JMX service for a stand-alone OC4J.
   Connection Configuration for jconsole
   
   
   
6. Use your third-party JMX management application to examine EclipseLink MBean attributes, operations, and notifications.Using jconsole or JMX code you write, you can access the full public API of the Oc4jRuntimeServices and Oc4Runtime MBeans.MBean Display for jconsole shows the jconsole display for a EclipseLink application named jpa-example.
   MBean Display for jconsole
   
   
   

Disabling EclipseLink JMX Support Using Deployment XML

By default, EclipseLink deploys MBeans to OC4J. To disable this feature for a EclipseLink application that includes a EclipseLink sessions.xml file, you can use this deployment XML file to disable EclipseLink JMX support. If your application does not include a EclipseLink sessions.xml file, you can use a preLogin event handler to disable this feature instead (see #Disabling EclipseLink JMX Support Using a preLogin Event Handler).

To disable EclipseLink JMX support using deployment XML:

1. Undeploy your EclipseLink application on OC4J.
2. Edit your EclipseLink application's OC4J platform to disable runtime services.For more information, see Configuring the Server Platform.
3. Package your EclipseLink application and re-deploy on OC4J.For more information, see EclipseLink Application Deployment (ELUG)
4. Confirm that EclipseLink JMX MBean instances for your application no longer exist.For more information, see #Confirming that EclipseLink JMX MBeans are Deployed.

Disabling EclipseLink JMX Support Using a preLogin Event Handler

By default, EclipseLink deploys MBeans to OC4J. To disable this feature for a EclipseLink application that does not include a EclipseLink sessions.xml file (such as a EclipseLink JPA application), you can use a EclipseLink event handler to disable EclipseLink JMX support during the EclipseLink session preLogin event. If your application does include a EclipseLink sessions.xml file, you can use it to disable this feature instead (see #Disabling EclipseLink JMX Support Using Deployment XML).

To disable EclipseLink JMX support using a preLogin event handler:

1. Undeploy your EclipseLink application on OC4J.
2. Create a EclipseLink session customizer.For more information, see Configuring a Session Customizer Class.
3. In your session customizer, create a session event listener for the preLogin session event and register the listener with the session event manager as this example shows.
   EclipseLink Session Customizer with Session Event Listener

   import org.eclipse.persistence.tools.sessionconfiguration.SessionCustomizer;
    import org.eclipse.persistence.sessions.Session;
    import org.eclipse.persistence.sessions.SessionEvent;
    import org.eclipse.persistence.sessions.SessionEventAdapter;
    import org.eclipse.persistence.platform.server.ServerPlatform;
    
    public class EmployeeSessionCustomizer implements SessionCustomizer {
    
        public void customize(Sesssion session) {
            SessionEventAdapter myEventListener = new SessionEventAdapter() {
                // Listen for preLogin event
   
               public void preLogin(SessionEvent event) {
                   // Disable runtime services
                   Session session event.getSession();
                   ServerPlatform serverPlatform = session.getServerPlatform();
                   serverPlatform.disableRuntimeServices();
               }
           };
           // Register session event listener
           session.getEventManager().addListener(myEventListener);
       }
   }
   

   For more information, see Configuring Session Event Listeners
4. Package your EclipseLink application, including your session customizer, and re-deploy on OC4J. For more information, see EclipseLink Application Deployment (ELUG).
5. Confirm that EclipseLink JMX MBean instances for your application are not deployed.For more information, see #Confirming that EclipseLink JMX MBeans are Deployed.

What You May Need to Know About EclipseLink JMX Support

You can use EclipseLink JMX support to access Oracle Dynamic Monitoring System (DMS) run-time data in EclipseLink-enabled applications, including both Java EE and Java SE applications.

For more information on EclipseLink and OC4J JMX support, see "Using MBeans in OC4J" in Oracle Fusion Middleware Administration and Application Deployment Guide for Oracle Containers for Java EE.

For more information on JMX in general, see http://java.sun.com/docs/books/tutorial/jmx/index.html.

How to Integrate with Oracle Application Server Clustering

EclipseLink provides coordinated cache support for Oracle Application Server clusters for EclipseLink applications you deploy to Oracle Containers for J2EE (OC4J) when OC4J is running in a clustered mode.

For more information, see the following:

• #How to Integrate Clustering
• Oracle Application Server Cluster Coordinated Cache

How to Integrate with Oracle Application Server MaD

We recommend that you consider EclipseLink support for Oracle Application Server Manageability and Diagnosability (MaD) to simplify application management and problem diagnosis.

For more information, see .

Integrating EclipseLink with BEA WebLogic Server

To integrate a EclipseLink application with BEA WebLogic Server, you must consider the following:

• #How to Configure Classpath
• #How to Integrate JTA
• #How to Integrate the Security Manager

In addition to configuring these BEA WebLogic Server-specific options, you must also consider the general application server integration issues in #Integrating EclipseLink with an Application Server.




How to Configure Classpath

To configure EclipseLink support for BEA WebLogic Server, do the following:

1. Add the following JAR files to the application server classpath:
   <ECLIPSELINK_HOME>/lib/java/api/eclipselink.jar
2. Ensure that your EclipseLink application defines an XML parser platform (see #How to Configure the XML Parser Platform).

How to Integrate JTA

For applications that require JTA integration, specify the external transaction controller when you configure the server platform in your session (see Configuring the Server Platform).

For more information, see Integrating the Unit of Work with an External Transaction Service.

How to Integrate the Security Manager

If you use a security manager, specify a security policy file in the weblogic.policy file (normally located in the BEA WebLogic install directory), as follows:

-Djava.security.manager
-Djava.security.policy==c:\weblogic\weblogic.policy

The BEA WebLogic installation procedure includes a sample security policy file. You need to edit the weblogic.policy file to grant permission for EclipseLink to use reflection.

The following example illustrates only the permissions that EclipseLink requires, but most weblogic.policy files contain more permissions than are shown in this example.


A Subset of a "Grant" Section from a BEA WebLogic.policy File

grant {
// "enableSubstitution" required to run the WebLogic console
permission java.io.SerializablePermission "enableSubstitution";
// "modifyThreadGroup" required to run the WebLogic Server
permission java.lang.RuntimePermission "modifyThreadGroup";
// grant permission for EclipseLink to use reflection

    permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
};

Integrating EclipseLink with IBM WebSphere Application Server

To integrate a EclipseLink application with IBM WebSphere Application Server, you must consider the following:

• #How to Configure Classpath
• #How to Configure Class Loader Order
• #How to Integrate JTA

In addition to configuring these IBM WebSphere application server-specific options, you must also consider the general application server integration issues in #Integrating EclipseLink with an Application Server.




How to Configure Classpath

You configure the IBM WebSphere application server classpath differently depending on what version of this server you are using:

• #Configuring Classpath for IBM WebSphere Application Server 5.0 and Later




Configuring Classpath for IBM WebSphere Application Server 5.0 and Later

EclipseLink provides JTA and general integration support for IBM WebSphere application server 5.0 and later. To configure the classpath for this version, do the following:

1. Create a shared library that contains the following EclipseLink JAR files and associate the shared library with the application:
   <ECLIPSELINK_HOME>\lib\java\ape\eclipselink.jar
2. Ensure that your EclipseLink application defines an XML parser platform (see #How to Configure the XML Parser Platform).

How to Configure Class Loader Order

If you are deploying a EclipseLink enabled application that uses EclipseLink sessions.xml or XML project deployment, you must configure the order in which IBM WebSphere accesses class loaders:

• When using IBM WebSphere application server 5.1, use the default PARENT_FIRST classloader setting.
• When using IBM WebSphere application server 6.1, use the WebSphere Application Server Administrative Console to set Class loader order to Class loaded with application class loader first.




How to Integrate JTA

For applications that require JTA integration, specify the external transaction controller when you configure the server platform in your session (see Configuring the Server Platform).

For more information, see Integrating the Unit of Work with an External Transaction Service.




How to Configure Clustering on IBM WebSphere Application Server

For information on integrating a EclipseLink application with an application server cluster, see #How to Integrate Clustering.

Integrating EclipseLink with Sun Application Server

To integrate a EclipseLink application with Sun Application Server (SunAS), you must consider the following:

• #How to Configure Classpath
• #How to Integrate JTA

In addition to configuring these SunAS-specific options, you must also consider the general application server integration issues in #Integrating EclipseLink with an Application Server.




How to Configure Classpath

To configure EclipseLink support for SunAS, do the following:

1. Add the following JAR files to the application server classpath:
   <ECLIPSELINK_HOME>\lib\java\ape\eclipselink.jar
2. Ensure that your EclipseLink application defines an XML parser platform (see How to Configure the XML Parser Platform).

How to Integrate JTA

For applications that require JTA integration, specify the external transaction controller when you configure the server platform in your session (see Configuring the Server Platform).

For more information, see Integrating the Unit of Work with an External Transaction Service.

Integrating EclipseLink with JBoss Application Server

To integrate a EclipseLink application with JBoss Application Server, you must consider the following:

• #How to Configure Classpath
• #How to Integrate JTA

In addition to configuring these JBoss-specific options, you must also consider the general application server integration issues in [[#Integrating EclipseLink with an Application Server].




How to Configure Classpath

To configure EclipseLink support for JBoss, do the following:

1. Add the following JAR files to the application server classpath:
   <ECLIPSELINK_HOME>\lib\java\ape\eclipselink.jar
2. Ensure that your EclipseLink application defines an XML parser platform (see #How to Configure the XML Parser Platform).

How to Integrate JTA

For applications that require JTA integration, specify the external transaction controller when you configure the server platform in your session (see Configuring the Server Platform).

For more information, see Integrating the Unit of Work with an External Transaction Service.

Defining Security Permissions

By default, when you run a EclipseLink-enabled application in a JVM configured with a nondefault java.lang.SecurityManager, the EclipseLink run time executes certain internal functions by executing a PrivilegedAction with java.security.AccessController method doPrivileged. This ensures that you do not need to grant many permissions to EclipseLink for it to perform its most common operations. You need only grant certain permissions depending on the types of optional EclipseLink features you use (see #How to Define Permissions Required by EclipseLink Features).

While using doPrivileged method provides enhanced security, it will severely impact overall performance. Alternatively, you can configure EclipseLink to disable the use of doPrivileged method even when a nondefault SecurityManager is present (see #How to Disable doPrivileged Operation). In this case, you must grant EclipseLink all required permissions (see #How to Define Permissions Required by EclipseLink Features and #How to Define Permissions Required when doPrivileged Is Disabled).




Note: While enabling the use of doPriviledged method enhances EclipseLink application security, it does not guarantee that secure code cannot be called by application code in ways that the system did not intend. You must consider the use of doPriviledged method within the context of your overall application security strategy. For more information, see http://java.sun.com/security/index.jsp.


If you run a EclipseLink-enabled application in a JVM without a nondefault SecurityManager, you do not need to grant any permissions.




How to Define Permissions Required by EclipseLink Features

When you run a EclipseLink-enabled application in a JVM configured with a nondefault java.lang.SecurityManager and doPrivileged operation is enabled, you may need to grant additional permissions if your application requires any of the following:

• #Defining System Properties
• #Loading project.xml or sessions.xml Files
• #Defining Cache Coordination
• #Accessing a Data Source by Port
• #Logging with java.util.logging
• #Granting Permissions for Java EE Application Deployment




Defining System Properties

By default, a EclipseLink-enabled application requires access to the system properties granted in the default <JAVA_HOME>/lib/security/java.policy file. If your application requires access to other platform-specific, environment, or custom properties, then grant further PropertyPermission permissions, as the following example shows.

Permissions for System Properties

permission java.util.PropertyPermission "my.property", "read";

Loading project.xml or sessions.xml Files

Most EclipseLink-enabled applications read in project.xml and sessions.xml files directly. Grant permissions to the specific files or file locations, as the following example shows. This example assumes that both project.xml and sessions.xml files are located in the same directory (given by application-specific system property deployment.xml.home). Alternatively, you can specify a separate FilePermission for each file.


Permissions for Loading Deployment XML Files

permission java.io.FilePermission "${deployment.xml.home}/*.xml", "read";




For information on FilePermission settings for Java EE applications, see #Granting Permissions for Java EE Application Deployment.

Defining Cache Coordination

If your application uses cache coordination (see Cache Coordination), then grant accept, connect, listen, and resolve permissions to the specific sockets used by your coordinated cache, as the following example shows. This example assumes that the coordinated cache multicast port (see Configuring a Multicast Port) is 1024.


Permissions for Cache Coordination

permission java.net.SocketPermission "localhost:1024-", "accept, connect, listen, resolve";

Accessing a Data Source by Port

If your EclipseLink-enabled application accesses a data source using a socket, then grant connect and resolve permissions for that socket, as the following example shows. This example assumes that the host name (or IP address) of the remote host that provides the data source (such as a relational database server host) is given by application-specific system property remote.data.source.host and that this host accepts data source connections on port 1025.

Permissions for non-Java EE Data Source Connections

permission java.net.SocketPermission "${remote.data.source.host}:1025-", "connect, resolve";

For Java EE applications, data source socket permissions are usually handled by the application server.

Logging with java.util.logging

If you configure your EclipseLink-enabled application to use java.util.logging package (see Configuring Logging), then grant your application control permissions, as this example shows.


Permissions for java.util.logging

permission java.util.logging.LoggingPermission "control"

Granting Permissions for Java EE Application Deployment

If you are deploying a EclipseLink-enabled Java EE application, you must grant permissions for the following:

• The eclipselink.jar file. For example:

grant codeBase "file:<ECLIPSELINK_HOME>/lib/java/api/eclipselink.jar" {
    permission java.security.AllPermission;
};

If you are using an XML platform, you must also grant the following permissions:

• The eclipse.persistence.xml.platform system property. For Example:

permission java.util.PropertyPermission "eclipse.persistence.xml.platform", "read"

How to Define Permissions Required when doPrivileged Is Disabled

If you disable doPrivileged operation when you run a EclipseLink-enabled application in a JVM configured with a nondefault java.lang.SecurityManager, you must grant the following permissions:

• java.lang.reflect.RelectPermission "suppressAccessChecks"
• java.lang.RuntimePermission "accessDeclaredMembers"
• java.lang.RuntimePermission "getClassLoader"

You may also have to grant additional permissions depending on the EclipseLink features your application uses. For more information, see How to Define Permissions Required by EclipseLink Features.

How to Disable doPrivileged Operation

To disable doPrivileged operation when you run a EclipseLink-enabled application in a JVM configured with a nondefault java.lang.SecurityManager, set system property oracle.j2ee.toplink.security.usedoprivileged to false. If you are using OC4J, set system property oracle.j2ee.security.usedoprivileged to false.

To enable doPrivileged operation, set these system properties to true.




---

Copyright Statement