Java policy settings not working for FilePermission

northpole · Jun 27, 2012

Our Java policy file used to just be:

grant {
  permission java.security.AllPermission;
};

I am trying to make our application more secure than just granting everything to everyone. I have it working well, except I am having trouble giving permission to files.

The error I currently get is:

java.security.AccessControlException: access denied (java.io.FilePermission \\server.log write)

I have tried so many combinations of things, such as:

permission java.io.FilePermission "\\\\server.log", "write";
permission java.io.FilePermission "C:\\Temp\\logs\\server.log", "write";
permission java.io.FilePermission "\\server.log", "write";
permission java.io.FilePermission "${TEMP}${/}-", "write";
permission java.io.FilePermission "*", "read,write";

The only thing I can get to work is using:

grant {
  permission java.security.AllPermission;
};

I get the error "java.io.FileNotFoundException: \server.log (The filename, directory name, or volume label syntax is incorrect)" when using (even when the files do exist):

permission java.io.FilePermission "<<ALL FILES>>", "write";

Just wondering if anyone had any other ideas to try. I don't really want to have to resort to granting all just to get the file permissions right; obviously I am missing something.

EDIT:

I just realized that maybe this is a clue in the log file:

log4j:ERROR setFile(null,false) call failed.

Maybe I need some permissions for this specifically? Digging around Google now....

Answer

Marcus Vinicius · May 25, 2015

The Oracle documentation has some examples: https://docs.oracle.com/javase/8/docs/technotes/guides/security/spec/security-spec.doc3.html

permission java.io.FilePermission "myfile", "read,write";
permission java.io.FilePermission "/home/gong/", "read";
permission java.io.FilePermission "/tmp/mytmp", "read,delete";
permission java.io.FilePermission "/bin/*", "execute";
permission java.io.FilePermission "*", "read";
permission java.io.FilePermission "/-", "read,execute";
permission java.io.FilePermission "-", "read,execute";
permission java.io.FilePermission "<<ALL FILES>>", "read";

// this one works for me
permission java.io.FilePermission "c:\\temp\\foo", "read,write,delete";
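
To see why a given entry does or does not cover the path named in the AccessControlException, the following added example (not code from the question or the answer) takes the entries tried in the question, undoes the policy file's backslash escaping, expands `${...}` properties, and asks `FilePermission.implies` whether each one grants the write. The class name, the default path and the simplified parsing (only `\\` is unescaped) are assumptions of this example.

```java
import java.io.File;
import java.io.FilePermission;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class PolicyFilePermissionCheck {
    // Constructed sample: the entries tried in the question, exactly as typed in the
    // policy file (each backslash is doubled once more here for the Java literal).
    static final String[] POLICY_LINES = {
        "permission java.io.FilePermission \"\\\\\\\\server.log\", \"write\";",
        "permission java.io.FilePermission \"C:\\\\Temp\\\\logs\\\\server.log\", \"write\";",
        "permission java.io.FilePermission \"\\\\server.log\", \"write\";",
        "permission java.io.FilePermission \"${TEMP}${/}-\", \"write\";",
        "permission java.io.FilePermission \"*\", \"read,write\";",
        "permission java.io.FilePermission \"<<ALL FILES>>\", \"write\";",
    };
    static final Pattern ENTRY = Pattern.compile(
        "permission\\s+java\\.io\\.FilePermission\\s+\"((?:[^\"\\\\]|\\\\.)*)\"\\s*,\\s*\"([^\"]*)\"\\s*;");
    static final Pattern PROP = Pattern.compile("\\$\\{([^}]+)\\}");

    // ${/} is the file separator; other names are system properties, not environment
    // variables. Returns null if a property is undefined (the entry is then ignored).
    static String expand(String s) {
        Matcher m = PROP.matcher(s);
        StringBuffer out = new StringBuffer();
        while (m.find()) {
            String v = "/".equals(m.group(1)) ? File.separator : System.getProperty(m.group(1));
            if (v == null) return null;
            m.appendReplacement(out, Matcher.quoteReplacement(v));
        }
        m.appendTail(out);
        return out.toString();
    }

    public static void main(String[] args) {
        // Path taken from the exception message; the default is an assumed example.
        String path = args.length > 0 ? args[0] : "C:\\Temp\\logs\\server.log";
        FilePermission needed = new FilePermission(path, "write");
        for (String line : POLICY_LINES) {
            Matcher m = ENTRY.matcher(line);
            if (!m.find()) continue;
            // Simplification: only the escaped backslash is unescaped.
            String target = expand(m.group(1).replace("\\\\", "\\"));
            if (target == null) { System.out.println("IGNORED (undefined property): " + line); continue; }
            boolean ok = new FilePermission(target, m.group(2)).implies(needed);
            System.out.println((ok ? "GRANTS   " : "no match ") + "target=[" + target + "] actions=" + m.group(2));
        }
    }
}
```

Run it on the same operating system and JDK as the application and pass the path from the exception as the first argument, because `FilePermission` matches paths using the platform's separator.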