Java Policy file - Deny permissions to a codebase

securitypolicymanager picture securitypolicymanager · Feb 15, 2011 · Viewed 11.8k times · Source

In the Java policy file, the grant codeBase syntax specifies which codebase should be granted which permissions. for example,

grant codeBase "file:/C:/abc.jar" { permission java.security.AllPermission; };

grants AllPermission to code inside abc.jar

In a similar way, Is there a way to deny permissions to a specific syntax? Like this:

deny codeBase "file:/C:/def.jar" { permission java.io.FilePermission; };

so that the code inside def.jar gets every other permissions except the FilePermission?

Is this even possible?

I know this can be easily done using the SecurityManager class, but I just want to know if this is possible by using the policy file only.

Answer

pinkonion picture pinkonion · Jan 18, 2012

I realize this is almost a year late but I think I am trying to do something similar.

There is a way to set the runtime permissions such that Java won't grant the global permissions. Then you can specify only the permissions you want granted for your app. The key is to run your app with the options below.

java -Djava.security.manager -Djava.security.policy==policyFile.txt MyClass

Note the double equals -Djava.security.policy==policyFile.txt. The double equals == means to use only the permissions in the named file as opposed to the single equal sign -Djava.security.policy=policyFile.txt which means use these permissions in addition to the inherited global permissions.

Then create a policy file excluding the permissions you want to deny:

// policyFile.txt
grant codeBase "file:/C:/abc.jar" {

    // list of permissions minus the ones you want to deny
    // for example, the following would give the application
    // ONLY AudioPermission and AWTPermission.  Other
    // permissions such as java.io.FilePermission would be
    // denied.

    permission javax.sound.sampled.AudioPermission;
    permission java.awt.AWTPermission;

}