In the Java policy file, the grant codeBase
syntax specifies which codebase should be granted which permissions. for example,
grant codeBase "file:/C:/abc.jar" { permission java.security.AllPermission; };
grants AllPermission
to code inside abc.jar
In a similar way, Is there a way to deny
permissions to a specific syntax? Like this:
deny codeBase "file:/C:/def.jar" { permission java.io.FilePermission; };
so that the code inside def.jar
gets every other permissions except the FilePermission?
Is this even possible?
I know this can be easily done using the SecurityManager
class, but I just want to know if this is possible by using the policy file only.
I realize this is almost a year late but I think I am trying to do something similar.
There is a way to set the runtime permissions such that Java won't grant the global permissions. Then you can specify only the permissions you want granted for your app. The key is to run your app with the options below.
java -Djava.security.manager -Djava.security.policy==policyFile.txt MyClass
Note the double equals -Djava.security.policy==policyFile.txt
. The double equals ==
means to use only the permissions in the named file as opposed to the single equal sign -Djava.security.policy=policyFile.txt
which means use these permissions in addition to the inherited global permissions.
Then create a policy file excluding the permissions you want to deny:
// policyFile.txt
grant codeBase "file:/C:/abc.jar" {
// list of permissions minus the ones you want to deny
// for example, the following would give the application
// ONLY AudioPermission and AWTPermission. Other
// permissions such as java.io.FilePermission would be
// denied.
permission javax.sound.sampled.AudioPermission;
permission java.awt.AWTPermission;
}