Java Policy file - Deny permissions to a codebase

Question

In the Java policy file, the grant codeBase syntax specifies which codebase should be granted which permissions. for example,

grant codeBase "file:/C:/abc.jar" { permission java.security.AllPermission; };

grants AllPermission to code inside abc.jar

In a similar way, Is there a way to deny permissions to a specific syntax? Like this:

deny codeBase "file:/C:/def.jar" { permission java.io.FilePermission; };

so that the code inside def.jar gets every other permissions except the FilePermission?

Is this even possible?

I know this can be easily done using the SecurityManager class, but I just want to know if this is possible by using the policy file only.

Answer 1

I realize this is almost a year late but I think I am trying to do something similar.

There is a way to set the runtime permissions such that Java won't grant the global permissions. Then you can specify only the permissions you want granted for your app. The key is to run your app with the options below.

java -Djava.security.manager -Djava.security.policy==policyFile.txt MyClass

Note the double equals -Djava.security.policy==policyFile.txt. The double equals == means to use only the permissions in the named file as opposed to the single equal sign -Djava.security.policy=policyFile.txt which means use these permissions in addition to the inherited global permissions.

Then create a policy file excluding the permissions you want to deny:

// policyFile.txt
grant codeBase "file:/C:/abc.jar" {

    // list of permissions minus the ones you want to deny
    // for example, the following would give the application
    // ONLY AudioPermission and AWTPermission.  Other
    // permissions such as java.io.FilePermission would be
    // denied.

    permission javax.sound.sampled.AudioPermission;
    permission java.awt.AWTPermission;

}

Answer 2

You can use Prograde library, which implements policy file with deny rules.

Add following Maven dependency to your app

<dependency>
    <groupId>net.sourceforge.pro-grade</groupId>
    <artifactId>pro-grade</artifactId>
    <version>1.0</version>
</dependency>

And then enable it for your application by using standard system properties:

-Djava.security.manager=net.sourceforge.prograde.sm.ProgradeSecurityManager -Djava.security.policy==/path/to/your/application.policy

or you can just replace programatically the Policy implementation in your code:

System.setProperty("java.security.policy","/path/to/your/application.policy");
Policy.setPolicy(new ProgradePolicyFile());

The syntax of policy file stays similar to the standard implementation, but you can use deny instead of grant and you can also change priorities by using keyword priority (default value is "deny" - to stay backward compatible).

For instance, you can do sth. like:

grant {
    permission java.lang.RuntimePermission "*";
};

deny {
    permission java.lang.RuntimePermission "exitVM.*";
};

Other examples are here.

Answer 3

No. There is nothing like this implemented for policy files. You could write your own system, if you were really desperate.