Security Policy Files
 
  So far we've learned how to check whether a class holds a given permission.  Security policy files show us the other end of the deal: granting permissions.  The standard Policy object reads these files to build the set of permissions for each code source.  The SecurityManager can then query this Policy object to decide whether every class on the current call stack holds the permission being checked.
 
  • A typical policy file looks like this:

      // codeBase is a URL (file:, http:, ...); each entry ends with a semicolon
      grant codeBase "file:project.jar" {
          permission java.io.FilePermission "/data/*", "read,write,delete";
      };

    This assigns read, write, and delete access to all of the files in the /data directory to all of the classes in project.jar.
  • We can put these permissions in java.policy in the \jre\lib\security subdirectory of the Java home directory, or in .java.policy in the user home directory.
  • Or, perhaps a better approach is to make our own file and specify that as an argument when we start our class:

      java -Djava.security.policy=application.policy Application

  • We commonly use the -D flag to send startup parameters to the JVM running our app.  This applies to other parameters, not just policy files.  Note that there is no space between -D and java.security.policy.
  • If you use a double equals sign instead of the single equals sign in this argument (-Djava.security.policy==application.policy), you specify that this is the only policy file that should be used; the default policy files are ignored rather than added to.
  • I searched my hard drive for .java.policy and java.policy.  There are a number of JVMs installed on my machine for various purposes.  It found about a dozen java.policy files, but no .java.policy files.  The contents of the java.policy files all looked fairly similar.  What can we determine from this?


// Standard extensions get all permissions by default

grant codeBase "file:${java.home}/lib/ext/*" {
 permission java.security.AllPermission;
};

// default permissions granted to all domains

grant { 
 // Allows any thread to stop itself using the java.lang.Thread.stop()
 // method that takes no argument.
 // Note that this permission is granted by default only to remain
 // backwards compatible.
 // It is strongly recommended that you either remove this permission
 // from this policy file or further restrict it to code sources
 // that you specify, because Thread.stop() is potentially unsafe.
 // See "http://java.sun.com/notes" for more information.
 permission java.lang.RuntimePermission "stopThread";

 // allows anyone to listen on un-privileged ports
 permission java.net.SocketPermission "localhost:1024-", "listen";

 // "standard" properties that can be read by anyone

 permission java.util.PropertyPermission "java.version", "read";
 permission java.util.PropertyPermission "java.vendor", "read";
 permission java.util.PropertyPermission "java.vendor.url", "read";
 permission java.util.PropertyPermission "java.class.version", "read";
 permission java.util.PropertyPermission "os.name", "read";
 permission java.util.PropertyPermission "os.version", "read";
 permission java.util.PropertyPermission "os.arch", "read";
 permission java.util.PropertyPermission "file.separator", "read";
 permission java.util.PropertyPermission "path.separator", "read";
 permission java.util.PropertyPermission "line.separator", "read";

 permission java.util.PropertyPermission "java.specification.version", "read";
 permission java.util.PropertyPermission "java.specification.vendor", "read";
 permission java.util.PropertyPermission "java.specification.name", "read";

 permission java.util.PropertyPermission "java.vm.specification.version", "read";
 permission java.util.PropertyPermission "java.vm.specification.vendor", "read";
 permission java.util.PropertyPermission "java.vm.specification.name", "read";
 permission java.util.PropertyPermission "java.vm.version", "read";
 permission java.util.PropertyPermission "java.vm.vendor", "read";
 permission java.util.PropertyPermission "java.vm.name", "read";
};
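To see the Policy object and the SecurityManager working together, the following added example (not from this course page) pairs a constructed application.policy, granting the /data permissions from the example above to classes loaded from the current directory (file:${user.dir}/, a hypothetical code base used instead of project.jar), with a small class that asks the SecurityManager which permissions it ends up holding.

```java
// PolicyCheck.java  (added example; not from the course page)
// Constructed policy file, saved as application.policy next to this class:
//
//   grant codeBase "file:${user.dir}/" {
//       permission java.io.FilePermission "/data/*", "read,write,delete";
//       permission java.util.PropertyPermission "user.home", "read";
//   };
//
// Compile, then run from that directory with this file as the ONLY policy
// source (note the double equals) and the SecurityManager installed:
//
//   java -Djava.security.manager -Djava.security.policy==application.policy PolicyCheck
import java.io.FilePermission;
import java.security.AccessControlException;
import java.security.Permission;
import java.util.PropertyPermission;

public class PolicyCheck {

    /** Asks the installed SecurityManager whether every class on the stack holds p. */
    static boolean allowed(Permission p) {
        SecurityManager sm = System.getSecurityManager();
        if (sm == null) {
            throw new IllegalStateException("start the JVM with -Djava.security.manager");
        }
        try {
            sm.checkPermission(p);   // delegates to AccessController, which consults the Policy
            return true;
        } catch (AccessControlException denied) {
            return false;
        }
    }

    public static void main(String[] args) {
        Permission[] probes = {
            new FilePermission("/data/q1.csv", "delete"),        // GRANTED: matched by "/data/*"
            new FilePermission("/data/archive/q1.csv", "read"),  // DENIED: "*" is one level deep; "-" would recurse
            new FilePermission("/data", "read"),                 // DENIED: "/data/*" excludes the directory itself
            new FilePermission("/etc/passwd", "read"),           // DENIED: nothing grants it
            new PropertyPermission("user.home", "read"),         // GRANTED: listed in the file
            new PropertyPermission("java.version", "read"),      // DENIED here; GRANTED with a single '=' because the default java.policy is then loaded too
        };
        for (Permission p : probes) {
            System.out.printf("%-70s %s%n", p, allowed(p) ? "GRANTED" : "DENIED");
        }
    }
}
```

Run it once with `==` and once with a single `=` to watch the java.version probe flip, which is exactly the difference between replacing the default policy files and adding to them. It needs a JDK that still supports the SecurityManager, which is deprecated for removal since Java 17 and permanently disabled in Java 24.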
