The pro-grade library provides implementation of custom Java Security Managers and Security Policies. The main component is a Java Security Policy implementation with denying rules as an addition to standard grant rules.
ProGrade = "Policy Rules Of GRanting And DEnying".
Simply use:
$ mvn clean install
Only thing which you need to do is to add standard java properties for enabling security manager:
java \
-Djava.security.manager=net.sourceforge.prograde.sm.ProGradeJSM \
-Djava.security.policy=/path/to/your-app-prograde.policy \
...
It is a quite similar as standard policy in Java. It also works with policy file with grant entries, but you can also write deny entries - it uses same definitions as grant entries but meaning of them is opposite. For denying rules use keyword "deny".
You can take a look into policy files in pro-grade testsuite.
You can set priority
on "grant"
or "deny"
. The priority
says what rules is stronger when grant and deny are in conflict. If you use deny priority, all actions are as default denied. If you use grant priority, all actions are as default granted. It means that standard Java uses as
default "deny"
priority.
// following entry can be ommited because "deny" value is the default
priority "deny";
// grant full access to /tmp folder
grant {
permission java.io.FilePermission "/tmp/-", "read,write";
};
// deny write access for a single subfolder in /tmp
deny {
permission java.io.FilePermission "/tmp/static/-", "write";
};
The generator is a custom Java Security Manager, which generates a simple policy file from permissions checked by Java Application. The generated policy file can be used with the standard Java Security Manager afterwards.
Simply use the custom Java Security Manager class net.sourceforge.prograde.sm.PolicyFileGeneratorJSM when starting your Java application. Then go through usual application worklows and the generator will create a policy file with missing permissions for you.
Other steps are optional:
- configure the initial policy file (if you already have one)
- set the path to the java.security.policy system property
- use 2 equal characters “==” if you don’t want to use default policy configured for JRE
- configure the output file
- set the path to the prograde.generated.policy system property
- if you don’t set this property, then a new file will be generated in the user’s temporary directory
java \
-Djava.security.manager=net.sourceforge.prograde.sm.PolicyFileGeneratorJSM \
-Djava.security.policy==/path/to/initial.policy \
-Dprograde.generated.policy=/tmp/generated.policy \
...
Test the generated.policy file with standard Java Security Manager:
java \
-Djava.security.manager \
-Djava.security.policy==/tmp/generated.policy \
..
If you don’t need to generate Java Policy file and you only want to check in console which Java Permissions are missing in your policy file, then use the second custom Java Security Manager, which prints the missing permissions to System.err stream.
Main step is to use a custom Java Security Manager class net.sourceforge.prograde.generator.DumpMissingPermissionsJSM when starting your Java application. Then go through usual application worklows and the generator will print the missing permissions to the error stream.
Other steps are optional:
- configure the initial policy file (if you already have one)
- set the path to the java.security.policy system property
- use 2 equal characters “==” if you don’t want to use default policy configured for JRE
java \
-Djava.security.manager=net.sourceforge.prograde.sm.DumpMissingPermissionsJSM \
-Djava.security.policy==/path/to/initial.policy \
...
The standard Java Policy implementation is used as the underlying implementation for the policy file generator. You can use ProGrade policy instead when you set prograde.use.own.policy system property to true.
-Dprograde.use.own.policy=true