In one of my previous posts, I described how to create a custom policy file for securing one’s application.
The process was manual and incremental. Because of that, it was painstakingly long - and hence not really practical. I presented the process at some conferences, and one of the feedback was that it had to be automated. Of course, without automation, nobody would ever write such a policy file but for trivial applications.
This is the 4th post in the JVM Security focus series.Other posts include:
- The Java Security Manager: why and how?
- Proposal for a Java policy files crafting process
- Signing and verifying a standalone JAR
- Crafting Java policy files, a practical guide (this post)
- Beware the Attach API
And then it struck me: there’s a way to write the policy file under in a couple of hours, instead of days, for any application.
Even better, there’s no need for additional information, just a combination of what I already wrote about. Steps are as follow:
- Create an allow-everything policy file:
grant codeBase "file:target/spring-petclinic.jar" { permission java.security.AllPermission; }; - Launch the JAR with specific system properties, including security logging:
java -Djava.security.manager \ -Djava.security.policy==all.policy \ -Djava.security.debug=access \ -jar target/spring-petclinic.jar
This will output in the standard output every request for permissions. It’s then a no-brainer to redirect the output to a file, and process it manually i.e. deduplicate lines, and proceed as in the original post.
This time, however, there’s no need to create the policy file bit by bit: the complete file is available from the beginning.
Just be sure to build and run every available feature (and pages for webapps) to get an exhaustive list of all required permissions.