
Crafting Java policy files, a practical guide

In one of my previous posts, I described how to create a custom policy file for securing one’s application.

The process was manual and incremental. Because of that, it was painstakingly long, and hence not really practical. I presented the process at some conferences, and one piece of feedback was that it had to be automated. Of course, without automation, nobody would ever write such a policy file except for trivial applications.

And then it struck me: there’s a way to write the policy file in a couple of hours, instead of days, for any application.

Even better, there’s no need for additional information, just a combination of what I already wrote about. The steps are as follows:

  1. Create an allow-everything policy file:
    grant codeBase "file:target/spring-petclinic.jar" {
      permission java.security.AllPermission;
    };
  2. Launch the JAR with specific system properties, including security logging:
    java -Djava.security.manager \
         -Djava.security.policy==all.policy \
         -Djava.security.debug=access \
         -jar target/spring-petclinic.jar

This will print every permission check to standard output. It’s then a no-brainer to redirect the output to a file and process it, i.e. deduplicate the lines, then proceed as in the original post.

This time, however, there’s no need to create the policy file bit by bit: the complete file is available from the beginning.

Just be sure to build and run every available feature (and pages for webapps) to get an exhaustive list of all required permissions.
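The deduplication and conversion step above can itself be scripted. The following is an added example, not code from the original post: it parses the `access allowed` / `access denied` lines that `-Djava.security.debug=access` writes (the line format assumed here is `access: access allowed ("<permission class>" "<name>" "<actions>")`, with the actions part absent for permissions that have none; check it against your own log before relying on it), deduplicates the requested permissions, and renders them as a `grant codeBase` block in policy-file syntax. The sample log is constructed for the example.

```python
import re
import sys

# Constructed sample of what -Djava.security.debug=access prints, one line per
# permission check, with the duplicates a real run produces in large numbers.
SAMPLE_LOG = """\
access: access allowed ("java.io.FilePermission" "/home/app/target/spring-petclinic.jar" "read")
access: access allowed ("java.lang.RuntimePermission" "accessDeclaredMembers")
access: access allowed ("java.util.PropertyPermission" "user.dir" "read")
access: access allowed ("java.io.FilePermission" "/home/app/target/spring-petclinic.jar" "read")
access: access allowed ("java.lang.RuntimePermission" "accessDeclaredMembers")
access: access allowed ("java.net.SocketPermission" "localhost:8080" "listen,resolve")
access: access denied ("java.lang.RuntimePermission" "setSecurityManager")
access: domain that failed ProtectionDomain (file:target/spring-petclinic.jar ...)
"""

# Assumed line format of the access debug output: the permission's toString(),
# i.e. ("class" "name") or ("class" "name" "actions"), after an allowed/denied verdict.
PERMISSION_RE = re.compile(
    r'^access: access (allowed|denied) \("([^"]+)" "([^"]*)"(?: "([^"]*)")?\)\s*$'
)


def parse_access_log(text):
    """Return the distinct (class, name, actions) tuples requested in the log, sorted.

    Both allowed and denied checks are kept: with an allow-everything policy
    nothing should be denied, but if something is, it is still a permission
    the application asked for.
    """
    perms = set()
    for line in text.splitlines():
        m = PERMISSION_RE.match(line)
        if not m:
            continue  # stack dumps, "domain that failed" lines, unrelated output
        _verdict, cls, name, actions = m.groups()
        perms.add((cls, name, actions or ""))
    return sorted(perms)


def _quote(s):
    """Escape a string for a policy-file string literal (backslashes, quotes)."""
    return s.replace("\\", "\\\\").replace('"', '\\"')


def render_policy(perms, codebase):
    """Render one grant block, one permission entry per distinct request."""
    lines = [f'grant codeBase "{_quote(codebase)}" {{']
    for cls, name, actions in perms:
        entry = f'  permission {cls} "{_quote(name)}"'
        if actions:
            entry += f', "{_quote(actions)}"'
        lines.append(entry + ";")
    lines.append("};")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Usage: python gen_policy.py access.log > app.policy
    # (falls back to the constructed sample when no file is given)
    log = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    sys.stdout.write(render_policy(parse_access_log(log), "file:target/spring-petclinic.jar"))
```

The generated file is a starting point, not the finished policy: `FilePermission` names are the absolute paths of the machine the capture ran on, so entries such as the JAR path above usually need to be rewritten with `${user.dir}` or a narrower pattern by hand, and the list is only as complete as the features exercised during the run.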

Nicolas Fränkel

Nicolas Fränkel is a Developer Advocate with 15+ years’ experience consulting for many different customers in a wide range of contexts (such as telecoms, banking, insurance, large retail and the public sector). He usually works on Java/Java EE and Spring technologies, with narrower interests in software quality, build processes and rich Internet applications. He currently works for Exoscale. He also doubles as a teacher in universities and higher-education schools, a trainer, and triples as a book author.