Crafting Java policy files, a practical guide

In one of my previous posts, I described how to create a custom policy file for securing one’s application.

The process was manual and incremental. Because of that, it was painstakingly long - and hence not really practical. I presented the process at some conferences, and one of the feedback was that it had to be automated. Of course, without automation, nobody would ever write such a policy file but for trivial applications.

This is the 4th post in the JVM Security focus series.Other posts include:

  1. The Java Security Manager: why and how?
  2. Proposal for a Java policy files crafting process
  3. Signing and verifying a standalone JAR
  4. Crafting Java policy files, a practical guide (this post)
  5. Beware the Attach API

And then it struck me: there’s a way to write the policy file under in a couple of hours, instead of days, for any application.

Even better, there’s no need for additional information, just a combination of what I already wrote about. Steps are as follow:

  1. Create an allow-everything policy file:
    grant codeBase "file:target/spring-petclinic.jar" {
      permission java.security.AllPermission;
  2. Launch the JAR with specific system properties, including security logging:
    java -Djava.security.manager \
         -Djava.security.policy==all.policy \
         -Djava.security.debug=access \
         -jar target/spring-petclinic.jar

This will output in the standard output every request for permissions. It’s then a no-brainer to redirect the output to a file, and process it manually i.e. deduplicate lines, and proceed as in the original post.

This time, however, there’s no need to create the policy file bit by bit: the complete file is available from the beginning.

Just be sure to build and run every available feature (and pages for webapps) to get an exhaustive list of all required permissions.

Nicolas Fränkel

Nicolas Fränkel

Developer Advocate with 15+ years experience consulting for many different customers, in a wide range of contexts (such as telecoms, banking, insurances, large retail and public sector). Usually working on Java/Java EE and Spring technologies, but with focused interests like Rich Internet Applications, Testing, CI/CD and DevOps. Also double as a trainer and triples as a book author.

Read More
Crafting Java policy files, a practical guide
Share this