Java Policy file - Deny permissions to a codebase

Question

In the Java policy file, the grant codeBase syntax specifies which codebase should be granted which permissions. for example,

grant codeB

Answer 1

I realize this is almost a year late but I think I am trying to do something similar.

There is a way to set the runtime permissions such that Java won't grant the global permissions. Then you can specify only the permissions you want granted for your app. The key is to run your app with the options below.

java -Djava.security.manager -Djava.security.policy==policyFile.txt MyClass

Note the double equals -Djava.security.policy==policyFile.txt. The double equals == means to use only the permissions in the named file as opposed to the single equal sign -Djava.security.policy=policyFile.txt which means use these permissions in addition to the inherited global permissions.

Then create a policy file excluding the permissions you want to deny:

// policyFile.txt
grant codeBase "file:/C:/abc.jar" {

    // list of permissions minus the ones you want to deny
    // for example, the following would give the application
    // ONLY AudioPermission and AWTPermission.  Other
    // permissions such as java.io.FilePermission would be
    // denied.

    permission javax.sound.sampled.AudioPermission;
    permission java.awt.AWTPermission;

}