Java Policy file - Deny permissions to a codebase

Question

In the Java policy file, the grant codeBase syntax specifies which codebase should be granted which permissions. for example,

grant codeB

Answer 1

You can use Prograde library, which implements policy file with deny rules.

Add following Maven dependency to your app

    net.sourceforge.pro-grade
    pro-grade
    1.0

And then enable it for your application by using standard system properties:

-Djava.security.manager=net.sourceforge.prograde.sm.ProgradeSecurityManager -Djava.security.policy==/path/to/your/application.policy

or you can just replace programatically the Policy implementation in your code:

System.setProperty("java.security.policy","/path/to/your/application.policy");
Policy.setPolicy(new ProgradePolicyFile());

The syntax of policy file stays similar to the standard implementation, but you can use deny instead of grant and you can also change priorities by using keyword priority (default value is "deny" - to stay backward compatible).

For instance, you can do sth. like:

grant {
    permission java.lang.RuntimePermission "*";
};

deny {
    permission java.lang.RuntimePermission "exitVM.*";
};

Other examples are here.