I am investigating java security manager. I see that 'grant' is required attribute for *.policy file and it is global. But how it will behave in case if I add 'grant codeBase' for the same resoure. For example:
grant codeBase "jar:file:${catalina.base}/webapps/examples/WEB-INF/lib/log4j-1.2.17.jar!/-" {
permission java.io.FilePermission "${catalina.base}/logs/-", "delete";
};
grant {
permission java.io.FilePermission "${catalina.base}/logs/-", "write";
};
Will log4j-1.2.17.jar has a permission to delete files in the log folder?
Can 'grant codeBase' override 'grant' section?
Thank you!
Related
I'm trying to enforce a security policy, giving Java classes signed by a certain signer certain permissions. My security policy file looks as following:
// ========== SYSTEM CODE PERMISSIONS =========================================
grant codeBase "file:${java.home}/conf/*" {
permission java.security.AllPermission;
};
// These permissions apply to all shared system extensions
grant codeBase "file:${java.home}/jre/lib/ext/*" {
permission java.security.AllPermission;
};
// These permissions apply to all shared system extensions
grant codeBase "file:${java.home}/lib/ext/*" {
permission java.security.AllPermission;
};
// ========== CLASS PERMISSIONS =========================================
keystore "file:/C:/Program Files/Java/openjdk-12/lib/security/cacerts";
keystorePasswordURL "file:/C:/Shared/Team/java-jar-signed/keystore.password";
grant signedBy "mycompany" {
permission java.security.AllPermission;
permission java.io.FilePermission "C:\\*", "read,write,execute";
permission java.io.FilePermission "C:\\", "read,write,execute";
};
The Keystore cacerts contains a certificate with the alias mycompany. The JAR file im testing the security policy with has been signed with the private key of that certificate. When I execute the JAR file with
java -Djava.security.manager -Djava.security.policy=rules.policy -Djava.security.debug=access -cp ReadC-signed.jar ReadC
I get
access: access denied ("java.io.FilePermission" "C:\" "read")
When I use codeBase "path/to/jar" instead of signedBy "mycompany" it works perfectly fine. Does anybody know what could be going wrong here?
I want to implement a security policy file in the following way :-
Restrict access to all files except for files in 3 directories, i.e. if code accesses files from these 3 directories, it should be allowed but file access for any other directory is restricted.
Grant all other permissions to the code base.
How can I proceed for creating policy file for this requirement.
You need to create next policy file (yourPolicy.policy):
grant codeBase "file:/location_of_your_code/-" {
permission java.io.FilePermission "/tmp/f1/*", "read, write";
permission java.io.FilePermission "/tmp/f2/*", "read, write";
permission java.io.FilePermission "/tmp/f3/*", "read, write";
};
And launch your code with next arguments:
java -Djava.security.manager -Djava.security.policy=yourPolicy.policy YourClassName
It will restrict access of your java program to only these three folders.
About requirement “grant all other permissions” it seems that you can’t grant all permissions and override some specific permissions (grant access to only three folders) using java policy syntax. Thus you need explicitly specify all permissions that you want to grant to your application.
Our Java policy file used to just be:
grant {
permission java.security.AllPermission;
};
I am trying to make our application more secure than just granting everything to everyone. I have it working well except I am having troubles giving permission to files.
The error I currently get is:
java.security.AccessControlException: access denied (java.io.FilePermission \\server.log write)
I have tried so many combinations of things, such as:
permission java.io.FilePermission "\\\\server.log", "write";
permission java.io.FilePermission "C:\\Temp\\logs\\server.log", "write";
permission java.io.FilePermission "\\server.log", "write";
permission java.io.FilePermission "${TEMP}${/}-", "write";
permission java.io.FilePermission "*", "read,write";
The only thing I can get it to work is using:
grant {
permission java.security.AllPermission;
};
I get the error "java.io.FileNotFoundException: \server.log (The filename, directory name, or volume label syntax is incorrect)" when using (even when the files do exist):
permission java.io.FilePermission "<<ALL FILES>>", "write";
Just wondering if anyone had any other ideas to try. I don't really want to have to resort to granting all just to get the file permissions right, obviously I am missing something.
EDIT:
I just realized that maybe this is a clue in the log file:
log4j:ERROR setFile(null,false) call failed.
Maybe I need some permissions for this specifically? Digging around Google now....
In Oracle documentation have some examples:
https://docs.oracle.com/javase/8/docs/technotes/guides/security/spec/security-spec.doc3.html
permission java.io.FilePermission "myfile", "read,write";
permission java.io.FilePermission "/home/gong/", "read";
permission java.io.FilePermission "/tmp/mytmp", "read,delete";
permission java.io.FilePermission "/bin/*", "execute";
permission java.io.FilePermission "*", "read";
permission java.io.FilePermission "/-", "read,execute";
permission java.io.FilePermission "-", "read,execute";
permission java.io.FilePermission "<<ALL FILES>>", "read";
permission java.io.FilePermission "c:\\temp\\foo", "read,write,delete")
\\this one works for me
I think the problem is because you are trying to write to a file without permission to read it.
permission java.io.FilePermission "C:\\folder\\*", "read, write";
For a school project I have to create a distributed system from a standalone application. We're using RMI for the communication, but we ran into some problems.
The server I created starts just fine, but the client (which uses some swing libraries etc.) was giving me a classNotFound exception. To fix this I added the libraries my project uses to "C:\Program Files\Java\jre6\lib\ext". I prefer to place to libs at the client (like I did with the builds).
Can someone tell me if this is possible and ifso, how?
The problems don't end here, if I start my client now I get an java.security.AccessControlException. I use a policy file, it looks like this:
grant
{ permission java.net.SocketPermission
"*:1024-65535", "connect,accept";
};
I also tried to add all the libs but this didn't help either:
grant codebase "file:${java.home}/../lib/ext/appframework-1.0.3.jar" {
permission java.security.AllPermission;
};
grant codebase "file:${java.home}/../lib/ext/beansbinding-1.2.1.jar" {
permission java.security.AllPermission;
};
grant codebase "file:${java.home}/../lib/ext/jcalendar-1.3.3.jar" {
permission java.security.AllPermission;
};
grant codebase "file:${java.home}/../lib/ext/looks-2.0.1.jar" {
permission java.security.AllPermission;
};
grant codebase "file:${java.home}/../lib/ext/swing-worker-1.1.jar" {
permission java.security.AllPermission;
};
grant codebase "file:${java.home}/../lib/ext/swingx-1.6.1.jar" {
permission java.security.AllPermission;
};
grant codebase "file:${java.home}/../lib/ext/swingx-bean.jar" {
permission java.security.AllPermission;
};
grant codebase "file:${java.home}/../lib/ext/swingx-ws-2011_01_16.jar" {
permission java.security.AllPermission;
};
grant
{ permission java.net.SocketPermission
"*:1024-65535", "connect,accept";
};
I hope that anyone can help me.
-Rob
Debugging java 2 security exceptions is a tedious trial and error process. I guess you are starting the client with a JVM switch to add tell it to use a security manager - add the following
-Djava.security.debug=access,failure
You'll get masses of debug information, but searcing it for "access denied" will show you what permissions need to be granted against which code base. It's not a scientific process - you just have to keep trying until you think you've fixed all the security problems.
grant {
permission java.security.AllPermission;
};
I am working on an HTML page that is using Javascript to interact with a Java applet. The HTML page, javascript files, and .jar file for the applet will be deployed locally to a folder on the user's filesystem.
(Implmenting this as a standalone Java application is not an option here; for various reasons I will not explain here).
The applet needs to do local file i/o. As such, I'm attempting to tweek the settings in the user's .java.policy file to permit this.
I have found the following setup is the only one that works:
grant
{
permission java.io.FilePermission "<<ALL FILES>>", "read";
permission java.io.FilePermission "<<ALL FILES>>", "write";
};
This is not ideal, as that it grants all applets permissions to read write all files. Naturally I would prefer to isolate to the particular code base. However I could not find a "grant codeBase" syntax that works.
I have tried:
grant codeBase "file:/C:/Files/FileIOApplet/-" {
permission java.io.FilePermission "<<ALL FILES>>", "read";
permission java.io.FilePermission "<<ALL FILES>>", "write";
};
grant codeBase "file:///-" {
permission java.io.FilePermission "<<ALL FILES>>", "read";
permission java.io.FilePermission "<<ALL FILES>>", "write";
};
grant codeBase "file:${user.home}/-"
{
permission java.io.FilePermission "<<ALL FILES>>", "read";
permission java.io.FilePermission "<<ALL FILES>>", "write";
};
This is running using this configuration:
Firefox 3.6.10
Java 1.6 update 25
Windows 7 64 bit
Where I am I going wrong in setting up this .java.policy file?
I am pretty rusty to the Java world, especially working with applets - so your expertise is appreciated!
To connect an Applet with access here are the policy tool settings:
Go to policyTool, you will find it in following path:
java->jdk1.3->bin->policyTool Application
There appears Policy Tool window.
In the Policy Tool window select the "Add Policy Entry" button.
This will take you to Policy Entry window
There enter the CodeBase as "file:/path of your java bin". For example
CodeBase file:/c:/java/jdk1.3/bin/
Now press "Add Permission" button in the Policy Entry window.
This will take you to the "Permissions" window
There Select "All permission" from permission drop down list box.
And click "ok".
Now again press the "Add Permission" button in the Policy Entry window.
Now Select "Select "RunTimepermission" from permission drop down list box.
Now in the Target Name drop down list box select "accessClassInpackage", in the text box enter accessClassInpackage.sun.jdbc.odbc
Now click "ok".
Now click "done" in "Policy Entry" window.
Now in the Policy Entry window file->save
Save it in "bin" of your Java installation.
Remember the name...
for example say..
appletpermission
'save'
Now you have a created policy file for access
Now to compile your java file at the command prompt
javac programname.java
To run your program type the following at the cmd prompt:
appletviewer -J-Djava.security.policy=appletpermission programname.java
Now everything is done.
don't waste your time with syntax, use the policy tool instead :
click here : Policy Tool