Saturday 15 July 2017

Introduction to policy file in Java

A policy file is a simple ASCII text file that specifies a set of rules. The Java security manager uses these rules to prevent the application from performing malicious actions.

Let me try to explain with an example.

PropertyUtil.java
package com.sample.util;

public class PropertyUtil {

 public static void printProperties() {

  String osName = System.getProperty("os.name");
  System.out.println("osName: " + osName);

  String javaVersion = System.getProperty("java.version");
  System.out.println("javaVersion: " + javaVersion);

  String userHome = System.getProperty("user.home");
  System.out.println("userHome: " + userHome);

  String javaHome = System.getProperty("java.home");
  System.out.println("javaHome: " + javaHome);

 }
}

Test.java
package com.sample.app;

import com.sample.util.PropertyUtil;

public class Test {
 public static void main(String args[]){
  PropertyUtil.printProperties();
 }
}

Output
osName: Windows 10
javaVersion: 1.8.0_131
userHome: C:\Users\Krishna
javaHome: C:\Program Files\Java\jre1.8.0_131

Now let’s run the same application ‘Test.java’ with the security manager enabled. By default the security manager is not enabled in Java applications; you need to enable it with the command-line option ‘-Djava.security.manager’.


How to enable security manager in Eclipse?

Go to the ‘Arguments’ tab and add '-Djava.security.manager' in the VM arguments section.


Click the ‘Run’ button and you will see the output below.

osName: Windows 10
javaVersion: 1.8.0_131
Exception in thread "main" java.security.AccessControlException: access denied ("java.util.PropertyPermission" "user.home" "read")
 at java.security.AccessControlContext.checkPermission(Unknown Source)
 at java.security.AccessController.checkPermission(Unknown Source)
 at java.lang.SecurityManager.checkPermission(Unknown Source)
 at java.lang.SecurityManager.checkPropertyAccess(Unknown Source)
 at java.lang.System.getProperty(Unknown Source)
 at com.sample.util.PropertyUtil.printProperties(PropertyUtil.java:13)
 at com.sample.app.Test.main(Test.java:7)

As the output shows, the Java runtime throws an 'AccessControlException' while reading the property 'user.home'. This is because, when you run a Java application with the security manager enabled, it uses the default Java policy file that comes with the Java installation and applies the permissions defined in that file.

Where is the Java policy file located?
It is in the 'lib\security' directory of the Java installation.

Windows: java.home\lib\security\java.policy
UNIX: java.home/lib/security/java.policy

Ex:
C:\Program Files (x86)\Java\jdk1.8.0_102\jre\lib\security


java.policy

// Standard extensions get all permissions by default

grant codeBase "file:${{java.ext.dirs}}/*" {
        permission java.security.AllPermission;
};

// default permissions granted to all domains

grant {
        // Allows any thread to stop itself using the java.lang.Thread.stop()
        // method that takes no argument.
        // Note that this permission is granted by default only to remain
        // backwards compatible.
        // It is strongly recommended that you either remove this permission
        // from this policy file or further restrict it to code sources
        // that you specify, because Thread.stop() is potentially unsafe.
        // See the API specification of java.lang.Thread.stop() for more
        // information.
        permission java.lang.RuntimePermission "stopThread";

        // allows anyone to listen on dynamic ports
        permission java.net.SocketPermission "localhost:0", "listen";

        // "standard" properies that can be read by anyone

        permission java.util.PropertyPermission "java.version", "read";
        permission java.util.PropertyPermission "java.vendor", "read";
        permission java.util.PropertyPermission "java.vendor.url", "read";
        permission java.util.PropertyPermission "java.class.version", "read";
        permission java.util.PropertyPermission "os.name", "read";
        permission java.util.PropertyPermission "os.version", "read";
        permission java.util.PropertyPermission "os.arch", "read";
        permission java.util.PropertyPermission "file.separator", "read";
        permission java.util.PropertyPermission "path.separator", "read";
        permission java.util.PropertyPermission "line.separator", "read";

        permission java.util.PropertyPermission "java.specification.version", "read";
        permission java.util.PropertyPermission "java.specification.vendor", "read";
        permission java.util.PropertyPermission "java.specification.name", "read";

        permission java.util.PropertyPermission "java.vm.specification.version", "read";
        permission java.util.PropertyPermission "java.vm.specification.vendor", "read";
        permission java.util.PropertyPermission "java.vm.specification.name", "read";
        permission java.util.PropertyPermission "java.vm.version", "read";
        permission java.util.PropertyPermission "java.vm.vendor", "read";
        permission java.util.PropertyPermission "java.vm.name", "read";
};


How to run the above program without error?
Adding the statements below to the java.policy file, inside the default grant block, lets the program run:
permission java.util.PropertyPermission "user.home", "read";
permission java.util.PropertyPermission "java.home", "read";

Note
Properties like "user.home" and "java.home" are security sensitive. It is recommended not to give the application permission to read the locations of the user home directory and the Java home directory.
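
The decision behind the exception above can be reproduced without enabling a security manager. This is an added example, not code from the original post: it evaluates property reads against a constructed subset of the default grants, then compares the two exact-name grants with wildcard grants, which goes one step beyond the case in the post. The class name PolicyCheckDemo and the list of sampled properties are assumptions, and it targets Java 8 like the rest of the post.

```java
import java.security.Permissions;
import java.util.PropertyPermission;

// Added example: the same implies() test that the security manager applies
// to every System.getProperty call, run against permission sets built by hand.
public class PolicyCheckDemo {

    // Properties sampled in each report (constructed list, not from the post).
    static final String[] SAMPLED =
            {"os.name", "java.version", "user.home", "java.home", "user.name"};

    // Constructed subset of the default grant block in java.policy.
    static Permissions defaultGrants() {
        Permissions granted = new Permissions();
        granted.add(new PropertyPermission("os.name", "read"));
        granted.add(new PropertyPermission("java.version", "read"));
        return granted;
    }

    // True when the granted set covers a read of the named property.
    static boolean canRead(Permissions granted, String property) {
        return granted.implies(new PropertyPermission(property, "read"));
    }

    static void report(String label, Permissions granted) {
        System.out.println(label);
        for (String name : SAMPLED) {
            String verdict = canRead(granted, name) ? "allowed" : "denied";
            System.out.println("  " + name + " -> " + verdict);
        }
    }

    public static void main(String[] args) {
        report("default grants only:", defaultGrants());

        // Exact names: only the two properties the program reads are opened.
        Permissions exact = defaultGrants();
        exact.add(new PropertyPermission("user.home", "read"));
        exact.add(new PropertyPermission("java.home", "read"));
        report("with the two exact grants:", exact);

        // A trailing ".*" matches every property under that prefix.
        Permissions wildcard = defaultGrants();
        wildcard.add(new PropertyPermission("user.*", "read"));
        wildcard.add(new PropertyPermission("java.*", "read"));
        report("with wildcard grants:", wildcard);
    }
}
```

Under the wildcard grants "user.name" becomes readable as well, so the exact-name form is the narrower choice when a property must be opened.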




