26.3 Java Security Policies

Security policies impose restrictions on code execution and on access to resources. The general security configuration is recorded in the properties file ${java.home}/conf/security/java.security, where the system property java.home points to the root directory of the Java runtime image, or of the JDK installation, on a given machine. This file contains name-value pairs that describe general security settings, references to certificate keystore files, and references to the security policy files (java.policy) that may be located elsewhere.

Here is an example of the entries in the java.security properties file that reference policy files (the JDK's default policy first, then an additional file of your own):


policy.url.1=file:${java.home}/conf/security/java.policy
policy.url.2=file:/anypath/java.policy

These Java security policy files configure the security restrictions and permissions, that is, the access to resources and the right to execute privileged code that is granted to a specific codebase. The term codebase describes a location from which Java code is loaded, such as a directory or a URL, but most typically a JAR archive. Each security policy is expressed as a grant that applies to code from a given codebase, to code carrying a given digital signature, or to both; the signature lets the policy authenticate the origin of the code rather than trusting its location alone. A grant with neither clause applies to all code.

Here is an example of a java.policy file structure:


keystore "xyz.keystore";
grant codeBase "file:/application.jar" signedBy "abc" {
  permission java.net.SocketPermission "localhost:8080", "listen";
  permission java.io.FilePermission "/FileSystemPath", "read,write";
};

The example above names a keystore and specifies a number of permissions. The keystore file is a protected store of keys and certificates. The policy uses it to look up the public key certificate behind each signedBy alias, so that a digital signature on a JAR can be tied to the grant for that codebase. Keystores are created and maintained with the keytool utility.

A grant is configured for a specific codebase, here given by the location of a JAR file containing the classes to which the grant applies. In other words, classes loaded from this archive are allowed to perform the restricted actions listed in the grant. A location alone can be replaced or spoofed, so the grant can additionally require a signature: the signedBy property names an alias in the keystore, and the grant then applies only to a JAR signed with the private key matching that alias's certificate.

In the grant specification, this policy descriptor defines a number of permissions. One permission allows classes contained within the codebase to listen on the address given by the host and the specified port. Another permission allows read and write access to a specific file system path. The exact meaning of a permission's name and actions depends on the permission type, such as the socket and file permissions used in this example. Custom permissions can also be created by extending java.security.Permission, or more conveniently java.security.BasicPermission for simple named permissions with wildcard matching.

Once security policies are defined, code can check at run time whether a permission has been granted to it. Note that the Java class libraries only consult these policies when the JVM is started with a security manager (-Djava.security.manager, optionally with -Djava.security.policy to name the policy file). The Security Manager was deprecated for removal in JDK 17 (JEP 411) and permanently disabled in JDK 24 (JEP 486), so policy enforcement is only available on earlier releases.


import java.io.FilePermission;
import java.net.SocketPermission;
import java.security.AccessControlException;
import java.security.AccessController;

SocketPermission socketPermission
        = new SocketPermission("localhost:8080", "listen");     // (1)
FilePermission filePermission
        = new FilePermission("/FileSystemPath", "read,write");  // (2)
try {
  AccessController.checkPermission(socketPermission);           // (3)
  AccessController.checkPermission(filePermission);             // (4)
  // (5) ...
} catch (AccessControlException e) {
  // (6) ...
}

The numbered comments below correspond to the numbered lines in the code:

(1)–(2) A number of permission objects can be initialized to match permissions configured through the security policy descriptor.

(3)–(4) The AccessController class is used to check whether such permissions were indeed granted. The checkPermission() method walks the call stack and requires the permission to be granted to the protection domain of every class on it, as determined by the codebase and signers referenced by the grants, not only to the class making the call, unless a caller has marked a boundary with doPrivileged(). It throws an AccessControlException if the permission was not granted.

(5) Once permissions are verified, the program can proceed to perform restricted actions.

(6) Handle exceptions that are thrown when requested access does not match permissions configured by the policies.
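The following is an added example, not code from the book, that ties the grant syntax from the policy file above to the programmatic check. Instead of running an application under a security manager, it loads a policy file through the public Policy.getInstance("JavaPolicy", URIParameter) API and asks which permissions the policy would grant to classes from a given codebase, which is a useful way to lint a policy before deploying it. The policy text, the /opt/app paths and the custom permission class PolicyCheck$ReportExportPermission are all constructed for this example and are hypothetical; the program is written for JDK 17 or 21.

```java
import java.io.FilePermission;
import java.net.SocketPermission;
import java.net.URI;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.BasicPermission;
import java.security.CodeSource;
import java.security.Permission;
import java.security.Policy;
import java.security.ProtectionDomain;
import java.security.URIParameter;
import java.security.cert.Certificate;
import java.util.PropertyPermission;

/**
 * Pre-deployment check of a policy file: load it with the public
 * Policy.getInstance("JavaPolicy", URIParameter) API and ask which
 * permissions it grants to a given codebase. No security manager is
 * installed; only the policy text is evaluated. Written for JDK 17/21.
 */
@SuppressWarnings("removal")
public class PolicyCheck {

    // Constructed sample policy for this example; the /opt/app paths are hypothetical.
    static final String SAMPLE_POLICY = String.join("\n",
        "// No codeBase and no signedBy: applies to code from any location.",
        "grant {",
        "  permission java.util.PropertyPermission \"java.version\", \"read\";",
        "};",
        "// Only the application JAR may listen on 8080, write under data/",
        "// and use the custom permission defined at the bottom of this file.",
        "grant codeBase \"file:/opt/app/application.jar\" {",
        "  permission java.net.SocketPermission \"localhost:8080\", \"listen\";",
        "  permission java.io.FilePermission \"/opt/app/data/-\", \"read,write\";",
        "  permission PolicyCheck$ReportExportPermission \"quarterly\";",
        "};",
        "// JARs directly under lib/ get read-only access to data/ and nothing else.",
        "grant codeBase \"file:/opt/app/lib/*\" {",
        "  permission java.io.FilePermission \"/opt/app/data/-\", \"read\";",
        "};",
        "");

    /** Loads a policy file using the standard "JavaPolicy" provider type. */
    static Policy load(Path policyFile) throws Exception {
        return Policy.getInstance("JavaPolicy", new URIParameter(policyFile.toUri()));
    }

    /**
     * The protection domain the runtime would assign to unsigned classes loaded
     * from this codebase URL. Grants with a signedBy clause do not match it;
     * they require the signer's certificate in the CodeSource.
     */
    static ProtectionDomain domainFor(String codebaseUrl) throws Exception {
        CodeSource cs = new CodeSource(URI.create(codebaseUrl).toURL(), (Certificate[]) null);
        return new ProtectionDomain(cs, null);
    }

    /** True if the policy grants permission p to code loaded from codebaseUrl. */
    static boolean granted(Policy policy, String codebaseUrl, Permission p) throws Exception {
        return policy.implies(domainFor(codebaseUrl), p);
    }

    static void report(String label, boolean ok) {
        System.out.println(label + " -> " + (ok ? "GRANTED" : "denied"));
    }

    public static void main(String[] args) throws Exception {
        Path file = Files.createTempFile("app", ".policy");
        Files.writeString(file, SAMPLE_POLICY, StandardCharsets.UTF_8);
        Policy policy = load(file);
        String app = "file:/opt/app/application.jar";
        String lib = "file:/opt/app/lib/helper.jar";
        String other = "file:/tmp/unknown.jar";
        Permission data = new FilePermission("/opt/app/data/reports/q1.csv", "read,write");

        report("app   listen 8080 ", granted(policy, app, new SocketPermission("localhost:8080", "listen")));
        report("app   connect 8080", granted(policy, app, new SocketPermission("localhost:8080", "connect")));
        report("app   rw data/    ", granted(policy, app, data));
        report("lib   rw data/    ", granted(policy, lib, data));
        report("lib   r  data/    ", granted(policy, lib, new FilePermission("/opt/app/data/reports/q1.csv", "read")));
        report("app   export      ", granted(policy, app, new ReportExportPermission("quarterly")));
        report("other export      ", granted(policy, other, new ReportExportPermission("quarterly")));
        report("other property    ", granted(policy, other, new PropertyPermission("java.version", "read")));
        Files.deleteIfExists(file);
    }

    /**
     * Custom permission (hypothetical). BasicPermission gives name-only
     * permissions with trailing-'*' wildcards. The policy names this class and
     * the runtime instantiates it lazily by reflection, so the class and both
     * constructors must be public.
     */
    public static class ReportExportPermission extends BasicPermission {
        public ReportExportPermission(String name) { super(name); }
        public ReportExportPermission(String name, String actions) { super(name, actions); }
    }
}
```

Compile with javac PolicyCheck.java and run with java PolicyCheck. The same evaluation is what the runtime performs for every protection domain on the call stack when checkPermission() is invoked under a security manager; to enforce the file at run time on JDK 17 or 21, start the application with -Djava.security.manager -Djava.security.policy=app.policy (a single = adds the file to the policy.url list from java.security, == makes it the only policy). A grant with a signedBy clause additionally needs a keystore entry in the policy and a JAR signed with jarsigner under the named alias; the unsigned protection domain built here would not match it.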
