[security-dev] Java Security Policy with denying rules

Ondra Lukas olukas at redhat.com
Fri Jan 17 02:43:02 EST 2014 

Hi,
I've implemented Java Security Manager and Policy for using denying rules and I think that maybe someone will be interested in it. Standard Java Policy [1] uses only granting permissions and there are cases when denying rules are more comfortable than granting rules. I would like to know your opinion and get some feedback if you'll be interested. Project is called Prograde (Policy Rules Of GRanting And DEnying) and you can use it as maven artifact:

<dependency>
  <groupId>net.sourceforge.pro-grade</groupId>
  <artifactId>pro-grade</artifactId>
  <version>1.0</version>
</dependency>

Project is also available through github [2] and some tests are in progradeTests project [3]. 

In the README files of these two github projects is some information about using policy with denying rules. Usage is similar as with standard policy, but you can write also deny entry (keyword "deny") instead of grant. There is a new entry named "priority" which is set to grant or deny value - it says whether grant or deny rule is used if they are in conflict. Some examples of policy files are used in [3].

I think that the main advantage of this type of policy rules and Prograde project is simplification of testing. Sometimes you want to know what behavior will your application have in case that some specific permission isn't granted. In this case you need to grant everything except that permission, so a denying rule is the best option.

There are also some imperfections, but I think that they are not so important:
- Prograde is not able to work with general expansion [4]. (property expansion works fine)
- Path used in codebase entry must contain only a-z, A-Z, 0-9 and some symbols defined in encodeSpecialCharacters protected method of net.sourceforge.prograde.policy.ProgradePolicyFile class. 

I am planning to fix it in future releases.

I hope Prograde will be helpful for somebody and I'll be happy for every feedback.

Best regards,
Ondrej Lukas

[1] http://docs.oracle.com/javase/7/docs/technotes/guides/security/PolicyFiles.html
[2] https://github.com/olukas/pro-grade
[3] https://github.com/olukas/progradeTests
[4] http://docs.oracle.com/javase/7/docs/technotes/guides/security/PolicyFiles.html#GeneralExp

More information about the security-dev mailing list