Is it possible to write an exclusive Java security policy for the default security manager?

I would like to write a java security policy that allows all permissions except a certain type.

An example could be:

  • application
  • can only read system properties called MY_ACCESSIBLE_SYSTEM_PROP_1


  • the application cannot read other system properties.
  • the application cannot write any system properties
  • there are no other security restrictions in the application.

The security policy for this might look like this:

grant {
    permission java.util.PropertyPermission "MY_ACCESSIBLE_SYSTEM_PROP_1", "read";
    permission java.util.PropertyPermission "MY_ACCESSIBLE_SYSTEM_PROP_2", "read";


... but what can I add to allow all other permissions exceptjava.util.PropertyPermission


I read a lot of documentation and started thinking that this is not possible with the default Java Security Manager. Should I just write my own security manager that allows any permissions outside of my scope?


source to share

1 answer

By default, the SecurityManager simply looks at the set policy (Policy.getPolicy () is returned) to see if the given permission should be granted.

The default policy implementation (which grants permissions based on the policy file) does not allow you to define exceptions to the permissions that have been granted, so there is no way to grant code permission for anything other than some set of listed permissions.

If you require this behavior, you must implement a custom policy (see )



All Articles