The pro-grade library provides implementation of custom Java Security Managers and Security Policies. The main component is the Java Security Policy implementation with denying rules - extension to standard grant rules.
Download the latest binaries from the SourceForge project pages.
Security Managers
pro-grade library uses custom Java Security Managers to install Security Policy objects by standard Java way.
Just use the right value for java.security.manager system property and add it to java arguments. E.g.
java -Djava.security.manager=net.sourceforge.prograde.sm.DumpMissingPermissionsJSM ...
The library contains following security manager implementations:
- ProGrade policy
- policy generator
- permissions debugger
ProGrade Policy
Let’s deny it!
net.sourceforge.prograde.sm.ProGradeJSM
Extension to standard Java Security Manager which adds deny rules to policy files.
Don’t let the grant rules overgrow your application. Utilize the possibility of better control what’s granted to whom.
ProGrade Policy example
priority "deny"; // grant full access to /tmp folder grant { permission java.io.FilePermission "/tmp/-", "read,write"; }; // deny write access for a single subfolder in /tmp deny { permission java.io.FilePermission "/tmp/static/-", "write"; };
Policy Generator
Create policy files without pain!
net.sourceforge.prograde.sm.PolicyFileGeneratorJSM
Policy file generator which creates Java policy files. The generated policies can be used together with the standard SecurityManager or ProGrade.
Policy Debugger
Show me, what’s missing in my policy!
net.sourceforge.prograde.sm.DumpMissingPermissionsJSM
Simple and comfortable way to find, what permissions are missing in your policy files. Stop fighting against denied permissions one by one using obsolete -Djava.security.debug property. Print only information which really counts.
This Security Manager prints permissions missing in your policy to error stream.
>> Denied permission java.util.PropertyPermission "com.acme.tapp.debug", "read"; >>> CodeSource: (file:/opt/acme/t-app/t-app.jar <no signer certificates>)
Usage
You can either specify the Security Manager implementation as java command line argument or use the Java API.
Command line arguments
java -classpath [ORIGINAL_CP:]/path/to/prograde.jar \ -Djava.security.manager=net.sourceforge.prograde.sm.ProGradeJSM \ -Djava.security.policy=/path/to/prograde.policy \ ...
Executable JARs
The -classpath (-cp) java argument is not used when an application is started using -jar Java argument. In such case either add pro-grade.jar to the classpath referenced from the META-INF/MANIFEST.MF in the jar or use the classic way for starting Java apps:
java -classpath pro-grade.jar:<ApplicationClasspath> [otherJvmArgs] <MainClassOfTheApplication> [ApplicationParams]
Java API
Simply set the security manager which will install correct policy for you.
System.setSecurityManager(new ProGradeJSM());
You can also use another way. If you already have a security manager installed and you only want to use some of pro-grade policy implementations:
System.setProperty("java.security.policy","/path/to/prograde.policy"); java.security.Policy.setPolicy(new net.sourceforge.prograde.policy.ProGradePolicy());