6

Java jars can be signed with the JDK jarsigner tool. This, in conjunction with the policytool, appears to only allow you to add privileges to the jar when it is run. I would like a default "Revoke access to run." Is it possible to make Java do white-listing in such a way that only jar files that have been signed by a certain set of certificates are allowed to run at all?

0xdabbad00

3 Answers

5

As I understand it, this is on your computer, which you can control. Use

 java -Djava.security.manager YourApplication

when starting the application. This installs the default security manager, which can be configured through policy files. Policy files allow you to configure permissions per signer or per code base, along these lines:

  grant signedBy "me" {
      permission java.io.FilePermission "/home/me/*", "read,write";
  };

Among the various possible permissions, I currently do not see a permission to "run at all", but it seems you can completely disable both networking and filesystem access.

If you have the possibility to run your own external application that is a decision maker (to launch or not to launch), you can verify the signature from your code, as already discussed.

Also, you can write a wrapper around jarsigner with the -verify switch, as documented here:

 jarsigner -verify -keystore mystore hackerApplication.jar

and capture the "smk" in the output, using some bash-like wrapper.

Audrius Meškauskas
  • That was my conclusion as well. I'm looking for possibly an external application that might be able to enforce this. Ideally, for Windows. – 0xdabbad00 Jan 13 '13 at 17:59
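
One way to do the in-code check mentioned in the answer above, as an added example that is not code from the question or from any of the answers: it refuses a jar unless every entry verifies and was signed by a certificate stored in the keystore. The class name `SignedJarGate` and the command-line argument order are assumptions, and the check pins the signer's own certificate without looking at expiry or revocation.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.CodeSigner;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.util.Collections;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;
public class SignedJarGate {                       // hypothetical class name
    // True only if every payload entry verifies and has a signer in 'trusted'.
    static boolean signedByTrusted(String jarPath, KeyStore trusted) throws Exception {
        int checked = 0;
        byte[] buf = new byte[8192];
        try (JarFile jar = new JarFile(jarPath, true)) {   // true = verify signatures
            for (JarEntry e : Collections.list(jar.entries())) {
                if (e.isDirectory() || isSignatureFile(e.getName())) continue;
                try (InputStream in = jar.getInputStream(e)) {
                    while (in.read(buf) != -1) { }         // signers are known only after a full read
                }
                if (!hasTrustedSigner(e.getCodeSigners(), trusted)) return false;
                checked++;
            }
        } catch (SecurityException tampered) {             // digest or signature mismatch
            return false;
        }
        return checked > 0;                                // an empty jar proves nothing
    }
    static boolean isSignatureFile(String name) {          // these files are not themselves signed
        String n = name.toUpperCase(java.util.Locale.ROOT);
        return n.startsWith("META-INF/") && n.indexOf('/', 9) < 0
            && (n.endsWith("/MANIFEST.MF") || n.matches(".*\\.(SF|DSA|RSA|EC)"));
    }
    static boolean hasTrustedSigner(CodeSigner[] signers, KeyStore trusted) throws Exception {
        if (signers == null) return false;                 // unsigned entry
        for (CodeSigner s : signers) {
            Certificate leaf = s.getSignerCertPath().getCertificates().get(0);
            if (trusted.getCertificateAlias(leaf) != null) return true;
        }
        return false;
    }
    // Assumed usage: java SignedJarGate <keystore> <storepass> <jar>; exit code 0 = allowed.
    public static void main(String[] args) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(args[0])) {
            ks.load(in, args[1].toCharArray());
        }
        System.exit(signedByTrusted(args[2], ks) ? 0 : 1);
    }
}
```

A wrapper would start `java -jar` only when this exits with 0, reading the jar from a location that other users cannot write to, since the check and the launch are separate steps.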
1

For Java PlugIn and WebStart on the Oracle JRE since 7u10 there is a relevant custom security setting in the Java Control Panel. Under "Action for untrusted apps on a secure JRE version" select "Don't run". See Setting the Security Level of the Java Client.

Tom Hawtin - tackline
  • I want to not only restrict unsigned java code, but restrict all java code, for example, that is not signed with my company's certificate. – 0xdabbad00 Jan 15 '13 at 12:06
0

If this is for a browser based application, this can be accomplished using a deployment rule set.

https://blogs.oracle.com/java-platform-group/entry/introducing_deployment_rule_sets

http://docs.oracle.com/javase/7/docs/technotes/guides/jweb/security/deployment_rules.html

Brett Okken