
I want to configure the jdk so that if I were to do java -jar myjar.jar then myjar would only execute if it has been signed (by a particular signer). I found this answer but I'm not sure editing policy files is the solution. From my understanding by reading here, it seems that you can only grant/restrict permissions for apps to read/write certain targets, not grant/restrict permission for the app itself to run. For example, using an example from the policy files docs, I can add

  grant signedBy "Duke" {
      permission java.io.FilePermission "/tmp/*", "read,write";
  };

to allow jars signed by "Duke" to read/write files in /tmp/ but I can't add a restriction so that only jars signed by "Duke" may run in the first place.

I'm aware of the ability to use jarsigner -verify to verify the jars but I'm hoping for a solution that configures the Java runtime itself. Is there a way to achieve this using policy files or some other way?

Thanks

jvs

1 Answer


To the best of my knowledge this is not possible using the security policy. Prohibiting the execution of JARs doesn't make sense in the current security concept of Java.

You may however extend the security manager class of Java to achieve your desired functionality. Note though, that this is probably not a simple task.

D.O.
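A different route from both the policy file and the custom security manager discussed above is a small launcher that refuses to load a JAR unless every entry is signed by one pinned certificate. This is an added example, not code from the question or the answer; the class name `SignedJarLauncher` and the `PINNED_SHA256` placeholder are assumptions, and it needs Java 17 or later for `HexFormat`.

```java
import java.io.File;
import java.io.InputStream;
import java.net.URL;
import java.net.URLClassLoader;
import java.security.CodeSigner;
import java.security.MessageDigest;
import java.util.Arrays;
import java.util.Collections;
import java.util.HexFormat;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

// Added example (hypothetical class): run a JAR only if every entry is signed by a pinned certificate.
public class SignedJarLauncher {
    // Placeholder: lowercase hex SHA-256 of the trusted signer certificate (DER encoding).
    static final String PINNED_SHA256 = "REPLACE_WITH_SIGNER_CERT_SHA256";

    // Signature-related files are not themselves signed, so they are skipped.
    static boolean isSignatureFile(String name) {
        return name.matches("(?i)META-INF/(MANIFEST\\.MF|[^/]+\\.(SF|DSA|RSA|EC)|SIG-[^/]*)");
    }

    static boolean signedByPinned(JarEntry e) throws Exception {
        CodeSigner[] signers = e.getCodeSigners();   // null when the entry is unsigned
        if (signers == null) return false;
        MessageDigest md = MessageDigest.getInstance("SHA-256");
        for (CodeSigner s : signers) {
            byte[] der = s.getSignerCertPath().getCertificates().get(0).getEncoded();
            if (HexFormat.of().formatHex(md.digest(der)).equals(PINNED_SHA256)) return true;
        }
        return false;
    }

    public static void main(String[] args) throws Exception {
        File jar = new File(args[0]);
        String mainClass;
        try (JarFile jf = new JarFile(jar, true)) {  // true = verify signatures while reading
            for (JarEntry e : Collections.list(jf.entries())) {
                if (e.isDirectory() || isSignatureFile(e.getName())) continue;
                // Signers exist only after a full read; a tampered entry throws SecurityException.
                try (InputStream in = jf.getInputStream(e)) { in.readAllBytes(); }
                if (!signedByPinned(e)) throw new SecurityException("untrusted entry: " + e.getName());
            }
            mainClass = jf.getManifest().getMainAttributes().getValue("Main-Class");
        }
        String[] rest = Arrays.copyOfRange(args, 1, args.length);
        URLClassLoader cl = new URLClassLoader(new URL[] { jar.toURI().toURL() });
        cl.loadClass(mainClass).getMethod("main", String[].class).invoke(null, (Object) rest);
    }
}
```

The check only binds users who start applications through the launcher, and the JAR must not be writable by anyone else between verification and loading.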