I'm trying to enforce a security policy, giving Java classes signed by a certain signer certain permissions. My security policy file looks as following:
// ========== SYSTEM CODE PERMISSIONS =========================================
grant codeBase "file:${java.home}/conf/*" {
permission java.security.AllPermission;
};
// These permissions apply to all shared system extensions
grant codeBase "file:${java.home}/jre/lib/ext/*" {
permission java.security.AllPermission;
};
// These permissions apply to all shared system extensions
grant codeBase "file:${java.home}/lib/ext/*" {
permission java.security.AllPermission;
};
// ========== CLASS PERMISSIONS =========================================
keystore "file:/C:/Program Files/Java/openjdk-12/lib/security/cacerts";
keystorePasswordURL "file:/C:/Shared/Team/java-jar-signed/keystore.password";
grant signedBy "mycompany" {
permission java.security.AllPermission;
permission java.io.FilePermission "C:\\*", "read,write,execute";
permission java.io.FilePermission "C:\\", "read,write,execute";
};
The Keystore cacerts contains a certificate with the alias mycompany. The JAR file im testing the security policy with has been signed with the private key of that certificate. When I execute the JAR file with
java -Djava.security.manager -Djava.security.policy=rules.policy -Djava.security.debug=access -cp ReadC-signed.jar ReadC
I get
access: access denied ("java.io.FilePermission" "C:\" "read")
When I use codeBase "path/to/jar" instead of signedBy "mycompany" it works perfectly fine. Does anybody know what could be going wrong here?
