2

I'm the owner of a platform which allows anyone to upload their own products (jar files), I'm looking to secure the platform using java policy files.

I'm using JRE azul-1.8.9_345,

I'm testing with this program,

    public static void main(String[] args) {
        String url = "http://www.java2s.com/Code/JarDownload/test/test.jar.zip";

        try {
            download(url, "C:\\Users\\User\\Desktop\\Test.jar");
        } catch (IOException exception) {
            exception.printStackTrace();
        }
    }

    private static void download(String urlStr, String file) throws IOException{
        URL url = new URL(urlStr);
        BufferedInputStream bis = new BufferedInputStream(url.openStream());
        FileOutputStream fis = new FileOutputStream(file);
        byte[] buffer = new byte[1024];
        int count=0;
        while((count = bis.read(buffer,0,1024)) != -1)
        {
            fis.write(buffer, 0, count);
        }
        fis.close();
        bis.close();
    }

I would like to use policy files to prevent this program from running,

None of my attempts so far have worked, I'm starting to wonder this might be a unsupported feature, and it might not work anymore.

This is my policy

grant CodeBase "file:HelloWorld.jar" {
    permission java.io.FilePermission "C:\Users\User\Desktop\", "read";
};

I've tried using other permissions but they seem to do nothing as well, I appreciate the help.

Could someone layout, why this doesn't work?, why I need to specify the file?, even though given when I run the jar, where to find a list of permissions and their arguments? (permission java.io.ExamplePermission (args), (args))

Launcher\files\azul-1.8.9_345\bin\java.exe -jar HelloWorld.jar -Djava.security.manager -Djava.security.policy=C:\Users\User\Desktop\policy.policy

I've attempted using other permissions, they didn't effect the program either.

8Sence W
  • 23
  • 3
  • "None of my attempts so far have worked" - how do you know that? What does "not work" mean? – Johannes Kuhn Feb 23 '23 at 02:01
  • The program completed successfully, if it worked it should've displayed a NoPermissionException. – 8Sence W Feb 23 '23 at 04:54
  • I'm not sure why this isn't working for you, but I'll point out that `SecurityManager` is [deprecated for removal as of Java 17](https://docs.oracle.com/en/java/javase/17/docs/api/java.base/java/lang/SecurityManager.html), partly because it has never been able to provide guaranteed protection against malicious code. The rationale is detailed in [JEP 411](https://openjdk.org/jeps/411). Even though it should work in Java 8, this is a dead end road and I would recommend looking for another approach. Something like Linux containers (i.e., Docker or similar) might provide a better solution. – Tim Moore Feb 23 '23 at 10:25

1 Answers1

1

You don't pass any VM parameters to enable a security manager.

Your current command line is:

java -jar HelloWorld.jar -Djava.security.manager -Djava.security.policy=...

This means, -Djava.security.manager -Djava.security.policy=... are passed as program arguments, not as VM arguments.

VM arguments have to appear before the -jar file or classname.
Arguments after that are treated as program arguments and passed as args to the main method.

To fix that, use

Launcher\files\azul-1.8.9_345\bin\java.exe -Djava.security.manager -Djava.security.policy=C:\Users\User\Desktop\policy.policy -jar HelloWorld.jar

Then the format of your policy file is not correct.
Inside ", \ needs to be escaped with \\.

Also, the codebase does not use relative file names, instead file URLs.

So, the policy file should look like this:

grant codebase "file:/C:/Users/User/Desktop/HelloWorld.jar" {
    permission java.io.FilePermission "C:\\Users\\User\\Desktop\\-", "read";
};

If your policy file contains errors, it might simply not be used, making debugging difficult.

Johannes Kuhn
  • 14,778
  • 4
  • 49
  • 73