2

So, I setup a custom Policy and enabled the SecurityManager and decided that I don't need any file permissions for my app.

But if I try to open a URL with the https protocol, I get this error:

access: access denied ("java.io.FilePermission" "jdk1.8.0/jre/lib/ext/amd64/libsunec.so" "read")

java.lang.Exception: Stack trace
    at java.lang.Thread.dumpStack(Thread.java:1329)
    at java.security.AccessControlContext.checkPermission(AccessControlContext.java:447)
    at java.security.AccessController.checkPermission(AccessController.java:884)
    at java.lang.SecurityManager.checkPermission(SecurityManager.java:549)
    at java.lang.SecurityManager.checkRead(SecurityManager.java:888)
    at java.io.File.exists(File.java:814)
    at sun.misc.Launcher$ExtClassLoader.findLibrary(Launcher.java:222)
    at java.lang.ClassLoader.loadLibrary(ClassLoader.java:1820)
    at java.lang.Runtime.loadLibrary0(Runtime.java:870)
    at java.lang.System.loadLibrary(System.java:1119)
    at sun.security.ec.SunEC$1.run(SunEC.java:60)
    at sun.security.ec.SunEC$1.run(SunEC.java:58)

So, some class within the JRE is not able to load a native library because it doesn't get the file read permission.

Is there a good way to setup a permissive policy for JDK's own classes?

HRJ
  • 17,079
  • 11
  • 56
  • 80

1 Answers1

0

It seems there is no way to separate the permissions for JDK from the permissions for my code. Both of them are loaded by the "null" class loader, so both get the same permissions. If there is a better way, please let me know.

Right now I am allowing this permission for the null-class loader:

final String recursiveSuffix = File.separator + "-";
final String javaPath = System.getProperty("java.home") + recursiveSuffix;
new FilePermission(javaPath, "read,execute");
HRJ
  • 17,079
  • 11
  • 56
  • 80