-1

In my web application I am providing platform to run external codes which will be stored in a particular location say "C:\Users\test".

I want to deny permission for System.getProperty("user.home") to read and write and not be able to make any http connection through the codes. How to achieve this?

I also have another question related to it , that is, as we all know that we cannot deny permissions from policy text file , so can anyone let me know what are the permissions given when we mention permission java.security.AllPermission; in policy file?

smondal345
  • 65
  • 1
  • 10

1 Answers1

2

Default security policy is contained in catalina.policy file in Tomcat's configuration directory. To apply this file you should run Tomcat with -security option. More information is given in Tomcat's Security Manager HOW-TO

permission java.security.AllPermission grants permissions to do anything. It should be applied only to completely trusted code, e.g. system or Tomcat's libraries. This is the case for the default catalina.policy.

kgeorgiy
  • 1,477
  • 7
  • 9
  • Please check my question. I am asking how to deny permissions @kgeorgiy – smondal345 Nov 05 '16 at 07:25
  • 1
    There is no permission revocation mechanics in [.policy files](http://docs.oracle.com/javase/8/docs/technotes/guides/security/PolicyFiles.html). To "deny" something you should not give your permission to do this. – kgeorgiy Nov 05 '16 at 07:30
  • can you tell the list of permissions given to the user while using permission java.security.AllPermission command ? – smondal345 Nov 05 '16 at 07:32
  • There is no closed list of all possible permissions. For example, there is a separate `FilePermission` for each file. Even the list of permission _types_ granted by `AllPermissions` depends on the version of Java Platform, e.g. `URLPermission` was added only in Java 8. – kgeorgiy Nov 05 '16 at 07:43
  • So if I want to remove the permission of reading a particular property of System(such as user.home) and I want to keep other permissions as granted by permission java.security.AllPermission. – smondal345 Nov 05 '16 at 09:17
  • 1
    There is no way to do this. You should grant `PropertyPermission` to really used properties instead. – kgeorgiy Nov 05 '16 at 09:21
  • Do you know about pro-grade library and how to use it? as there is a way to deny permissions also @kgeorgiy – smondal345 Nov 07 '16 at 14:57