How to use Java Policy files

Question

I'm the owner of a platform which allows anyone to upload their own products (jar files), I'm looking to secure the platform using java policy files.

I'm using JRE azul-1.8.9_345,

I'm testing with this program,

    public static void main(String[] args) {
        String url = "http://www.java2s.com/Code/JarDownload/test/test.jar.zip";

        try {
            download(url, "C:\\Users\\User\\Desktop\\Test.jar");
        } catch (IOException exception) {
            exception.printStackTrace();
        }
    }

    private static void download(String urlStr, String file) throws IOException{
        URL url = new URL(urlStr);
        BufferedInputStream bis = new BufferedInputStream(url.openStream());
        FileOutputStream fis = new FileOutputStream(file);
        byte[] buffer = new byte[1024];
        int count=0;
        while((count = bis.read(buffer,0,1024)) != -1)
        {
            fis.write(buffer, 0, count);
        }
        fis.close();
        bis.close();
    }

I would like to use policy files to prevent this program from running,

None of my attempts so far have worked, I'm starting to wonder this might be a unsupported feature, and it might not work anymore.

This is my policy

grant CodeBase "file:HelloWorld.jar" {
    permission java.io.FilePermission "C:\Users\User\Desktop\", "read";
};

I've tried using other permissions but they seem to do nothing as well, I appreciate the help.

Could someone layout, why this doesn't work?, why I need to specify the file?, even though given when I run the jar, where to find a list of permissions and their arguments? (permission java.io.ExamplePermission (args), (args))

Launcher\files\azul-1.8.9_345\bin\java.exe -jar HelloWorld.jar -Djava.security.manager -Djava.security.policy=C:\Users\User\Desktop\policy.policy

I've attempted using other permissions, they didn't effect the program either.

Answer 1

You don't pass any VM parameters to enable a security manager.

Your current command line is:

java -jar HelloWorld.jar -Djava.security.manager -Djava.security.policy=...

This means, -Djava.security.manager -Djava.security.policy=... are passed as program arguments, not as VM arguments.

VM arguments have to appear before the -jar file or classname.
Arguments after that are treated as program arguments and passed as args to the main method.

To fix that, use

Launcher\files\azul-1.8.9_345\bin\java.exe -Djava.security.manager -Djava.security.policy=C:\Users\User\Desktop\policy.policy -jar HelloWorld.jar

---

Then the format of your policy file is not correct.
Inside ", \ needs to be escaped with \\.

Also, the codebase does not use relative file names, instead file URLs.

So, the policy file should look like this:

grant codebase "file:/C:/Users/User/Desktop/HelloWorld.jar" {
    permission java.io.FilePermission "C:\\Users\\User\\Desktop\\-", "read";
};

If your policy file contains errors, it might simply not be used, making debugging difficult.