java.security.manager policy question


Marcin Kasprzak

hello,

Is it somehow possible to deny access for one application
to a specific resource whereas allow access for the rest
within one policy?

Example:
I would like to prevent one application from accessing disk, if
I will write something like this:

grant {
    permission java.util.PropertyPermission "*", "read";
    permission java.io.FilePermission "/tmp/foo", "read,write";
};
grant codebase "file:/a/b/c/-" {
    permission java.util.PropertyPermission "*", "read";
};

then the program located in the /a/b/c dir will still have access to the disk,
since it will match the first rule. I also can neither get rid of the
FilePermission in the first rule nor get rid of the whole rule, because
other applications will stop working. All programs share the same policy.

Is it somehow possible to solve this issue?

Regards,
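
An added illustration, not part of the original post: policy grants are additive, so the effective permission set of a program is the union of every grant entry whose code source matches it, and a narrower entry cannot take anything away. The sketch below models that with the JDK's own CodeSource and Permissions classes for the policy as posted, and for a restructured policy in which the FilePermission is moved out of the catch-all grant. The /opt/otherapps codebase and the jar names are assumptions made up for the example.

```java
import java.io.FilePermission;
import java.net.URI;
import java.security.CodeSource;
import java.security.Permission;
import java.security.Permissions;
import java.security.cert.Certificate;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.PropertyPermission;

public class AdditiveGrants {
    // CodeSource for a grant entry; null models "grant { ... }", which matches all code.
    static CodeSource cs(String codeBase) throws Exception {
        return new CodeSource(codeBase == null ? null : URI.create(codeBase).toURL(),
                              (Certificate[]) null);
    }

    // Policy-file semantics: add up the permissions of every grant that matches the caller.
    static Permissions effective(Map<CodeSource, Permission[]> policy, CodeSource app) {
        Permissions out = new Permissions();
        policy.forEach((grantCs, perms) -> {
            if (grantCs.implies(app)) for (Permission p : perms) out.add(p);
        });
        return out;
    }

    public static void main(String[] args) throws Exception {
        Permission props = new PropertyPermission("*", "read");
        Permission tmpFoo = new FilePermission("/tmp/foo", "read,write");

        // The policy from the post: the catch-all grant carries the FilePermission.
        Map<CodeSource, Permission[]> asPosted = new LinkedHashMap<>();
        asPosted.put(cs(null), new Permission[] {props, tmpFoo});
        asPosted.put(cs("file:/a/b/c/-"), new Permission[] {props});

        // Restructured: the catch-all keeps only what every program may have, and the
        // FilePermission goes to the (hypothetical) codebase of the programs that need it.
        Map<CodeSource, Permission[]> scoped = new LinkedHashMap<>();
        scoped.put(cs(null), new Permission[] {props});
        scoped.put(cs("file:/opt/otherapps/-"), new Permission[] {tmpFoo});

        CodeSource restricted = cs("file:/a/b/c/app.jar");      // constructed sample
        CodeSource other = cs("file:/opt/otherapps/tool.jar");  // constructed sample
        Permission check = new FilePermission("/tmp/foo", "read");
        System.out.println("as posted, /a/b/c app: " + effective(asPosted, restricted).implies(check));
        System.out.println("scoped,    /a/b/c app: " + effective(scoped, restricted).implies(check));
        System.out.println("scoped,    other app:  " + effective(scoped, other).implies(check));
    }
}
```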
 

Andrew Thompson

Is it somehow possible to deny access for one application
to a specific resource whereas allow access for the rest
within one policy?

Did you ask a question related to security recently?

This post reminds me of it, since it asks a question
that itself raises many more questions.

Perhaps you could help answer a swathe of those
questions by telling us what it is you intend to
offer to the end user, rather than pursue some
strategy that you believe will achieve that.

What is all this (waves hand about vaguely)
messing with security managers, looking to offer
to me as your potential end-user?
 

Marcin Kasprzak

Did you ask a question related to security recently?

Yes two days ago, on this newsgroup.

This post reminds me of it, since it asks a question
that itself raises many more questions.

Perhaps you could help answer a swathe of those
questions by telling us what it is you intend to
offer to the end user, rather than pursue some
strategy that you believe will achieve that.

Actually not sure what you mean. There is "no story"
behind those questions if that's what you mean...

I have a homework to do i.e. writing a small project
in which I need to use some of security features,
but not sure if I understand them correctly.

I believe that explanation of the question is pretty clear,
if not please let me know which part is not clear?

Anyway thanks for interest.
 

Andrew Thompson

Yes two days ago, on this newsgroup.

Please don't split threads - it would have made
more sense to add a follow-up to the earlier
question.

Actually not sure what you mean. There is "no story"
behind those questions if that's what you mean...

I have a homework to do ..

Ahh.. That explains a lot of why this exercise sounds
quite 'arbitrary'.

.. i.e. writing a small project
in which I need to use some of security features,
but not sure if I understand them correctly.

I believe that explanation of the question is pretty clear,
if not please let me know which part is not clear?

I'm clear now.

Arne asked you a very relevant question on the
tail of the first thread. I was waiting to hear
what you'd say, before launching into this matter.

I initially thought that a strategy you might look
into would be to launch the project as a sandboxed
applet (or *from* an applet), or web start project.
They both provide a 'default' security environment
that prevents file access (OK - JWS has ways to
get around that limitation - but only if we code them).

OTOH - I do not think either of these solutions
satisfies the basic requirement to assign 'fine grained'
control over what the user can and cannot do.

You might pursue the strategy of getting policy
files to work as you want, but I don't mess with
those usually - instead I would look into this
little 'hack' to achieve what is required.
<http://groups.google.com.au/group/comp.lang.java.programmer/msg/f29ab45389d9f5f2>

That one deals with calling System.exit(), but
should be trivial to change for file access.
 

Marcin Kasprzak

Please don't split threads - it would have made
more sense to add a follow-up to the earlier
question.

ok, I'm not going to do it again.

[..]
Arne asked you a very relevant question on the
tail of the first thread. I was waiting to hear
what you'd say, before launching into this matter.

I initially thought that a strategy you might look
into would be to launch the project as a sandboxed
applet (or *from* an applet), or web start project.
They both provide a 'default' security environment
that prevents file access (OK - JWS has ways to
get around that limitation - but only if we code them).

OTOH - I do not think either of these solutions
satisfies the basic requirement to assign 'fine grained'
control over what the user can and cannot do.

You might pursue the strategy of getting policy
files to work as you want, but I don't mess with
those usually - instead I would look into this
little 'hack' to achieve what is required.
<http://groups.google.com.au/group/comp.lang.java.programmer/msg/f29ab45389d9f5f2>

That one deals with calling System.exit(), but
should be trivial to change for file access.

Huh;-) Your explanation is far too complicated for me,
and I'm not sure how it's related to my policy question.
But thank you very much for your time, I appreciate that.

Regards,
 
