In one of my previous posts, I described how to create a custom policy file for securing one’s application.

The process was manual and incremental. Because of that, it was painstakingly long - and hence not really practical. I presented the process at some conferences, and one piece of feedback was that it had to be automated. Of course, without automation, nobody would ever write such a policy file except for trivial applications.

This is the 4th post in the JVM Security focus series.

And then it struck me: there’s a way to write the policy file in a couple of hours, instead of days, for any application.

Even better, there’s no need for additional information, just a combination of what I already wrote about. Steps are as follows:

1. Create an allow-everything policy file:

        grant codeBase "file:target/spring-petclinic.jar" {
            permission java.security.AllPermission;
        };

2. Launch the JAR with specific system properties, including security logging:

        java -Djava.security.manager \
             -Djava.security.policy==all.policy \
             -Djava.security.debug=access \
             -jar target/spring-petclinic.jar

This will print every permission check to the standard output. It’s then a no-brainer to redirect the output to a file, process it manually, i.e. deduplicate lines, and proceed as in the original post.
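As an added example (not code from the original post), here is a small Python script that does the deduplication step: it parses the `access: access allowed (...)` lines that `-Djava.security.debug=access` prints, merges the actions requested on the same target (for instance separate read and write checks on one file), and renders a grant block for the JAR's codeBase. The debug-line format, the codeBase and the log are assumptions; the sample log is constructed, not captured from a real run.

```python
import re

# Assumed format of the lines printed by -Djava.security.debug=access; the
# parenthesised part is Permission.toString(): ("class" "name" "actions"),
# with the actions omitted for permissions that have none.
ACCESS_RE = re.compile(
    r'access: access (?P<verdict>allowed|denied) '
    r'\("(?P<cls>[^"]+)" "(?P<name>[^"]*)"(?: "(?P<actions>[^"]*)")?\)'
)

# The codeBase of the application JAR (assumption, matches the post's example).
CODE_BASE = "file:target/spring-petclinic.jar"

# Constructed sample of captured debug output: note the duplicate line and the
# separate read and write checks on the same file.
SAMPLE_LOG = """\
access: access allowed ("java.util.PropertyPermission" "java.home" "read")
access: access allowed ("java.io.FilePermission" "/tmp/petclinic" "read")
access: access allowed ("java.util.PropertyPermission" "java.home" "read")
access: access allowed ("java.lang.RuntimePermission" "accessDeclaredMembers")
access: access allowed ("java.io.FilePermission" "/tmp/petclinic" "write")
"""


def parse_permissions(log_text):
    """Return de-duplicated (class, name, actions) tuples in first-seen order.

    Actions checked separately on the same target are merged into one
    comma-separated list; permissions without actions get None.
    """
    seen = {}  # (cls, name) -> set of actions; dict keeps insertion order
    for line in log_text.splitlines():
        m = ACCESS_RE.search(line)
        if not m or m.group("verdict") != "allowed":
            continue  # skip unrelated lines and denied checks
        actions = seen.setdefault((m.group("cls"), m.group("name")), set())
        if m.group("actions"):
            actions.update(a.strip() for a in m.group("actions").split(","))
    return [(cls, name, ",".join(sorted(acts)) or None)
            for (cls, name), acts in seen.items()]


def render_policy(perms, code_base):
    """Render one grant block in policy-file syntax for the given codeBase."""
    lines = ['grant codeBase "%s" {' % code_base]
    for cls, name, actions in perms:
        entry = '    permission %s "%s"' % (cls, name.replace("\\", "\\\\"))
        if actions:
            entry += ', "%s"' % actions
        lines.append(entry + ";")
    lines.append("};")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_policy(parse_permissions(SAMPLE_LOG), CODE_BASE))
```

Feed the real captured output to `parse_permissions` instead of `SAMPLE_LOG`; the resulting block replaces the AllPermission grant in the policy file.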

This time, however, there’s no need to create the policy file bit by bit: the complete file is available from the beginning.