As a sample application, we will be using the Spring Pet Clinic, a typical, albeit small-sized, Spring Boot application.

First steps

Once the application has been built, launch it with the security manager:

java -Djava.security.manager -Djava.security.policy=jvm.policy -jar target/spring-petclinic-1.4.2.jar

This, of course, fails. The output is the following:

Exception in thread "main" java.lang.IllegalStateException: java.security.AccessControlException: access denied ("java.lang.RuntimePermission" "getProtectionDomain")
    at org.springframework.boot.loader.ExecutableArchiveLauncher.<init>(ExecutableArchiveLauncher.java:43)
    at org.springframework.boot.loader.JarLauncher.<init>(JarLauncher.java:37)
    at org.springframework.boot.loader.JarLauncher.main(JarLauncher.java:58)
Caused by: java.security.AccessControlException: access denied ("java.lang.RuntimePermission" "getProtectionDomain")
    at java.security.AccessControlContext.checkPermission(AccessControlContext.java:472)
    at java.security.AccessController.checkPermission(AccessController.java:884)
    at java.lang.SecurityManager.checkPermission(SecurityManager.java:549)
    at java.lang.Class.getProtectionDomain(Class.java:2299)
    at org.springframework.boot.loader.Launcher.createArchive(Launcher.java:117)
    at org.springframework.boot.loader.ExecutableArchiveLauncher.<init>(ExecutableArchiveLauncher.java:40)
    ... 2 more

Let’s add the permission relevant to the above "access denied" exception to the policy file:

grant codeBase "file:target/spring-petclinic-1.4.2.jar" {
    permission java.lang.RuntimePermission "getProtectionDomain";
};

Notice the codeBase path pointing to the JAR: the permission is granted only to code loaded from that archive, which prevents other, potentially malicious archives from executing critical code. On to the next blocker.

Exception in thread "main" java.security.AccessControlException: access denied ("java.util.PropertyPermission" "java.protocol.handler.pkgs" "read")

This can be fixed by adding the corresponding permission line to the policy file:

grant codeBase "file:target/spring-petclinic-1.4.2.jar" {
    permission java.lang.RuntimePermission "getProtectionDomain";
    permission java.util.PropertyPermission "java.protocol.handler.pkgs", "read";
};

Next please.

Exception in thread "main" java.security.AccessControlException: access denied ("java.util.PropertyPermission" "java.protocol.handler.pkgs" "read")

Looks quite similar, but it needs a write permission in addition to the read one. Sure, it can be fixed by adding one more line, but there’s a shortcut available: just specify all the necessary attributes (actions) of the permission on the same line, separated by commas:

grant codeBase "file:target/spring-petclinic-1.4.2.jar" {
    permission java.lang.RuntimePermission "getProtectionDomain";
    permission java.util.PropertyPermission "java.protocol.handler.pkgs", "read,write";
};

Rinse and repeat. Without further ado, the (nearly) final policy can be found online: a whopping ~1800 lines of configuration for the Spring Boot Pet Clinic as an executable JAR.
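
The run, read the denial, add a line loop above can be partly automated. The script below is an added example, not part of the original article or of Spring Boot: it extracts every "access denied" message from captured JVM output, removes duplicates, merges the actions requested for the same target, and renders one grant block for review. The function names and the sample log (built from the messages quoted above plus an assumed "write" denial) are constructed for illustration.

```python
import re
from collections import defaultdict

# Matches: access denied ("<permission class>" "<target>" ["<actions>"])
DENIED = re.compile(r'access denied \("([^"]+)" "([^"]+)"(?: "([^"]+)")?\)')

# Constructed sample: the denials quoted in the article, plus an assumed "write" one.
SAMPLE_LOG = '''\
Exception in thread "main" java.lang.IllegalStateException: java.security.AccessControlException: access denied ("java.lang.RuntimePermission" "getProtectionDomain")
Caused by: java.security.AccessControlException: access denied ("java.lang.RuntimePermission" "getProtectionDomain")
Exception in thread "main" java.security.AccessControlException: access denied ("java.util.PropertyPermission" "java.protocol.handler.pkgs" "read")
Exception in thread "main" java.security.AccessControlException: access denied ("java.util.PropertyPermission" "java.protocol.handler.pkgs" "write")
'''

def collect_permissions(log_text):
    """Map (permission class, target) -> set of actions, in first-seen order."""
    perms = defaultdict(set)
    for cls, target, actions in DENIED.findall(log_text):
        entry = perms[(cls, target)]  # creates the entry even when no actions are given
        if actions:
            entry.update(a.strip() for a in actions.split(","))
    return dict(perms)

def render_grant(code_base, perms):
    """Render a single grant block scoped to one codeBase."""
    lines = ['grant codeBase "%s" {' % code_base]
    for (cls, target), actions in perms.items():
        line = '    permission %s "%s"' % (cls, target)
        if actions:
            # Same shortcut as in the article: all actions on one line.
            line += ', "%s"' % ",".join(sorted(actions))
        lines.append(line + ";")
    lines.append("};")
    return "\n".join(lines)

if __name__ == "__main__":
    found = collect_permissions(SAMPLE_LOG)
    print(render_grant("file:target/spring-petclinic-1.4.2.jar", found))
```

Treat the output as a draft: every generated line widens what the JAR may do, so each one should be read before it goes into jvm.policy.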