Security Policy with denying rules

Ondřej Lukáš xondrejlukas at
Fri Jan 17 00:39:17 PST 2014

I've implemented Java Security Manager and Policy for using denying rules
and I think that maybe someone will be interested in it. Standard Java
Policy [1] uses only granting permissions and there are cases when denying
rules are more comfortable than granting rules. I would like to know your
opinion and get some feedback if you'll be interested. Project is called
Prograde (Policy Rules Of GRanting And DEnying) and you can use it as maven


Project is also available through github [2] and some tests are in
progradeTests project [3].

In the README files of these two github projects is some information about
using policy with denying rules. Usage is similar as with standard policy,
but you can write also deny entry (keyword "deny") instead of grant. There
is a new entry named "priority" which is set to grant or deny value - it
says whether grant or deny rule is used if they are in conflict. Some
examples of policy files are used in [3].

I think that the main advantage of this type of policy rules and Prograde
project is simplification of testing. Sometimes you want to know what
behavior will your application have in case that some specific permission
isn't granted. In this case you need to grant everything except that
permission, so a denying rule is the best option.

There are also some imperfections, but I think that they are not so
- Prograde is not able to work with general expansion [4]. (property
expansion works fine)
- Path used in codebase entry must contain only a-z, A-Z, 0-9 and some
symbols defined in encodeSpecialCharacters protected method of
net.sourceforge.prograde.policy.ProgradePolicyFile class.

I am planning to fix it in future releases.

I hope Prograde will be helpful for somebody and I'll be happy for every

Best regards,
Ondrej Lukas

-------------- next part --------------
An HTML attachment was scrubbed...

More information about the security-dev mailing list