How do I know which granted permission is not needed?
Weijun Wang
weijun.wang at oracle.com
Wed Jun 21 15:20:43 UTC 2017
On 06/21/2017 10:34 PM, Seán Coffey wrote:
> you're most likely aware of this debug option but the
> java.security.debug option allows 'access' which should give you a lot
> more information about each permission check that's been made. Maybe
> it's a case of scanning the output for permissions not checked and
> seeing if they're really necessary in your policy file.
This is useful, but I still don't know what code source the permission
is granted to.
For example, suppose I have 2 codebases all granting the same
permission. By reading the -Djava.security.debug=access output I cannot
find out if one is actually not needed.
Daniel suggests I can write my own Policy implementation.
>
> https://docs.oracle.com/javase/8/docs/technotes/guides/security/troubleshooting-security.html
>
>
> Regards,
> Sean.
>
> On 21/06/17 12:53, Sean Mullan wrote:
>> On 6/21/17 3:05 AM, Weijun Wang wrote:
>>> Suppose I have a Java program running with a security manager and a
>>> policy file. There are quite a lot of permissions granted in the
>>> policy file but maybe not all of them are necessary.
>>>
>>> Is there a way I can find out which one is not needed?
>>
>> I don't know of any easy way to do that, other than code inspection
>> and writing tests that exercise different code paths.
I didn't mean to achieve that goal. I only want to know what granted
permissions are not checked in one execution.
Thanks
Max
>>
>> --Sean
>>
>>>
>>> I tried to write my own security manager to remember all permission
>>> objects checked and then compare it with the policy file, but if the
>>> policy file has permissions granted to different codebases, I cannot
>>> tell which one is for which.
>>>
>>> Thanks
>>> Max
>
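The custom Policy approach mentioned in this thread could look like the following sketch. It is an added example, not code from any participant or from the JDK; the class name `RecordingPolicy` and its `unused()` method are hypothetical, and it assumes a JDK release where the Security Manager and `Policy.setPolicy` are still supported.

```java
import java.security.*;
import java.util.*;
import java.util.concurrent.ConcurrentHashMap;

// Added example (hypothetical class). Wraps the installed Policy and records,
// per code source, which granted permissions actually satisfied a check.
public class RecordingPolicy extends Policy {
    private final Policy delegate;
    private final Map<String, Set<Permission>> granted = new ConcurrentHashMap<>();
    private final Map<String, Set<Permission>> used = new ConcurrentHashMap<>();
    // Re-entry guard: the bookkeeping below can itself trigger permission checks.
    private final ThreadLocal<Boolean> busy = ThreadLocal.withInitial(() -> false);

    public RecordingPolicy(Policy delegate) { this.delegate = delegate; }

    @Override public PermissionCollection getPermissions(CodeSource cs) { return delegate.getPermissions(cs); }
    @Override public PermissionCollection getPermissions(ProtectionDomain pd) { return delegate.getPermissions(pd); }
    @Override public void refresh() { delegate.refresh(); }

    @Override
    public boolean implies(ProtectionDomain pd, Permission requested) {
        boolean ok = delegate.implies(pd, requested);   // the decision is never changed
        if (!ok || busy.get()) return ok;
        busy.set(true);
        try {
            String key = String.valueOf(pd.getCodeSource());
            Set<Permission> g = granted.computeIfAbsent(key, k -> ConcurrentHashMap.newKeySet());
            Set<Permission> u = used.computeIfAbsent(key, k -> ConcurrentHashMap.newKeySet());
            // Attribute the successful check to every grant of this domain that implies it.
            for (Permission p : Collections.list(delegate.getPermissions(pd).elements())) {
                g.add(p);
                if (p.implies(requested)) u.add(p);
            }
        } finally { busy.set(false); }
        return ok;
    }

    // Grants seen for a code source that never satisfied a check in this run.
    public Map<String, Set<Permission>> unused() {
        Map<String, Set<Permission>> out = new TreeMap<>();
        granted.forEach((k, g) -> {
            Set<Permission> rest = new HashSet<>(g);
            rest.removeAll(used.getOrDefault(k, Collections.emptySet()));
            if (!rest.isEmpty()) out.put(k, rest);
        });
        return out;
    }
}
```

Install it early with `Policy.setPolicy(new RecordingPolicy(Policy.getPolicy()))` and print `unused()` at exit. A code source whose domain never passed a check does not appear in the map at all, so every grant for it went unexercised in that run.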