How do I know which granted permission is not needed?

Sean Mullan sean.mullan at oracle.com
Wed Jun 21 15:29:40 UTC 2017


On 6/21/17 11:20 AM, Weijun Wang wrote:
> 
> 
> On 06/21/2017 10:34 PM, Seán Coffey wrote:
>> you're most likely aware of this debug option but the 
>> java.security.debug option allows 'access' which should give you a lot 
>> more information about each permission check that's been made. Maybe 
>> it's a case of scanning the output for permissions not checked and 
>> seeing if they're really necessary in your policy file.
> 
> This is useful, but I still don't know what code source the permission 
> is granted to.
> 
> For example, suppose I have 2 codebases all granting the same 
> permission. By reading the -Djava.security.debug=access output I cannot 
> find out if one is actually not needed.
> 
> Daniel suggests I can write my own Policy implementation.
> 
>>
>> https://docs.oracle.com/javase/8/docs/technotes/guides/security/troubleshooting-security.html 
>>
>>
>> Regards,
>> Sean.
>>
>> On 21/06/17 12:53, Sean Mullan wrote:
>>> On 6/21/17 3:05 AM, Weijun Wang wrote:
>>>> Suppose I have a Java program running with a security manager and a 
>>>> policy file. There are quite a lot of permissions granted in the 
>>>> policy file but maybe not all of them are necessary.
>>>>
>>>> Is there a way I can find out which one is not needed?
>>>
>>> I don't know of any easy way to do that, other than code inspection 
>>> and writing tests that exercise different code paths.
> 
> I didn't mean to achieve that goal. I only want to know what granted 
> permissions are not checked in one execution.

Hmm. Just remove all granted permissions then, and grant them one by one 
until it runs w/o error?

--Sean

> 
> Thanks
> Max
> 
>>>
>>> --Sean
>>>
>>>>
>>>> I tried to write my own security manager to remember all permission 
>>>> objects checked and then compare it with the policy file, but if the 
>>>> policy file has permissions granted to different codebases, I cannot 
>>>> tell which one is for which.
>>>>
>>>> Thanks
>>>> Max
>>
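As an added example (not code from this thread, and not part of the JDK), here is one way to act on Daniel's suggestion of writing your own Policy so that the debug output problem Max describes goes away: wrap the Policy parsed from the policy file, and for every implies() call record which grant entries of which code source were actually consulted. At exit, anything granted but never consulted in that execution is reported per code source. The class name UsedPermissionPolicy and the install() helper are assumptions; the example also assumes install() is called before the security manager is installed (otherwise the policy file has to grant SecurityPermission "getPolicy" and "setPolicy" to the calling code).

```java
import java.security.CodeSource;
import java.security.Permission;
import java.security.PermissionCollection;
import java.security.Policy;
import java.security.ProtectionDomain;
import java.util.Collections;
import java.util.Enumeration;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import java.util.TreeMap;
import java.util.concurrent.ConcurrentHashMap;

/**
 * Hypothetical Policy wrapper (example code, not from the JDK): delegates every
 * decision to the policy loaded from the policy file and records which granted
 * permissions were consulted for which code source during this run.
 */
public class UsedPermissionPolicy extends Policy {
    private final Policy delegate;
    // code source location -> permissions the delegate grants to that domain
    private final Map<String, Set<Permission>> granted = new ConcurrentHashMap<>();
    // code source location -> granted permissions that actually covered a check
    private final Map<String, Set<Permission>> used = new ConcurrentHashMap<>();

    public UsedPermissionPolicy(Policy delegate) {
        this.delegate = delegate;
    }

    @Override
    public PermissionCollection getPermissions(CodeSource cs) {
        return delegate.getPermissions(cs);
    }

    @Override
    public PermissionCollection getPermissions(ProtectionDomain pd) {
        return delegate.getPermissions(pd);
    }

    @Override
    public boolean implies(ProtectionDomain pd, Permission perm) {
        CodeSource cs = pd.getCodeSource();
        String key = (cs == null || cs.getLocation() == null)
                ? "<no code source>" : cs.getLocation().toString();
        // Snapshot what the policy grants this domain the first time we see it.
        // Note: the default policy also folds in the domain's static permissions,
        // so entries not written in the policy file can show up here too.
        granted.computeIfAbsent(key, k -> snapshot(delegate.getPermissions(pd)));
        boolean ok = delegate.implies(pd, perm);
        if (ok) {
            // Mark every granted entry that covers this request as "consulted".
            for (Permission g : granted.get(key)) {
                if (g.implies(perm)) {
                    used.computeIfAbsent(key, k -> ConcurrentHashMap.<Permission>newKeySet()).add(g);
                }
            }
        }
        return ok;
    }

    private static Set<Permission> snapshot(PermissionCollection pc) {
        Set<Permission> s = ConcurrentHashMap.<Permission>newKeySet();
        for (Enumeration<Permission> e = pc.elements(); e.hasMoreElements();) {
            s.add(e.nextElement());
        }
        return s;
    }

    @Override
    public void refresh() {
        delegate.refresh();
    }

    /** Granted permissions, per code source, that no check consulted in this run. */
    public Map<String, Set<Permission>> unused() {
        Map<String, Set<Permission>> out = new TreeMap<>();
        for (Map.Entry<String, Set<Permission>> e : granted.entrySet()) {
            Set<Permission> remaining = new HashSet<>(e.getValue());
            remaining.removeAll(used.getOrDefault(e.getKey(), Collections.emptySet()));
            if (!remaining.isEmpty()) {
                out.put(e.getKey(), remaining);
            }
        }
        return out;
    }

    /** Call from main() before System.setSecurityManager(...). */
    public static void install() {
        UsedPermissionPolicy p = new UsedPermissionPolicy(Policy.getPolicy());
        Policy.setPolicy(p);
        Runtime.getRuntime().addShutdownHook(new Thread(() -> p.unused().forEach((loc, perms) -> {
            System.err.println("Granted but never consulted for " + loc + ":");
            perms.forEach(perm -> System.err.println("  " + perm));
        })));
    }
}
```

Run the program with -Djava.security.policy=your.policy, call UsedPermissionPolicy.install() at the top of main, then set the security manager. The report lists, keyed by code source location rather than by permission alone, which grants were never consulted in that one execution, which is the question asked above. It answers nothing about other code paths: a grant unused in one run may still be required by a path that run did not exercise, so the output is a candidate list to verify with tests, not a list of entries safe to delete.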


