Trail: Security Features in Java SE
Lesson: Signing Code and Granting It Permissions
Section: Steps for the Code Receiver
Observe the Restricted Application
« PreviousTOCNext »
Signing Code and Granting It Permissions
Steps for the Code Signer
Download and Try the Sample Application
Create a JAR File Containing the Class File
Generate Keys
Sign the JAR File
Export the Public Key Certificate
Steps for the Code Receiver
Observe the Restricted Application
Import the Certificate as a Trusted Certificate
Set Up a Policy File to Grant the Required Permission
Start Policy Tool
Specify the Keystore
Add a Policy Entry with a SignedBy Alias
Save the Policy File
See the Policy File Effects
The last part of the Quick Tour of Controlling Applications lesson shows how an application can be run under a security manager by invoking the interpreter with the new -Djava.security.manager command-line argument. But what if the application to be invoked resides inside a JAR file?

One of the interpreter options is the -cp (for class path) option, that lets you specify a search path for application classes and resources. Therefore, to execute the Count application inside the sCount.jar JAR file, specifying the file C:\TestData\data as its argument, you can type the following command while in the directory containing sCount.jar: 

java -cp sCount.jar Count C:\TestData\data
To execute the application with a security manager, add -Djava.security.manager, as shown below: 
java -Djava.security.manager -cp sCount.jar Count C:\TestData\data
Important:  When you run this command, your Java interpreter will throw an exception shown below: 
Exception in thread "main" java.security.AccessControlException:
access denied (java.io.FilePermission C:\TestData\data read)
    at java.security.AccessControlContext.checkPermission(Compiled Code)
    at java.security.AccessController.checkPermission(Compiled Code)
    at java.lang.SecurityManager.checkPermission(Compiled Code)
    at java.lang.SecurityManager.checkRead(Compiled Code)
    at java.io.FileInputStream.(Compiled Code)
    at Count.main(Compiled Code)

In this example, AccessControlException reported that the count application does not have permission to read the file C:\TestData\data. Your interpreter raised this exception because it will not allow any application running under a security manager to read a file or to access other resources unless it has explicit permission to do so -- usually specified in a grant statement contained in a policy file.

Previous page: Steps for the Code Receiver
Next page: Import the Certificate as a Trusted Certificate