Is there a legal way to add/remove permissions to Java security policy at runtime?
A:
From 1.4 dynamic [ProtectionDomain][1]s can delegate to the Policy. Dynamically removing permissions from code is unlikely to make any sense. The two argument forms of [AccessController.doPrivileged][3] might also be useful.
[1]: http://java.sun.com/javase/6/docs/api/java/security/ProtectionDomain.html#ProtectionDomain(java.security.CodeSource, java.security.PermissionCollection, java.lang.ClassLoader, java.security.Principal[]) [3]: http://java.sun.com/javase/6/docs/api/java/security/AccessController.html#doPrivileged(java.security.PrivilegedAction, java.security.AccessControlContext)
Tom Hawtin - tackline
2009-06-18 09:48:59
We're developing an OSGi-based framework, which should be long-running and avoid restarts as much as possible. The framework is SAAS, but customer is able to deploy own bundles (plugins) to the system. So, for us it would be nice to modify permissions at runtime.
2009-06-18 09:58:57
A:
Javadoc says that Policy.refresh() for file-based policy would re-read the file. Thus, it is possible to modify system-wide policy at runtime by editing policy file and then calling Policy.refresh()
You'll find that the permissions have already been copied out of the Policy and into the ProtectionDomains of Classes and ClassLoaders.
Tom Hawtin - tackline
2009-06-18 10:44:53
A:
It is possible to set custom Policy implementation, using Policy.setPolicy() method. For example see JAAS in Action book.