Skip to main content

Java 2 security

The Java 2 security manager allows system administrators to enforce policies that dictate the permissions available to Java code within a JVM.

If you are using the Java 2 security manager with the Java agent, you will need to configure Java security policy files to apply permissions to Java code principals.

Java code principals are typically identified by a CodeSource (like, a JAR), and in rare cases, by the entity that signed the JAR.

For example, in Tomcat’s default catalina.policy file, the policy grants permissions to the JDBC driver JAR:

// The permission granted to your JDBC driver
grant codeBase "jar:file:${catalina.base}/webapps/examples/WEB-INF/lib/driver.jar!/-" {
     permission java.net.SocketPermission "dbhost.mycompany.com:5432", "connect";
};

The Java 2 security manager can be useful in situations where the system administrator can't fully trust the code deployed by users. For example, if you are hosting users' applications on multi-tenant Tomcat instances, you could use the Java 2 security manager to constrain users' applications from taking down their whole service (for example, by disallowing calls to System.exit()).

If you are using the Java 2 security manager with the Contrast Java agent, you should grant the Java agent the full set of permissions in your security policy file (java.security.AllPermission). To do this, replace <YourContrastJarPath> with the path to your Contrast JAR, and use:

grant codeBase "file:<YourContrastJarPath>" {
  permission java.security.AllPermission;
};

If you are using Java 2 security manager and one of these environments, you may also need to complete further configuration: