Restrict java to only execute signed jars?

Question

Java jars can be signed with the JDK jarsigner tool. This, in conjuction with the policytool, appears to only allow you to add privileges to the jar when it is run. I would like a default "Revoke access to run." Is it possible to make java do white-listing in such a way that only jar files that have been signed by a certain set of certificates are allowed to run at all?

Answer 1

If this is for a browser based application, this can be accomplished using a deployment rule set.

https://blogs.oracle.com/java-platform-group/entry/introducing_deployment_rule_sets

http://docs.oracle.com/javase/7/docs/technotes/guides/jweb/security/deployment_rules.html

Answer 2

For Java PlugIn and WebStart on the Oracle JRE since 7u10 there is a relevant custom security setting in the Java Control Panel. Under "Action for untrusted apps on a secure JRE version" select "Don't run". See Setting the Security Level of the Java Client.

Answer 3

As I understand, this is on your computer you can control. Use

 java -Djava.security.manager YourApplication

when starting the application. This installs the default security manager that can be configured through policy files. Policy files allow to configure permissions per signer or per code base along the lines

  grant signedBy "me" {
      permission java.io.FilePermission "/home/me/*", "read,write";
  };

Between various possible permissions, I currently do not see a permission to "run at all" but it seems you can completely disable both networking and filesystem access.

If you have possibility to run your own external application that is a decision maker (to launch or not to launch), you can verify the signature from your code as already discussed.

Also, you can write a wrapper around jarsigner with the -verify switch, as documented here:

jarsigner -verify -keystore mystore hackerApplication.jar 

and capture the "smk" in the output, using some bash-like wrapper.