Note: Permissions requires the use of Java SecurityManager.
Java version 17 deprecated SecurityManager for removal and Java 18 and higher versions, by
default, disallow setting SecurityManager at runtime. Permissions is thus no longer
supported when used in Java 18 or higher versions. Using it in those Java runtime versions
will throw a org.apache.tools.ant.BuildException. Throwing of
BuildException can be relaxed by setting the
ant.securitymanager.usage.warn system or Ant property to true,
which will then cause a warning to be logged instead of the exception being thrown. Even when
ant.securitymanager.usage.warn is set to true,
SecurityManager usage will still be disabled and no security checks will be performed.
It is recommended to no longer use <permissions>
Permissions represents a set of security permissions granted or revoked to a specific part
code executed in the JVM where Apache Ant is running in. The actual Permissions are specified
via a set of nested permission items either <grant>ed
or <revoke>d.
In the base situation a base set of permissions granted. Extra
permissions can be granted. A granted permission can be overruled by revoking a permission. The
security manager installed by the permissions will throw an SecurityException if
the code subject to these permissions try to use an permission that has not been granted or that
has been revoked.
Indicates a specific permission is always granted. Its attributes indicate which permissions are granted.
| Attribute | Description | Required |
|---|---|---|
| class | The fully qualified name of the Permission class. | Yes |
| name | The name of the Permission. The actual contents depends on the Permission class. | No |
| actions | The actions allowed. The actual contents depend on the Permission class and name. | No |
Implied permissions are granted.
Please note that some Permission classes may actually need a name and/or actions in order to function properly. The name and actions are parsed by the actual Permission class.
Indicates a specific permission is revoked.
| Attribute | Description | Required |
|---|---|---|
| class | The fully qualified name of the Permission class. | Yes |
| name | The name of the Permission. The actual contents depends on the Permission class. | No |
| actions | The actions allowed. The actual contents depend on the Permission class and name. | No |
Implied permissions are not resolved and therefore also not revoked.
The name can handle the *
wildcard at the end of the name, in which case
all permissions of the specified class of which the name starts with the specified name
(excluding the *
) are revoked. Note that the -
wildcard often supported by the
granted properties is not supported. If the name is left empty all names match, and
are revoked. If the actions are left empty all actions match, and are revoked.
A permissions set implicitly contains the following permissions:
<grant class="java.net.SocketPermission" name="localhost:1024-" actions="listen"> <grant class="java.util.PropertyPermission" name="java.version" actions="read"> <grant class="java.util.PropertyPermission" name="java.vendor" actions="read"> <grant class="java.util.PropertyPermission" name="java.vendor.url" actions="read"> <grant class="java.util.PropertyPermission" name="java.class.version" actions="read"> <grant class="java.util.PropertyPermission" name="os.name" actions="read"> <grant class="java.util.PropertyPermission" name="os.version" actions="read"> <grant class="java.util.PropertyPermission" name="os.arch" actions="read"> <grant class="java.util.PropertyPermission" name="file.encoding" actions="read"> <grant class="java.util.PropertyPermission" name="file.separator" actions="read"> <grant class="java.util.PropertyPermission" name="path.separator" actions="read"> <grant class="java.util.PropertyPermission" name="line.separator" actions="read"> <grant class="java.util.PropertyPermission" name="java.specification.version" actions="read"> <grant class="java.util.PropertyPermission" name="java.specification.vendor" actions="read"> <grant class="java.util.PropertyPermission" name="java.specification.name" actions="read"> <grant class="java.util.PropertyPermission" name="java.vm.specification.version" actions="read"> <grant class="java.util.PropertyPermission" name="java.vm.specification.vendor" actions="read"> <grant class="java.util.PropertyPermission" name="java.vm.specification.name" actions="read"> <grant class="java.util.PropertyPermission" name="java.vm.version" actions="read"> <grant class="java.util.PropertyPermission" name="java.vm.vendor" actions="read"> <grant class="java.util.PropertyPermission" name="java.vm.name" actions="read">
These permissions can be revoked via <revoke> elements if necessary.
<permissions> <grant class="java.security.AllPermission"/> <revoke class="java.util.PropertyPermission"/> </permissions>
Grants all permissions to the code except for those handling Properties.
<permissions> <grant class="java.net.SocketPermission" name="foo.bar.com" action="connect"/> <grant class="java.util.PropertyPermission" name="user.home" action="read,write"/> </permissions>
Grants the base set of permissions with the addition of
a SocketPermission to connect to foo.bar.com and the
permission to read and write the user.home system property.