Is there a way to run Java VM (java.exe
) on Windows Server 2008 and disable all network connections using a command line argument or a system variable?
You can do this by enabling default Java security manager. By default no security is enforced so you are allowed to do anything, but if security manager is enabled it will restrict network access, file access and lots of other things unless you specify otherwise in the security policy file.
To enable the default security manager pass this argument to JVM on start.
java -Djava.security.manager=default my.main.Class
By doing this any network access attempt from inside JVM will throw java.net.NetPermission
.
This will also break things like file access, so if you need to allow it you will need to specify those in a special security policy file (-Djava.security.policy=path/to/policy.file
). There should be plenty of examples of how to set it up, just search for "java permissions" to get you started.
I had the same task to test offline installer for our product. All said above is almost right, but creating .policy file is not easy for the first time. Here is what I did:
Crated generic policy file that has no permission to resolve host names (see code snippet below);
Added -Djava.security.manager -Djava.security.policy=pathto/policy.file
in jvm parameters;
generic .policy file content:
grant {
permission java.io.FilePermission "<<ALL FILES>>", "read,write,execute,delete";
permission java.util.PropertyPermission "*", "read,write";
permission java.lang.RuntimePermission "*";
permission java.net.NetPermission "*";
permission java.lang.reflect.ReflectPermission "*";
};
If something tries to get content outside during the test, it fails with security exception.
Well, I haven't tried that but theoretically you could set the system properties for SOCKS proxy to a non-existent one and according to the documentation all TCP sockets will be tried through the SOCKS proxy - and fail.
Something like this:
java -DsocksProxyHost=127.0.0.1 SomeClass