Class JGuardPolicyExtension
Example usage in build.gradle:

    jguardPolicy {
        sourceFile = file("src/main/jguard/module-info.jguard")
        outputDir = layout.buildDirectory.dir("generated/jguard")
        mode = "strict" // strict, permissive, or audit
    }
Run with agent:

    ./gradlew runWithAgent

Properties:

    -Pjguard.skip=true    Skip agent enforcement
    -Pjguard.mode=audit   Override enforcement mode

JSON Output: The Gradle plugin only generates binary policy files (.bin). For JSON output (useful for debugging or documentation), use the jGuard CLI:

    jguardc --json -o policy.json src/main/java/module-info.jguard
Constructor Summary

Constructors
    JGuardPolicyExtension()

Method Summary

Modifier and Type | Method | Description
abstract org.gradle.api.provider.Property<Boolean> | getAllowTrusted() | Whether to allow trusted modules.
abstract org.gradle.api.provider.Property<Boolean> | getAllowUnsignedPolicies() | Whether to allow policies from unsigned JARs during discovery.
abstract org.gradle.api.provider.Property<String> | getBinName() | The name of the binary policy file.
abstract org.gradle.api.provider.Property<Boolean> | getDiscoveryMode() | Whether to use policy discovery mode (automatic policy detection from JARs).
abstract org.gradle.api.provider.Property<Boolean> | getExternalPoliciesIncludeJson() | Whether to generate JSON alongside binary for external policies (for debugging).
abstract org.gradle.api.file.DirectoryProperty | getExternalPoliciesOutputDir() | The output directory for compiled external policy .bin files.
abstract org.gradle.api.file.DirectoryProperty | getExternalPoliciesSourceDir() | The source directory containing external policy .jguard files.
abstract org.gradle.api.provider.Property<Boolean> | getHotReload() | Whether to enable policy hot reload.
abstract org.gradle.api.provider.Property<Integer> | getHotReloadInterval() | The interval in seconds between policy file checks when hot reload is enabled.
abstract org.gradle.api.provider.Property<Boolean> | getIncludeJson() | Whether to generate a JSON representation alongside the binary.
abstract org.gradle.api.provider.Property<String> | getJarPath() | The path within the JAR where policy files are placed.
abstract org.gradle.api.provider.Property<String> | getJsonName() | The name of the JSON policy file.
abstract org.gradle.api.provider.Property<String> | getLogLevel() | The log level for the agent.
abstract org.gradle.api.provider.Property<String> | getMode() | The enforcement mode for the agent.
abstract org.gradle.api.file.DirectoryProperty | getOutputDir() | The output directory for compiled policy files.
abstract org.gradle.api.file.RegularFileProperty | getSourceFile() | The source policy descriptor file.
abstract org.gradle.api.file.DirectoryProperty | getTestPoliciesOutputDir() | The output directory for compiled test policy .bin files.
abstract org.gradle.api.file.DirectoryProperty | getTestPoliciesSourceDir() | The source directory containing test-specific policy .jguard files.
Constructor Details

JGuardPolicyExtension

    public JGuardPolicyExtension()

Method Details
getSourceFile

    public abstract org.gradle.api.file.RegularFileProperty getSourceFile()

The source policy descriptor file.
Default: src/main/jguard/module-info.jguard
getOutputDir

    public abstract org.gradle.api.file.DirectoryProperty getOutputDir()

The output directory for compiled policy files.
Default: build/generated/jguard/
getIncludeJson

    public abstract org.gradle.api.provider.Property<Boolean> getIncludeJson()

Whether to generate a JSON representation alongside the binary.
Default: false
Note: JSON output is disabled by default because the required Jackson library is excluded from the plugin to avoid JPMS conflicts in Gradle buildSrc. For JSON output, use the jGuard CLI (jguardc --json).
getBinName

    public abstract org.gradle.api.provider.Property<String> getBinName()

The name of the binary policy file.
Default: policy.bin
getJsonName

    public abstract org.gradle.api.provider.Property<String> getJsonName()

The name of the JSON policy file.
Default: policy.json
getJarPath

    public abstract org.gradle.api.provider.Property<String> getJarPath()

The path within the JAR where policy files are placed.
Default: META-INF/jguard
getMode

    public abstract org.gradle.api.provider.Property<String> getMode()

The enforcement mode for the agent.
Valid values: strict, permissive, audit
Default: strict
getLogLevel

    public abstract org.gradle.api.provider.Property<String> getLogLevel()

The log level for the agent.
Valid values: error, warn, info, debug, trace
Default: info
getDiscoveryMode

    public abstract org.gradle.api.provider.Property<Boolean> getDiscoveryMode()

Whether to use policy discovery mode (automatic policy detection from JARs). When enabled (the default), the agent discovers policies from all module JARs on the classpath instead of loading a single policy file. This works for both single-module and multi-module JPMS applications.
Set to false to use explicit single-module mode, where the compiled policy file is passed directly to the agent.
Default: true
getAllowUnsignedPolicies

    public abstract org.gradle.api.provider.Property<Boolean> getAllowUnsignedPolicies()

Whether to allow policies from unsigned JARs during discovery. For development, set this to true, since JARs are typically not signed during development. For production, leave it as false so that policies are only loaded from signed JARs.
Default: false
getExternalPoliciesSourceDir

    public abstract org.gradle.api.file.DirectoryProperty getExternalPoliciesSourceDir()

The source directory containing external policy .jguard files. All *.jguard files in this directory will be compiled to binary format and packaged into the JAR at META-INF/jguard/external/. These policies provide capabilities for third-party libraries that don't ship with their own jGuard policies. The output filename will be derived from the source filename (e.g., io.netty.jguard becomes io.netty.bin).
Default: src/main/jguard (mirrors src/test/jguard for test policies)
Example usage:

    // File: src/main/jguard/io.netty.common.jguard
    security module io.netty.common {
        entitle io.netty.common.. to threads.create;
        entitle io.netty.common.. to network.outbound;
    }
getExternalPoliciesOutputDir

    public abstract org.gradle.api.file.DirectoryProperty getExternalPoliciesOutputDir()

The output directory for compiled external policy .bin files. This directory is automatically included in the JAR at META-INF/jguard/external/. The agent discovers these policies alongside embedded policies.
Default: build/jguard-policy/META-INF/jguard/external/
getExternalPoliciesIncludeJson

    public abstract org.gradle.api.provider.Property<Boolean> getExternalPoliciesIncludeJson()

Whether to generate JSON alongside binary for external policies (for debugging).
Default: false
getTestPoliciesSourceDir

    public abstract org.gradle.api.file.DirectoryProperty getTestPoliciesSourceDir()

The source directory containing test-specific policy .jguard files. Test policies extend embedded policies with additional permissions needed during testing (e.g., temp file access, thread creation for test frameworks). These policies are only applied when running tests, not in production.
All *.jguard files in this directory will be compiled to binary format and passed to the agent during test execution.
Default: src/test/jguard
Example usage:

    // File: src/test/jguard/io.mymodule.jguard
    security module io.mymodule {
        entitle io.mymodule.. to fs.write("/tmp", "**");
        entitle io.mymodule.. to threads.create;
    }
getTestPoliciesOutputDir

    public abstract org.gradle.api.file.DirectoryProperty getTestPoliciesOutputDir()

The output directory for compiled test policy .bin files.
Default: build/test-policies/
getAllowTrusted

    public abstract org.gradle.api.provider.Property<Boolean> getAllowTrusted()

Whether to allow trusted modules. Trusted modules bypass ALL capability checks. This is intended for native libraries (e.g., PyTorch, TensorFlow) that require unrestricted access and cannot be modified.
Security Warning: Only enable this in controlled environments where you trust the policy override files. Trusted modules can perform any operation without restriction.
To mark a module as trusted, create an override policy file:

    // File: policies-src/ai.djl.pytorch.jguard
    security module ai.djl.pytorch {
        trusted;
    }

Default: false
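As an added example (not part of the jGuard project or this plugin), a Python audit of a policy source directory before the plugin compiles it: it derives the .bin output names described under getExternalPoliciesSourceDir and lists which modules declare trusted;, since those bypass every capability check once allowTrusted is enabled. It assumes only the .jguard syntax shown on this page (security module, entitle ... to ..., trusted;); the regexes and the sample policy files are constructed here.

```python
import re
from pathlib import Path
from tempfile import TemporaryDirectory

# Assumed grammar (only what this page shows): a "security module" block holding
# "entitle <pkg>.. to <capability>;" lines and an optional "trusted;" marker.
MODULE_RE = re.compile(r"security\s+module\s+([\w.]+)\s*\{(.*?)\}", re.S)
ENTITLE_RE = re.compile(r"entitle\s+([\w.]+)\s+to\s+([^;]+);")
TRUSTED_RE = re.compile(r"\btrusted\s*;")

def bin_name(source: Path) -> str:
    """Output name the plugin derives from the source: io.netty.jguard -> io.netty.bin."""
    return source.with_suffix(".bin").name

def parse_policy(text: str) -> dict:
    """Extract module name, entitlements and the trusted flag from one .jguard file."""
    m = MODULE_RE.search(text)
    if not m:
        raise ValueError("no 'security module' block found")
    name, body = m.group(1), m.group(2)
    return {"module": name, "trusted": bool(TRUSTED_RE.search(body)),
            "entitlements": [(p, c.strip()) for p, c in ENTITLE_RE.findall(body)]}

def audit_dir(policy_dir: Path) -> list[dict]:
    """Parse every *.jguard file the plugin would compile into META-INF/jguard/external/."""
    findings = []
    for src in sorted(policy_dir.glob("*.jguard")):
        info = parse_policy(src.read_text())
        info["output"] = bin_name(src)
        findings.append(info)
    return findings

def trusted_modules(findings: list[dict]) -> list[str]:
    """Modules that bypass ALL capability checks; review these before enabling allowTrusted."""
    return [f["module"] for f in findings if f["trusted"]]

# Constructed sample policies, written to a temporary stand-in for src/main/jguard.
SAMPLES = {
    "io.netty.common.jguard": "security module io.netty.common {\n"
        "    entitle io.netty.common.. to threads.create;\n"
        "    entitle io.netty.common.. to network.outbound;\n}",
    "ai.djl.pytorch.jguard": "security module ai.djl.pytorch { trusted; }",
}

def demo() -> list[dict]:
    with TemporaryDirectory() as d:
        for fname, text in SAMPLES.items():
            (Path(d) / fname).write_text(text)
        return audit_dir(Path(d))
```

Running audit_dir against the real src/main/jguard directory gives the list of .bin files to expect under META-INF/jguard/external/ in the built JAR, and trusted_modules gives the set that a policy review should sign off on.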
getHotReload

    public abstract org.gradle.api.provider.Property<Boolean> getHotReload()

Whether to enable policy hot reload. When enabled, the agent watches for policy file changes and reloads them without requiring a JVM restart. This is useful for:
- Development: quickly iterate on policy definitions
- Operations: adjust permissions without service restarts
- Emergency response: rapidly restrict compromised modules
In discovery mode, hot reload watches the external policy override directory. In explicit policy mode, it watches both the policy file and the override directory.
Default: false
getHotReloadInterval

    public abstract org.gradle.api.provider.Property<Integer> getHotReloadInterval()

The interval in seconds between policy file checks when hot reload is enabled. Lower values provide faster response to changes but increase overhead. Higher values reduce overhead but delay detection of changes.
Default: 5 seconds