Java Security



SecurityManager class

Each running JVM has at most one SecurityManager installed. SecurityManager is a class in the java.lang package, so you can subclass it and install your own security manager with the System.setSecurityManager() method. Once a manager is installed, it cannot be replaced: if a program has already set the security manager, a SecurityException will be thrown if another attempt is made. This means no one can maliciously alter its function by replacing it.

 

What it allows you to do:

  • establish a security policy so that you can trust or restrict the operations of a Java program
  • restrict file I/O
  • restrict network connections
  • restrict access to native code
  • restrict launching of other processes

 

The process:

  • The Java program attempts to do an operation that may be restricted.
  • It checks with the SecurityManager to see if the operation is allowable or denied.
  • If permission is granted, then the operation is performed.
  • If permission is denied, a SecurityException is thrown. This is a RuntimeException, so the operation does not need to be within a try/catch block.

Tip to create your own SecurityManager class

  • When creating your own SecurityManager, you normally do not subclass SecurityManager directly. Instead, most people create a NullSecurityManager that extends SecurityManager but opens access to everything, and then subclass this manager, overriding the checks they wish to restrict.
  • Go to java.sun.com for more tips.
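
The check-then-throw process and the NullSecurityManager tip above, as an added example (not code from the original page). The class names, the `.secret` file rule and the `attempt` helper are hypothetical. It assumes a JDK that still permits `System.setSecurityManager()` (JDK 17 or earlier; from JDK 18 the call is disallowed by default).

```java
import java.io.FileInputStream;
import java.security.Permission;
import java.util.concurrent.Callable;

public class SecurityManagerDemo {
    // Opens access to everything: the specific checkXxx methods inherited from
    // SecurityManager delegate to checkPermission, which is a no-op here.
    static class NullSecurityManager extends SecurityManager {
        @Override public void checkPermission(Permission perm) { }
        @Override public void checkPermission(Permission perm, Object context) { }
    }

    // Overrides only the checks to restrict (the rules are constructed for this demo).
    static class RestrictedManager extends NullSecurityManager {
        @Override public void checkExec(String cmd) {
            throw new SecurityException("launching processes is denied");
        }
        @Override public void checkRead(String file) {
            if (file.endsWith(".secret")) throw new SecurityException("read denied");
        }
        @Override public void checkPermission(Permission perm) {
            // An allow-all manager would also allow its own replacement, so deny it.
            if (perm instanceof RuntimePermission && "setSecurityManager".equals(perm.getName()))
                throw new SecurityException("security manager is already installed");
        }
    }

    // Runs one operation and reports whether the installed manager let it through.
    static String attempt(Callable<?> op) {
        try { op.call(); return "allowed"; }
        catch (SecurityException e) { return "denied (" + e.getMessage() + ")"; }
        catch (Exception e) { return "allowed, but failed: " + e; }
    }

    public static void main(String[] args) {
        System.setSecurityManager(new RestrictedManager());
        System.out.println("read property:   " + attempt(() -> System.getProperty("user.dir")));
        System.out.println("launch process:  " + attempt(() -> new ProcessBuilder("ls").start()));
        System.out.println("read .secret:    " + attempt(() -> new FileInputStream("notes.secret")));
        System.out.println("replace manager: " + attempt(() -> {
            System.setSecurityManager(new NullSecurityManager());
            return null;
        }));
    }
}
```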

 

     
© Lynne Grewe