Spec-Zone .ru
спецификации, руководства, описания, API
|
|
Spec-Zone .ru
спецификации, руководства, описания, API
|
java.lang.SecurityManager
as the Default Security Manager
This document describes changes made to the security manager in the JDK that allow it to be used as-is as the default security manager in applications.
In JDK 1.1, local applications and correctly digitally signed applets were generally trusted to have full access to vital system resources, such as the file system, while unsigned applets were not trusted and could access only limited resources. A security manager was responsible for determining which resource accesses were allowed.The Java SE JDK security architecture is policy-based, and allows for fine-grained access control. When code is loaded, it is assigned "permissions" based on the security policy currently in effect. Each permission specifies a permitted access to a particular resource, such as "read" and "write" access to a specified file or directory, or "connect" access to a given host and port. The policy, specifying which permissions are available for code from various signers/locations, can be initialized from an external configurable policy file. Unless a permission is explicitly granted to code, it cannot access the resource that is guarded by that permission. These new concepts of permission and policy enable the JDK to offer fine-grain, highly configurable, flexible, and extensible access control. Such access control can now not only be specified for applets, but also for all Java code, including applications, beans, and servlets.
For more information on the Java security architecture, please see the security documentaton.
Security Manager Methods
The
SecurityManagerclass contains many methods with names that begin with the wordcheck. Examples arecheckReadandcheckConnect. Various methods in the Java libraries call acheckmethod before performing each potentially security-sensitive operation. The security manager is thereby given an opportunity to prevent completion of the operation by throwing an exception. A security manager routine simply returns if the operation is permitted, but throws a SecurityException if the operation is not permitted. The only exception to this convention ischeckTopLevelWindow, which returns a boolean value.The other main type of methods contained in the
SecurityManagerclass are those related to class loader existence and depth:
- currentClassLoader
- currentLoadedClass
- inClassLoader
- classLoaderDepth
Security Managers in JDK 1.1
In JDK 1.1, the classjava.lang.SecurityManagerwas an abstract class. The default implementations of the security managercheckmethods threw exceptions. The class loader and depth-related classes were appropriately implemented, often in native code.Any application (such as a browser) that wanted to install a security manager had to write their own, providing appropriate concrete implementations of the methods that threw exceptions by default -- primarily the
checkmethods.Security managers based on the JDK 1.1 applet security manager model typically based access control decisions on two things:
- Whether or not a class with a class loader (i.e., an applet in JDK 1.1) was on the stack.
- The class loader depth -- how far down the stack was the most recent occurrence of a method from a class defined using a class loader.
These types of decisions were made by calling the
SecurityManagermethods related to class loader existence and depth. For example, a typical 1.1-style security manager might have acheckExitmethod like the following:public void checkExit(int status) { if (inClassLoader()) { throw new SecurityException(..); } }Such a
checkExitmethod would not allowRuntime.exitto be called when any class defined with a class loader (an applet) was on the stack. This is an example of the first case, checking whether or not a class with a class loader is on the stack. An example of the second case (class loader depth) would be something like:
public void checkCreateClassLoader() { if (classLoaderDepth() == 2) { throw new SecurityException(); } }This method is saying that the class loader depth can't be 2. That is, the method that called the method that called
checkCreateClassLoadermust not be in a class defined with a class loader. For example, the constructor forjava.lang.ClassLoadercallscheckCreateClassLoader, which means the method that calls the constructor forjava.lang.ClassLoadermust not have a class loader. This means applets can't directly create class loaders.Note that there is a big difference between the two methods, even though both attempt to prevent applets from performing actions. In the first case,
checkExitwill throw an exception if an applet is anywhere on the stack. That means even built-in JDK code can't exit the VM if it was called from an applet. In the second case, JDK code is allowed to create a class loader, even if it was called by an applet. That is because the depth of a class with a class loader is used, and not the fact that there is one.Security Managers in the Java SE JDK
In the JDK, the classjava.lang.SecurityManagerhad a number of changes made to it in order to allow it to be used as the default security manager for applications. In particular:
- It is no longer an
abstractclass, and can thus be installed as-is.
- Most
checkmethods call a newcheckPermissionmethod, which by default calls the method of the same name (checkPermission) in the newAccessControllerclass. Those methods that don't callcheckPermissionhave reasonable defaults.
- Methods used in JDK 1.1 to determine if a class loader is on the stack and/or to calculate class loader depth have been modified in the JDK to ignore system class loaders and security contexts that have been granted
java.security.AllPermission.Installing
java.lang.SecurityManageras the Default Security ManagerSince
java.lang.SecurityManageris no longer abstract, you can install and use it as the default security manager. You can do this by setting a system property when launching the VM:java -Djava.security.manager YourAppAlternatively, your application can install it directly via the following line of code:System.setSecurityManager(new SecurityManager());You can customize the behavior of the default security manager by modifying policy files. See the security guide on policy files for more information.Changes to Methods For Class Loaders And Class Loader Depth
In the JDK, the
SecurityManagermethods related to class loaders and class loader depth are not called by any of thecheckmethods, and they are deprecated. They should not be used by any new security managers, and it is recommended that their use be eliminated from existing security managers as well. However, they are left in for backward compatibility and they have been modified in an attempt to enable old 1.1-style security managers to still work under the JDK, without modification.These methods are:
- currentClassLoader
- currentLoadedClass
- inClassLoader
- classLoaderDepth
Modification of Class Loader/Depth-related Methods
The class loader/depth related methods have all been modified in three ways:
- These methods skip system class loaders. A system class loader is defined as being a class loader that is equal to the system class loader (as returned by
ClassLoader.getSystemClassLoader) or one of its ancestors.Since classes loaded by the system class loader include application classes (loaded off of
CLASSPATH), extension classes, and the built-in JDK classes, this modification enables these methods to ignore such code.
Note that if you run an application that installs a custom security manager, and that security manager is loaded off of
CLASSPATHin the JDK, it will have a system class loader associated with it. (Application classes did not have a class loader in JDK 1.1.) If you were to call a method likeclassLoaderDepthfrom within the custom security manager, and that method were not modified to ignore classes loaded by a system class loader, it would always return 0, which would not be very useful. Similarly, if class loader methods weren't changed to skip system classes and a custom security manager was loaded off ofCLASSPATH, then this might also open up security holes in cases where the security manager is making decisions based on, for example, disallowing an operation if "classLoaderDepth() == 2". (It should really be "classLoaderDepth() <= 2".)
- These methods stop checking after they reach a method on the stack that has been marked as "privileged." (See java.security.AccessController.doPrivileged() and API for Privileged Blocks.)
- These methods treat security contexts that have been granted
AllPermissionas if there is no class loader on the stack.As an example of the use of the first two modifications, note that there are now places in the JDK that open files, etc., after a security manager has been installed. Some 1.1-style security managers have a
checkReadmethod that looks like the following:public void checkRead(String file) { if (inClassLoader()) { throw new SecurityException(..); } }Without JDK code modifications, such a check run in the JDK would cause a security exception to be thrown when the JDK itself tries to read a file and there is a class with a non-system class loader on the stack. With the new security model, all such JDK code that tries to perform an operation that its caller might not be allowed to do has a
doPrivilegedblock around it. SinceinClassLoaderjust examines the stack up to and including the frame containing the "privileged" code, and the code at the top of the stack is JDK code, which is loaded by the system class loader or one of its ancestors, theinClassLoadermethod will returnfalse, allowing the read to occur.Maintenance of Class Loader Depths
As noted previously, security managers based on the 1.1 applet security manager based some of their access control decisions on class loader depth. As an example, the
checkCreateClassLoadermethod previously presented is repeated here:public void checkCreateClassLoader() { if (classLoaderDepth() == 2) { throw new SecurityException(); } }In the JDK we have attempted to maintain the stack depth as used in 1.1-style security managers. For example, the constructor for java.security.SecureClassLoader has an explicit call toSecurityManager.checkCreateClassLoadereven though the constructor for its super class (ClassLoader) also does. If the check was not placed in the constructor forSecureClassLoader, then a 1.1-style security manager would allow untrusted code to extendSecureClassLoaderand construct class loaders, as the class loader depth would always be greater than 2.
First and foremost, we highly recommend analyzing all your custom security manager methods before running your security manager under the JDK. Failure to do so could result in a security hole or prevent the proper operation of the JDK. This is due to the fragile nature of 1.1-style security managers.
Where possible, you should just use the default implementation of the 1.2
SecurityManager. This helps give users and administrators consistent behavior. If this is not possible, then you should at least try to callsuper.checkXXXin yourcheckXXXmethod before throwing a security exception. Doing so will allow the access controller algorithm to be used, and will allow the JDK itself to function correctly.In the JDK, any existing code that used to call any of the
SecurityManager checkmethods continues to do so. For new code that requires a security check, calls are made toSecurityManager.checkPermissioninstead of adding a newSecurityManager checkmethod. For example, the newjava.lang.System.setPropertymethod callscheckPermissionwith ajava.util.PropertyPermissionpermission.When extending the SecurityManager class and overriding existing methods, some care should be taken. For example, if you override the
checkRead(String file)method so it always throws a security exception, then the JDK itself may fail to operate properly. That is, if some JDK code needs to open a file (to read a properties file, load a JAR file, etc.) then throwing a security exception for every read attempt would cause such opens to always fail.In general, you should only override the default methods if you intend to loosen security, not to make it stronger. If you want to tighten security, you should modify the default policy files and/or install a custom
java.security.Policyobject. See the security guide on policy files for more information.In general, when overriding security manager methods you should place a call to the
super.checkXXXmethod at the point where your overriddencheckXXXmethod would throw an exception. For example:public class MySecurityManager extends SecurityManager { public void checkRead(String file) { if (someCustomSecurityCheckFails()) { super.checkRead(file); } } }If your custom security check fails, thensuper.checkReadgets called. The default implementation ofcheckReadinvokescheckPermission, which by default consults theAccessController. By invoking theAccessController, system code that has done anAccessController.doPrivilegedbefore trying to read a file will succeed in reading that file. All other code will be subjected to the current policy in effect, and an access control exception will be thrown if access to that file has not been granted.Note, there are some
checkXXXmethods in which you should not callsuper.checkXXXmethods when overriding them. That is because the default implementation of these methods may not be as strict as the policy you are implementing in the overridden method. For example, the defaultcheckAccess(ThreadGroup g)method only protects the system thread group. If you intend to protect threads in distinct thread groups from each other (for example applet thread groups), then you would not want to callsuper.checkAccessat the point you would normally throw a security exception, as that would defeat the purpose of your customized check. Instead, you could place a call tosuper.checkAccessas the first statement in your overridden method.For example:
public class AppletSecurityManager extends SecurityManager { public void checkAccess(ThreadGroup g) { // a call to super will throw an exception if someone // is trying to modify the system thread group super.checkAccess(g); ... // now perform checks based on which applet thread group // the current caller is in to see if they can modify thread group g. ... }We describe how to override each method in the following section.
This section lists changes made tojava.lang.SecurityManagermethods in the JDK and provides suggestions regarding any overrides you may wish to make. Please see the Java documentation for theSecurityManagerclass for more information on these methods.protected boolean inCheck
This field has been deprecated, and any uses of this field within the JDK itself have been removed. Instead of using inCheck, you should use
checkPermissionalong withdoPrivileged.public boolean getInCheck();
This method has also been deprecated.
public SecurityManager();
The constructor has been modified to allow multiple SecurityManagers to be created, assuming the caller has the
RuntimePermission("createSecurityManager")permission.protected native Class[] getClassContext();
No changes. This call can be used to emulate the 1.1 behavior of the methods that have been changed in the JDK (
currentClassLoader,currentLoadedClass,classLoaderDepth,inClassLoader).protected ClassLoader currentClassLoader();
The typical use of this method in JDK 1.1-style security managers was to see if there was a class loader on the stack, and if not, treat the code as "trusted" and allow it to do anything. This method has been modified in the JDK to allow trusted JDK code (actually any code granted
java.security.AllPermission) that callsdoPrivilegedto be treated as trusted by 1.1-style security managers. It has also been modified to skip system class loaders. A system class loader is defined as being a class loader that is equal to the system class loader (as returned by ClassLoader.getSystemClassLoader) or one of its ancestors.This method will return
nullin the following three cases:
- All methods on the execution stack are from classes defined using the system class loader or one of its ancestors.
- All methods on the execution stack up to the first "privileged" caller (see java.security.AccessController.doPrivileged) are from classes defined using the system class loader or one of its ancestors.
- A call to checkPermission with
java.security.AllPermissiondoes not result in a SecurityException.This method has been deprecated. Use
checkPermissioninstead.protected Class currentLoadedClass();
This method has been modified in the same fashion as
currentClassLoader, and will returnnullif the current security context has been grantedAllPermissionor all the methods on the stack (up to the first privileged caller, if any) are from classes defined using the system class loader or one of its ancestors.This method has been deprecated. Use
checkPermissioninstead.protected int classDepth(String name);
No changes in behavior. This method has been deprecated. Use
checkPermissioninstead.protected int classLoaderDepth();
This method has been modified in the same fashion as
currentClassLoader, and will return-1if the current security context has been grantedAllPermissionor all the methods on the stack (up to the first privileged caller, if any) are from classes defined using the system class loader or one of its ancestors.This method has been deprecated. Use
checkPermissioninstead.protected boolean inClass(String name);
No changes in behavior. This method has been deprecated. Use
checkPermissioninstead.protected boolean inClassLoader();
This method returns true if
currentClassLoaderreturns a non-null class loader, so it follows the same semantics thatcurrentClassLoaderdoes.This method has been deprecated. Use
checkPermissioninstead.public Object getSecurityContext();
This method returns a
java.security.AccessControlContextobject that is created with a call tojava.security.AccessController.getContext. In JDK1.1 it returnednullby default.public void checkPermission(Permission perm);
This method is new in the JDK. It calls
java.security.AccessController.checkPermissionwith the given permission. Internally, the JDK always callsSecurityManager.checkPermissioninstead of calling theAccessControllerdirectly. This allows people to override this method to provide additional functionality such as auditing and/or GUI dialogs.public void checkPermission(Permission perm, Object context);
This method is new in the JDK. If
contextis an instance ofAccessControlContextthen theAccessControlContext.checkPermissionmethod will be invoked on the given context with the specified permission.If
contextis not an instance ofAccessControlContextthen aSecurityExceptionis thrown.public void checkCreateClassLoader();
This method has been modified to call
checkPermissionwith theRuntimePermission("createClassLoader")permission.If this method is overridden, then a call to
super.checkCreateClassLoadershould be made at the point the overridden method would normally throw an exception. For example:public class MySecurityManager extends SecurityManager { public void checkCreateClassLoader() { if (someCustomSecurityCheckFails()) { super.checkCreateClassLoader(); } } }public void checkAccess(Thread t);
If the thread argument is a system thread (belongs to the thread group with a
nullparent) then this method callscheckPermissionwith theRuntimePermission("modifyThread")permission.Applications that want a stricter policy should override this method.
If this method is overridden, then
super.checkAccessshould be called by the first statement in the overridden method, or the equivalent security check should be placed in the overridden method.If this method is overridden, the method that overrides it should additionally check to see if the calling thread has the
RuntimePermission("modifyThread")permission, and if so, return silently. This is to ensure that code granted that permission (such as the JDK itself) is allowed to manipulate any thread.For example:
public class MySecurityManager extends SecurityManager { public void checkAccess(Thread t) { // a call to super will throw an exception if someone // is trying to modify a system thread super.checkAccess(t); ... if (someCustomSecurityCheckForOtherThreadsFails()) { // if the check fails, instead of throwing an exception, // call checkPermission, which will throw an exception // if need be checkPermission(new RuntimePermission("modifyThread")); } ... } }public void checkAccess(ThreadGroup g);
If the thread group argument is the system thread group (has a
nullparent) then this method callscheckPermissionwith theRuntimePermission("modifyThreadGroup")permission.Applications that want a stricter policy should override this method.
If this method is overridden, then
super.checkAccessshould be called by the first statement in the overridden method, or the equivalent security check should be placed in the overridden method.If this method is overridden, the method that overrides it should additionally check to see if the caller has the
RuntimePermission("modifyThreadGroup")permission, and if so, return silently. This is to ensure that code granted that permission (such as the JDK itself) is allowed to manipulate any thread group.For example:
public class MySecurityManager extends SecurityManager { public void checkAccess(ThreadGroup g) { // a call to super will throw an exception if someone // is trying to modify the system thread group super.checkAccess(g); ... if (someCustomSecurityCheckForOtherThreadGroupsFails()) { // if the check fails, instead of throwing an exception, // call checkPermission, which will throw an exception // if need be checkPermission(new RuntimePermission("modifyThreadGroup")); } ... } }public void checkExit(int status);
This method has been modified to call
checkPermissionwith theRuntimePermission("exitVM")permission.If this method is overridden, then a call to
super.checkExitshould be made at the point the overridden method would normally throw an exception. For example:public class MySecurityManager extends SecurityManager { public void checkExit(int status) { if (someCustomSecurityCheckFails()) { super.checkExit(status); } } }public void checkExec(String cmd);
This method has been modified to call
checkPermissionwith aFilePermission. If thecmdis an absolute path (seejava.io.File.isAbsolute) then it is passed as-is as the target for theFilePermission. Ifcmdis not absolute, then the special target "<<ALL FILES>>" is used. This target is used because it is difficult to determine the actual path of the command that will be executed on an individual platform due to things such as environment variables, etc.If this method is overridden, then a call to
super.checkExecshould be made at the point the overridden method would normally throw an exception. For example:public class MySecurityManager extends SecurityManager { public void checkExec(String cmd) { if (someCustomSecurityCheckFails()) { super.checkExec(cmd); } } }public void checkLink(String lib);
This method has been modified to call
checkPermissionwith theRuntimePermission("loadLibrary."+lib)permission.If this method is overridden, then a call to
super.checkLinkshould be made at the point the overridden method would normally throw an exception. For example:public class MySecurityManager extends SecurityManager { public void checkLink(String lib) { if (someCustomSecurityCheckFails()) { super.checkLink(lib); } } }public void checkRead(FileDescriptor fd);
This method has been modified to call
checkPermissionwith theRuntimePermission("readFileDescriptor")permission.If this method is overridden, then a call to
super.checkReadshould be made at the point the overridden method would normally throw an exception. For example:public class MySecurityManager extends SecurityManager { public void checkRead(FileDescriptor fd) { if (someCustomSecurityCheckFails()) { super.checkRead(fd); } } }public void checkRead(String file);
This method has been modified to call
checkPermissionwith theFilePermission(file,"read")permission.If this method is overridden, then a call to
super.checkReadshould be made at the point the overridden method would normally throw an exception. For example:public class MySecurityManager extends SecurityManager { public void checkRead(String file) { if (someCustomSecurityCheckFails()) { super.checkRead(file); } } }public void checkRead(String file, Object context);
This method has been modified. If
contextis an instance ofAccessControlContextthen theAccessControlContext.checkPermissionmethod will be invoked on the given context with theFilePermission(file,"read")permission.If
contextis not an instance ofAccessControlContextthen aSecurityExceptionis thrown.If this method is overridden, then a call to
super.checkReadshould be made at the point the overridden method would normally throw an exception. For example:public class MySecurityManager extends SecurityManager { public void checkRead(String file, Object context) { if (someCustomSecurityCheckFails()) { super.checkRead(file, context); } } }public void checkWrite(FileDescriptor fd);
This method has been modified to call
checkPermissionwith theRuntimePermission("writeFileDescriptor")permission.If this method is overridden, then a call to
super.checkWriteshould be made at the point the overridden method would normally throw an exception. For Example:public class MySecurityManager extends SecurityManager { public void checkWrite(FileDescriptor fd) { if (someCustomSecurityCheckFails()) { super.checkWrite(fd); } } }public void checkWrite(String file);
This method has been modified to call
checkPermissionwith theFilePermission(file,"write")permission.If this method is overridden, then a call to
super.checkWriteshould be made at the point the overridden method would normally throw an exception. For example:public class MySecurityManager extends SecurityManager { public void checkWrite(String file) { if (someCustomSecurityCheckFails()) { super.checkWrite(file); } } }public void checkDelete(String file);
This method has been modified to call
checkPermissionwith theFilePermission(file,"delete")permission.If this method is overridden, then a call to
super.checkDeleteshould be made at the point the overridden method would normally throw an exception. For example:public class MySecurityManager extends SecurityManager { public void checkDelete(String file) { if (someCustomSecurityCheckFails()) { super.checkDelete(file); } } }public void checkConnect(String host, int port);
This method has been modified to call
checkPermissionwith theSocketPermission(host+":"+port,"connect")permission if the port is not equal to -1. If the port is equal to -1, then it callscheckPermissionwith theSocketPermission(host,"resolve")permission.This behavior is consistent with JDK 1.1, where a port equal to -1 indicates that an IP address lookup is being performed.
If this method is overridden, then a call to
super.checkConnectshould be made at the point the overridden method would normally throw an exception. For example:public class MySecurityManager extends SecurityManager { public void checkConnect(String host, int port) { if (someCustomSecurityCheckFails()) { super.checkConnect(host, port); } } }public void checkConnect(String host, int port, Object context);
This method has been modified. If
contextis an instance ofAccessControlContextthen theAccessControlContext.checkPermissionmethod will be invoked on the given context with theSocketPermission(host+":"+port,"connect")permission if the port is not equal to -1. If the port is equal to -1, then it callscheckPermissionwith theSocketPermission(host,"resolve")permission.If
contextis not an instance ofAccessControlContextthen aSecurityExceptionis thrown.If this method is overridden, then a call to
super.checkConnectshould be made at the point the overridden method would normally throw an exception. For example:public class MySecurityManager extends SecurityManager { public void checkConnect(String host, int port, Object context) { if (someCustomSecurityCheckFails()) { super.checkConnect(host, port, context); } } }public void checkListen(int port)
This method has been modified. If port is not 0, it calls
checkPermissionwith theSocketPermission("localhost:"+port,"listen"). If port is zero, it callscheckPermissionwithSocketPermission("localhost:1024-","listen").If this method is overridden, then a call to
super.checkListenshould be made at the point the overridden method would normally throw an exception. For example:public class MySecurityManager extends SecurityManager { public void checkListen(int port) { if (someCustomSecurityCheckFails()) { super.checkListen(port); } } }public void checkAccept(String host, int port);
This method has been modified to call
checkPermissionwith theSocketPermission(host+":"+port,"accept")permission.If this method is overridden, then a call to
super.checkAcceptshould be made at the point the overridden method would normally throw an exception. For example:public class MySecurityManager extends SecurityManager { public void checkAccept(String host, int port) { if (someCustomSecurityCheckFails()) { super.checkAccept(host, port); } } }public void checkMulticast(InetAddress maddr);
This method has been modified to call
checkPermissionwith theSocketPermission(maddr.getHostAddress(),"accept,connect")permission.If this method is overridden, then a call to
super.checkMulticastshould be made at the point the overridden method would normally throw an exception. For example:public class MySecurityManager extends SecurityManager { public void checkMultiCast(InetAddress maddr) { if (someCustomSecurityCheckFails()) { super.checkMultiCast(maddr); } } }public void checkMulticast(InetAddress maddr, byte ttl);
This method has been modified to call
checkPermissionwith theSocketPermission(maddr.getHostAddress(),"accept,connect")permission.If this method is overridden, then a call to
super.checkMulticastshould be made at the point the overridden method would normally throw an exception. For example:public class MySecurityManager extends SecurityManager { public void checkMultiCast(InetAddress maddr, byte ttl) { if (someCustomSecurityCheckFails()) { super.checkMultiCast(maddr, ttl); } } }public void checkPropertiesAccess();
This method has been modified to call
checkPermissionwith thePropertyPermission("*", "read,write")permission.If this method is overridden, then a call to
super.checkPropertiesAccessshould be made at the point the overridden method would normally throw an exception. For example:public class MySecurityManager extends SecurityManager { public void checkPropertiesAccess() { if (someCustomSecurityCheckFails()) { super.checkPropertiesAccess(); } } }public void checkPropertyAccess(String key);
This method has been modified to call
checkPermissionwith thePropertyPermission(key, "read")permission.If this method is overridden, then a call to
super.checkPropertyAccessshould be made at the point the overridden method would normally throw an exception. For example:public class MySecurityManager extends SecurityManager { public void checkPropertyAccess(String key) { if (someCustomSecurityCheckFails()) { super.checkPropertiesAccess(key); } } }public boolean checkTopLevelWindow(Object window);
This method has been modified to call
checkPermissionwith theAWTPermission("showWindowWithoutWarningBanner")permission, and returns true if an SecurityException is not thrown, otherwise it returns false.If this method is overridden, then a call to
super.checkTopLevelWindowshould be made at the point the overridden method would normally return false, and the value ofsuper.checkTopLevelWindowshould be returned. For example:public class MySecurityManager extends SecurityManager { public void checkTopLevelWindow(Object window) { if (someCustomSecurityCheckFails()) { return super.checkTopLevelWindow(window); } else { return true; } } }public void checkPrintJobAccess();
This method has been modified to call
checkPermissionwith theRuntimePermission("queuePrintJob")permission.If this method is overridden, then a call to
super.checkPrintJobAccessshould be made at the point the overridden method would normally throw an exception. For example:public class MySecurityManager extends SecurityManager { public void checkPrintJobAccess() { if (someCustomSecurityCheckFails()) { super.checkPrintJobAccess(); } } }public void checkSystemClipboardAccess();
This method has been modified to call
checkPermissionwith theAWTPermission("accessClipboard")permission.If this method is overridden, then a call to
super.checkSystemClipboardAccessshould be made at the point the overridden method would normally throw an exception. For example:public class MySecurityManager extends SecurityManager { public void checkSystemClipboardAccess() { if (someCustomSecurityCheckFails()) { super.checkSystemClipboardAccess(); } } }public void checkAwtEventQueueAccess();
This method has been modified to call
checkPermissionwith theAWTPermission("accessEventQueue")permission.If this method is overridden, then a call to
super.checkAwtEventQueueAccessshould be made at the point the overridden method would normally throw an exception. For example:public class MySecurityManager extends SecurityManager { public void checkAwtEventQueueAccess() { if (someCustomSecurityCheckFails()) { super.checkAwtEventQueueAccess(); } } }public void checkPackageAccess(String pkg);
This method has been modified. It first gets a list of restricted packages by obtaining a comma-separated list from a call to
java.security.Security.getProperty("package.access"), and checks to see ifpkgstarts with or equals any of the restricted packages. If it does, thencheckPermissiongets called with theRuntimePermission("accessClassInPackage."+pkg)permission.If this method is overridden, then
super.checkPackageAccessshould be called as the first line in the overridden method. For example:public class MySecurityManager extends SecurityManager { public void checkPackageAccess(String pkg) { super.checkPackageAccess(pkg); ... someCustomSecurityCheck(); ... } }public void checkPackageDefinition(String pkg);
This method has been modified. It first gets a list of restricted packages by obtaining a comma-separated list from a call to
java.security.Security.getProperty("package.definition"), and checks to see ifpkgstarts with or equals any of the restricted packages. If it does, thencheckPermissiongets called with theRuntimePermission("defineClassInPackage."+pkg)permission.If this method is overridden, then
super.checkPackageDefinitionshould be called as the first line in the overridden method. For example:public class MySecurityManager extends SecurityManager { public void checkPackageDefinition(String pkg) { super.checkPackageDefinition(pkg); ... someCustomSecurityCheck(); ... } }public void checkSetFactory();
This method has been modified to call
checkPermissionwith theRuntimePermission("setFactory")permission.If this method is overridden, then a call to
super.checkSetFactoryshould be made at the point the overridden method would normally throw an exception. For example:public class MySecurityManager extends SecurityManager { public void checkSetFactory() { if (someCustomSecurityCheckFails()) { super.checkSetFactory(); } } }public void checkMemberAccess(Class clazz, int which);
This method has been modified. The default policy is to allow access to PUBLIC members, as well as access to classes that have the same class loader as the caller. In all other cases call
checkPermissionwith theRuntimePermission("accessDeclaredMembers")permission.If this method is overridden, then a call to
super.checkMemberAccesscannot be made, as the default implementation ofcheckMemberAccessrelies on the code being checked being at a stack depth of 4. For example:someCaller[3] java.lang.Class.someReflectionAPI [2] java.lang.Class.checkMemberAccess [1] SecurityManager.checkMemberAccess [0]In order to emulate this behavior, you would need to callgetClassContext, and examine the class loader of the class at index 3, just as the defaultcheckMemberAccessmethod does:if (which != Member.PUBLIC) { Class stack[] = getClassContext(); /* * stack depth of 4 should be the caller of one of the * methods in java.lang.Class that invoke checkMember * access. The stack should look like: * * someCaller [3] * java.lang.Class.someReflectionAPI [2] * java.lang.Class.checkMemberAccess [1] * MySecurityManager.checkMemberAccess [0] * */ if ((stack.length<4) || (stack[3].getClassLoader() != clazz.getClassLoader())) { if (checkMemberAccessPermission == null) checkMemberAccessPermission = new RuntimePermission("accessDeclaredMembers"); checkPermission(checkMemberAccessPermission); } }This is the only security manager method in the JDK that is still based on a caller's depth. This is to allow a caller to reflect on classes from the same class loader it came from.
public void checkSecurityAccess(String target);
This method has been modified to create a
SecurityPermissionobject for the given permission target name and callscheckPermissionwith it.If this method is overridden, then a call to
super.checkSecurityAccessshould be made at the point the overridden method would normally throw an exception. For example:public class MySecurityManager extends SecurityManager { public void checkSecurityAccess(String target) { if (someCustomSecurityCheckFails()) { super.checkSecurityAccess(target); } } }public ThreadGroup getThreadGroup();
This method has not been changed.
Copyright © 1997-2001 All Rights Reserved.
Please send comments to: java-security@sun.com. This is not a subscription list.
Java Software