Java Security Manager
Java SecurityManager javadoc:
/**
* The security manager is a class that allows
* applications to implement a security policy. It allows an
* application to determine, before performing a possibly unsafe or
* sensitive operation, what the operation is and whether
* it is being attempted in a security context that allows the
* operation to be performed. The
* application can allow or disallow the operation.
* <p>
* The <code>SecurityManager</code> class contains many methods with
* names that begin with the word <code>check</code>. These methods
* are called by various methods in the Java libraries before those
* methods perform certain potentially sensitive operations. The
* invocation of such a <code>check</code> method typically looks like this:
* <p><blockquote><pre>
* SecurityManager security = System.getSecurityManager();
* if (security != null) {
* security.check<i>XXX</i>(argument, . . . );
* }
* </pre></blockquote>
* <p>
* The security manager is thereby given an opportunity to prevent
* completion of the operation by throwing an exception. A security
* manager routine simply returns if the operation is permitted, but
* throws a <code>SecurityException</code> if the operation is not
* permitted. The only exception to this convention is
* <code>checkTopLevelWindow</code>, which returns a
* <code>boolean</code> value.
* <p>
* The current security manager is set by the
* <code>setSecurityManager</code> method in class
* <code>System</code>. The current security manager is obtained
* by the <code>getSecurityManager</code> method.
* <p>
* The special method
* {@link SecurityManager#checkPermission(java.security.Permission)}
* determines whether an access request indicated by a specified
* permission should be granted or denied. The
* default implementation calls
*
* <pre>
* AccessController.checkPermission(perm);
* </pre>
*
* <p>
* If a requested access is allowed,
* <code>checkPermission</code> returns quietly. If denied, a
* <code>SecurityException</code> is thrown.
* <p>
* As of Java 2 SDK v1.2, the default implementation of each of the other
* <code>check</code> methods in <code>SecurityManager</code> is to
* call the <code>SecurityManager checkPermission</code> method
* to determine if the calling thread has permission to perform the requested
* operation.
* <p>
* Note that the <code>checkPermission</code> method with
* just a single permission argument always performs security checks
* within the context of the currently executing thread.
* Sometimes a security check that should be made within a given context
* will actually need to be done from within a
* <i>different</i> context (for example, from within a worker thread).
* The {@link SecurityManager#getSecurityContext getSecurityContext} method
* and the {@link SecurityManager#checkPermission(java.security.Permission,
* java.lang.Object) checkPermission}
* method that includes a context argument are provided
* for this situation. The
* <code>getSecurityContext</code> method returns a "snapshot"
* of the current calling context. (The default implementation
* returns an AccessControlContext object.) A sample call is
* the following:
*
* <pre>
* Object context = null;
* SecurityManager sm = System.getSecurityManager();
* if (sm != null) context = sm.getSecurityContext();
* </pre>
*
* <p>
* The <code>checkPermission</code> method
* that takes a context object in addition to a permission
* makes access decisions based on that context,
* rather than on that of the current execution thread.
* Code within a different context can thus call that method,
* passing the permission and the
* previously-saved context object. A sample call, using the
* SecurityManager <code>sm</code> obtained as in the previous example,
* is the following:
*
* <pre>
* if (sm != null) sm.checkPermission(permission, context);
* </pre>
*
* <p>Permissions fall into these categories: File, Socket, Net,
* Security, Runtime, Property, AWT, Reflect, and Serializable.
* The classes managing these various
* permission categories are <code>java.io.FilePermission</code>,
* <code>java.net.SocketPermission</code>,
* <code>java.net.NetPermission</code>,
* <code>java.security.SecurityPermission</code>,
* <code>java.lang.RuntimePermission</code>,
* <code>java.util.PropertyPermission</code>,
* <code>java.awt.AWTPermission</code>,
* <code>java.lang.reflect.ReflectPermission</code>, and
* <code>java.io.SerializablePermission</code>.
*
* <p>All but the first two (FilePermission and SocketPermission) are
* subclasses of <code>java.security.BasicPermission</code>, which itself
* is an abstract subclass of the
* top-level class for permissions, which is
* <code>java.security.Permission</code>. BasicPermission defines the
* functionality needed for all permissions that contain a name
* that follows the hierarchical property naming convention
* (for example, "exitVM", "setFactory", "queuePrintJob", etc).
* An asterisk
* may appear at the end of the name, following a ".", or by itself, to
* signify a wildcard match. For example: "a.*" or "*" is valid,
* "*a" or "a*b" is not valid.
*
* <p>FilePermission and SocketPermission are subclasses of the
* top-level class for permissions
* (<code>java.security.Permission</code>). Classes like these
* that have a more complicated name syntax than that used by
* BasicPermission subclass directly from Permission rather than from
* BasicPermission. For example,
* for a <code>java.io.FilePermission</code> object, the permission name is
* the path name of a file (or directory).
*
* <p>Some of the permission classes have an "actions" list that tells
* the actions that are permitted for the object. For example,
* for a <code>java.io.FilePermission</code> object, the actions list
* (such as "read, write") specifies which actions are granted for the
* specified file (or for files in the specified directory).
*
* <p>Other permission classes are for "named" permissions -
* ones that contain a name but no actions list; you either have the
* named permission or you don't.
*
* <p>Note: There is also a <code>java.security.AllPermission</code>
* permission that implies all permissions. It exists to simplify the work
* of system administrators who might need to perform multiple
* tasks that require all (or numerous) permissions.
* <p>
* See <a href ="../../../technotes/guides/security/permissions.html">
* Permissions in the JDK</a> for permission-related information.
* This document includes, for example, a table listing the various SecurityManager
* <code>check</code> methods and the permission(s) the default
* implementation of each such method requires.
* It also contains a table of all the version 1.2 methods
* that require permissions, and for each such method tells
* which permission it requires.
* <p>
* For more information about <code>SecurityManager</code> changes made in
* the JDK and advice regarding porting of 1.1-style security managers,
* see the <a href="../../../technotes/guides/security/index.html">security documentation</a>.
*
* @author Arthur van Hoff
* @author Roland Schemers
*
* @version %I%, %G%
* @see java.lang.ClassLoader
* @see java.lang.SecurityException
* @see java.lang.SecurityManager#checkTopLevelWindow(java.lang.Object)
* checkTopLevelWindow
* @see java.lang.System#getSecurityManager() getSecurityManager
* @see java.lang.System#setSecurityManager(java.lang.SecurityManager)
* setSecurityManager
* @see java.security.AccessController AccessController
* @see java.security.AccessControlContext AccessControlContext
* @see java.security.AccessControlException AccessControlException
* @see java.security.Permission
* @see java.security.BasicPermission
* @see java.io.FilePermission
* @see java.net.SocketPermission
* @see java.util.PropertyPermission
* @see java.lang.RuntimePermission
* @see java.awt.AWTPermission
* @see java.security.Policy Policy
* @see java.security.SecurityPermission SecurityPermission
* @see java.security.ProtectionDomain
*
* @since JDK1.0
*/
Grant the Required Permissions
Here is a sample of java policy file:
/** Java 2 Access Control Policy for the JAAS Sample Application **/
/* grant the sample LoginModule permissions */
grant codebase "file:./SampleLM.jar" {
permission javax.security.auth.AuthPermission "modifyPrincipals";
};
grant codebase "file:./SampleAcn.jar" {
permission javax.security.auth.AuthPermission "createLoginContext.Sample";
};
Default Policy Implementation and Policy File Syntax
Please refer to java doc: Default Policy Implementation and Policy File Syntax.
Permissions in the Java
Please refer to java doc: Permissions in the JavaTM 2 SDK.
分享到:
相关推荐
6. **安全管理**:JAAS提供了安全管理器(SecurityManager),它监控并控制Java应用程序的行为,确保只有被授权的操作才能被执行。 在实际开发中,理解JAAS的工作原理和配置方式至关重要。例如,开发者需要知道如何...
* 高性能:Java 的确是高性能的,事实上,Java 的运行速度随着 JIT(Just-In-Time)编译器技术的发展越来越接近于 C++。 * 多线程性:在 Java 语言中,线程是一种特殊的对象,它必须由 Thread 类或其子(孙)类来...
现代Java引入了JIT(Just-In-Time)编译器,使得性能接近于编译型语言。 - **多线程**:Java内建了对多线程的支持,允许并发执行多个任务。通过Thread类或实现Runnable接口可以创建线程,同时提供同步机制(如`...
JIT(Just-In-Time)编译器是Java运行时环境的一部分,它可以在运行时将Java字节码转换为本地机器码,以提高程序的运行效率。 最后,报告中提到了AWT事件处理模型,这是Java GUI编程中处理用户输入的方式之一。通过...
Java的安全模型由`SecurityManager`抽象类来实现,它允许开发者定义并实施各种安全策略。`SecurityManager`包含多个`check`方法,用于检查特定操作是否被允许,比如访问网络、读写文件或创建线程。`System....
`System`类提供了系统级的服务,如标准输入、输出流,以及全局变量`out`、`err`和`in`。 `Thread`类是多线程编程的基础,它定义了线程的行为和生命周期。`ThreadGroup`用于管理一组线程,而`ThreadLocal`提供线程...
1. **I/O流**:Java中的I/O流是数据传输的基础,包括标准输入流`InputStream in`、标准输出流`PrintStream out`和标准错误输出流`PrintStream err`。这些流用于程序与用户交互,以及程序之间的数据传递。Java的I/O流...
11. 安全管理器(SecurityManager):安全管理器是JVM用于控制其他代码执行的安全策略执行者,允许程序在执行过程中根据安全管理器的规则进行访问控制。 通过上述知识点,可以看出文件内容中所包含的Java内存分析...
- `System.setSecurityManager(SecurityManager sm)`: 设置安全管理器。 - `System.currentTimeMillis()`: 获取当前时间戳。 #### 三、字符串类 Java中提供了多种处理文本字符串的方式,主要包括: - **String*...
Exception in thread "main" java.security.AccessControlException: access denied (java.lang.reflect.ReflectPermission suppressAccessChecks) ``` 这表明当前运行环境中的安全策略不允许反射代码忽略访问检查...
Requirements: (Only JDK 11.0.X 64 bit (17 and 18 not contains a java.lang.SecurityManager class needed for sandboxing)), 64-bit OS mod by CXV Press Generate a Key in welcome window - fix all ...
* the environment in which the application is running. The current * runtime can be obtained from the <code>getRuntime</code> method. * * An application cannot create its own instance of this ...
10. **安全管理**:`java.security`包中的类和接口,如`SecurityManager`,展示了Java的安全模型和权限控制。 通过深入研究这些源码,开发者不仅可以提升自己的Java编程技巧,还能更好地理解Java平台的内部运作,为...
6. **JIT编译器**:Just-In-Time(JIT)编译器将频繁执行的热点字节码编译成本地机器码,提高执行效率。JVM中有两种JIT编译器,C1和C2,分别对应服务器和客户端模式。 7. **内存溢出与内存泄漏**:如果JVM无法分配...
5. **编译器与字节码**:Java的编译器将源代码转换为字节码,这部分源码解析有助于理解JIT(Just-In-Time)编译、优化过程,以及如何阅读和理解`.class`文件。 6. **IO/NIO**:Java的I/O系统提供了丰富的文件操作和...
* SecurityManager:限制 JavaScript 代码的安全权限。 * permission 机制:限制 JavaScript 代码的权限。 七、 Nashorn 的性能优化 Nashorn 提供了多种性能优化机制,包括: * Just-In-Time(JIT)编译器:提高 ...
System.out.println("User [" + token.getUsername() + "] logged in successfully."); } } } ``` 2. **基于Realm类的认证**: - 在实际应用中,用户名和密码通常不会直接写在INI文件中,而是存储在数据库中。...