`
george.gu
  • 浏览: 73900 次
  • 性别: Icon_minigender_1
  • 来自: 北京
社区版块
存档分类
最新评论

SecurityManager in Java

 
阅读更多

Java Security Manager

Java SecurityManager javadoc:

 

 

/**
 * The security manager is a class that allows 
 * applications to implement a security policy. It allows an 
 * application to determine, before performing a possibly unsafe or 
 * sensitive operation, what the operation is and whether 
 * it is being attempted in a security context that allows the
 * operation to be performed. The 
 * application can allow or disallow the operation. 
 * <p>
 * The <code>SecurityManager</code> class contains many methods with 
 * names that begin with the word <code>check</code>. These methods 
 * are called by various methods in the Java libraries before those 
 * methods perform certain potentially sensitive operations. The 
 * invocation of such a <code>check</code> method typically looks like this: 
 * <p><blockquote><pre>
 *     SecurityManager security = System.getSecurityManager();
 *     if (security != null) {
 *         security.check<i>XXX</i>(argument, &nbsp;.&nbsp;.&nbsp;.&nbsp;);
 *     }
 * </pre></blockquote>
 * <p>
 * The security manager is thereby given an opportunity to prevent 
 * completion of the operation by throwing an exception. A security 
 * manager routine simply returns if the operation is permitted, but 
 * throws a <code>SecurityException</code> if the operation is not 
 * permitted. The only exception to this convention is 
 * <code>checkTopLevelWindow</code>, which returns a 
 * <code>boolean</code> value. 
 * <p>
 * The current security manager is set by the 
 * <code>setSecurityManager</code> method in class 
 * <code>System</code>. The current security manager is obtained 
 * by the <code>getSecurityManager</code> method. 
 * <p> 
 * The special method 
 * {@link SecurityManager#checkPermission(java.security.Permission)}
 * determines whether an access request indicated by a specified
 * permission should be granted or denied. The 
 * default implementation calls
 * 
 * <pre>
 *   AccessController.checkPermission(perm);
 * </pre>
 *
 * <p> 
 * If a requested access is allowed, 
 * <code>checkPermission</code> returns quietly. If denied, a 
 * <code>SecurityException</code> is thrown. 
 * <p>
 * As of Java 2 SDK v1.2, the default implementation of each of the other
 * <code>check</code> methods in <code>SecurityManager</code> is to 
 * call the <code>SecurityManager checkPermission</code> method
 * to determine if the calling thread has permission to perform the requested
 * operation.
 * <p> 
 * Note that the <code>checkPermission</code> method with
 * just a single permission argument always performs security checks
 * within the context of the currently executing thread.
 * Sometimes a security check that should be made within a given context
 * will actually need to be done from within a
 * <i>different</i> context (for example, from within a worker thread).
 * The {@link SecurityManager#getSecurityContext getSecurityContext} method 
 * and the {@link SecurityManager#checkPermission(java.security.Permission, 
 * java.lang.Object) checkPermission}
 * method that includes a context argument are provided 
 * for this situation. The 
 * <code>getSecurityContext</code> method returns a "snapshot"
 * of the current calling context. (The default implementation 
 * returns an AccessControlContext object.) A sample call is
 * the following:
 * 
 * <pre>
 *   Object context = null;
 *   SecurityManager sm = System.getSecurityManager();
 *   if (sm != null) context = sm.getSecurityContext(); 
 * </pre>
 * 
 * <p>
 * The <code>checkPermission</code> method
 * that takes a context object in addition to a permission 
 * makes access decisions based on that context,
 * rather than on that of the current execution thread.
 * Code within a different context can thus call that method,
 * passing the permission and the
 * previously-saved context object. A sample call, using the
 * SecurityManager <code>sm</code> obtained as in the previous example, 
 * is the following:
 * 
 * <pre>
 *   if (sm != null) sm.checkPermission(permission, context);
 * </pre> 
 *
 * <p>Permissions fall into these categories: File, Socket, Net, 
 * Security, Runtime, Property, AWT, Reflect, and Serializable. 
 * The classes managing these various
 * permission categories are <code>java.io.FilePermission</code>,
 * <code>java.net.SocketPermission</code>, 
 * <code>java.net.NetPermission</code>, 
 * <code>java.security.SecurityPermission</code>,
 * <code>java.lang.RuntimePermission</code>, 
 * <code>java.util.PropertyPermission</code>, 
 * <code>java.awt.AWTPermission</code>,
 * <code>java.lang.reflect.ReflectPermission</code>, and
 * <code>java.io.SerializablePermission</code>. 
 * 
 * <p>All but the first two (FilePermission and SocketPermission) are 
 * subclasses of <code>java.security.BasicPermission</code>, which itself 
 * is an abstract subclass of the
 * top-level class for permissions, which is 
 * <code>java.security.Permission</code>. BasicPermission defines the 
 * functionality needed for all permissions that contain a name 
 * that follows the hierarchical property naming convention 
 * (for example, "exitVM", "setFactory", "queuePrintJob", etc). 
 * An asterisk 
 * may appear at the end of the name, following a ".", or by itself, to 
 * signify a wildcard match. For example: "a.*" or "*" is valid, 
 * "*a" or "a*b" is not valid.
 *
 * <p>FilePermission and SocketPermission are subclasses of the
 * top-level class for permissions 
 * (<code>java.security.Permission</code>). Classes like these
 * that have a more complicated name syntax than that used by
 * BasicPermission subclass directly from Permission rather than from
 * BasicPermission. For example, 
 * for a <code>java.io.FilePermission</code> object, the permission name is
 * the path name of a file (or directory).
 *
 * <p>Some of the permission classes have an "actions" list that tells 
 * the actions that are permitted for the object.  For example, 
 * for a <code>java.io.FilePermission</code> object, the actions list
 * (such as "read, write") specifies which actions are granted for the
 * specified file (or for files in the specified directory).
 * 
 * <p>Other permission classes are for "named" permissions - 
 * ones that contain a name but no actions list; you either have the
 * named permission or you don't.
 * 
 * <p>Note: There is also a <code>java.security.AllPermission</code>
 * permission that implies all permissions. It exists to simplify the work
 * of system administrators who might need to perform multiple
 * tasks that require all (or numerous) permissions.
 * <p>
 * See <a href ="../../../technotes/guides/security/permissions.html">
 * Permissions in the JDK</a> for permission-related information.
 * This document includes, for example, a table listing the various SecurityManager
 * <code>check</code> methods and the permission(s) the default 
 * implementation of each such method requires. 
 * It also contains a table of all the version 1.2 methods
 * that require permissions, and for each such method tells 
 * which permission it requires.
 * <p>
 * For more information about <code>SecurityManager</code> changes made in 
 * the JDK and advice regarding porting of 1.1-style security managers,
 * see the <a href="../../../technotes/guides/security/index.html">security documentation</a>.
 *
 * @author  Arthur van Hoff
 * @author  Roland Schemers
 *
 * @version %I%, %G%
 * @see     java.lang.ClassLoader
 * @see     java.lang.SecurityException
 * @see     java.lang.SecurityManager#checkTopLevelWindow(java.lang.Object)
 *  checkTopLevelWindow
 * @see     java.lang.System#getSecurityManager() getSecurityManager
 * @see     java.lang.System#setSecurityManager(java.lang.SecurityManager)
 *  setSecurityManager
 * @see     java.security.AccessController AccessController
 * @see     java.security.AccessControlContext AccessControlContext
 * @see     java.security.AccessControlException AccessControlException
 * @see     java.security.Permission 
 * @see     java.security.BasicPermission
 * @see     java.io.FilePermission
 * @see     java.net.SocketPermission
 * @see     java.util.PropertyPermission
 * @see     java.lang.RuntimePermission
 * @see     java.awt.AWTPermission
 * @see     java.security.Policy Policy
 * @see     java.security.SecurityPermission SecurityPermission
 * @see     java.security.ProtectionDomain
 *
 * @since   JDK1.0
 */

 

 

Grant the Required Permissions

Here is a sample of java policy file:

 

/** Java 2 Access Control Policy for the JAAS Sample Application **/

/* grant the sample LoginModule permissions */
grant codebase "file:./SampleLM.jar" {
    permission javax.security.auth.AuthPermission "modifyPrincipals";
};

grant codebase "file:./SampleAcn.jar" {

   permission javax.security.auth.AuthPermission "createLoginContext.Sample";
};
 

 

 

Default Policy Implementation and Policy File Syntax

 

Please refer to java doc: Default Policy Implementation and Policy File Syntax.

 

Permissions in the Java

Please refer to java doc: Permissions in the JavaTM 2 SDK.

分享到:
评论

相关推荐

    Jaas in Action (java 安全)

    6. **安全管理**:JAAS提供了安全管理器(SecurityManager),它监控并控制Java应用程序的行为,确保只有被授权的操作才能被执行。 在实际开发中,理解JAAS的工作原理和配置方式至关重要。例如,开发者需要知道如何...

    JAVA入门.docx

    * 高性能:Java 的确是高性能的,事实上,Java 的运行速度随着 JIT(Just-In-Time)编译器技术的发展越来越接近于 C++。 * 多线程性:在 Java 语言中,线程是一种特殊的对象,它必须由 Thread 类或其子(孙)类来...

    w3school java & java web教程 飞龙整理 20141001

    现代Java引入了JIT(Just-In-Time)编译器,使得性能接近于编译型语言。 - **多线程**:Java内建了对多线程的支持,允许并发执行多个任务。通过Thread类或实现Runnable接口可以创建线程,同时提供同步机制(如`...

    Java实习报告.pdf

    JIT(Just-In-Time)编译器是Java运行时环境的一部分,它可以在运行时将Java字节码转换为本地机器码,以提高程序的运行效率。 最后,报告中提到了AWT事件处理模型,这是Java GUI编程中处理用户输入的方式之一。通过...

    java内核分析.pdf

    Java的安全模型由`SecurityManager`抽象类来实现,它允许开发者定义并实施各种安全策略。`SecurityManager`包含多个`check`方法,用于检查特定操作是否被允许,比如访问网络、读写文件或创建线程。`System....

    java.lang研究

    `System`类提供了系统级的服务,如标准输入、输出流,以及全局变量`out`、`err`和`in`。 `Thread`类是多线程编程的基础,它定义了线程的行为和生命周期。`ThreadGroup`用于管理一组线程,而`ThreadLocal`提供线程...

    重难点之java内核分析.pdf

    1. **I/O流**:Java中的I/O流是数据传输的基础,包括标准输入流`InputStream in`、标准输出流`PrintStream out`和标准错误输出流`PrintStream err`。这些流用于程序与用户交互,以及程序之间的数据传递。Java的I/O流...

    java内存分析.pdf

    11. 安全管理器(SecurityManager):安全管理器是JVM用于控制其他代码执行的安全策略执行者,允许程序在执行过程中根据安全管理器的规则进行访问控制。 通过上述知识点,可以看出文件内容中所包含的Java内存分析...

    高手总结java常用API(免费下载)

    - `System.setSecurityManager(SecurityManager sm)`: 设置安全管理器。 - `System.currentTimeMillis()`: 获取当前时间戳。 #### 三、字符串类 Java中提供了多种处理文本字符串的方式,主要包括: - **String*...

    setAccessible()方法是否破坏了Java的访问规则

    Exception in thread "main" java.security.AccessControlException: access denied (java.lang.reflect.ReflectPermission suppressAccessChecks) ``` 这表明当前运行环境中的安全策略不允许反射代码忽略访问检查...

    JEB Decompiler 4.32.0.202306131555

    Requirements: (Only JDK 11.0.X 64 bit (17 and 18 not contains a java.lang.SecurityManager class needed for sandboxing)), 64-bit OS mod by CXV Press Generate a Key in welcome window - fix all ...

    09 Runtime

    * the environment in which the application is running. The current * runtime can be obtained from the &lt;code&gt;getRuntime&lt;/code&gt; method. * * An application cannot create its own instance of this ...

    jdk1.8 sun源码

    10. **安全管理**:`java.security`包中的类和接口,如`SecurityManager`,展示了Java的安全模型和权限控制。 通过深入研究这些源码,开发者不仅可以提升自己的Java编程技巧,还能更好地理解Java平台的内部运作,为...

    JVM.zip

    6. **JIT编译器**:Just-In-Time(JIT)编译器将频繁执行的热点字节码编译成本地机器码,提高执行效率。JVM中有两种JIT编译器,C1和C2,分别对应服务器和客户端模式。 7. **内存溢出与内存泄漏**:如果JVM无法分配...

    javajdk源码学习-JavaSourceLearn:Jdk源码学习

    5. **编译器与字节码**:Java的编译器将源代码转换为字节码,这部分源码解析有助于理解JIT(Just-In-Time)编译、优化过程,以及如何阅读和理解`.class`文件。 6. **IO/NIO**:Java的I/O系统提供了丰富的文件操作和...

    JDK12-nashorn-users-guide.pdf

    * SecurityManager:限制 JavaScript 代码的安全权限。 * permission 机制:限制 JavaScript 代码的权限。 七、 Nashorn 的性能优化 Nashorn 提供了多种性能优化机制,包括: * Just-In-Time(JIT)编译器:提高 ...

    shiro安全框架-详细介绍

    System.out.println("User [" + token.getUsername() + "] logged in successfully."); } } } ``` 2. **基于Realm类的认证**: - 在实际应用中,用户名和密码通常不会直接写在INI文件中,而是存储在数据库中。...

Global site tag (gtag.js) - Google Analytics