MQP:Java Security
Contents
Overview
Java, since 1.2, has some interesting security features related to access permissions.
More work needs to be done on this page, so if somthing is missing, don't be surprised
Security Architecture Overview
There are many security features dealing with Java's class loaders and assuring that the code is from a trusted source that will not be discussed here. These features are not important to the scope of this project.
Java's security classes reside in the java.security package. The include:
- Permission (Abstract Class)
- Defines a type of permission
- PermissionCollection (Abstract Class)
- Contains a number of related Permission objects
- Permissions (Object Class)
- Contains a number of PermissionClass objects, sorted in a map by the Class of Permissions they contain
- ProtectionDomain (Object Class)
- Defines a group of classes that are protected with similar permissions
- Policy (Abstract Class)
- Defines the security policy (all permission grants) for the running application
- Contains a number of PermissionCollection objects sored in a map, keyed by their ProtectionDomain
- Determines if proper permissions are available for a given Permission based on its existence in the proper ProtectionDomain
- SecurityManager (Object Class)
- Provides permission resolution to the whole program
--Diagram Here--
Using Java Security
Activating the SecurityManager
Applications launched normally (using the java command) do not have security enabled - System.getSecurityManager() will return null, causing all permissions to simply be granted. To turn on the default SecurityManager:
java -Djava.security.manager [Main Class]
To specify your own SecurityManager:
java -Djava.security.manager=[SecurityManager Class] [Main Class]
or, to set it at runtime, use:
SecurityManager sm = new YourSecurityManagerClass(); System.setSecurityManager(sm);
Setting Policy
To set the policy file for the JVM:
java -Djava.security.manager -Djava.security.policy=[URL to policy file]
Using "==" in place of "=" will cause the JVM to ignore other policy files. (not sure what this means...)
References
- An architecture overview - http://articles.techrepublic.com.com/5100-10878_11-6177275.html
- Overview of objects in the security library - http://articles.techrepublic.com.com/5100-10878_11-6178805.html?tag=rbxccnbtr1
- Detailed documentation list - http://java.sun.com/javase/6/docs/technotes/guides/security/index.html
- Details of each of Java's packaged Permission classes - http://java.sun.com/j2se/1.4.2/docs/guide/security/permissions.html