How does the Security Manager work?

Created May 4, 2012

Lennart Jorelid

A: The Security Manager is the class maintaining the restrictions of the java virtual machine sandbox. Simply put, it is a subclass of java.lang.SecurityManager that performs runtime permission checking of sensitive operations. Such operations include opening a network socket, reading or writing to the local hard drive, creating a new SecurityManager, performing network multicast etc. The SecurityManager class has a multitude of boolean checking methods, which have the form public boolean checkXYZ([args...]);

All such security checking methods throws a SecurityException if the respective permissions could not be granted. Thus, all code that relies on sensitive method calls must be placed inside a try block. A code sample of a class that shows the SecurityManager and usage of the checkXYZ methods is:

package security; import java.awt.*; import java.awt.event.*; import java.applet.*; import java.rmi.RMISecurityManager; /** * The SecurityTester class shows the name of the System * SecurityManager class, and demonstrates the use of the * checkXXX methods. * * @author Lennart Jörelid, jguru.com */ public class SecurityTester extends Applet { boolean isStandalone = false; private TextArea txta; // Constructor, in case we need to run as an application public SecurityTester() { this.init(); } // Init method, in case we need to run as an applet public void init() { // Create all GUI objects this.txta = new TextArea(); this.txta.setEditable(false); // Set Layout of this applet this.setLayout(new BorderLayout()); // Add GUI objects this.add(BorderLayout.CENTER, this.txta); this.runTest(); } // Test the SecurityManager public void runTest() { // Clear the textarea txta.setText(""); // Get the SecurityManager of this application. SecurityManager sm = System.getSecurityManager(); // Printout status information on this SecurityManager if(sm == null) { this.log("System SecurityManager not set. [null]"); this.log(""); this.log("You are most likely running this class as an application."); this.log("Thus, no SecurityManager tests can be done."); return; } // This application has a set SecurityManager this.log("System SecurityManager == " + sm.getClass().getName()); this.log(""); // Run a few tests, just to see some effect of the SecurityManager this.log("Calling a few checkXXX methods:"); // CONNECT permission try { sm.checkConnect("www.jguru.com", 80); this.log("checkConnect("www.jguru.com", 80) := [OK]"); } catch(SecurityException ex) { this.log("checkConnect("www.jguru.com", 80) := [Failed]"); this.log("" + ex); } // LISTEN permission try { sm.checkListen(8901); this.log("sm.checkListen(8901) := [OK]"); } catch(SecurityException ex) { this.log("sm.checkListen(8901) := [Failed]"); this.log("" + ex); } // TOPLEVELWINDOW permission try { Frame aFrame = new Frame( "This is a Frame produced by the SecurityTester class."); boolean result = sm.checkTopLevelWindow(aFrame); aFrame.addWindowListener(new WindowAdapter() { public void windowClosing(WindowEvent ev) { Frame theFrame = (Frame) ev.getSource(); theFrame.setVisible(false); theFrame.dispose(); } }); aFrame.setSize(500, 200); aFrame.setVisible(true); if(result) this.log("sm.checkTopLevelWindow(<aFrame>) := [OK]"); else this.log("sm.checkTopLevelWindow(<aFrame>) := [OK; with warning]"); } catch(SecurityException ex) { this.log("sm.checkTopLevelWindow(<aFrame>) := [Failed completely]"); this.log("" + ex); } } public void log(String msg) { txta.append(msg + " "); } // Main method, to be used in the case we decide // to run as an application public static void main(String[] args) { // Create a new SecurityManager System.setSecurityManager(new RMISecurityManager()); // Create the SecurityApplet SecurityTester applet = new SecurityTester(); applet.isStandalone = true; // Create a frame, and add the applet inside Frame frame = new Frame(); frame.setTitle("Security Applet Frame"); frame.add(applet, BorderLayout.CENTER); frame.setSize(400,320); // Launch the applet. applet.init(); // Register a "Kill" listener frame.addWindowListener(new WindowAdapter() { public void windowClosing(WindowEvent ev) { System.exit(0); } }); // Center the frame on the screen, and show it. Dimension d = Toolkit.getDefaultToolkit().getScreenSize(); frame.setLocation((d.width - frame.getSize().width) / 2, (d.height - frame.getSize().height) / 2); frame.setVisible(true); } }

The results of running the compiled applet through a few browsers are:

// Appletviewer System SecurityManager == sun.applet.AppletSecurity Calling a few checkXXX methods: checkConnect("www.jguru.com", 80) := [Failed] sun.applet.AppletSecurityException: checkconnect.networkhost1 sm.checkListen(8901) := [OK] sm.checkTopLevelWindow(<aFrame>) := [OK; with warning]

// Internet Explorer 5 System SecurityManager == com.ms.security.StandardSecurityManager Calling a few checkXXX methods: checkConnect("www.jguru.com", 80) := [Failed] com.ms.security.SecurityExceptionEx[security/SecurityTester.runTest]: cannot connect to "www.jguru.com" sm.checkListen(8901) := [Failed] com.ms.security.SecurityExceptionEx[security/SecurityTester.runTest]: cannot access 8901 sm.checkTopLevelWindow(<aFrame>) := [OK; with warning]

// Netscape 4.7 System SecurityManager == netscape.security.AppletSecurity Calling a few checkXXX methods: checkConnect("www.jguru.com", 80) := [Failed] netscape.security.AppletSecurityException: security.Couldn't connect to 'www.jguru.com' with origin from 'egghead.jguru.se'. sm.checkListen(8901) := [OK] sm.checkTopLevelWindow(<aFrame>) := [OK; with warning]

Post a comment

Email Article

Print Article

Most Popular jGuru Stories

Editor's Picks

Most Popular

The Java Game Development Tutorial

Files and Directories in Java

Load Testing your Applications with Apache JMeter

Unit Testing Java Programs

Using SOAP with Java