How does the Security Manager work?
Created May 4, 2012
A: The Security Manager is the class that maintains the restrictions of the Java virtual machine sandbox. Simply put, it is a subclass of java.lang.SecurityManager that performs runtime permission checking of sensitive operations. Such operations include opening a network socket, reading or writing to the local hard drive, creating a new SecurityManager, performing network multicast, etc. The SecurityManager class has a multitude of boolean checking methods, which have the form public boolean checkXYZ([args...]);
All such security checking methods throw a SecurityException if the respective permission cannot be granted. Thus, all code that relies on sensitive method calls must be placed inside a try block. A code sample of a class that shows the SecurityManager and the use of the checkXYZ methods follows:
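package security;

import java.applet.Applet;
import java.awt.BorderLayout;
import java.awt.Dimension;
import java.awt.Frame;
import java.awt.TextArea;
import java.awt.Toolkit;
import java.awt.event.WindowAdapter;
import java.awt.event.WindowEvent;
import java.rmi.RMISecurityManager;

/**
 * The SecurityTester class shows the name of the System
 * SecurityManager class, and demonstrates the use of the
 * checkXXX methods.
 *
 * <p>Each checkXXX call only asks the installed SecurityManager whether an
 * operation would be permitted; it does not perform the operation. A denial
 * is reported by a thrown {@link SecurityException}, which is why every
 * probe below sits in its own try/catch.
 *
 * <p>Note: this listing targets applet-era JDKs. {@code RMISecurityManager}
 * has been deprecated since Java 8, {@code checkTopLevelWindow} was
 * deprecated and later removed from the JDK, and the Security Manager itself
 * has been deprecated for removal since Java 17 (JEP 411). Treat the class as
 * an illustration of the historical sandbox model, not as a current
 * isolation mechanism.
 *
 * @author Lennart Jörelid, jguru.com
 */
public class SecurityTester extends Applet {
    boolean isStandalone = false;
    private TextArea txta;

    // Guards init(): the constructor calls init(), and so does the applet
    // container (or main() below). Without the guard the GUI would be built
    // twice and the permission probes would run twice.
    private boolean initialized = false;

    /** Constructor, in case we need to run as an application. */
    public SecurityTester() {
        this.init();
    }

    /**
     * Builds the GUI and runs the SecurityManager probes once.
     * Subsequent calls are no-ops.
     */
    @Override
    public void init() {
        if (initialized) {
            return;
        }
        initialized = true;

        // Create all GUI objects
        this.txta = new TextArea();
        this.txta.setEditable(false);

        // Set Layout of this applet
        this.setLayout(new BorderLayout());

        // Add GUI objects
        this.add(BorderLayout.CENTER, this.txta);
        this.runTest();
    }

    /**
     * Queries the installed SecurityManager and logs the outcome of a few
     * checkXXX calls. Logs an explanation and returns early when no
     * SecurityManager is installed.
     */
    public void runTest() {
        // Clear the textarea
        txta.setText("");

        // Get the SecurityManager of this application.
        SecurityManager sm = System.getSecurityManager();

        // No SecurityManager installed means no permission checks are being
        // enforced at all for this JVM.
        if (sm == null) {
            this.log("System SecurityManager not set. [null]");
            this.log("");
            this.log("You are most likely running this class as an application.");
            this.log("Thus, no SecurityManager tests can be done.");
            return;
        }

        // This application has a set SecurityManager
        this.log("System SecurityManager == " + sm.getClass().getName());
        this.log("");

        // Run a few tests, just to see some effect of the SecurityManager
        this.log("Calling a few checkXXX methods:");

        // CONNECT permission
        try {
            sm.checkConnect("www.jguru.com", 80);
            this.log("checkConnect(\"www.jguru.com\", 80) := [OK]");
        } catch (SecurityException ex) {
            this.log("checkConnect(\"www.jguru.com\", 80) := [Failed]");
            this.log("" + ex);
        }

        // LISTEN permission
        try {
            sm.checkListen(8901);
            this.log("sm.checkListen(8901) := [OK]");
        } catch (SecurityException ex) {
            this.log("sm.checkListen(8901) := [Failed]");
            this.log("" + ex);
        }

        // TOPLEVELWINDOW permission
        try {
            Frame aFrame = new Frame(
                "This is a Frame produced by the SecurityTester class.");

            // Unlike the other checks, this one returns a boolean: false
            // means the window may be shown, but only with a warning.
            boolean result = sm.checkTopLevelWindow(aFrame);

            aFrame.addWindowListener(new WindowAdapter() {
                @Override
                public void windowClosing(WindowEvent ev) {
                    Frame theFrame = (Frame) ev.getSource();
                    theFrame.setVisible(false);
                    theFrame.dispose();
                }
            });
            aFrame.setSize(500, 200);
            aFrame.setVisible(true);

            if (result) {
                this.log("sm.checkTopLevelWindow(<aFrame>) := [OK]");
            } else {
                this.log("sm.checkTopLevelWindow(<aFrame>) := [OK; with warning]");
            }
        } catch (SecurityException ex) {
            this.log("sm.checkTopLevelWindow(<aFrame>) := [Failed completely]");
            this.log("" + ex);
        }
    }

    /**
     * Appends one message to the text area, on its own line.
     *
     * @param msg the text to show
     */
    public void log(String msg) {
        txta.append(msg + "\n");
    }

    /**
     * Main method, to be used in the case we decide to run as an application.
     *
     * @param args ignored
     */
    public static void main(String[] args) {
        // Install a SecurityManager so that the probes in runTest() have
        // something to query; without one, getSecurityManager() returns null.
        System.setSecurityManager(new RMISecurityManager());

        // Create the SecurityApplet
        SecurityTester applet = new SecurityTester();
        applet.isStandalone = true;

        // Create a frame, and add the applet inside
        Frame frame = new Frame();
        frame.setTitle("Security Applet Frame");
        frame.add(applet, BorderLayout.CENTER);
        frame.setSize(400, 320);

        // Launch the applet (a no-op here, since the constructor already
        // ran init()).
        applet.init();

        // Register a "Kill" listener
        frame.addWindowListener(new WindowAdapter() {
            @Override
            public void windowClosing(WindowEvent ev) {
                System.exit(0);
            }
        });

        // Center the frame on the screen, and show it.
        Dimension d = Toolkit.getDefaultToolkit().getScreenSize();
        frame.setLocation((d.width - frame.getSize().width) / 2,
                          (d.height - frame.getSize().height) / 2);
        frame.setVisible(true);
    }
}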
// Appletviewer
System SecurityManager == sun.applet.AppletSecurity

Calling a few checkXXX methods:
checkConnect("www.jguru.com", 80) := [Failed]
sun.applet.AppletSecurityException: checkconnect.networkhost1
sm.checkListen(8901) := [OK]
sm.checkTopLevelWindow(<aFrame>) := [OK; with warning]
// Internet Explorer 5
System SecurityManager == com.ms.security.StandardSecurityManager

Calling a few checkXXX methods:
checkConnect("www.jguru.com", 80) := [Failed]
com.ms.security.SecurityExceptionEx[security/SecurityTester.runTest]: cannot connect to "www.jguru.com"
sm.checkListen(8901) := [Failed]
com.ms.security.SecurityExceptionEx[security/SecurityTester.runTest]: cannot access 8901
sm.checkTopLevelWindow(<aFrame>) := [OK; with warning]
// Netscape 4.7
System SecurityManager == netscape.security.AppletSecurity

Calling a few checkXXX methods:
checkConnect("www.jguru.com", 80) := [Failed]
netscape.security.AppletSecurityException: security.Couldn't connect to 'www.jguru.com' with origin from 'egghead.jguru.se'.
sm.checkListen(8901) := [OK]
sm.checkTopLevelWindow(<aFrame>) := [OK; with warning]