How does the Security Manager work?

Lennart Jorelid

A: The Security Manager is the class maintaining the restrictions of the java virtual machine sandbox. Simply put, it is a subclass of java.lang.SecurityManager that performs runtime permission checking of sensitive operations. Such operations include opening a network socket, reading or writing to the local hard drive, creating a new SecurityManager, performing network multicast etc. The SecurityManager class has a multitude of boolean checking methods, which have the form public boolean checkXYZ([args...]);

All such security checking methods throws a SecurityException if the respective permissions could not be granted. Thus, all code that relies on sensitive method calls must be placed inside a try block. A code sample of a class that shows the SecurityManager and usage of the checkXYZ methods is:

package security;

import java.awt.*;
import java.awt.event.*;
import java.applet.*;
import java.rmi.RMISecurityManager;

/**
 * The SecurityTester class shows the name of the System
 * SecurityManager class, and demonstrates the use of the
 * checkXXX methods.
 *
 * @author Lennart Jörelid, jguru.com
 */
public class SecurityTester extends Applet
{
   boolean isStandalone = false;
   private TextArea txta;

   // Constructor, in case we need to run as an application
   public SecurityTester()
   {
       this.init();
   }

   // Init method, in case we need to run as an applet
   public void init()
   {
       // Create all GUI objects
       this.txta = new TextArea();
       this.txta.setEditable(false);

       // Set Layout of this applet
       this.setLayout(new BorderLayout());

       // Add GUI objects
       this.add(BorderLayout.CENTER, this.txta);
       this.runTest();
   }

   // Test the SecurityManager
   public void runTest()
   {
       // Clear the textarea
       txta.setText("");

       // Get the SecurityManager of this application.
       SecurityManager sm = System.getSecurityManager();

       // Printout status information on this SecurityManager
       if(sm == null)
       {
            this.log("System SecurityManager not set. [null]");
            this.log("");
            this.log("You are most likely running this class as an application.");
            this.log("Thus, no SecurityManager tests can be done.");
            return;
       }

       // This application has a set SecurityManager
       this.log("System SecurityManager == " + sm.getClass().getName());
       this.log("");

       // Run a few tests, just to see some effect of the SecurityManager
       this.log("Calling a few checkXXX methods:");

       // CONNECT permission
       try
       {
          sm.checkConnect("www.jguru.com", 80);
          this.log("checkConnect("www.jguru.com", 80) := [OK]");
       }
       catch(SecurityException ex)
       {
          this.log("checkConnect("www.jguru.com", 80) := [Failed]");
          this.log("" + ex);
       }

       // LISTEN permission
       try
       {
          sm.checkListen(8901);
          this.log("sm.checkListen(8901) := [OK]");
       }
       catch(SecurityException ex)
       {
          this.log("sm.checkListen(8901) := [Failed]");
          this.log("" + ex);
       }

       // TOPLEVELWINDOW permission
       try
       {
          Frame aFrame = new Frame(
            "This is a Frame produced by the SecurityTester class.");
          boolean result = sm.checkTopLevelWindow(aFrame);

          aFrame.addWindowListener(new WindowAdapter()
          {
             public void windowClosing(WindowEvent ev)
             {
                Frame theFrame = (Frame) ev.getSource();
                theFrame.setVisible(false);
                theFrame.dispose();
             }
          });
          aFrame.setSize(500, 200);
          aFrame.setVisible(true);

          if(result) this.log("sm.checkTopLevelWindow(<aFrame>) := [OK]");
          else this.log("sm.checkTopLevelWindow(<aFrame>) := [OK; with warning]");
       }
       catch(SecurityException ex)
       {
          this.log("sm.checkTopLevelWindow(<aFrame>) := [Failed completely]");
          this.log("" + ex);
       }
   }

   public void log(String msg)
   {
      txta.append(msg + "
");
   }

   // Main method, to be used in the case we decide
   // to run as an application
   public static void main(String[] args)
   {
       // Create a new SecurityManager
       System.setSecurityManager(new RMISecurityManager());

       // Create the SecurityApplet
       SecurityTester applet = new SecurityTester();
       applet.isStandalone = true;

       // Create a frame, and add the applet inside
       Frame frame = new Frame();
       frame.setTitle("Security Applet Frame");
       frame.add(applet, BorderLayout.CENTER);
       frame.setSize(400,320);

       // Launch the applet.
       applet.init();

       // Register a "Kill" listener
       frame.addWindowListener(new WindowAdapter()
       {
          public void windowClosing(WindowEvent ev)
          {
             System.exit(0);
          }
       });

       // Center the frame on the screen, and show it.
       Dimension d = Toolkit.getDefaultToolkit().getScreenSize();
       frame.setLocation((d.width - frame.getSize().width) / 2, 
         (d.height - frame.getSize().height) / 2);
       frame.setVisible(true);
   }
}

The results of running the compiled applet through a few browsers are:

// Appletviewer
    
System SecurityManager == sun.applet.AppletSecurity

Calling a few checkXXX methods:
checkConnect("www.jguru.com", 80) := [Failed]
sun.applet.AppletSecurityException: checkconnect.networkhost1
sm.checkListen(8901) := [OK]
sm.checkTopLevelWindow(<aFrame>) := [OK; with warning]

 

// Internet Explorer 5

System SecurityManager == com.ms.security.StandardSecurityManager

Calling a few checkXXX methods:
checkConnect("www.jguru.com", 80) := [Failed]
com.ms.security.SecurityExceptionEx[security/SecurityTester.runTest]: 
	cannot connect to "www.jguru.com"
sm.checkListen(8901) := [Failed]
com.ms.security.SecurityExceptionEx[security/SecurityTester.runTest]: 
	cannot access 8901
sm.checkTopLevelWindow(<aFrame>) := [OK; with warning]

 

// Netscape 4.7

System SecurityManager == netscape.security.AppletSecurity

Calling a few checkXXX methods:
checkConnect("www.jguru.com", 80) := [Failed]
netscape.security.AppletSecurityException: security.Couldn't connect 
	to 'www.jguru.com' with origin from 'egghead.jguru.se'.
sm.checkListen(8901) := [OK]
sm.checkTopLevelWindow(<aFrame>) := [OK; with warning]
Comment and Contribute

 

 

 

 

 


(Maximum characters: 1200). You have 1200 characters left.

 

 

About | Sitemap | Contact