What is the flow of veriyfing a particular opertion for a piece of code?

John Mitchell

I'm not sure what all facets of this problem you're intending to dive into but this entire area is covered by Chapter 6 of Li Gong's Inside Java 2 Platform Security. As he covers in about 70 pages of depth, the general steps are:

  • Get the .class file and run it through bytecode verification
  • Determine the code source and perform any necessary signing verification)
  • Based on the code source, consult the security policy, determine the set of permissions, create Policy object if necessary
  • Create a protection domain based on code source and permission set and then load the class and associate it with the protection domain
  • Allow the class to be instantiated into objects with all of the normal runtime checks
  • When a security check is invoked and any methods of the class are in the call chain then the access controller examines the protection domain and it's permission set to check the permission levels. If it's granted then execution is allowed to continue, otherwise throw an security exception