Java security manager-SecurityManager

Source: Internet
Author: User


In general, Java security covers two aspects: the security of the Java platform itself (that is, the Java Runtime Environment) and the security of applications developed in Java. Because we are not developers of the Java language, we do not need to consider the first. The second is our key consideration. Generally, we can improve it through the security manager mechanism. The security manager is the component that enforces security and can be extended; it provides security measures for applications. By configuring security policy files, you can restrict access to networks, local files, and other parts of the program.

Java provides a security management mechanism, the security manager, at the application layer. Every Java application can have its own security manager. During the running phase it checks access permissions for the resources to be protected and for other prescribed operations, and it protects the system from malicious operations in order to enforce the system's security policy.

Figure 3-1-5-1 shows the working mechanism of the security manager. When a Java program runs, the security manager assigns permissions to different modules of the program according to the policy described in the policy file. Assume that the application is divided into three parts, each with different permissions: the first part has permission to read a file, the second part has permission to read a file and memory at the same time, and the third part has permission to listen on a socket. Through this mechanism, the operation permissions of each part of the program can be well controlled, which gives us security management policies at the application layer.

Figure 3-1-5-2 shows how the security manager manages file operations. When an application wants to read a local file, the SecurityManager intercepts the operation before the file is read and checks whether the caller has permission to read the file. If so, the file is read normally. Otherwise, an access exception is thrown. The SecurityManager class provides many methods for checking permissions. For example, the checkPermission method checks whether an operation is permitted based on the permissions described in the security policy file, and the checkRead method is used to determine the object access permission. If the permission is not held, a security exception is thrown.

Figure 3-1-5-1 Security Management Mechanism

Figure 3-1-5-2 Checking Operation Permissions

Generally, the security manager is not automatically started when the Java program is started. You can start the security manager in either of the following ways:

① Implicitly. The simplest way to start the default security manager is to add the -Djava.security.manager parameter directly to the startup command.

② Explicitly. Instantiate a java.lang.SecurityManager, or an object of a subclass that inherits from it, and then set and start the security manager through System.setSecurityManager.

When you start the security manager, you can use the -Djava.security.policy option to specify the security policy file. If no path is specified for the policy file, the security manager uses the default security policy file, java.policy, located in the %JAVA_HOME%/jre/lib/security directory. Note that = means this policy file works together with the default policy file, while == means only this policy file is used. The policy file contains multiple grant statements. Each grant statement describes which operation permissions certain code has. When the security manager is started, a Policy object is generated from the policy file. At any time, an application can have only one Policy object.

How can you implement your own security manager and configure permissions? The following describes the implementation through a simple example. There are generally two steps: ① create a SecurityManager subclass and override methods as needed; ② configure the policy file according to the permissions the application code requires. If you use the default security manager, skip the first step. The following example shows how to use the security manager:

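    import java.io.FileInputStream;
    import java.io.FileNotFoundException;

    public class SecurityManagerTest {
        public static void main(String[] args) throws FileNotFoundException {
            // Prints null unless a security manager has been started
            System.out.println("SecurityManager: " + System.getSecurityManager());
            // Needs FilePermission "read" on this file when a manager is active
            FileInputStream fis = new FileInputStream("c:\\protect.txt");
            // Needs PropertyPermission "read" on file.encoding when a manager is active
            System.out.println(System.getProperty("file.encoding"));
        }
    }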

Run the program in the following situations:

(1) Without a security manager, SecurityManager prints as null, and the program reads the protect.txt file and the file.encoding property.

(2) Add the launch parameters -Djava.security.manager -Djava.security.policy=c:/protect.policy. The two parameters start the default security manager and specify the path of the policy configuration file, respectively. This time SecurityManager is printed as not null, but protect.policy does not contain any authorization yet, so an AccessControlException is thrown when the file is read.

(3) Add the following authorization statement to the protect.policy file:

    grant {
        permission java.io.FilePermission "c:/protect.txt", "read";
    };

The specified SecurityManager is empty and has the permission to read the protect.txt file. However, an AccessControlException will still be thrown because there is no permission to read the file.encoding property.

(4) Change the protect.policy authorization statement to the following:

    grant {
        permission java.io.FilePermission "c:/protect.txt", "read";
        permission java.util.PropertyPermission "file.encoding", "read";
    };

This time, you have the permission to read files and read system attributes. The program runs normally and no security exception is thrown.

The situations above give a clear picture of how the security manager is used: simple configuration of the policy file is enough to achieve application security management. Java's Permission class is used to define permissions. Java itself includes a number of Permission classes, as shown below:

    Permission class                        Description
    java.security.AllPermission             Set of all permissions
    java.util.PropertyPermission            System/environment attribute permissions
    java.lang.RuntimePermission             Runtime permission
    java.net.SocketPermission               Socket permission
    java.io.FilePermission                  File permissions, including read/write, delete, and execute
    java.io.SerializablePermission          Serialization permission
    java.lang.reflect.ReflectPermission     Reflection permission
    java.security.UnresolvedPermission      Unresolved permissions
    java.net.NetPermission                  Network permissions
    java.awt.AWTPermission                  AWT permission
    java.sql.SQLPermission                  Database SQL permissions
    java.security.SecurityPermission        Security control permissions
    java.util.logging.LoggingPermission     Log control permission
    javax.net.ssl.SSLPermission             Security connection permission
    javax.security.auth.AuthPermission      Authentication permission
    javax.sound.sampled.AudioPermission     Access permissions for audio system resources
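Step ① from earlier (creating a SecurityManager subclass) together with the explicit System.setSecurityManager start, shown as an added example that is not code from the original article. GuardFileSecurityManager and the temporary file are hypothetical names constructed for this illustration; it assumes a JDK that still supports the Security Manager (Java 17 or earlier, or Java 18 to 23 started with -Djava.security.manager=allow).

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.FilePermission;
import java.io.IOException;
import java.security.Permission;

public class CustomSecurityManagerDemo {

    // Hypothetical subclass for this example: blocks reads of one file and
    // blocks replacing the manager; every other operation is allowed.
    static class GuardFileSecurityManager extends SecurityManager {
        private final FilePermission guarded;

        GuardFileSecurityManager(String path) {
            guarded = new FilePermission(path, "read");
        }

        @Override
        public void checkPermission(Permission perm) {
            // checkRead(String) funnels into this method with a FilePermission.
            if (guarded.implies(perm)) {
                throw new SecurityException("read denied: " + perm.getName());
            }
            // Without this, any code could uninstall the manager again.
            if (perm instanceof RuntimePermission
                    && "setSecurityManager".equals(perm.getName())) {
                throw new SecurityException("security manager is locked");
            }
        }
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample file standing in for c:\protect.txt.
        File secret = File.createTempFile("protect", ".txt");
        secret.deleteOnExit();

        System.setSecurityManager(new GuardFileSecurityManager(secret.getAbsolutePath()));
        System.out.println("SecurityManager: " + System.getSecurityManager());

        try (FileInputStream fis = new FileInputStream(secret)) {
            System.out.println("unexpected: file was readable");
        } catch (SecurityException e) {
            System.out.println("blocked: " + e.getMessage());
        }
        // Not covered by the subclass, so this property read succeeds.
        System.out.println(System.getProperty("file.encoding"));
    }
}
```

Because this subclass overrides checkPermission without calling super, the policy file is not consulted at all; a subclass that should add checks on top of the configured policy calls super.checkPermission(perm) as well.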
