As a language born with the rise of the Internet, Java has had security built into its design from the outset: how to ensure that a Java program downloaded from the Internet is safe to run locally, and how to grant such a program only limited, controlled access to local resources. These two concerns shaped the design and implementation of the Java language from the beginning, and Java's exploration and experience in this area have had a positive influence on later languages and products.
This article introduces the security model in Java and shows how to use its access control mechanism to achieve some specific goals.
Security model in Java
In Java, executing code is divided into two kinds: local and remote. Local code is trusted by default and may access all local resources; remote code is considered untrusted. In early Java implementations, the security of untrusted remote code relied on the sandbox mechanism: Java code is confined to a specific operating scope inside the Java Virtual Machine (JVM), and its access to local system resources is strictly restricted, so that remote code is effectively isolated and cannot damage the local system. This is shown in Figure 1.
Figure 1. JDK 1.0 security model
Such a strict mechanism, however, also obstructs extending a program's functionality, for example when a user wants remote code to access files on the local system. Java 1.1 therefore improved the security mechanism by introducing signed code: remote code carrying a verified digital signature from a signer the user trusts is treated like local code and allowed access to local resources, so that the user can specify which code is trusted. This is shown in Figure 2.
Figure 2. JDK 1.1 security model
Java 1.2 improved the security mechanism again by introducing fine-grained, policy-based access control. Regardless of whether code is local or remote, the class loader loads it, according to the user's security policy settings (which can be conditioned on where the code came from and who signed it), into a space within the virtual machine that holds a particular set of permissions, thereby implementing differentiated control of code execution rights. This is shown in Figure 3.
Figure 3. JDK 1.2 security model
The current implementation of the security mechanism introduces the concept of domains. The virtual machine loads all code into either the system domain or one of several application domains. The system domain alone is responsible for interacting with critical resources, while each application domain accesses the resources it needs through agents provided by the system domain. Different protection domains in the virtual machine correspond to different sets of permissions, and a class file that belongs to a domain holds all the permissions of that domain. This is shown in Figure 4.
Figure 4. Latest security model
All of the above are the basic concepts of the Java security model. Application development also involves some more complex uses of security, of which the most commonly used API is doPrivileged. The doPrivileged method lets trusted code obtain greater permissions, even more than the application that invokes it, so that it can temporarily access more resources. This is sometimes necessary to handle special application scenarios: an application may not be allowed direct access to certain system resources, yet it needs those resources to complete its function. For this case, the Java SDK provides the doPrivileged method (AccessController.doPrivileged) for a domain, which lets the program break through the permission restrictions of the current domain and temporarily expand its access rights. The reason it is needed is that when a permission is checked, every protection domain on the current call stack must hold that permission, so code cannot gain rights merely by calling into a more privileged class; doPrivileged marks the calling frame as privileged, so the check stops at that frame and the less privileged callers earlier in the stack are not considered. Because this exposes the trusted code's rights to whoever calls it, the privileged block should be kept as small as possible and must not act on unvalidated input supplied by the caller. The following sections explain the use of these security-related methods in detail.
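The following program is an added example, not code from the original article, that shows the protection-domain and doPrivileged behaviour described above. It builds a protection domain holding a single permission, runs code under that domain with the two-argument form of AccessController.doPrivileged (the intersection of the caller's and the sandbox's rights), and then shows that a trusted helper can escape the restriction only by calling doPrivileged itself. All class and method names (DoPrivilegedDemo, TrustedConfig, NaiveConfig, readProperty, runSandboxed) are hypothetical. Two assumptions are made: the permission check is performed explicitly with AccessController.checkPermission, because System.getProperty only checks when a SecurityManager is installed, and the application's own domain is granted everything through a permissive Policy installed in main, which stands in for the policy file a real deployment would supply. It needs a JDK whose security-manager APIs still function (JDK 8 to 17 as-is, 18 to 23 with deprecation warnings); JDK 24 permanently disables them (JEP 486).

```java
import java.security.AccessControlContext;
import java.security.AccessControlException;
import java.security.AccessController;
import java.security.CodeSource;
import java.security.Permission;
import java.security.Permissions;
import java.security.Policy;
import java.security.PrivilegedAction;
import java.security.ProtectionDomain;
import java.security.cert.Certificate;
import java.util.Arrays;
import java.util.HashSet;
import java.util.PropertyPermission;
import java.util.Set;

/*
 * Added example, not code from the original article. All names are hypothetical.
 * Requires a JDK in which the security-manager APIs still work (8..17 as-is,
 * 18..23 with deprecation warnings; permanently disabled in JDK 24 by JEP 486).
 */
public class DoPrivilegedDemo {

    /* A permission-checked read. System.getProperty only checks when a
     * SecurityManager is installed, so the check is made explicitly here;
     * AccessController walks the call stack whether or not a SecurityManager exists. */
    static String readProperty(String key) {
        AccessController.checkPermission(new PropertyPermission(key, "read"));
        return System.getProperty(key);
    }

    /* A helper that merely forwards the call: the sandboxed caller is still on
     * the stack, so its domain is still checked and the read is still denied. */
    static final class NaiveConfig {
        static String read(String key) { return readProperty(key); }
    }

    /* The trusted helper: doPrivileged stops the stack walk at this frame, so
     * only TrustedConfig's own domain (and the frames it calls) is checked.
     * The allow-list is what keeps this from becoming a read-any-property oracle. */
    static final class TrustedConfig {
        private static final Set<String> EXPOSED =
            new HashSet<>(Arrays.asList("user.name", "java.version"));

        static String read(String key) {
            if (!EXPOSED.contains(key)) {
                throw new SecurityException("TrustedConfig does not expose " + key);
            }
            return AccessController.doPrivileged(
                (PrivilegedAction<String>) () -> readProperty(key));
        }
    }

    /* A protection domain holding exactly one permission. The two-argument
     * constructor makes the domain static: the Policy is not consulted for it. */
    static AccessControlContext sandbox() {
        Permissions perms = new Permissions();
        perms.add(new PropertyPermission("java.version", "read"));
        ProtectionDomain pd = new ProtectionDomain(
            new CodeSource(null, (Certificate[]) null), perms);
        return new AccessControlContext(new ProtectionDomain[] { pd });
    }

    /* Run action with the sandbox domain added to the domains being checked:
     * the effective rights are the intersection of the caller's and the sandbox's. */
    static <T> T runSandboxed(PrivilegedAction<T> action) {
        return AccessController.doPrivileged(action, sandbox());
    }

    public static void main(String[] args) {
        // Stand-in for a real policy file: grant the application's own (dynamic)
        // domain everything, so that only the sandbox domain restricts anything.
        // In a deployment this comes from -Djava.security.policy=<file> instead.
        Policy.setPolicy(new Policy() {
            @Override public boolean implies(ProtectionDomain d, Permission p) { return true; }
        });

        System.out.println("1 permitted key in sandbox : "
            + runSandboxed(() -> readProperty("java.version")));

        try {
            runSandboxed(() -> readProperty("user.name"));
        } catch (AccessControlException e) {
            System.out.println("2 denied in sandbox        : " + e.getPermission());
        }

        try {
            runSandboxed(() -> NaiveConfig.read("user.name"));
        } catch (AccessControlException e) {
            System.out.println("3 denied via naive helper  : " + e.getPermission());
        }

        System.out.println("4 allowed via doPrivileged : "
            + runSandboxed(() -> TrustedConfig.read("user.name")));

        try {
            runSandboxed(() -> TrustedConfig.read("java.home"));
        } catch (SecurityException e) {
            System.out.println("5 refused by allow-list    : " + e.getMessage());
        }
    }
}
```

Compile and run with `javac DoPrivilegedDemo.java && java DoPrivilegedDemo` on a JDK 8 to 17. Cases 2 and 3 fail for the same reason: the sandbox domain is on the stack in both, and a helper that simply forwards the call does not change that. Case 4 succeeds only because TrustedConfig calls doPrivileged; case 5 shows the check that must accompany every such call, since a privileged block that accepts an arbitrary key from its caller would hand the caller every property the trusted code can read.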