Java policy file permission

The AccessController class provides fine-grained access control, a main feature of the new Java security model starting with Java 1.

SecurityManager is still present in Java for backward compatibility; access control is now managed by the AccessController class, which is why implementing your own SecurityManager is not recommended in Java 2. For example, you can implement the SecurityManager. Here's how the corresponding method SecurityManager. The AccessController class makes access decisions with its checkPermission method, lets code that must run with its own privileges do so through the doPrivileged method, and returns a reference to the current access control context through the getContext method.

The AccessControlContext class encapsulates all the information about access parameters in the application. It can contain one or more ProtectionDomain objects, each holding the access rights that apply to a particular body of code. For that purpose the ProtectionDomain class uses two other classes: PermissionCollection, which stores a set of rights, and CodeSource, which records the code location as a URL. It can also keep signer information (the signedBy part), which in turn holds an array of Certificate objects.

The code received from the same source and signed by the same people i.e. The checkPermission method of an AccessControlContext object checks the access rights of the ProtectionDomain objects set for the current context. The doPrivileged method can be used for actions that require privileges to run. If doPrivileged is used, a simplified decision-making procedure is applied.

It is assumed that the calling protection domain has the permission required for the privileged operation. Usually, when working with doPrivileged, a PrivilegedAction is used, whose run method does not throw any exception.

The second parameter of the doPrivileged method is an AccessControlContext object, which identifies the context that must be used to limit access. AccessController provides the getContext method for obtaining and using the current context.
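As an added illustration of the doPrivileged variant that takes an AccessControlContext (this program is not from the original text), the code below shows that the second argument restricts rather than extends privileges: the same permission check passes from the caller's own protection domain and fails once an empty protection domain is added to the context. It assumes a JDK before 24, where Policy and AccessController are still functional; the permissive Policy subclass and the file name are constructed for the demo.

```java
import java.io.FilePermission;
import java.security.AccessControlContext;
import java.security.AccessControlException;
import java.security.AccessController;
import java.security.Permission;
import java.security.Permissions;
import java.security.Policy;
import java.security.PrivilegedAction;
import java.security.ProtectionDomain;

public class RestrictedContextDemo {

    // Hypothetical policy for the demo: grants everything to every protection
    // domain that consults the Policy (such as the dynamic domain the application
    // class loader assigns to this class). It stands in for a policy file here.
    static final Policy ALLOW_ALL = new Policy() {
        @Override
        public boolean implies(ProtectionDomain pd, Permission p) {
            return true;
        }
    };

    // The guarded operation: the explicit check a library performs before
    // touching a resource. Returns true when the check passes.
    static boolean tryRead(String path) {
        try {
            AccessController.checkPermission(new FilePermission(path, "read"));
            return true;
        } catch (AccessControlException e) {
            return false;
        }
    }

    // Same operation, run inside doPrivileged with a restricting context.
    static boolean tryReadRestricted(String path) {
        // A static protection domain (two-argument constructor): its permission
        // collection is fixed and the Policy is NOT consulted for it. Here it is empty.
        ProtectionDomain restricted = new ProtectionDomain(null, new Permissions());
        AccessControlContext ctx = new AccessControlContext(new ProtectionDomain[] { restricted });
        // The second argument does not add privileges: every domain in ctx must also
        // imply the permission, so the empty domain makes the check fail.
        return AccessController.doPrivileged((PrivilegedAction<Boolean>) () -> tryRead(path), ctx);
    }

    public static void main(String[] args) {
        Policy.setPolicy(ALLOW_ALL);          // no SecurityManager is needed for checkPermission
        String path = "/tmp/demo.txt";       // constructed name; the file need not exist
        System.out.println("plain check:        " + tryRead(path));           // true
        System.out.println("restricted context: " + tryReadRestricted(path)); // false
    }
}
```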

Java 2 provides a comprehensive permission management framework. Its base is the abstract class java.security.Permission, which represents an access right. It contains the target name of the resource e.g. The Permission. PolicyClassName must specify the fully qualified name of the desired Policy implementation class.

The default security properties file entry for this property is the following: The policy configuration file(s) for a JDK or JRE installation specify what permissions (which types of system resource accesses) are granted to code from a specified code source and executed as a specified principal. For an applet or an application running under a security manager to be allowed to perform secured actions (such as reading or writing a file), the applet or application must be granted permission for that particular action.

In the Policy reference implementation, that permission must be granted by a grant entry in a policy configuration file. See below and the "Java Security Architecture Specification" for more information. The only exception is that code always automatically has permission to read files from its same URL location, and subdirectories of that location; it does not need explicit permission to do so.

A policy configuration file essentially contains a list of entries. It may contain a "keystore" entry, and contains zero or more "grant" entries. A keystore is a database of private keys and their associated digital certificates, such as X.509 certificate chains. The keystore specified in a policy configuration file is used to look up the public keys of the signers specified in the grant entries of the file. A keystore entry must appear in a policy configuration file if any grant entries specify signer aliases, or if any grant entries specify principal aliases (see below).

This entry can appear anywhere outside the file's grant entries. It has the following syntax: The URL is relative to the policy file location. Thus if the policy file is specified in the security properties file as:

A keystore type defines the storage and data format of the keystore information, and the algorithms used to protect private keys in the keystore and the integrity of the keystore itself. Thus, if the keystore type is "JKS", it does not need to be specified in the keystore entry. Code being executed is always considered to come from a particular "code source", represented by an object of type CodeSource. The code source includes not only the location URL where the code originated from, but also a reference to the certificate(s) containing the public key(s) corresponding to the private key(s) used to sign the code.

Certificates in a code source are referenced by symbolic alias names from the user's keystore. Code is also considered to be executed as a particular principal (represented by an object of type Principal), or group of principals.

The basic format of a grant entry is the following: The signedBy, codeBase, and principal values are optional, and the order of these fields does not matter. A signedBy value indicates the alias for a certificate stored in the keystore.

The public key within that certificate is used to verify the digital signature on the code; you grant the permission(s) to code signed by the private key corresponding to the public key in the keystore entry specified by the alias.

The signedBy value can be a comma-separated list of multiple aliases. To be more exact, a statement like "Code signed by Adam" means "Code in a class file contained in a JAR which is signed using the private key corresponding to the public key certificate in the keystore whose entry is aliased by Adam".

The signedBy field is optional in that, if it is omitted, it signifies "any signer": it doesn't matter whether the code is signed or not, or by whom. The principal set is associated with the executing code by way of a Subject. The "action" is required for many permission types, such as java.io.FilePermission, where it specifies what type of file access is permitted.

It is not required for categories such as java. If present, it indicates a signed permission. That is, the permission class itself must be signed by the given alias(es) in order for the permission to be granted.

For example, suppose you have the following grant entry: Then this permission of type Foo is granted if the Foo. An entry is terminated with a semicolon. Case is unimportant for the identifiers permission, signedBy, codeBase, etc. When you are specifying a java.

On Windows systems, whenever you directly specify a file path in a string (but not in a codebase URL), you need to include two backslashes for each actual single backslash in the path, as in: The reason this is necessary is that the strings are processed by a tokenizer (java.io.StreamTokenizer).

After the tokenizer has processed the previous file path string, converting double backslashes to single backslashes, the end result is:

The following policy configuration file specifies that only code that satisfies the following conditions can call methods in the Security class to add or remove providers or to set Security Properties:

The following is a policy configuration file where codeBase is missing: The code does not need to be signed.

The following is a policy configuration file where neither codeBase nor signedBy is included:

This allows code downloaded from "www. This assumes that X. For example, This allows things like. If the value of the "user. If on the other hand the "user. For example, suppose the value of my. Thus on a Windows system, the previous example would get converted to. Property expansion takes place anywhere a double-quoted string is allowed in the policy file. Whether or not property expansion is allowed is controlled by the value of the "policy.expandProperties" property.

If the value of this property is true (the default), expansion is allowed. If a property can't be expanded in a grant entry, permission entry, or keystore entry, that entry is ignored. For example, if the system property "foo" is not defined and you have:

And finally, if you have. File path specifications on Windows systems should include two backslashes for each actual single backslash.

As mentioned in File Path Specifications on Windows Systems, on Windows systems, when you directly specify a file path in a string (but not in a codebase URL), you need to include two backslashes for each actual single backslash in the path, as in: This is because the strings are processed by a tokenizer (java.io.StreamTokenizer). Expansion of a property in a string takes place after the tokenizer has processed the string.
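The grant syntax and property expansion described above, as an added example that is not part of the Oracle documentation this page reproduces: a constructed policy file with one codeBase-restricted entry and one unrestricted entry is loaded with the JDK's default "JavaPolicy" provider and queried directly through Policy.implies, without installing a SecurityManager. The file:/opt/demo/app codeBase and the jar names are hypothetical, and the program assumes a JDK (9 to 23) that still supports policy files.

```java
import java.io.File;
import java.io.FilePermission;
import java.net.URI;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.*;
import java.security.cert.Certificate;
import java.util.PropertyPermission;

public class PolicyGrantDemo {

    // Constructed policy text for the demo. The codeBase URL is hypothetical: a
    // trailing "/-" matches that directory and everything below it ("/" would match
    // only the directory itself); the second entry has no codeBase and no signedBy,
    // so it applies to all code, signed or not. ${user.home} and ${/} are expanded.
    static final String POLICY = String.join("\n",
        "grant codeBase \"file:/opt/demo/app/-\" {",
        "  permission java.io.FilePermission \"${user.home}${/}demo.log\", \"read,write\";",
        "};",
        "grant {",
        "  permission java.util.PropertyPermission \"java.version\", \"read\";",
        "};", "");

    // Writes the text to a temp file and loads it with the JDK's "JavaPolicy" provider.
    static Policy load(String policyText) throws Exception {
        Path file = Files.createTempFile("demo", ".policy");
        Files.write(file, policyText.getBytes(StandardCharsets.UTF_8));
        return Policy.getInstance("JavaPolicy", new URIParameter(file.toUri()));
    }

    // Is perm granted to unsigned code (no principals) loaded from codeBase?
    static boolean implies(Policy policy, String codeBase, Permission perm) throws Exception {
        CodeSource cs = new CodeSource(URI.create(codeBase).toURL(), (Certificate[]) null);
        ProtectionDomain pd = new ProtectionDomain(cs, null);  // no static permissions
        return policy.implies(pd, perm);
    }

    public static void main(String[] args) throws Exception {
        Policy policy = load(POLICY);
        String log = System.getProperty("user.home") + File.separator + "demo.log";
        String inTree = "file:/opt/demo/app/lib/x.jar", elsewhere = "file:/tmp/other.jar";
        // In the codeBase tree, and "read" is a subset of the granted "read,write".
        System.out.println(implies(policy, inTree, new FilePermission(log, "read")));    // true
        // Same file, but "execute" was never granted.
        System.out.println(implies(policy, inTree, new FilePermission(log, "execute"))); // false
        // Code from elsewhere only gets the unrestricted grant entry.
        System.out.println(implies(policy, elsewhere, new FilePermission(log, "read")));  // false
        System.out.println(implies(policy, elsewhere,
                new PropertyPermission("java.version", "read")));                         // true
    }
}
```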

Thus if you have the string. Generalized forms of expansion are also supported in policy files. For example, permission names may contain a string of the following form:

The exact replacement performed depends upon the contents of the grant clause to which the permission belongs. For example, BarPermission will always be ignored in the following grant clause: The following example describes a scenario involving both self and Keystore Alias Replacement together:

In the previous example, "duke" will first be expanded into javax. The protocol alias denotes a java.security.KeyStore alias substitution. The KeyStore used is the one specified in the Keystore Entry. For example: In the previous example the X.

A canonical path is a path that doesn't contain any links or shortcuts. Performing path name canonicalization in a FilePermission object can negatively affect performance.

This allowed a program to access a file using a different name than the name that was granted to a FilePermission object in a policy file, as long as the object pointed to the same file. Because the canonicalization had to access the underlying file system, it could be quite slow.

In JDK 9, path name canonicalization is disabled by default. This is true even if they all point to the same file in the file system.

Therefore, if a path name is granted to a FilePermission object in a policy file, then the program should also access that file using the same path name style. For example, if the path name in the policy file is using a symbolic link, then the program should also use that symbolic link.

Accessing the file with the target path name will fail the permission check.

Compatibility Layer

A compatibility layer has been added to ensure that granting a FilePermission object for a relative path will permit applications to access the file with an absolute path, and conversely. This works for the default Policy provider and the Limited doPrivileged calls.

Customizing Path Name Canonicalization

The system property can be used to enable or disable path name canonicalization in the FilePermission object.

To disable FilePermission path name canonicalization, set jdk. To enable FilePermission path name canonicalization, set jdk. The system property can be used to extend the compatibility layer to support third-party Policy implementations. To disable the system property, set jdk. The FilePermission for a relative path will permit applications to access the file with an absolute path for the default Policy provider and the Limited doPrivileged method.

To extend the compatibility layer to support third-party Policy implementations, set jdk. The FilePermission for a relative path will permit applications to access the file with an absolute path for the default Policy provider, the Limited doPrivileged method, and for third-party Policy implementations.

Important: The previous statement creates a permission object.
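An added example (not from the original documentation) of the JDK 9 path-name behaviour on a Unix-like file system: a FilePermission granted for a symbolic link no longer covers the target's own path unless canonicalization is re-enabled with the jdk.io.permissionsUseCanonicalPath system property, while "." and ".." segments are still normalized and a relative path is not matched against an absolute one by a plain implies() call. The temporary directory, file and link are constructed by the program; creating the symbolic link fails on Windows without the corresponding privilege.

```java
import java.io.FilePermission;
import java.nio.file.Files;
import java.nio.file.Path;

public class FilePermissionPathDemo {

    // Does a FilePermission granted for grantedPath cover a request for requestedPath?
    // This is the plain implies() test, with no Policy or compatibility layer involved.
    static boolean covers(String grantedPath, String requestedPath) {
        return new FilePermission(grantedPath, "read")
                .implies(new FilePermission(requestedPath, "read"));
    }

    public static void main(String[] args) throws Exception {
        // Constructed layout: a real file and a symbolic link to it in a temp directory.
        Path dir = Files.createTempDirectory("fp-demo");
        Path target = Files.createFile(dir.resolve("target.txt"));
        Path link = Files.createSymbolicLink(dir.resolve("link.txt"), target);

        // Unset (false) by default since JDK 9; run with
        // -Djdk.io.permissionsUseCanonicalPath=true to get the pre-JDK 9 behaviour.
        boolean canon = Boolean.getBoolean("jdk.io.permissionsUseCanonicalPath");
        System.out.println("canonicalization enabled: " + canon);

        // Two names for the same file. With canonical paths this was true; JDK 9+
        // compares the path strings, so it is false unless canonicalization is enabled.
        System.out.println("link vs target:  " + covers(link.toString(), target.toString()));

        // "." and ".." are still normalized lexically, so this is true either way.
        System.out.println("dotted vs plain: " + covers(
                dir.resolve("sub").resolve("..").resolve("target.txt").toString(),
                target.toString()));

        // Relative vs absolute: with canonicalization off, plain implies() is false.
        // The JDK 9 compatibility layer closes this gap only for permissions that come
        // through the default Policy provider or a limited doPrivileged call.
        System.out.println("relative vs abs: " + covers("target.txt", target.toString()));

        Files.delete(link);
        Files.delete(target);
        Files.delete(dir);
    }
}
```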

A permission object represents, but does not grant access to, a system resource. Permission objects are constructed and assigned "granted" to code based on the policy in effect. When a permission object is assigned to some code, that code is granted the permission to access the system resource specified in the permission object, in the specified manner.

A permission object may also be constructed by the current security manager when making access decisions. In this case, the target permission object is created based on the requested access, and checked against the permission objects granted to and held by the code making the request.

Permission classes:

java.awt.AWTPermission
java.io.FilePermission
java.io.SerializablePermission
java.lang.RuntimePermission
java.lang.management.ManagementPermission
java.lang.reflect.ReflectPermission
java.net.NetPermission
java.net.URLPermission
java.net.SocketPermission
java.nio.file.LinkPermission
java.security.AllPermission
java.security.SecurityPermission
java.security.UnresolvedPermission
java.sql.SQLPermission
java.util.logging.LoggingPermission
java.util.PropertyPermission
javax.management.MBeanPermission
javax.management.MBeanServerPermission
javax.management.MBeanTrustPermission
javax.management.remote.SubjectDelegationPermission
javax.net.ssl.SSLPermission
javax.security.auth.AuthPermission
javax.security.auth.PrivateCredentialPermission
javax.security.auth.kerberos.DelegationPermission
javax.security.auth.kerberos.ServicePermission

Methods and the Permissions They Require

The following table is a list of methods that require permissions, which SecurityManager method they call, and which permission is checked by the default implementation of that SecurityManager method.

Note: This list is not complete; other methods exist that require permissions.

java.awt.Graphics2D public abstract void setComposite(Composite comp) | checkPermission | (Note: The setComposite method is actually abstract and thus can't invoke security checks.)

SecurityManager checkPermission method with a java.awt.AWTPermission "createRobot"

java.awt.Toolkit public abstract Clipboard getSystemClipboard() | checkPermission

java.awt.Window Window() | checkPermission | If java.awt.AWTPermission "showWindowWithoutWarningBanner" is set, the window will be displayed without a banner warning that the window was created by an applet. If it's not set, such a banner will be displayed.

java.io.File public boolean delete(), public void deleteOnExit() | checkDelete(String)

java.lang.RuntimePermission "readFileDescriptor"

java.io.File public boolean exists(), public boolean canRead(), public boolean isFile(), public boolean isDirectory(), public boolean isHidden(), public long lastModified(), public long length(), public String[] list(), public String[] list(FilenameFilter filter), public File[] listFiles(), public File[] listFiles(FilenameFilter filter), public File[] listFiles(FileFilter filter)

java.lang.RuntimePermission "writeFileDescriptor"

java.io.ObjectInputStream protected final boolean enableResolveObject(boolean enable)

java.io.SerializablePermission "enableSubstitution"

java.io.SerializablePermission "enableSubclassImplementation"

java.lang.Class public static Class forName(String name, boolean initialize, ClassLoader loader) | checkPermission | If loader is null, and the caller's class loader is not null, then java.lang.RuntimePermission "getClassLoader"

java.lang.Class public ClassLoader getClassLoader() | checkPermission | If the caller's class loader is null, or is the same as or an ancestor of the class loader for the class whose class loader is being requested, no permission is needed. Otherwise, java.lang.RuntimePermission "getClassLoader" is required.

Otherwise, it requires java.lang.RuntimePermission "accessDeclaredMembers". If this class is in a package, java.lang.RuntimePermission "accessClassInPackage.

java.lang.RuntimePermission "getProtectionDomain"

java.lang.RuntimePermission "createClassLoader"

java.lang.ClassLoader public static ClassLoader getSystemClassLoader(), public ClassLoader getParent() | checkPermission | If the caller's class loader is null, or is the same as or an ancestor of the class loader for the class whose class loader is being requested, no permission is needed.

java.lang.Runtime public void exit(int status), public static void runFinalizersOnExit(boolean value); java.lang.System public static void exit(int status), public static void runFinalizersOnExit(boolean value) | checkExit(status), where status is 0 for runFinalizersOnExit | java.lang.RuntimePermission "exitVM.

java.lang.RuntimePermission "shutdownHooks"

java.lang.Runtime public void load(String lib), public void loadLibrary(String lib)

java.lang.RuntimePermission "loadLibrary.

java.lang.SecurityManager methods | checkPermission | See Table

java.lang.System public static Properties getProperties(), public static void setProperties(Properties props) | checkPropertiesAccess

java.lang.RuntimePermission "setIO"

java.lang.RuntimePermission "setSecurityManager"

java.lang.Thread public ClassLoader getContextClassLoader() | checkPermission | If the caller's class loader is null, or is the same as or an ancestor of the context class loader for the thread whose context class loader is being requested, no permission is needed.

java.lang.RuntimePermission "setContextClassLoader"

java.lang.Thread public final void checkAccess(), public void interrupt(), public final void suspend(), public final void resume(), public final void setPriority(int newPriority), public final void setName(String name), public final void setDaemon(boolean on) | checkAccess(this)

java.lang.RuntimePermission "modifyThread"

java.lang.RuntimePermission "modifyThreadGroup"

java.lang.Thread public final void stop() | checkAccess(this). Also checkPermission if the current thread is trying to stop a thread other than itself. | java.lang.RuntimePermission "modifyThread".

java.lang.Thread public final synchronized void stop(Throwable obj) | checkAccess(this). Also checkPermission if the current thread is trying to stop a thread other than itself or obj is not an instance of ThreadDeath.

java.lang.Thread Thread(ThreadGroup group,

java.lang.ThreadGroup public final void checkAccess(), public int enumerate(Thread list[]), public int enumerate(Thread list[], boolean recurse), public int enumerate(ThreadGroup list[]), public int enumerate(ThreadGroup list[], boolean recurse), public final ThreadGroup getParent(), public final void setDaemon(boolean daemon), public final void setMaxPriority(int pri), public final void suspend(), public final void resume(), public final void destroy() | checkAccess(this) for ThreadGroup methods, or checkAccess(group) for Thread methods

java.lang.ThreadGroup public final void interrupt() | checkAccess(this) | Requires java.lang.RuntimePermission "modifyThreadGroup". Also requires java.lang.RuntimePermission "modifyThread", since the java.lang.Thread interrupt method is called for each thread in the thread group and in all of its subgroups. See the Thread interrupt method.

java.lang.ThreadGroup public final void stop() | checkAccess(this) | Requires java.lang.RuntimePermission "modifyThread" and possibly java.lang.RuntimePermission "stopThread", since the java.lang.Thread stop method is called for each thread in the thread group and in all of its subgroups. See the Thread stop method.

java.lang.reflect.AccessibleObject public static void setAccessible | java.lang.reflect.ReflectPermission "suppressAccessChecks"


