Java security: Policies and permission management

This article covered the architecture of the Java security model. This week, I delve into other aspects of Java security, namely security managers, access controllers, and access permissions.

Security managers

Security manager is a special class that points out if a class can access a given resource (eg, file access or network connection). To make such a decision, security manager analyses the source of the request. If access is denied, a java.lang.SecurityException is generated. Otherwise, a call is handled in the usual way.

Each Java Virtual Machine (JVM) process allows the presence of only one security manager. In addition, you can configure JVM to deny a replacement of security manager after its creation. In this case, a security manager will exist throughout the JVM's existence. Many JVMs embedded into browsers create a single security manager before the first Java applet is loaded into it. As a result, a hacker's Java applet is unable to replace the default security manager of a Web browser with subsequent unauthorised access to system resources.

It is much easier to create a custom security manager in Java 2 than in previous versions because you can configure the default security manager. If you want to use the default security manager, let the JVM know with a system property in the command line. It must be set up in this way:

java -Djava.security.managerMyApplication
java -Djava.security.manager=default MyApplication

The java.lang.SecurityManager class encapsulates key features for interaction of the application with security manager in scope of the current running JVM. The Java.lang.System.getSecurityManager() method returns a reference to the current SecurityManager object. If it is absent, a null value is returned. You can set your own security manager with the java.lang.System.setSecurityManager() call. If it's forbidden to install new security managers, a SecurityException will be thrown.

The SecurityManager class contains many public methods with the form checkXXX(). Every method checks to see if access to a corresponding resource is allowed; if it is denied, a SecurityException exception will be thrown.

The checkPermission() method combines all checkXXX() methods. In Java 2 implementations, any call to the checkXXX() method will result in a call to checkPermission(). The checkPermission() method, in chain, calls the same method in the java.security.AccessController class.

Access controllers

The AccessController class is used to obtain a fine-grained access control, which forms a main feature of the new Java security model (starting with Java 1.3). SecurityManager is still used in Java for backward compatibility; access control is managed now in the AccessController class (which is why its implementation of SecurityManager is not recommended in Java 2). For example, you can implement the SecurityManager.checkRead(String fileName) method like this:

checkPermission(new FilePermission(fileName,"read"));

Here's how the corresponding method SecurityManager.checkPermission(Permission permission) can look:

java.security.AccessController.checkPermission(permission);

The AccessController class makes decisions about allowing access (with checkPermission() method, which determines whether the code must be run as privileged; if so, it would use the doPrivileged() method) and allows you to get a reference to the current access management context (with the getContext() method).

The AccessControlContext class encapsulates all the information about access parameters in the application. It can contain one or more ProtectionDomain classes. Each class contains access rights applicable to a particular code section. The ProtectionDomain class contains two classes for that purpose: PermissionCollection for storing a set of rights and CodeSource for keeping information about the code location in the form of a URL. It can also keep signatures' information in the SignedBy class, which in chain contains an array of Certificate objects. The code received from the same source and signed by the same people (ie, identities) is in the same Protection Domain. The checkPermission() method of the AccessControlContext object checks access rights related to ProtectionDomain objects set for the current context.

The doPrivileged() method can be used for actions that require any privileges in running. If doPrivileged() is used, a simplified decision making procedure is applied. It is assumed that the calling protection domain has the permission for running privileged operations. Usually when working with doPrivileged(), a PrivilegedAction interface is used, which does not generate any exception.

AccessController.doPrivileged(new PrivilegedAction() {
  Public Object run() {
  // privileged action can return some value or   null
  } 
}
);

The second parameter for the doPrivileged() method is the AccessControlContext object, which points to a correct context that must be used for access limiting. AccessController has the getcontext() method for getting and using context.

Access permissions

Java 2 contains a good permission management platform. The base of this architecture is the abstract class java.security.Permission, which describes the access rights entity. It contains the target name of the resource (eg, file name) and a string of actions that can be done on that resource (eg, "read,write"). The Permission.implies(Permission) method shows if a Permission object given in parameter is allowed -- provided that the current Permission object is also allowed. Object Permission implements the java.security.Guard interface. The permission class contains many subclasses for different purposes. Most of these subclasses have two constructors -- PermissionSubclass(String name) and PermissionSubclass(String name, String actions) -- that target resource name and actions string. Here are four of the default Permissions subclasses:

|> AllPermission(): Permission to all resources.
|> FilePermission(String fileName, String access): Permissions for file access. Access string can contain "read," "write," "delete," and "execute" separated by commas.
|> SocketPermission(String address,String access): Permissions for network socket connections. Address string can be in URL or IP form; access string can contain "accept" and "connect" operations.
|> PropertyPermission(String prop,String access): Permissions for property settings.

Additional resources on Java security

|>Sun's Java SE Security page
|>Java SE 6 security enhancements
|>Use JCE to share Java cryptography keys
|>Add security to applications by using JAAS