...
The applet security manager denies applets all but the most essential privileges. It is designed to protect inadvertent system modification, information leakage, and user impersonation. The use of security managers is not limited to client-side protection. Web servers, such as Tomcat and WebSphere, use this facility to isolate trojan servlets and malicious Java Server Pages (JSP) code as well as to protect sensitive system resources from inadvertent access.
For Java applications that run from the command line , can set a default or custom security manager can be set using a command line flag. Alternatively, it is possible to install a security manager programmatically. Installing a security manager this way helps create a default sandbox that allows or denies sensitive actions on the basis of the security policy in effect.
...
This noncompliant code example passes a null value to the setSecurityManager method that is responsible for setting the expected SecurityManager argument. As a resultConsequently, subsequent code will run without any security manager monitoring access.
...
Note that if a SecurityManager is were already active when this code is invoked, it will would probably prevent the system from removing it, and so causing this code will cause to throw a SecurityException to be thrown.
Compliant Solution (Default Security Manager)
...
This compliant solution demonstrates how to instantiate a custom SecurityManager class called CustomSecurityManager can be instantiated by invoking its constructor with a password; this custom security manager is then installed as the active security manager.
| Code Block | ||
|---|---|---|
| ||
try {
System.setSecurityManager(new CustomSecurityManager("password here"));
} catch (SecurityException se) {
// Cannot set security manager, log appropriately
}
|
...