In the presence of a security manager and a restrictive system-wide security policy, untrusted code is prohibited from performing privileged operations. For example, instantiating sensitive classes such as java.lang.ClassLoader is prohibited in the context of a web browser. At the same time, it is critical to ensure that untrusted code cannot indirectly use the privileges of trusted code to perform privileged operations. Most APIs install security manager checks to prevent this; some, however, do not. Those APIs are tabulated below, with the exception of the loadLibrary APIs. The loadLibrary APIs do throw a security exception if the caller lacks permission to dynamically link the library, but they are listed as unsafe because they use the immediate caller's class loader to find and load the library. Moreover, because the loadLibrary APIs are typically invoked from within a doPrivileged block defined in trusted code, the permission check stops at the trusted frame: untrusted code that reaches such a block can cause a library to be loaded, into the trusted code's class loader, without holding any special permission itself.
APIs |
---|
...
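The loadLibrary hazard described above, as an added example that is not part of the guideline: a trusted helper that wraps System.loadLibrary in doPrivileged, first in the form that lets an untrusted caller pick the library, then hardened. The class name NativeLoader, its method names and the library names in the allow-list are assumptions for illustration.

```java
import java.security.AccessController;
import java.security.PrivilegedAction;
import java.util.Set;

/**
 * Added example, not code from the guideline. NativeLoader stands for
 * trusted code (granted RuntimePermission "loadLibrary.*") that is reachable
 * from untrusted code running under a restrictive policy.
 */
public final class NativeLoader {

    private NativeLoader() {}

    /**
     * UNSAFE. doPrivileged ends the permission stack walk at this frame, so the
     * untrusted caller's missing "loadLibrary" permission is never consulted.
     * loadLibrary also resolves the library with the *immediate* caller's class
     * loader, i.e. NativeLoader's trusted loader, so untrusted code ends up
     * choosing which native library is loaded into trusted code.
     */
    public static void loadUnsafe(final String libName) {
        AccessController.doPrivileged((PrivilegedAction<Void>) () -> {
            System.loadLibrary(libName);   // libName is attacker-controlled here
            return null;
        });
    }

    // Fixed set of libraries this trusted code legitimately needs (assumed names).
    private static final Set<String> ALLOWED = Set.of("examplecrypto", "examplenet");

    /**
     * SAFER. Two changes: (1) the library name is checked against a fixed
     * allow-list, so caller input cannot select the library; (2) the link
     * permission check is performed *before* entering doPrivileged, while the
     * caller's protection domains are still on the stack, so an untrusted
     * caller is denied even though the load itself runs privileged.
     */
    public static void loadChecked(final String libName) {
        if (!ALLOWED.contains(libName)) {
            throw new IllegalArgumentException("library not permitted: " + libName);
        }
        SecurityManager sm = System.getSecurityManager();
        if (sm != null) {
            sm.checkLink(libName);   // throws SecurityException for callers lacking loadLibrary.<libName>
        }
        AccessController.doPrivileged((PrivilegedAction<Void>) () -> {
            System.loadLibrary(libName);
            return null;
        });
    }
}
```

The check-before-doPrivileged ordering is the general rule for any of the APIs in this category: decide on the caller's own context first, then assert privilege only for the fixed operation trusted code actually needs. Note that SecurityManager and AccessController.doPrivileged are deprecated for removal as of Java 17 (JEP 411), so this pattern compiles with deprecation warnings on current JDKs and has no effect at all where no security manager is installed.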