...
The worst form of non-compliance is not using the security manager at all. Even when it is used, there can be cases where the appropriate checks are not installed. In the noncompliant code example that follows, a null value is passed to the setSecurityManager method that is responsible for establishing a current instance of SecurityManager. Moreover, the checkPermission method (or any of the other check* methods) has not been used. As a result, no security manager will be installed (assuming that the security manager is not installed from the command line either).
```java
try {
  // Noncompliant: passing null installs no security manager
  System.setSecurityManager(null);
} catch (SecurityException se) {
  System.out.println("SecurityManager is already set!");
}
```
Noncompliant Code Example
In this noncompliant code example, none of the check* methods have been used even though a custom security manager has been set programmatically.
```java
try {
  // Noncompliant: a custom manager is installed, but no check* method is ever called
  System.setSecurityManager(new CustomSecurityManager("password here"));
} catch (SecurityException se) {
  System.out.println("SecurityManager is already set!");
}
```
...
Any Java program (bean, servlet or application) can instantiate a SecurityManager. However, for applications designed to run locally, an explicit flag must be set to enforce the SecurityManager policy whenever the security manager is not set programmatically. Sometimes this is desired when the user operates using a custom security policy and does not want to rely on the vendor-supplied security policy. The default security manager at the user end can be installed using the flags as follows:
```sh
java -Djava.security.manager -Djava.security.policy=policyURL LocalJavaApp
```
If it is known in advance that the user prefers using a custom security policy, the setSecurityManager() method in code can be forgone and substituted with just the getSecurityManager() method, as the security manager has already been installed using the command-line flag and need not be set explicitly. A custom security manager can be installed by adding the absolute path to the custom security manager after an equal-to sign appended immediately after the flag.
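One way to apply this in code, as an added example that is not part of the original page: the manager installed by the command-line flag is retrieved with getSecurityManager() and a check* method is called before a sensitive action. The class name LocalJavaApp comes from the command above; the permission name localapp.exportData and the guarded helper are hypothetical, and a JDK that still supports the security manager is assumed.

```java
import java.security.Permission;

// Added example, not from the original page. Assumes a JDK on which the
// Security Manager is still supported, launched as the page shows:
//   java -Djava.security.manager -Djava.security.policy=policyURL LocalJavaApp
final class LocalJavaApp {

    // Hypothetical application-defined permission. A policy file would grant it with:
    //   permission java.lang.RuntimePermission "localapp.exportData";
    static final Permission EXPORT = new RuntimePermission("localapp.exportData");

    // Runs a sensitive action only after the installed manager approves it.
    static void guarded(Permission required, Runnable action) {
        SecurityManager sm = System.getSecurityManager();
        if (sm == null) {
            // Neither the command-line flag nor setSecurityManager() installed
            // a manager: fail closed instead of running unchecked.
            throw new IllegalStateException("no security manager installed");
        }
        // Throws SecurityException when the policy does not grant the permission.
        sm.checkPermission(required);
        action.run();
    }

    public static void main(String[] args) {
        try {
            guarded(EXPORT, () -> System.out.println("export performed"));
        } catch (SecurityException se) {
            System.err.println("denied by policy: " + se.getMessage());
        } catch (IllegalStateException ise) {
            System.err.println("refusing to run: " + ise.getMessage());
        }
    }
}
```

Run without the -Djava.security.manager flag, the program refuses to perform the action rather than proceeding without checks.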
The default policy file java.policy grants a few permissions (reading system properties, binding to unprivileged ports and so forth) and can be found in the ~/java.home/lib/security directory on Unix-like systems and its equivalent on Microsoft Windows systems. There is also a user-specific policy file in the user's home directory. The union of both these policy files defines the permissions given to a program. Refer to the java.security file to set which policy files should be used. If either of these is deleted, by default no permissions are granted to the implementing code.
...