Java Reference
In-Depth Information
appletviewer -J-Djava.security.manager \
-J-Djava.security.policy==policyURL LocalJavaApp
Note that the policy file specified in the argument is ignored when the
policy.allowSystemProperty
property in the security properties file (
java.security
)
is set to
false
; the default value of this property is
true
. Default Policy Implementation
and Policy File Syntax [Policy 2010] discusses in depth the issues and syntax for writing
policy files.
Noncompliant Code Example (Programmatic Installation)
A
SecurityManager
can also be activated using the static
System.setSecurity-Man-
ager()
method. Only one
SecurityManager
may be active at a time. This method re-
places the currently active
SecurityManager
with the
SecurityManager
provided in its
argument, or no
SecurityManager
if its argument is
null
.
This noncompliant code example deactivates any current
SecurityManager
but does
notinstall another
SecurityManager
inits place. Consequently,subsequent codewill run
with all permissions enabled; there will be no restrictions on any nefarious action the pro-
gram might perform.
try {
System.setSecurityManager(null);
} catch (SecurityException se) {
// Cannot set security manager, log to file
}
An active
SecurityManager
that enforces a sensible security policy will prevent the
system from deactivating it, causing this code to throw a
SecurityException
.
Compliant Solution (Default Security Manager)
This compliant solution instantiates and sets the default security manager.
try {
System.setSecurityManager(new SecurityManager());
} catch (SecurityException se) {