Java Reference
In-Depth Information
appletviewer -J-Djava.security.manager \
-J-Djava.security.policy==policyURL LocalJavaApp
Note that the policy file specified in the argument is ignored when the
policy.allowSystemProperty property in the security properties file (java.security)
is set to false; the default value of this property is true. Default Policy Implementation
and Policy File Syntax [Policy 2010] discusses in depth the issues and syntax for writing
policy files.
Noncompliant Code Example (Programmatic Installation)
A SecurityManager can also be activated using the static System.setSecurityManager()
method. Only one SecurityManager may be active at a time. This method
replaces the currently active SecurityManager with the SecurityManager provided in its
argument, or no SecurityManager if its argument is null.
This noncompliant code example deactivates any current SecurityManager but does
not install another SecurityManager in its place. Consequently, subsequent code will run
with all permissions enabled; there will be no restrictions on any nefarious action the
program might perform.
try {
  System.setSecurityManager(null);
} catch (SecurityException se) {
  // Cannot set security manager, log to file
}
An active SecurityManager that enforces a sensible security policy will prevent the
system from deactivating it, causing this code to throw a SecurityException.
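The following added example (not code from the original text; the class and method names are hypothetical) installs the default SecurityManager and then checks that the noncompliant call above is refused and that a sensitive property read is denied. It assumes the JDK's default policy file is in effect and a JDK that still permits installing a manager: JDK 8 to 17 as is, JDK 18 to 23 with -Djava.security.manager=allow; from JDK 24 on, System.setSecurityManager() always throws UnsupportedOperationException.

```java
// Added example: verifies that an installed default SecurityManager cannot be removed.
public class SecurityManagerLockDemo {

    /** Installs the default SecurityManager unless one is already active. */
    static boolean installDefault() {
        if (System.getSecurityManager() != null) {
            return true;                       // keep the manager already in force
        }
        try {
            System.setSecurityManager(new SecurityManager());
            return true;
        } catch (UnsupportedOperationException e) {
            // JDK 18+ started without -Djava.security.manager=allow, or JDK 24+
            return false;
        }
    }

    /** Returns true if the active manager refuses to be deactivated. */
    static boolean removalIsBlocked() {
        try {
            System.setSecurityManager(null);   // the noncompliant call
            return false;                      // manager removed: policy is too permissive
        } catch (SecurityException se) {
            return true;                       // RuntimePermission("setSecurityManager") denied
        }
    }

    /** Returns true if reading a sensitive system property is denied. */
    static boolean homeDirReadIsBlocked() {
        try {
            System.getProperty("user.home");   // needs PropertyPermission "user.home", "read"
            return false;
        } catch (SecurityException se) {
            return true;
        }
    }

    public static void main(String[] args) {
        if (!installDefault()) {
            System.out.println("This JDK does not allow installing a SecurityManager");
            return;
        }
        System.out.println("removal blocked:        " + removalIsBlocked());
        System.out.println("user.home read blocked: " + homeDirReadIsBlocked());
    }
}
```

If removalIsBlocked() returns false, the policy in force grants RuntimePermission "setSecurityManager" (or AllPermission) to application code and should be tightened.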
Compliant Solution (Default Security Manager)
This compliant solution instantiates and sets the default security manager.
try {
  System.setSecurityManager(new SecurityManager());
} catch (SecurityException se) {
  // A security manager is already installed and does not permit its replacement
}