TIPOS DE COOKIES

In Java 1.1, the same rule applies but a class that is loaded from a jar file may carry with it a digital signature that allows it to be given extra privileges. These privileges are typically all−or−nothing: if you trust the entity that signed the jar file, then that code can do anything it wants. Some browser vendors have extended that behavior using proprietary APIs.

•

In Java 2, only classes in the core API are considered trusted. Other classes must be given explicit permission to perform the operations we've discussed.

•

4.4.2 Differences in the Security Manager Class

In 1.1, the setSecurityManager( ) method can only be called once, and once installed, the security manager cannot be removed. Attempting to call this method after a security manger has already been installed will result in a SecurityException.

4.4.2.1 File access

While 1.1−based browsers like Netscape Navigator 4 and earlier, Internet Explorer, and HotJava all have a default policy that prevents untrusted classes from all file access, some of them allow the user to configure a different policy. HotJava and the appletviewer, for example, allow the user to create a set of directories in which applets can read and write files, and some versions of Internet Explorer allow the user to grant file access to all untrusted classes.

4.4.2.2 Network access

There was a change in the default security policy supplied in 1.0 and in 1.1 with respect to untrusted classes and server sockets (either instances of class ServerSocket or datagram sockets that received data from any source). In 1.0, untrusted classes were typically not allowed to create a server socket at all, which meant that the checkListen( ) and checkAccept( ) methods always threw a security exception when an

applet attempted such an operation. In 1.1 and later, untrusted classes are allowed to create a server socket so long as the port number of that socket is greater than the privileged port number on the machine (typically 1024). Note too that the receive( ) method of the DatagramSocket class in Java 2 now calls the checkAccept( ) rather than the checkConnect( ) method.

Sun's 1.1−based browsers (HotJava and appletviewer) and some versions of Internet Explorer allow you to configure them so that untrusted classes can connect to any host on the network.

4.4.2.3 System access

In 1.1, attempts to redirect the standard input, output, and error streams call the checkExec() method rather than the checkPermission( ) method. In fact, the checkPermission( ) method does not exist at all in 1.1 and earlier releases.

4.4.2.4 Thread access

Thread access policy by appletviewer and popular browsers in 1.0 and 1.1 is, simply put, very confusing.

In 1.1, by default each applet is given an individual thread group, and the threads within that group can manipulate other threads within that group without respect to any additional hierarchy.

The getThreadGroup( ) method is only present in Java 1.1 and subsequent releases. In Java 1.0 (and browsers built on that release), thread security was generally nonexistent: any thread could manipulate the state of any other thread, and applets weren't able to create their own thread groups.

4.4.2.5 Security access

1.1 implements all of the security checks that were listed earlier; in addition, the following methods also call the checkSecurityAccess( ) method: Identity.toString( ) ,

Security.getProviders( ), Security.getProvider( ), and Security.getProperty(

). However, since most browsers (including Netscape Communicator 4.x and Internet Explorer 4.x) do not implement the standard security package at all, none of these checks are performed in those browsers.

4.5 Summary

In this chapter, we've had an overview of the most commonly known feature of Java's security story: the security manager. The security manager is responsible for arbitrating access to what we normally consider operating system features −− files, network sockets, printers, etc. The goal of the security manager is to grant access to each class according to the amount of trust the user has in the class. Often, that means granting full access to trusted classes (that is, classes that have been loaded from the filesystem) while limiting access when the access is requested from an untrusted class (that is, a class that has been loaded from the network).

Although the security manager is the most commonly known feature of Java's security story, it's often

misunderstood: there is no standard security manager among Java implementations, and Java applications, by default, have no security manager at all. Even with the popular Java−enabled browsers, the user often has latitude in what protections the security manager will be asked to enforce.

We examined in this chapter all the times when the security manager is asked to make a decision regarding access; such decisions range from the expected file and network access to more esoteric decisions, such as whether a frame needs a warning banner or what thread group a particular thread should belong to. This gave us a basic understanding of how the security manager is used to enforce a specific policy and the issues involved when defining such a policy. This knowledge will be used as a basis in the next few chapters when

we'll look at how the security manager is generally implemented.

In the last chapter, we looked at the security manager, which provides the security policy interface used by the core Java API. The implementation of most security managers, however, is based entirely upon the access controller. In this chapter, we're going to look at the access controller and its related classes. Along the way, we'll cover a number of important topics:

How to implement and use your own permission classes to extend the mechanism of the Java sandbox to your own applications.

•

How to implement a different security policy so that permissions can be set in new ways (e.g., by reading them from a central server rather than from a collection of files).

•

How the core Java API is able to perform certain operations that other classes cannot.

•

How to create objects that can only be accessed if you have the appropriate permission.

•

The access controller is built upon the four concepts we examined in Chapter 2 :

Code sources

An encapsulation of the location from which certain Java classes were obtained.

Permissions

An encapsulation of a request to perform a particular operation.

Policies

An encapsulation of all the specific permissions that should be granted to specific code sources.

Protection domains

An encapsulation of a particular code source and the permissions granted to that code source.

We'll start by examining how these concepts map to the Java API.