The Java 2 security behavior is specified by its security policy, which is an access-control matrix that specifies which system resources certain code bases can access and who must sign them. The Java 2 Security policy is declarative and it is enforced by the"> method.

The following example depicts the algorithm used...

i = m;
while (i > 0) 
    if (caller i's domain does not have the permission)
        throw AccessControlException;
    else if (caller i is marked as privileged)
    i = i - 1;

The algorithm requires that all the classes or callers on the call stack have the permissions when a">checkPermission() is performed or the request is denied.

If the caller is marked as privileged and the class (caller) is granted the said permissions, the algorithm returns and does not walk the entire call stack. Subsequent classes (callers) do not need the required permission granted.

A exception is thrown as a result of certain classes on the call stack missing the required permissions during a">checkPermission() method. Two possible resolutions to the exception...


Example call stack

The decision as to where to mark the code as privileged is application-specific and is unique in every situation.

Use the PasswordUtil utility to change the password of a user. The user types in the old password and the new password twice to ensure that the correct password is entered. If the old password matches the one stored in the password file, the new password is stored and the password file updates. Assume that none of the stack frame is marked as privileged. According to the">checkPermission() algorithm, the application fails unless all the classes on the call stack are granted write permission to the password file. The client application should not have permission to write to the password file directly and update the password file at will.

However, if the PasswordUtil.updatePasswordFile() method marks the code that accesses the password file as privileged, then the check permission algorithm does not check for the required permission from classes that call the PasswordUtil.updatePasswordFile() method for the required permission as long as the PasswordUtil class is granted the permission. Then the client application can successfully update a password without granting the permission to write to the password file.

The ability to mark code privileged is very flexible and powerful. If this ability is used incorrectly, the overall security of the system can be compromised and security holes can be exposed. Use the ability to mark code privileged carefully.


Resolution to,AccessControlException

There are two possibilities to resolve a exception. Judge these exceptions individually to decide which of the following resolutions is best...

  1. Grant the missing permission to the application.

  2. Mark some code as privileged (considering the concerns and risks).


See Also

Java 2 security policy files
Security: Resources for learning