8.2 Permission-Based Security Fundamentals

Before we launch into a detailed discussion of the MX4J security design, we'll quickly review the fundamental concepts behind Java's permission-based access control mechanism.

8.2.1 Permissions

In the Java 2 security model a permission is the authority to access a particular resource or to perform a particular operation. The class java.security.Permission and its subclasses represent permissions at runtime. For example, in the statement

    FilePermission fp = new FilePermission("/etc/passwd", "read, write");

fp represents permission to read and write the /etc/passwd file. In the statement

    RuntimePermission rp = new RuntimePermission("exitVM");

rp represents permission to shut down the JVM. FilePermission and RuntimePermission are part of the standard set of J2SE permissions. MX4J defines its own permissions to control access to JMX-based resources and operations.

8.2.2 SecurityManager

The Java SecurityManager class is responsible for enforcing security policy. It does so by determining whether or not the class making a given request has the necessary permission. In code these checks generally take the following form:

    SecurityManager sm = System.getSecurityManager();
    if (sm != null) {
        sm.checkPermission(new <RequiredPermission>(target, action));
    }

If the call to checkPermission() succeeds, execution continues normally; otherwise a SecurityException is thrown. The checkPermission() method succeeds if the permissions associated with the class calling it either contain or imply the permission that is passed to it as a parameter; that is, in the preceding example, checkPermission() succeeds if the class calling it has been granted RequiredPermission(target, action).

8.2.3 Policy

Permissions are granted to classes via Java's policy mechanism. By default, policy is specified by statements in a simple policy language. For example, the policy "any class signed by Root may read and write /etc/passwd" is specified by the following statement:

    grant signedBy "Root" {
        permission java.io.FilePermission "/etc/passwd", "read,write";
    };

Permissions may be granted to code signed by a specific signer, as just illustrated, or to code loaded from a specific URL (the codeBase of the grant), as here:

    grant codeBase "file:/opt/java/mx4j.jar" {
        permission java.util.PropertyPermission "java.home", "read";
    };

This statement allows code loaded from /opt/java/mx4j.jar to read the java.home system property. A concrete extension of the abstract class java.security.Policy is responsible for reading policy statements and mapping from a class's code source and signer attributes to the corresponding permissions at runtime.

In this section we have identified only the principal aspects of the Java 2 security architecture. For a detailed treatment of the topic, see Li Gong's book Inside Java 2 Platform Security: Architecture, API Design, and Implementation (Addison-Wesley, 1999).
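The "contain or imply" rule behind checkPermission() in 8.2.2 and the policy grants in 8.2.3 can be exercised directly with the java.security.Permissions collection. The following is an added example, not code from the book or from MX4J; the granted set it builds, the file paths, and the check() helper are constructed for this demonstration.

```java
import java.io.FilePermission;
import java.security.Permission;
import java.security.PermissionCollection;
import java.security.Permissions;

/** Added example: how a granted permission set implies requested permissions. */
public class PermissionDemo {

    // The runtime equivalent of a constructed policy grant such as
    //   grant signedBy "Root" { permission java.io.FilePermission "/etc/-", "read,write"; };
    // "/etc/-" means every file under /etc, recursively.
    static PermissionCollection grantedPermissions() {
        Permissions granted = new Permissions();
        granted.add(new FilePermission("/etc/-", "read,write"));
        granted.add(new RuntimePermission("exitVM"));
        return granted;
    }

    // Mirrors what SecurityManager.checkPermission() decides for the calling class:
    // succeed if the granted set contains or implies the requested permission,
    // otherwise throw SecurityException.
    static void check(PermissionCollection granted, Permission requested) {
        if (!granted.implies(requested)) {
            throw new SecurityException("access denied: " + requested);
        }
    }

    public static void main(String[] args) {
        PermissionCollection granted = grantedPermissions();

        // Implied: /etc/passwd lies under /etc/-, and "read" is a subset of "read,write".
        check(granted, new FilePermission("/etc/passwd", "read"));
        // Implied: the identical permission was granted.
        check(granted, new RuntimePermission("exitVM"));

        // Not implied: a path outside the granted tree (constructed example path).
        try {
            check(granted, new FilePermission("/home/alice/notes.txt", "read"));
        } catch (SecurityException e) {
            System.out.println("denied as expected: " + e.getMessage());
        }
        // Not implied: the "delete" action was never granted, even under /etc.
        try {
            check(granted, new FilePermission("/etc/passwd", "delete"));
        } catch (SecurityException e) {
            System.out.println("denied as expected: " + e.getMessage());
        }
    }
}
```

Running the class prints the two "denied as expected" lines and completes normally for the two implied checks, which is exactly the distinction a deployment's policy file must get right before MX4J-specific permissions are layered on top.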