Java Security Manager - What does it check?

Question

This article about Java security says:

Code in the Java library consults the Security Manager whenever a dangerous operation is about to be attempted.

Answer 1

The security manager uses a policy file to see what is permitted and what's not permitted. "Dangerous" operations, as determined by this policy file, is granted or denied during the execution.

You can find more details about the default policy for Sun/Oracle JVM here:

http://download.oracle.com/javase/6/docs/technotes/guides/security/PolicyFiles.html

Answer 2

Using security manager you could control access to :

1. File operations
2. Reflection facility
3. Read/Write IO
4. Thread/Thread group operations
5. Socket operations(listen, accept etc.)
6. Power to create your own classloader.

For each such thing there is a check*() method in SecurityManager

For an exhaustive list check the constants in SecurityConstants

Answer 3

It will only consult the SecurityManager if the code says so. It won't do it for every single operation.

For example in Runtime.exit, you see that the SecurityManager is consulted:

public void exit(int status) {
SecurityManager security = System.getSecurityManager();
if (security != null) {
    security.checkExit(status);
}
Shutdown.exit(status);
}

Similarly, in File, you will see that most methods consult the SecurityManager. Example:

public boolean canWrite() {
SecurityManager security = System.getSecurityManager();
if (security != null) {
    security.checkWrite(path);
}
return fs.checkAccess(this, FileSystem.ACCESS_WRITE);
}

If you are writing a method which might be "dangerous" then you should also consult the SecurityManager.