Win a copy of Kotlin in Action this week in the Kotlin forum!
  • Post Reply Bookmark Topic Watch Topic
  • New Topic

Java Security Architecture Problem - What do I do?  RSS feed

Robert Paris
Ranch Hand
Posts: 585
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Java Security (My Take)
Originally, Java security was such that they (Sun's Java team) expected
different implementations of SecurityManager (this is why it is not a final
class). However, they seem to have overestimated people's love for security.
As a result, they created the AccessController, their own implementation and
a final class. Now most of what the SecurityManager does is simply call the
The Problem
The problem and shift in security here is that there is no longer ONE
manager of security, or rather no FINAL voice on security access. People can
and do call AccessController directly (which does not check with the
security manager)! Imagine that someone calls the security manager (and it's
our implementation called OurSecurityManager) and is rejected (because of
its particular implementation RULES). So what do they do? They go to Daddy (
AccessController ) since Mommy said he couldn't do the action and since
Daddy has different rules, he allows the action. Gulp. (Or you're using
someone else's code and they have no security manager checks, just
accesscontroller.checkpermission() - diff. rules!)
My problem comes about because(as other people have discovered) Java 2 Security implementation is currently inadequate for numerous situations. That is why I wish to create my own SecurityManager implementation. However, what do I do if they call the AccessController directly? Is there anything to intercept that? And why is this API so convoluted/dishonest (since it seems to state that SecurityManager controls access rules, but then puts in a final class that can do that WITHOUT consulting the security manager)?
In my opinion, there should be ONE manager of the whole application that
handles permissions/rights, etc. Can anyone help me here? What should I do
to correctly implement a real security manager that truly manages all access
and will work in any JVM (with Java 2)?
  • Post Reply Bookmark Topic Watch Topic
  • New Topic
Boost this thread!