
Java Security Manager

I recently needed to address a problem where I have a digitally-signed Java Applet running in a web browser, and the Applet creates a new native Java process to handle application operations once the Applet goes out of scope. Considering that trust is transitive, the Java application process should propagate the Applet's trust relationship established with the user.

So, I researched strategies that would ensure the Java application process checked the trustworthiness of the components used by the new Java application process. Java 2 includes a Security Manager feature which is responsible for restricting access to resources based on trust relationships established with Principals. To ensure that all Java application components used in the Java application process are trusted by the user (or their system administrator), I added a property to the Java command line invoking the default Java Security Manager:

java -Djava.security.manager -jar foo.jar

This ensures that all application resources must be trusted by the user, with that trust usually being established by way of digitally-signed JARs. Effectively, the Java application process will be run with the same restrictions placed on a Java Applet running in a web browser.
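The launch described above, together with a fail-closed startup check in the child process, as an added example that is not code from the original post. The class name `SandboxedLauncher` and the method names are hypothetical; `foo.jar` is the JAR named in the command line above.

```java
import java.io.File;
import java.io.IOException;
import java.security.AllPermission;
import java.util.ArrayList;
import java.util.List;

// Added example, not the post author's code. Names are hypothetical.
// Note: the Security Manager API is deprecated for removal since Java 17 (JEP 411).
public class SandboxedLauncher {

    // Build the command line from the post, using the same JVM that runs the caller.
    static List<String> command(String jarPath) {
        String java = System.getProperty("java.home")
                + File.separator + "bin" + File.separator + "java";
        List<String> cmd = new ArrayList<>();
        cmd.add(java);
        cmd.add("-Djava.security.manager"); // install the default Security Manager
        cmd.add("-jar");
        cmd.add(jarPath);
        return cmd;
    }

    // Start the child process; arguments are passed as a list, never via a shell.
    static Process launch(String jarPath) throws IOException {
        return new ProcessBuilder(command(jarPath)).inheritIO().start();
    }

    // Call this first in the child's main(): refuse to run if the flag was dropped.
    static void requireSecurityManager() {
        SecurityManager sm = System.getSecurityManager();
        if (sm == null) {
            throw new IllegalStateException(
                    "started without -Djava.security.manager; refusing to run");
        }
        try {
            // If the active policy grants everything, the sandbox is ineffective.
            sm.checkPermission(new AllPermission());
            throw new IllegalStateException("policy grants AllPermission to this code");
        } catch (SecurityException expected) {
            // Restricted as intended: the policy does not grant AllPermission.
        }
    }

    public static void main(String[] args) throws Exception {
        Process child = launch("foo.jar");
        System.exit(child.waitFor());
    }
}
```

The check in `requireSecurityManager()` matters because the restriction exists only if the parent actually passes the flag; a child started any other way would otherwise run with full permissions.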