January 12, 2009
Disclaimer: This is not a how-to for implementing security frameworks. It will focus on the research aspects of Java Security Managers. If you need to find out how to implement the code, follow some of the references.
The Java SE platform provides a solid security framework. Aside from the cryptography libraries and Java Cryptography Extension (JCE) specification, it includes an important feature — called Security Managers — which enable a program writer (or the user) to specify the security constraints for a program.
Every call to the system resources goes through the Java Virtual Machine (JVM). The VM includes hooks, which call a Security Manager and request a decision regarding system resource calls. These calls include reading and writing files, opening sockets and listening to ports. The assigned security manager reads the security policy and decides whether the system call should be allowed. If the call is to be granted, the security manager simply returns a value (the nature of which is not important). If it is not to be allowed, a security exception is thrown, which signifies the denial of the call.