- Forward


The Java Security Architecture
An Overview of the Internals


Prof. David Bernstein
James Madison University

Computer Science Department
bernstdh@jmu.edu

Print

The Participants
Back SMYC Forward
  • ClassLoader :
    • Used to load .class files
  • The Bytecode Verifier:
    • Checks the bytecode to ensure that it does not: perform illegal conversions (e.g., integers to pointers), forge pointers, violate access restrictions, overflow the stack
    • Checks the bytecode to ensure that it does: access objects as what they are, call methods with appropriate arguments, and return the appropriate type
The Participants (cont.)
Back SMYC Forward
  • Permission :
    • An encapsulation of a system resource and the operations permitted on that resource
  • Principal :
    • An encapsulation of an entity (e.g., individual, company, ID) on whose behalf code is being executed
  • CodeSource :
    • Encapsulates the origin of a class and the certificate chains (if any) that were used to verify that the code came from the origin
The Participants (cont.)
Back SMYC Forward
  • ProtectionDomain :
    • A convenience class that groups a CodeSource, a collection of Permission objects, and a collection of Principal objects (and the ClassLoader that was used)
  • Policy :
    • An encapsulation of a security policy (essentially a matrix with rows corresponding to Principal objects, columns corresponding to CodeSource objects, and Permission objects in the body)
    • There is only one Policy object installed in the runtime at any point in time
The Participants (cont.)
Back SMYC Forward
  • SecurityManager :
    • Used to implement a Policy (i.e., enables a program to determine if an operation can be performed in a particular context)
  • AccessController :
    • A default delegate for the SecurityManager class (in a sense, it is a default implementation of a SecurityManager)
Steps Taken when Running a Program
Back SMYC Forward
  1. A .class file is read and the bytecodes are (statically) verified
  2. The file's origin is determined and, if one exists, the signature is verified (and the information is encapsulated in a CodeSource object)
  3. The set of static persmissions is determined based on the origin (and encapsulated in Permission objects)
  4. A ProtectionDomain object is created or re-used
  5. The class is loaded (using a ClassLoader)
  6. Objects are instantiated and used; when a security check is invoked and one or more methods of the class is in the call chain, an AccessController is used
    • The Policy is (constructed if necessary and) consulted and the set of permissions to be granted is determined based on the ProtectionDomain
  7. The set of permissions is consulted to determine if the execution can continue (if not, a SecurityException is thrown)
Desirable Features of this Architecture
Back SMYC Forward
  • The contents of a security policy are separated from the implementation
  • The access control algorithm is separated from the semantics of the persmissions it checks
  • Access control permissions can be expressed both statically and dynamically (and hierarchically)
There's Always More to Learn
Back -