Advertisement

Conclusion
The security manager contributes to the JVM's security model by establishing a custom security policy for Java applications. For the security policy to be "bullet proof," both the Java API and the security manager itself must be implemented properly. A bug in either of these can result in a security hole that malicious programmers could exploit.

The customizable nature of the security manager is one of the strengths of Java's security architecture. The security manager's "check" methods are just Java code, so you are free to decide the exact circumstances in which your application will permit potentially unsafe actions. If you can express an algorithm in Java code as a "check" method of the security manager, that algorithm can be part of your application's custom security policy.

Resources

• The book The Java virtual machine Specification (http://www.aw.com/cp/lindholm-yellin.html), by Tim Lindholm and Frank Yellin (ISBN 0-201-63452-X), part of The Java Series (http://www.aw.com/cp/javaseries.html), from Addison-Wesley, is the definitive Java virtual machine reference.
• Secure Computing with Java: Now and the Future (a whitepaper) http://www.javasoft.com/marketing/collateral/security.html
• Applet Security FAQ
  http://www.javasoft.com/sfaq/
• Low Level Security in Java, by Frank Yellin http://www.javasoft.com/sfaq/verifier.html
• The Java Security Home Page http://www.javasoft.com/security/
  
• See the Hostile Applets Home Page http://www.math.gatech.edu/~mladue/HostileApplets.html
  
• For more information about authentication in JDK 1.1, see http://www.javasoft.com/products/jdk/1.1/docs/guide/security/index.html.
  
• A whitepaper that describes the various aspects of Java's overall security strategy is http://www.javasoft.com/security/whitepaper.html.
  
• The book Java Security: Hostile Applets, Holes, and Antidotes, by Dr. Gary McGraw and Ed Felton, gives a thorough analysis of security issues surrounding Java. http://www.rstcorp.com/java-security.html
  

About the author
Bill Venners has been writing software professionally for 12 years. Based in Silicon Valley, he provides software consulting and training services under the name Artima Software Company. Over the years he has developed software for the consumer electronics, education, semiconductor, and life insurance industries. He has programmed in many languages on many platforms: assembly language on various microprocessors, C on Unix, C++ on Windows, Java on the Web. He is author of the book: Inside the Java Virtual Machine, published by McGraw-Hill. Reach Bill at bv@artima.com.

This article was first published under the name Java Security: How to Install the Security Manager and Customize Your Security Policy in JavaWorld, a division of Web Publishing, Inc., October 1997.