Updated: 3/1/2003; 8:04:20 PM.
 
Ockham's Flashlight
Stuart Halloway on software development, technology, and the future.
        

Friday, February 07, 2003

Turn that security manager on!
Most Java developers I know download and execute applications all the time, without using a SecurityManager. (Admit it, you have tried various open source projects.)

The madness stops for me today. Whenever I download some Java app, I am going to start with SecurityManager on, and policy empty. Then, it is simple to read exception traces (or turn on -Djava.security.debug) to figure out what permissions are needed. For example, it took me all of five minutes to produce this policy file for jing:

/* assumes that files are all in the current directory */ grant /* codeBase "jing.jar" */ { permission java.util.PropertyPermission "user.dir", "read"; permission java.io.FilePermission "*", "read"; };

Of course, building these files can be laborious. Maybe somebody should start a repository with sample policy files for key Java applications...
1:26:16 AM    comment []


Classes are not files
This is a hack:

private File getDir() { return new File( getClass().getResource("/" + getClass().getName().replace('.','/') + ".class").getFile() ).getParentFile(); } }

The assumption that classes are files negates the power of Java's class loaders. I'll grant that in a unit test harness this may not be as big a deal as it would be in shipping code, but it still makes me uncomfortable.
12:46:19 AM    comment []


© Copyright 2003 Stuart Halloway.
 
February 2003
Sun Mon Tue Wed Thu Fri Sat
            1
2 3 4 5 6 7 8
9 10 11 12 13 14 15
16 17 18 19 20 21 22
23 24 25 26 27 28  
Jan   Mar
About me

Teaching
The book
Speaking
Articles
Bio
CV
Java/COM/Win32 interop
Jawin
Contact

Subscribe to "Ockham's Flashlight" in Radio UserLand.

Click to see the XML version of this web page.