Java security

Anton Hinds

Joined: Dec 16, 2002
Posts: 10
Is there a way to restrict a single class from writing to a file system or calling exec?
I have looked at the Java security API and can only find two ways to do it:
1. Restrict the enclosing codebase (which restricts classes I don't want restricted)
2. Create a SecurityManager that will override checkExec() and checkWrite() with methods that search the call stack for the restricted class (seems kinda kludgy to me)
Am I missing something? Is there a better way?
Maulin Vasavada
Ranch Hand

Joined: Nov 04, 2001
Posts: 1873
hi Anton,
i am sorry but i am not able to understand why we want to restrict "some" class from writing a file whereas others are able to write??
i am not an expert on this but i have a code solution for this if you are able to change the code of the applet downloaded (it's an applet, right?)...
what you can do is- if you have a particular class that handles a request for file writing or a method that handles the request for file writing then you can pass a boolean variable to indicate if the write should really happen or not.
from the calling class you pass 'true' if the class is allowed to write else pass 'false' if you want that class not able to write and throw an exception...
well, this you also might have thought about but i am not sure what you have so i just did put down my thoughts...
there is another possibility as well,
you can have method enableFileWrite() where you set above mentioned boolean variable for the class that is actually performing File Write and then allow other classes to write the file via that File Writer class's method if that boolean variable is set to be true priorly. do you get what i mean here?
i don't think there would be something on higher level that will allow you to restrict certain classes from writing while allowing others from the same code base...
do you have multiple packages that gets downloaded and you want to restrict some other packages' class other than your package or something???
please clarify exact scenario you have...
Anton Hinds

Joined: Dec 16, 2002
Posts: 10
Thanks for the reply. Here is my exact situation:
I am using 3rd party scripting interpreters (beanshell/jython) in my code. I do not want an interpreted script to gain access to the filesystem or to execute native commands.
Since I do not want to go mucking around with the interpreter source code, the only way I can see to do this is to restrict the interpreter object from performing these actions at the JVM level. I figured I can use the Java security package for this. I have found a way (see original post)... but I was wondering if there was a better or more standard way.
Maulin Vasavada
Ranch Hand

Joined: Nov 04, 2001
Posts: 1873
i see what u mean. i thought u had some 3rd party thing otherwise you wouldn't want to achieve what you are trying to...
i don't know about any standard way of achieving it. it seems there is work ahead of you
btw, i have never done anything with this SecurityManager on my own..i wish i would learn it someday...
interesting problem, huh?
Alok Pota
Ranch Hand

Joined: Mar 07, 2001
Posts: 185
Your options are based on what you are willing to do:
1) If you do not want to make severe code changes
The Java SecurityManager and the java.policy file are pretty much the standard ways to impose this kind of restriction. I would suggest using the AccessController (instead of SecurityManager)
2) If you want to make code changes
I suggest pulling out code that writes to a file and executes OS calls into another class and have both these classes (one that does the illegal stuff and one that does not do the illegal stuff) implement an interface and expose that interface to your client calls.
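
The AccessController route mentioned in the last reply, shown as an added Java example that is not part of the original thread: one call is wrapped in an `AccessControlContext` with no permissions, so it is denied file writes while the rest of the same codebase is unaffected. `RestrictedCallDemo` and `untrustedWork` are hypothetical names, with `untrustedWork` standing in for the interpreter call; the example assumes a JVM on which a SecurityManager can still be installed (the API is deprecated since Java 17).

```java
import java.io.FileWriter;
import java.io.IOException;
import java.security.AccessControlContext;
import java.security.AccessController;
import java.security.Permission;
import java.security.Permissions;
import java.security.Policy;
import java.security.PrivilegedAction;
import java.security.ProtectionDomain;

public class RestrictedCallDemo {
    // A context whose single protection domain holds an empty permission set.
    static final AccessControlContext NO_PERMISSIONS = new AccessControlContext(
            new ProtectionDomain[] { new ProtectionDomain(null, new Permissions()) });

    // Hypothetical stand-in for interpreter.eval(script): tries to write a file.
    // Runtime.exec() goes through the same permission check (checkExec).
    static String untrustedWork() {
        try {
            new FileWriter("restricted-call-demo.txt").close();
            return "write succeeded";
        } catch (SecurityException e) {
            return "write denied by the security manager";
        } catch (IOException e) {
            return e.toString();
        }
    }

    public static void main(String[] args) {
        // Demo policy: grant everything to normally loaded code, so the only
        // restriction in effect is the one imposed by NO_PERMISSIONS below.
        Policy.setPolicy(new Policy() {
            @Override
            public boolean implies(ProtectionDomain domain, Permission permission) {
                return true;
            }
        });
        System.setSecurityManager(new SecurityManager());

        // Same method, same class, same codebase: allowed when called directly...
        System.out.println("direct call:     " + untrustedWork());

        // ...but denied when the call is wrapped in the empty context.
        PrivilegedAction<String> action = RestrictedCallDemo::untrustedWork;
        System.out.println("restricted call: "
                + AccessController.doPrivileged(action, NO_PERMISSIONS));
    }
}
```

The restriction covers everything called from inside the wrapped action, but a frame in that call chain that makes its own `doPrivileged` call without a context ends the permission check at that frame, so the interpreter's classes should be reviewed for such calls.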