Mailing Lists: Apple Mailing Lists
Image of Mac OS face in stamp
 
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Java Security, Images Loading and Implications


On Jul 10, 2006, at 5:43 AM, Aleksey Gureev wrote:

Hi Everyone!

We are developing the application that requires loading images from the net. Some sort of news reader. Several times I saw the following exception on our logs:

---
java.lang.SecurityException
at java.lang.SecurityManager.checkPermission(Unknown Source)
at java.lang.SecurityManager.checkConnect(Unknown Source)
at sun.awt.image.URLImageSource.checkSecurity(Unknown Source)
at sun.awt.image.ToolkitImage.getHeight(Unknown Source)
...
---


It happens only to some images, I must admit. I decompiled the ToolkitImage and URLImageSource classes to see what are the parameters and found that security context is always set to NULL and the default SecurityManager implementation throws SecurityException if the context is not of an AccessControlContext type. In other words, it means that there should always be an exception, but there's not and it's puzzling me a bit.

Security debug might be useful. I Googled this up related to it. You could probably come up with more formal documentation somewhere.

http://javaalmanac.com/egs/java.security/EnableDebug.html



Anyway, the main question is connected with what I decided to do. I decided to install my own SecurityManager implementation on application startup through the System.setSecurityManager() call. My implementation *never* throws SecurityException. I realize that some security managers installed by the system before my re- installation attempt could refuse to be replaced, but it's not the point. I'm feeling a bit uneasy about whether there are any negative implications connected with a security manager always saying 'Yes'. Does anyone have any experience with this?

I think defining an all permissions security policy is the more modern way to do this. Messing with SecurityManager is supposed to be sort of old-fashioned. I do it too though in an application that is supposed to run arbitrary java code so that I can trap System.exit and keep it from shutting down my application. I don't think I do anything else with it. Also I might be wrong but I think it is no longer true that you can't replace an established SecurityManager.


Mike Hall        mikehall at spacestar dot net
http://www.spacestar.net/users/mikehall
http://sourceforge.net/projects/macnative



Attachment: smime.p7s
Description: S/MIME cryptographic signature

 _______________________________________________
Do not post admin requests to the list. They will be ignored.
Java-dev mailing list      (email@hidden)
Help/Unsubscribe/Update your Subscription:
http://lists.apple.com/mailman/options/java-dev/email@hidden

This email sent to email@hidden
References: 
 >Java Security, Images Loading and Implications (From: Aleksey Gureev <email@hidden>)



Visit the Apple Store online or at retail locations.
1-800-MY-APPLE

Contact Apple | Terms of Use | Privacy Policy

Copyright © 2007 Apple Inc. All rights reserved.