The Default Sandbox
And now, putting this all together, let’s examine the default sandbox of various Java environments:
- Java applications
For applications invoked via the Java command line, the sandbox is initially disabled. To enable the sandbox, you must specify the
java.security.manager
property like this:piccolo%
java -Djava.security.manager <other args>
Applications may also enable the sandbox programatically by installing a security manager, as we discuss in Chapter 4.
Once enabled, the security manager will use the two default policy files to determine the parameters of the sandbox. You can specify an additional policy file to be used with the
java.security.policy
property:piccolo%
java -Djava.security.policy=<URL>
You can specify a full URL (e.g., with an
http:
orfile:
protocol) or simply list a filename. If you want the given policy file to be the only policy file used (bypassing the ones in $JREHOME/lib/security and the user’s home directory), specify two equals signs:piccolo%
java -Djava.security.policy==<URL>
Putting this all together, here’s how we would run the class
PayrollApp
in the default sandbox with additional permissions loaded from the file java.policy in the local directory:piccolo%
java -Djava.security.manager \
-Djava.security.policy=java.policy PayrollApp
- Appletviewer
The appletviewer installs a security manager programatically; it cannot be disabled. It will use the standard policy files; to use additional policy files, specify the appropriate policy ...
Get Java Security, 2nd Edition now with the O’Reilly learning platform.
O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.