The Java Security Architecture

The Java Security Architecture
An Overview of the Internals

Prof. David Bernstein
James Madison University

Computer Science Department

bernstdh@jmu.edu

The Participants

ClassLoader :
- Used to load .class files
The Bytecode Verifier:
- Checks the bytecode to ensure that it does not: perform illegal conversions (e.g., integers to pointers), forge pointers, violate access restrictions, overflow the stack
- Checks the bytecode to ensure that it does: access objects as what they are, call methods with appropriate arguments, and return the appropriate type

The Participants (cont.)

Permission :
- An encapsulation of a system resource and the operations permitted on that resource
Principal :
- An encapsulation of an entity (e.g., individual, company, ID) on whose behalf code is being executed
CodeSource :
- Encapsulates the origin of a class and the certificate chains (if any) that were used to verify that the code came from the origin

The Participants (cont.)

ProtectionDomain :
- A convenience class that groups a CodeSource, a collection of Permission objects, and a collection of Principal objects (and the ClassLoader that was used)
Policy :
- An encapsulation of a security policy (essentially a matrix with rows corresponding to Principal objects, columns corresponding to CodeSource objects, and Permission objects in the body)
- There is only one Policy object installed in the runtime at any point in time

The Participants (cont.)

SecurityManager :
- Used to implement a Policy (i.e., enables a program to determine if an operation can be performed in a particular context)
AccessController :
- A default delegate for the SecurityManager class (in a sense, it is a default implementation of a SecurityManager)

Steps Taken when Running a Program

A .class file is read and the bytecodes are (statically) verified
The file's origin is determined and, if one exists, the signature is verified (and the information is encapsulated in a CodeSource object)
The set of static persmissions is determined based on the origin (and encapsulated in Permission objects)
A ProtectionDomain object is created or re-used
The class is loaded (using a ClassLoader)
Objects are instantiated and used; when a security check is invoked and one or more methods of the class is in the call chain, an AccessController is used
- The Policy is (constructed if necessary and) consulted and the set of permissions to be granted is determined based on the ProtectionDomain
The set of permissions is consulted to determine if the execution can continue (if not, a SecurityException is thrown)

Desirable Features of this Architecture

The contents of a security policy are separated from the implementation
The access control algorithm is separated from the semantics of the persmissions it checks
Access control permissions can be expressed both statically and dynamically (and hierarchically)