Permissions in JDK1.2

Last Modified: 29 June, 1998

A permission represents access to a system resource. In order for a resource access to be allowed for an applet (or an application running with a security manager), the corresponding permission must be explicitly granted the code attempting the access.

A permission typically has a name (often referred to as a "target name") and, in some cases, a comma-separated list of one or more actions. For example, the following code creates a permission to read the file named "abc" in the /tmp directory:

    perm = new java.io.FilePermission("/tmp/abc", "read");
In this, the target name is "/tmp/abc" and the action string is "read".

This document contains tables that describe the built-in JDK 1.2 permission types and discuss the risks of granting each permission. It also contains tables showing the methods that require permissions to be in effect in order to be successful, and for each lists the required permission.

The tables are the following:

Permission Descriptions and Risks
AllPermission
AWTPermission
FilePermission
NetPermission
PropertyPermission
ReflectPermission
RuntimePermission
SecurityPermission
SerializablePPermission
SocketPermission

Methods and the Permissions They Require
java.lang.SecurityManager Method Permission Checks

For more information about permissions, including the superclasses java.security.Permission and java.security.BasicPermission, and examples of creating permissions, see the Security Architecture Specification.

The policy for a Java runtime (specifying which permissions are available for code from various sources) is represented by a Policy object. In the default Policy implementation, the policy can be specified within one or more policy configuration files. The configuration file(s) specify what permissions are allowed for code from specified code sources. For information about specifying permissions in policy files, see Default Policy Implementation and Policy File Syntax


Permission Descriptions and Risks

The following tables describe the built-in JDK 1.2 permission types and discuss the risks of granting each permission.

AllPermission

The java.security.AllPermission is a permission that implies all other permissions.

Note: Granting AllPermission should be done with extreme care, as it implies all other permissions. Thus, it grants code the ability to run with security disabled. Extreme caution should be taken before granting such a permission to code. This permission should be used only during testing, or in extremely rare cases where an application or applet is completely trusted and adding the necessary permissions to the policy is prohibitively cumbersome.

AWTPermission

A java.awt.AWTPermission is for AWT permissions.

The following table lists all the possible AWTPermission target names, and for each provides a description of what the permission allows and a discussion of the risks of granting code the permission.

java.awt.AWTPermission
Target Name
What the Permission Allows Risks of Allowing this Permission
accessClipboard Posting and retrieval of information to and from the AWT clipboard This would allow malfeasant code to share potentially sensitive or confidential information.
accessEventQueue Access to the AWT event queue After retrieving the AWT event queue, malicious code may peek at and even remove existing events from the system, as well as post bogus events which may purposefully cause the application or applet to misbehave in an insecure manner.
showWindowWithoutWarningBanner Display of a window without also displaying a banner warning that the window was created by an applet Without this warning, an applet may pop up windows without the user knowing that they belong to an applet. Since users may make security-sensitive decisions based on whether or not the window belongs to an applet (entering a username and password into a dialog box, for example), disabling this warning banner may allow applets to trick the user into entering such information.

FilePermission

A java.io.FilePermission represents access to a file or directory. A FilePermission consists of a pathname and a set of actions valid for that pathname.

Pathname is the pathname of the file or directory granted the specified actions. A pathname that ends in "/*" (where "/" is the file separator character, File.separatorChar) indicates a directory and all the files contained in that directory. A pathname that ends with "/-" indicates a directory and (recursively) all files and subdirectories contained in that directory. A pathname consisting of the special token "<<ALL FILES>>" matches any file.

Note: A pathname consisting of a single "*" indicates all the files in the current directory, while a pathname consisting of a single "-" indicates all the files in the current directory and (recursively) all files and subdirectories contained in the current directory.

The actions to be granted are passed to the constructor in a string containing a list of zero or more comma-separated keywords. The possible keywords are "read", "write", "execute", and "delete". Their meaning is defined as follows:

read
read permission
write
write permission
execute
execute permission. Allows Runtime.exec to be called. Corresponds to SecurityManager.checkExec.
delete
delete permission. Allows File.delete to be called. Corresponds to SecurityManager.checkDelete.

The actions string is converted to lowercase before processing.

Be careful when granting FilePermissions. Think about the implications of granting read and especially write access to various files and directories. The "<<ALL FILES>>" permission with write action is especially dangerous. This grants permission to write to the entire file system. One thing this effectively allows is replacement of the system binary, including the JVM runtime environment.

NetPermission

A java.net.NetPermission is for various network permissions. A NetPermission contains a name but no actions list; you either have the named permission or you don't.

The name is the name of the network permission (see below). The naming convention follows the hierarchical property naming convention. Also, an asterisk may appear at the end of the name, following a ".", or by itself, to signify a wildcard match. For example: "foo.*" or "*" is valid, "*foo" or "a*b" is not valid.

The following table lists all the possible NetPermission target names, and for each provides a description of what the permission allows and a discussion of the risks of granting code the permission.

java.net.NetPermission
Target Name
What the Permission Allows Risks of Allowing this Permission
setDefaultAuthenticator The ability to set the way authentication information is retrieved when a proxy or HTTP server asks for authentication Malicious code can set an authenticator that monitors and steals user authentication input as it retrieves the input from the user.
requestPasswordAuthentication The ability to ask the authenticator registered with the system for a password Malicious code may steal this password.

PropertyPermission

A java.util.PropertyPermission is for property permissions.

The name is the name of the property ("java.home", "os.name", etc). The naming convention follows the hierarchical property naming convention. Also, an asterisk may appear at the end of the name, following a ".", or by itself, to signify a wildcard match. For example: "java.*" or "*" is valid, "*java" or "a*b" is not valid.

The actions to be granted are passed to the constructor in a string containing a list of zero or more comma-separated keywords. The possible keywords are "read" and "write". Their meaning is defined as follows:

read
read permission. Allows System.getProperty to be called.
write
write permission. Allows System.setProperty to be called.

The actions string is converted to lowercase before processing.

Care should be taken before granting code permission to access certain system properties. For example, granting permission to access the "java.home" system property gives potentially malevolent code sensitive information about the system environment (the Java installation directory). Also, granting permission to access the "user.name" and "user.home" system properties gives potentially malevolent code sensitive information about the user environment (the user's account name and home directory).

ReflectPermission

A java.lang.reflect.ReflectPermission is for reflective operations. A ReflectPermission is a named permission and has no actions. The only name currently defined is suppressAccessChecks, which allows suppressing the standard Java language access checks -- for public, default (package) access, protected, and private members -- performed by reflected objects at their point of use.

The following table provides a summary description of what the permission allows, and discusses the risks of granting code the permission.

java.lang.reflect.ReflectPermission
Target Name
What the Permission Allows Risks of Allowing this Permission
suppressAccessChecks ability to access fields and invoke methods in a class. Note that this includes not only public, but protected and private fields and methods as well. This is dangerous in that information (possibly confidential) and methods normally unavailable would be accessible to malicious code.

RuntimePermission

A java.lang.RuntimePermission is for runtime permissions. A RuntimePermission contains a name (also referred to as a "target name") but no actions list; you either have the named permission or you don't.

The target name is the name of the runtime permission (see below). The naming convention follows the hierarchical property naming convention. Also, an asterisk may appear at the end of the name, following a ".", or by itself, to signify a wildcard match. For example: "loadLibrary.*" or "*" is valid, "*loadLibrary" or "a*b" is not valid.

The following table lists all the possible RuntimePermission target names, and for each provides a description of what the permission allows and a discussion of the risks of granting code the permission.

java.lang.RuntimePermission
Target Name
What the Permission Allows Risks of Allowing this Permission
createClassLoader Creation of a class loader This is an extremely dangerous permission to grant. Malicious applications that can instantiate their own class loaders could then load their own rogue classes into the system. These newly loaded classes could be placed into any protection domain by the class loader, thereby automatically granting the classes the permissions for that domain.
getClassLoader Retrieval of a class loader (e.g., the class loader for the calling class) This would grant an attacker permission to get the class loader for a particular class. This is dangerous because having access to a class's class loader allows the attacker to load other classes available to that class loader. The attacker would typically otherwise not have access to those classes.
setContextClassLoader Setting of the context class loader used by a thread The context class loader is used by system code and extensions when they need to lookup resources that might not exist in the system class loader. Granting setContextClassLoader permission would allow code to change which context class loader is used for a particular thread, including system threads.
setSecurityManager Setting of the security manager (possibly replacing an existing one) The security manager is a class that allows applications to implement a security policy. Granting the setSecurityManager permission would allow code to change which security manager is used by installing a different, possibly less restrictive security manager, thereby bypassing checks that would have been enforced by the original security manager.
createSecurityManager Creation of a new security manager This gives code access to protected, sensitive methods that may disclose information about other classes or the execution stack.
exitVM Halting of the Java Virtual Machine This allows an attacker to mount a denial-of-service attack by automatically forcing the virtual machine to halt.
setFactory Setting of the socket factory used by ServerSocket or Socket, or of the stream handler factory used by URL This allows code to set the actual implementation for the socket, server socket, or stream handler. An attacker may set a faulty implementation which mangles the data stream.
setIO Setting of System.out, System.in, and System.err This allows changing the value of the standard system streams. An attacker may change System.in to monitor and steal user input, or may set System.err to a "null" OutputSteam, which would hide any error messages sent to System.err.
modifyThread modification of threads, e.g., via calls to Thread stop, suspend, resume, setPriority, and setName methods This allows an attacker to start or suspend any thread in the system. This poses as a threat in that the attacker may either start up rogue threads or mount a denial-of-service attack by killing existing threads.
stopThread Stopping of threads via calls to the Thread stop method This allows code to stop any thread in the system. This poses as a threat, because that code may corrupt the system by killing existing threads.
modifyThreadGroup modification of thread groups, e.g., via calls to ThreadGroup destroy, resume, setDaemon, setMaxPriority, stop, and suspend methods This allows an attacker to create thread groups and set their run priority. The attacker could create rogue thread groups and set their priority at the highest level, ensuring they will run.
getProtectionDomain Retrieval of the ProtectionDomain for a class This allows code to obtain policy information for a particular code source. While obtaining policy information does not compromise the security of the system, it does give attackers additional information, such as local file names for example, to better aim an attack.
readFileDescriptor Reading of file descriptors This would allow code to read the particular file associated with the file descriptor read. This is dangerous if the file contains confidential data.
writeFileDescriptor Writing to file descriptors This allows code to write to a particular file associated with the descriptor. This is dangerous because it may allow malicous code to plant viruses or at the very least, fill up your entire disk.
loadLibrary.{library name} Dynamic linking of the specified library It is dangerous to allow an applet permission to load native code libraries, because the Java security architecture is not designed to and does not prevent malicious behavior at the level of native code.
accessClassInPackage.{package name} Access to the specified package via a class loader's loadClass method when that class loader calls the SecurityManager checkPackageAcesss method This gives code access to classes in packages to which it normally does not have access. Malicious code may use these classes to help in its attempt to compromise security in the system.
defineClassInPackage.{package name} Definition of classes in the specified package, via a class loader's defineClass method when that class loader calls the SecurityManager checkPackageDefinition method. This grants code permission to define a class in a particular package. This is dangerous because malicious code with this permission may define rogue classes in trusted packages like java.security or java.lang, for example.
accessDeclaredMembers Access to the declared members of a class This grants code permission to query a class for its public, protected, default (package) access, and private fields and/or methods. Although the code would have access to the private and protected field and method names, it would not have access to the private/protected field data and would not be able to invoke any private methods. Nevertheless, malicious code may use this information to better aim an attack. Additionally, it may invoke any public methods and/or access public fields in the class. This could be dangerous if the code would normally not be able to invoke those methods and/or access the fields because it can't cast the object to the class/interface with those methods and fields.
queuePrintJob Initiation of a print job request This could print sensitive information to a printer, or simply waste paper.

SecurityPermission

A java.security.SecurityPermission is for security permissions. A SecurityPermission contains a name (also referred to as a "target name") but no actions list; you either have the named permission or you don't.

The target name is the name of a security configuration parameter (see below). Currently the SecurityPermission object is used to guard access to the Policy, Security, Provider, Signer, and Identity objects.

The following table lists all the possible SecurityPermission target names, and for each provides a description of what the permission allows and a discussion of the risks of granting code the permission.

java.security.SecurityPermission
Target Name
What the Permission Allows Risks of Allowing this Permission
getPolicy Retrieval of the system-wide security policy (specifically, of the currently-installed Policy object) This allows someone to query the policy via the getPermissions call, which discloses which permissions would be granted to a given CodeSource. While revealing the policy does not compromise the security of the system, it does provide malicious code with additional information which it may use to better aim an attack. It is wise not to divulge more information than necessary.
setPolicy Setting of the system-wide security policy (specifically, the Policy object) Granting this permission is extremely dangerous, as malicious code may grant itself all the necessary permissions it needs to successfully mount an attack on the system.
getProperty.{key} Retrieval of the security property with the specified key Depending on the particular key for which access has been granted, the code may have access to the list of security providers, as well as the location of the system-wide and user security policies. while revealing this information does not compromise the security of the system, it does provide malicious code with additional information which it may use to better aim an attack.
setProperty.{key} Setting of the security property with the specified key This could include setting a security provider or defining the location of the the system-wide security policy. Malicious code that has permission to set a new security provider may set a rogue provider that steals confidential information such as cryptographic private keys. In addition, malicious code with permission to set the location of the system-wide security policy may point it to a security policy that grants the attacker all the necessary permissions it requires to successfully mount an attack on the system.
insertProvider.{provider name} Addition of a new provider, with the specified name This would allow somebody to introduce a possibly malicious provider (e.g., one that discloses the private keys passed to it) as the highest-priority provider. This would be possible because the Security object (which manages the installed providers) currently does not check the integrity or authenticity of a provider before attaching it.
removeProvider.{provider name} Removal of the specified provider This may change the behavior or disable execution of other parts of the program. If a provider subsequently requested by the program has been removed, execution may fail. Also, if the removed provider is not explicitly requested by the rest of the program, but it would normally be the provider chosen when a cryptography service is requested (due to its previous order in the list of providers), a different provider will be chosen instead, or no suitable provider will be found, thereby resulting in program failure.
setSystemScope Setting of the system identity scope This would allow an attacker to configure the system identity scope with certificates that should not be trusted, thereby granting applet or application code signed with those certificates privileges that would have been denied by the system's original identity scope
setIdentityPublicKey Setting of the public key for an Identity If the identity is marked as "trusted", this allows an attacker to introduce a different public key (e.g., its own) that is not trusted by the system's identity scope, thereby granting applet or application code signed with that public key privileges that would have been denied otherwise.
SetIdentityInfo Setting of a general information string for an Identity This allows attackers to set the general description for an identity. This may trick applications into using a different identity than intended or may prevent applications from finding a particular identity.
addIdentityCertificate Addition of a certificate for an Identity This allows attackers to set a certificate for an identity's public key. This is dangerous because it affects the trust relationship across the system. This public key suddenly becomes trusted to a wider audience than it otherwise would be.
removeIdentityCertificate Removal of a certificate for an Identity This allows attackers to remove a certificate for an identity's public key. This is dangerous because it affects the trust relationship across the system. This public key suddenly becomes considered less trustworthy than it otherwise would be.
clearProviderProperties.{provider name} "Clearing" of a Provider so that it no longer contains the properties used to look up services implemented by the provider This disables the lookup of services implemented by the provider. This may thus change the behavior or disable execution of other parts of the program that would normally utilize the Provider, as described under the "removeProvider.{provider name}" permission.
putProviderProperty.{provider name} Setting of properties for the specified Provider The provider properties each specify the name and location of a particular service implemented by the provider. By granting this permission, you let code replace the service specification with another one, thereby specifying a different implementation.
removeProviderProperty.{provider name} Removal of properties from the specified Provider This disables the lookup of services implemented by the provider. They are no longer accessible due to removal of the properties specifying their names and locations. This may change the behavior or disable execution of other parts of the program that would normally utilize the Provider, as described under the "removeProvider.{provider name}" permission.
getSignerPrivateKey Retrieval of a Signer's private key It is very dangerous to allow access to a private key; private keys are supposed to be kept secret. Otherwise, code can use the private key to sign various files and claim the signature came from the Signer.
setSignerKeyPair Setting of the key pair (public key and private key) for a Signer This would allow an attacker to replace somebody else's (the "target's") keypair with a possibly weaker keypair (e.g., a keypair of a smaller keysize). This also would allow the attacker to listen in on encrypted communication between the target and its peers. The target's peers might wrap an encryption session key under the target's "new" public key, which would allow the attacker (who possesses the corresponding private key) to unwrap the session key and decipher the communication data encrypted under that session key.

SerializablePermission

A java.io.SerializablePermission is for serializable permissions. A SerializablePermission contains a name (also referred to as a "target name") but no actions list; you either have the named permission or you don't.

The target name is the name of the Serializable permission (see below).

The following table lists all the possible SerializablePermission target names, and for each provides a description of what the permission allows and a discussion of the risks of granting code the permission.

java.io.SerializablePermission
Target Name
What the Permission Allows Risks of Allowing this Permission
enableSubclassImplementation Subclass implementation of ObjectOutputStream or ObjectInputStream to override the default serialization or deserialization, respectively, of objects Code can use this to serialize or deserialize classes in a purposefully malfeasant manner. For example, during serialization, malicious code can use this to purposefully store confidential private field data in a way easily accessible to attackers. Or, during deserializaiton it could, for example, deserialize a class with all its private fields zeroed out.
enableSubstitution Substitution of one object for another during serialization or deserialization This is dangerous because malicious code can replace the actual object with one which has incorrect or malignant data.

SocketPermission

A java.net.SocketPermission represents access to a network via sockets. A SocketPermission consists of a host specification and a set of "actions" specifying ways to connect to that host. The host is specified as
   host = (hostname | IPaddress)[:portrange]
   portrange = portnumber | -portnumber | portnumber-[portnumber]
The host is expressed as a DNS name, as a numerical IP address, or as "localhost" (for the local machine). The wildcard "*" may be included once in a DNS name host specification. If it is included, it must be in the leftmost position, as in "*.sun.com".

The port or portrange is optional. A port specification of the form "N-", where N is a port number, signifies all ports numbered N and above, while a specification of the form "-N" indicates all ports numbered N and below.

The possible ways to connect to the host are

accept
connect
listen
resolve
The "listen" action is only meaningful when used with "localhost". The "resolve" (resolve host/ip name service lookups) action is implied when any of the other actions are present.

As an example of the creation and meaning of SocketPermissions, if the following permissions are created for classes signed by mrm:

  p1 = new SocketPermission("puffin.eng.sun.com:7777", "connect,accept");
  p2 = new SocketPermission("localhost:1024-", "accept,connect,listen");
then classes signedBy mrm can connect to port 7777 on puffin.eng.sun.com, or accept connections on that port. Classes signedBy mrm may also listen on any port between 1024 and 65535, as well as port 0. *

Note: Granting code permission to accept or make connections to remote hosts may be dangerous because malevolent code can then more easily transfer and share confidential data among parties who may not otherwise have access to the data.


Methods and the Permissions They Require

The following table contains a list of all the permissions in JDK1.2, and which methods require them.

A call to a method in the left-hand column can only be successful if the permission specified in the corresponding entry in the right-hand column is allowed by the policy currently in effect. For example, the following row:

Method Permission
java.awt.Toolkit
    getSystemEventQueue(); 
java.awt.AWTPermission "accessEventQueue";

specifies that a call to the getSystemEventQueue method in the java.awt.Toolkit class can only be successful if the following permission is set:

  java.awt.AWTPermission "accessEventQueue";

The convention of:

Method Permission
 some.package.class
   public static void someMethod(String foo); 
SomePermission "{foo}";

means the runtime value of foo replaces the string {foo} in the permission name.

As an example, here is one table entry:

Method Permission
java.io.FileInputStream
    FileInputStream(String name) 
java.io.FilePermission "{name}", "read";

If the FileInputStream method (in this case, a constructor) is called with "/test/MyTestFile" as the name argument, as in

  FileInputStream("/test/MyTestFile");
then in order for the call to succeed, the following permission must be set in the current policy, allowing read access to the file "/test/MyTestFile":
  java.io.FilePermission "/test/MyTestFile", "read";
More specifically, the permission must either be explicitly set, as above, or implied by another permission, such as the following:
  java.io.FilePermission "/test/*", "read";
which allows read access to any files in the "/test" directory.

The following table is ordered by package name. That is, the methods in classes in the java.awt package are listed first, followed by methods in classes in the java.io package, and so on.


Permissions and the methods that check for them
Method Permission
java.awt.Toolkit
  getPrintJob(Frame frame, String jobtitle,
      Properties props);
java.lang.RuntimePermission "queuePrintJob";

Note: The getPrintJob method is actually abstract and thus can't invoke security checks. Each actual implementation of the method should call the java.lang.SecurityManager checkPrintJobAccess method, which is successful only if the java.lang.RuntimePermission "queuePrintJob" permission is currently allowed.

java.awt.Toolkit
  getSystemClipboard();
java.awt.AWTPermission "accessClipboard";

Note: The getSystemClipboard method is actually abstract and thus can't invoke security checks. Each actual implementation of the method should call the java.lang.SecurityManager checkSystemClipboardAccess method, which is successful only if the java.awt.AWTPermission "accessClipboard" permission is currently allowed.

java.awt.Toolkit
  getSystemEventQueue();
java.awt.AWTPermission "accessEventQueue";
java.awt.Window
  Window()
java.awt.AWTPermission "showWindowWithoutWarningBanner";
java.io.File
  public boolean delete();
java.io.FilePermission "{name}", "delete";
java.io.FileInputStream
  FileInputStream(FileDescriptor fdObj);
java.lang.RuntimePermission "readFileDescriptor";
java.io.FileInputStream
  FileInputStream(String name)

java.io.File
  public boolean exists();
  public boolean canRead();
  public boolean isFile();
  public boolean isDirectory();
  public long lastModified();
  public long length();
  public String[] list();
      
java.io.RandomAccessFile
  RandomAccessFile(String name, String mode)
      (where mode is "r")
java.io.FilePermission "{name}", "read";
java.io.FileOutputStream
  FileOutputStream(FileDescriptor fdObj)
java.lang.RuntimePermission "writeFileDescriptor";
java.io.FileOutputStream 
  FileOutputStream(String name)
  FileOutputStream(String name, boolean append)

java.io.File
  public boolean canWrite();
  public boolean mkdir();
  public boolean renameTo(File dest);
java.io.FilePermission "{name}", "write";
java.io.ObjectInputStream
  protected final boolean 
    enableResolveObject(boolean enable);

java.io.ObjectOutputStream
  protected final boolean 
    enableReplaceObject(boolean enable)
java.io.SerializablePermission "enableSubstitution";
java.io.RandomAccessFile
  RandomAccessFile(String name, String mode)
      (where mode is "rw")
java.io.FilePermission "{name}", "read,write";
java.lang.Class
  public ClassLoader getClassLoader();
If the caller's class loader is null, or is the same as or an ancestor of the class loader for the class whose class loader is being requested, no permission is needed. Otherwise,
java.lang.RuntimePermission "getClassLoader"
is required.
java.lang.Class
  public Class[] getDeclaredClasses();
  public Field[] getDeclaredFields();
  public Method[] getDeclaredMethods();
  public Constructor[] getDeclaredConstructors();
  public Field getDeclaredField(String name);
  public Method getDeclaredMethod(...);
  public Constructor getDeclaredConstructor(...);
java.lang.RuntimePermission "accessDeclaredMembers";
java.lang.Class
   public ProtectionDomain getProtectionDomain()
java.lang.RuntimePermission "getProtectionDomain";
java.lang.ClassLoader
  ClassLoader();
  ClassLoader(ClassLoader parent);
java.lang.RuntimePermission "createClassLoader";
java.lang.ClassLoader
  public static ClassLoader getBaseClassLoader();
  public ClassLoader getParent();
If the caller's class loader is null, or is the same as or an ancestor of the class loader for the class whose class loader is being requested, no permission is needed. Otherwise,
java.lang.RuntimePermission "getClassLoader"
is required.
java.lang.Runtime
  public Process exec(String command);
  public Process exec(String command, 
                      String envp[]);
  public Process exec(String cmdarray[]);
  public Process exec(String cmdarray[], 
                      String envp[]);
java.io.FilePermission "{command}", "execute";
java.lang.Runtime
  public void exit(int status);
  public static void 
      runFinalizersOnExit(boolean value);
java.lang.RuntimePermission "exitVM";
java.lang.Runtime
  public void load(String lib);
  public void loadLibrary(String lib);
java.lang.RuntimePermission "loadLibrary.{lib}";
java.lang.System
  public static Properties getProperties();
  public static void 
            setProperties(Properties props);
java.util.PropertyPermission "*", "read,write";
java.lang.System
  public static String getProperty(String key);
  public static String getProperty(String key, 
                                   String def);
java.util.PropertyPermission "{key}", "read";
java.lang.System
  public static void setIn(InputStream in);
  public static void setOut(PrintStream out);
  public static void setErr(PrintStream err);
java.lang.RuntimePermission "setIO";
java.lang.System
  public static String setProperty(String key, 
                                   String value);
java.util.PropertyPermission "{key}", "write";
java.lang.System
  public static synchronized void 
                    setSecurityManager(
                        SecurityManager s)
java.lang.RuntimePermission "setSecurityManager";
java.lang.Thread
  public ClassLoader getContextClassLoader();
If the caller's class loader is null, or is the same as or an ancestor of the context class loader for the thread whose context class loader is being requested, no permission is needed. Otherwise,
java.lang.RuntimePermission "getClassLoader"
is required.
java.lang.Thread
  public void setContextClassLoader
                      (ClassLoader cl);
java.lang.RuntimePermission "setContextClassLoader";
java.lang.Thread
  Thread(...)
  public void interrupt();
  public final void suspend();
  public final void resume();
  public final void setPriority
                     (int newPriority);
  public final void setName(String name);
  public final void setDaemon(boolean on);
java.lang.RuntimePermission "modifyThread";
java.lang.Thread
  public final void stop();
  public final synchronized void 
                    stop(Throwable obj);
If this thread is equal to the current thread (i.e., the current thread is trying to stop itself), and the stop method without any arguments was called (in which case it calls the other stop method, passing it an instance of the Throwable object ThreadDeath), java.lang.RuntimePermission "modifyThread" is required.
Otherwise, java.lang.RuntimePermission "stopThread" is required.
java.lang.ThreadGroup
  ThreadGroup(ThreadGroup parent, String name)
  public final void setDaemon(boolean daemon);
  public final void setMaxPriority(int pri);
  public final void suspend();
  public final void resume();
  public final void destroy();
java.lang.RuntimePermission "modifyThreadGroup";
java.lang.ThreadGroup
  public final void stop();
Requires java.lang.RuntimePermission "modifyThreadGroup".
Also requires java.lang.RuntimePermission "modifyThread" and/or java.lang.RuntimePermission "stopThread", since the java.lang.Thread stop() method is called for each thread in the thread group. See the Thread stop() method.
java.lang.reflect.AccessibleObject
  public static void setAccessible(...);
  public void setAccessible(...);
java.lang.reflect.ReflectPermission "suppressAccessChecks";
java.net.Authenticator
  public static PasswordAuthentication
       requestPasswordAuthentication(
             InetAddress addr,
             int port,
             String protocol,
             String prompt,
             String scheme);
java.net.NetPermission "requestPasswordAuthentication";
java.net.Authenticator
  public static void 
      setDefault(Authenticator a);
java.net.NetPermission "setDefaultAuthenticator";
java.net.MulticastSocket
  public void joinGroup(InetAddress mcastaddr);
  public void leaveGroup(InetAddress mcastaddr);
java.net.SocketPermission( mcastaddr.getHostAddress(), "accept,connect");
java.net.DatagramSocket
  public void send(DatagramPacket p);

java.net.MulticastSocket
  public synchronized void send(DatagramPacket p,
                                byte ttl);
if (p.getAddress().isMulticastAddress()) {
java.net.SocketPermission(
(p.getAddress()).getHostAddress(), "accept,connect")
} else {
port = p.getPort();
host = p.getAddress().getHostAddress();
if (port == -1) java.net.SocketPermission "{host}","resolve";
else java.net.SocketPermission "{host}:{port}","connect"
}
java.net.InetAddress
  public String getHostName();
  public static InetAddress 
                  getAllByName(String host);
  public static InetAddress getLocalHost();

java.net.DatagramSocket
  public InetAddress getLocalAddress();
java.net.SocketPermission "{host}", "resolve";
java.net.ServerSocket
  ServerSocket(int port, int backlog, 
               InetAddress bindAddr)

java.net.DatagramSocket
  DatagramSocket(...)

java.net.MulticastSocket
  MulticastSocket(...)
java.net.SocketPermission "localhost:{port}", "listen";
java.net.ServerSocket
  public Socket accept();
java.net.SocketPermission "{host}:{port}", "accept";
java.net.ServerSocket
  public static synchronized void 
      setSocketFactory(...);

java.net.Socket
  public static synchronized void
      setSocketImplFactory(...);
java.net.URL
  public static synchronized void
      setURLStreamHandlerFactory(...);
 java.net.URLConnection
   public static synchronized void
      setContentHandlerFactory(...);

java.net.HttpURLConnection
   public static void 
       setFollowRedirects(boolean set);

java.rmi.server.RMISocketFactory
   public synchronized static void
      setSocketFactory(...);
java.lang.RuntimePermission "setFactory";
java.net.Socket
  Socket(InetAddress host, int port, 
         boolean stream)

java.net.DatagramSocket
  public void send(DatagramPacket p);
  public synchronized void 
      receive(DatagramPacket p);

java.net.MulticastSocket
  public synchronized void send(DatagramPacket p,
                                byte ttl);
java.net.SocketPermission "{host}:{port}", "connect";
java.security.Identity
  public void addCertificate(...);

java.security.SecurityPermission "addIdentityCertificate";
java.security.Identity
  public void removeCertificate(..);
java.security.SecurityPermission "removeIdentityCertificate";
java.security.Identity
  public void setInfo(String info);
java.security.SecurityPermission "setIdentityInfo";
java.security.Identity
  public void setPublicKey(PublicKey key);
java.security.SecurityPermission "setIdentityPublicKey";
java.security.IdentityScope
  protected static void setSystemScope();
java.security.SecurityPermission "setSystemScope";
java.security.Policy
  public static Policy getPolicy();
java.security.SecurityPermission "getPolicy";
java.security.Policy
  public static void setPolicy(Policy policy);
java.security.SecurityPermission "setPolicy";
java.security.Provider
  public synchronized void clear();
java.security.SecurityPermission "clearProviderProperties.{name}"; where name is the provider name.
java.security.Provider
  public synchronized Object put(Object key,
                                 Object value);
java.security.SecurityPermission "putProviderProperty.{name}"; where name is the provider name.
java.security.Provider
  public synchronized Object remove(Object key);
java.security.SecurityPermission "removeProviderProperty.{name}"; where name is the provider name.
java.security.Security
  public static void getProperty(String key);
java.security.SecurityPermission "getProperty.{key}";
java.security.Security
  public static int 
    insertProviderAt(Provider provider,
                     int position);
java.security.SecurityPermission "insertProvider.{name}";
java.security.Security
  public static void removeProvider(String name);
java.security.SecurityPermission "removeProvider.{name}";
java.security.Security
  public static void setProperty(String key,
                                 String datum);
java.security.SecurityPermission "setProperty.{key}";
java.security.Signer
  public PrivateKey getPrivateKey();
java.security.SecurityPermission "getSignerPrivateKey";
java.security.Signer
  public final void setKeyPair(KeyPair pair) 
java.security.SecurityPermission "setSignerKeypair";
java.util.Locale
  public static synchronized void 
            setDefault(Locale newLocale)
java.util.PropertyPermission "user.language","write";



java.lang.SecurityManager Method Permission Checks

java.lang.SecurityManager methods and corresponding permission checks
Method Permission
public void checkAccept(String host, int port); java.net.SocketPermission "{host}:{port}", "accept";
public void checkAccess(Thread g); java.lang.RuntimePermission "modifyThread");
public void checkAccess(ThreadGroup g); java.lang.RuntimePermission "modifyThreadGroup");
public void checkAwtEventQueueAccess(); java.awt.AWTPermission "accessEventQueue";
public void checkConnect(String host, int port); if (port == -1) java.net.SocketPermission "{host}","resolve";
else java.net.SocketPermission "{host}:{port}","connect";
public void checkCreateClassLoader(); java.lang.RuntimePermission "createClassLoader";
public void checkDelete(String file); java.io.FilePermission "{file}", "delete";
public void checkExec(String cmd); if cmd is an absolute path: java.io.FilePermission "{cmd}", "execute";
else java.io.FilePermission "-", "execute";
public void checkExit(int status); java.lang.RuntimePermission "exitVM");
public void checkLink(String lib); java.lang.RuntimePermission "loadLibrary.{lib}";
public void checkListen(int port); if (port == 0) java.net.SocketPermission "localhost:1024-","listen";
else java.net.SocketPermission "localhost:{port}","listen";
public void checkMemberAccess(Class clazz, int which); if (which != Member.PUBLIC) { if (currentClassLoader() != clazz.getClassLoader()) { checkPermission( new java.lang.RuntimePermission("accessDeclaredMembers")); } }
public void checkMulticast(InetAddress maddr); java.net.SocketPermission(maddr.getHostAddress(),"accept,connect");
public void checkMulticast(InetAddress maddr, byte ttl); java.net.SocketPermission(maddr.getHostAddress(),"accept,connect");
public void checkPackageAccess(String pkg); java.lang.RuntimePermission "accessClassInPackage.{pkg}";
public void checkPackageDefinition(String pkg); java.lang.RuntimePermission "defineClassInPackage.{pkg}";
public void checkPrintJobAccess(); java.lang.RuntimePermission "queuePrintJob";
public void checkPropertiesAccess(); java.util.PropertyPermission "*", "read,write";
public void checkPropertyAccess(String key); java.util.PropertyPermission "{key}", "read,write";
public void checkRead(FileDescriptor fd); java.lang.RuntimePermission "readFileDescriptor";
public void checkRead(String file); java.io.FilePermission "{file}", "read";
public void checkSecurityAccess(String action); java.security.SecurityPermission "{action}";
public void checkSetFactory(); java.lang.RuntimePermission "setFactory";
public void checkSystemClipboardAccess(); java.awt.AWTPermission "accessClipboard";
public boolean checkTopLevelWindow(Object window); java.awt.AWTPermission "showWindowWithoutWarningBanner";
public void checkWrite(FileDescriptor fd); java.lang.RuntimePermission "writeFileDescriptor";
public void checkWrite(String file); java.io.FilePermission "{file}", "write";
public SecurityManager(); java.lang.RuntimePermission "createSecurityManager";


Copyright © 1997-98 Sun Microsystems, Inc. All Rights Reserved.

Please send comments to: java-security@java.sun.com
Sun
Java Software Division