THE Java™ Programming Language, Fourth Edition


  • Network java.net.NetPermission

  • Properties java.util.PropertyPermission

  • Reflection java.lang.reflect.ReflectPermission

  • Runtime java.lang.RuntimePermission

  • Security java.security.SecurityPermission

  • Serialization java.io.SerializablePermission

  • Sockets java.net.SocketPermission


All but FilePermission and SocketPermission are subclasses of
java.security.BasicPermission, which itself is an abstract subclass of the top-level class for
permissions, which is java.security.Permission. BasicPermission defines a simple permission
based on the name. For example, the RuntimePermission with name "exitVM" represents the
permission to invoke Runtime.exit to shut down the virtual machine. Here are some other basic
RuntimePermission names and what they represent:



  • "createClassLoader" Invoke the ClassLoader constructors.

  • "setSecurityManager" Invoke System.setSecurityManager.

  • "modifyThread" Invoke Thread methods interrupt, setPriority, setDaemon, or
    setName.



Basic permissions are something you either have or you don't. The names for basic permissions follow the
hierarchical naming scheme used for system properties (see page 663). An asterisk may appear at the end of
the name, following a "." or by itself, to signify a wildcard match. For example: "java.*" or "*" are
valid; "*java" or "x*y" are not valid.


FilePermission and SocketPermission are subclasses of Permission. These classes can have a
more complicated name syntax than that used for basic permissions. For example, for a FilePermission
object, the permission name is the pathname of a file (or directory) and can cover multiple files by using "*"
to mean all files in the specified directory and using "-" to mean all files in the specified directory as well as
all files in all subdirectories.


All permissions can also have an action list associated with them that defines the different actions permitted
by that object. For example, the action list for a FilePermission object can contain any combination of
"read", "write", "execute", or "delete", specifying actions that can be performed on the named
file (or directory). Many basic permissions do not use the action list, but some, such as
PropertyPermission, do. The name of a PropertyPermission is the name of the property it
represents and the actions can be "read" or "write", which let you invoke System.getProperty and
System.setProperty, respectively, with that property name. For example, a PropertyPermission
with the name "java.*" and action "read" allows you to retrieve the values of all system properties that
start with "java.".
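
The name and action matching rules described above can be observed by calling Permission.implies directly, which needs no security manager or policy file. The following is an added example, not code from the book; the class name PermissionMatchDemo, the helper check, and the sample property names and paths are assumptions chosen for illustration.

```java
import java.io.FilePermission;
import java.security.Permission;
import java.util.PropertyPermission;

// Added example: exercises Permission.implies() directly, so no security
// manager or policy file is involved. All names and paths are sample values.
public class PermissionMatchDemo {

    // Report whether a granted permission covers a requested one.
    static boolean check(Permission granted, Permission requested) {
        boolean ok = granted.implies(requested);
        System.out.printf("%-5s %s => %s%n", ok ? "ALLOW" : "DENY", granted, requested);
        return ok;
    }

    public static void main(String[] args) {
        // BasicPermission wildcards: "*" alone, or "*" right after a ".".
        check(new RuntimePermission("*"), new RuntimePermission("setSecurityManager"));
        // Without a wildcard, a basic permission covers only its own name.
        check(new RuntimePermission("createClassLoader"), new RuntimePermission("modifyThread"));

        // PropertyPermission: hierarchical name plus an action list.
        Permission javaRead = new PropertyPermission("java.*", "read");
        check(javaRead, new PropertyPermission("java.version", "read"));  // name and action
        check(javaRead, new PropertyPermission("java.version", "write")); // action differs
        check(javaRead, new PropertyPermission("user.home", "read"));     // name differs

        // A misplaced asterisk is not a wildcard; the name is matched literally.
        check(new PropertyPermission("x*y", "read"), new PropertyPermission("xay", "read"));

        // FilePermission: "*" covers one directory level, "-" recurses.
        Permission oneLevel = new FilePermission("/tmp/*", "read");
        Permission recursive = new FilePermission("/tmp/-", "read,write");
        check(oneLevel, new FilePermission("/tmp/abc", "read"));
        check(oneLevel, new FilePermission("/tmp/sub/abc", "read"));
        check(recursive, new FilePermission("/tmp/sub/abc", "write"));
        check(recursive, new FilePermission("/tmp/abc", "delete"));
    }
}
```

Because "-" and a bare "*" grant far more than a single name, a grant should use them only when the whole subtree or the whole permission class is meant to be covered.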


23.5.3. Security Policies


The security policy for a given execution of the runtime system is represented by a
java.security.Policy object or, more specifically, by a concrete subclass of the abstract Policy
class. The Policy object maintains the sets of permissions that have been assigned to the different protection
domains, according to their code source. How the security policy is communicated to the Policy object is a
function of the actual implementation of that policy. The default implementation is to use policy files to list
the different permissions that are granted to each code source.


For example, a sample policy file entry granting code from the /home/sysadmin directory read access to
the file /tmp/abc is


grant codeBase "file:/home/sysadmin/" {
