Class SecurityManager

 SecurityManager sm = System.getSecurityManager();
 if (sm != null)
   sm.checkABC(argument, ...);
 

 Object context = null;
 SecurityManager sm = System.getSecurityManager();
 if (sm != null)
   context = sm.getSecurityContext(); // defaults to an AccessControlContext
 // now, in worker thread
 if (sm != null)
   sm.checkPermission(permission, context);
 

Deprecated: Use {@link #checkPermission(Permission)} instead.

Tells whether or not the SecurityManager is currently performing a security check.

Construct a new security manager. There may be a security check, of RuntimePermission("createSecurityManager").

Throws: SecurityException if permission is denied

Check if the current thread is allowed to accept a connection from a particular host on a particular port. This method is called by ServerSocket.implAccept(). The default implementation checks SocketPermission(host + ":" + port, "accept"). If you override this, call super.checkAccept rather than throwing an exception.

Parameters: host the host which wishes to connect port the port the connection will be on

Throws: SecurityException if permission is denied NullPointerException if host is null

See Also: accept

Check if the current thread is allowed to modify another Thread. This is called by Thread.stop(), suspend(), resume(), interrupt(), destroy(), setPriority(), setName(), and setDaemon(). The default implementation checks RuntimePermission("modifyThread") on system threads (ie. threads in ThreadGroup with a null parent), and returns silently on other threads.

If you override this, you must do two things. First, call super.checkAccess(t), to make sure you are not relaxing requirements. Second, if the calling thread has RuntimePermission("modifyThread"), return silently, so that core classes (the Classpath library!) can modify any thread.

Parameters: thread the other Thread to check

Throws: SecurityException if permission is denied NullPointerException if thread is null

See Also: stop suspend resume Thread setName Thread

Check if the current thread is allowed to modify a ThreadGroup. This is called by Thread.Thread() (to add a thread to the ThreadGroup), ThreadGroup.ThreadGroup() (to add this ThreadGroup to a parent), ThreadGroup.stop(), suspend(), resume(), interrupt(), destroy(), setDaemon(), and setMaxPriority(). The default implementation checks RuntimePermission("modifyThread") on the system group (ie. the one with a null parent), and returns silently on other groups.

If you override this, you must do two things. First, call super.checkAccess(t), to make sure you are not relaxing requirements. Second, if the calling thread has RuntimePermission("modifyThreadGroup"), return silently, so that core classes (the Classpath library!) can modify any thread.

Parameters: g the ThreadGroup to check

Throws: SecurityException if permission is denied NullPointerException if g is null

See Also: Thread ThreadGroup stop suspend resume interrupt ThreadGroup ThreadGroup

Check if the current thread is allowed to use the AWT event queue. This method is called by Toolkit.getSystemEventQueue(). The default implementation checks AWTPermission("accessEventQueue"). you override this, call super.checkAwtEventQueueAccess rather than throwing an exception.

Throws: SecurityException if permission is denied

Since: 1.1

See Also: getSystemEventQueue

Check if the current thread is allowed to connect to a given host on a given port. This method is called from Socket.Socket(). A port number of -1 indicates the caller is attempting to determine an IP address, so the default implementation checks SocketPermission(host, "resolve"). Otherwise, the default implementation checks SocketPermission(host + ":" + port, "connect"). If you override this, call super.checkConnect rather than throwing an exception.

Parameters: host the host to connect to port the port to connect on

Throws: SecurityException if permission is denied NullPointerException if host is null

See Also: Socket

Check if the current thread is allowed to connect to a given host on a given port, using the given security context. The context must be a result of a previous call to getSecurityContext. A port number of -1 indicates the caller is attempting to determine an IP address, so the default implementation checks AccessControlContext.checkPermission(new SocketPermission(host, "resolve")). Otherwise, the default implementation checks AccessControlContext.checkPermission(new SocketPermission(host + ":" + port, "connect")). If you override this, call super.checkConnect rather than throwing an exception.

Parameters: host the host to connect to port the port to connect on context the context to determine access for

Throws: SecurityException if permission is denied, or if context is not an AccessControlContext NullPointerException if host is null

See Also: getSecurityContext checkPermission

Check if the current thread is allowed to create a ClassLoader. This method is called from ClassLoader.ClassLoader(), and checks RuntimePermission("createClassLoader"). If you override this, you should call super.checkCreateClassLoader() rather than throwing an exception.

Throws: SecurityException if permission is denied

See Also: ClassLoader

Check if the current thread is allowed to delete the given file. This method is called from File.delete(). The default implementation checks FilePermission(filename, "delete"). If you override this, call super.checkDelete rather than throwing an exception.

Parameters: filename the full name of the file to delete

Throws: SecurityException if permission is denied NullPointerException if filename is null

See Also: delete

Check if the current thread is allowed to execute the given program. This method is called from Runtime.exec(). If the name is an absolute path, the default implementation checks FilePermission(program, "execute"), otherwise it checks FilePermission("<<ALL FILES>>", "execute"). If you override this, call super.checkExec rather than throwing an exception.

Parameters: program the name of the program to exec

Throws: SecurityException if permission is denied NullPointerException if program is null

See Also: (String[], String[], File)

Check if the current thread is allowed to exit the JVM with the given status. This method is called from Runtime.exit() and Runtime.halt(). The default implementation checks RuntimePermission("exitVM"). If you override this, call super.checkExit rather than throwing an exception.

Parameters: status the status to exit with

Throws: SecurityException if permission is denied

See Also: Runtime Runtime

Check if the current thread is allowed to link in the given native library. This method is called from Runtime.load() (and hence, by loadLibrary() as well). The default implementation checks RuntimePermission("loadLibrary." + filename). If you override this, call super.checkLink rather than throwing an exception.

Parameters: filename the full name of the library to load

Throws: SecurityException if permission is denied NullPointerException if filename is null

See Also: load

Check if the current thread is allowed to listen to a specific port for data. This method is called by ServerSocket.ServerSocket(). The default implementation checks SocketPermission("localhost:" + (port == 0 ? "1024-" : "" + port), "listen"). If you override this, call super.checkListen rather than throwing an exception.

Parameters: port the port to listen on

Throws: SecurityException if permission is denied

See Also: ServerSocket

Check if the current thread is allowed to get certain types of Methods, Fields and Constructors from a Class object. This method is called by Class.getMethod[s](), Class.getField[s](), Class.getConstructor[s], Class.getDeclaredMethod[s](), Class.getDeclaredField[s](), and Class.getDeclaredConstructor[s](). The default implementation allows PUBLIC access, and access to classes defined by the same classloader as the code performing the reflection. Otherwise, it checks RuntimePermission("accessDeclaredMembers"). If you override this, do not call super.checkMemberAccess, as this would mess up the stack depth check that determines the ClassLoader requesting the access.

Parameters: c the Class to check memberType either DECLARED or PUBLIC

Throws: SecurityException if permission is denied, including when memberType is not DECLARED or PUBLIC NullPointerException if c is null

Since: 1.1

See Also: Class DECLARED PUBLIC

Check if the current thread is allowed to read and write multicast to a particular address. The default implementation checks SocketPermission(addr.getHostAddress(), "accept,connect"). If you override this, call super.checkMulticast rather than throwing an exception.

Parameters: addr the address to multicast to

Throws: SecurityException if permission is denied NullPointerException if host is null

Since: 1.1

Deprecated: use {@link #checkPermission(Permission)} instead

Check if the current thread is allowed to read and write multicast to a particular address with a particular ttl (time-to-live) value. The default implementation ignores ttl, and checks SocketPermission(addr.getHostAddress(), "accept,connect"). If you override this, call super.checkMulticast rather than throwing an exception.

Parameters: addr the address to multicast to ttl value in use for multicast send

Throws: SecurityException if permission is denied NullPointerException if host is null

Since: 1.1

Check if the current thread is allowed to access the specified package at all. This method is called by ClassLoader.loadClass() in user-created ClassLoaders. The default implementation gets a list of all restricted packages, via Security.getProperty("package.access"). Then, if packageName starts with or equals any restricted package, it checks RuntimePermission("accessClassInPackage." + packageName). If you override this, you should call super.checkPackageAccess before doing anything else.

Parameters: packageName the package name to check access to

Throws: SecurityException if permission is denied NullPointerException if packageName is null

See Also: ClassLoader getProperty

Check if the current thread is allowed to define a class into the specified package. This method is called by ClassLoader.loadClass() in user-created ClassLoaders. The default implementation gets a list of all restricted packages, via Security.getProperty("package.definition"). Then, if packageName starts with or equals any restricted package, it checks RuntimePermission("defineClassInPackage." + packageName). If you override this, you should call super.checkPackageDefinition before doing anything else.

Parameters: packageName the package name to check access to

Throws: SecurityException if permission is denied NullPointerException if packageName is null

See Also: ClassLoader getProperty

Check if the current thread is allowed to perform an operation that requires the specified Permission. This defaults to AccessController.checkPermission.

Parameters: perm the Permission required

Throws: SecurityException if permission is denied NullPointerException if perm is null

Since: 1.2

Check if the current thread is allowed to perform an operation that requires the specified Permission. This is done in a context previously returned by getSecurityContext(). The default implementation expects context to be an AccessControlContext, and it calls AccessControlContext.checkPermission(perm).

Parameters: perm the Permission required context a security context

Throws: SecurityException if permission is denied, or if context is not an AccessControlContext NullPointerException if perm is null

Since: 1.2

See Also: getSecurityContext checkPermission

Check if the current thread is allowed to create a print job. This method is called by Toolkit.getPrintJob(). The default implementation checks RuntimePermission("queuePrintJob"). If you override this, call super.checkPrintJobAccess rather than throwing an exception.

Throws: SecurityException if permission is denied

Since: 1.1

See Also: Toolkit

Check if the current thread is allowed to read or write all the system properties at once. This method is called by System.getProperties() and setProperties(). The default implementation checks PropertyPermission("*", "read,write"). If you override this, call super.checkPropertiesAccess rather than throwing an exception.

Throws: SecurityException if permission is denied

See Also: getProperties setProperties

Check if the current thread is allowed to read a particular system property (writes are checked directly via checkPermission). This method is called by System.getProperty() and setProperty(). The default implementation checks PropertyPermission(key, "read"). If you override this, call super.checkPropertyAccess rather than throwing an exception.

Parameters: key the key of the property to check

Throws: SecurityException if permission is denied NullPointerException if key is null IllegalArgumentException if key is ""

See Also: getProperty

Check if the current thread is allowed to read the given file using the FileDescriptor. This method is called from FileInputStream.FileInputStream(). The default implementation checks RuntimePermission("readFileDescriptor"). If you override this, call super.checkRead rather than throwing an exception.

Parameters: desc the FileDescriptor representing the file to access

Throws: SecurityException if permission is denied NullPointerException if desc is null

See Also: FileInputStream

Check if the current thread is allowed to read the given file. This method is called from FileInputStream.FileInputStream(), RandomAccessFile.RandomAccessFile(), File.exists(), canRead(), isFile(), isDirectory(), lastModified(), length() and list(). The default implementation checks FilePermission(filename, "read"). If you override this, call super.checkRead rather than throwing an exception.

Parameters: filename the full name of the file to access

Throws: SecurityException if permission is denied NullPointerException if filename is null

See Also: File FileInputStream RandomAccessFile

Check if the current thread is allowed to read the given file. using the given security context. The context must be a result of a previous call to getSecurityContext(). The default implementation checks AccessControlContext.checkPermission(new FilePermission(filename, "read")). If you override this, call super.checkRead rather than throwing an exception.

Parameters: filename the full name of the file to access context the context to determine access for

Throws: SecurityException if permission is denied, or if context is not an AccessControlContext NullPointerException if filename is null

See Also: getSecurityContext checkPermission

Test whether a particular security action may be taken. The default implementation checks SecurityPermission(action). If you override this, call super.checkSecurityAccess rather than throwing an exception.

Parameters: action the desired action to take

Throws: SecurityException if permission is denied NullPointerException if action is null IllegalArgumentException if action is ""

Since: 1.1

Check if the current thread is allowed to set the current socket factory. This method is called by Socket.setSocketImplFactory(), ServerSocket.setSocketFactory(), and URL.setURLStreamHandlerFactory(). The default implementation checks RuntimePermission("setFactory"). If you override this, call super.checkSetFactory rather than throwing an exception.

Throws: SecurityException if permission is denied

See Also: setSocketImplFactory setSocketFactory setURLStreamHandlerFactory

Check if the current thread is allowed to use the system clipboard. This method is called by Toolkit.getSystemClipboard(). The default implementation checks AWTPermission("accessClipboard"). If you override this, call super.checkSystemClipboardAccess rather than throwing an exception.

Throws: SecurityException if permission is denied

Since: 1.1

See Also: getSystemClipboard

Check if the current thread is allowed to create a top-level window. If it is not, the operation should still go through, but some sort of nonremovable warning should be placed on the window to show that it is untrusted. This method is called by Window.Window(). The default implementation checks AWTPermission("showWindowWithoutWarningBanner"), and returns true if no exception was thrown. If you override this, use return super.checkTopLevelWindow rather than returning false.

Parameters: window the window to create

Returns: true if there is permission to show the window without warning

Throws: NullPointerException if window is null

See Also: Window

Check if the current thread is allowed to write the given file using the FileDescriptor. This method is called from FileOutputStream.FileOutputStream(). The default implementation checks RuntimePermission("writeFileDescriptor"). If you override this, call super.checkWrite rather than throwing an exception.

Parameters: desc the FileDescriptor representing the file to access

Throws: SecurityException if permission is denied NullPointerException if desc is null

See Also: FileOutputStream

Check if the current thread is allowed to write the given file. This method is called from FileOutputStream.FileOutputStream(), RandomAccessFile.RandomAccessFile(), File.canWrite(), mkdir(), and renameTo(). The default implementation checks FilePermission(filename, "write"). If you override this, call super.checkWrite rather than throwing an exception.

Parameters: filename the full name of the file to access

Throws: SecurityException if permission is denied NullPointerException if filename is null

See Also: File canWrite mkdir renameTo FileOutputStream RandomAccessFile

Deprecated: use {@link #checkPermission(Permission)} instead

Get the depth of a particular class on the execution stack.

Parameters: className the fully-qualified name to search for

Returns: the index of the class on the stack, or -1

Deprecated: use {@link #checkPermission(Permission)} instead

Get the depth on the execution stack of the most recent non-system class. A non-system class is one whose ClassLoader is not equal to {@link ClassLoader#getSystemClassLoader()} or its ancestors. This will return -1 in three cases:

• All methods on the stack are from system classes
• All methods on the stack up to the first "privileged" caller, as created by {@link AccessController#doPrivileged(PrivilegedAction)}, are from system classes
• A check of java.security.AllPermission succeeds.

Returns: the index of the most recent non-system Class on the stack

Deprecated: use {@link #checkPermission(Permission)} instead

Find the ClassLoader of the first non-system class on the execution stack. A non-system class is one whose ClassLoader is not equal to {@link ClassLoader#getSystemClassLoader()} or its ancestors. This will return null in three cases:

• All methods on the stack are from system classes
• All methods on the stack up to the first "privileged" caller, as created by {@link AccessController#doPrivileged(PrivilegedAction)}, are from system classes
• A check of java.security.AllPermission succeeds.

Returns: the most recent non-system ClassLoader on the execution stack

Deprecated: use {@link #checkPermission(Permission)} instead

Find the first non-system class on the execution stack. A non-system class is one whose ClassLoader is not equal to {@link ClassLoader#getSystemClassLoader()} or its ancestors. This will return null in three cases:

• All methods on the stack are from system classes
• All methods on the stack up to the first "privileged" caller, as created by {@link AccessController#doPrivileged(PrivilegedAction)}, are from system classes
• A check of java.security.AllPermission succeeds.

Returns: the most recent non-system Class on the execution stack

Get a list of all the classes currently executing methods on the Java stack. getClassContext()[0] is the currently executing method (ie. the class that CALLED getClassContext, not SecurityManager).

Returns: an array of classes on the Java execution stack

Deprecated: use {@link #checkPermission(Permission)} instead

Tells whether or not the SecurityManager is currently performing a security check.

Returns: true if the SecurityManager is in a security check

See Also: inCheck

Get an implementation-dependent Object that contains enough information about the current environment to be able to perform standard security checks later. This is used by trusted methods that need to verify that their callers have sufficient access to perform certain operations.

Currently the only methods that use this are checkRead() and checkConnect(). The default implementation returns an AccessControlContext.

Returns: a security context

See Also: SecurityManager SecurityManager AccessControlContext getContext

Get the ThreadGroup that a new Thread should belong to by default. Called by Thread.Thread(). The default implementation returns the current ThreadGroup of the current Thread. Spec Note: it is not clear whether the new Thread is guaranteed to pass the checkAccessThreadGroup() test when using this ThreadGroup, but I presume so.

Returns: the ThreadGroup to put the new Thread into

Since: 1.1

Deprecated: use {@link #checkPermission(Permission)} instead

Tell whether the specified class is on the execution stack.

Parameters: className the fully-qualified name of the class to find

Returns: whether the specified class is on the execution stack

Deprecated: use {@link #checkPermission(Permission)} instead

Tell whether there is a class loaded with an explicit ClassLoader on the stack.

Returns: whether a class with an explicit ClassLoader is on the stack