This chapter covers the Java security implemented in JNode. This involves the security manager, access controller and privileged actions.
It does not involve user management.
The Java security in JNode is an implementation of the standard Java security API. This means that permissions are checked against an AccessControlContext, which contains ProtectionDomains. See the Security Architecture for more information.
In JNode the security manager is always on. This ensures that permissions are always checked.
The security manager (or, more precisely, the AccessController) enforces the security policy implemented by JNodePolicy. This policy is an implementation of the standard java.security.Policy class.
This policy contains some static permissions (mainly for access to certain system properties) and handles dynamic (plugin) permissions.
The dynamic permissions are plugin based. Every plugin may request certain permissions. The Policy implementation decides if these permissions are granted to the plugin.
To request permissions for a plugin, add an extension to the plugin descriptor that is connected to the "org.jnode.security.permission" extension point.
This extension has the following structure:
| Attribute | Description |
|-----------|-------------|
| class | The full class name of the permission, e.g. "java.util.PropertyPermission" |
| name | The name of the permission. This attribute is permission class dependent, e.g. "os.name" |
| actions | The actions of the permission. This attribute is permission class dependent, e.g. "read" |
Multiple permissions can be added to a single extension.
If you need specific permissions, make sure to run that code in a PrivilegedAction. Besides your own actions, the following standard PrivilegedActions are available:
| Class | Description |
|-------|-------------|
| gnu.java.security.actions.GetPropertyAction | Wraps System.getProperty |
| gnu.java.security.actions.GetIntegerAction | Wraps Integer.getInteger |
| gnu.java.security.actions.GetBooleanAction | Wraps Boolean.getBoolean |
| gnu.java.security.actions.GetPolicyAction | Wraps Policy.getPolicy |
| gnu.java.security.actions.InvokeAction | Wraps Method.invoke |
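
Why the PrivilegedAction matters, shown as an added example that is not JNode's own code: a permission check walks every ProtectionDomain on the call stack, so a plugin that holds a permission is still denied when its caller does not, unless the plugin wraps the access in `doPrivileged`. The class `OsInfo` and its methods are hypothetical; the example assumes a security manager is active (as it always is in JNode) and that the plugin descriptor requests `java.util.PropertyPermission` "os.name", "read".

```java
import java.security.AccessControlContext;
import java.security.AccessControlException;
import java.security.AccessController;
import java.security.Permissions;
import java.security.PrivilegedAction;
import java.security.ProtectionDomain;

/** Hypothetical plugin class, assumed to be granted PropertyPermission "os.name", "read". */
public class OsInfo {

    /** Checked against the whole call stack: fails if any caller lacks the permission. */
    public static String osNameDirect() {
        return System.getProperty("os.name");
    }

    /**
     * The stack walk stops at doPrivileged, so only this class's own
     * ProtectionDomain must hold the permission. The block is kept minimal
     * and the property name fixed, so callers cannot read arbitrary properties.
     */
    public static String osNamePrivileged() {
        return AccessController.doPrivileged(new PrivilegedAction<String>() {
            public String run() {
                return System.getProperty("os.name");
            }
        });
    }

    /** Runs the action as if it were called from code that holds no permissions. */
    static String asUnprivilegedCaller(PrivilegedAction<String> action) {
        ProtectionDomain none = new ProtectionDomain(null, new Permissions());
        AccessControlContext acc =
            new AccessControlContext(new ProtectionDomain[] { none });
        return AccessController.doPrivileged(action, acc);
    }

    public static void main(String[] args) {
        System.out.println(asUnprivilegedCaller(new PrivilegedAction<String>() {
            public String run() { return osNamePrivileged(); }
        }));
        try {
            asUnprivilegedCaller(new PrivilegedAction<String>() {
                public String run() { return osNameDirect(); }
            });
        } catch (AccessControlException e) {
            System.out.println("denied without doPrivileged: " + e.getPermission());
        }
    }
}
```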