Re: Changing Java Security Policy

From: "Andrew Thompson" <andrewthommo@gmail.com>
Newsgroups: comp.lang.java.programmer
Date: 23 Mar 2007 06:58:32 -0700
Message-ID: <1174658312.574159.83670@p15g2000hsd.googlegroups.com>

On Mar 23, 11:24 pm, Tom Hawtin <use...@tackline.plus.com> wrote:

Andrew Thompson wrote:

On Mar 23, 10:50 pm, "CalAmity!" <amit.offic...@gmail.com> wrote:
..

..Can I change the security policy from within a java
program ??


Here is an example of replacing the current
security manager with one that is more strict..

....

And here's an example of the opposite...

http://jroller.com/page/tackline?entry=mixed_certification_an_example
http://jroller.com/page/tackline?entry=system_setsecuritymanager_null


I only checked one of the URLs, but all I
saw was an *assertion*. The assertion was
that this line of code..
  System.setSecurityManager(null);
...could be called from within an applet to
remove the security manager.

OK - let's turn that into a simple *example*.

<sscce>
import java.applet.Applet;

public class NoSecurityApplet extends Applet {
  public void init() {
    try {
      System.out.println("java.version: " +
        System.getProperty("java.version") );
      System.setSecurityManager(null);
    } catch(Throwable t) {
      t.printStackTrace();
    }
  }
}
</sscce>

Both AppletViewer and IE produced similar
results, here is the output from AppletViewer.

java.version: 1.6.0
java.security.AccessControlException: access denied (java.lang.RuntimePermission setSecurityManager)
   at java.security.AccessControlContext.checkPermission(AccessControlContext.java:323)
   at java.security.AccessController.checkPermission(AccessController.java:546)
   at java.lang.SecurityManager.checkPermission(SecurityManager.java:532)
   at java.lang.System.setSecurityManager0(System.java:273)
   at java.lang.System.setSecurityManager(System.java:264)
   at NoSecurityApplet.init(NoSecurityApplet.java:8)
   at sun.applet.AppletPanel.run(AppletPanel.java:417)
   at java.lang.Thread.run(Thread.java:619)

So. I feel fairly confident in calling
that assertion 'a load of old cobblers'.
If it was a security bug in some obscure
old version of the JVM - it has apparently
been fixed* (as I would have expected).

( * Fortunately, to spare us the idiotic
games of people like this foul-mouthed OP. ;)

Andrew T.
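
Added example, not part of the original post: a stand-alone program showing that the `setSecurityManager` RuntimePermission named in the exception above is what decides whether `System.setSecurityManager(null)` succeeds. The class name and the `DemoPolicy` helper are hypothetical, and it assumes a JDK where the Security Manager is still enabled by default (17 or earlier; the post used 1.6.0).

```java
import java.security.AccessControlException;
import java.security.Permission;
import java.security.Policy;
import java.security.ProtectionDomain;

public class SetSecurityManagerCheck {

  // The permission named in the AccessControlException in the post.
  static final Permission GUARD = new RuntimePermission("setSecurityManager");

  // Hypothetical demo policy: allows everything except GUARD,
  // unless grantGuard is switched on.
  static class DemoPolicy extends Policy {
    volatile boolean grantGuard;

    @Override
    public boolean implies(ProtectionDomain domain, Permission p) {
      return grantGuard || !GUARD.implies(p);
    }
  }

  // Returns true if the security manager could be removed.
  static boolean tryRemove() {
    try {
      System.setSecurityManager(null);
      return System.getSecurityManager() == null;
    } catch (AccessControlException e) {
      System.out.println("denied: " + e.getPermission());
      return false;
    }
  }

  public static void main(String[] args) {
    DemoPolicy policy = new DemoPolicy();
    Policy.setPolicy(policy);                         // no manager yet, so no check
    System.setSecurityManager(new SecurityManager()); // first install is unchecked

    // Same call as in the applet: denied while the policy withholds GUARD.
    System.out.println("without grant, removed = " + tryRemove());

    // Only a policy that grants GUARD lets the call through.
    policy.grantGuard = true;
    System.out.println("with grant, removed = " + tryRemove());
  }
}
```

When reviewing a policy, a grant of this permission (or of `java.security.AllPermission`) to untrusted code is the setting that would let the call through.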
