The basic entity that the access controller operates on is a permission object -- an instance of the Permission class (java.security.Permission). This class, of course, is the basis of the types that are listed in a policy file for the default security policy. The Permission class itself is an abstract class that represents a particular operation. The nomenclature here is a little misleading because a permission object can reflect two things. When it is associated with a class (through a code source and a protection domain), a permission object represents an actual permission that has been granted to that class. Otherwise, a permission object allows us to ask if we have a specific permission.

For example, if we construct a permission object that represents access to a file, possession of that object does not mean we have permission to access the file. Rather, possession of the object allows us to ask if we have permission to access the file.

An instance of the Permission class represents one specific permission. A set of permissions -- e.g., all the permissions that are given to classes signed by a particular individual -- is represented by an instance of the Permissions class (java.security.Permissions). We’ve seen how administrators use the class in order to modify security policies; now we’ll look into the programming behind this class, including defining your own permission classes.