Running Untrusted Code

Recall the Server example of Chapter 5. That generic server class dynamically loaded and ran Service implementations. Suppose that you are a system administrator in charge of the Server program, and that you don’t trust the programmers who are developing the Service implementations; you’re afraid that they’ll accidentally (or maliciously) include damaging code in their Service classes. Java makes it easy to run these untrusted classes with access-control mechanisms in place, to prevent them from doing anything they shouldn’t.

Access control in Java is performed by the SecurityManager and AccessController classes. When a security manager has been registered, Java checks with it every time it is asked to perform any operation that might be restricted, such as reading or writing a file or establishing a network connection. In Java 1.2 and later, the SecurityManager class uses the AccessController class to perform these access-control checks, and the AccessController in turn refers to a Policy file that describes exactly which Permission objects are granted to what code.

As of Java 1.2, it is quite simple to run code under the watchful eye of a security manager. Simply run the Java interpreter using the -D option to set the java.security.manager property. For example, to run the Server class under a security manager, start it like this:

% java -Djava.security.manager je3.net.Server \
-control password 4000

When you do this, both the Server class and the control ...
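As an added example (not code from the book), the class below shows how a Service-style class can find out what the installed security manager will let it do, using the same AccessController/Permission machinery described above. It assumes Java 8 through 17 (the security manager is deprecated for removal in 17 and must be enabled with -Djava.security.manager=allow from 18 onward), and the class name SandboxDemo and the policy-file name server.policy are invented.

```java
// Added example: probe the permissions granted to this code under a
// SecurityManager. Not from the book; assumes Java 8-17.
import java.io.FilePermission;
import java.net.SocketPermission;
import java.security.AccessControlException;
import java.security.AccessController;
import java.security.Permission;
import java.util.PropertyPermission;

public class SandboxDemo {

    /** True if every protection domain on the call stack holds p. */
    static boolean allowed(Permission p) {
        try {
            AccessController.checkPermission(p);
            return true;
        } catch (AccessControlException e) {
            return false;
        }
    }

    public static void main(String[] args) {
        // Same effect as running with -Djava.security.manager: install the
        // default SecurityManager if the launcher did not already do so.
        if (System.getSecurityManager() == null) {
            System.setSecurityManager(new SecurityManager());
        }

        // The JDK's default policy grants all code read access to a few
        // harmless properties such as java.version, but no file writes and
        // no outbound sockets unless a policy file says otherwise.
        report("read java.version", new PropertyPermission("java.version", "read"));
        report("write /tmp/x",      new FilePermission("/tmp/x", "write"));
        report("connect :80",       new SocketPermission("example.com:80", "connect"));

        // To grant a specific Service directory only what it needs, a policy
        // file (server.policy, invented name) would contain, for example:
        //   grant codeBase "file:./services/-" {
        //       permission java.net.SocketPermission "localhost:1024-", "connect";
        //   };
        // and the server would be started with
        //   java -Djava.security.manager -Djava.security.policy=server.policy ...
    }

    static void report(String what, Permission p) {
        System.out.println(what + ": " + (allowed(p) ? "permitted" : "DENIED"));
    }
}
```

Run it with and without a policy file to confirm that the denied checks flip to "permitted" only for the permissions the policy actually grants; anything a Service class does beyond the grant fails with AccessControlException rather than silently succeeding.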

Get Java Examples in a Nutshell, 3rd Edition now with the O’Reilly learning platform.
