Java security: Sandboxing plugins loaded via URLClassLoader

From the docs: The AccessControlContext of the thread that created the instance of URLClassLoader will be used when subsequently loading classes and resources. The classes that are loaded are by default granted permission only to access the URLs specified when the URLClassLoader was created. The URLClassLoader is doing exactly as it says; the AccessControlContext is …

Why doesn't the Java security manager forbid either creating a new Thread() or starting it?

It isn't possible to define a security policy that will prevent code from creating and starting a new thread using the standard Java SecurityManager. Let's say you have the following code: public class Test { public static void main(String [] args) { System.out.println(System.getSecurityManager() != null ? "Secure" : ""); Thread thread = new Thread( new …

Preventing System.exit() from API

There is a blog post here: http://jroller.com/ethdsy/entry/disabling_system_exit. Basically it installs a security manager which disables System.exit(), with code from there: private static class ExitTrappedException extends SecurityException { } private static void forbidSystemExitCall() { final SecurityManager securityManager = new SecurityManager() { public void checkPermission( Permission permission ) { if( "exitVM".equals( permission.getName() ) ) { throw new …