[jboss-dev] SecurityManager

Anil Saldhana Anil.Saldhana at redhat.com
Tue Aug 4 11:34:49 EDT 2009


Emmanuel Bernard wrote:
> I'm making Hibernate Validator SecurityManager friendly. I have a few
> questions wrt Java security.
>
> I have been told to wrap any reflection call into
> AccessController.doPrivileged
>   
You should in addition to things such as:
Thread.currentThread().getContextClassLoader
System.getProperty
System.setProperty
> so that if HV is granted reflection privilege, the SM won't complain.
>
> Now I do not want to wrap all my reflection calls into  
> AccessController.doPrivileged
> Here are my questions:
>   - how do I know that a SecurityManager has been activated?
>     It seems to me that System.getSecurityManager() != null does the
> trick
>   
I would not bother to do the SM != null check. The modern JVMs are smart
enough to do that themselves and speed up.
>   - how "slow" is this AccessController.doPrivileged wrapping in  
> practice?
>   
If there is no security mgr enabled, then not much of a difference as
the JVM does do some optimization (in the absence of SM). With SM enabled,
there is some overhead in the permission checking across call stacks.

>   - does JBoss use a SM OOTB?
>
>   
The JBossAS testsuite includes a test target that runs a bunch of tests 
while the AS is running under a sec mgr.
There are users of AS who run it under a SM.

> Thanks
>
> Emmanuel
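
The wrapping discussed in this thread, as an added Java example that is not part of the original messages and is not Hibernate Validator or JBoss code. The class, method and field names are hypothetical; the helpers are package-private so that code outside the library cannot borrow its permissions through them.

```java
import java.lang.reflect.Field;
import java.security.AccessController;
import java.security.PrivilegedAction;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;

// Hypothetical helper class (illustration only).
final class PrivilegedOps {

    private PrivilegedOps() {}

    // May require RuntimePermission("getClassLoader") when a SecurityManager is installed.
    static ClassLoader contextClassLoader() {
        return AccessController.doPrivileged(
            (PrivilegedAction<ClassLoader>) () -> Thread.currentThread().getContextClassLoader());
    }

    // Requires PropertyPermission(key, "read") when a SecurityManager is installed.
    static String systemProperty(String key) {
        return AccessController.doPrivileged(
            (PrivilegedAction<String>) () -> System.getProperty(key));
    }

    // setAccessible requires ReflectPermission("suppressAccessChecks").
    // Only the reflective calls run inside the privileged block, nothing else.
    static Object readField(Object target, String name) throws ReflectiveOperationException {
        try {
            return AccessController.doPrivileged((PrivilegedExceptionAction<Object>) () -> {
                Field f = target.getClass().getDeclaredField(name);
                f.setAccessible(true);
                return f.get(target);
            });
        } catch (PrivilegedActionException e) {
            // The action can only throw NoSuchFieldException or IllegalAccessException.
            throw (ReflectiveOperationException) e.getException();
        }
    }

    // Constructed sample bean standing in for a validated object.
    static final class Sample { private final String name = "constructed"; }

    public static void main(String[] args) throws Exception {
        System.out.println(readField(new Sample(), "name"));
        System.out.println(systemProperty("java.version"));
        System.out.println(contextClassLoader() != null);
    }
}
```

On Java 17 and later this compiles with deprecation warnings, because the SecurityManager and AccessController APIs are deprecated for removal (JEP 411).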