Now blogging at diego's weblog. See you over there!

java & security


The security scheme of Java 1.2 (which exists on all JDK versions above and including 1.2) is too fine-grained for many applications. It's hard to see how the use of the java.policy file makes things easier or more secure. It seems like the worst of both worlds: it's possible to override all security with the appropriate settings, but simple things (like the RMI requirements to be able to open sockets to listen for connections) require special settings in the policy file, or an additional policy file included with the program.

The process is always the same: I'm doing something that is not allowed by default in the policy file, so I have to look up the privileges that are needed, add those privileges into a policy file or the JDK policy, then try again. Sometimes the policy file might be in the wrong directory, so I have to specify its location to the java interpreter... then I get it working and I forget about it. It's little things like this that make Java programs harder to deploy than native programs (and let's not even mention how cumbersome it is to create a signed Java application accessible through Java Web Start). Now, I'm not saying that Java should revert to the windows technique of allowing any program to wipe out the machine without problems if they wanted to, but maybe a healthy middle ground would be nice.

At the very list, these tasks should be properly automated in the major IDEs...

Categories: technology
Posted by diego on July 18 2002 at 4:46 PM

Copyright © Diego Doval 2002-2011.
Powered by
Movable Type 4.37