A recent question on SO led me to an older answer about the Java Security Manager. My question is about this line in that answer:

> The security manager impacts performances though, and it is rarely used on the server side.

Can someone please back this up or refute? I thought there is always a security manager, a custom one or the default and that containers use it all the time.

Miserable Variable

1 Answer

In server-side code that you yourself write, I can't think of any need for you to use a SecurityManager, since if you are writing the code to perform some operation in your application, it's unlikely that you need to check if your code has the permissions that you have given it.

For instance, a lot of the methods in SecurityManager are related to IO operations - checkDelete(), checkRead(), checkWrite(), etc. The JDK library classes will call these methods when you try to create/write/read/delete a file, so calling them yourself would be pointless.

So it's unlikely that your server-side code would make much use of the SecurityManager. However, the code that your code runs in - if you are deployed in a servlet container for instance - might make use of these methods, because they are interested in determining if your code has some level of permission that they give it.

matt b
  • If I understand you right, you mean that the top level container on server *will* use a `SecurityManager` to implement security policies on (arbitrary) content deployed to it but there is no need to use one in the individual deployed units themselves. Correct? – Miserable Variable Feb 15 '13 at 21:41
  • Yes, at least I cannot think of a need. An administrator of Tomcat, for instance, might set certain permissions as to what the contained web applications can do. – matt b Feb 15 '13 at 21:56
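
The division of labour described in the answer above, as an added example that is not code from the post or from any real container: the JDK's `FileInputStream` calls `checkRead()` on whatever manager the host installed, so the deployed code never calls it. `ContainerManager`, the `secrets` directory and both file names are constructed for illustration. It assumes a JDK that still permits installing a security manager (Java 17 or earlier, or 18 to 23 started with `-Djava.security.manager=allow`).

```java
import java.io.FileInputStream;
import java.io.FileNotFoundException;
import java.io.IOException;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.Permission;

@SuppressWarnings({"deprecation", "removal"})
public class ContainerPolicyDemo {
    // Constructed policy: deployed code may not read anything under ./secrets
    static final Path DENIED = Paths.get("secrets").toAbsolutePath().normalize();

    // Plays the role of the container: it installs the manager, the application never calls it.
    static class ContainerManager extends SecurityManager {
        @Override
        public void checkPermission(Permission perm) {
            // Permit everything that is not handled by a more specific check below.
        }

        @Override
        public void checkRead(String file) {
            // Path.startsWith compares whole path components, so "secrets2" is not matched.
            Path target = Paths.get(file).toAbsolutePath().normalize();
            if (target.startsWith(DENIED)) {
                throw new SecurityException("read denied by container policy: " + file);
            }
        }
    }

    // Plays the role of deployed application code: plain file I/O, no explicit check.
    static String tryRead(String name) {
        try (FileInputStream in = new FileInputStream(name)) {
            return "allowed, first byte = " + in.read();
        } catch (FileNotFoundException e) {
            return "allowed by policy, but the file could not be opened";
        } catch (IOException e) {
            return "allowed by policy, I/O error: " + e.getMessage();
        } catch (SecurityException e) {
            return e.getMessage();
        }
    }

    public static void main(String[] args) {
        System.setSecurityManager(new ContainerManager());
        System.out.println(tryRead("secrets/db.properties")); // constructed path
        System.out.println(tryRead("public/readme.txt"));     // constructed path
    }
}
```

The first read is rejected before the file system is touched, so the `SecurityException` appears even if `secrets/db.properties` does not exist.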