
Change the Locks

Posted by editor on September 30, 2008 at 8:37 AM PDT

The case against checkPermission()

A few years back, Denis Pilipchuk wrote a four-part series on Java versus .NET Security from a number of angles, including code containment, crypto, code protection, authorization and authentication, and more. The series was later assembled into a "Short Cut" PDF. Editing these articles, I have to say I was a little overwhelmed by the depth with which he delved into the topic. For the layman, the application developer who wants to be security-aware without having to become a security expert, you often just want to know if Java security is "good enough".

And that raises the question "good enough... how?" Secure enough? Configurable enough? Flexible enough? Practical enough? Performant enough? All of these factors often tend to work against each other: offer too much flexibility and you might unwittingly open a security hole. But be too stringent and application developers can't do anything interesting.

Denis re-frames the discussion in today's Feature Article, Pitfalls of the Java Permissions Model, taking a historical look at how the call-stack based concept of permissions emerged:

The Java SE Access Control model, built around various permission classes and code-based security, has not been able to grow up with the Java platform and cannot satisfy the requirements of today's enterprise systems. This article analyzes the root causes of the problem, and suggests alternative approaches.

In Java Today,

Caciocavallo project co-founder Roman Kennke has apparently made the first OpenJDK commit by someone with no Sun ties. As he explains in his blog, "Ok, I'm not the first one, but most (or all?) non-Sunnies I've seen committing have been ex-Sun-employees. That was good timing. Not that I care much if I do the commit or some guy inside Sun, as long as I can get a good patch in, but it is a big nice step in the right direction."

Noted in Kirill Grouchnikov's Swing Links of the Week, Maxim Zakharenkov has posted the slides (PDF) for his JavaZone presentation on debugging with SwingExplorer. The slides show a simple but buggy Swing application, and how SwingExplorer can be used to track down problems with layout, painting, event listening, and misuse of the event-dispatch thread.

Don't forget that the 2009 Mobile, Media, and eMbedded Developer Days Call for Papers closes today, September 30, for technical sessions, panel sessions, hands on talks, and lightning talks. If you want to submit any of these for consideration, visit the Call for Papers page and follow the instructions there.

Today's Weblogs begin with Eamonn McManus' announcement JMX Namespaces now available in JDK 7. "The JMX Namespace feature has now been integrated into the JDK 7 platform. You can read about it in detail in the online documentation for Here's my quick summary."

Kohsuke Kawaguchi follows up yesterday's announcement of an easier-to-install Hudson for Windows with winsw: Windows service wrapper in less restrictive license. "I wrote a little program that can host any executable (Java included) as a Windows service, and made it available in the BSD license."

Finally, in GlassFish Migration: WebLogic's Split Directory to Ear, Sekhar Vajjhala writes, "in one of my previous blogs, I wrote about how the GlassFish verifier can be used to verify an archive when migrating J2EE/Java EE applications to GlassFish. Here I will show how to generate a Java EE ear file starting from WebLogic's Split Directory Development."

In today's Forums, Fabian Ritzmann explains where JAX-WS keeps its Maven POMs in the follow-up Re: Using WSIT with maven. "JAX-WS has a number of POMs that you might be able to use. WSIT doesn't really add that many dependencies. XWSS and FastInfoset are the ones I can think of from the top of my head. You can find the POMs in CVS: Repository = jax-ws-sources/repo"

whartung explains the purpose and application of SOAP in Re: Publishing a web API using glassfish, is there an easy way? "Believe it or not, SOAP is the big winner here for you. It pretty much does what you want to do. Is it complicated? Yes, it CAN be. But if you're looking to do simple things, then SOAP is simple (well, simple enough), particularly in Glassfish. SOAP suffers from several things. Its biggest problem is simply that it has been moving SO fast in the past several years. By the time folks implement and agree on one aspect, they're adding more to it."

Finally, Shai Almog offers a tip for LWUIT customization in Re: How to change the "background selection color" of the command list. "The menu is a list, hence the component within the list is the default cell renderer. The default cell renderer doesn't have its own UIID and so it uses the Label UIID which it derives. To replace that you can replace the menu renderer with any renderer you want that carries any UIID style you desire."

Current and upcoming Java

Registered users can submit event listings for the Events Page using our events submission form. All submissions go through an editorial review before being posted to the

Archives and Subscriptions: This blog is delivered weekdays as the Java Today RSS feed. Also, once this page is no longer featured as the front page, it will be archived along with other past issues in the Archive.
