(Lack of) Java Security

Ted Neward wrote an entry today on Java Security. This post started out as a comment on that, but it got too long.

Are there any Java open source projects that actually use any Java Security (ignoring spec implementations where it is required)?

Some frameworks have some support for using it, but apart from that I think even the best projects fail to use it.

I'm not blaming the authors for that – I know there are times when I've thought that I should be using Java security, but it's a whole area I know I don't understand as well as I should, and while I think I'm very security conscious as programmers go, I suspect there may be others in the same position.

I'd love to see some sample code for using the principle of least privilege in Java. Java programmers often shout about how much more secure it is than C, but at least in C you do see code that deliberately reduces the permissions it requires.
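As an added example (not code from the original post, nor from any project it mentions), here is one way to express least privilege with the classes the platform itself provides: a `java.security.AccessControlContext` built from a `ProtectionDomain` that holds only the permissions one task needs, handed to `AccessController.doPrivileged`. Every permission check made inside the action is intersected with that context, so the task cannot exceed it even when the calling code holds `AllPermission`. The file name `lp-demo.txt` and the choice of `java.io.tmpdir` and `user.home` as the allowed and disallowed directories are assumptions made for the demo; nothing is written or deleted, the delete call is refused before it reaches the filesystem.

```java
import java.io.File;
import java.io.FilePermission;
import java.security.AccessControlContext;
import java.security.AccessControlException;
import java.security.AccessController;
import java.security.CodeSource;
import java.security.Permissions;
import java.security.PrivilegedAction;
import java.security.ProtectionDomain;

public class LeastPrivilegeDemo {

    // Build a context that grants ONLY the permissions in `perms`.
    // The two-argument ProtectionDomain constructor makes a static domain:
    // the installed Policy is not consulted for it, so the set is exact.
    static AccessControlContext restrictedContext(Permissions perms) {
        ProtectionDomain domain = new ProtectionDomain(
                new CodeSource(null, (java.security.cert.Certificate[]) null), perms);
        return new AccessControlContext(new ProtectionDomain[] { domain });
    }

    // Permissions for "read this directory and anything below it", nothing else.
    static Permissions readOnly(File dir) {
        Permissions perms = new Permissions();
        perms.add(new FilePermission(dir.getPath(), "read"));
        perms.add(new FilePermission(dir.getPath() + File.separator + "-", "read"));
        return perms;
    }

    // The untrusted-ish task: list a directory. SecurityManager.checkRead runs inside.
    static String listUnder(File dir) {
        String[] names = dir.list();
        return names == null ? "(unreadable)" : names.length + " entries";
    }

    public static void main(String[] args) {
        // Without a SecurityManager no permission checks happen at all.
        if (System.getSecurityManager() == null) {
            System.setSecurityManager(new SecurityManager());
        }

        // Assumed demo directories: tmpdir is allowed, the home directory is not.
        File allowed = new File(System.getProperty("java.io.tmpdir")).getAbsoluteFile();
        File outside = new File(System.getProperty("user.home")).getAbsoluteFile();
        AccessControlContext ctx = restrictedContext(readOnly(allowed));

        // 1. Reading inside the allowed directory succeeds.
        String inside = AccessController.doPrivileged(
                (PrivilegedAction<String>) () -> listUnder(allowed), ctx);
        System.out.println("allowed dir: " + inside);

        // 2. Reading anywhere else is refused, although main() itself could do it.
        try {
            AccessController.doPrivileged(
                    (PrivilegedAction<String>) () -> listUnder(outside), ctx);
            System.out.println("outside dir: UNEXPECTEDLY allowed");
        } catch (AccessControlException e) {
            System.out.println("outside dir: denied, missing " + e.getPermission());
        }

        // 3. Anything beyond "read" is refused too, even inside the allowed directory.
        //    File.delete() performs its checkDelete before touching the filesystem.
        try {
            AccessController.doPrivileged(
                    (PrivilegedAction<Boolean>) () -> new File(allowed, "lp-demo.txt").delete(), ctx);
            System.out.println("delete: UNEXPECTEDLY allowed");
        } catch (AccessControlException e) {
            System.out.println("delete: denied, missing " + e.getPermission());
        }
    }
}
```

Run it with a policy that gives the application code the rights it genuinely needs, so that the only reduction on display is the one the code performs itself, for example `java -Djava.security.manager -Djava.security.policy=all.policy LeastPrivilegeDemo` where `all.policy` contains `grant { permission java.security.AllPermission; };`. Two caveats: the reduction only applies to checks made below the `doPrivileged` frame, so code that captures a reference and uses it later is not covered; and the whole `SecurityManager` mechanism is deprecated for removal since Java 17 (JEP 411) and disabled by default from Java 18, so on current JDKs least privilege has to come from outside the process (OS users, containers, seccomp) rather than from this API.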
