5.4. Protection Domains

A protection domain is a grouping of a code source and permissions--that is, a protection domain represents all the permissions that are granted to a particular code source. In the default implementation of the Policy class, a protection domain is one grant entry in the file. A protection domain is an instance of the ProtectionDomain class (java.security.ProtectionDomain) and is constructed as follows:

public ProtectionDomain(CodeSource cs, PermissionCollection p)

Construct a protection domain based on the given code source and set of permissions.

When associated with a class, a protection domain means that the given class was loaded from the site specified in the code source, was signed by the public keys specified in the code source, and should have permission to perform the set of operations represented in the permission collection object. Each class in the virtual machine may belong to one and only one protection domain, which is set by the class loader when the class is defined.

However, not all class loaders have a specific protection domain associated with them: classes that are loaded by the primordial class loader have no protection domain. In particular, this means that classes that exist as part of the system class path (that is, the Java API classes) have no explicit protection domain. We can think of these classes as belonging to the system protection domain.

A protection domain is set for a class inside the defineClass() method. A protection domain is assigned to a class depending upon one of the following cases:

  • The defineClass() method accepts a protection domain as a parameter. In this case, the given protection domain is assigned to the class. This case is typically unused, since that variant of the method exists only in the ClassLoader class and not in the SecureClassLoader class.

  • The defineClass() method accepts a code source as a parameter. In this case, the getPermissions() method of the SecureClassLoader is used to determine the protection domain for the code source. By default, this just uses the getPermissions() method of the Policy class to find the permissions that are defined for the given code base. A secure class loader (including a URL class loader) has the option of overriding the getPermissions() method to enhance the permissions a particular class might have. We'll see an example of this in Chapter 6, "Implementing Security Policies", when we discuss network permissions in the class loader.

  • The defineClass() method accepts neither of these parameters. In this case, a protection domain is defined based on a code source with null parameters and a set of permissions that have been defined by the system's security policy (retrieved with the getPermissions() method). This case will include the default grant entry we listed earlier.

There are three utility methods of the ProtectionDomain class:

public CodeSource getCodeSource()

Return the code source that was used to construct this protection domain.

public PermissionCollection getPermissions()

Return the permission collection object that was used to construct this protection domain.

public boolean implies(Permission p)

Indicate whether the given permission is implied by the permissions object contained in this protection domain.
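The following program is an added example, not code from the book, that ties together the two pieces of this section: it builds a ProtectionDomain by hand from a CodeSource and a PermissionCollection and queries it with the three utility methods, and it shows the shape of the SecureClassLoader subclass described in the second list item above, which overrides getPermissions() to widen the grant for a code source. The code base URL http://www.example.com/classes/, the directory /tmp/demo-data, and the class names DataReadingLoader and ProtectionDomainDemo are all constructed for the demonstration; the helper domainForSource() simply exposes what the loader would hand to defineClass() and is not part of the Java API.

```java
import java.io.FilePermission;
import java.net.URI;
import java.net.URL;
import java.security.CodeSource;
import java.security.Permission;
import java.security.PermissionCollection;
import java.security.Permissions;
import java.security.ProtectionDomain;
import java.security.SecureClassLoader;
import java.security.cert.Certificate;

public class ProtectionDomainDemo {

    /**
     * Build a protection domain for unsigned code loaded from codeBase that is
     * granted exactly the permissions listed in 'granted'.
     */
    static ProtectionDomain domainFor(URL codeBase, Permission... granted) {
        // A null certificate array means "unsigned code from this location".
        CodeSource cs = new CodeSource(codeBase, (Certificate[]) null);
        Permissions perms = new Permissions();
        for (Permission p : granted) {
            perms.add(p);
        }
        perms.setReadOnly();   // freeze the grant so nothing can widen it later
        return new ProtectionDomain(cs, perms);
    }

    /**
     * A SecureClassLoader that enhances the permissions for a code source,
     * in the manner the text describes. The extra read grant on
     * /tmp/demo-data is an assumption made for this demo.
     */
    static class DataReadingLoader extends SecureClassLoader {
        DataReadingLoader(ClassLoader parent) {
            super(parent);
        }

        @Override
        protected PermissionCollection getPermissions(CodeSource cs) {
            // Start from what the base loader grants this code source ...
            PermissionCollection pc = super.getPermissions(cs);
            // ... and add a loader-specific grant for that code source only.
            pc.add(new FilePermission("/tmp/demo-data/-", "read"));
            return pc;
        }

        /** Demo helper: the domain this loader would assign in defineClass(). */
        ProtectionDomain domainForSource(CodeSource cs) {
            return new ProtectionDomain(cs, getPermissions(cs));
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed code base; nothing is fetched from it.
        URL base = URI.create("http://www.example.com/classes/").toURL();

        ProtectionDomain pd = domainFor(base,
                new FilePermission("/tmp/demo-data/-", "read"));

        System.out.println("code source : " + pd.getCodeSource());
        System.out.println("permissions : " + pd.getPermissions());
        // implies() answers "does this grant cover the requested operation?"
        System.out.println("read  /tmp/demo-data/x -> "
                + pd.implies(new FilePermission("/tmp/demo-data/x", "read")));
        System.out.println("write /tmp/demo-data/x -> "
                + pd.implies(new FilePermission("/tmp/demo-data/x", "write")));
        System.out.println("read  /etc/passwd      -> "
                + pd.implies(new FilePermission("/etc/passwd", "read")));

        // The custom loader produces a domain whose grant includes its own addition.
        DataReadingLoader loader =
                new DataReadingLoader(ProtectionDomainDemo.class.getClassLoader());
        ProtectionDomain loaderPd =
                loader.domainForSource(new CodeSource(base, (Certificate[]) null));
        System.out.println("loader domain grants read -> "
                + loaderPd.implies(new FilePermission("/tmp/demo-data/x", "read")));
    }
}
```

Two design points are worth noticing. First, the permission collection is made read-only before the domain is constructed, so the grant a class receives cannot be widened afterwards by anyone holding a reference to it. Second, the getPermissions() override adds to the collection returned by the superclass rather than replacing it, so the loader only ever enhances the permissions for a code source and never silently drops what the installed policy granted.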

