Protection Domains 

The ProtectionDomainContext interface enables you to manage collections of resources with defined security constraints. You can use this interface to manage units in the server or application that need to have secured permissions or restrictions applied to them. Such units can also be referred to as principals, since a principal is the entity in the system that has permissions applied to it.

A subject can be a user or a service that represents the source of the authentication request, which must be checked so that it can be granted access to the system resources. When the subject is authenticated, it receives an associated identity – that is a principal. One subject can have many principals and also its own security-related attributes. Such attributes are referred to as credentials of the subject.

One security domain on the SAP J2EE Engine consists of a number of classes whose instances have the same set of permissions applied to them. A domain is uniquely identified by a CodeSource. The CodeSource contains the codebase and the set of certificates for the public keys that correspond to the private keys that signed the code in the domain. This is why when classes are signed from the same URL, or the same keys, the classes are placed in one and the same domain.

The protection domain also includes the permissions granted to the code in the domain. The way to do this is defined by the current security policy configuration.

The interface instance can be obtained using the SecurityContext interface.

Classes that have the same permissions, but are from different code sources, belong to different domains. One class can be only in one protection domain.

See also:

 

·        Java Security Architecture

·        Managing Protection Domains in the Administration Manual