
Performing Code-Based Security Checks

Use

All code-based permissions are granted using:

securityConnector.grantCodePermission(String domainName, String[] actions),

where domainName is the protection domain name of the current J2EE application (the matching entry returned by securityConnector.getApplicationDomainNames()) and each element of actions has the following format:

<action> [, <view_alias> [, (<entry_alias> | <property_alias>)]]

For more information about the actions allowed, see Key Storage Actions.

Procedure

keystoreManager.getKeystore("my_view")

will be granted by

securityConnector.grantCodePermission(
   < current_domain_name >,
   new String[] { KeyStoreConstants.GET_VIEW, "my_view" });

and

securityConnector.isCodeGranted(
   new String[] { KeyStoreConstants.GET_VIEW, "my_view" })

checks whether keystoreManager.getKeystore("my_view"), called from the same code, would pass the code-based security check.

Example

If J2EE_app_1 calls J2EE_app_2, which in turn calls the Key Storage Service, and J2EE_app_2 creates or uses Key Storage views and entries, the default code permissions are granted only to the J2EE_app_2 protection domain; the check walks the whole call stack, so the call fails because J2EE_app_1's domain holds no grant. Avoid such cases if possible. Otherwise, execute all Key Storage Service operations in a privileged block, which ends the stack walk at J2EE_app_2:

// in J2EE_app_1
J2EE_app_1.use_J2EE_app_2_method() {
   J2EE_app_2.use_KeystoreService();
}

// in J2EE_app_2: the privileged block stops the permission check at
// J2EE_app_2's protection domain, so J2EE_app_1 needs no Key Storage grant
J2EE_app_2.use_KeystoreService() {
   Object result = AccessController.doPrivileged(new PrivilegedAction() {
      public Object run() {
         keystoreManager.createView("my_view", null);
         KeyStore keystore = keystoreManager.getKeystore("my_view");
         ...
         return keystore;
      }
   });
}

If there is a requirement that only J2EE_app_1 can use the "my_view" Keystore view, a custom code-based check should be added to:

J2EE_app_2.use_KeystoreService() {
   // fails unless every domain on the call stack holds J2EE_app_1_permission
   AccessController.checkPermission(new J2EE_app_1_permission());
   ...
}

and J2EE_app_1_permission should be added to the J2EE_app_1 protection domain.
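The pieces above combined into one class, as an added example that is not from the SAP documentation: SecurityConnector and KeystoreManager are assumed interface names for the securityConnector and keystoreManager objects used on this page, and the permission name string is invented.

```java
import java.security.AccessController;
import java.security.BasicPermission;
import java.security.KeyStore;
import java.security.PrivilegedAction;

public class KeystoreViewAccess {

    // Custom permission that is added only to J2EE_app_1's protection domain.
    // BasicPermission gives name-based implies(); the name itself is an assumption.
    public static final class J2EE_app_1_permission extends BasicPermission {
        public J2EE_app_1_permission() {
            super("useKeystoreView.my_view");
        }
    }

    private final SecurityConnector securityConnector;   // assumed type name
    private final KeystoreManager keystoreManager;       // assumed type name

    public KeystoreViewAccess(SecurityConnector sc, KeystoreManager km) {
        this.securityConnector = sc;
        this.keystoreManager = km;
    }

    // Deployment-time step for J2EE_app_2: grant GET_VIEW on "my_view" to its own domain.
    // Which entry of getApplicationDomainNames() is the right one is application-specific.
    public void grantOwnViewAccess() {
        String domain = securityConnector.getApplicationDomainNames()[0];
        securityConnector.grantCodePermission(
            domain, new String[] { KeyStoreConstants.GET_VIEW, "my_view" });
    }

    // Runtime path in J2EE_app_2, reached from J2EE_app_1.
    public KeyStore useKeystoreService() {
        // 1. Custom check: every domain on the stack must hold J2EE_app_1_permission.
        AccessController.checkPermission(new J2EE_app_1_permission());

        // 2. Confirm J2EE_app_2 itself holds the GET_VIEW grant before entering the
        //    privileged block, so a missing grant fails with a clear message.
        String[] action = { KeyStoreConstants.GET_VIEW, "my_view" };
        if (!securityConnector.isCodeGranted(action)) {
            throw new SecurityException("J2EE_app_2 lacks " + String.join(",", action));
        }

        // 3. Privileged block: the Key Storage permission check stops here, so
        //    J2EE_app_1's domain needs only the custom permission from step 1.
        return AccessController.doPrivileged(new PrivilegedAction<KeyStore>() {
            public KeyStore run() {
                return keystoreManager.getKeystore("my_view");
            }
        });
    }
}
```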
