Is there any other implementation (e.g. in an OSS project) of a Java SecurityManager available which has more features than the one in the JDK?

I'm looking for features like

  • configurable at runtime
  • policies updateable at runtime, read from other data sources than a security.policy file
  • Thread-aware, e.g. different policies per Thread
  • Higher-level policies, e.g. "Disable network functions, but allow JDBC traffic"
  • Common predefined policies, e.g. "Allow read-access to usual system properties like file.encoding or line.separator, but disallow read-access to user.home"
  • Monitoring and audit trace logging, e.g. "Log all file access, log all network access going NOT to knownhost.example.org"
  • Blocking jobs "requesting" a permission until an administrator grants permission, letting the thread/job continue
  • ...

I'm pretty sure that application servers (at least the commercial ones) have their own SecurityManager implementation or at least their own policy configuration. I'm wondering if there is any free project with similar requirements.

+1  A: 

I'm not aware of a standalone SecurityManager project. Any application server (JBoss, Glassfish) will contain one to control what a loaded application can do.

Here are some links I found on the subject of rolling your own:

Devon_C_Miller
+1  A: 
  • Dynamic ProtectionDomains (introduced in 1.4 IIRC), delegate to the modifiable Policy.
  • Determining permissions by thread is, erm, tricky. The applet security manager does it by ThreadGroup, which is generally considered a bad thing.
  • You can allow connections to specific ports. Similarly you can have a privileged JDBC driver that perhaps proxies onto another driver asserting particular privileges through AccessController.doPrivileged.
  • Permissions for system properties can be specified for each individual key.
  • AccessController in the Sun/Oracle implementation does have tracing features.
  • Applets/WebStart will show a dialog on, for instance, printing. But the JNLP services approach is much better.

"Glossitope" attempted to have a system that sprung up a dialog box every time a permission was requested. Of course, the request makes no sense to the user that just wants to see the dancing pigs. (Glossitope was an attempt at a Java version of the Vista side panel thing. The features added to 6u10 (drag-and-drop install, non-rectangular windows, warning icon instead of banner, JNLP services) make it mostly redundant.)

Tom Hawtin - tackline
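
The first and fourth points of the answer above (dynamic ProtectionDomains delegating to a modifiable Policy, and property permissions granted per key), as an added example that is not part of the original posts. The class name `RuntimePolicy`, its `grant`/`revoke` methods and the plugin path are hypothetical; the policy is queried directly here, and enforcing it would additionally require `Policy.setPolicy` on a JDK that still supports the Security Manager.

```java
import java.net.URI;
import java.security.*;
import java.security.cert.Certificate;
import java.util.*;
import java.util.concurrent.*;

// Added example: a Policy whose grants can change while the JVM runs.
@SuppressWarnings("removal") // Policy is deprecated for removal since Java 17
public class RuntimePolicy extends Policy {
    // code-source URL prefix -> permissions granted to code loaded from there
    private final Map<String, List<Permission>> grants = new ConcurrentHashMap<>();

    public void grant(String prefix, Permission p) {
        grants.computeIfAbsent(prefix, k -> new CopyOnWriteArrayList<>()).add(p);
    }

    public void revoke(String prefix, Permission p) {
        List<Permission> list = grants.get(prefix);
        if (list != null) list.remove(p);
    }

    @Override
    public boolean implies(ProtectionDomain domain, Permission requested) {
        CodeSource cs = domain.getCodeSource();
        if (cs == null || cs.getLocation() == null) return false; // unknown origin: deny
        String location = cs.getLocation().toString();
        for (Map.Entry<String, List<Permission>> e : grants.entrySet()) {
            if (!location.startsWith(e.getKey())) continue; // simplified prefix match
            for (Permission p : e.getValue()) {
                if (p.implies(requested)) return true;
            }
        }
        return false; // default deny
    }

    public static void main(String[] args) throws Exception {
        RuntimePolicy policy = new RuntimePolicy();
        String prefix = "file:/opt/app/plugins/"; // hypothetical plugin directory
        CodeSource cs = new CodeSource(URI.create(prefix + "demo.jar").toURL(), (Certificate[]) null);
        // The four-argument constructor creates a dynamic domain: its permissions
        // are looked up in the current Policy at check time, not fixed at load time.
        ProtectionDomain plugin = new ProtectionDomain(cs, null, null, null);
        Permission encoding = new PropertyPermission("file.encoding", "read");
        Permission home = new PropertyPermission("user.home", "read");

        policy.grant(prefix, encoding);
        System.out.println("file.encoding: " + policy.implies(plugin, encoding));
        System.out.println("user.home:     " + policy.implies(plugin, home));
        policy.revoke(prefix, encoding); // takes effect on the next check
        System.out.println("after revoke:  " + policy.implies(plugin, encoding));
    }
}
```

The grant map could equally be filled from a database or an admin console, which covers the "other data sources than a security.policy file" requirement in the question.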