Java.security.manager ?

My understanding about Java SecurityManager is that when you want to use it, it has to be installed. It can be installed through using the -Djava.security.manager option with the java command or calling setSecurityManager() in the application.
I'm sure that the WLS startup script marketed with WLS5.1 used the -Djava.security.manager option; however, WLS6.1 and WLS7.0's scripts don't use the option. Do they install a SecurityManager through the setSecurityManager() method?
I'm just curious to know why they are different between WLS5.1 and WLS6.1/7.0.
Thanks in advance,
Koji Sekiguchi

6.1 and 7.0 do not install a SecurityManager programmatically. It was
decided that most people do not make use of the added security provided
by the security manager and that it has a significant performance hit on
the VM (I think we found 6-7% degradation but it was a long time ago so
I may be way off) so that it did not make sense to run with it by
default. Instead we tell people to turn it on who need it. It seems
better because all of the security conscious people know to look for it
and all of the security unaware folk don't know enough to turn it off so
they are stuck with the degradation.
The SecurityManager is really most helpful if you are installing
untrusted applications on your app server (something most users don't
do). It does next-to-nothing to prevent remote attacks.
Neil Smithline

Similar Messages

  • Trouble with java security manager

    I have set up a security manager for my webapp running on Tomcat. The application enables the user to write his own scripts using Javascript, that's why I need to set up a security manager.
    Using Rhino as script interpreter, it is possible to use the standard java security mechanisms, e.g. using the security manager to handle the scripts' rights.
    I've added the following lines to my policy file:
    // give server all rights
    grant codeBase "file:webapp/WEB-INF/-" {
         permission java.security.AllPermission;
    };
    //rights granted to scripts
    grant codeBase "file:restrictedClient" {
         permission java.io.FilePermission "webapp/WEB-INF/lib/js.jar", "read";
    };
    I've assigned the scripts to the "restrictedClient" code base. However, the script execution fails as the script does not have the permission to access or define classes of any package (even standard java packages like java.lang or java.math).
    In java.security, I have found the following comment:
    # List of comma-separated packages that start with or equal this string
    # will cause a security exception to be thrown when
    # passed to checkPackageDefinition unless the
    # corresponding RuntimePermission ("defineClassInPackage."+package) has
    # been granted.
    # by default, no packages are restricted for definition, and none of
    # the class loaders supplied with the JDK call checkPackageDefinition.
    #package.definition=
    I now wonder, why the checkPackageDefinition is checked though there's no entry for any package to be checked.
    Extending the policy file like
    grant codeBase "file:restrictedClient" {
         permission java.lang.RuntimePermission "accessClassInPackage.webapp/WEB-INF/classes/org/mozilla/javascript";
         permission java.io.FilePermission "webapp/WEB-INF/lib/js.jar", "read";
         permission java.lang.RuntimePermission "defineClassInPackage.java.io";
         permission java.lang.RuntimePermission "defineClassInPackage.java.util";
         permission java.lang.RuntimePermission "defineClassInPackage.java.net";
         permission java.lang.RuntimePermission "defineClassInPackage.java.sql";
         permission java.lang.RuntimePermission "defineClassInPackage.java.lang";
         permission java.lang.RuntimePermission "defineClassInPackage.java.math";
         permission java.lang.RuntimePermission "de.methodpark.pkit.facade.impl";
    };
    works, but an unpleasant feeling remains :-).
    Rhino creates an own classloader for script execution. Could that be the source of the strange behaviour?
    Any help would be appreciated!
    Regards,
    Matthias

  • WebLogic Admin Console won't work with java security manager enabled.

    By just enabling the security manager on the command line with -Djava.security.manager and using the default weblogic.policy in the server/lib directory, the admin console will not work. I just see a blank page when I try to access the admin console with permission errors all over on the server console.
    In looking at the admin console's weblogic.xml it should have access to everything since it contains:
    grant {
         permission java.security.AllPermission;
    };
    Are there known issues with this? If I add this permission to the weblogic.policy file everything works fine but then I might as well not turn on the security manager.
    Thanks,
    Dave

    David,
    I was glad to see your post regarding WLS 9.2 and the troubles with enabling Java Security Manager.
    Were you able to learn any more on things like - why doesn't the admin console work when the security manager is enabled with the default policy file. Also, why is it so difficult to add permissions for your own applications and get them to actually work.
    I'd be curious to see if you were able to get it to work or if you have any insights or resources that can help with this as we are really struggling to get a restrictive policy file that works.
    Thanks,
    D

  • Java Security Manager in Multi-threaded application

    I am writing a multi-threaded application listening (TCP and UDP) to several ports. To help implement certain security features (eg. refusing connections from certain ip address), I'm using the java.lang.SecurityManager (by subclassing it). I am having a few problems and queries and am hoping someone here can help me.
    1. As all the threads are calling the checkAccept(host, port) method. Is there a way to know which thread is currently accessing the security manager? For example if host A were to make 2 connections to the application, one to thread 1 (say listening to port 5001) and the other to thread 2 (say listening to port 5002). I intend to refuse the connection to thread 2 but there is no way of differentiating the 2 connections since they are from the same host and there isn't any way of knowing their port number.
    2. Are calls to the Security Manager thread safe?
    I have been having this problem for a long time, would appreciate if someone can help point me to the right direction. cheers.

    1. As all the threads are calling the checkAccept(host, port) method. Is there a way to know which thread is currently accessing the security manager?
    Just use Thread.currentThread(). As specified in the Javadoc for e.g. SecurityManager.checkAccept().
    2. Are calls to the Security Manager thread safe?
    No.

  • Cannot start OC4J instance after specifying default java.security.manager

    Hi All,
    I am using OracleiAS 10.1.3.4 and trying to make use of the new User and Role APIs introduced in 10.1.3.1.
    While trying to get an object of IdentityStore using the following code, I got this error -
    java.security.PrivilegedActionException: oracle.security.idm.ConfigurationException: java.security.AccessControlException: access denied (oracle.security.jazn.JAZNPermission getOC4JIntegrationData)
    oidFactory = (IdentityStoreFactory) AccessController.doPrivileged(
        new PrivilegedExceptionAction()
        {
            public Object run() throws IMException
            {
                IdentityStoreFactoryBuilder builder = new IdentityStoreFactoryBuilder();
                return builder.getIdentityStoreFactory();
            }
        });
    I then tried specifying the default security manager in start JAVA options for my oc4j instance - Djava.security.manager. I also verified that my java policy file is present under $ORACLE_HOME/j2ee/oc4j_soa/config/java2.policy. But the issue is - once I put this default security manager in startup options in opmn.xml, the oc4j instance does not get started, it gives following error -
    08/12/30 02:58:22 Start process
    Dec 30, 2008 2:58:24 AM com.evermind.server.XMLDataSourcesConfig parseRootNode
    INFO: Legacy datasource detected...attempting to convert to new syntax.
    08/12/30 02:58:29 WARNING: Application.setConfig Application: default is in failed state as initialization failed.
    java.lang.ExceptionInInitializerError
    08/12/30 02:58:29 Error initializing server: Application: default is in failed state as initialization failed
    08/12/30 02:58:32 Fatal error: server exiting
    Any idea ? Any pointers please ?
    Thanks,
    Ankit

    Ankit,
    Check your syntax for the datasource. If you migrated from file-based to OID, then you should look at this link:
    http://download.oracle.com/docs/cd/E12524_01/relnotes.1013/e12523/oc4j.htm
    There is a known issue when migrating from file-based to OIM\OID. Navigate to:
    12.2 JAZNMigration Tool Does Not Migrate ADFPrincipal Type Correctly
    -Michael

  • How to get Java source in applet stack trace to debug Java security manager

    How can I get line numbers for Java source in stack traces for my applet? I'm having a problem with my code-signing certificate. On one of my applets, I consistently get a NullPointerException inside the security dialog code in the JDK. As a result, either the "trust this applet" dialog never appears, or even though it appears, it defaults to untrusted because of the exception, so I can't access any local files (and that's a bit of a problem for an applet whose sole purpose is to upload files to our server). I unzipped src.zip in my JDK directory and set the debug flag for my Ant <javac> task as well as set debuglevel to "lines." Anything else? Here's the trace that I'm getting so far. See that after the NullPointerException it assumes that the user has denied permission. If I could read this Java source maybe I could figure out why it hates my code-signing certificate (jarsigner, BTW, never complains when I verify my jar).
    security: Blacklist file not found or revocation check is disabled
    security: Accessing keys and certificate in Mozilla user profile: null
    security: Loading Root CA certificates from D:\Program Files (x86)\Java\jre6\lib\security\cacerts
    security: Loaded Root CA certificates from D:\Program Files (x86)\Java\jre6\lib\security\cacerts
    security: Loading Deployment certificates from C:\Users\Rich\AppData\LocalLow\Sun\Java\Deployment\security\trusted.certs
    security: Loaded Deployment certificates from C:\Users\Rich\AppData\LocalLow\Sun\Java\Deployment\security\trusted.certs
    security: Loading certificates from Deployment session certificate store
    security: Loaded certificates from Deployment session certificate store
    security: Validate the certificate chain using CertPath API
    security: Obtain certificate collection in Root CA certificate store
    security: Obtain certificate collection in Root CA certificate store
    security: Start to check whether root CA is replaced
    security: The root CA has been replaced
    security: No timestamping info available
    security: Found jurisdiction list file
    security: Start checking trusted extension for this certificate
    security: Start comparing to jurisdiction list with this certificate
    security: The CRL support is disabled
    security: The OCSP support is disabled
    security: This OCSP End Entity validation is disabled
    security: Checking if certificate is in Deployment denied certificate store
    security: Checking if certificate is in Deployment permanent certificate store
    security: Checking if certificate is in Deployment session certificate store
    java.lang.NullPointerException
         at com.sun.deploy.ui.UIFactory.showSecurityDialog(Unknown Source)
         at com.sun.deploy.security.TrustDeciderDialog.showDialog(Unknown Source)
         at com.sun.deploy.security.X509Util.showSecurityDialog(Unknown Source)
         at com.sun.deploy.security.TrustDecider.isAllPermissionGranted(Unknown Source)
         at sun.plugin2.applet.Plugin2ClassLoader.isTrustedByTrustDecider(Unknown Source)
         at sun.plugin2.applet.Plugin2ClassLoader.getTrustedCodeSources(Unknown Source)
         at com.sun.deploy.security.CPCallbackHandler$ParentCallback.strategy(Unknown Source)
         at com.sun.deploy.security.CPCallbackHandler$ParentCallback.openClassPathElement(Unknown Source)
         at com.sun.deploy.security.DeployURLClassPath$JarLoader.getJarFile(Unknown Source)
         at com.sun.deploy.security.DeployURLClassPath$JarLoader.access$700(Unknown Source)
         at com.sun.deploy.security.DeployURLClassPath$JarLoader$1.run(Unknown Source)
         at java.security.AccessController.doPrivileged(Native Method)
         at com.sun.deploy.security.DeployURLClassPath$JarLoader.ensureOpen(Unknown Source)
         at com.sun.deploy.security.DeployURLClassPath$JarLoader.<init>(Unknown Source)
         at com.sun.deploy.security.DeployURLClassPath$3.run(Unknown Source)
         at java.security.AccessController.doPrivileged(Native Method)
         at com.sun.deploy.security.DeployURLClassPath.getLoader(Unknown Source)
         at com.sun.deploy.security.DeployURLClassPath.getLoader(Unknown Source)
         at com.sun.deploy.security.DeployURLClassPath.getResource(Unknown Source)
         at sun.plugin2.applet.Plugin2ClassLoader$2.run(Unknown Source)
         at java.security.AccessController.doPrivileged(Native Method)
         at sun.plugin2.applet.Plugin2ClassLoader.findClassHelper(Unknown Source)
         at sun.plugin2.applet.Applet2ClassLoader.findClass(Unknown Source)
         at java.lang.ClassLoader.loadClass(Unknown Source)
         at java.lang.ClassLoader.loadClass(Unknown Source)
         at java.lang.ClassLoader.loadClass(Unknown Source)
         at sun.plugin2.applet.Plugin2ClassLoader.loadCode(Unknown Source)
         at sun.plugin2.applet.Plugin2Manager.createApplet(Unknown Source)
         at sun.plugin2.applet.Plugin2Manager$AppletExecutionRunnable.run(Unknown Source)
         at java.lang.Thread.run(Unknown Source)
    security: User has denied the priviledges to the code
    security: Adding certificate in Deployment denied certificate store
    security: Added certificate in Deployment denied certificate store
    security: Loading certificates from Deployment session certificate store
    security: Loaded certificates from Deployment session certificate store
    security: Validate the certificate chain using CertPath API
    security: Obtain certificate collection in Root CA certificate store
    security: Obtain certificate collection in Root CA certificate store
    security: Start to check whether root CA is replaced
    security: The root CA has been replaced
    security: No timestamping info available
    security: Found jurisdiction list file
    security: Start checking trusted extension for this certificate
    security: Start comparing to jurisdiction list with this certificate
    security: The CRL support is disabled
    security: The OCSP support is disabled
    security: This OCSP End Entity validation is disabled
    security: Checking if certificate is in Deployment denied certificate store
    security: Checking if certificate is in Deployment denied certificate store

    Rats, now that I look at the stack trace and compare to what's in the JDK src.zip, it appears that most of this code is not part of the JDK source. I don't see any com/sun/deploy, etc.

  • PDK-Java Security manager: controlling portlet appearance in portlet list

    Hi,
    The Understanding PDK-Java Portlet Security article says: "Portlet security is handled at two main points in Oracle9iAS Portal. It is used when a user view the list of portlets available from a provider. It is also used when rendering the portlet on a portal page."
    I don't see how a portlet can control its appearance in the list of available portlets. Is the article inaccurate, or am I overlooking something?
    Thanks,
    Peter

    The article is correct.
    Before showing a portlet in the portlet repository, the provider is contacted by the portal to determine if the current user should be able to see the portlet. This is the isRunnable call.
    In release 3.0.9, a feature was added allowing a provider to instruct the portal to cache the results of this call. There are 2 portlet properties associated with this feature:
    <portlet>
    <callIsRunnable>true/false</callIsRunnable>
    <callGetPortlet>true/false</callGetPortlet>
    </portlet>
    The second property affects whether a call to get a portlet's metadata is made before displaying it in the portlet repository.

  • Java.security.AccessControlException: access denied

    Hi all
    While deploying my portal application lots of following exceptions are thrown. Please guide me how I can solve this issue
    <Aug 16, 2007 12:27:43 PM PKT> <Warning> <Management> <BEA-400409> <Exception fr
    om ApplicationFilePoller while checking for changes in application appsdirDteP
    ortal_dir, directory GHQPortal.
    java.security.AccessControlException: access denied (java.io.FilePermission D:\b
    ea\user_projects\domains\portalDomain\applications\DtePortal\GHQPortal read)
    at java.security.AccessControlContext.checkPermission(Ljava.security.Per
    mission;)V(AccessControlContext.java:269)
    at java.security.AccessController.checkPermission(Ljava.security.Permiss
    ion;)V(AccessController.java:401)
    at java.lang.SecurityManager.checkPermission(Ljava.security.Permission;)
    V(Unknown Source)
    at java.lang.SecurityManager.checkRead(Ljava.lang.String;)V(Unknown Sour
    ce)
    at java.io.File.list()[Ljava.lang.String;(Unknown Source)
            at java.io.File.list(Ljava.io.FilenameFilter;)[Ljava.lang.String;(Unknow
    n Source)
            at com.bea.p13n.management.ApplicationFilePoller.searchDirs(Ljava.lang.S
    tring;Ljava.util.Map;)V(ApplicationFilePoller.java:719)
            at com.bea.p13n.management.ApplicationFilePoller.searchDirs()Ljava.util.
    Map;(ApplicationFilePoller.java:708)
            at com.bea.p13n.management.ApplicationFilePoller.check()V(ApplicationFil
    ePoller.java:671)
            at com.bea.p13n.management.ApplicationFilePoller.access$200(Lcom.bea.p13
    n.management.ApplicationFilePoller;)V(ApplicationFilePoller.java:145)
            at com.bea.p13n.management.ApplicationFilePoller$PollerThread.checkAllPo
    llers()V(ApplicationFilePoller.java:997)
            at com.bea.p13n.management.ApplicationFilePoller$PollerThread.run()V(App
    licationFilePoller.java:953)
            at java.lang.Thread.run()V(Unknown Source)
            at java.lang.Thread.startThreadFromVM(Ljava.lang.Thread;)V(Unknown Sourc
    e)
    Thanks

    Hi
    Thanks for reply bposner. I am using 'weblogic' user to deploy the application. Please help me to dig out this problem.
    This problem seems linked with Java Security manager. How can I disable Java Security Manager or what permission should I add in security file to resolve this problem.
    Thanks
    Edited by arafique393 at 08/16/2007 11:23 PM
    Edited by arafique393 at 08/17/2007 4:47 AM
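
    The denials quoted in these threads all share the same `access denied (...)` message shape. The added example below (not from the original posts or from any vendor tool) parses such lines, in both the bare format shown on this page and the quoted format that JDK 7 and later print, into candidate policy entries to review before granting. The class name, the sample log lines, the codeBase placeholder and the list of action-taking permission types are assumptions.

    ```java
    import java.util.Arrays;
    import java.util.LinkedHashSet;
    import java.util.List;
    import java.util.Set;
    import java.util.regex.Matcher;
    import java.util.regex.Pattern;

    /** Added example: turns "access denied (...)" log lines into candidate policy entries. */
    public class DeniedToPolicy {

        // JDK 7+ quotes each field: access denied ("class" "name" "actions")
        private static final Pattern QUOTED = Pattern.compile(
            "access denied \\(\"([^\"]+)\" \"([^\"]*)\"(?: \"([^\"]*)\")?\\)");
        // Older JDKs print the fields bare: access denied (class name actions)
        private static final Pattern BARE = Pattern.compile(
            "access denied \\((\\S+) (.*)\\)");
        // Permission types whose last bare token is an action list (assumption: extend as needed)
        private static final Set<String> HAS_ACTIONS = new LinkedHashSet<>(Arrays.asList(
            "java.io.FilePermission", "java.util.PropertyPermission", "java.net.SocketPermission"));

        /** Returns one policy "permission" line, or null if the log line holds no denial. */
        static String toPolicyLine(String logLine) {
            String type, name, actions = null;
            Matcher m = QUOTED.matcher(logLine);
            if (m.find()) {
                type = m.group(1);
                name = m.group(2);
                actions = m.group(3);
            } else if ((m = BARE.matcher(logLine)).find()) {
                type = m.group(1);
                name = m.group(2);
                // Bare names may contain spaces, so only split off a trailing action
                // list for types known to carry one
                int sp = name.lastIndexOf(' ');
                if (HAS_ACTIONS.contains(type) && sp > 0) {
                    actions = name.substring(sp + 1);
                    name = name.substring(0, sp);
                }
            } else {
                return null;
            }
            // Policy files are tokenized like Java strings, so backslashes must be doubled
            String escaped = name.replace("\\", "\\\\").replace("\"", "\\\"");
            StringBuilder sb = new StringBuilder("permission ").append(type)
                .append(" \"").append(escaped).append('"');
            if (actions != null && !actions.isEmpty()) {
                sb.append(", \"").append(actions).append('"');
            }
            return sb.append(';').toString();
        }

        /** De-duplicates the permissions seen across a log and wraps them in one grant block. */
        static String toGrantBlock(List<String> logLines, String codeBase) {
            Set<String> perms = new LinkedHashSet<>();
            for (String line : logLines) {
                String p = toPolicyLine(line);
                if (p != null) perms.add(p);
            }
            StringBuilder sb = new StringBuilder("grant codeBase \"" + codeBase + "\" {\n");
            for (String p : perms) sb.append("    ").append(p).append('\n');
            return sb.append("};\n").toString();
        }

        public static void main(String[] args) {
            // Constructed sample lines in both message formats; not taken from a real log
            List<String> sample = Arrays.asList(
                "java.security.AccessControlException: access denied "
                    + "(java.io.FilePermission C:\\srv\\apps\\demo read)",
                "    at java.security.AccessController.checkPermission(Unknown Source)",
                "java.security.AccessControlException: access denied "
                    + "(com.example.DemoPermission getData)",
                "java.security.AccessControlException: access denied "
                    + "(\"java.util.PropertyPermission\" \"demo.setting\" \"write\")",
                "java.security.AccessControlException: access denied "
                    + "(java.io.FilePermission C:\\srv\\apps\\demo read)");
            // Placeholder codeBase: replace with the location of the code that was denied
            System.out.print(toGrantBlock(sample, "file:/PATH/TO/YOUR/APP/-"));
        }
    }
    ```

    The exception message does not name the code source that lacked the permission, so the codeBase has to be filled in by hand; running the server with -Djava.security.debug=access,failure prints the failing protection domain.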

  • Specifying system properties/security manager for OC4J

    I have a couple of related questions regarding OC4J/orion.jar:
    1. Generically, how can we specify system properties to orion.jar? Being an executable JAR, simply using -D does not work.
    2. Specifically, I need to launch the OC4J app server with a Java security manager (with associated security policies, etc.) Java's way of doing this is via -Djava.security.manager=... but this does not work with executable JARs it seems. I tried specifying these parameters via -D and I got a security exception:
    Exception in thread "main" java.security.AccessControlException: access denied (java.util.PropertyP
    rmission java.protocol.handler.pkgs write)
    at java.security.AccessControlContext.checkPermission(Unknown Source)
    at java.security.AccessController.checkPermission(Unknown Source)
    at java.lang.SecurityManager.checkPermission(Unknown Source)
    at java.lang.System.setProperty(Unknown Source)
    at com.evermind.server.ApplicationServer.initProtocolHandlers(ApplicationServer.java:652)
    at com.evermind.server.ApplicationServer.launchCommandline(ApplicationServer.java:319)
    at com.evermind.server.ApplicationServer.main(ApplicationServer.java:314)
    So, how do I install the Java security manager with orion.jar? Is there any other way to specify system properties to this, or is there any other way to install the Java security manager for OC4J?
    Any help much appreciated.
    ..Hrishi

    Thanks, that seemed to work. However it seems that spawned another little problem. I was using the -Xbootclasspath/a option while firing up orion.jar because I needed to append something to OC4J's default classpath (that is specified in orion.jar's Manifest). Now, when I start OC4J with the -D options for the security policy, it seems to ignore the -Xbootclasspath argument. I have not yet been able to confirm this fact, but based on the ClassNotFoundError I'm running into, that does seem to be the problem.
    So I guess my question is, could specifying the -D options to the executable JAR cause it to ignore any other options you may be passing to it (such as -Xbootclasspath)? Is there any sequence in which these args need to be passed?
    Thanks.
    ..Hrishi

    Hi,
    You can try this :
    - Check if you have a file java2.policy in <OC4J_HOME>\config\policy and check if the permission java.util.PropertyPermission "read,write" is granted to <OC4J_HOME>.
    if there is no file, you can create one based on <JAVA_HOME>\lib\security\java.policy and grant the appropriate privileges.
    - Launch OC4J :
    java -Djava.security.manager -Djava.security.policy=<OC4J_HOME>/config/java2.policy -jar orion.jar
    OR java -Djava.security.manager -Djava.security.policy=<PATH_TO_FILE_POLICY>/<YOUR_FILE>.policy -jar orion.jar
    Maher

  • Security manager enabled w/o -Djava.security.manager

    Hi all,
    I am facing an issue where java.policy is being enforced w/o a -Djava.security.manager specified on the command line.
    from ps -ef | grep java, I found the java process and it does not have -Djava.security.manager. However, when I modify jdk/jre/lib/security/java.policy, I can see the effect of the security setting when I restart the java process. I scanned through the source code, I do not find any setSecurityManager() API call either.
    Given the above, does anyone have suggestion on how the security manager is enabled in this case?
    Regards,
    Tom

    System.setProperty("java.security.manager","true");
    System.getProperties().setProperty("java.security.manager","true");
    Properties p = System.getProperties();
    p.setProperty("java.security.manager","true");
    // etc
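
    As an added example (not code from any of the posts or from WebLogic), a probe that can be run inside the affected JVM to answer the question in this thread and in the original WLS question: is a SecurityManager active, and did a launch option or a setSecurityManager() call install it? It assumes a JDK that still ships java.lang.SecurityManager (the API is deprecated for removal since JDK 17); the class name SecurityManagerProbe is hypothetical.

    ```java
    import java.lang.management.ManagementFactory;
    import java.util.ArrayList;
    import java.util.List;

    /** Added example: reports whether a SecurityManager is active and what could have enabled it. */
    public class SecurityManagerProbe {

        /** True for launch options that install or configure the security manager. */
        static boolean isSecurityOption(String arg) {
            return arg.startsWith("-Djava.security.manager")
                || arg.startsWith("-Djava.security.policy");
        }

        /** Picks the security-related options out of a whitespace-separated option string. */
        static List<String> securityOptionsIn(String options) {
            List<String> found = new ArrayList<>();
            if (options == null) return found;
            for (String arg : options.trim().split("\\s+")) {
                if (isSecurityOption(arg)) found.add(arg);
            }
            return found;
        }

        @SuppressWarnings("removal") // SecurityManager is deprecated for removal since JDK 17
        public static void main(String[] args) {
            SecurityManager sm = System.getSecurityManager();
            System.out.println("SecurityManager active: "
                + (sm == null ? "no" : "yes, " + sm.getClass().getName()));

            List<String> sources = new ArrayList<>();
            try {
                // Options the JVM itself received at launch
                for (String arg : ManagementFactory.getRuntimeMXBean().getInputArguments()) {
                    if (isSecurityOption(arg)) sources.add("JVM argument " + arg);
                }
                // Environment variables that can add options without changing the command line
                for (String var : new String[] {
                        "JAVA_TOOL_OPTIONS", "_JAVA_OPTIONS", "JDK_JAVA_OPTIONS"}) {
                    for (String opt : securityOptionsIn(System.getenv(var))) {
                        sources.add(var + " contains " + opt);
                    }
                }
                // Read once during JVM startup; a value set later shows up here
                // without a manager being installed
                String prop = System.getProperty("java.security.manager");
                if (prop != null) {
                    sources.add("system property java.security.manager=\"" + prop + "\"");
                }
            } catch (SecurityException e) {
                // A restrictive policy can deny the probe itself, which also proves a manager is active
                System.out.println("Probe denied: " + e.getMessage());
            }

            for (String s : sources) System.out.println("Found: " + s);
            if (sm != null && sources.isEmpty()) {
                System.out.println("No launch-time source found: look for a "
                    + "System.setSecurityManager() call in application, container or library code");
            }
        }
    }
    ```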

  • Enable security manager netbeans - where/how ?

    How do I enable the java security manager in netbeans ?
    for example -
    the way I do on command line is :
    java -Djava.security.policy=/Desktop/TestSecurity/pol.txt -Djava.security.manager test
    Where do I give these options -Djava.security.policy=/Desktop/TestSecurity/pol.txt -Djava.security.manager while working in netbeans...

    * reply to peter lawrey
    my browser has gone crazy..
    nope,
    the link talks about command line argument, this one is vm argument.
    Edited by: javaflex on Jul 28, 2008 1:31 PM

  • It does not matter what I do, I cannot get Java security settings to allow an applet to run.

    I have gone to just about every extreme possible, and no matter what I do, I cannot get Java to allow an applet to run. I have been trying to do a J-Track on some satellites on the NASA/JPL website, and no matter what I do, and from the totally useless "help" sites here in the Firefox "help" pages, I cannot get the &^%$#@ applet to run.

    Did you try to clear the Java cache?
    *http://www.java.com/en/download/help/5000020300.xml - How do I clear the Java cache?
    *Control Panel > Java > General tab > "Temporary Internet Files" > Settings > Delete Files
    Did you add an exception to the Java security manager?
    *https://support.mozilla.org/kb/how-allow-java-trusted-sites
    *http://www.java.com/en/download/help/appsecuritydialogs.xml

  • Weblogic 6.1 and -Djava.security.manager license failed

    I just tried to run (under jbuilder6), weblogic 6.1 sp3 (evaluation) and I have
    got a :
    $$$$$$$$$$$$$$$$ License Exception $$$$$$$$$$$$$$$$
    Unable to start WebLogic Server !!
    Null public key
    $$$$$$$$$$$$$$$$ License Exception $$$$$$$$$$$$$$$$
    The VM parameters I use are :
    -ms64m -mx64m
    -Djava.library.path=C:/bea/wlserver6.1/bin
    -Dbea.home=C:/bea
    -Dweblogic.Domain=cyradeladomain -Dweblogic.Name=name
    -Djava.security.policy==C:/bea/wlserver6.1/lib/weblogic.policy --Dweblogic.management.password=xxxxxxx
    -Djava.security.manager
    -Djava.security.debug=failure
    Did I miss some VM parameters ? What should I do to bypass this error?
    thanks!

    I'm getting the same problem running weblogic 7.0 with sp 1.
    Any other ideas on how to solve it?
    "kirann" wrote:
    do you need to run the server with java security manager if not required
    then remove -Djava.security.manager
    else given full permission to the code based weblogic is in!
    thanks
    kiran

  • Load security manager by default?

    I'm trying to improve security on Windows XP desktop machines. On the system in question, it is impossible for an ordinary user to run exe or any script files that are not located in specific directories (as per a standard software restriction policy). Unfortunately it seems that this does not apply to jar files since they are just archives which are opened with the java virtual machine. Even if specifically blocking .jar extensions worked, it is still possible to change the file extension and still run it from the command line using eg 'javaw.exe -jar file.txt'.
    It seems like the java security manager would be useful to enforce this, or at least sandbox code from outside the trusted directories, but it seems that java trusts all code on the local machine regardless of where may have come from. While it is possible to specifically call the security manager per run of an application, or even include it in a shortcut or change the default action in windows to call it, it is still very easy to simply use the command line or a shortcut to get around this.
    Is it possible to force the security manager to always run whenever javaw.exe loads? Alternatively, is there any other way to prevent certain java code from executing short of actually removing the JRE (which would disable certain applications and web services)?
    Thanks

    hello, yes you can do that - for the principle method of locking certain preferences please refer to this article: http://kb.mozillazine.org/Locking_preferences
    in your case you'd have to put this line in your lockfile:
    lockPref("signon.rememberSignons", false);

  • Security manager & mention "Java Applet Window"

    A simple program that displays a frame with one button in it.
    The frame displays, no problem.
    When a security manager is added "System.setSecurityManager(new SecurityManager());"
    and the program is run again a "status bar" is added at the bottom of the frame
    mentioning "Java Applet Window".
    Why is that, and can it be suppressed ? (I am working in JDK 1.4)
    Any tip greatly appreciated

    I was dealing with this myself and just discovered that the adding the following line to my security policy removed the message:
    permission java.awt.AWTPermission "showWindowWithoutWarningBanner";
