Java has classes, objects, methods, and bytecode that is run by the Java virtual machine (JVM). Code can come from anywhere:

- the local system, or
- a remote host (mobile code),

and it can arrive signed. Protection domains within the JVM are determined by:

1. the origin of the code, and
2. the signer of the code.

> To decide where the code comes from and whether it should have access, we look at the *policy file*.

```java
// Policy-file syntax: grant blocks keyed by code base and/or signer.
grant codeBase "http://www.game.com/-" {
    permission java.lang.RuntimePermission "screen";
    // the policy syntax requires an action string for SocketPermission; "connect" assumed here
    permission java.net.SocketPermission "server.game.com", "connect";
    permission java.io.FilePermission "/home/highscore", "read,write";
};

grant signedBy "GraphicCo", codeBase "http://www.graphic.com/-" {................};
```

We go from code that came from the (1) game → (2) graphics → (3) Java system libraries.

![[attachments/Screenshot 2023-06-08 at 9.51.23 PM.png]]

#### Stack introspection

Check the stack, and every active invocation. When you are at level (3), you should have the same access granted to (2) graphics and (1) game. Therefore the permission at this level is the minimum (intersection) of the permissions of all the previous levels. If there are multiple objects on the stack, every one of them must have access to perform whatever action is being performed. This is called **stack introspection**. So when our stack is game → graphics → Java systems, each of them must grant permission for the action being performed.

```java
// Walk every protection domain on the call stack; the request is allowed
// only if each domain implies the requested permission.
static boolean checkPermission(Deque<ProtectionDomain> domainStack, Permission toCheck) {
    while (!domainStack.isEmpty()) {
        ProtectionDomain d = domainStack.pop();
        if (!d.implies(toCheck)) return false;
    }
    return true;
}
```

How do we know whether the needed access rights are available?

- It depends on the policy file and on the execution-time path to the point where the request is made.
- We can limit how far back we go in a call path: putting code inside a `doPrivileged` block limits stack introspection to that frame and above.

>[!tip]- Can only the policy file tell us who has access?
>- No, it also depends on the actual code.
>- If someone added a `doPrivileged` block to limit stack introspection, it would change the controls as defined by the policy file for that block.
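As an added example (not from these notes), a small Java model of the stack walk described above, built on real `ProtectionDomain` objects with statically granted permissions. The code bases, the granted permissions and the `privileged` flag on each frame are constructed for the example, and `checkPermission` stands in for the JDK's own `AccessController` logic rather than being it.

```java
import java.io.FilePermission;
import java.net.URL;
import java.security.*;
import java.util.ArrayDeque;
import java.util.Deque;

public class StackIntrospectionDemo {
    // One call-stack frame: the domain whose code is running, and whether
    // that frame entered a doPrivileged block.
    record Frame(ProtectionDomain domain, boolean privileged) {}

    // Constructed domain: code base plus statically granted permissions.
    // The two-argument constructor makes implies() consult only these
    // permissions, so no Policy or SecurityManager is needed to run this.
    static ProtectionDomain domain(String codeBase, Permission... granted) throws Exception {
        Permissions perms = new Permissions();
        for (Permission p : granted) perms.add(p);
        CodeSource cs = new CodeSource(new URL(codeBase), (java.security.cert.Certificate[]) null);
        return new ProtectionDomain(cs, perms);
    }

    // The stack walk from the notes: starting at the most recent frame, every
    // domain must imply the permission. A doPrivileged frame ends the walk,
    // so callers further down the stack are not consulted.
    static boolean checkPermission(Deque<Frame> stack, Permission toCheck) {
        for (Frame f : stack) {                 // ArrayDeque iterates newest push first
            if (!f.domain().implies(toCheck)) return false;
            if (f.privileged()) return true;
        }
        return true;
    }

    public static void main(String[] args) throws Exception {
        ProtectionDomain game = domain("http://www.game.com/");  // no file access granted
        ProtectionDomain graphics = domain("http://www.graphic.com/",
                new FilePermission("/home/highscore", "read,write"));
        ProtectionDomain system = domain("file:/usr/lib/jvm/", new AllPermission());
        Permission write = new FilePermission("/home/highscore", "write");

        // game -> graphics -> system with no doPrivileged: game lacks the right, so denied.
        Deque<Frame> stack = new ArrayDeque<>();
        stack.push(new Frame(game, false));
        stack.push(new Frame(graphics, false));
        stack.push(new Frame(system, false));
        System.out.println("plain call:        " + checkPermission(stack, write));

        // Same path, but graphics wrapped the call in doPrivileged: the walk stops
        // at graphics, which holds the right, so the write proceeds on game's behalf.
        stack = new ArrayDeque<>();
        stack.push(new Frame(game, false));
        stack.push(new Frame(graphics, true));
        stack.push(new Frame(system, false));
        System.out.println("with doPrivileged: " + checkPermission(stack, write));
    }
}
```

The second run is exactly the situation the tip above warns about: the policy file alone says game code cannot write the file, but a `doPrivileged` block in the graphics library decides the outcome for that call.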