Other SecurityManager implementations available?

Is there any other implementation (e.g. in an OSS project) of a Java SecurityManager available which has more features than the one in the JDK?

I'm looking for features like

• configurable at runtime
• policies updateable at runtime, read from other data sources than a security.policy file
• Thread-aware, e.g. different policies per Thread
• Higher-level policies, e.g. "Disable network functions, but allow JDBC traffic"
• Common predefined policies, e.g. "Allow read-access to usual system properties like file.encoding or line.separator, but disallow read-access to user.home"
• Monitoring and audit trace logging, e.g. "Log all file access, log all network access going NOT to knownhost.example.org"
• Blocking jobs "requesting" a permission until an administrator grants permission, letting the thread/job continue
• ...

I'm pretty sure that application servers (at least the commercial ones) have the开发者_Go百科ir own SecurityManager implementation or at least their own policy configuration. I'm wondering if there is any free project with similar requirements.

• Dynamic ProtectionDomains (introduced in 1.4 IIRC), delegate to the modifiable Policy.
• Determining permissions by thread is, erm, tricky. The applet security managaer does it by ThreadGroup, which is generally considered a bad thing.
• You can allow connections to specific ports. Similarly you can have a privileged JDBC driver that perhaps proxies onto another driver asserting particular privileges through AccessController.doPrivileged.
• Permissions for system properties can be specified for each individual key.
• AccessController in the Sun/Oracle implementation does have tracing features.
• Applets/WebStart will show a dialog on, for instance, printing. But the JNLP services approach is much better.

"Glossitope" attempted to have a system that sprung up a dialog box every time a permission was requested. Of course, the request makes no sense to the user that just wants to see the dancing pigs. (Glossitope was an attempt at a Java version of the Vista side panel thing. The features added to 6u10 (drag-and-drop install, non-rectangular windows, warning icon instead of banner, JNLP services) make it mostly redundant.)

I'm not aware of a standalone SecurityManager project. Any application server (JBoss, Glassfish) will contain one to control what a loaded application can do.

Here are some links I found on the subject of rolling your own:

• Writing a Security Manager
• Java2s SecurityManager examples
• Java World: Java Tip 20 - a bit old, but a interesting (ab)use of a SM