Java Speech API 2.0 Security

Addendum to the Java Speech API 2.0 (JSR 113)

Preface

This document, Java Speech API 2.0 Security, is an addendum to the Java Speech API 2.0 (JSAPI 2.0) for the JavaTM Platform, Micro Edition. This addendum specifically addresses security for the Mobile Information Device Profile (MIDP) version 2 (JSR 118), the Connected Device Configuration (CDC), Version 1 (JSR 36), and platforms using java.security.Permissions in general.

The terminology used herein is defined by the above specifications except where noted.

Who Should use this Document

The audience for this document is the Java Community Process (JCP) experts, implementers of JSAPI 2.0, application developers using MIDP or CDC and JSAPI 2.0, service providers deploying MIDP or CDC applications, and wireless operators deploying the infrastructure to support MIDP or CDC devices. This document specifically targets network operators, manufacturers, and service and application providers operating in GSM and UMTS networks.

Scope of this Document

This document identifies the security concerns of JSAPI 2.0 and the corresponding security policy identifiers (permission names) when used in conjunction with MIDP2, CDC, or platforms using java.security.Permissions in general.

The security framework and how it functions are specified and implemented by the implementing platform (e.g., MIDP2 or CDC).

Implementations of JSAPI 2.0 must follow the security definitions for the implementing platform as described in this document.

General

The JSAPI 2.0 specification does not define an independent security framework. Implementations of JSAPI 2.0 are subject to the security mechanisms of the underlying implementing platform. Some methods of JSAPI 2.0 specify that a SecurityException will be thrown when called without the appropriate security permissions from the caller.

An implementation MUST guarantee that:

  1. the SecurityException is thrown when the caller does not have the appropriate security permissions to execute the method; and
  2. the method can be used when the appropriate permissions are granted.

Security Concerns

The following table summarizes the security concerns for JSAPI 2.0. In order to perform any security sensitive actions using JSAPI 2.0, the application MUST be granted permission to do so.

JSAPI 2.0 Permissions
Security Concern Permission
Access to AudioSegments. javax.speech.AudioSegment.openInputStream
Changes to default audio behavior. javax.speech.AudioManager.control
Conversion of audio into text. javax.speech.recognition.Recognizer.allocate
Application additions to default Engine support. javax.speech.EngineManager.registerEngineListFactory
Manipulation of speaker information. javax.speech.recognition.SpeakerManager
Access to speaker information. javax.speech.recognition.SpeakerProfile
Changes to models of tokens. javax.speech.recognition.FinalResult.tokenCorrection
Updates to default vocabulary. javax.speech.VocabularyManager.update

The following table shows the correspondence between a permission, the corresponding methods that require the permission in JSAPI 2.0, and the Function Group as defined in MIDP2. The Function Group mapping provides a user-friendly way of indicating acceptance at a higher level than the individual permissions.

JSAPI 2.0 Permissions and Methods
Permission Permitted API Calls Function Group
javax.speech.AudioSegment.openInputStream AudioSegment.openInputStream() Multimedia recording
javax.speech.AudioManager.control AudioManager.setMediaLocator()
AudioManager.audioStart()
AudioManager.audioStop()		 Multimedia recording
javax.speech.EngineManager.registerEngineListFactory EngineManager.registerEngineListFactory() Multimedia recording
javax.speech.recognition.Recognizer.allocate Recognizer.allocate() Multimedia recording
javax.speech.recognition.SpeakerManager Recognizer.getSpeakerManager() Write User Data Access
javax.speech.recognition.SpeakerProfile RecognizerMode.getSpeakerProfiles() Read User Data Access
javax.speech.recognition.FinalResult.tokenCorrection FinalResult.tokenCorrection() Write User Data Access
javax.speech.VocabularyManager.update VocabularyManager.addWord()
VocabularyManager.addWords()
VocabularyManager.removeWord()
VocabularyManager.removeWords()		 Write User Data Access

Implementations using security permissions based on java.security.Permission (e.g., CDC) must include the class javax.speech.SpeechPermission. In this case, an "action" is used rather than a permission. Implementations of the methods corresponding to the permissions MUST perform permission checks.

JSAPI 2.0 Actions corrsponding to Permissions
Permission Action
javax.speech.AudioSegment.openInputStream "AudioSegment.openInputStream"
javax.speech.AudioManager.control "AudioManager.control"
javax.speech.recognition.Recognizer.allocate "Recognizer.allocate"
javax.speech.EngineManager.registerEngineListFactory "EngineManager.registerEngineListFactory"
javax.speech.recognition.SpeakerManager "SpeakerManager"
javax.speech.recognition.SpeakerProfile "SpeakerProfile"
javax.speech.recognition.FinalResult.tokenCorrection "FinalResult.tokenCorrection"
javax.speech.VocabularyManager.update "VocabularyManager.update"

In addition to the permissions defined by JSAPI 2.0, other permissions may be needed as well. For example, if an implementation uses JSR 135 as part of the AudioManager implementation, then security settings related to JSR 135 may affect the JSAPI 2.0 implementation. Also, for JSAPI 2.0 implemented on MIDP2, methods that access content on an HTTP server MUST follow the MIDP2 security practices for network access.

References
Free Web Hosting