The java.security.AccessController
class is part of Java's security mechanism, and ; it is responsible for enforcing whatever security policy is applied to code. This class's static method doPrivileged()
can be used to execute a block of code while relaxing a security policy. So the block of code effectively runs with elevated privileges.
Consequently, any method that contains a doPrivileged()
method call must assume responsibility for enforcing its own security on the code block supplied to doPrivileged()
. Likewise any code in the {[doPrivileged()}} method must take care to prevent sensitive information from leaking out of a trust boundary. This may indicate that said information must not escape from the doPrivileged()
block itself, or it may be permitted within part of the application and excluded from other parts.
For example, suppose that a web application must maintain a sensitive file of passwords for a web service, and suppose further that it must also run untrusted code as well. The application could then enforce a security policy preventing most of itself, including any the majority of its own code, and all untrusted code, from accessing the sensitive file. But since Because it must also provide mechanisms for adding and changing passwords, it can use the doPrivileged()
method to temporarily bypass its own security policy for the purpose of managing passwords. In this case, any privileged block must prevent any information about passwords from being accessible to untrusted code.
...
Compliant Solution (Hiding Exceptions)
The Both the previous noncompliant code example and the previous compliant solution would both throw a FileNotFoundException
if when the password file did not existis missing. But suppose that the existence of the password file is considered sensitive information, and should not be thrown revealed to potentially untrusted code?
This compliant solution suppresses the exception, using a null return value to indicate that the file does not exist. It uses the simpler PrivilegedAction
class rather than PrivilegedExceptionAction
, because it does not allow any exceptions to propagate to prevent exceptions from propagating out of the doPrivileged()
block.
...
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="919a9b9a4a06c9ea-56c8b28d-4b7443f1-a50f9243-bb9d9921bf9f89f0b2bdb1f5"><ac:plain-text-body><![CDATA[ | [[API 2006 | AA. Bibliography#API 06]] | [method doPrivileged() | http://java.sun.com/javase/6/docs/api/java/security/AccessController.html#doPrivileged(java.security.PrivilegedAction)] | ]]></ac:plain-text-body></ac:structured-macro> |
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="24f2114b5de6af8f-3d008855-4bac46ec-b726a87b-73cdf1f7b06693600a49f2b1"><ac:plain-text-body><![CDATA[ | [[Gong 2003 | AA. Bibliography#Gong 03]] | Sections 6.4, AccessController and 9.5 Privileged Code | ]]></ac:plain-text-body></ac:structured-macro> |
...