Comment: bumped back to review1, see comment

The static method java.security.AccessController.doPrivileged() asserts that the invoking method takes responsibility for enforcing its own privileges and that the access permissions of its callers should be ignored. For example, an application could have permission to operate on a sensitive file while a caller of the application is allowed only the basic permissions. Invoking doPrivileged() in this context lets the caller operating with basic permissions have the privileged application use the sensitive file on its behalf, for example, when a user password change request requires an unprivileged application to use a more privileged application to set the new password. Because the permission check stops at the privileged frame, anything the block returns or throws is handed to a caller whose own permissions were never consulted, so it must not carry sensitive information.

This rule concerns sensitive information escaping from a doPrivileged() block. For information about untrusted information entering a doPrivileged() block, see SEC01-J. Do not allow tainted variables in doPrivileged blocks.

Noncompliant Code Example

In this noncompliant code example, the doPrivileged() method is called from the openPasswordFile() method. The openPasswordFile() method is privileged and returns a FileInputStream for the sensitive password file to its caller. Because the method is public, it can be invoked by an untrusted caller, who then holds an open stream on a file that its own permissions would never have allowed it to open.

...

This compliant solution mitigates the vulnerability by declaring openPasswordFile() to be private. Consequently, an untrusted caller can call changePassword() but cannot directly invoke openPasswordFile(), so the stream for the password file is never handed to code outside the class.

Code Block
import java.io.FileInputStream;

class Password {
  // Public entry point: a caller holding only basic permissions may call
  // this, but the privileged file stream never escapes to it.
  public static void changePassword() {
    // ...
  }

  // Private: reachable only from within Password, so an untrusted caller
  // cannot obtain the FileInputStream directly.
  private static FileInputStream openPasswordFile() {
    // ...
  }
}

...

If none of the possible exceptions reveals sensitive information, however, an equivalent mechanism can be used that wraps the exception to provide better diagnostic information to the caller: doPrivileged() with a PrivilegedExceptionAction, which wraps any checked exception thrown by run() in a PrivilegedActionException. For example, an applet that lacks read access to the system directories that contain fonts can read the font files from a privileged block without revealing any sensitive information. When non-sensitive exceptions carry more detail, the client is better able to recognize the symptoms of a read failure.
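The following is an added example, not code from the CERT page. It shows both points made above in one class: the FileInputStream opened under the class's own privileges stays inside run() and only a derived, non-sensitive value (the font's size) is returned, as in the Password compliant solution, and the checked exception from run() is caught as a PrivilegedActionException and replaced by a bare symptom before it reaches the caller. The font directory, the FontLoadException type, and the default font name are assumptions made for illustration; the input check before the privileged block is the SEC01-J concern the text refers to.

```java
import java.io.FileInputStream;
import java.io.FileNotFoundException;
import java.io.IOException;
import java.io.InputStream;
import java.security.AccessController;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;

// Added example; not code from the CERT page. FONT_DIR and FontLoadException
// are assumptions made for illustration.
public final class FontLoader {

  /** Non-sensitive exception handed to the caller: no path, no cause chain. */
  public static final class FontLoadException extends Exception {
    public FontLoadException(String message) {
      super(message);
    }
  }

  private static final String FONT_DIR = "/usr/share/fonts/"; // assumed location

  /**
   * Reads a system font file that the caller may lack permission to read and
   * returns its size in bytes. The FileInputStream opened under our privileges
   * never escapes run(); neither does the raw IOException.
   */
  public static int loadFont(final String fontName) throws FontLoadException {
    // SEC01-J: reject caller-controlled input before it reaches privileged code,
    // so the caller cannot steer the privileged read to another file.
    if (fontName == null || fontName.isEmpty()
        || fontName.indexOf('/') >= 0 || fontName.indexOf('\\') >= 0
        || fontName.contains("..")) {
      throw new FontLoadException("invalid font name");
    }
    try {
      return AccessController.doPrivileged(
          new PrivilegedExceptionAction<Integer>() {
            @Override
            public Integer run() throws IOException {
              // Keep the privileged region minimal: open, count, close.
              try (InputStream in = new FileInputStream(FONT_DIR + fontName)) {
                byte[] buf = new byte[8192];
                int total = 0;
                int n;
                while ((n = in.read(buf)) != -1) {
                  total += n;
                }
                return total;
              }
            }
          });
    } catch (PrivilegedActionException e) {
      // getException() is the checked IOException thrown by run(). A
      // FileNotFoundException message contains the absolute path, so it is
      // kept on the privileged side and replaced by a symptom the caller may see.
      Exception cause = e.getException();
      String symptom = (cause instanceof FileNotFoundException)
          ? "font not found" : "font could not be read";
      // logger.log(Level.FINE, "privileged font read failed", cause); // internal only
      throw new FontLoadException(symptom + ": " + fontName);
    }
  }

  public static void main(String[] args) {
    String name = args.length > 0 ? args[0] : "DejaVuSans.ttf"; // assumed default
    try {
      System.out.println(name + ": " + loadFont(name) + " bytes");
    } catch (FontLoadException e) {
      System.out.println(e.getMessage()); // caller sees only the sanitized symptom
    }
  }
}
```

The caller learns whether the font was missing or unreadable, which is enough to diagnose the failure, but never the directory that was searched or the underlying exception. Note that AccessController and the SecurityManager it depends on are deprecated for removal as of Java 17 (JEP 411); the code still compiles, with deprecation warnings, on current JDKs.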

...


...