Page History

The permission java.security.AllPermission implies all permissions and grants all possible permissions to code. This facility was included for routine testing purposes to make it less cumbersome to deal with a multitude of permissions and for use when the code is completely trusted. Code is typically granted AllPermission using the security policy file but it is also possible to associate AllPermission with a ProtectionDomain, programatically. This permission is dangerous in production environments and must never be granted to untrusted code.

Noncompliant Code Example (Security Policy File)

This noncompliant example grants AllPermission to the klib library.

// Grant the klib library AllPermission  
grant codebase "file:${klib.home}/j2se/home/klib.jar" { 
  permission java.security.AllPermission; 
}; 

The permission itself is specified in the security policy file used by the security manager. Alternatively, a permission object can be obtained in the code by subclassing the java.security.Permission class (or any subclass such as BasicPermission). AllPermission can be granted to a ProtectionDomain using such an object. This is again a bad practice.

Compliant Solution

This compliant solution shows a policy file that can be used to enforce fine-grained permissions.

grant codeBase "file:${klib.home}/j2se/home/klib.jar", signedBy "Admin" {
  permission java.io.FilePermission "/tmp/*", "read";
  permission java.io.SocketPermission "*", "connect";
};

To check whether the caller has the requisite permissions, standard Java APIs use code such as the following:

// Security manager code
perm = new java.io.FilePermission("/tmp/JavaFile", "read");
AccessController.checkPermission(perm);
// ...

Always assign appropriate permissions to code. When more control over the granularity of permissions is required, define custom permissions. (See guideline SEC10-J. Define custom security permissions for fine grained security for more information.)

Noncompliant Code Example (PermissionCollection)

This noncompliant example shows an overridden getPermissions() method, defined in a custom class loader. It grants java.security.AllPermission to any class that it loads.

protected PermissionCollection getPermissions(CodeSource cs) {
  PermissionCollection pc = new Permissions();
  pc.add(new java.security.AllPermission());   
  // other permissions
  return pc;
}

This example also violates guideline SEC11-J. Call the superclass's getPermissions method when writing a custom class loader.

Compliant Solution

This compliant solution does not grant the java.security.AllPermission to any class that it loads.

protected PermissionCollection getPermissions(CodeSource cs) {
  PermissionCollection pc = super.getPermissions(cs);
  // add fine-grained permissions
  return pc;
}

Exceptions

ENV03-EX1: It may be necessary to grant AllPermission to trusted library code so that callbacks work as expected. For example, it is a common practice to grant AllPermission to the optional Java packages (extension libraries):

// Standard extensions extend the core platform and are granted all permissions by default
grant codeBase "file:${{java.ext.dirs}}/*" {
  permission java.security.AllPermission;
};

Risk Assessment

Granting AllPermission to untrusted code allows it to perform privileged operations.

Automated Detection

TODO

Related Vulnerabilities

CVE-2007-5342

References

\[[API 2006|AA. Java References#API 06]\] [Class AllPermission|http://java.sun.com/javase/6/docs/api/java/security/AllPermission.html]
\[[Gong 2003|AA. Java References#Gong 03]\]
\[[Security 2006|AA. Java References#Security 06]\] [Security Architecture|http://java.sun.com/javase/6/docs/technotes/guides/security/spec/security-spec.doc.html]

ENV02-J. Create a secure sandbox using a Security Manager      01. Runtime Environment (ENV)      ENV04-J. Do not grant ReflectPermission with target suppressAccessChecks