...

Many of the Java SE APIs perform security manager checks by default before performing sensitive operations. For example, the constructor of class java.io.FileInputStream throws a SecurityException if the caller does not have the permission to read a file. Because SecurityException is a subclass of RuntimeException, the declarations of some API methods (e.g. those of the java.io.FileReader class) may lack a throws clause that lists the SecurityException. Avoid depending on the presence or absence of security manager checks that are not specified in the API method's documentation.

Noncompliant Code Example (Command Line Installation)

This noncompliant code example fails to install the security manager from the command line.

```shell
java LocalJavaApp
```

Compliant Solution (Default Policy File)

Any Java program can attempt to install a SecurityManager programmatically; a default global security manager may forbid this operation. Applications designed to run locally can specify a default global security manager by use of a flag on the command line at invocation.

...

The default security policy file, java.policy, is found in the /path/to/java.home/lib/security directory on UNIX-like systems and in the equivalent location on Microsoft Windows systems. It grants a few permissions (reading system properties, binding to unprivileged ports, and so forth). There may also be a user-specific policy file in the user's home directory. The union of these policy files specifies the permissions granted to a program. The java.security file specifies which policy files are used. If either the system-wide java.policy or the java.security file is deleted, no permissions are granted to the executing Java program.

Compliant Solution (Custom Policy File)

Use double equals (==) rather than single equals (=) when overriding the global Java security policy file with a custom policy file: with a single =, the custom file is added to the policy files already listed in java.security, whereas with == it replaces them.

```shell
java -Djava.security.manager -Djava.security.policy==policyURL LocalJavaApp
```
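The following probe makes the difference between = and == observable, and also shows the explicit handling of the unchecked SecurityException mentioned at the top of this page. It is an added example, not code from the CERT page: the policy file custom.policy and the invocation paths are constructed for it, and it assumes a JDK on which the security manager is still available (it was deprecated in JDK 17 and removed in JDK 24). The custom policy grants only a read of the user.dir property; java.version is granted by the default java.policy and nothing else grants the file read.

```java
// Added example (not part of the CERT page). Assumed custom policy file,
// custom.policy, constructed for this probe:
//
//   grant {
//       permission java.util.PropertyPermission "user.dir", "read";
//   };
//
// Assumed invocations (same class, two policy-property spellings):
//   java -Djava.security.manager -Djava.security.policy=custom.policy  PolicyProbe
//   java -Djava.security.manager -Djava.security.policy==custom.policy PolicyProbe
//
// Expected: "read user.dir" is true in both runs (granted by custom.policy),
// "read java.version" is true only with = (union with the default java.policy)
// and false with == (custom.policy alone), and the file read is false in both.
import java.io.FilePermission;
import java.security.Permission;
import java.util.PropertyPermission;

public class PolicyProbe {

    /** Returns true if the policy in effect grants p, false if the check is denied. */
    static boolean granted(Permission p) {
        SecurityManager sm = System.getSecurityManager();
        if (sm == null) {
            // No security manager: nothing is ever checked, so every
            // permission "passes". A sandboxed program should treat this as a fault.
            return true;
        }
        try {
            sm.checkPermission(p);
            return true;
        } catch (SecurityException se) {
            // SecurityException is unchecked, so the method that performs the
            // sensitive operation need not declare it; catch it explicitly.
            return false;
        }
    }

    public static void main(String[] args) {
        System.out.println("security manager installed: "
                + (System.getSecurityManager() != null));
        System.out.println("read user.dir:     "
                + granted(new PropertyPermission("user.dir", "read")));
        System.out.println("read java.version: "
                + granted(new PropertyPermission("java.version", "read")));
        System.out.println("read /etc/passwd:  "
                + granted(new FilePermission("/etc/passwd", "read")));
    }
}
```

Running the class with no -Djava.security.manager at all reports every permission as granted, which is the failure mode of the noncompliant command line above: the absence of a manager is indistinguishable from an all-permissive policy unless the program checks for it.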

Compliant Solution (Additional Policy Files)

The appletviewer automatically installs a security manager with the standard policy file. To specify additional policy files, use the -J flag.

...

Note that the policy file specified in the argument is ignored when the policy.allowSystemProperty property in the security properties file (java.security) is set to false; the default value of this property is true. The document "Default Policy Implementation and Policy File Syntax" [Policy 2002] discusses in depth the issues of and syntax for writing policy files.

Noncompliant Code Example (Programmatic Installation)

When the SecurityManager API is used instead of the command line to install the security manager, there are instances where the appropriate checks are omitted.

...

```java
try {
  // Passing null removes any installed security manager, so every
  // subsequent security check in the JVM is skipped.
  System.setSecurityManager(null);
} catch (SecurityException se) {
  // cannot set security manager, log to file
}
```

Compliant Solution (Default Security Manager)

This compliant solution instantiates and sets the default security manager.

```java
try {
  // Installs the default manager; if one is already installed, this call
  // requires RuntimePermission "setSecurityManager" and otherwise throws.
  System.setSecurityManager(new SecurityManager());
} catch (SecurityException se) {
  // cannot set security manager, log to file
}
```

Compliant Solution (Custom Security Manager)

This compliant solution demonstrates how a custom SecurityManager class called CustomSecurityManager can be instantiated by invoking its constructor with a password; this security manager is then installed as the security manager.

...

After this code executes, APIs that perform security checks use the custom security manager. As noted earlier, custom security managers should be installed only when the default security manager lacks the required functionality.
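The two compliant solutions above leave open how a program should behave when installation fails or when a manager is already present. The following is an added example, not code from the CERT page or from any CERT project: it installs a manager only when none is in place, fails closed otherwise, and uses a custom subclass (AuditingSecurityManager, a name chosen here) whose only addition over the default manager is to record denied checks before rethrowing. The password-protected CustomSecurityManager of the page is not reproduced. It assumes a JDK that still supports the security manager; JDK 18 and later additionally require -Djava.security.manager=allow for runtime installation.

```java
// Added example (not part of the CERT page). Class and method names are
// chosen for this illustration.
import java.security.Permission;

public class SandboxInstaller {

    /**
     * Custom manager that only adds auditing: every denied check is written
     * to System.err and then rethrown. The policy decision itself is left to
     * the default SecurityManager implementation.
     */
    static final class AuditingSecurityManager extends SecurityManager {
        @Override
        public void checkPermission(Permission perm) {
            try {
                super.checkPermission(perm);   // standard policy-based decision
            } catch (SecurityException se) {
                // Writing to the already-open System.err needs no permission,
                // so this cannot recurse into another denied check.
                System.err.println("denied: " + perm);
                throw se;                      // never swallow the denial
            }
        }
    }

    /**
     * Installs candidate unless a manager is already present.
     * Returns the manager in effect afterwards, or null if none could be installed.
     */
    static SecurityManager ensureInstalled(SecurityManager candidate) {
        SecurityManager current = System.getSecurityManager();
        if (current != null) {
            // Replacing an installed manager needs RuntimePermission
            // "setSecurityManager"; respect the one already in place instead.
            return current;
        }
        try {
            System.setSecurityManager(candidate);
        } catch (SecurityException se) {
            System.err.println("cannot install security manager: " + se);
        } catch (UnsupportedOperationException e) {
            // JDK 18 and later refuse runtime installation unless the JVM
            // was started with -Djava.security.manager=allow.
            System.err.println("runtime installation disallowed: " + e);
        }
        return System.getSecurityManager();
    }

    public static void main(String[] args) {
        SecurityManager sm = ensureInstalled(new AuditingSecurityManager());
        if (sm == null) {
            // Fail closed: the rest of the program must not run unsandboxed.
            System.err.println("refusing to run without a security manager");
            System.exit(1);
        }
        try {
            // Assumed: the policy in effect does not grant a read of user.home,
            // so the manager denies it and the denial appears on System.err.
            System.getProperty("user.home");
        } catch (SecurityException se) {
            // SecurityException is unchecked; handle it where the operation is
            // optional rather than letting it propagate silently.
            System.out.println("user.home not readable under the current policy");
        }
    }
}
```

Assumed invocation: java -Djava.security.manager=allow SandboxInstaller (JDK 18 and later) or plain java SandboxInstaller on older JDKs. Starting the JVM with -Djava.security.manager instead exercises the "already installed" branch, which is the preferred route for applications designed to run locally, as the page notes.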

Risk Assessment

All Java security depends on the existence of a SecurityManager. In the absence of a SecurityManager, arbitrary code can execute, which can include code provided by an attacker.

| Guideline | Severity | Likelihood | Remediation Cost | Priority | Level |
|-----------|----------|------------|------------------|----------|-------|
| ENV02-J   | high     | probable   | low              | P18      | L1    |

Automated Detection

Programmatic detection of the presence or absence of a SecurityManager at runtime is straightforward. Static analysis can address the presence or absence of code that would attempt to install a SecurityManager if the code were executed. Checking whether the SecurityManager is installed early enough, specifies the desired properties, or is guaranteed to be installed may be possible in some special cases, but is not feasible in full generality.

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this guideline on the CERT website.

Related Guidelines

MITRE CWE: CWE-358 "Improperly Implemented Security Check for Standard"

Bibliography

[API 2006] Class SecurityManager (http://java.sun.com/javase/6/docs/api/java/lang/SecurityManager.html), Class AccessControlContext, Class AccessController
[Gong 2003] Section 6.1, "Security Manager"
[Pistoia 2004] Section 7.4, "The Security Manager"
[Policy 2002]
[SecuritySpec 2008] Section 6.2, "SecurityManager versus AccessController"

...