The java.security.AllPermission class grants all possible permissions to the caller. This facility was included for routine testing purposes, to make it less cumbersome to deal with a multitude of permissions, or for use when the code is completely trusted. It should never be used in production code.
...
Noncompliant Code Example
This noncompliant example grants AllPermission to a library (klib). The permission itself is specified in the security policy file used by the security manager. Alternatively, a permission object can be obtained in the code by subclassing the Permission class (or any subclass like BasicPermission) in the java.security package.
```
/* grant the klib library AllPermission */
grant codebase "file:${klib.home}/j2ee/home/klib.jar" {
    permission java.security.AllPermission;
};
```
Compliant Solution
The policy file can be signed and made to provide more restrictive permissions.
...
```java
// security manager code
java.security.Permission perm = new java.io.FilePermission("/tmp/JavaFile", "read");
// other code
```
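One way to check a policy file for the grant shown in the noncompliant example, added here as an illustration and not taken from the original page: the script below scans policy text for grant entries that include java.security.AllPermission. The sample policy (apart from the klib entry), the app.jar and example.com code bases, and all function names are constructed for this example.

```python
import re

# Constructed sample policy: the page's klib grant plus constructed entries.
SAMPLE_POLICY = r'''
/* grant the klib library AllPermission */
grant codeBase "file:${klib.home}/j2ee/home/klib.jar" {
    permission java.security.AllPermission;
};
// constructed: least-privilege grant for a hypothetical signed app.jar
grant signedBy "ops", codeBase "file:/opt/app/app.jar" {
    permission java.io.FilePermission "/tmp/JavaFile", "read";
};
grant {
    // permission java.security.AllPermission;   (commented out)
    permission java.util.PropertyPermission "os.name", "read";
};
grant codeBase "http://example.com/lib/-" { permission java.security.AllPermission; };
'''

# Quoted strings are matched first so "//" and "{" inside them are left alone.
TOKEN = re.compile(r'"[^"]*"|/\*.*?\*/|//[^\n]*', re.S)
GRANT = re.compile(r'\bgrant\b(?P<head>(?:[^{"]|"[^"]*")*)\{'
                   r'(?P<body>(?:[^}"]|"[^"]*")*)\}', re.I)
HEAD_FIELD = re.compile(r'\b(codeBase|signedBy)\s+"([^"]*)"', re.I)
ALL_PERM = re.compile(r'(?i:permission)\s+java\.security\.AllPermission\b')

def strip_comments(text):
    """Remove /* */ and // comments but keep quoted strings untouched."""
    return TOKEN.sub(lambda m: m.group(0) if m.group(0).startswith('"') else ' ', text)

def audit_policy(text):
    """Return one (codeBase, signedBy, grants_all) tuple per grant entry."""
    findings = []
    for m in GRANT.finditer(strip_comments(text)):
        head = {k.lower(): v for k, v in HEAD_FIELD.findall(m.group('head'))}
        # A grant body is a list of ';'-terminated permission statements.
        grants_all = any(ALL_PERM.match(s.strip()) for s in m.group('body').split(';'))
        findings.append((head.get('codebase', '<all code>'), head.get('signedby'), grants_all))
    return findings

def violations(text):
    """Code bases that are granted AllPermission."""
    return [cb for cb, _signer, grants_all in audit_policy(text) if grants_all]

if __name__ == '__main__':
    for cb in violations(SAMPLE_POLICY):
        print('AllPermission granted to:', cb)
```

The check is textual only: it does not expand properties such as ${klib.home} and does not see permissions constructed in code.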
...
Risk Assessment
TODO
Rule | Severity | Likelihood | Remediation Cost | Priority | Level |
---|---|---|---|---|---|
SEC31-J | ?? | ?? | ?? | P?? | L?? |
Automated Detection
TODO
Search for vulnerabilities resulting from the violation of this rule on the CERT website.