...
This noncompliant code example instantiates a Hashtable and defines a removeEntry() method to allow the removal of its entries. This method is considered sensitive, perhaps because the hash table might contain sensitive information. However, the method is public and nonfinal, which leaves it exposed to malicious callers.
```java
import java.util.Hashtable;

class SensitiveHash {
  Hashtable<Integer, String> ht = new Hashtable<Integer, String>();

  // Sensitive operation: public, nonfinal, and performed without any
  // security check, so any caller can remove entries
  public void removeEntry(Object key) {
    ht.remove(key);
  }
}
```
...
This compliant solution installs a security check to protect entries from being maliciously removed from the Hashtable instance. A SecurityException is thrown if the caller lacks the java.security.SecurityPermission removeKeyPermission.
...
The SecurityManager.checkSecurityAccess() method determines whether the action controlled by the particular permission is allowed.
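The following is an added example, not the rule's own compliant code: SensitiveHash with the check described above, using the permission name removeKeyPermission from the rule text. The DenyRemoveKeyManager class and the demo main are a constructed harness so the block runs on its own; in a real deployment the grant decision comes from the installed Policy, not from an overriding SecurityManager subclass.

```java
import java.security.Permission;
import java.security.SecurityPermission;
import java.util.Hashtable;

// Added example: the compliant SensitiveHash, guarded by checkSecurityAccess()
class SensitiveHash {
    private final Hashtable<Integer, String> ht = new Hashtable<>();

    public void removeEntry(Object key) {
        SecurityManager sm = System.getSecurityManager();
        if (sm != null) {
            // checkSecurityAccess(target) builds a
            // java.security.SecurityPermission(target) and calls
            // checkPermission() on it; a caller whose context lacks the
            // permission gets a SecurityException before ht is touched.
            sm.checkSecurityAccess("removeKeyPermission");
        }
        ht.remove(key);
    }

    public void putEntry(Integer key, String value) {
        ht.put(key, value);
    }

    public int size() {
        return ht.size();
    }
}

// Constructed demo harness (assumption, not part of the rule): a manager that
// denies only SecurityPermission "removeKeyPermission" and allows everything
// else. A real deployment expresses the grant in the policy file instead, e.g.
//   grant codeBase "file:/trusted/-" {
//       permission java.security.SecurityPermission "removeKeyPermission";
//   };
class DenyRemoveKeyManager extends SecurityManager {
    @Override
    public void checkPermission(Permission perm) {
        if (perm instanceof SecurityPermission
                && "removeKeyPermission".equals(perm.getName())) {
            throw new SecurityException("caller lacks " + perm);
        }
        // every other permission is granted for this demo
    }
}

public class SensitiveHashDemo {
    public static void main(String[] args) {
        SensitiveHash h = new SensitiveHash();
        h.putEntry(1, "secret");

        // Java 18 and later require -Djava.security.manager=allow for this call
        System.setSecurityManager(new DenyRemoveKeyManager());
        try {
            h.removeEntry(1);
            System.out.println("removed (unexpected)");
        } catch (SecurityException e) {
            System.out.println("blocked: " + e.getMessage() + ", size=" + h.size());
        }
    }
}
```

The entry survives because the check runs before ht.remove(); a check placed after the removal would still throw but would no longer protect the data.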
Noncompliant Code Example (check*())
...
- eliminating the need to hard-code names of checks in method names;
- encapsulating the complicated algorithms and code for examining the Java runtime in a single checkPermission() method;
- supporting introduction of additional permissions by subclassing the Permission class.
...
This compliant solution shows the single-argument checkPermission() method and allows files in the local directory with the .dtd extension to be read. DTDPermission is a custom permission that enforces this level of access. Even if the java.io.FilePermission is granted to the application with the action "read", DTD files are subject to additional access control.
```java
SecurityManager sm = System.getSecurityManager();
if (sm != null) {
  // check whether the file can be read
  DTDPermission perm = new DTDPermission("/local/", "readDTD");
  sm.checkPermission(perm);
}
```
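The rule names DTDPermission but does not show it. The block below is an added example, not the rule's code, of one hypothetical way to write such a Permission subclass and the guarded read that uses it. The design assumptions are mine: the permission name is a POSIX path, a name ending in "/" is a directory grant that implies .dtd files and subdirectories beneath it, the only action is "readDTD", and the path is normalised before the prefix check so a traversal like "/local/../etc/x.dtd" is not implied by "/local/". The anonymous SecurityManager in main is a constructed harness; in practice the grant would sit in the policy file (permission DTDPermission "/local/", "readDTD";).

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.Permission;
import java.util.Objects;

// Hypothetical DTDPermission (added example). Name = path, action = "readDTD".
final class DTDPermission extends Permission {
    private static final String ACTION = "readDTD";

    DTDPermission(String path, String actions) {
        super(path);
        if (!ACTION.equals(actions)) {
            throw new IllegalArgumentException("unsupported action: " + actions);
        }
    }

    @Override
    public boolean implies(Permission p) {
        if (!(p instanceof DTDPermission)) {
            return false;
        }
        String granted = getName();
        String wanted = p.getName();
        if (granted.endsWith("/")) {
            // directory grant: .dtd files and subdirectories under it
            return wanted.startsWith(granted)
                && (wanted.endsWith(".dtd") || wanted.endsWith("/"));
        }
        return granted.equals(wanted);
    }

    @Override public String getActions() { return ACTION; }

    @Override
    public boolean equals(Object o) {
        return o instanceof DTDPermission
            && getName().equals(((DTDPermission) o).getName());
    }

    @Override public int hashCode() { return Objects.hash(getName(), ACTION); }
}

final class DTDReader {
    // Sensitive operation: read a DTD only after the custom permission check
    static String readDtd(String file) throws IOException {
        // Normalise before checking so ".." segments cannot defeat the prefix test
        Path p = Paths.get(file).toAbsolutePath().normalize();
        SecurityManager sm = System.getSecurityManager();
        if (sm != null) {
            // Applied even when java.io.FilePermission "read" is already granted
            sm.checkPermission(new DTDPermission(p.toString(), "readDTD"));
        }
        return Files.readString(p);
    }
}

public class DTDDemo {
    // Constructed grant: only files under /local/ may be read as DTDs
    static final DTDPermission GRANTED = new DTDPermission("/local/", "readDTD");

    public static void main(String[] args) {
        // Demo harness: consults GRANTED for DTDPermission, permits all else.
        // Java 18 and later require -Djava.security.manager=allow.
        System.setSecurityManager(new SecurityManager() {
            @Override
            public void checkPermission(Permission perm) {
                if (perm instanceof DTDPermission && !GRANTED.implies(perm)) {
                    throw new SecurityException("denied " + perm);
                }
            }
        });
        String[] requests = {"/local/schema.dtd", "/local/../etc/evil.dtd", "/local/notes.txt"};
        for (String f : requests) {
            try {
                DTDReader.readDtd(f);
                System.out.println("allowed: " + f);
            } catch (SecurityException e) {
                System.out.println("blocked: " + f + " (" + e.getMessage() + ")");
            } catch (IOException e) {
                System.out.println("permitted but unreadable: " + f + " (" + e + ")");
            }
        }
    }
}
```

Only the first request passes the check (and then fails with an IOException unless the file exists); the traversal normalises to /etc/evil.dtd and the .txt file fails the extension test, so both are blocked before any file is opened.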
...
A cleaner approach to making a security check from a different context is to take a snapshot of the execution context in which the check must be performed, using the java.security.AccessController.getContext() method, which returns an AccessControlContext object. The AccessControlContext class itself defines a checkPermission() method that encapsulates a context instead of accepting the current executing context as an argument. This allows the check to be performed at a later time, as shown in the following example.
```java
// Take the snapshot of the required context, store it in acc and pass it to another context
AccessControlContext acc = AccessController.getContext();

// Accept acc in another context and invoke checkPermission() on it
acc.checkPermission(perm);
```
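To show where the snapshot matters, here is an added example (not from the rule) that defers the removal from the earlier SensitiveHash scenario to a worker thread. The check is evaluated on the pool thread but against the requesting caller's captured AccessControlContext; calling System.getSecurityManager().checkPermission(perm) on the pool thread instead would evaluate the pool thread's own inherited context, which is unrelated to who asked for the removal. The permission name removeKeyPermission is from the rule text; the class name and the executor layout are my assumptions, and the main is a constructed demo that expects a SecurityManager and policy to be in place.

```java
import java.security.AccessControlContext;
import java.security.AccessController;
import java.security.Permission;
import java.security.SecurityPermission;
import java.util.Hashtable;
import java.util.concurrent.ExecutionException;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.Future;

// Added example: deferred sensitive operation checked against a context snapshot
public class DeferredRemoval {
    private static final Permission REMOVE_KEY =
        new SecurityPermission("removeKeyPermission");

    private final Hashtable<Integer, String> ht = new Hashtable<>();
    private final ExecutorService pool = Executors.newSingleThreadExecutor();

    public void putEntry(Integer key, String value) {
        ht.put(key, value);
    }

    // Called on the request thread: capture that caller's context now
    public Future<Boolean> removeLater(Integer key) {
        final AccessControlContext acc = AccessController.getContext();
        return pool.submit(() -> {
            // Runs later on the pool thread, but the decision is made against
            // the snapshot; throws java.security.AccessControlException
            // (a SecurityException) if the original caller lacked the permission
            acc.checkPermission(REMOVE_KEY);
            return ht.remove(key) != null;
        });
    }

    public void shutdown() {
        pool.shutdown();
    }

    // Constructed demo: run with a SecurityManager installed and a policy that
    // either grants or withholds SecurityPermission "removeKeyPermission"
    public static void main(String[] args) throws InterruptedException {
        DeferredRemoval d = new DeferredRemoval();
        d.putEntry(1, "secret");
        Future<Boolean> result = d.removeLater(1);
        try {
            System.out.println("removed: " + result.get());
        } catch (ExecutionException e) {
            if (e.getCause() instanceof SecurityException) {
                System.out.println("blocked on worker thread: " + e.getCause().getMessage());
            } else {
                throw new RuntimeException(e.getCause());
            }
        } finally {
            d.shutdown();
        }
    }
}
```

Because the Future wraps whatever the task throws, the SecurityException surfaces to the requester as the cause of an ExecutionException; the requester, not the pool, is the party that is told the check failed.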
Risk Assessment

Failure to enforce security checks in code that performs sensitive operations can lead to malicious tampering of sensitive data.
...
Given knowledge of which operations are sensitive, as well as which specific security checks must be enforced for each operation, an automated tool could reasonably enforce the invariant that the sensitive operations are invoked only from contexts where the required security checks have been performed.
...
...