...

According to the principle of least privilege, every program and every user of the system should operate using the least set of privileges necessary to complete their particular task [Saltzer 1974, Saltzer 1975]. The Build Security In website [DHS 2006] provides additional definitions of this principle. Executing with minimal privileges mitigates exploitation in case a vulnerability is discovered in the code. These principles can be applied in various ways to Java language programming. Occasionally, a system will have components, most of which require only a base set of privileges, while a few require more privileges than the base set; these are said to run with elevated privileges.

...

Regarding the implementation and use of custom security managers, as opposed to default ones, the Java Security Architecture Specification [SecuritySpec 2008] states:

We encourage the use of AccessController in application code, while customization of a security manager (via subclassing) should be the last resort and should be done with extreme care. Moreover, a customized security manager, such as one that always checks the time of the day before invoking standard security checks, could and should utilize the algorithm provided by AccessController whenever appropriate.

...

According to the Java API [API 2006] documentation for the {{ClassLoader.checkPackageAccess()}} method:

...

In 2004, Schoenefeld [Schoenefeld 2004] discovered a vulnerability in Opera v7.54: the default security policy granted the runtime permission {{"accessClassInPackage.sun.*"}} to unprivileged applets, so that they could access internal Sun packages. This allowed attackers to obtain sensitive local information and crash the client web browser.
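
A permission set can be audited for this kind of over-broad grant before it is deployed. The following is an added example, not code from the original page: it tests whether a set of granted permissions implies package-access permission for internal packages. The class name, the package list and the two sample permission sets are constructed for illustration.

```java
import java.security.PermissionCollection;
import java.security.Permissions;
import java.util.ArrayList;
import java.util.List;
import java.util.PropertyPermission;

// Added example: audits a permission set for access to internal packages.
public class PackageAccessAudit {

    // Constructed sample of internal packages that unprivileged code should not reach.
    static final String[] INTERNAL_PACKAGES = {
        "sun.misc", "sun.reflect", "sun.security.provider"
    };

    // Returns the internal packages that the given permission set would open up.
    static List<String> exposedPackages(PermissionCollection granted) {
        List<String> exposed = new ArrayList<>();
        for (String pkg : INTERNAL_PACKAGES) {
            // Permission demanded by the package-access check for a restricted package.
            RuntimePermission needed =
                new RuntimePermission("accessClassInPackage." + pkg);
            // A wildcard name such as "accessClassInPackage.sun.*" implies
            // every package below sun, however deeply nested.
            if (granted.implies(needed)) {
                exposed.add(pkg);
            }
        }
        return exposed;
    }

    public static void main(String[] args) {
        // Weak: the wildcard grant described above, given to unprivileged code.
        Permissions weak = new Permissions();
        weak.add(new RuntimePermission("accessClassInPackage.sun.*"));

        // Tighter (hypothetical): a base permission set with no package-access grant.
        Permissions strict = new Permissions();
        strict.add(new PropertyPermission("java.version", "read"));

        System.out.println("weak policy exposes:   " + exposedPackages(weak));
        System.out.println("strict policy exposes: " + exposedPackages(strict));
    }
}
```

A non-empty result for the permission set assigned to unprivileged code indicates that the policy is broader than the base set of privileges that code needs.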

...

As an example of what constitutes the immediate caller and the object, consider the method {{java.lang.Class.newInstance()}}. Here, the immediate caller is the class that contains this method call whereas the object on which the {{newInstance()}} method is being invoked is referred to as the {{Class}} object ({{classObjectName.newInstance()}}). According to the Java Language Specification [JLS 2005], the method {{getClass()}} returns the {{Class}} object that represents the class of the object.

...