According to the Java API [API 2006], class SecurityManager documentation,
The security manager is a class that allows applications to implement a security policy. It allows an application to determine, before performing a possibly unsafe or sensitive operation, what the operation is and whether it is being attempted in a security context that allows the operation to be performed. The application can allow or disallow the operation.
The applet security manager denies applets all but the most essential privileges. It is designed to protect against inadvertent system modification, information leakage, and user impersonation. The use of security managers is not limited to client-side protection. Web servers, such as Tomcat and WebSphere, use this facility to isolate trojan servlets and malicious Java Server Pages (JSP) code, as well as to protect sensitive system resources from inadvertent access.
For Java applications that run from the command line, a default or custom security manager can be set using a special flag. Alternatively, it is possible to install a security manager programmatically. Installing a security manager this way helps create a default sandbox that allows or denies sensitive actions on the basis of the security policy in effect.
From Java 2 SE Platform onward, SecurityManager is a nonabstract class. As a result, there is no explicit requirement to override its methods. To create and use a security manager programmatically, the code must have the runtime permissions createSecurityManager (to instantiate SecurityManager) and setSecurityManager (to install it). These permissions are checked only if a security manager is already installed. This is useful for situations in which a global default security manager is in place, such as on a virtual host, and individual hosts need to be denied the requisite permissions for overriding the default security manager with a custom one.
The security manager is closely tied to the AccessController class. The former is used as a hub for access control, whereas the latter is the actual implementer of the access control algorithm. The security manager supports
...
Regarding the implementation and use of custom security managers, as opposed to default ones, the Java Security Architecture Specification [SecuritySpec 2008] states:
We encourage the use of AccessController in application code, while customization of a security manager (via subclassing) should be the last resort and should be done with extreme care. Moreover, a customized security manager, such as one that always checks the time of the day before invoking standard security checks, could and should utilize the algorithm provided by AccessController whenever appropriate.
Many of the Java SE APIs perform security manager checks by default before performing sensitive operations. For example, the constructor of class java.io.FileInputStream throws a SecurityException if the caller does not have the permission to read a file. Because SecurityException is a subclass of RuntimeException, the declarations of some API methods (e.g., those of the java.io.FileReader class) may lack a throws clause that lists the SecurityException. Avoid depending on the presence or absence of security manager checks that are not specified in the API method's documentation.
Noncompliant Code Example (Command-Line Installation)
This noncompliant code example fails to install the security manager from the command line.
...
Any Java program can attempt to install a SecurityManager programmatically; a default global security manager may forbid this operation. Applications designed to run locally can specify a default global security manager by use of a flag on the command line at invocation.
The command-line option is preferred when applications must be prohibited from installing custom security managers programmatically and, thus, are required to abide by the default global security policy under all circumstances. This compliant solution installs the default security manager using the appropriate command-line flags. The security policy file grants permissions to the application for its intended actions.
java -Djava.security.manager -Djava.security.policy=policyURL LocalJavaApp

The command-line flag can specify a custom security manager whose policies are enforced globally. Use the -Djava.security.manager flag, as follows:
...
The default security policy file java.policy, found in the /path/to/java.home/lib/security directory on UNIX-like systems and its equivalent on Microsoft Windows systems, grants a few permissions (reading system properties, binding to unprivileged ports, and so forth). A user-specific policy file may also be located in the user's home directory. The union of these policy files specifies the permissions granted to a program. The java.security file can specify which policy files are used. If either the systemwide java.policy or java.security file is deleted, no permissions are granted to the executing Java program.
...
When the SecurityManager API is used instead of the command line to install the security manager, there are instances where the appropriate checks are omitted.
This noncompliant code example passes a null value to the setSecurityManager method, which is responsible for setting the expected SecurityManager argument. As a result, no security manager is installed programmatically. If the command line also failed to install a security manager, this noncompliant code example would execute in the total absence of any security manager.
...
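The following is an added example written for this page; it is not code from the CERT page or from the Java platform. It shows the programmatic alternative to passing null: check whether a manager is already present (for example, one installed via -Djava.security.manager), install the default SecurityManager only if none is, handle the SecurityException that a global-default manager raises when it denies setSecurityManager, and then exercise one of the default API checks described above by opening a file. The class name SecurityManagerSetup, its method names, and the sample path /etc/hosts are constructed for the example. On JDK 18 through 23 the JVM must be started with -Djava.security.manager=allow for System.setSecurityManager to succeed (JEP 411), and on JDK 24 and later the call always throws UnsupportedOperationException (JEP 486); the example treats both outcomes as "no manager installed".

```java
import java.io.FileInputStream;
import java.io.IOException;

// Added example (not from the CERT page): installs a security manager
// programmatically without ever passing null, respects a manager that is
// already installed, and fails closed when installation is refused.
public class SecurityManagerSetup {

  /** True if a security manager is currently installed in this JVM. */
  public static boolean isInstalled() {
    return System.getSecurityManager() != null;
  }

  /**
   * Installs the default SecurityManager if none is present.
   * Returns true if a security manager is installed afterwards.
   */
  public static boolean ensureInstalled() {
    if (isInstalled()) {
      // Installed earlier, e.g. via -Djava.security.manager; leave it in place.
      return true;
    }
    try {
      System.setSecurityManager(new SecurityManager());
    } catch (SecurityException se) {
      // A global-default manager denied RuntimePermission("setSecurityManager").
      System.err.println("Installing a security manager was denied: " + se);
    } catch (UnsupportedOperationException uoe) {
      // JDK 18+ started without -Djava.security.manager=allow, or JDK 24+
      // where the feature is permanently disabled.
      System.err.println("Security manager not supported by this JVM: " + uoe);
    }
    return isInstalled();
  }

  public static void main(String[] args) {
    // Noncompliant form from the text, shown for contrast and left disabled:
    // System.setSecurityManager(null);   // installs nothing

    if (!ensureInstalled()) {
      // Fail closed rather than continue unsandboxed.
      System.err.println("Refusing to run without a security manager");
      System.exit(1);
    }

    // FileInputStream's constructor consults the security manager. With the
    // default java.policy, reading an arbitrary path is not granted, so the
    // unchecked SecurityException (an AccessControlException) is thrown here.
    String path = args.length > 0 ? args[0] : "/etc/hosts"; // constructed sample path
    try (FileInputStream in = new FileInputStream(path)) {
      System.out.println("Read permitted; first byte: " + in.read());
    } catch (SecurityException se) {
      System.out.println("Denied by security manager: " + se.getMessage());
    } catch (IOException ioe) {
      System.out.println("I/O error: " + ioe.getMessage());
    }
  }
}
```

Run it as java -Djava.security.manager=allow SecurityManagerSetup on JDK 18 through 23 (or plain java SecurityManagerSetup on earlier releases); to confirm that a command-line manager is respected rather than replaced, start it with -Djava.security.manager instead and observe that ensureInstalled returns without calling setSecurityManager. The isInstalled method is the runtime presence check that the detection discussion on this page refers to; note that it can only tell you whether a manager exists now, not whether it was installed before earlier sensitive code ran.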
Programmatic detection of the presence or absence of a SecurityManager at runtime is straightforward. Static analysis can address the presence or absence of code that would attempt to install a SecurityManager if the code were executed. Checking whether the SecurityManager is installed early enough, specifies the desired properties, or is guaranteed to be installed may be possible in some special cases but is not feasible in full generality.
...