...
This noncompliant code example instantiates a Hashtable and defines a removeEntry() method to allow the removal of its entries. This method is considered sensitive, perhaps because the hashtable might contain sensitive information. However, the method is public and non-final, which leaves it susceptible to malicious callers.
...
The SecurityManager.checkSecurityAccess() method determines whether the action controlled by the particular permission is allowed.
Noncompliant Code Example (check*())
This noncompliant code example uses the SecurityManager.checkRead() method to check whether the file schema.dtd can be read from the file system. The check*() methods lack support for fine-grained access control. For example, the check*() methods are insufficient to enforce a policy permitting read access to all files with the dtd extension and forbidding read access to all other files. New code must not use the check*() methods because the default implementations of the Java libraries already use these methods to protect sensitive operations.
```java
SecurityManager sm = System.getSecurityManager();
if (sm != null) {
  // check whether file may be read
  sm.checkRead("/local/schema.dtd");
}
```
Compliant Solution (checkPermission())
J2SE 1.2 added two methods, checkPermission(Permission perm) and checkPermission(Permission perm, Object context), to the SecurityManager class. The motivations for this change included
...
This compliant solution shows the single-argument checkPermission() method and allows files in the local directory with the dtd extension to be read. DTDPermission is a custom permission that enforces this level of access. (See rule SEC10-J. Define custom security permissions for fine-grained security for details on creating custom permissions.) Even if the java.io.FilePermission is granted to the application with the action "read", DTD files will be subject to this additional access control.
```java
SecurityManager sm = System.getSecurityManager();
if (sm != null) {
  // check whether the DTD file may be read
  DTDPermission perm = new DTDPermission("/local/", "readDTD");
  sm.checkPermission(perm);
}
```
Compliant Solution (Multiple threads)
Sometimes the security check code exists in one context (such as a worker thread) while the check has to be conducted on a different context, such as another thread. The two-argument checkPermission() method is used in this case. It accepts an AccessControlContext instance as the context argument. The effective permissions are not computed as the intersection of the permissions of the two contexts; they consist of the permissions of the context argument only.
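The following is an added example, not code from the CERT rule, that sketches how the DTDPermission referenced above might be implemented and how both checkPermission() forms from the two compliant solutions are used. The implies() semantics (a granted "/local/" permission covers only .dtd files directly inside that directory) and the helper methods checkReadable() and checkReadableOnBehalfOf() are assumptions for illustration.

```java
import java.security.AccessControlContext;
import java.security.AccessController;
import java.security.Permission;

// Hypothetical DTDPermission (example code, not from the rule). A granted
// DTDPermission("/local/", "readDTD") implies access to the directory itself and
// to *.dtd files directly inside it, but not to other files or subdirectories.
public final class DTDPermission extends Permission {
    private final String actions;

    public DTDPermission(String path, String actions) {
        super(path);
        if (!"readDTD".equals(actions)) {
            throw new IllegalArgumentException("unsupported action: " + actions);
        }
        this.actions = actions;
    }

    @Override
    public boolean implies(Permission p) {
        if (!(p instanceof DTDPermission)) return false;
        String requested = p.getName();
        if (requested.equals(getName())) return true;           // same directory
        return requested.startsWith(getName())                   // inside the directory
            && requested.endsWith(".dtd")                        // only DTD files
            && requested.indexOf('/', getName().length()) < 0;   // no subdirectories
    }

    @Override public String getActions() { return actions; }
    @Override public boolean equals(Object o) {
        return o instanceof DTDPermission && ((DTDPermission) o).getName().equals(getName())
            && ((DTDPermission) o).actions.equals(actions);
    }
    @Override public int hashCode() { return getName().hashCode() ^ actions.hashCode(); }

    // Single-argument form: the check runs against the calling thread's own context.
    static void checkReadable(String path) {
        SecurityManager sm = System.getSecurityManager();
        if (sm != null) sm.checkPermission(new DTDPermission(path, "readDTD"));
    }

    // Two-argument form: the requesting thread snapshots its AccessControlContext and a
    // worker thread checks against that snapshot; only the snapshot's permissions count.
    static void checkReadableOnBehalfOf(String path, AccessControlContext callerContext) {
        SecurityManager sm = System.getSecurityManager();
        if (sm != null) sm.checkPermission(new DTDPermission(path, "readDTD"), callerContext);
    }

    public static void main(String[] args) {
        checkReadable("/local/schema.dtd");                          // caller's own context
        AccessControlContext ctx = AccessController.getContext();   // captured on this thread
        new Thread(() -> checkReadableOnBehalfOf("/local/schema.dtd", ctx)).start();
    }
}
```

Note that the SecurityManager and AccessController APIs are deprecated for removal since Java 17 (JEP 411), so this pattern applies to code bases that still run under a security manager.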
...