Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: Edited by sciSpider Java v3.0

...

Wiki Markup
Notably, the policy file specified in the argument is ignored when the {{policy.allowSystemProperty}} property in the security properties file ({{java.security}}) is set to {{false}}. Its default value is {{true}}. The document ""Default Policy Implementation and Policy File Syntax"" \[[Policy 02|AA. Java References#Policy 02]\] discusses writing policy files in depth.

...

Code Block
bgColor#ccccff
try {
  System.setSecurityManager(new CustomSecurityManager(""password here""));
} catch (SecurityException se) {
  // cannot set security manager, log to file
}

...

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

References

Wiki Markup
\[[API 06|AA. Java References#API 06]\] [Class SecurityManager|http://java.sun.com/javase/6/docs/api/java/lang/SecurityManager.html], Class AccessControlContext, Class AccessController
\[[Policy 02|AA. Java References#Policy 02]\]
\[[Pistoia 04|AA. Java References#Pistoia 04]\] Section 7.4, The Security Manager
\[[Gong 03|AA. Java References#Gong 03]\] Section 6.1, Security Manager
\[[SecuritySpec 08|AA. Java References#SecuritySpec 08]\] 6.2 SecurityManager versus AccessController
\[[MITRE 09|AA. Java References#MITRE 09]\] [CWE ID 358|http://cwe.mitre.org/data/definitions/358.html] ""Improperly Implemented Security Check for Standard""

...

ENV01-J. Place all privileged code in a single package and seal the package            01. Runtime Environment (ENV)            ENV03-J. Never grant AllPermission to untrusted code