When a custom class loader must override the `getPermissions()` method, the implementation must consult the default system policy by explicitly invoking the superclass's `getPermissions()` method before assigning arbitrary permissions to the code source. A custom class loader that ignores the superclass's `getPermissions()` could load untrusted classes with elevated privileges. `ClassLoader` is abstract and must not be directly subclassed.
Noncompliant Code Example
This noncompliant code example shows a fragment of a custom class loader that extends the class `URLClassLoader`. It overrides the `getPermissions()` method but does not call its superclass's more restrictive `getPermissions()` method. Consequently, a class defined using this custom class loader has permissions that are completely independent of those specified in the systemwide policy file. In effect, the class's permissions override them.
```java
protected PermissionCollection getPermissions(CodeSource cs) {
  PermissionCollection pc = new Permissions();
  // Allow exit from the VM anytime
  pc.add(new RuntimePermission("exitVM"));
  return pc;
}
```
...
In this compliant solution, the `getPermissions()` method calls `super.getPermissions()`. As a result, the default systemwide security policy is applied, in addition to the custom policy.
```java
protected PermissionCollection getPermissions(CodeSource cs) {
  PermissionCollection pc = super.getPermissions(cs);
  // Allow exit from the VM anytime
  pc.add(new RuntimePermission("exitVM"));
  return pc;
}
```
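The two overrides can be compared side by side by asking each loader for the permissions it would assign to the same code source. The following is an added example, not code from the coding standard; the class names `GetPermissionsDemo`, `IgnoresSuper` and `ConsultsSuper` and the `/opt/plugins/untrusted/` location are hypothetical.

```java
import java.io.FilePermission;
import java.net.URI;
import java.net.URL;
import java.net.URLClassLoader;
import java.security.*;
import java.security.cert.Certificate;
import java.util.Collections;

public class GetPermissionsDemo {
  // Noncompliant pattern: starts from an empty collection, so nothing the
  // superclass would have granted for this code source is present.
  static class IgnoresSuper extends URLClassLoader {
    IgnoresSuper(URL[] urls) { super(urls); }
    @Override protected PermissionCollection getPermissions(CodeSource cs) {
      PermissionCollection pc = new Permissions();
      pc.add(new RuntimePermission("exitVM"));
      return pc;
    }
  }

  // Compliant pattern: extends whatever the superclass returns.
  static class ConsultsSuper extends URLClassLoader {
    ConsultsSuper(URL[] urls) { super(urls); }
    @Override protected PermissionCollection getPermissions(CodeSource cs) {
      PermissionCollection pc = super.getPermissions(cs);
      pc.add(new RuntimePermission("exitVM"));
      return pc;
    }
  }

  // Prints the contents of a collection and whether it implies each probe.
  static void report(String label, PermissionCollection pc, Permission... probes) {
    System.out.println(label + " grants: " + Collections.list(pc.elements()));
    for (Permission p : probes) {
      System.out.println("  implies " + p + " -> " + pc.implies(p));
    }
  }

  public static void main(String[] args) throws Exception {
    // Constructed code source: a hypothetical local directory of plugin classes.
    URL dir = URI.create("file:/opt/plugins/untrusted/").toURL();
    CodeSource cs = new CodeSource(dir, (Certificate[]) null);
    Permission read = new FilePermission("/opt/plugins/untrusted/Foo.class", "read");
    Permission exit = new RuntimePermission("exitVM");
    try (IgnoresSuper bad = new IgnoresSuper(new URL[] {dir});
         ConsultsSuper good = new ConsultsSuper(new URL[] {dir})) {
      report("noncompliant", bad.getPermissions(cs), read, exit);
      report("compliant", good.getPermissions(cs), read, exit);
    }
  }
}
```

Listing the returned collections makes the review question concrete: any permission that appears only because of the override, and not because the superclass derived it from the code source, is one the custom loader is vouching for on its own.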
...
Rule | Severity | Likelihood | Remediation Cost | Priority | Level |
---|---|---|---|---|---|
SEC07-J | High | Probable | Low | P18 | L1 |
Automated Detection
Violations of this rule can be discovered with a heuristic checker in the style of FindBugs. As with all heuristic checks, achieving a low false-positive rate is essential.
Android Implementation Details
The `java.security` package exists on Android for compatibility purposes only, and it should not be used.
Bibliography
...