SEI CERT Oracle Coding Standard for Java

Space shortcuts

Page tree

Versions Compared

Old Version 9

changes.mady.by.user David Svoboda

Saved on

compared with

New Version Current

changes.mady.by.user David Svoboda

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Code Block
bgColor#ccccff
// Standard extensions extend the core platform and are granted all permissions by default
grant codeBase "TODO" {
  permission java.security.AllPermission;
};

Risk Assessment

Granting AllPermission to untrusted code allows it to perform privileged operations.

...

CVE-2007-5342 describes a vulnerability in Apache Tomcat 5.5.9 through 5.5.25 and 6.0.0 through 6.0.15. The security policy used in the JULI logging component failed to restrict certain permissions for web applications. An attacker could modify the log level, directory, or prefix attributes in the org.apache.juli.FileHandler handler, permitting them to modify logging configuration options and overwrite arbitrary files.

Related Guidelines

MITRE CWE

CWE-732, Incorrect Permission Assignment for Critical Resource

Android Implementation Details

The java.security package exists on Android for compatibility purposes only, and it should not be used. Android uses another permission mechanism for security purposes.

Bibliography

[API 2014]

Class AllPermission
Class ReflectPermission
Class RuntimePermission

[Gong 2003]


[Long 2005]

Section 2.5, "Reflection"

[Permissions 2008]

Section "ReflectPermission"

[Reflect 2006]

[Security 2006]

Security Architecture
Section "RuntimePermission"


...