
Certain permissions, alone or in combination with others, effectively grant far more capability than their names suggest and must not be granted to untrusted code. Other permissions should be granted only to code that is fully trusted and has a specific need for them. All of the checks described here are enforced only while a SecurityManager is installed; the SecurityManager and the permission checks it mediates are deprecated for removal as of Java 17 (JEP 411) and can no longer be enabled as of Java 24 (JEP 486).
AllPermission
The permission java.security.AllPermission grants all possible permissions to code. This facility was included to reduce the burden of managing a multitude of permissions during routine testing, as well as when a body of code is completely trusted. Code is typically granted AllPermission via the security policy file; it is also possible to programmatically associate AllPermission with a ProtectionDomain. This permission is dangerous in production environments: because it implies RuntimePermission("setSecurityManager") and SecurityPermission("setPolicy"), code that holds it can remove the security manager or rewrite the policy, so no other restriction survives the grant. Never grant AllPermission to untrusted code.
ReflectPermission, suppressAccessChecks
Granting ReflectPermission with the target suppressAccessChecks allows the permitted code to call AccessibleObject.setAccessible(true) on reflected members, which suppresses all standard Java language access checks when that code operates on package-private, protected, or private members of another class. Consequently, the permitted code can read or write any field and invoke any method of an arbitrary class [Reflect 2006]. (Since Java 9, setAccessible is additionally subject to module encapsulation; this permission governs only the security manager check and does not open a module that is not already open to the caller.) As a result, ReflectPermission must never be granted with target suppressAccessChecks.
According to the technical note Permissions in the Java SE 6 Development Kit [Permissions 2008], section ReflectPermission, target suppressAccessChecks:
Warning: Extreme caution should be taken before granting this permission to code, for it provides the ability to access fields and invoke methods in a class. This includes not only public, but protected and private fields and methods as well.
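The following program is an added demonstration, not code from the CERT standard or from the cited technical note. It shows the exact call at which ReflectPermission("suppressAccessChecks") is checked and what the grant unlocks: the same reflective read is refused under a policy that withholds the permission and succeeds once the policy grants it. The class names (SuppressAccessChecksDemo, Vault, TogglePolicy), the sample secret, and the one-permission policy are assumptions made for the example. It needs a JVM that can still install a SecurityManager: JDK 8 to 17 run it as is (17 prints deprecation warnings), JDK 18 to 23 need -Djava.security.manager=allow, and JDK 24 or later cannot enable one.

```java
import java.lang.reflect.Field;
import java.lang.reflect.ReflectPermission;
import java.security.AccessControlException;
import java.security.Permission;
import java.security.Policy;
import java.security.ProtectionDomain;

/*
 * Added example (not part of the CERT text): where suppressAccessChecks is
 * enforced and what it unlocks. Names and sample data are assumptions.
 */
public class SuppressAccessChecksDemo {

    /** Constructed sample: an unrelated class that keeps a value in a private field. */
    static final class Vault {
        private final String secret = "s3cr3t"; // constructed sample value
    }

    /**
     * Systemwide policy for this demo (an assumption, not a real deployment policy).
     * Every code source gets at most one permission, ReflectPermission("suppressAccessChecks"),
     * and only while the flag is set. Flipping a field on our own Policy object lets the
     * demo change the grant without needing SecurityPermission("setPolicy") itself.
     */
    static final class TogglePolicy extends Policy {
        volatile boolean grantSuppressAccessChecks;

        @Override
        public boolean implies(ProtectionDomain domain, Permission p) {
            return grantSuppressAccessChecks
                    && p instanceof ReflectPermission
                    && "suppressAccessChecks".equals(p.getName());
        }
    }

    /** Tries to read Vault.secret reflectively; reports the denied permission instead of failing. */
    static String readSecret() {
        try {
            Field f = Vault.class.getDeclaredField("secret");
            // This is the call the permission governs: setAccessible(true) runs
            // SecurityManager.checkPermission(new ReflectPermission("suppressAccessChecks"))
            // before it disables the Java language access check on the member.
            f.setAccessible(true);
            return (String) f.get(new Vault());
        } catch (AccessControlException e) {
            return "DENIED: " + e.getPermission();
        } catch (ReflectiveOperationException e) {
            throw new IllegalStateException(e);
        }
    }

    public static void main(String[] args) {
        TogglePolicy policy = new TogglePolicy();
        Policy.setPolicy(policy);                         // must precede installing the manager
        System.setSecurityManager(new SecurityManager());

        // 1. Without the permission the language access check stands: the private field stays private.
        System.out.println("without suppressAccessChecks: " + readSecret());

        // 2. With it, the same code reads the private field of a class it has no relationship with.
        policy.grantSuppressAccessChecks = true;
        System.out.println("with suppressAccessChecks:    " + readSecret());
    }
}
```

Compile with javac and run with a security manager enabled as described above. The first line reports the denied ReflectPermission; the second prints the private value, which is exactly the capability the quoted warning describes.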
RuntimePermission, createClassLoader
The permission java.lang.RuntimePermission applied to the target createClassLoader grants code the permission to create a ClassLoader object. This permission is extremely dangerous because malicious code can create its own custom class loader and use it to define classes with arbitrary permissions: ClassLoader.defineClass accepts a caller-supplied ProtectionDomain, and a ProtectionDomain constructed with a static permission collection is never checked against the Policy. A custom class loader can therefore define a class in a ProtectionDomain whose permissions override any restrictions specified in the systemwide security policy file.
Permissions in the Java SE 6 Development Kit [Permissions 2008] states:
This is an extremely dangerous permission to grant. Malicious applications that can instantiate their own class loaders could then load their own rogue classes into the system. These newly loaded classes could be placed into any protection domain by the class loader, thereby automatically granting the classes the permissions for that domain.
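The following program is an added demonstration, not code from the CERT standard or from the cited technical note. It serves both the AllPermission section above (an AllPermission collection attached programmatically to a ProtectionDomain) and the createClassLoader discussion: under a policy that grants nothing but createClassLoader, the demo's own property read is denied, yet a class defined by a freshly created loader into an AllPermission domain performs the same read successfully. The class names (CreateClassLoaderDemo, Payload, RogueLoader), the sample property read, and the one-permission policy are assumptions made for the example. It reads its own compiled class file from the classpath, so compile with javac and run the class (not the single-file source launcher), on a JVM that can still install a SecurityManager: JDK 8 to 17 as is, JDK 18 to 23 with -Djava.security.manager=allow; JDK 24 or later cannot enable one.

```java
import java.io.IOException;
import java.io.InputStream;
import java.security.AccessControlException;
import java.security.AccessController;
import java.security.AllPermission;
import java.security.Permission;
import java.security.Permissions;
import java.security.Policy;
import java.security.PrivilegedAction;
import java.security.ProtectionDomain;

/*
 * Added example (not part of the CERT text): how createClassLoader lets code
 * place a class into a ProtectionDomain of its choosing, here one holding
 * AllPermission, and thereby bypass the systemwide policy. Names are assumptions.
 */
public class CreateClassLoaderDemo {

    /**
     * Constructed payload. It reads a property from inside doPrivileged, so the
     * permission check stops at escape() and consults only the ProtectionDomain this
     * class was DEFINED into, not the domain of whoever called it.
     */
    public static final class Payload implements PrivilegedAction<String> {
        @Override
        public String run() {
            return System.getProperty("user.home"); // needs PropertyPermission("user.home", "read")
        }

        public static String escape() {
            return AccessController.doPrivileged(new Payload());
        }
    }

    /** Minimal custom loader: exposes defineClass with a caller-chosen ProtectionDomain. */
    static final class RogueLoader extends ClassLoader {
        RogueLoader(ClassLoader parent) {
            super(parent); // SecurityManager.checkCreateClassLoader() runs here
        }

        Class<?> defineIn(String name, byte[] bytecode, ProtectionDomain pd) {
            return defineClass(name, bytecode, 0, bytecode.length, pd);
        }
    }

    /** Reads the compiled bytecode of a class from the classpath. */
    static byte[] classBytes(Class<?> c) throws IOException {
        String resource = c.getName().replace('.', '/') + ".class";
        try (InputStream in = c.getClassLoader().getResourceAsStream(resource)) {
            if (in == null) {
                throw new IllegalStateException("compile with javac first; " + resource + " not on classpath");
            }
            return in.readAllBytes();
        }
    }

    /** The demo's own attempt at the property read, run in its policy-governed domain. */
    static String tryRead() {
        try {
            return System.getProperty("user.home");
        } catch (AccessControlException e) {
            return "DENIED: " + e.getPermission();
        }
    }

    public static void main(String[] args) throws Exception {
        // Read the bytecode before the manager is installed so no FilePermission is needed afterwards.
        byte[] payloadBytes = classBytes(Payload.class);

        // Systemwide policy for this demo (an assumption): the ONLY permission any code source
        // gets is RuntimePermission("createClassLoader"). Nobody is granted any property read.
        Policy.setPolicy(new Policy() {
            @Override
            public boolean implies(ProtectionDomain domain, Permission p) {
                return p instanceof RuntimePermission && "createClassLoader".equals(p.getName());
            }
        });
        System.setSecurityManager(new SecurityManager());

        // 1. The policy denies the property read to the demo's own code.
        System.out.println("direct read:      " + tryRead());

        // 2. Mint a domain with AllPermission. The two-argument constructor makes the
        //    permissions static, so the Policy is never consulted for this domain.
        Permissions all = new Permissions();
        all.add(new AllPermission());
        ProtectionDomain rogueDomain = new ProtectionDomain(null, all);

        // 3. createClassLoader is all it takes to define the payload into that domain.
        RogueLoader loader = new RogueLoader(CreateClassLoaderDemo.class.getClassLoader());
        Class<?> rogue = loader.defineIn(Payload.class.getName(), payloadBytes, rogueDomain);

        // 4. The same read now succeeds, even though the policy grants it to no one.
        String home = (String) rogue.getMethod("escape").invoke(null);
        System.out.println("via rogue domain: " + home);
    }
}
```

The first output line shows the policy doing its job against the demo's own domain; the second shows the escape. Nothing in the policy changed between the two reads: the only difference is that the second read runs in a class whose ProtectionDomain was chosen by the loader that defined it, which is precisely why the quoted note calls createClassLoader extremely dangerous and why AllPermission should never be reachable by untrusted code.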