When passed a null access control context, the two-argument doPrivileged() method fails to reduce the current privileges to those of the previously saved context. Consequently, this code can grant excess privileges when the accessControlContext argument is null. Programmers who intend to call AccessController.doPrivileged() with a null access control context should explicitly pass the null constant or use the one-argument version of AccessController.doPrivileged().
Compliant Solution
This compliant solution prevents granting of excess privileges by ensuring that accessControlContext is non-null:
    if (accessControlContext == null) {
      throw new SecurityException("Missing AccessControlContext");
    }
    AccessController.doPrivileged(
      new PrivilegedAction<Void>() {
        public Void run() {
          // ... privileged work, now limited to accessControlContext
          return null;
        }
      }, accessControlContext);
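The following class is an added example, not code from the guideline; it wraps the two-argument call in a helper that rejects a null context before doPrivileged() ever sees it, and puts the deliberate "run with the caller's own privileges" case behind the one-argument overload so the intent is explicit instead of hidden in a null that might be accidental. The class and method names (GuardedPrivilegedCall, runLimitedTo, runWithCallerPrivileges) are assumptions chosen for this example. Note that AccessController and the SecurityManager machinery are deprecated for removal as of Java 17, so this compiles with deprecation warnings on current JDKs.

```java
import java.security.AccessControlContext;
import java.security.AccessController;
import java.security.PrivilegedAction;
import java.util.Objects;

public final class GuardedPrivilegedCall {

    private GuardedPrivilegedCall() {}

    /**
     * Runs action with the privileges limited to those of context.
     * A null context is rejected up front: the two-argument doPrivileged()
     * would otherwise silently run the action with the caller's full
     * privileges instead of the saved (reduced) ones.
     */
    public static <T> T runLimitedTo(PrivilegedAction<T> action,
                                     AccessControlContext context) {
        Objects.requireNonNull(action, "action");
        if (context == null) {
            throw new SecurityException("Missing AccessControlContext");
        }
        return AccessController.doPrivileged(action, context);
    }

    /**
     * Runs action with the caller's own privileges (no saved context).
     * This is the only path on which "no context" is intended, and the
     * intent is expressed by choosing the one-argument overload rather
     * than passing a null through to the two-argument one.
     */
    public static <T> T runWithCallerPrivileges(PrivilegedAction<T> action) {
        Objects.requireNonNull(action, "action");
        return AccessController.doPrivileged(action);
    }

    public static void main(String[] args) {
        // Constructed demo: capture the current context and reuse it later,
        // the way a framework would save a context at one point and apply it
        // when running untrusted callbacks.
        AccessControlContext saved = AccessController.getContext();
        PrivilegedAction<String> readVersion =
                () -> System.getProperty("java.version");

        System.out.println("limited to saved context: "
                + runLimitedTo(readVersion, saved));

        System.out.println("caller privileges (explicit one-arg form): "
                + runWithCallerPrivileges(readVersion));

        try {
            // A null context reaching the two-argument form is a bug, not a
            // request for full privileges, so the helper refuses it.
            runLimitedTo(readVersion, null);
        } catch (SecurityException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The guard lives in the helper rather than at each call site so that every two-argument doPrivileged() in the code base goes through a single point that can be audited and, if needed, logged.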
Applicability
Security-sensitive methods must be thoroughly understood and their parameters validated to prevent corner cases with unexpected argument values (such as null arguments). If unexpected argument values are passed to security-sensitive methods, arbitrary code execution becomes possible, and privilege escalation becomes likely.
Bibliography
[API 2013] AccessController.doPrivileged(), System.setSecurityManager()