16. Avoid granting excess privileges
A Java security policy grants permissions to code to allow access to specific system resources. A code source (an object of type CodeSource), to which a permission is granted, consists of the code location (URL) and a reference to the certificate(s) containing the public key(s) corresponding to the private key(s) used to digitally sign the code. Reference to the certificate(s) is pertinent only if the code was digitally signed. A protection domain encompasses a CodeSource and the permissions granted to code from that CodeSource, as determined by the security policy currently in effect. Consequently, classes signed by the same key and originating from the same URL are placed in the same protection domain. A class belongs to one and only one protection domain. Classes that have the same permissions but are from different code sources belong to different domains.
Each Java class runs in its appropriate domain, as determined by its code source. For any code running under a security manager to perform a secured action such as reading or writing a file, the code must be granted permission to perform that particular action. Privileged code can access privileged resources on behalf of an unprivileged caller by using the AccessController.doPrivileged() method. This is necessary, for example, when a system utility needs to open a font file on behalf of the user to display a document, but the application lacks permission to do so. To perform this action, the system utility uses its full privileges for obtaining the fonts, ignoring the privileges of the caller. Privileged code runs with all the privileges of the protection domain associated with the code source. These privileges often exceed those required to perform the privileged operation. Ideally, code should be granted only the minimum set of privileges required to complete its operation.
Guideline 19, "Define custom security permissions for fine-grained security," describes another approach to eliminating excess privileges.
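The font-loading scenario above, as an added illustration that is not the book's own code: a hypothetical FontLoader library whose first wrapper runs a caller-chosen read with the full privileges of the library's protection domain, beside a version that fixes the path itself and uses the limited doPrivileged overload (Java 8 and later) so the block asserts only the single FilePermission the read needs. The font directory path is an assumption.

```java
import java.io.FilePermission;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.AccessController;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;

public final class FontLoader {
    // Hypothetical directory that the library's protection domain is allowed to read.
    private static final Path FONT_DIR = Paths.get("/opt/app/fonts").toAbsolutePath().normalize();

    // Excess privilege: the caller chooses the path, and the block runs with every
    // permission of the library's protection domain, not just the one this read needs.
    public static byte[] performActionOnFile(String path) throws IOException {
        try {
            return AccessController.doPrivileged(
                (PrivilegedExceptionAction<byte[]>) () -> Files.readAllBytes(Paths.get(path)));
        } catch (PrivilegedActionException e) {
            throw unwrap(e);
        }
    }

    // Minimum privilege: the caller supplies only a font name; the path is computed here,
    // and the limited doPrivileged overload confines the block to one FilePermission.
    public static byte[] loadFont(String fontName) throws IOException {
        if (!fontName.matches("[A-Za-z0-9_-]+\\.ttf")) {
            throw new IllegalArgumentException("invalid font name: " + fontName);
        }
        final Path font = FONT_DIR.resolve(fontName).normalize();
        if (!font.startsWith(FONT_DIR)) {
            throw new IllegalArgumentException("font outside font directory");
        }
        try {
            return AccessController.doPrivileged(
                (PrivilegedExceptionAction<byte[]>) () -> Files.readAllBytes(font),
                null,                                          // no additional AccessControlContext
                new FilePermission(font.toString(), "read")); // the only privilege asserted
        } catch (PrivilegedActionException e) {
            throw unwrap(e);
        }
    }

    // Recover the checked IOException thrown inside the privileged action.
    private static IOException unwrap(PrivilegedActionException e) {
        Exception cause = e.getException();
        return cause instanceof IOException ? (IOException) cause : new IOException(cause);
    }
}
```

With a security manager installed, the limited form still requires the library's own domain to hold the read permission; it narrows what the block asserts on behalf of the caller, it does not grant anything new.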
Noncompliant Code Example
This noncompliant code example shows a library method that allows callers to perform a privileged operation (reading a file) using the wrapper method performActionOnFile():