Java Reference
In-Depth Information
}
}
Callers that lack permission to create an appropriate AccessControlContext can request one using AccessController.getContext() to create the instance.
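The following is an added example, not code from the guideline: it shows the pattern the sentence above describes, capturing the caller's own context with AccessController.getContext() and passing it to doPrivileged() so the action runs with no more than the intersection of the current permissions and that context, instead of constructing an AccessControlContext from ProtectionDomains (which itself requires permission). The class name and the property name are hypothetical.

```java
import java.security.AccessControlContext;
import java.security.AccessController;
import java.security.PrivilegedAction;

// Added example; not part of the guideline's own code.
public final class ContextLimitedAction {

    // Hypothetical property name used only for illustration.
    private static final String PROP = "example.config.path";

    public static String readConfigPath() {
        // Snapshot of the permissions in effect on the current call stack.
        // No createAccessControlContext permission is needed for this.
        final AccessControlContext callerContext = AccessController.getContext();

        // The action is limited to the permissions captured in callerContext:
        // the privileges of this library's own protection domain cannot be
        // amplified beyond what the caller already holds.
        return AccessController.doPrivileged(
            (PrivilegedAction<String>) () -> System.getProperty(PROP),
            callerContext);
    }

    public static void main(String[] args) {
        System.out.println("config path: " + readConfigPath());
    }
}
```

Passing the captured context is what bounds the block; calling doPrivileged() without a context would instead stop the stack walk at this frame and let the library's full permissions apply.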
Applicability
Failure to follow the principle of least privilege can result in untrusted, unprivileged code performing unintended privileged operations. However, carefully restricting privileges adds complexity. This added complexity and the associated reduction of maintainability must be traded off against any security improvement.
17. Minimize privileged code
Programs must comply with the principle of least privilege not only by providing privileged blocks with the minimum permissions required for correct operation (see Guideline 16, “Avoid granting excess privileges”), but also by ensuring that privileged code contains only those operations that require increased privileges. Superfluous code contained within a privileged block must operate with the privileges of that block, increasing the attack surface.
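As an added example (not the guideline's own code), here is a changePassword() method structured so that the privileged block contains only the one operation that needs elevated rights, opening the password file; loading the authentication library and all password handling run with the caller's ordinary privileges. The file path, the library name and the native method are hypothetical placeholders, and the example assumes a native library with that name is available on java.library.path.

```java
import java.io.BufferedReader;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStreamReader;
import java.nio.charset.StandardCharsets;
import java.security.AccessController;
import java.security.MessageDigest;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;

// Added example; not part of the guideline's own code.
public final class PasswordChanger {

    // Hypothetical placeholders.
    private static final String PASSWORD_FILE = "/path/to/password/file";
    private static final String AUTH_LIB = "authentication";

    static {
        // Loading the native library does not need the permissions granted to
        // the file-opening block, so it stays outside doPrivileged().
        System.loadLibrary(AUTH_LIB);
    }

    // Hypothetical native entry point provided by AUTH_LIB.
    private static native void updatePassword(String newPassword);

    public void changePassword(String currentPassword, String newPassword)
            throws IOException {
        // The privileged block is reduced to the single call that requires
        // read access to the protected file.
        final FileInputStream in;
        try {
            in = AccessController.doPrivileged(
                (PrivilegedExceptionAction<FileInputStream>)
                    () -> new FileInputStream(PASSWORD_FILE));
        } catch (PrivilegedActionException e) {
            // Unwrap the checked exception thrown inside the action.
            throw new IOException("cannot open password file", e.getException());
        }

        // Everything below runs with the caller's own privileges.
        try (BufferedReader reader =
                 new BufferedReader(new InputStreamReader(in, StandardCharsets.UTF_8))) {
            String stored = reader.readLine();
            if (stored == null) {
                throw new IOException("password file is empty");
            }
            // Constant-time comparison of the supplied and stored values.
            byte[] supplied = currentPassword.getBytes(StandardCharsets.UTF_8);
            byte[] expected = stored.getBytes(StandardCharsets.UTF_8);
            if (!MessageDigest.isEqual(supplied, expected)) {
                throw new SecurityException("current password does not match");
            }
            updatePassword(newPassword);
        }
    }
}
```

The test for each statement is whether it would fail under the caller's privileges without doPrivileged(); only the FileInputStream constructor does here, so only it is elevated.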
Noncompliant Code Example
This noncompliant code example contains a changePassword() method that attempts to open a password file within a doPrivileged block and performs operations using that file. The doPrivileged block also contains a superfluous System.loadLibrary() call that loads the authentication library.
public void changePassword(String currentPassword,
                           String newPassword) {
    final FileInputStream f[] = { null };