Sensitive operations must be protected by security manager checks. Refer to rule ENV02-J. Create a secure sandbox using a Security Manager to learn about the importance of performing security checks and limiting code to a secure sandbox.

Noncompliant Code Example

...

This noncompliant code example uses the SecurityManager.checkRead() method to check whether the file schema.dtd can be read from the file system. The check*() methods lack support for fine-grained access control. For example, the check*() methods are inadequate to enforce a policy permitting read access to all files with the dtd extension and forbidding read access to all other files. New code must not use the check*() methods because the default implementations of the Java libraries already use these methods to protect sensitive operations.

...

J2SE 1.2 added two methods — checkPermission(Permission perm) and checkPermission(Permission perm, Object context) — to the SecurityManager class. The motivations for this change included

  • Eliminating the need to hard code names of checks in method names.
  • Encapsulating the complicated algorithms and code for examining the Java runtime in a single checkPermission() method.
  • Supporting introduction of additional permissions by subclassing the Permission class.

...

This compliant solution shows the single-argument checkPermission() method and allows files in the local directory with the dtd extension to be read. DTDPermission is a custom permission that enforces this level of access. Even if the java.io.FilePermission is granted to the application with the action "read", DTD files are subject to additional access control.

SecurityManager sm = System.getSecurityManager();

if (sm != null) {  // Check whether the DTD file can be read
  DTDPermission perm = new DTDPermission("/local/", "readDTD");
  sm.checkPermission(perm);
}
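The page does not show DTDPermission itself; the following is an added example (not CERT's code) of how such a custom Permission subclass could implement the fine-grained policy described above, where the rule "granted directory prefix plus .dtd extension" and the path normalization are assumptions. It exercises only implies(), the method the security manager's checkPermission() ultimately relies on; note that installing a SecurityManager is deprecated for removal since Java 17 (JEP 411).

```java
import java.nio.file.Paths;
import java.security.Permission;
import java.util.Objects;

/**
 * Hypothetical DTDPermission (assumption: not defined on the page).
 * The name is either a directory granted to the code or a file being
 * requested; the only supported action is "readDTD".
 */
public final class DTDPermission extends Permission {
    private final String actions;

    public DTDPermission(String path, String actions) {
        super(path);
        if (!"readDTD".equals(actions)) {
            throw new IllegalArgumentException("unsupported action: " + actions);
        }
        this.actions = actions;
    }

    /** A grant on a directory implies reading any *.dtd file directly under it. */
    @Override
    public boolean implies(Permission p) {
        if (!(p instanceof DTDPermission) || !actions.equals(p.getActions())) {
            return false;
        }
        // Normalize both paths so "/local/../etc/x.dtd" cannot pass a prefix test.
        String dir = Paths.get(getName()).normalize().toString();
        String requested = Paths.get(p.getName()).normalize().toString();
        String prefix = dir.endsWith("/") ? dir : dir + "/";
        return requested.startsWith(prefix) && requested.endsWith(".dtd");
    }

    @Override public String getActions() { return actions; }

    @Override public boolean equals(Object o) {
        if (!(o instanceof DTDPermission)) return false;
        DTDPermission d = (DTDPermission) o;
        return getName().equals(d.getName()) && actions.equals(d.actions);
    }

    @Override public int hashCode() { return Objects.hash(getName(), actions); }

    public static void main(String[] args) {
        Permission granted = new DTDPermission("/local/", "readDTD");  // from policy
        // Requests: a .dtd in the granted directory, a non-.dtd file there,
        // a .dtd outside it, and a traversal attempt that normalizes outside it.
        for (String f : new String[] {"/local/schema.dtd", "/local/passwd.txt",
                                      "/etc/schema.dtd", "/local/../etc/x.dtd"}) {
            System.out.println(f + " -> " + granted.implies(new DTDPermission(f, "readDTD")));
        }
    }
}
```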

Compliant Solution (Multiple Threads)

Occasionally, the security check code exists in one context (such as a worker thread) while the check has to be conducted on a different context, such as another thread. The two-argument checkPermission() method is used in this case. It accepts an AccessControlContext instance as the context argument. The effective permissions are those of the context argument only; they are not computed as the intersection of the permissions of the two contexts.

Both the single- and two-argument checkPermission() methods defer to the single-argument java.security.AccessController.checkPermission(Permission perm) method. When invoked directly, this method operates only on the current execution context and, as a result, does not supersede the security manager's two-argument version.

...


...