...
```java
// Noncompliant: the one-argument form of doPrivileged() runs the block with
// every permission granted to this code, not just the ones the caller needs.
private FileInputStream openFile() {
  final FileInputStream f[] = {null};
  AccessController.doPrivileged(new PrivilegedAction() {
    public Object run() {
      try {
        f[0] = new FileInputStream("file");
      } catch (FileNotFoundException fnf) {
        // Forward to handler
      }
      return null;
    }
  });
  return f[0];
}

// wrapper method
public void performActionOnFile() {
  openFile();
}
```
The security policy that applies to this code may grant it permission to both read and write the file. However, the caller requires only read access to the file. Consequently, this code violates the principle of least privilege by also providing the caller with superfluous write access.
Compliant Solution
The two-argument form of doPrivileged() accepts an AccessControlContext object from the caller and restricts the privileges of the contained code to the intersection of the permissions of the current execution context's domains and those of the context passed as the second argument. Consequently, a caller that requires only read permission to the file can pass a context that has only the file read permission.
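The pattern described above, written out as an added illustration rather than the page's own compliant solution code: the wrapper builds an AccessControlContext that carries only a read FilePermission and passes it to the two-argument doPrivileged(). The class name, the file name "file", and the explicit null-context check are assumptions made for this example.

```java
import java.io.FileInputStream;
import java.io.FileNotFoundException;
import java.io.FilePermission;
import java.security.AccessControlContext;
import java.security.AccessController;
import java.security.CodeSource;
import java.security.Permissions;
import java.security.PrivilegedAction;
import java.security.ProtectionDomain;
import java.security.cert.Certificate;

public class LeastPrivilegeFileOpener { // assumed class name
  // Two-argument form: the privileged block runs with the intersection of
  // this code's own permissions and those in the supplied context.
  private FileInputStream openFile(AccessControlContext context) {
    // A null context means "no additional restriction", which would silently
    // fall back to the noncompliant behaviour, so refuse it outright.
    if (context == null) {
      throw new SecurityException("AccessControlContext must not be null");
    }
    final FileInputStream[] f = {null};
    AccessController.doPrivileged(new PrivilegedAction<Void>() {
      public Void run() {
        try {
          f[0] = new FileInputStream("file"); // assumed file name
        } catch (FileNotFoundException fnf) {
          // Forward to handler
        }
        return null;
      }
    }, context);
    return f[0];
  }

  // Wrapper method: constructs a context holding only read permission on
  // "file", so write access is never reachable from inside openFile().
  public void performActionOnFile() {
    Permissions perms = new Permissions();
    perms.add(new FilePermission("file", "read"));
    ProtectionDomain readOnlyDomain = new ProtectionDomain(
        new CodeSource(null, (Certificate[]) null), perms);
    AccessControlContext readOnlyContext =
        new AccessControlContext(new ProtectionDomain[] {readOnlyDomain});
    FileInputStream in = openFile(readOnlyContext);
    // ... read from 'in'; any attempt to write the file from the
    // privileged block would fail the intersected permission check.
  }
}
```

This only has effect on a JVM running with a security manager installed; since JDK 17 the Security Manager and AccessController are deprecated for removal (JEP 411), so check the target runtime before relying on this restriction.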
...