 
                            ...
This noncompliant example contains a privileged block that performs two sensitive operations: loading a library and setting the default exception handler. Fortunately, the first operation is guarded: when the default security manager is used, System.loadLibrary is refused unless the RuntimePermission "loadLibrary.awt" has been granted in the policy file to the code base of the class that calls doPrivileged. Unfortunately, the programmer does not guard against a caller performing the second sensitive operation, setting the default exception reporter. No permission protects it, and because it runs inside the privileged block it executes with the privileges of LoadLibrary rather than those of its caller. An attacker could exploit this weakness, for example, by installing a reporter with high verbosity, so that details intended only for the legitimate readers of the log files or error messages are exposed and the privilege separation those readers rely on is broken. This example also violates SEC36-J. Guard doPrivileged blocks against untrusted invocations, because it uses a single privileged block to carry out multiple operations that require different privilege levels.
```java
import java.security.AccessController;
import java.security.PrivilegedAction;

class LoadLibrary {
  private void loadLibrary() {
    AccessController.doPrivileged(new PrivilegedAction<Void>() {
      public Void run() {
        // Privileged code: guarded by RuntimePermission "loadLibrary.awt",
        // which is checked against this class's protection domain only
        System.loadLibrary("awt");
        // Second sensitive operation, also run with this class's privileges
        // and without any permission check of its own: every caller of
        // loadLibrary() can replace the default exception reporter.
        // (MyExceptionReporter and reporter are defined elsewhere on the page.)
        MyExceptionReporter.setExceptionReporter(reporter);
        return null;
      }
    });
  }
}
```
...
Define a custom permission, ExceptionReporterPermission "exc.reporter", to prohibit illegitimate callers from setting the default exception handler. This can be achieved by subclassing BasicPermission, which models binary permissions (either allowed or denied). By default a BasicPermission cannot be defined with actions, but actions can be implemented in the subclass if required. BasicPermission is declared abstract even though it contains no abstract methods; it implements every abstract method it inherits from Permission. The custom subclass of BasicPermission has to define two constructors that call the appropriate (one- or two-argument) superclass constructor, because the superclass lacks a default constructor. The two-argument constructor accepts an actions string even though a basic permission does not use it; it is required because the policy provider instantiates permission objects from the policy file through the (name, actions) constructor.
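The permission class and a hardened LoadLibrary that the paragraph describes, written out as an added example (this is not the page's own compliant solution, which is elided here). MyExceptionReporter is a minimal stand-in assumed for the example, since the page's own class is not shown above. The permission check is placed inside setExceptionReporter and the call is moved outside the privileged block, so AccessController.checkPermission sees the real caller's protection domain instead of stopping at a doPrivileged frame owned by LoadLibrary:

```java
import java.security.AccessController;
import java.security.BasicPermission;
import java.security.PrivilegedAction;

// Binary (allow/deny) permission gating replacement of the default exception
// reporter. The name "exc.reporter" matches the grant in the policy file.
public final class ExceptionReporterPermission extends BasicPermission {
  private static final long serialVersionUID = 1L;

  public ExceptionReporterPermission(String name) {
    super(name);
  }

  // The policy provider instantiates permissions reflectively through the
  // (name, actions) constructor, so it must exist even though a
  // BasicPermission ignores the actions string.
  public ExceptionReporterPermission(String name, String actions) {
    super(name, actions);
  }
}

// Assumed stand-in for the page's MyExceptionReporter. The sensitive operation
// checks the permission itself, so no caller can forget the check.
final class MyExceptionReporter {
  private static volatile Thread.UncaughtExceptionHandler reporter =
      (t, e) -> System.err.println("Uncaught in " + t.getName() + ": " + e);

  static void setExceptionReporter(Thread.UncaughtExceptionHandler r) {
    // Checks every protection domain on the call stack up to the nearest
    // doPrivileged frame; an unprivileged caller gets AccessControlException.
    AccessController.checkPermission(new ExceptionReporterPermission("exc.reporter"));
    reporter = r;
  }

  static Thread.UncaughtExceptionHandler getExceptionReporter() {
    return reporter;
  }
}

class LoadLibrary {
  private final Thread.UncaughtExceptionHandler reporter;

  LoadLibrary(Thread.UncaughtExceptionHandler reporter) {
    this.reporter = reporter;
  }

  void loadLibrary() {
    // Only the library load runs with this class's own privileges ...
    AccessController.doPrivileged(new PrivilegedAction<Void>() {
      public Void run() {
        System.loadLibrary("awt");
        return null;
      }
    });
    // ... the reporter change happens OUTSIDE the privileged block, so the
    // check inside setExceptionReporter includes the caller's protection
    // domain and fails unless the policy grants it "exc.reporter".
    MyExceptionReporter.setExceptionReporter(reporter);
  }
}
```

Keep all three classes in ExceptionReporterPermission.java (only the permission class is public; the policy provider needs a public class with a public two-argument constructor to instantiate it from the policy file) and run under a security manager, for example with -Djava.security.manager -Djava.security.policy=<policy file>, granting "exc.reporter" only to the code base of the trusted caller. Note that the SecurityManager and AccessController APIs have been deprecated for removal since Java 17 (JEP 411), so this technique applies only to JDKs on which the security manager can still be enabled.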
...
Assuming that the above sources reside in the c:\package directory on a Windows-based system, for example, the policy file needs to grant two permissions to that code base: ExceptionReporterPermission "exc.reporter" and RuntimePermission "loadLibrary.awt". Code loaded from any other code base receives neither permission, so its attempt to set the default exception reporter fails the check.
```
grant codeBase "file:c:\\package" {  // For *nix, file:${user.home}/package/
  permission ExceptionReporterPermission "exc.reporter";
  permission java.lang.RuntimePermission "loadLibrary.awt";
};
```
...