I'm trying to get myself familiar with the SecurityManager, but even this simple scenario fails. When I run the following from inside my IDE or from the command line I get the following exception:
access denied ("java.util.PropertyPermission" "java.home" "read")
I thought I allowed everything with this code:
Policy.setPolicy(new Policy() {
    @Override
    public PermissionCollection getPermissions(CodeSource codesource) {
        Permissions perm = new Permissions();
        perm.add(new AllPermission());
        return perm;
    }
});
System.setSecurityManager(new SecurityManager());
System.out.println(System.getProperty("java.home"));
Has this something to do with the derived policy from the JVM? How can I cleanly setPolicy()?
The same misunderstanding seems to happen for the following code:
System.setSecurityManager(new SecurityManager());
final Permissions allPermission = new Permissions();
allPermission.add(new AllPermission());
AccessController.doPrivileged((PrivilegedAction<Void>) () -> {
    System.out.println(System.getProperty("java.home"));
    return null;
}, new AccessControlContext(new ProtectionDomain[]{new ProtectionDomain(null, allPermission)}));
Update: the second case is understandable, as the provided permission is only a further restriction (javadoc): "The action is performed with the intersection of the permissions possessed by the caller's protection domain, and those possessed by the domains represented by the specified AccessControlContext."
A security manager is an object that defines a security policy for an application. This policy specifies actions that are unsafe or sensitive. Any actions not allowed by the security policy cause a SecurityException to be thrown. An application can also query its security manager to discover which actions are allowed.
The security manager is a class that allows applications to implement a security policy. It allows an application to determine, before performing a possibly unsafe or sensitive operation, what the operation is and whether it is being attempted in a security context that allows the operation to be performed.
Fortunately, the JVM has a system to restrict those operations. Unfortunately, it's not set by default. In order to activate the SecurityManager, just launch the JVM with the java. security.
I was able to recreate your case with an extra Policy.getPolicy() before the Policy.setPolicy() call. The reason it affects the behaviour is that the get policy call triggers creation of a default policy, and permissions from java.policy are set, but without a setSecurityManager() they are not activated. That is the reason why, when you set a custom AllPermission policy, you still get a "java.util.PropertyPermission" "java.home" "read" issue, for many such default policies are not overridden by the set policy. Very confusing structure indeed.
Policy.getPolicy();
Policy.setPolicy(policyWithAllPermission);
System.setSecurityManager(new SecurityManager());
System.out.println(System.getProperty("java.home"));
// results in 'access denied ("java.util.PropertyPermission" "java.home" "read")'
But if you use the following custom policy:
Policy allPermissionPolicy = new Policy() {
    @Override
    public boolean implies(ProtectionDomain domain, Permission permission) {
        return true;
    }
};
It overrides all permission definitions, and lets all actions through, a possible fix for this confusion.
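A least-privilege variant of the answer's implies() override, which also exercises the doPrivileged case from the question's update. This is an added example, not code from the question or the answer: AllowlistPolicyDemo, AllowlistPolicy and tryRead are hypothetical names, and it assumes a JDK on which System.setSecurityManager() is still permitted (for instance 8 or 11).

```java
import java.security.*;
import java.util.PropertyPermission;

public class AllowlistPolicyDemo {
    // Decides every check in implies(), as in the answer above, but against
    // an explicit allowlist instead of returning true for everything.
    static final class AllowlistPolicy extends Policy {
        private final Permissions granted = new Permissions();
        AllowlistPolicy(Permission... allowed) {
            for (Permission p : allowed) granted.add(p);
            granted.setReadOnly();
        }

        @Override
        public boolean implies(ProtectionDomain domain, Permission permission) {
            // Keep this side-effect free: I/O or class loading here can
            // trigger further permission checks and recurse.
            return granted.implies(permission);
        }
    }

    // Property value, or "DENIED" when the security manager refuses the read.
    static String tryRead(final String key, AccessControlContext extra) {
        PrivilegedAction<String> read = new PrivilegedAction<String>() {
            @Override public String run() { return System.getProperty(key); }
        };
        try {
            return extra == null ? read.run() : AccessController.doPrivileged(read, extra);
        } catch (SecurityException e) {
            return "DENIED";
        }
    }

    public static void main(String[] args) {
        Permissions all = new Permissions();
        all.add(new AllPermission());
        AccessControlContext allCtx = new AccessControlContext(
                new ProtectionDomain[] { new ProtectionDomain(null, all) });

        Policy.setPolicy(new AllowlistPolicy(new PropertyPermission("java.home", "read")));
        System.setSecurityManager(new SecurityManager());
        System.out.println(tryRead("java.home", null));   // on the allowlist
        System.out.println(tryRead("user.home", null));   // not on the allowlist
        // The supplied AllPermission context is intersected with this class's
        // own permissions (see the javadoc quoted in the question's update).
        System.out.println(tryRead("user.home", allCtx)); // not on the allowlist
    }
}
```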