Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Reflection Security

Tags:

java

security

reflection

policy

securitymanager

How to enforce reflection security by not allow the Method, Field, Constructor object to call setAccessible(true) ? SecurityPolicy File or something else?

Normally for stand-alone Java applications there is no SecurityManager registered.

I using this System.setSecurityManager(new SecurityManager());

This approach will work for calling methods.

I would like to enforce the whole jar or client code that uses the jar is not allow to call setAccessible(true);

Any better approach ?

Thanks.

like image 488
nicholas Avatar asked Feb 01 '13 04:02

nicholas

1 Answers

Um, it does work for setAccessible. See:

class A {
  private String method1() {
    return "Hello World!";
  }
}

and

import java.lang.reflect.Method;

class B {
  public static void main(String[] args) throws Exception {
    System.setSecurityManager(new SecurityManager());
    Class clazz = A.class;
    Method m = clazz.getDeclaredMethod("method1");
    m.setAccessible(true);
  }
}

Results in

Exception in thread "main" java.security.AccessControlException: access denied ("java.lang.reflect.ReflectPermission" "suppressAccessChecks")
        at java.security.AccessControlContext.checkPermission(Unknown Source)
        at java.security.AccessController.checkPermission(Unknown Source)
        at java.lang.SecurityManager.checkPermission(Unknown Source)
        at java.lang.reflect.AccessibleObject.setAccessible(Unknown Source)
        at B.main(B.java:8)

One reason it might've not worked for you is that according to comments in this post it didn't use to work in Java 1.5, but works in 6 and thereafter.

Edit: to deny it for specific jars, you need to either use a policy file, example:

// specific file
grant codeBase "file:/test/path/tools.jar" {
  // no permissions for this one
};

// default to giving all
grant {
  permission java.security.AllPermission;
};

There's two ways of specifying the policy file, either give it as additions to default, or give only those that are specified (source):

If you use

java -Djava.security.manager -Djava.security.policy==someURL SomeApp

(note the double equals) then just the specified policy file will be used; all the ones indicated in the security properties file will be ignored.

...or implement a custom security manager, which doesn't look that hard. Haven't done that myself though.

like image 92
eis Avatar answered Oct 12 '22 23:10

eis
Sign in to Comment

Related questions

java.io.IOException: error=2, No such file or directory
How to run Tests when developing javaagents?
Need Fool Proof Synchronization of ArrayList in A Multi-threaded Environment
Performance of coin splitting algorithm
Is Socket.getInputStream().read(byte[]) guaranteed to not block after at least some data is read?
Embed Tomcat with App in One Fat Jar
Automatic row numbering in javafx table
Java EE 5 dependency injection?
Complexity of Prims Algorithm using Priority Queue?
Request method 'POST' not supported when throwing exception
How to set width and margin of <p:column> in a <p:dataTable> ? primefaces
How can I get the property of an older version of a node in jackrabbit?
OpenCV: Dominoes circular spots/disks detection
Secret Android build process
Intermittent "sslv3 alert handshake failure" under Python
Apache Camel: What is actually being routed?
How to make my application system
activemq http proxy
How to override the Open button of Java SWT FileDialog class
Java: How to remove default KeyStrokes from any JComponent?

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!