Access control in Java -- Permission check order

  sonic0002        2016-03-07 04:17:40

Previously we showed you how to turn on SecurityManager in Java. After SecurityManager is turned on, a series of permission checks is applied to the code your application calls, in order to protect resources such as files and sockets against malicious access.

To perform these permission checks, a set of Permissions is created and checked by the AccessController. The AccessController has three purposes:

  • To decide whether an access to a critical system resource is to be allowed or denied, based on the security policy currently in effect,
  • To mark code as being "privileged", thus affecting subsequent access determinations
  • To obtain a "snapshot" of the current calling context so access-control decisions from a different context can be made with respect to the saved context

The AccessController provides a static method to perform the permission check for the current calling stack, AccessController.checkPermission(), which takes the Permission object to be checked as its parameter. This Permission is checked against every protection domain on the current calling stack. If any one protection domain fails this check, the whole permission check fails.

To grant classes access to resources, Java provides a policy file at jre/lib/security/java.policy which contains the predefined permissions granted to all classes and to the Java core API classes. The policy file can be edited to grant specific permissions to your application if needed.

Now let's move on to the details of how the permission check is performed for each protection domain on the calling stack. For example, suppose we have three classes: AccessTest, protectiondomain.b.B and protectiondomain.a.A. Each class is in a different protection domain: AccessTest is in the System Domain, protectiondomain.b.B is in protection domain http://b.test.com and protectiondomain.a.A is in protection domain http://a.test.com.

If we have the following stack trace after calling AccessTest.main():

at protectiondomain.a.A.test0(A.java:12)
at protectiondomain.a.A.test(A.java:6)
at protectiondomain.b.B.test(B.java:9)
at AccessTest.main(AccessTest.java:7)

In protectiondomain.a.A.test0(), there is a call to System.getProperty("os.name"). When SecurityManager is turned on, the call System.getProperty("os.name") internally triggers a permission check to determine whether the calling class protectiondomain.a.A has read permission for the system property os.name.

From the stack trace, there are three protection domains on the calling stack: http://a.test.com, http://b.test.com, and the System Domain. The check starts with protection domain http://a.test.com. If it has read permission for os.name, the check proceeds to protection domain http://b.test.com. If that domain also has the read permission, the check proceeds to the System Domain. If the System Domain has the read permission as well, AccessController.checkPermission() returns silently and the check succeeds. Otherwise, if for example http://b.test.com does not have read permission for os.name, AccessController.checkPermission() throws an AccessControlException immediately, without examining the remaining domains.
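The following is an added example, not code from the original post, that reproduces this per-domain check with the JDK's own AccessControlContext rather than a real class loader setup. It builds the three protection domains from the stack trace with hand-picked permissions (the code bases, the System Domain stand-in and the grants are assumptions) and runs the same os.name check once with http://b.test.com lacking the permission and once with it granted; it assumes a JDK where AccessControlContext.checkPermission still evaluates domains (the class is deprecated since Java 17 and no longer functional once the Security Manager was permanently disabled in Java 24).

```java
import java.net.URI;
import java.security.AccessControlContext;
import java.security.AccessControlException;
import java.security.AllPermission;
import java.security.CodeSource;
import java.security.Permission;
import java.security.Permissions;
import java.security.ProtectionDomain;
import java.util.PropertyPermission;

// Added illustration of the per-domain check order (not from the original post).
public class CheckOrderDemo {

    // Build a protection domain for a code base with a fixed permission set.
    // The two-argument ProtectionDomain constructor makes the permissions static,
    // so the Policy (java.policy) is not consulted: what we grant here is all it has.
    static ProtectionDomain domain(String codeBase, Permission... granted) throws Exception {
        CodeSource cs = new CodeSource(URI.create(codeBase).toURL(),
                                       (java.security.cert.Certificate[]) null);
        Permissions perms = new Permissions();
        for (Permission p : granted) perms.add(p);
        return new ProtectionDomain(cs, perms);
    }

    // Domains are ordered as in the stack trace: A (innermost caller), then B, then System.
    // checkPermission() walks them in that order and throws at the first domain that
    // does not imply the permission; it returns silently only if all of them do.
    static void check(ProtectionDomain[] stack, Permission wanted) {
        AccessControlContext ctx = new AccessControlContext(stack);
        try {
            ctx.checkPermission(wanted);
            System.out.println("granted: " + wanted);
        } catch (AccessControlException e) {
            System.out.println("denied:  " + e.getMessage());
        }
    }

    public static void main(String[] args) throws Exception {
        Permission readOsName = new PropertyPermission("os.name", "read");
        // Assumed stand-in for the System Domain: core classes hold AllPermission.
        ProtectionDomain system = domain("file:/jre/lib/rt.jar", new AllPermission());
        ProtectionDomain a = domain("http://a.test.com", readOsName);

        // Case 1: b.test.com was never granted the read permission, so the check fails there.
        ProtectionDomain bDenied = domain("http://b.test.com");
        check(new ProtectionDomain[] { a, bDenied, system }, readOsName);

        // Case 2: b.test.com is granted the permission, as a java.policy entry would; all pass.
        ProtectionDomain bGranted = domain("http://b.test.com", readOsName);
        check(new ProtectionDomain[] { a, bGranted, system }, readOsName);
    }
}
```

Compile and run with javac/java; the first check prints a denial naming the PropertyPermission, the second prints that it was granted.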

Sometimes you may want to give temporary access to a class in a protection domain which initially does not have the permission required to access some resource. AccessController provides a few doPrivileged() methods which can grant such temporary permission.

We will cover the purpose of doPrivileged() and how permission checks will be done in doPrivileged() in a future post.

JAVA  SECURITY  ACCESSCONTROLLER 
