tags:

views:

291

answers:

2
+2  Q: 

When should AccessController.doPrivileged() be used?

If I understand http://stackoverflow.com/questions/852453/accesscontroller-doprivileged correctly, it is saying that untrusted code should be able to invoke methods requiring permissions (such as System.getProperty()) through an intermediate method that does have permissions.

That brings up the question: when should AccessController.doPrivileged() be used? When should untrusted code be allowed to invoke privileged code through intermediate methods? When should it fail?

Following your reasoning, please explain why ClassLoader creation should always be allowed: http://findbugs.sourceforge.net/bugDescriptions.html#DP_CREATE_CLASSLOADER_INSIDE_DO_PRIVILEGED

+2  A: 

  1. ..through an intermediate method that does have permissions . No, the final effective permissions is the intersection of all permissions in the domain stack. So suppose an operation requires a permission B to execute, and say some intermediate LIB has two permissions B and A. Now when some untrusted code with only permission A calls through LIB, the effective permission set is (A intersect (A+B)) = A. Hence the untrusted code cannot exploit intermediate LIB to gain extra permissions.

  2. When should doPriveleged be used?-> There are lot of operations in Java that require the caller domain to have certain permissions for successful execution of those operations. System.getProperty is one of those operations. All file related operations also need special permissions. When you use AccessController.doPrivileged to invoke those operations, the operation is executed with all the rights(permissions) of your protection domain. Hence if your code has enough rights only then it could execute those operations.

Suraj Chandran  2010-02-10 02:44:14
@Suraj, "When you use AccessController.doPrivileged to invoke those operations, the operation is executed with all the rights(permissions) of your protection domain". Can you please provide an example of what permissions would be with and without the use of doPrivileged()?
Gili  2010-02-11 03:41:25
@Gilli..this will asnwer your question.."Technically, whenever a resource access is attempted, all code traversed by the execution thread up to that point must have permission for that resource access, unless some code on the thread has been marked as "privileged" by a doPriveleged block"
Suraj Chandran  2010-02-11 04:45:08
@Gilli...Suppose a thread traverses through three code bases A,B and C before executing a secured operation. A and C don't have permission for that operation but B does. If you dont use doPriveleged in B and end up calling the secured operation, you will get a SecurityException as C does not have enough permissions. But if you use a doPriveleged block in B before callling in to C, then even C will also execute with those permissions, hence you can now ecexute the secure operation.
Suraj Chandran  2010-02-11 04:50:07
@Suraj, I agree that if A calls B a privileged block is required to adopt only B's permissions. But if B then calls through to C (even from within a privileged block), won't it fail if C's context doesn't have the required permissions? Doesn't it still start calling up from the permission "stack" again? (I haven't done anything in this area for a while to test it - just working off the AccessController docs).
Ash  2010-02-11 09:04:30
+1  A: 

Agree with Suraj's answer, but thought I'd add a specific example where I've required the use of a privileged block.

Imagine you've built an application that provides a number of services to pluggable modules. So your app and its services are trusted code. The pluggable modules, however, are not necessarily trusted and are loaded in their own class loaders (and have their own protection domains).

When a pluggable module invokes a service, you are implementing custom security checks ("does pluggable module X have permission to use this service"). But the service itself might require some core Java permission (read a system property, write to a file, etc). The code that requires these permissions is wrapped in a doPrivileged() so that the insufficient permissions from the untrusted pluggable modules are effectively ignored - only the privileges of your trusted services module apply.

Ash  2010-02-11 08:57:31
@Ash, given A which has permission to invoke X but B does not, and A invokes B which invokes X. Does doPrivileged() mean "B doesn't have permission to invoke X, but I do and I vouch for him. So A is now allowed to invoke X"?
Gili  2010-02-11 18:14:52
@Gili, my understanding is that the doPrivileged() block assumes the permissions of the current protection domain, excluding anything further back in the stack. It won't necessarily pass permissions forward to future calls that themselves have lesser permissions (I'm kind of working from memory and interpreting the documentation - see my comment in Suraj's answer).
Ash  2010-02-12 10:25:54

related questions

Java Time Zone is messed up
Eclipse on win64
Automate builds for Java RCP for deployment with JNLP
Why are professors or schools picking Java over C++ to teach to students?
Is there a real benefit of using J#?
Public/Popular Websites using JavaServer Faces
Why can't I use a try block around my super() call?
Accessing post variables using Java Servlets
Personal Linux web server
Is this really widening vs autoboxing?
How can I Java webstart multiple, dependent, native libraries?
Why can't I call toString() on a Java primitive?
How do I use Java to read from a file that is actively being written?
What code analysis tools do you use for your Java projects?
IllegalArgumentException or NullPointerException for a null parameter?
How do I configure and communicate with a serial port?
What is the best way to parse strings in Java
Getting started with a custom JXTA PeerGroup
Creating a custom button in Java
How to get started "writing" a code coverage tool?
Which Build-/Configuration Management Tool?
What is the difference between an int and an Integer in Java/C#?
What is the meaning of the type safety warning in certain Java generics casts?
How would you access Object properties from within an object method?
Converting CSV File to XML in Java