Most Permission objects also include an "actions" list that tells the actions that are permitted for the object. For example, for a java. FilePermission object, the permission name is the pathname of a file or directory , and the actions list such as "read, write" specifies which actions are granted for the specified file or for files in the specified directory.
The actions list is optional for Permission objects, such as java. RuntimePermission , that don't need such a list; you either have the named permission such as "system. An important method that must be implemented by each subclass is the implies method to compare Permissions.
Basically, "permission p1 implies permission p2" means that if one is granted permission p1, one is naturally granted permission p2. Thus, this is not an equality test, but rather more of a subset test. Permission objects are similar to String objects in that they are immutable once they have been created.
Subclasses should not provide methods that can change the state of a permission once it has been created. This must be implemented by subclasses of Permission, as they are the only ones that can impose semantics on a Permission object. The implies method is used by the AccessController to determine whether or not a requested permission is implied by another permission that is known to be valid in the current execution context.
Alex Alex 4, 2 2 gold badges 16 16 silver badges 58 58 bronze badges. Sign up or log in Sign up using Google. Sign up using Facebook. Sign up using Email and Password. Post as a guest Name. Email Required, but never shown. The Overflow Blog. Podcast Helping communities build their own LTE networks. Podcast Making Agile work for data science. Featured on Meta. New post summary designs on greatest hits now, everywhere else eventually. Linked 0. Related 1.
Hot Network Questions. Question feed. Stack Overflow works best with JavaScript enabled. Accept all cookies Customize settings. For each name, the table provides a description of exactly what that permission allows, as well as a discussion of the risks of granting code the permission.
The following table contains a list of all the methods that require permissions, and for each tells which SecurityManager method it calls and which permission is checked for by the default implementation of that SecurityManager method.
Thus, with the default SecurityManager method implementations, a call to a method in the left-hand column can only be successful if the permission specified in the corresponding entry in the right-hand column is allowed by the policy currently in effect. For example, the following row:. Toolkit class results in a call to the checkAwtEventQueueAccess SecurityManager method, which can only be successful if the following permission is granted to code on the call stack:. More specifically, the permission must either be explicitly set, as above, or implied by another permission, such as the following:.
In some cases, a term in braces is not exactly the same as the name of a specific method argument but is meant to represent the relevant value. Here is an example:. Here, the appropriate host and port values are calculated by the receive method and passed to checkAccept.
In most cases, just the name of the SecurityManager method called is listed. Where the method is one of multiple methods of the same name, the argument types are also listed, for example for checkRead String and checkRead FileDescriptor. In other cases where arguments may be relevant, they are also listed.
The following table is ordered by package name. That is, the methods in classes in the java. Note: The getPrintJob method is actually abstract and thus can't invoke security checks. Each actual implementation of the method should call the java. SecurityManager checkPrintJobAccess method, which is successful only if the java. RuntimePermission "queuePrintJob" permission is currently allowed. Note: The getSystemClipboard method is actually abstract and thus can't invoke security checks.
SecurityManager checkSystemClipboardAccess method, which is successful only if the java. AWTPermission "accessClipboard" permission is currently allowed. This table shows which permissions are checked for by the default implementations of the java.
SecurityManager methods. Each of the specified check methods calls the SecurityManager checkPermission method with the specified permission, except for the checkConnect and checkRead methods that take a context argument. Those methods expect the context to be an AccessControlContext and they call the context's checkPermission method with the specified permission. Skip to Content. Permission Descriptions and Risks. Methods and the Permissions They Require.
SecurityManager Method Permission Checks. All rights reserved. Extreme care must be taken when granting this permission. Malicious code could create a DomainCombiner that augments the set of permissions granted to code, and even grant the code AllPermission.
This allows someone to query the policy via the getPermissions call, which discloses which permissions would be granted to a given CodeSource. While revealing the policy does not compromise the security of the system, it does provide malicious code with additional information which it may use to better aim an attack. It is wise not to divulge more information than necessary. Retrieval of the system-wide security policy specifically, of the currently-installed Policy object.
Granting this permission is extremely dangerous, as malicious code may grant itself all the necessary permissions it needs to successfully mount an attack on the system. Granting this permission enables code to obtain a Policy object.
Malicious code may query the Policy object to determine what permissions have been granted to code other than itself. Depending on the particular key for which access has been granted, the code may have access to the list of security providers, as well as the location of the system-wide and user security policies.
This could include setting a security provider or defining the location of the system-wide security policy. Malicious code that has permission to set a new security provider may set a rogue provider that steals confidential information such as cryptographic private keys.
In addition, malicious code with permission to set the location of the system-wide security policy may point it to a security policy that grants the attacker all the necessary permissions it requires to successfully mount an attack on the system.
This would allow somebody to introduce a possibly malicious provider e. This would be possible because the Security object which manages the installed providers currently does not check the integrity or authenticity of a provider before attaching it.
This may change the behavior or disable execution of other parts of the program. If a provider subsequently requested by the program has been removed, execution may fail. Also, if the removed provider is not explicitly requested by the rest of the program, but it would normally be the provider chosen when a cryptography service is requested due to its previous order in the list of providers , a different provider will be chosen instead, or no suitable provider will be found, thereby resulting in program failure.
This disables the lookup of services implemented by the provider. This may thus change the behavior or disable execution of other parts of the program that would normally utilize the Provider, as described under the "removeProvider. The provider properties each specify the name and location of a particular service implemented by the provider.
By granting this permission, you let code replace the service specification with another one, thereby specifying a different implementation. They are no longer accessible due to removal of the properties specifying their names and locations. This may change the behavior or disable execution of other parts of the program that would normally utilize the Provider, as described under the "removeProvider.
This would allow an attacker to configure the system identity scope with certificates that should not be trusted, thereby granting applet or application code signed with those certificates privileges that would have been denied by the system's original identity scope. If the identity is marked as "trusted", this allows an attacker to introduce a different public key e. This allows attackers to set the general description for an identity.
This may trick applications into using a different identity than intended or may prevent applications from finding a particular identity.
This allows attackers to set a certificate for an identity's public key. This is dangerous because it affects the trust relationship across the system. This public key suddenly becomes trusted to a wider audience than it otherwise would be.
This allows attackers to remove a certificate for an identity's public key. This public key suddenly becomes considered less trustworthy than it otherwise would be. Viewing the name of a principal and optionally the scope in which it is used, and whether or not it is considered "trusted" in that scope. The scope that is printed out may be a filename, in which case it may convey local system information.
It is very dangerous to allow access to a private key; private keys are supposed to be kept secret. Otherwise, code can use the private key to sign various files and claim the signature came from the Signer.
This would allow an attacker to replace somebody else's the "target's" keypair with a possibly weaker keypair e.
This also would allow the attacker to listen in on encrypted communication between the target and its peers. The target's peers might wrap an encryption session key under the target's "new" public key, which would allow the attacker who possesses the corresponding private key to unwrap the session key and decipher the communication data encrypted under that session key.
After retrieving the AWT event queue, malicious code may peek at and even remove existing events from the system, as well as post bogus events which may purposefully cause the application or applet to misbehave in an insecure manner.
This would allow malicious code to add tray icons to the system tray. First, such an icon may look like the icon of some known application such as a firewall or anti-virus and order a user to do something unsafe with help of balloon messages. Second, the system tray may be glutted with tray icons so that no one could add a tray icon anymore. Robot object allows code to generate native-level mouse and keyboard events as well as read the screen.
It could allow malicious code to control the system, run other programs, read the display, and deny mouse and keyboard access to the user. Entering full-screen exclusive mode allows direct access to low-level graphics card memory.
This could be used to spoof the system, since the program is in direct control of rendering. After adding an AWT event listener, malicious code may scan all AWT events dispatched in the system, allowing it to read all user input such as passwords. Each AWT event listener is called from within the context of that event queue's EventDispatchThread , so if the accessEventQueue permission is also enabled, malicious code could modify the contents of AWT event queues system-wide, causing the application or applet to misbehave in an insecure manner.
Interfaces such as the java. Composite interface which allow arbitrary code to examine pixels on the display enable malicious code to snoop on the activities of the user.
When a SecurityManager is installed, the invoking thread must be granted this permission in order to replace the current KeyboardFocusManager.
If permission is not granted, a SecurityException will be thrown. Malicious code could set an applet's stub and result in unexpected behavior or denial of service to an applet.
The malicious window might make itself look and behave like a real full desktop, so that information entered by the unsuspecting user is captured and subsequently misused. Display of a window without also displaying a banner warning that the window was created by an applet. Without this warning, an applet may pop up windows without the user knowing that they belong to an applet. Since users may make security-sensitive decisions based on whether or not the window belongs to an applet entering a username and password into a dialog box, for example , disabling this warning banner may allow applets to trick the user into entering such information.
When a toolkit-modal dialog is shown from an applet, it blocks all other applets in the browser. When launching applications from Java Web Start, its windows such as the security dialog may also be blocked by toolkit-modal dialogs, shown from these applications. Constantly watching the mouse pointer, an applet can make guesses about what the user is doing, i.
If a virtual keypad is used so that keyboard is emulated using the mouse, an applet may guess what is being typed. Permission to execute. Allows Runtime. Corresponds to SecurityManager. Permission to delete. Allows File. Implementing a subclass of ObjectOutputStream or ObjectInputStream to override the default serialization or deserialization, respectively, of objects.
Code can use this to serialize or deserialize classes in a purposefully malfeasant manner. For example, during serialization, malicious code can use this to purposefully store confidential private field data in a way easily accessible to attackers.
Or, during deserializaiton it could, for example, deserialize a class with all its private fields zeroed out. This is dangerous because malicious code can replace the actual object with one which has incorrect or malignant data.
Warning: Extreme caution should be taken before granting this permission to code , for it provides the ability to access fields and invoke methods in a class. This includes not only public, but protected and private fields and methods as well. This is dangerous in that information possibly confidential and methods normally unavailable would be accessible to malicious code.
This is an extremely dangerous permission to grant. Malicious applications that can instantiate their own class loaders could then load their own rogue classes into the system.
These newly loaded classes could be placed into any protection domain by the class loader, thereby automatically granting the classes the permissions for that domain.
This would grant an attacker permission to get the class loader for a particular class. This is dangerous because having access to a class's class loader allows the attacker to load other classes available to that class loader. The attacker would typically otherwise not have access to those classes. The context class loader is used by system code and extensions when they need to lookup resources that might not exist in the system class loader.
Granting setContextClassLoader permission would allow code to change which context class loader is used for a particular thread, including system threads. Granting enableContextClassLoaderOverride permission would allow a subclass of Thread to override the methods that are used to get or set the context class loader for a particular thread. The security manager is a class that allows applications to implement a security policy. Granting the setSecurityManager permission would allow code to change which security manager is used by installing a different, possibly less restrictive security manager, thereby bypassing checks that would have been enforced by the original security manager.
This gives code access to protected, sensitive methods that may disclose information about other classes or the execution stack. This would allow code to read the value, or determine the existence, of a particular environment variable. This is dangerous if the variable contains confidential data. This allows an attacker to mount a denial-of-service attack by automatically forcing the virtual machine to halt. Note: The "exitVM. Also, the "exitVM" permission is equivalent to "exitVM.
This allows an attacker to register a malicious shutdown hook that interferes with the clean shutdown of the virtual machine. This allows code to set the actual implementation for the socket, server socket, stream handler, or RMI socket factory.
An attacker may set a faulty implementation which mangles the data stream. This allows changing the value of the standard system streams. An attacker may change System. Modification of threads, e. This allows code to stop any thread in the system provided that it is already granted permission to access that thread. This poses as a threat, because that code may corrupt the system by killing existing threads.
Modification of thread groups, e. This allows code to obtain policy information for a particular code source. While obtaining policy information does not compromise the security of the system, it does give attackers additional information, such as local file names for example, to better aim an attack.
This allows code to obtain file system information such as disk usage or disk space available to the caller. This is potentially dangerous because it discloses information about the system hardware configuration and some information about the caller's privilege to write files. This would allow code to read the particular file associated with the file descriptor read. This is dangerous if the file contains confidential data.
This allows code to write to a particular file associated with the descriptor. This is dangerous because it may allow malicous code to plant viruses or at the very least, fill up your entire disk.
It is dangerous to allow an applet permission to load native code libraries, because the Java security architecture is not designed to and does not prevent malicious behavior at the level of native code.
Access to the specified package via a class loader's loadClass method when that class loader calls the SecurityManager checkPackageAcesss method. This gives code access to classes in packages to which it normally does not have access.
0コメント