Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss

security manager, policy file and writing permission

45 views
Skip to first unread message

Dror Matalon

unread,
Oct 10, 2002, 2:31:49 PM10/10/02
to

Hi,

I'm trying to run a java program with the security manager enabled and allow
only a specific class the permissions to write. So I have two files
TestWrite.java and FileWrite.java. The first calls the second, and the
second one does the actual file IO.
This works fine without a security manager. It also works fine if
assign the permissions to TestWrite.java. But if I try to assign
*write* permissions (read permissions work fine) to FileWrite.java
it doesn't work. I still get the exception. The whole idea though
is to allow the writing in a specific class rather than to the whole
application.

I must be missing something, but I looked at quite a few security
resources online and couldn't find an answer for this. Any help would
be appreciated.

Dror



This doesn't work
-------------------------------------------------
grant codeBase "file:/usr/home/dror/java/jakarta-tomcat-4.0.1/classes/write.jar" {
permission java.io.FilePermission "/usr/home/dror/java/test/*", "read, write, delete, execute";
};

grant codeBase "file:/usr/home/dror/java/test/-" {
permission java.util.PropertyPermission "user.home", "read";
permission java.util.PropertyPermission "java.home", "read";
};
-------------------------------------------------

This does work
-------------------------------------------------
grant codeBase "file:/usr/home/dror/java/jakarta-tomcat-4.0.1/classes/write.jar" {
permission java.io.FilePermission "/usr/home/dror/java/test/*", "read, write, delete, execute";
};

grant codeBase "file:/usr/home/dror/java/test/-" {
permission java.util.PropertyPermission "user.home", "read";
permission java.util.PropertyPermission "java.home", "read";
permission java.io.FilePermission "/usr/home/dror/java/test/*", "read, write, delete, execute";
};
-------------------------------------------------

TestWrite.java
-------------------------------------------------
import java.lang.*;
import java.security.*;
import java.io.*;

class TestWrite {

public static void main(String[] args) {

/* Test reading properties w & w/out security manager */

String s;
String fullPath = "/usr/home/dror/java/test/test.new";
System.out.println("Path: " + fullPath);
com.jevu.FileWrite foo = new com.jevu.FileWrite(fullPath);
//File foo = new File(fullPath);


try {
if (foo.exists())
System.out.println("Exists: " + fullPath);
else {
System.out.println("Creating<p>");
boolean created = foo.createNewFile();
System.out.println("Created returned " + created + " <p>");
}


} catch (Exception e) {
e.printStackTrace();
System.err.println("Caught exception " + e.toString());
}

}

}
-------------------------------------------------
com/jevu/FileWrite.java
-------------------------------------------------
package com.jevu;

import java.io.File;
import java.security.Policy;

public class FileWrite {
File file = null;

public FileWrite (String path) {

file = new File(path);

}

public boolean exists() {
return file.exists();
}

public boolean createNewFile() throws java.io.IOException {
return file.createNewFile();
}


}
-------------------------------------------------

java.security.AccessControlException: access denied (java.io.FilePermission /usr/home/dror/java/test/test.new read)
at java.security.AccessControlContext.checkPermission(AccessControlContext.java:272)
at java.security.AccessController.checkPermission(AccessController.java:399)
at java.lang.SecurityManager.checkPermission(SecurityManager.java:545)
at java.lang.SecurityManager.checkRead(SecurityManager.java:890)
at java.io.File.exists(File.java:546)
at com.jevu.FileWrite.exists(FileWrite.java:26)
at TestWrite.main(TestWrite.java:19)
Caught exception java.security.AccessControlException: access denied (java.io.FilePermission /usr/home/dror/java/test/test.new read)
--

Dror Matalon 1700 MLK Way
Zapatec Inc Berkeley, CA 94709
http://www.zapatec.com

VK

unread,
Oct 12, 2002, 12:54:30 AM10/12/02
to
Security heritage - this is what you are missing.

No one class can have higher security permission than the class-caller
(constructor). Otherwise it would be enough to write a simple class loader
which could be capable to do anything on your system through the loaded /
built / RMI'ed classes. An evident security mesure.


Dror Matalon <dr...@matal.com> wrote in message
news:pIjp9.37958$Ik.8...@typhoon.sonic.net...

Peter Kunze

unread,
Oct 14, 2002, 9:15:55 AM10/14/02
to
Dror Matalon wrote:
>
> Hi,

> This doesn't work
> -------------------------------------------------
> grant codeBase "file:/usr/home/dror/java/jakarta-tomcat-4.0.1/classes/write.jar" {
> permission java.io.FilePermission "/usr/home/dror/java/test/*", "read, write, delete, execute";
> };
>
> grant codeBase "file:/usr/home/dror/java/test/-" {
> permission java.util.PropertyPermission "user.home", "read";
> permission java.util.PropertyPermission "java.home", "read";
> };
I think you should give 'execute'-Permission to change Directory.

> java.security.AccessControlException: access denied (java.io.FilePermission /usr/home/dror/java/test/test.new read)
> at java.security.AccessControlContext.checkPermission(AccessControlContext.java:272)
> at java.security.AccessController.checkPermission(AccessController.java:399)
> at java.lang.SecurityManager.checkPermission(SecurityManager.java:545)
> at java.lang.SecurityManager.checkRead(SecurityManager.java:890)
> at java.io.File.exists(File.java:546)
> at com.jevu.FileWrite.exists(FileWrite.java:26)
> at TestWrite.main(TestWrite.java:19)
> Caught exception java.security.AccessControlException: access denied (java.io.FilePermission /usr/home/dror/java/test/test.new read)

It looks like that.

I don't know why VK means that - I think it should be OK in your way.

Greetings Peter

Dror Matalon

unread,
Oct 15, 2002, 12:58:56 AM10/15/02
to

Hi,

Actually what was missing was in the code . Needed to do a
AccessController.doPrivileged(). Once I did that it worked fine.
Here's the new method that worked.


public Boolean createNewFile() {
Boolean success = (Boolean) AccessController.doPrivileged(
new PrivilegedAction() {
public Object run() {
boolean result;
try {
result = file.createNewFile();
}
catch (java.io.IOException e) {
result = false;
}
return new Boolean (result);
}
}
);
return (success);
}


Dror

In article <aWNp9.18302$ue4.1...@bgtnsc04-news.ops.worldnet.att.net>,

0 new messages