I'm trying to run a java program with the security manager enabled and allow
only a specific class the permissions to write. So I have two files
TestWrite.java and FileWrite.java. The first calls the second, and the
second one does the actual file IO.
This works fine without a security manager. It also works fine if
assign the permissions to TestWrite.java. But if I try to assign
*write* permissions (read permissions work fine) to FileWrite.java
it doesn't work. I still get the exception. The whole idea though
is to allow the writing in a specific class rather than to the whole
application.
I must be missing something, but I looked at quite a few security
resources online and couldn't find an answer for this. Any help would
be appreciated.
Dror
This doesn't work
-------------------------------------------------
grant codeBase "file:/usr/home/dror/java/jakarta-tomcat-4.0.1/classes/write.jar" {
permission java.io.FilePermission "/usr/home/dror/java/test/*", "read, write, delete, execute";
};
grant codeBase "file:/usr/home/dror/java/test/-" {
permission java.util.PropertyPermission "user.home", "read";
permission java.util.PropertyPermission "java.home", "read";
};
-------------------------------------------------
This does work
-------------------------------------------------
grant codeBase "file:/usr/home/dror/java/jakarta-tomcat-4.0.1/classes/write.jar" {
permission java.io.FilePermission "/usr/home/dror/java/test/*", "read, write, delete, execute";
};
grant codeBase "file:/usr/home/dror/java/test/-" {
permission java.util.PropertyPermission "user.home", "read";
permission java.util.PropertyPermission "java.home", "read";
permission java.io.FilePermission "/usr/home/dror/java/test/*", "read, write, delete, execute";
};
-------------------------------------------------
TestWrite.java
-------------------------------------------------
import java.lang.*;
import java.security.*;
import java.io.*;
class TestWrite {
public static void main(String[] args) {
/* Test reading properties w & w/out security manager */
String s;
String fullPath = "/usr/home/dror/java/test/test.new";
System.out.println("Path: " + fullPath);
com.jevu.FileWrite foo = new com.jevu.FileWrite(fullPath);
//File foo = new File(fullPath);
try {
if (foo.exists())
System.out.println("Exists: " + fullPath);
else {
System.out.println("Creating<p>");
boolean created = foo.createNewFile();
System.out.println("Created returned " + created + " <p>");
}
} catch (Exception e) {
e.printStackTrace();
System.err.println("Caught exception " + e.toString());
}
}
}
-------------------------------------------------
com/jevu/FileWrite.java
-------------------------------------------------
package com.jevu;
import java.io.File;
import java.security.Policy;
public class FileWrite {
File file = null;
public FileWrite (String path) {
file = new File(path);
}
public boolean exists() {
return file.exists();
}
public boolean createNewFile() throws java.io.IOException {
return file.createNewFile();
}
}
-------------------------------------------------
java.security.AccessControlException: access denied (java.io.FilePermission /usr/home/dror/java/test/test.new read)
at java.security.AccessControlContext.checkPermission(AccessControlContext.java:272)
at java.security.AccessController.checkPermission(AccessController.java:399)
at java.lang.SecurityManager.checkPermission(SecurityManager.java:545)
at java.lang.SecurityManager.checkRead(SecurityManager.java:890)
at java.io.File.exists(File.java:546)
at com.jevu.FileWrite.exists(FileWrite.java:26)
at TestWrite.main(TestWrite.java:19)
Caught exception java.security.AccessControlException: access denied (java.io.FilePermission /usr/home/dror/java/test/test.new read)
--
Dror Matalon 1700 MLK Way
Zapatec Inc Berkeley, CA 94709
http://www.zapatec.com
No one class can have higher security permission than the class-caller
(constructor). Otherwise it would be enough to write a simple class loader
which could be capable to do anything on your system through the loaded /
built / RMI'ed classes. An evident security mesure.
Dror Matalon <dr...@matal.com> wrote in message
news:pIjp9.37958$Ik.8...@typhoon.sonic.net...
> java.security.AccessControlException: access denied (java.io.FilePermission /usr/home/dror/java/test/test.new read)
> at java.security.AccessControlContext.checkPermission(AccessControlContext.java:272)
> at java.security.AccessController.checkPermission(AccessController.java:399)
> at java.lang.SecurityManager.checkPermission(SecurityManager.java:545)
> at java.lang.SecurityManager.checkRead(SecurityManager.java:890)
> at java.io.File.exists(File.java:546)
> at com.jevu.FileWrite.exists(FileWrite.java:26)
> at TestWrite.main(TestWrite.java:19)
> Caught exception java.security.AccessControlException: access denied (java.io.FilePermission /usr/home/dror/java/test/test.new read)
It looks like that.
I don't know why VK means that - I think it should be OK in your way.
Greetings Peter
Actually what was missing was in the code . Needed to do a
AccessController.doPrivileged(). Once I did that it worked fine.
Here's the new method that worked.
public Boolean createNewFile() {
Boolean success = (Boolean) AccessController.doPrivileged(
new PrivilegedAction() {
public Object run() {
boolean result;
try {
result = file.createNewFile();
}
catch (java.io.IOException e) {
result = false;
}
return new Boolean (result);
}
}
);
return (success);
}
Dror
In article <aWNp9.18302$ue4.1...@bgtnsc04-news.ops.worldnet.att.net>,