Class SecureSM

java.lang.Object
java.lang.SecurityManager
org.opensearch.secure_sm.SecureSM

public class SecureSM
extends java.lang.SecurityManager
Extension of SecurityManager that works around a few design flaws in Java Security.

There are a few major problems that require custom SecurityManager logic to fix:

  • exitVM permission is implicitly granted to all code by the default Policy implementation. For a server app, this is not wanted.
  • ThreadGroups are not enforced by default, instead only system threads are protected out of box by modifyThread/modifyThreadGroup. Applications are encouraged to override the logic here to implement a stricter policy.
  • System threads are not even really protected, because if the system uses ThreadPools, modifyThread is abused by its shutdown checks. This means a thread must have modifyThread to even terminate its own pool, leaving system threads unprotected.
This class throws an exception on exitVM calls and provides a whitelist of classes from which exit calls are allowed.

Additionally it enforces threadgroup security with the following rules:

  • modifyThread and modifyThreadGroup are required for any thread access checks: with these permissions, access is granted as long as the thread group is the same or an ancestor (sourceGroup.parentOf(targetGroup) == true).
  • code without these permissions can do very little, except to interrupt itself. It may not even create new threads.
  • very special cases (like test runners) that have ThreadPermission can violate threadgroup security rules.

If java security debugging (java.security.debug) is enabled, and this SecurityManager is installed, it will emit additional debugging information when threadgroup access checks fail.
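As an added example (not part of the OpenSearch javadoc or the secure_sm sources), the program below installs SecureSM with a constructed exit whitelist and exercises both rules above: an exit from a class outside the whitelist is refused, and a thread may interrupt another only when its own group is the same or an ancestor. It assumes the ThreadPermission class mentioned above lives in the same package, uses the placeholder regex `org\.example\.Launcher`, and needs a JDK on which a security manager can still be installed (`-Djava.security.manager=allow` on JDK 18 through 23).

```java
import java.security.Permission;
import java.security.Policy;
import java.security.ProtectionDomain;
import org.opensearch.secure_sm.SecureSM;
import org.opensearch.secure_sm.ThreadPermission;

public class SecureSMDemo {
    // Constructed policy: grants everything except ThreadPermission, so the
    // thread-group rules of SecureSM (not the Policy) decide the outcome below.
    static final class DemoPolicy extends Policy {
        @Override
        public boolean implies(ProtectionDomain domain, Permission permission) {
            return !(permission instanceof ThreadPermission);
        }
    }

    public static void main(String[] args) throws Exception {
        Policy.setPolicy(new DemoPolicy());
        // Only classes whose name matches this regex may exit or halt the VM.
        // "org.example.Launcher" is a placeholder that this class does not match.
        System.setSecurityManager(new SecureSM(new String[] { "org\\.example\\.Launcher" }));
        // 1. exitVM: System.exit() from a class outside the whitelist is rejected.
        try {
            System.exit(1);
        } catch (SecurityException e) {
            System.out.println("exit denied: " + e.getMessage());
        }
        // 2. Thread groups: main's group is an ancestor of "workers", so main may
        //    interrupt the worker; a thread in the sibling group "other" may not,
        //    since other.parentOf(workers) is false and ThreadPermission is not granted.
        ThreadGroup workers = new ThreadGroup("workers");
        ThreadGroup other = new ThreadGroup("other");
        Thread worker = new Thread(workers, () -> {
            try { Thread.sleep(Long.MAX_VALUE); } catch (InterruptedException ignored) { }
        });
        worker.start();
        Thread intruder = new Thread(other, () -> {
            try {
                worker.interrupt();
            } catch (SecurityException e) {
                System.out.println("cross-group interrupt denied: " + e.getMessage());
            }
        });
        intruder.start();
        intruder.join();
        worker.interrupt(); // allowed: main's group is an ancestor of "workers"
        worker.join();
        System.out.println("worker interrupted from ancestor group");
    }
}
```

Run with `-Djava.security.debug=access,failure` to see the extra diagnostics SecureSM emits when the cross-group check fails.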

See Also:
SecurityManager.checkAccess(Thread), SecurityManager.checkAccess(ThreadGroup), http://cs.oswego.edu/pipermail/concurrency-interest/2009-August/006508.html
  • Constructor Summary

    Constructors 
    Constructor Description
    SecureSM()
    Creates a new security manager where no packages can exit nor halt the virtual machine.
    SecureSM​(java.lang.String[] classesThatCanExit)
Creates a new security manager with the specified list of regular expressions that class names will be tested against to check whether or not a class can exit or halt the virtual machine.
  • Method Summary

    Modifier and Type Method Description
    void checkAccess​(java.lang.Thread t)  
    void checkAccess​(java.lang.ThreadGroup g)  
    void checkExit​(int status)  
    protected void checkThreadAccess​(java.lang.Thread t)  
    protected void checkThreadGroupAccess​(java.lang.ThreadGroup g)  
    static SecureSM createTestSecureSM()
    Creates a new security manager with a standard set of test packages being the only packages that can exit or halt the virtual machine.
    protected void innerCheckExit​(int status)
    The "Uwe Schindler" algorithm.

    Methods inherited from class java.lang.SecurityManager

    checkAccept, checkConnect, checkConnect, checkCreateClassLoader, checkDelete, checkExec, checkLink, checkListen, checkMulticast, checkMulticast, checkPackageAccess, checkPackageDefinition, checkPermission, checkPermission, checkPrintJobAccess, checkPropertiesAccess, checkPropertyAccess, checkRead, checkRead, checkRead, checkSecurityAccess, checkSetFactory, checkWrite, checkWrite, getClassContext, getSecurityContext, getThreadGroup

    Methods inherited from class java.lang.Object

    clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
  • Constructor Details

    • SecureSM

      public SecureSM()
      Creates a new security manager where no packages can exit nor halt the virtual machine.
    • SecureSM

      public SecureSM​(java.lang.String[] classesThatCanExit)
Creates a new security manager with the specified list of regular expressions that class names will be tested against to check whether or not a class can exit or halt the virtual machine.
      Parameters:
classesThatCanExit - the list of regular expressions matched against the names of classes that can exit or halt the virtual machine
  • Method Details

    • createTestSecureSM

      public static SecureSM createTestSecureSM()
      Creates a new security manager with a standard set of test packages being the only packages that can exit or halt the virtual machine. The packages that can exit are:
      • org.apache.maven.surefire.booter.
      • com.carrotsearch.ant.tasks.junit4.
      • org.eclipse.internal.junit.runner.
      • com.intellij.rt.execution.junit.
      Returns:
      an instance of SecureSM where test packages can halt or exit the virtual machine
    • checkAccess

      public void checkAccess​(java.lang.Thread t)
      Overrides:
      checkAccess in class java.lang.SecurityManager
    • checkAccess

      public void checkAccess​(java.lang.ThreadGroup g)
      Overrides:
      checkAccess in class java.lang.SecurityManager
    • checkThreadAccess

      protected void checkThreadAccess​(java.lang.Thread t)
    • checkThreadGroupAccess

      protected void checkThreadGroupAccess​(java.lang.ThreadGroup g)
    • checkExit

      public void checkExit​(int status)
      Overrides:
      checkExit in class java.lang.SecurityManager
    • innerCheckExit

      protected void innerCheckExit​(int status)
      The "Uwe Schindler" algorithm.
      Parameters:
      status - the exit status