Class SecureSM


  • public class SecureSM
    extends java.lang.SecurityManager
    Extension of SecurityManager that works around a few design flaws in Java Security.

    There are a few major problems that require custom SecurityManager logic to fix:

    • exitVM permission is implicitly granted to all code by the default Policy implementation. For a server app, this is not wanted.
    • ThreadGroups are not enforced by default, instead only system threads are protected out of box by modifyThread/modifyThreadGroup. Applications are encouraged to override the logic here to implement a stricter policy.
    • System threads are not even really protected, because if the system uses ThreadPools, modifyThread is abused by its shutdown checks. This means a thread must have modifyThread to even terminate its own pool, leaving system threads unprotected.
    This class throws an exception on exitVM calls, and provides an allowlist of callers from which exit is allowed.

    Additionally it enforces threadgroup security with the following rules:

    • modifyThread and modifyThreadGroup are required for any thread access checks: with these permissions, access is granted as long as the thread group is the same or an ancestor (sourceGroup.parentOf(targetGroup) == true).
    • code without these permissions can do very little, except to interrupt itself. It may not even create new threads.
    • very special cases (like test runners) that have ThreadPermission can violate threadgroup security rules.

    If java security debugging (java.security.debug) is enabled, and this SecurityManager is installed, it will emit additional debugging information when threadgroup access checks fail.

    See Also:
    SecurityManager.checkAccess(Thread), SecurityManager.checkAccess(ThreadGroup), http://cs.oswego.edu/pipermail/concurrency-interest/2009-August/006508.html
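    The exit allowlist and the thread-group rules described above, as an added illustrative implementation that is not the project's own SecureSM; locating the real caller by walking the stack below the System/Runtime exit or halt frame, and the placeholder RuntimePermission standing in for the ThreadPermission named above, are assumptions of this example.

```java
import java.security.Permission;
import java.util.Arrays;
import java.util.regex.Pattern;

// Illustrative SecurityManager, not the project's SecureSM: implements the two
// rules described above (an exit/halt allowlist and thread-group enforcement).
public class ExampleSecureSM extends SecurityManager {
    private static final Permission MODIFY_THREAD = new RuntimePermission("modifyThread");
    private static final Permission MODIFY_THREAD_GROUP = new RuntimePermission("modifyThreadGroup");
    // Stand-in for the ThreadPermission mentioned above (assumed name, not the project's class).
    private static final Permission THREAD_PERMISSION_PLACEHOLDER =
            new RuntimePermission("PLACEHOLDER_ThreadPermission");
    private final Pattern[] classesThatCanExit;

    public ExampleSecureSM(String... classesThatCanExit) {
        this.classesThatCanExit = Arrays.stream(classesThatCanExit).map(Pattern::compile).toArray(Pattern[]::new);
    }

    @Override
    public void checkExit(int status) {
        // Assumed stack-walk approach: skip every System/Runtime exit|halt frame, then
        // allow only if the first frame below them (the real caller) matches a pattern.
        boolean sawExitFrame = false;
        for (StackTraceElement se : Thread.currentThread().getStackTrace()) {
            String cls = se.getClassName(), method = se.getMethodName();
            boolean exitFrame = (method.equals("exit") || method.equals("halt"))
                    && (cls.equals(System.class.getName()) || cls.equals(Runtime.class.getName()));
            if (exitFrame) { sawExitFrame = true; continue; }
            if (!sawExitFrame) continue;   // frames above the exit call belong to this manager
            for (Pattern p : classesThatCanExit) {
                if (p.matcher(cls).matches()) return;
            }
            throw new SecurityException("exit/halt(" + status + ") denied for caller " + cls);
        }
        throw new SecurityException("exit/halt(" + status + ") denied: no exit frame found");
    }

    @Override public void checkAccess(Thread t) { checkThreadGroupAccess(t.getThreadGroup()); }
    @Override public void checkAccess(ThreadGroup g) { checkThreadGroupAccess(g); }

    protected void checkThreadGroupAccess(ThreadGroup target) {
        checkPermission(MODIFY_THREAD);        // without both, nothing but self-interrupt
        checkPermission(MODIFY_THREAD_GROUP);  // (which never reaches checkAccess) is possible
        if (target == null) return;            // dead thread: nothing left to protect
        ThreadGroup source = Thread.currentThread().getThreadGroup();
        if (source.parentOf(target)) return;   // same group or an ancestor: allowed
        checkPermission(THREAD_PERMISSION_PLACEHOLDER);  // test-runner escape hatch
    }
}
```

    Install it with System.setSecurityManager(new ExampleSecureSM("org\\.apache\\.maven\\.surefire\\.booter\\..*")); on JDK 18 and later the JVM must be started with -Djava.security.manager=allow for that call to succeed.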
    • Constructor Summary

      Constructors
      SecureSM()
          Creates a new security manager where no packages can exit nor halt the virtual machine.
      SecureSM(java.lang.String[] classesThatCanExit)
          Creates a new security manager with the specified list of regular expressions that class names are tested against to determine whether a class can exit or halt the virtual machine.
    • Method Summary

      Methods
      void checkAccess(java.lang.Thread t)
      void checkAccess(java.lang.ThreadGroup g)
      void checkExit(int status)
      protected void checkThreadAccess(java.lang.Thread t)
      protected void checkThreadGroupAccess(java.lang.ThreadGroup g)
      static SecureSM createTestSecureSM()
          Creates a new security manager with a standard set of test packages being the only packages that can exit or halt the virtual machine.
      protected void innerCheckExit(int status)
          The "Uwe Schindler" algorithm.
      • Methods inherited from class java.lang.SecurityManager

        checkAccept, checkConnect, checkConnect, checkCreateClassLoader, checkDelete, checkExec, checkLink, checkListen, checkMulticast, checkMulticast, checkPackageAccess, checkPackageDefinition, checkPermission, checkPermission, checkPrintJobAccess, checkPropertiesAccess, checkPropertyAccess, checkRead, checkRead, checkRead, checkSecurityAccess, checkSetFactory, checkWrite, checkWrite, getClassContext, getSecurityContext, getThreadGroup
      • Methods inherited from class java.lang.Object

        clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
    • Constructor Detail

      • SecureSM

        public SecureSM()
        Creates a new security manager where no packages can exit nor halt the virtual machine.
      • SecureSM

        public SecureSM(java.lang.String[] classesThatCanExit)
        Creates a new security manager with the specified list of regular expressions that class names are tested against to determine whether a class can exit or halt the virtual machine.
        Parameters:
        classesThatCanExit - the regular expressions that class names are tested against; a class matching one of them can exit or halt the virtual machine
    • Method Detail

      • createTestSecureSM

        public static SecureSM createTestSecureSM()
        Creates a new security manager with a standard set of test packages being the only packages that can exit or halt the virtual machine. The packages that can exit are:
        • org.apache.maven.surefire.booter.
        • com.carrotsearch.ant.tasks.junit4.
        • org.eclipse.internal.junit.runner.
        • com.intellij.rt.execution.junit.
        Returns:
        an instance of SecureSM where test packages can halt or exit the virtual machine
      • checkAccess

        public void checkAccess(java.lang.Thread t)
        Overrides:
        checkAccess in class java.lang.SecurityManager
      • checkAccess

        public void checkAccess(java.lang.ThreadGroup g)
        Overrides:
        checkAccess in class java.lang.SecurityManager
      • checkThreadAccess

        protected void checkThreadAccess(java.lang.Thread t)
      • checkThreadGroupAccess

        protected void checkThreadGroupAccess(java.lang.ThreadGroup g)
      • checkExit

        public void checkExit(int status)
        Overrides:
        checkExit in class java.lang.SecurityManager
      • innerCheckExit

        protected void innerCheckExit(int status)
        The "Uwe Schindler" algorithm.
        Parameters:
        status - the exit status