Re: question about serialization
From: Chris Gray
Subject: Re: question about serialization
Date: Mon, 4 Aug 2003 11:33:17 +0200
On Monday 04 August 2003 11:02, Bryce McKinlay wrote:
> On Monday, Aug 4, 2003, at 19:57 Pacific/Auckland, Chris Gray wrote:
> > Sure. But to call AccessibleObject.setAccessible() you need
> > ReflectPermission, which the user code that initiated serialisation does not
> > necessarily have. So the java.io serialisation stuff needs to have this
> > permission, and it seems to me that it needs to call
> > AccessibleObject.setAccessible() from inside a PrivilegedAction.
>
> Isn't the security context of any given class based on which
> ClassLoader loaded the class, rather than what called it?
No. The security context of a given method invocation is the set of classes
"on the stack" at the time of the invocation, and the resulting set of
privileges is the intersection of the privileges of all those classes. So if
com.acme.FooApp has permission to read all files, and com.ibm.KoolThing has
read/write access to the user's directory only, when FooApp calls a method of
KoolThing the latter just gets read access to the user's files.
> Since ObjectOutputStream etc should always be loaded by the system
> classloader, it doesn't need a PrivilegedAction. i.e.: regardless of the
> code that calls it, the ObjectOutputStream class itself always has full
> privileges (assuming the default security policies). Note that the
> serialization classes have their own security checks to prevent them
> being used maliciously by untrusted code.
PrivilegedAction means "the buck stops here": it tells the AccessController
not to look any further back on the stack; if the class making the
PrivilegedAction has the right permissions then it doesn't matter who called it.
This is the mechanism used by classes which have their own security checks to
prevent them being used maliciously by untrusted code.
> > Granting AllPermission to everything loaded by the system class loader is
> > IMHO acceptable, *iff* by system class loader you mean the class loader which
> > loads java.* classes from a trusted location. Not to be confused with the
> > application class loader which loads from the -classpath, which is the one
> > returned by ClassLoader.getSystemClassLoader() (aaargh).
>
> By default, the application/system class loader gets all permissions -
> why would you want to restrict the access of applications?
To enable untrusted applications to be run without compromising the system.
True, that's not the standard desktop computing model, but I don't think the
class libraries should prejudge the issue.
--
Chris Gray /k/ Embedded Java Solutions
Embedded & Mobile Java, OSGi http://www.kiffer.be/k/
address@hidden +32 477 599 703
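The two points argued above (the effective permission set is the intersection over every class on the stack, and AccessController.doPrivileged stops the stack walk at the trusted frame) can be seen in one self-contained Java program. This is an added example, not code from this thread or from GNU Classpath; the class names Holder, TrustedSerializer, UntrustedApp, IsolatingLoader and DemoPolicy are hypothetical stand-ins for user data, the java.io serialization code, the application that initiated serialization, a second class loader, and a policy. It assumes a JDK on which a SecurityManager can still be installed (JDK 11 to 17; on 17 run with -Djava.security.manager=allow; the SecurityManager is removed in later releases).

```java
import java.io.IOException;
import java.io.InputStream;
import java.lang.reflect.Field;
import java.lang.reflect.Method;
import java.security.AccessController;
import java.security.Permission;
import java.security.Policy;
import java.security.PrivilegedAction;
import java.security.ProtectionDomain;

public class StackInspectionDemo {

    // Constructed sample object: a private field that serialization code
    // would have to reach with setAccessible().
    public static final class Holder {
        private String secret = "hunter2";
    }

    // Hypothetical stand-in for the java.io serialization classes. It is loaded
    // by the application class loader, which DemoPolicy grants every permission.
    public static final class TrustedSerializer {
        // No doPrivileged: AccessController walks the whole stack, so every caller
        // below this frame must also hold ReflectPermission("suppressAccessChecks").
        public static Object readUnprivileged(Object target) throws ReflectiveOperationException {
            Field f = target.getClass().getDeclaredField("secret");
            f.setAccessible(true);   // the SecurityManager check happens here
            return f.get(target);
        }

        // doPrivileged: the stack walk stops at this frame ("the buck stops here"),
        // so only TrustedSerializer's own permissions are consulted.
        public static Object readPrivileged(final Object target) {
            return AccessController.doPrivileged(new PrivilegedAction<Object>() {
                public Object run() {
                    try {
                        return readUnprivileged(target);
                    } catch (ReflectiveOperationException e) {
                        throw new IllegalStateException(e);
                    }
                }
            });
        }
    }

    // Hypothetical stand-in for the user code that initiated serialization.
    // main() loads it through IsolatingLoader so it gets its own ProtectionDomain.
    public static class UntrustedApp {
        public static String attempt(boolean privileged) {
            Holder h = new Holder();
            try {
                Object v = privileged ? TrustedSerializer.readPrivileged(h)
                                      : TrustedSerializer.readUnprivileged(h);
                return "read secret: " + v;
            } catch (SecurityException e) {   // AccessControlException is a SecurityException
                return "denied: " + e.getMessage();
            } catch (ReflectiveOperationException e) {
                return "reflection failed: " + e;
            }
        }
    }

    // Defines one named class itself and delegates everything else to the parent,
    // so UntrustedApp still links against the same TrustedSerializer and Holder.
    static final class IsolatingLoader extends ClassLoader {
        private final String isolated;

        IsolatingLoader(ClassLoader parent, Class<?> isolatedClass) {
            super(parent);
            this.isolated = isolatedClass.getName();
        }

        @Override
        protected Class<?> loadClass(String name, boolean resolve) throws ClassNotFoundException {
            if (!name.equals(isolated)) return super.loadClass(name, resolve);
            Class<?> c = findLoadedClass(name);
            if (c == null) {
                try (InputStream in = getParent().getResourceAsStream(name.replace('.', '/') + ".class")) {
                    if (in == null) throw new ClassNotFoundException(name);
                    byte[] bytes = in.readAllBytes();
                    c = defineClass(name, bytes, 0, bytes.length);   // fresh ProtectionDomain
                } catch (IOException e) {
                    throw new ClassNotFoundException(name, e);
                }
            }
            if (resolve) resolveClass(c);
            return c;
        }
    }

    // Grants everything to every domain except classes defined by the isolating
    // loader, which get no permissions at all.
    static final class DemoPolicy extends Policy {
        private final ClassLoader untrusted;

        DemoPolicy(ClassLoader untrusted) { this.untrusted = untrusted; }

        @Override
        public boolean implies(ProtectionDomain pd, Permission p) {
            return pd.getClassLoader() != untrusted;
        }
    }

    public static void main(String[] args) throws Exception {
        ClassLoader untrusted = new IsolatingLoader(StackInspectionDemo.class.getClassLoader(), UntrustedApp.class);
        Class<?> app = untrusted.loadClass(UntrustedApp.class.getName());
        Method attempt = app.getMethod("attempt", boolean.class);

        Policy.setPolicy(new DemoPolicy(untrusted));
        System.setSecurityManager(new SecurityManager());   // JDK 17: -Djava.security.manager=allow

        System.out.println("without doPrivileged: " + attempt.invoke(null, false));
        System.out.println("with doPrivileged:    " + attempt.invoke(null, true));
    }
}
```

Compile with javac StackInspectionDemo.java and run java StackInspectionDemo. The first call fails with an AccessControlException for ReflectPermission "suppressAccessChecks", because UntrustedApp's domain is on the stack and the intersection of the two domains' permissions is empty; the second call succeeds, because the stack walk stops at the doPrivileged frame inside TrustedSerializer. Swap the two call sites into the same class loader and both succeed, which is the situation Bryce describes where everything on the application class loader holds AllPermission.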