src/java.base/share/classes/java/security/SecurityPermission.java
*** 47,94 ****
*
* <table class="striped">
* <caption style="display:none">target name, what the permission allows, and associated risks</caption>
* <thead>
* <tr>
! * <th>Permission Target Name</th>
! * <th>What the Permission Allows</th>
! * <th>Risks of Allowing this Permission</th>
* </tr>
* </thead>
* <tbody>
*
* <tr>
! * <td>authProvider.{provider name}</td>
* <td>Allow the named provider to be an AuthProvider for login and
* logout operations. </td>
* <td>This allows the named provider to perform login and logout
* operations. The named provider must extend {@code AuthProvider}
* and care must be taken to grant to a trusted provider since
* login operations involve sensitive authentication information
* such as PINs and passwords. </td>
* </tr>
*
* <tr>
! * <td>createAccessControlContext</td>
* <td>Creation of an AccessControlContext</td>
* <td>This allows someone to instantiate an AccessControlContext
* with a {@code DomainCombiner}. Extreme care must be taken when
* granting this permission. Malicious code could create a DomainCombiner
* that augments the set of permissions granted to code, and even grant the
* code {@link java.security.AllPermission}.</td>
* </tr>
*
* <tr>
! * <td>getDomainCombiner</td>
* <td>Retrieval of an AccessControlContext's DomainCombiner</td>
* <td>This allows someone to retrieve an AccessControlContext's
* {@code DomainCombiner}. Since DomainCombiners may contain
* sensitive information, this could potentially lead to a privacy leak.</td>
* </tr>
*
* <tr>
! * <td>getPolicy</td>
* <td>Retrieval of the system-wide security policy (specifically, of the
* currently-installed Policy object)</td>
* <td>This allows someone to query the policy via the
* {@code getPermissions} call,
* which discloses which permissions would be granted to a given CodeSource.
--- 47,94 ----
*
* <table class="striped">
* <caption style="display:none">target name, what the permission allows, and associated risks</caption>
* <thead>
* <tr>
! * <th scope="col">Permission Target Name</th>
! * <th scope="col">What the Permission Allows</th>
! * <th scope="col">Risks of Allowing this Permission</th>
* </tr>
* </thead>
* <tbody>
*
* <tr>
! * <th scope="row">authProvider.{provider name}</th>
* <td>Allow the named provider to be an AuthProvider for login and
* logout operations. </td>
* <td>This allows the named provider to perform login and logout
* operations. The named provider must extend {@code AuthProvider}
* and care must be taken to grant to a trusted provider since
* login operations involve sensitive authentication information
* such as PINs and passwords. </td>
* </tr>
*
* <tr>
! * <th scope="row">createAccessControlContext</th>
* <td>Creation of an AccessControlContext</td>
* <td>This allows someone to instantiate an AccessControlContext
* with a {@code DomainCombiner}. Extreme care must be taken when
* granting this permission. Malicious code could create a DomainCombiner
* that augments the set of permissions granted to code, and even grant the
* code {@link java.security.AllPermission}.</td>
* </tr>
*
* <tr>
! * <th scope="row">getDomainCombiner</th>
* <td>Retrieval of an AccessControlContext's DomainCombiner</td>
* <td>This allows someone to retrieve an AccessControlContext's
* {@code DomainCombiner}. Since DomainCombiners may contain
* sensitive information, this could potentially lead to a privacy leak.</td>
* </tr>
*
* <tr>
! * <th scope="row">getPolicy</th>
* <td>Retrieval of the system-wide security policy (specifically, of the
* currently-installed Policy object)</td>
* <td>This allows someone to query the policy via the
* {@code getPermissions} call,
* which discloses which permissions would be granted to a given CodeSource.
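Review bot: switching the first column from `<td>` to `<th scope="row">` changes more than semantics; browsers render `th` bold and centred by default, so unless the javadoc `striped` stylesheet already styles body `th` cells like their neighbouring `td` cells, the target-name column will look different after this change, and that is worth confirming in the generated HTML. The `scope="col"`/`scope="row"` attributes themselves are the right fix for screen readers. While the `authProvider.{provider name}` row is being touched, the phrase `care must be taken to grant to a trusted provider` reads awkwardly; `care must be taken to grant it only to a trusted provider` says what is meant.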
*** 97,124 ****
* which it may use to better aim an attack. It is wise
* not to divulge more information than necessary.</td>
* </tr>
*
* <tr>
! * <td>setPolicy</td>
* <td>Setting of the system-wide security policy (specifically,
* the Policy object)</td>
* <td>Granting this permission is extremely dangerous, as malicious
* code may grant itself all the necessary permissions it needs
* to successfully mount an attack on the system.</td>
* </tr>
*
* <tr>
! * <td>createPolicy.{policy type}</td>
* <td>Getting an instance of a Policy implementation from a provider</td>
* <td>Granting this permission enables code to obtain a Policy object.
* Malicious code may query the Policy object to determine what permissions
* have been granted to code other than itself. </td>
* </tr>
*
* <tr>
! * <td>getProperty.{key}</td>
* <td>Retrieval of the security property with the specified key</td>
* <td>Depending on the particular key for which access has
* been granted, the code may have access to the list of security
* providers, as well as the location of the system-wide and user
* security policies. while revealing this information does not
--- 97,124 ----
* which it may use to better aim an attack. It is wise
* not to divulge more information than necessary.</td>
* </tr>
*
* <tr>
! * <th scope="row">setPolicy</th>
* <td>Setting of the system-wide security policy (specifically,
* the Policy object)</td>
* <td>Granting this permission is extremely dangerous, as malicious
* code may grant itself all the necessary permissions it needs
* to successfully mount an attack on the system.</td>
* </tr>
*
* <tr>
! * <th scope="row">createPolicy.{policy type}</th>
* <td>Getting an instance of a Policy implementation from a provider</td>
* <td>Granting this permission enables code to obtain a Policy object.
* Malicious code may query the Policy object to determine what permissions
* have been granted to code other than itself. </td>
* </tr>
*
* <tr>
! * <th scope="row">getProperty.{key}</th>
* <td>Retrieval of the security property with the specified key</td>
* <td>Depending on the particular key for which access has
* been granted, the code may have access to the list of security
* providers, as well as the location of the system-wide and user
* security policies. while revealing this information does not
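Review bot: the context line `security policies. while revealing this information does not` in the `getProperty.{key}` row starts a sentence with a lowercase `while`; since this hunk already edits the row, capitalising it to `While` is a cheap fix to fold in.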
*** 127,137 ****
* an attack.
</td>
* </tr>
*
* <tr>
! * <td>setProperty.{key}</td>
* <td>Setting of the security property with the specified key</td>
* <td>This could include setting a security provider or defining
* the location of the system-wide security policy. Malicious
* code that has permission to set a new security provider may
* set a rogue provider that steals confidential information such
--- 127,137 ----
* an attack.
</td>
* </tr>
*
* <tr>
! * <th scope="row">setProperty.{key}</th>
* <td>Setting of the security property with the specified key</td>
* <td>This could include setting a security provider or defining
* the location of the system-wide security policy. Malicious
* code that has permission to set a new security provider may
* set a rogue provider that steals confidential information such
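Review bot: the `</td>` line that closes the `getProperty.{key}` risk cell at the top of this hunk has no leading ` * ` javadoc prefix, unlike every other line of the comment, and the same unprefixed `</td>` closes the `setProperty.{key}` cell at the top of the next hunk. It still parses as part of the comment, but it is inconsistent, and these rows are already being edited, so normalising both lines to ` * </td>` here would be tidy.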
*** 142,152 ****
* an attack on the system.
</td>
* </tr>
*
* <tr>
! * <td>insertProvider</td>
* <td>Addition of a new provider</td>
* <td>This would allow somebody to introduce a possibly
* malicious provider (e.g., one that discloses the private keys passed
* to it) as the highest-priority provider. This would be possible
* because the Security object (which manages the installed providers)
--- 142,152 ----
* an attack on the system.
</td>
* </tr>
*
* <tr>
! * <th scope="row">insertProvider</th>
* <td>Addition of a new provider</td>
* <td>This would allow somebody to introduce a possibly
* malicious provider (e.g., one that discloses the private keys passed
* to it) as the highest-priority provider. This would be possible
* because the Security object (which manages the installed providers)
*** 156,166 ****
* more information).
* </td>
* </tr>
*
* <tr>
! * <td>removeProvider.{provider name}</td>
* <td>Removal of the specified provider</td>
* <td>This may change the behavior or disable execution of other
* parts of the program. If a provider subsequently requested by the
* program has been removed, execution may fail. Also, if the removed
* provider is not explicitly requested by the rest of the program, but
--- 156,166 ----
* more information).
* </td>
* </tr>
*
* <tr>
! * <th scope="row">removeProvider.{provider name}</th>
* <td>Removal of the specified provider</td>
* <td>This may change the behavior or disable execution of other
* parts of the program. If a provider subsequently requested by the
* program has been removed, execution may fail. Also, if the removed
* provider is not explicitly requested by the rest of the program, but
*** 169,198 ****
* a different provider will be chosen instead, or no suitable provider
* will be found, thereby resulting in program failure.</td>
* </tr>
*
* <tr>
! * <td>clearProviderProperties.{provider name}</td>
* <td>"Clearing" of a Provider so that it no longer contains the properties
* used to look up services implemented by the provider</td>
* <td>This disables the lookup of services implemented by the provider.
* This may thus change the behavior or disable execution of other
* parts of the program that would normally utilize the Provider, as
* described under the "removeProvider.{provider name}" permission.</td>
* </tr>
*
* <tr>
! * <td>putProviderProperty.{provider name}</td>
* <td>Setting of properties for the specified Provider</td>
* <td>The provider properties each specify the name and location
* of a particular service implemented by the provider. By granting
* this permission, you let code replace the service specification
* with another one, thereby specifying a different implementation.</td>
* </tr>
*
* <tr>
! * <td>removeProviderProperty.{provider name}</td>
* <td>Removal of properties from the specified Provider</td>
* <td>This disables the lookup of services implemented by the
* provider. They are no longer accessible due to removal of the properties
* specifying their names and locations. This
* may change the behavior or disable execution of other
--- 169,198 ----
* a different provider will be chosen instead, or no suitable provider
* will be found, thereby resulting in program failure.</td>
* </tr>
*
* <tr>
! * <th scope="row">clearProviderProperties.{provider name}</th>
* <td>"Clearing" of a Provider so that it no longer contains the properties
* used to look up services implemented by the provider</td>
* <td>This disables the lookup of services implemented by the provider.
* This may thus change the behavior or disable execution of other
* parts of the program that would normally utilize the Provider, as
* described under the "removeProvider.{provider name}" permission.</td>
* </tr>
*
* <tr>
! * <th scope="row">putProviderProperty.{provider name}</th>
* <td>Setting of properties for the specified Provider</td>
* <td>The provider properties each specify the name and location
* of a particular service implemented by the provider. By granting
* this permission, you let code replace the service specification
* with another one, thereby specifying a different implementation.</td>
* </tr>
*
* <tr>
! * <th scope="row">removeProviderProperty.{provider name}</th>
* <td>Removal of properties from the specified Provider</td>
* <td>This disables the lookup of services implemented by the
* provider. They are no longer accessible due to removal of the properties
* specifying their names and locations. This
* may change the behavior or disable execution of other
*** 211,229 ****
*
* <table class="striped">
* <caption style="display:none">target name, what the permission allows, and associated risks</caption>
* <thead>
* <tr>
! * <th>Permission Target Name</th>
! * <th>What the Permission Allows</th>
! * <th>Risks of Allowing this Permission</th>
* </tr>
* </thead>
*
* <tbody>
* <tr>
! * <td>insertProvider.{provider name}</td>
* <td>Addition of a new provider, with the specified name</td>
* <td>Use of this permission is discouraged from further use because it is
* possible to circumvent the name restrictions by overriding the
* {@link java.security.Provider#getName} method. Also, there is an equivalent
* level of risk associated with granting code permission to insert a provider
--- 211,229 ----
*
* <table class="striped">
* <caption style="display:none">target name, what the permission allows, and associated risks</caption>
* <thead>
* <tr>
! * <th scope="col">Permission Target Name</th>
! * <th scope="col">What the Permission Allows</th>
! * <th scope="col">Risks of Allowing this Permission</th>
* </tr>
* </thead>
*
* <tbody>
* <tr>
! * <th scope="row">insertProvider.{provider name}</th>
* <td>Addition of a new provider, with the specified name</td>
* <td>Use of this permission is discouraged from further use because it is
* possible to circumvent the name restrictions by overriding the
* {@link java.security.Provider#getName} method. Also, there is an equivalent
* level of risk associated with granting code permission to insert a provider
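Review bot: in the `insertProvider.{provider name}` row, `Use of this permission is discouraged from further use` says "use" twice; `Use of this permission is discouraged` (or `This permission is discouraged`) carries the same meaning, and this hunk already rewrites the row's header cell.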
*** 236,292 ****
* currently does not check the integrity or authenticity of a provider
* before attaching it.</td>
* </tr>
*
* <tr>
! * <td>setSystemScope</td>
* <td>Setting of the system identity scope</td>
* <td>This would allow an attacker to configure the system identity scope with
* certificates that should not be trusted, thereby granting applet or
* application code signed with those certificates privileges that
* would have been denied by the system's original identity scope.</td>
* </tr>
*
* <tr>
! * <td>setIdentityPublicKey</td>
* <td>Setting of the public key for an Identity</td>
* <td>If the identity is marked as "trusted", this allows an attacker to
* introduce a different public key (e.g., its own) that is not trusted
* by the system's identity scope, thereby granting applet or
* application code signed with that public key privileges that
* would have been denied otherwise.</td>
* </tr>
*
* <tr>
! * <td>setIdentityInfo</td>
* <td>Setting of a general information string for an Identity</td>
* <td>This allows attackers to set the general description for
* an identity. This may trick applications into using a different
* identity than intended or may prevent applications from finding a
* particular identity.</td>
* </tr>
*
* <tr>
! * <td>addIdentityCertificate</td>
* <td>Addition of a certificate for an Identity</td>
* <td>This allows attackers to set a certificate for
* an identity's public key. This is dangerous because it affects
* the trust relationship across the system. This public key suddenly
* becomes trusted to a wider audience than it otherwise would be.</td>
* </tr>
*
* <tr>
! * <td>removeIdentityCertificate</td>
* <td>Removal of a certificate for an Identity</td>
* <td>This allows attackers to remove a certificate for
* an identity's public key. This is dangerous because it affects
* the trust relationship across the system. This public key suddenly
* becomes considered less trustworthy than it otherwise would be.</td>
* </tr>
*
* <tr>
! * <td>printIdentity</td>
* <td>Viewing the name of a principal
* and optionally the scope in which it is used, and whether
* or not it is considered "trusted" in that scope</td>
* <td>The scope that is printed out may be a filename, in which case
* it may convey local system information. For example, here's a sample
--- 236,292 ----
* currently does not check the integrity or authenticity of a provider
* before attaching it.</td>
* </tr>
*
* <tr>
! * <th scope="row">setSystemScope</th>
* <td>Setting of the system identity scope</td>
* <td>This would allow an attacker to configure the system identity scope with
* certificates that should not be trusted, thereby granting applet or
* application code signed with those certificates privileges that
* would have been denied by the system's original identity scope.</td>
* </tr>
*
* <tr>
! * <th scope="row">setIdentityPublicKey</th>
* <td>Setting of the public key for an Identity</td>
* <td>If the identity is marked as "trusted", this allows an attacker to
* introduce a different public key (e.g., its own) that is not trusted
* by the system's identity scope, thereby granting applet or
* application code signed with that public key privileges that
* would have been denied otherwise.</td>
* </tr>
*
* <tr>
! * <th scope="row">setIdentityInfo</th>
* <td>Setting of a general information string for an Identity</td>
* <td>This allows attackers to set the general description for
* an identity. This may trick applications into using a different
* identity than intended or may prevent applications from finding a
* particular identity.</td>
* </tr>
*
* <tr>
! * <th scope="row">addIdentityCertificate</th>
* <td>Addition of a certificate for an Identity</td>
* <td>This allows attackers to set a certificate for
* an identity's public key. This is dangerous because it affects
* the trust relationship across the system. This public key suddenly
* becomes trusted to a wider audience than it otherwise would be.</td>
* </tr>
*
* <tr>
! * <th scope="row">removeIdentityCertificate</th>
* <td>Removal of a certificate for an Identity</td>
* <td>This allows attackers to remove a certificate for
* an identity's public key. This is dangerous because it affects
* the trust relationship across the system. This public key suddenly
* becomes considered less trustworthy than it otherwise would be.</td>
* </tr>
*
* <tr>
! * <th scope="row">printIdentity</th>
* <td>Viewing the name of a principal
* and optionally the scope in which it is used, and whether
* or not it is considered "trusted" in that scope</td>
* <td>The scope that is printed out may be a filename, in which case
* it may convey local system information. For example, here's a sample
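Review bot: the `addIdentityCertificate` row describes the risk as letting attackers `set a certificate for an identity's public key`, but the permission (per its own "What the Permission Allows" cell) adds a certificate; `add a certificate` would match the target name and avoid suggesting a replacement. The rest of the hunk is the mechanical `<td>` to `<th scope="row">` change and looks correct.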
*** 294,313 ****
* marked not trusted in the user's identity database:<br>
* carol[/home/luehe/identitydb.obj][not trusted]</td>
*</tr>
*
* <tr>
! * <td>getSignerPrivateKey</td>
* <td>Retrieval of a Signer's private key</td>
* <td>It is very dangerous to allow access to a private key; private
* keys are supposed to be kept secret. Otherwise, code can use the
* private key to sign various files and claim the signature came from
* the Signer.</td>
* </tr>
*
* <tr>
! * <td>setSignerKeyPair</td>
* <td>Setting of the key pair (public key and private key) for a Signer</td>
* <td>This would allow an attacker to replace somebody else's (the "target's")
* keypair with a possibly weaker keypair (e.g., a keypair of a smaller
* keysize). This also would allow the attacker to listen in on encrypted
* communication between the target and its peers. The target's peers
--- 294,313 ----
* marked not trusted in the user's identity database:<br>
* carol[/home/luehe/identitydb.obj][not trusted]</td>
*</tr>
*
* <tr>
! * <th scope="row">getSignerPrivateKey</th>
* <td>Retrieval of a Signer's private key</td>
* <td>It is very dangerous to allow access to a private key; private
* keys are supposed to be kept secret. Otherwise, code can use the
* private key to sign various files and claim the signature came from
* the Signer.</td>
* </tr>
*
* <tr>
! * <th scope="row">setSignerKeyPair</th>
* <td>Setting of the key pair (public key and private key) for a Signer</td>
* <td>This would allow an attacker to replace somebody else's (the "target's")
* keypair with a possibly weaker keypair (e.g., a keypair of a smaller
* keysize). This also would allow the attacker to listen in on encrypted
* communication between the target and its peers. The target's peers
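Review bot: the context line `*</tr>` after the `printIdentity` sample output is missing the space between the asterisk and `</tr>` that every other line uses; worth aligning since the adjoining rows are being edited. In the `setSignerKeyPair` row the same cell uses both `key pair` and `keypair`; picking one spelling (the class and target name use `KeyPair`, the prose elsewhere uses `key pair`) would be consistent.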