Re: Getting rid of AllPermission

Jan Luehe (luehe@laguna.eng.sun.com)
Mon, 19 Jul 1999 08:40:54 -0700 (PDT)

Message-Id: <199907191540.IAA25160@laguna.eng.sun.com>
Date: Mon, 19 Jul 1999 08:40:54 -0700 (PDT)
From: Jan Luehe <luehe@laguna.eng.sun.com>
Subject: Re: Getting rid of AllPermission
To: java-security@java.sun.com, jan@ise.canberra.edu.au

Jan:

There is a system property "java.security.debug" that you can
set, as follows:

java -Djava.security.debug=help <some_class_file>

This will print out all the possible values for that system
property:

all turn on all debugging
access print all checkPermission results
jar jar verification
policy loading and granting
scl permissions SecureClassLoader assigns

The following can be used with access:

stack include stack trace
domain dumps all domains in context
failure before throwing exception, dump stack
and domain that didn't have permission

Therefore, you could specify the following:

java -Djava.security.debug=access <your_program>

to get more information about the permission checks
being performed.

Jan


> X-Authentication-Warning: pandonia.canberra.edu.au: jan owned process doing
-bs
> Date: Wed, 14 Jul 1999 11:31:54 +1000 (EST)
> From: Jan Newmarch <jan@ise.canberra.edu.au>
> X-Sender: jan@pandonia.canberra.edu.au
> To: java-security@java.sun.com
> Subject: Getting rid of AllPermission
> MIME-Version: 1.0
>
> To avoid security issues during development I set the policy
>
> permission java.security.AllPermission "", "";
>
> Now I want to go for something more sensible. The problem is that
> I am building on top of layers of libraries (Jini, RMI, etc) and
> don't actually know what permissions were getting granted by this
> generous policy. So when I start with an empty policy I don't
> know what I should be adding to get the application to work.
>
> It shows up in
> - some security exceptions get thrown. Good, I can handle these
>
> - the application goes into a timeout holdup somewhere. Bad - I
> don't know what permission request is holding up the system
>
> - the application hangs indefinitely. Bad, for the same reason.
> Worse, it never runs
>
> Searching the doco and code of all of these libraries is
> time-consuming and not always profitable. I tried subclassing my
> security manager to print out info
>
> class MyRMISecurityManager extends RMISecurityManager {
> public void checkPermission(Permission perm) {
> System.out.println(perm.toString());
> super.checkPermission(perm);
> }
> }
>
> and got into an infinite recursion. (see below)
>
> Is there a "verbose" mode that I can turn on (maybe by some
> property setting), or any other reasonable way I can find out
> what permissions are being granted for my app by AllPermission?
>
> Thanks,
>
> Jan
> --
>
> Here is _part_ of the stack trace when it overflows:
>
> .... omitted stuff above here ....
> at client.MyRMISecurityManager.checkPermission(Compiled
> Code)
> at java.security.Security.getProperty(Compiled Code)
> at
> sun.security.provider.PolicyFile.initPolicyFile(Compiled Code)
> at sun.security.provider.PolicyFile.access$0(Compiled
> Code)
> at sun.security.provider.PolicyFile$1.run(Compiled Code)
> at java.security.AccessController.doPrivileged(Native
> Method)
> at sun.security.provider.PolicyFile.init(Compiled Code)
> at
> sun.security.provider.PolicyFile.getPermissions(Compiled Code)
> at sun.security.provider.PolicyPermissions.init(Compiled
> Code)
> at
> sun.security.provider.PolicyPermissions.implies(Compiled Code)
> at java.security.ProtectionDomain.implies(Compiled Code)
> at
> java.security.AccessControlContext.checkPermission(Compiled Code)
> at
> java.security.AccessController.checkPermission(Compiled Code)
> at java.lang.SecurityManager.checkPermission(Compiled
> Code)
> at client.MyRMISecurityManager.checkPermission(Compiled
> Code)
> at java.security.Security.getProperty(Compiled Code)
> at
> sun.security.provider.PolicyFile.initPolicyFile(Compiled Code)
> at sun.security.provider.PolicyFile.access$0(Compiled
> Code)
> at sun.security.provider.PolicyFile$1.run(Compiled Code)
> at java.security.AccessController.doPrivileged(Native
> Method)
> at sun.security.provider.PolicyFile.init(Compiled Code)
> at
> sun.security.provider.PolicyFile.getPermissions(Compiled Code)
> at sun.security.provider.PolicyPermissions.init(Compiled
> Code)
> at
> sun.security.provider.PolicyPermissions.implies(Compiled Code)
> at java.security.ProtectionDomain.implies(Compiled Code)
> at
> java.security.AccessControlContext.checkPermission(Compiled Code)
> at
> java.security.AccessController.checkPermission(Compiled Code)
> at java.lang.SecurityManager.checkPermission(Compiled
> Code)
> at client.MyRMISecurityManager.checkPermission(Compiled
> Code)
> at java.security.Security.getProperty(Compiled Code)
> at
> sun.security.provider.PolicyFile.initPolicyFile(Compiled Code)
> at sun.security.provider.PolicyFile.access$0(Compiled
> Code)
> at sun.security.provider.PolicyFile$1.run(Compiled Code)
> at java.security.AccessController.doPrivileged(Native
> Method)
> at sun.security.provider.PolicyFile.init(Compiled Code)
> at
> sun.security.provider.PolicyFile.getPermissions(Compiled Code)
> at sun.security.provider.PolicyPermissions.init(Compiled
> Code)
> at
> sun.security.provider.PolicyPermissions.implies(Compiled Code)
> at java.security.ProtectionDomain.implies(Compiled Code)
> at
> java.security.AccessControlContext.checkPermission(Compiled Code)
> at
> java.security.AccessController.checkPermission(Compiled Code)
> at java.lang.SecurityManager.checkPermission(Compiled
> Code)
> at client.MyRMISecurityManager.checkPermission(Compiled
> Code)
> at java.lang.SecurityManager.checkPropertyAccess(Compiled
> Code)
> at java.lang.System.getProperty(Compiled Code)
> at java.lang.Integer.getInteger(Compiled Code)
> at java.lang.Integer.getInteger(Compiled Code)
> at sun.security.action.GetIntegerAction.run(Compiled
> Code)
> at java.security.AccessController.doPrivileged(Native
> Method)
>
> at java.lang.System.setSecurityManager(Compiled Code)
> at client.TestFileClassifier.<init>(Compiled Code)
> at client.TestFileClassifier.main(Compiled Code)
>
>
>
> Jan Newmarch, Information Science and Engineering,
> University of Canberra, PO Box 1, Belconnen, Act 2616
> Australia. Tel: (61) 2-62012422. Fax: (61) 2-62015041
> AARNet: jan@ise.canberra.edu.au
> WWW: http://pandonia.canberra.edu.au
>
> "Microsoft sells you Windows. Linux gives you the whole house."
>