Details
- Improvement
- Status: Open
- Major
- Resolution: Unresolved
Description
My company is trying to use Framework Security to allow customers to upload custom Java plugins to our platform without a security review of the Java code. Among the set of permissions we're applying is denying access to all IP addresses in a 16-bit subnet. This cannot be accomplished through the standard socket or URL permissions.
Our hope was to write our own SubnetSocketPermission that can imply SocketPermissions, but we found that the framework does not support this. In the Permissions.implies method in v2.4.0, you can find this code:
```java
collection = target.newPermissionCollection();
if (collection == null) {
    collection = new DefaultPermissionCollection();
}
for (int i = 0; i < m_permissionInfos.length; i++) {
    PermissionInfo permissionInfo = m_permissionInfos[i];
    String infoType = permissionInfo.getType();
    String permissionType = targetClass.getName();
    if (infoType.equals(permissionType)) {
        Permission permission = createPermission(
            permissionInfo, targetClass);
        if (permission != null) {
            collection.add(permission);
        }
    }
}
```
It has two pieces that prevent us from accomplishing our goal:
- The only way to get your permission added to the PermissionCollection that is checked is to have the exact same class name as the permission in question
- The target permission's PermissionCollection is used to check permissions, and the SocketPermissionCollection class doesn't even use the SocketPermission.implies method
Was this use case purposefully not supported or is it simply a matter of working through the most efficient way to support it?
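
The two obstacles listed in the description can be reproduced outside the framework with plain JDK classes. This is an added example, not code from the reporter or from the framework: the `SubnetSocketPermission` implementation and the `ImpliesDemo` class are hypothetical, and the addresses are constructed sample values.

```java
import java.net.SocketPermission;
import java.security.Permission;
import java.security.PermissionCollection;

// Hypothetical permission covering every IPv4 literal inside one /16 subnet.
final class SubnetSocketPermission extends Permission {
    private final int prefix; // first two octets of the subnet, packed into one int
    SubnetSocketPermission(String subnet) {
        super(subnet);
        prefix = firstTwoOctets(subnet);
        if (prefix < 0) throw new IllegalArgumentException("not an IPv4 literal: " + subnet);
    }
    // Returns the first two octets, or -1 when host is not a dotted IPv4 literal.
    // Host names are not resolved here; a real deny rule has to decide how to treat them.
    private static int firstTwoOctets(String host) {
        String[] p = host.split("\\.");
        if (p.length != 4) return -1;
        try {
            int[] o = new int[4];
            for (int i = 0; i < 4; i++) {
                o[i] = Integer.parseInt(p[i]);
                if (o[i] < 0 || o[i] > 255) return -1;
            }
            return (o[0] << 8) | o[1];
        } catch (NumberFormatException e) { return -1; }
    }
    @Override public boolean implies(Permission p) {
        if (!(p instanceof SocketPermission)) return false;
        String host = p.getName();
        int colon = host.lastIndexOf(':'); // strip ":port" or ":port-range"
        if (colon >= 0) host = host.substring(0, colon);
        return firstTwoOctets(host) == prefix;
    }
    @Override public boolean equals(Object o) {
        return o instanceof SubnetSocketPermission && ((SubnetSocketPermission) o).prefix == prefix;
    }
    @Override public int hashCode() { return prefix; }
    @Override public String getActions() { return ""; }
}

public class ImpliesDemo {
    public static void main(String[] args) {
        Permission target = new SocketPermission("10.20.3.4:443", "connect"); // constructed sample
        Permission subnet = new SubnetSocketPermission("10.20.0.0");
        System.out.println("direct implies(): " + subnet.implies(target));
        // Obstacle 1: an exact class-name comparison never selects the custom type.
        System.out.println("names equal: " + subnet.getClass().getName().equals(target.getClass().getName()));
        // Obstacle 2: the target's own collection accepts only SocketPermission instances.
        PermissionCollection pc = target.newPermissionCollection();
        try { pc.add(subnet); System.out.println("added to target collection"); }
        catch (IllegalArgumentException e) { System.out.println("rejected: " + e.getMessage()); }
    }
}
```

Save it as `ImpliesDemo.java` to compile and run it; recent JDKs report deprecation warnings for the permission classes.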