Details
-
Bug
-
Status: Closed
-
Critical
-
Resolution: Not A Bug
-
2.8.0
-
None
-
Important
Description
Several points in the code hide SecurityException. These must always break the regular control flow, if you're not the SecurityManager.
UseCase A: One wants to configure the SecurityManager and grant permissions. Part of the application is to delete a file. If the permission is missing, cleaning does not work. The missing exception does not allow to recognize that.
UseCase B: One has activated the SecurityManager. An attacker abuses the relevant method. The missing SecurityException hides this attempt, ones IDS can't alarm.
UseCase C: One utilizes the SecurityManager to test the system, to ensure every property (like file location) is set properly. The missing SecurityException does not support this UseCase.