Package ognl.security

Class OgnlSecurityManager

  • public class OgnlSecurityManager
extends java.lang.SecurityManager
    Wraps current security manager with JDK security manager if is inside OgnlRuntime user's methods body execution.

    Add the `-Dognl.security.manager` to JVM options to enable.

    Note: Due to potential performance and concurrency issues, try this only if you afraid your app can have an unknown "expression injection" flaw or you afraid you cannot prevent those in your app's internal sandbox comprehensively e.g. you cannot discover and maintain all attack vectors over time because of many dependencies and also their change over time.

    This tries to provide an option to you to enable a security manager that disables any sensitive action e.g. exec and exit even if attacker had a successful "expression injection" in any unknown way into your app. However, also honors previous security manager and policies if any set, as parent, and rolls back to them after method execution finished.

    Since:
    3.1.24

    • Constructor Summary

      Constructors 
      Constructor Description
      OgnlSecurityManager​(java.lang.SecurityManager parentSecurityManager)  

    • Method Summary

      All Methods Instance Methods Concrete Methods 
      Modifier and Type Method Description
      void checkPermission​(java.security.Permission perm)  
      void checkPermission​(java.security.Permission perm, java.lang.Object context)  
      java.lang.Long enter()  
      private boolean install()  
      private boolean isAccessDenied​(java.security.Permission perm)  
      void leave​(long token)  
      private void uninstall()  

      • Methods inherited from class java.lang.SecurityManager

        checkAccept, checkAccess, checkAccess, checkConnect, checkConnect, checkCreateClassLoader, checkDelete, checkExec, checkExit, checkLink, checkListen, checkMulticast, checkMulticast, checkPackageAccess, checkPackageDefinition, checkPrintJobAccess, checkPropertiesAccess, checkPropertyAccess, checkRead, checkRead, checkRead, checkSecurityAccess, checkSetFactory, checkWrite, checkWrite, getClassContext, getSecurityContext, getThreadGroup

      • Methods inherited from class java.lang.Object

        clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

    • Field Detail

      • OGNL_SANDBOX_CLASS_NAME

        private static final java.lang.String OGNL_SANDBOX_CLASS_NAME
        See Also:
        Constant Field Values

      • CLASS_LOADER_CLASS

        private static final java.lang.Class<?> CLASS_LOADER_CLASS

      • FILE_PERMISSION_CLASS

        private static final java.lang.Class<?> FILE_PERMISSION_CLASS

      • parentSecurityManager

        private final java.lang.SecurityManager parentSecurityManager

      • residents

        private final java.util.List<java.lang.Long> residents

      • rnd

        private final java.security.SecureRandom rnd

    • Constructor Detail

      • OgnlSecurityManager

        public OgnlSecurityManager​(java.lang.SecurityManager parentSecurityManager)

    • Method Detail

      • isAccessDenied

        private boolean isAccessDenied​(java.security.Permission perm)

      • checkPermission

        public void checkPermission​(java.security.Permission perm)
        Overrides:
        checkPermission in class java.lang.SecurityManager

      • checkPermission

        public void checkPermission​(java.security.Permission perm,
                            java.lang.Object context)
        Overrides:
        checkPermission in class java.lang.SecurityManager

      • enter

        public java.lang.Long enter()

      • leave

        public void leave​(long token)
           throws java.lang.SecurityException
        Throws:
        java.lang.SecurityException

      • install

        private boolean install()

      • uninstall

        private void uninstall()