java.lang.Object
java.lang.SecurityManager
org.elasticsearch.secure_sm.SecureSM

public class SecureSM extends SecurityManager
Extension of SecurityManager that works around a few design flaws in Java Security.

There are a few major problems that require custom SecurityManager logic to fix:

  • exitVM permission is implicitly granted to all code by the default Policy implementation. For a server app, this is not wanted.
  • ThreadGroups are not enforced by default, instead only system threads are protected out of box by modifyThread/modifyThreadGroup. Applications are encouraged to override the logic here to implement a stricter policy.
  • System threads are not even really protected, because if the system uses ThreadPools, modifyThread is abused by its shutdown checks. This means a thread must have modifyThread to even terminate its own pool, leaving system threads unprotected.
This class throws an exception on exitVM calls, and provides a whitelist of classes from which exit calls are allowed.

Additionally it enforces threadgroup security with the following rules:

  • modifyThread and modifyThreadGroup are required for any thread access checks: with these permissions, access is granted as long as the thread group is the same or an ancestor (sourceGroup.parentOf(targetGroup) == true).
  • code without these permissions can do very little, except to interrupt itself. It may not even create new threads.
  • very special cases (like test runners) that have ThreadPermission can violate threadgroup security rules.

If java security debugging (java.security.debug) is enabled, and this SecurityManager is installed, it will emit additional debugging information when threadgroup access checks fail.
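An added illustration (not the Elasticsearch SecureSM source) of the two rules above: exit is refused unless a class matching one of the whitelist regexes is on the call stack, and a thread may only act on threads whose group is its own group or a descendant of it. The class name ExitAndThreadGroupSM and the com.example.launcher pattern are hypothetical, and the modifyThread/ThreadPermission gating of the real class is omitted; it assumes a JDK where a SecurityManager can still be installed (JDK 17, or JDK 18 to 23 started with -Djava.security.manager=allow).

```java
import java.util.Arrays;
import java.util.regex.Pattern;

// Simplified stand-in for SecureSM (illustration, not the Elasticsearch code):
// an exit whitelist of caller-class regexes plus the ancestor-thread-group rule.
public class ExitAndThreadGroupSM extends SecurityManager {
    private final Pattern[] classesThatCanExit;

    public ExitAndThreadGroupSM(String... classesThatCanExit) {
        this.classesThatCanExit = Arrays.stream(classesThatCanExit)
            .map(Pattern::compile).toArray(Pattern[]::new);
    }

    // exit/halt is denied unless some class on the current call stack matches a whitelist regex
    @Override
    public void checkExit(int status) {
        for (Class<?> c : getClassContext()) {            // classes on the current stack
            for (Pattern p : classesThatCanExit) {
                if (p.matcher(c.getName()).matches()) {
                    return;                                 // whitelisted caller present
                }
            }
        }
        throw new SecurityException("exit(" + status + ") denied: no whitelisted class on the stack");
    }

    // a thread may only act on threads whose group is its own group or a descendant of it
    @Override
    public void checkAccess(Thread t) {
        ThreadGroup source = Thread.currentThread().getThreadGroup();
        ThreadGroup target = t.getThreadGroup();            // null once the thread has died
        if (target == null || source.parentOf(target)) {
            return;
        }
        throw new SecurityException("thread access denied: group '" + source.getName()
            + "' is not an ancestor of '" + target.getName() + "'");
    }

    public static void main(String[] args) throws InterruptedException {
        // hypothetical whitelist pattern; this demo class does not match it, so exit is refused
        System.setSecurityManager(new ExitAndThreadGroupSM("com\\.example\\.launcher\\..*"));
        try { System.exit(0); } catch (SecurityException e) { System.out.println("blocked: " + e.getMessage()); }

        // a thread in a child group tries to interrupt the main thread: child is not an ancestor of main
        Thread mainThread = Thread.currentThread();
        Thread probe = new Thread(new ThreadGroup("child"), () -> {
            try { mainThread.interrupt(); } catch (SecurityException e) { System.out.println("blocked: " + e.getMessage()); }
        }, "probe");
        probe.start();
        probe.join();
    }
}
```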

  • Constructor Details

    • SecureSM

      public SecureSM()
      Creates a new security manager where no packages can exit nor halt the virtual machine.
    • SecureSM

      public SecureSM(String[] classesThatCanExit)
      Creates a new security manager with the specified list of regular expressions that class names will be tested against to determine whether a class can exit or halt the virtual machine.
      Parameters:
      classesThatCanExit - the list of classes that can exit or halt the virtual machine
  • Method Details

    • createTestSecureSM

      public static SecureSM createTestSecureSM()
      Creates a new security manager with a standard set of test packages being the only packages that can exit or halt the virtual machine. The packages that can exit are:
      • org.apache.maven.surefire.booter.
      • com.carrotsearch.ant.tasks.junit4.
      • org.eclipse.internal.junit.runner.
      • com.intellij.rt.execution.junit.
      Returns:
      an instance of SecureSM where test packages can halt or exit the virtual machine
    • checkAccess

      public void checkAccess(Thread t)
      Overrides:
      checkAccess in class SecurityManager
    • checkAccess

      public void checkAccess(ThreadGroup g)
      Overrides:
      checkAccess in class SecurityManager
    • checkThreadAccess

      protected void checkThreadAccess(Thread t)
    • checkThreadGroupAccess

      protected void checkThreadGroupAccess(ThreadGroup g)
    • checkExit

      public void checkExit(int status)
      Overrides:
      checkExit in class SecurityManager
    • innerCheckExit

      protected void innerCheckExit(int status)
      The "Uwe Schindler" algorithm.
      Parameters:
      status - the exit status