Package org.elasticsearch
Class SpecialPermission
org.elasticsearch.SpecialPermission
- All Implemented Interfaces:
,
public final class SpecialPermission
extends
Elasticsearch-specific permission to check before entering
Instead do this;
AccessController.doPrivileged() blocks.
We try to avoid these blocks in our code and keep security simple, but we need them for a few special places to contain hacks for third party code, or dangerous things used by scripting engines.
All normal code has this permission, but checking this before truncating the stack prevents unprivileged code (e.g. scripts), which do not have it, from gaining elevated privileges.
In other words, don't do this:
// throw away all information about caller and run with our own privs
AccessController.doPrivileged(
...
);
Instead do this;
// check caller first, to see if they should be allowed to do this
SecurityManager sm = System.getSecurityManager();
if (sm != null) {
sm.checkPermission(new SpecialPermission());
}
// throw away all information about caller and run with our own privs
AccessController.doPrivileged(
...
);
- See Also:
- Serialized Form
-
Field Summary
Fields -
Constructor Summary
ConstructorsConstructorDescriptionCreates a new SpecialPermission object.name, actions)Creates a new SpecialPermission object. -
Method Summary
Methods inherited from class java.security.
, , , ,Methods inherited from class java.security.
, ,Methods inherited from class java.lang.
, , , , , , ,
-
Field Details
-
INSTANCE
-
-
Constructor Details
-
SpecialPermission
public SpecialPermission()Creates a new SpecialPermission object. -
SpecialPermission
public SpecialPermission( name, actions)Creates a new SpecialPermission object. This constructor exists for use by thePolicyobject to instantiate new Permission objects.- Parameters:
name- ignoredactions- ignored
-
-
Method Details
-
check
public static void check()Check that the current stack has .
-