Package ognl.security
Class OgnlSecurityManager
- java.lang.Object
-
- java.lang.SecurityManager
-
- ognl.security.OgnlSecurityManager
-
@Deprecated public class OgnlSecurityManager extends java.lang.SecurityManagerDeprecated.will be removed in 3.5.xWraps current security manager with JDK security manager if is inside OgnlRuntime user's methods body execution.Add the `-Dognl.security.manager` to JVM options to enable.
Note: Due to potential performance and concurrency issues, try this only if you afraid your app can have an unknown "expression injection" flaw or you afraid you cannot prevent those in your app's internal sandbox comprehensively e.g. you cannot discover and maintain all attack vectors over time because of many dependencies and also their change over time.
This tries to provide an option to you to enable a security manager that disables any sensitive action e.g. exec and exit even if attacker had a successful "expression injection" in any unknown way into your app. However, also honors previous security manager and policies if any set, as parent, and rolls back to them after method execution finished.
- Since:
- 3.1.24
-
-
Field Summary
Fields Modifier and Type Field Description private static java.lang.Class<?>CLASS_LOADER_CLASSDeprecated.private static java.lang.Class<?>FILE_PERMISSION_CLASSDeprecated.private static java.lang.StringOGNL_SANDBOX_CLASS_NAMEDeprecated.private java.lang.SecurityManagerparentSecurityManagerDeprecated.private java.util.List<java.lang.Long>residentsDeprecated.private java.security.SecureRandomrndDeprecated.
-
Constructor Summary
Constructors Constructor Description OgnlSecurityManager(java.lang.SecurityManager parentSecurityManager)Deprecated.
-
Method Summary
All Methods Instance Methods Concrete Methods Deprecated Methods Modifier and Type Method Description voidcheckPermission(java.security.Permission perm)Deprecated.voidcheckPermission(java.security.Permission perm, java.lang.Object context)Deprecated.java.lang.Longenter()Deprecated.private booleaninstall()Deprecated.private booleanisAccessDenied(java.security.Permission perm)Deprecated.voidleave(long token)Deprecated.private voiduninstall()Deprecated.-
Methods inherited from class java.lang.SecurityManager
checkAccept, checkAccess, checkAccess, checkConnect, checkConnect, checkCreateClassLoader, checkDelete, checkExec, checkExit, checkLink, checkListen, checkMulticast, checkMulticast, checkPackageAccess, checkPackageDefinition, checkPrintJobAccess, checkPropertiesAccess, checkPropertyAccess, checkRead, checkRead, checkRead, checkSecurityAccess, checkSetFactory, checkWrite, checkWrite, getClassContext, getSecurityContext, getThreadGroup
-
-
-
-
Field Detail
-
OGNL_SANDBOX_CLASS_NAME
private static final java.lang.String OGNL_SANDBOX_CLASS_NAME
Deprecated.- See Also:
- Constant Field Values
-
CLASS_LOADER_CLASS
private static final java.lang.Class<?> CLASS_LOADER_CLASS
Deprecated.
-
FILE_PERMISSION_CLASS
private static final java.lang.Class<?> FILE_PERMISSION_CLASS
Deprecated.
-
parentSecurityManager
private final java.lang.SecurityManager parentSecurityManager
Deprecated.
-
residents
private final java.util.List<java.lang.Long> residents
Deprecated.
-
rnd
private final java.security.SecureRandom rnd
Deprecated.
-
-
Method Detail
-
isAccessDenied
private boolean isAccessDenied(java.security.Permission perm)
Deprecated.
-
checkPermission
public void checkPermission(java.security.Permission perm)
Deprecated.- Overrides:
checkPermissionin classjava.lang.SecurityManager
-
checkPermission
public void checkPermission(java.security.Permission perm, java.lang.Object context)Deprecated.- Overrides:
checkPermissionin classjava.lang.SecurityManager
-
enter
public java.lang.Long enter()
Deprecated.
-
leave
public void leave(long token) throws java.lang.SecurityExceptionDeprecated.- Throws:
java.lang.SecurityException
-
install
private boolean install()
Deprecated.
-
uninstall
private void uninstall()
Deprecated.
-
-