Package ognl.security

Class OgnlSecurityManager

java.lang.Object

java.lang.SecurityManager

ognl.security.OgnlSecurityManager

@Deprecated
public class OgnlSecurityManager
extends SecurityManager

Deprecated.

will be removed in 3.5.x

Wraps current security manager with JDK security manager if is inside OgnlRuntime user's methods body execution.

Add the `-Dognl.security.manager` to JVM options to enable.

Note: Due to potential performance and concurrency issues, try this only if you afraid your app can have an unknown "expression injection" flaw or you afraid you cannot prevent those in your app's internal sandbox comprehensively e.g. you cannot discover and maintain all attack vectors over time because of many dependencies and also their change over time.

This tries to provide an option to you to enable a security manager that disables any sensitive action e.g. exec and exit even if attacker had a successful "expression injection" in any unknown way into your app. However, also honors previous security manager and policies if any set, as parent, and rolls back to them after method execution finished.

Since:

3.1.24

Field Summary

Fields

Modifier and Type	Field	Description
private static final Class<?>	CLASS_LOADER_CLASS	Deprecated.
private static final Class<?>	FILE_PERMISSION_CLASS	Deprecated.
private static final String	OGNL_SANDBOX_CLASS_NAME	Deprecated.
private final SecurityManager	parentSecurityManager	Deprecated.
private final List<Long>	residents	Deprecated.
private final SecureRandom	rnd	Deprecated.

Constructor Summary

Constructors

Constructor	Description
OgnlSecurityManager(SecurityManager parentSecurityManager)	Deprecated.

Method Summary

Modifier and Type	Method	Description
void	checkPermission(Permission perm)	Deprecated.
void	checkPermission(Permission perm, Object context)	Deprecated.
Long	enter()	Deprecated.
private boolean	install()	Deprecated.
private boolean	isAccessDenied(Permission perm)	Deprecated.
void	leave(long token)	Deprecated.
private void	uninstall()	Deprecated.

Methods inherited from class java.lang.SecurityManager

checkAccept, checkAccess, checkAccess, checkConnect, checkConnect, checkCreateClassLoader, checkDelete, checkExec, checkExit, checkLink, checkListen, checkMulticast, checkMulticast, checkPackageAccess, checkPackageDefinition, checkPrintJobAccess, checkPropertiesAccess, checkPropertyAccess, checkRead, checkRead, checkRead, checkSecurityAccess, checkSetFactory, checkWrite, checkWrite, getClassContext, getSecurityContext, getThreadGroup

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Details

OGNL_SANDBOX_CLASS_NAME

private static final String OGNL_SANDBOX_CLASS_NAME

Deprecated.

See Also:

• Constant Field Values

CLASS_LOADER_CLASS

private static final Class<?> CLASS_LOADER_CLASS

Deprecated.

FILE_PERMISSION_CLASS

private static final Class<?> FILE_PERMISSION_CLASS

Deprecated.

parentSecurityManager

private final SecurityManager parentSecurityManager

Deprecated.

residents

private final List<Long> residents

Deprecated.

rnd

private final SecureRandom rnd

Deprecated.

Constructor Details

OgnlSecurityManager

public OgnlSecurityManager(SecurityManager parentSecurityManager)

Deprecated.

Method Details

isAccessDenied

private boolean isAccessDenied(Permission perm)

Deprecated.

checkPermission

public void checkPermission(Permission perm)

Deprecated.

Overrides:

checkPermission in class SecurityManager

checkPermission

public void checkPermission(Permission perm,
 Object context)

Deprecated.

Overrides:

checkPermission in class SecurityManager

enter

public Long enter()

Deprecated.

leave

public void leave(long token)
           throws SecurityException

Deprecated.

Throws:

SecurityException

install

private boolean install()

Deprecated.

uninstall

private void uninstall()

Deprecated.