The purpose of AccessController is to perform an operation requiring
escalated permissions on behalf of code that doesn't have that permission.
For example, maybe you need to implement an authenticate(String user, String
password) function that needs to read from a password file that calling code
doesn't have permission to read from. The call stack might look something
like:

checkUser <--- Untrusted caller doesn't have permission to read /etc/passwd
authenticate <-- Your code does have permission.
AccessController.doPrivileged <-- Escalate to your code's permission levels
readFromEtcPasswdAndCheck <-- Now can do privileged read for untrusted code

In the context of GAE, all code in your application runs with the same
permissions. This means AccessController isn't needed, and you can write any
application without it.

However, we whitelist AccessController, because it improves compatibility.
For example, there are several Java libraries which need to use
AccessController when not running on GAE. By whitelisting AccessController,
we help these libraries run portably on GAE.

On Tue, Mar 2, 2010 at 4:20 AM, Yiming Li <[email protected]> wrote:

> Hi All,
>        When I was looking at the whitelist of GAE Java, it was
> interesting that I found the java.security.AccessController class, and I
> don't quite understand in what scenario we need to use this class.
>        On the other hand, it may introduce some security issues;
> think about this code in a servlet:
>
>        public void doGet(HttpServletRequest req, final HttpServletResponse resp)
>                throws IOException {
>            // Escalate to the servlet's own permissions for the directory listing
>            AccessController.doPrivileged(new PrivilegedAction<Object>() {
>                public Object run() {
>                    File dir2 = new File("/etc");
>                    String[] children2 = dir2.list();
>                    if (children2 != null) {
>                        for (int i = 0; i < children2.length; i++) {
>                            try {
>                                resp.getWriter().println(children2[i]);
>                            } catch (IOException e) {
>                                e.printStackTrace();
>                            }
>                        }
>                    }
>                    Thread t = new Thread() {
>                        public void run() {
>                            try {
>                                resp.getWriter().println("waaaaaaaaaaaaaaa");
>                            } catch (IOException e) {
>                                e.printStackTrace();
>                            }
>                        }
>                    };
>                    t.run();
>                    return null;
>                }
>            });
>        }
>          The result page will print all file names under the /etc
> directory, with "waaaaaaaaaaaaaaa", which is the output of thread t.
>          But fortunately, this will happen only on the development
> server, and only if you have permission to view all files under the
> /etc directory (but if you run the dev server with root permission
> accidentally, you can basically do anything).
>          So my point is that with the java.security.AccessController class,
> you can easily get rid of the restriction of the sandbox, although
> only on the dev server. Can anybody give me an example of using
> java.security.AccessController in a legitimate way?
>          Thank you very much.
>
> --
> Yiming
> MS student of CS Department @UCSB
>
> --
> You received this message because you are subscribed to the Google Groups
> "Google App Engine for Java" group.
> To post to this group, send email to
> [email protected].
> To unsubscribe from this group, send email to
> [email protected].
> For more options, visit this group at
> http://groups.google.com/group/google-appengine-java?hl=en.
>
>
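The authenticate pattern from the reply above, as an added example (not code from this thread or from App Engine), written to show the details that make doPrivileged safe to expose: the privileged block wraps only the file read, the user name is validated before it enters that block, and the path is fixed by the library rather than taken from the caller. It assumes a SecurityManager with a policy that grants this class's code source FilePermission on the placeholder credentials path, which the caller's code source lacks; the class name, path and file format are made up for the example.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.AccessController;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.util.regex.Pattern;

public final class Authenticator {
    // Hypothetical fixed path, chosen by this library and never by the caller.
    private static final Path CREDENTIALS = Paths.get("/var/lib/example-app/credentials.txt");
    private static final Pattern SAFE_USER = Pattern.compile("[a-z][a-z0-9_]{0,31}");

    /** True if the hash stored for user (line format "user:sha256hex") matches password. */
    public static boolean authenticate(String user, String password)
            throws IOException, GeneralSecurityException {
        // Validate caller-controlled input before any of it reaches privileged code.
        if (user == null || password == null || !SAFE_USER.matcher(user).matches()) {
            return false;
        }
        final String prefix = user + ":";
        String line;
        try {
            // Minimal privileged scope: read the fixed file and pick out this user's line.
            // doPrivileged ends the permission stack walk here, so the caller's lack of
            // FilePermission no longer matters; only this class's own grant is checked.
            line = AccessController.doPrivileged((PrivilegedExceptionAction<String>) () -> {
                for (String l : Files.readAllLines(CREDENTIALS, StandardCharsets.UTF_8)) {
                    if (l.startsWith(prefix)) return l;
                }
                return null;
            });
        } catch (PrivilegedActionException e) {
            throw (IOException) e.getException(); // the action only throws IOException
        }
        if (line == null) return false;
        // Hashing and comparison need no privilege, so they stay outside the block.
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(password.getBytes(StandardCharsets.UTF_8));
        StringBuilder hex = new StringBuilder();
        for (byte b : digest) hex.append(String.format("%02x", b));
        // Constant-time compare; a real deployment uses a salted, slow password hash, not bare SHA-256.
        return MessageDigest.isEqual(hex.toString().getBytes(StandardCharsets.US_ASCII),
                line.substring(prefix.length()).getBytes(StandardCharsets.US_ASCII));
    }
}
```

Run it under a SecurityManager (-Djava.security.manager with a policy that grants FilePermission only to this class's code source) and the read succeeds from an unprivileged caller while a direct Files.readAllLines from that caller throws AccessControlException. The SecurityManager was deprecated for removal in Java 17, so this pattern only applies to deployments that still run with one.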
