Prevent privilege escalation through AccessController.doPrivileged()

Tom Hawtin tom.hawtin at oracle.com
Thu Jul 4 17:04:36 UTC 2013


On 04/07/2013 15:44, Florian Weimer wrote:
> Is there a way to prevent future calls to
> AccessController.doPrivileged() from the same thread from actually
> increasing privilege?

No. If the code has the relevant permissions it can call doPrivileged 
together with the 1.0/1.1 legacy and new caller-sensitive methods. If 
doPrivileged were blocked, things like class loading would break. And it 
wouldn't work for untrusted code as it could find some other thread to 
run on (because of all the global state hanging around).

> Reducing these privileges with a separate class loader seems to be the
> official way to achieve that.  Is there a way to get there without
> defining and installing your own (global) security manager?

Close.

ProtectionDomain is the way to assign permission to code (optionally, 
since 1.4, through Policy). Typically you would also need to use a 
separate class loader if instead of attempting "least privilege" you 
really didn't trust the code (see, for instance, the "mixed-code fix" 
which uses a pair of class loaders for a single applet context). You 
shouldn't need to use a custom security manager.

Tom
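An added worked example of the approach Tom describes, written for this page and not code from the thread or from the JDK: one class is compiled once and then defined under three different ProtectionDomains, two of them static domains built by a small class loader with a null parent, and under a SecurityManager the same doPrivileged() call succeeds or fails purely according to the domain of the class that made it. The class names SandboxDemo, Sandboxed and RestrictedLoader are invented for the example; the only assumptions are a JDK between 9 and 17 (JDK 18+ needs -Djava.security.manager=allow, and JDK 24+ no longer supports a SecurityManager at all) and the JDK's default java.policy, which grants every code source read access to the "java.version" property.

```java
import java.io.InputStream;
import java.security.AccessController;
import java.security.CodeSource;
import java.security.Permissions;
import java.security.PrivilegedAction;
import java.security.ProtectionDomain;
import java.security.cert.Certificate;
import java.util.PropertyPermission;
import java.util.concurrent.Callable;

// Added illustration, not from the thread. Build and run with
//   javac SandboxDemo.java && java SandboxDemo
// on JDK 9-17 (JDK 18+: add -Djava.security.manager=allow).
public final class SandboxDemo {

    // The code to confine. Compiled once, defined below under three different
    // ProtectionDomains. Its doPrivileged() cannot escalate: the permission check
    // then considers only the domain of the class that called doPrivileged().
    // A public nested class with no lambdas or private members, so the trusted
    // side can instantiate it reflectively across a class loader boundary.
    public static final class Sandboxed implements Callable<String>, PrivilegedAction<String> {
        public Sandboxed() {}

        @Override public String run() { return System.getProperty("java.version"); }

        @Override public String call() { return AccessController.doPrivileged(this); }
    }

    // Defines exactly one class under a static ProtectionDomain. The two-argument
    // ProtectionDomain constructor fixes the grant to the supplied Permissions;
    // the installed Policy is never consulted for such a domain. A null parent
    // (bootstrap) means the confined class resolves only java.* types and cannot
    // reach trusted application classes through delegation.
    static final class RestrictedLoader extends ClassLoader {
        private final String name;
        private final byte[] bytes;
        private final ProtectionDomain domain;

        RestrictedLoader(String name, byte[] bytes, Permissions perms) {
            super(null);
            this.name = name;
            this.bytes = bytes;
            CodeSource cs = new CodeSource(null, (Certificate[]) null); // no location a policy could match
            this.domain = new ProtectionDomain(cs, perms);              // static domain
        }

        @Override
        protected Class<?> findClass(String n) throws ClassNotFoundException {
            if (!n.equals(name)) throw new ClassNotFoundException(n);
            return defineClass(n, bytes, 0, bytes.length, domain);
        }
    }

    static Callable<?> defineConfined(byte[] bytes, Permissions perms) throws Exception {
        String name = Sandboxed.class.getName();   // "SandboxDemo$Sandboxed"
        Class<?> c = new RestrictedLoader(name, bytes, perms).loadClass(name);
        // getConstructor() (public members only) needs no "accessDeclaredMembers" grant
        return (Callable<?>) c.getConstructor().newInstance();
    }

    static String attempt(Callable<?> c) {
        try {
            return "allowed, read " + c.call();
        } catch (SecurityException e) {     // AccessControlException is a SecurityException
            return "denied: " + e.getMessage();
        } catch (Exception e) {
            return "failed: " + e;
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] bytes;
        try (InputStream in = SandboxDemo.class.getResourceAsStream("SandboxDemo$Sandboxed.class")) {
            bytes = in.readAllBytes();
        }

        // Everything is built before the SecurityManager goes in: constructing a
        // ClassLoader needs RuntimePermission "createClassLoader", which the
        // default policy does not grant to application code.
        Callable<?> policyGoverned = new Sandboxed();       // app loader domain; Policy applies
        Callable<?> noGrant = defineConfined(bytes, new Permissions());
        Permissions one = new Permissions();
        one.add(new PropertyPermission("java.version", "read"));
        Callable<?> leastPrivilege = defineConfined(bytes, one);

        System.setSecurityManager(new SecurityManager());

        // Each call is checked against the domain of the Sandboxed copy that
        // invoked doPrivileged(): the Policy's grant for the first, an empty
        // static grant for the second, and a single PropertyPermission for the third.
        System.out.println("policy-governed : " + attempt(policyGoverned));
        System.out.println("empty domain    : " + attempt(noGrant));
        System.out.println("one permission  : " + attempt(leastPrivilege));
    }
}
```

The point to take from the second and third copies is the one Tom makes: doPrivileged() only ever confers what the caller's own ProtectionDomain already holds, so restricting the domain at defineClass time is what bounds the code, and no custom SecurityManager is involved. The two-argument ProtectionDomain constructor matters: the four-argument form creates a dynamic domain for which the Policy is consulted in addition to the supplied permissions, so a lenient policy could widen the grant.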


