Package org.elasticsearch

Class SpecialPermission

java.lang.Object
java.security.Permission
java.security.BasicPermission
org.elasticsearch.SpecialPermission
All Implemented Interfaces:
java.io.Serializable, java.security.Guard
public final class SpecialPermission
extends java.security.BasicPermission
Elasticsearch-specific permission to check before entering AccessController.doPrivileged() blocks.

We try to avoid these blocks in our code and keep security simple, but we need them for a few special places to contain hacks for third party code, or dangerous things used by scripting engines.

All normal code has this permission, but checking this before truncating the stack prevents unprivileged code (e.g. scripts), which do not have it, from gaining elevated privileges.

In other words, don't do this: 


   // throw away all information about caller and run with our own privs
   AccessController.doPrivileged(
    ...
   );

Instead do this; 

   // check caller first, to see if they should be allowed to do this
   SecurityManager sm = System.getSecurityManager();
   if (sm != null) {
     sm.checkPermission(new SpecialPermission());
   }
   // throw away all information about caller and run with our own privs
   AccessController.doPrivileged(
    ...
   );
See Also:
Serialized Form

  • Field Summary

    Fields
    Modifier and Type Field Description
    static SpecialPermission INSTANCE  

  • Constructor Summary

    Constructors
    Constructor Description
    SpecialPermission()
    Creates a new SpecialPermission object.
    SpecialPermission​(java.lang.String name, java.lang.String actions)
    Creates a new SpecialPermission object.

  • Method Summary

    Modifier and Type Method Description
    static void check()
    Check that the current stack has SpecialPermission access according to the SecurityManager.

    Methods inherited from class java.security.BasicPermission

    equals, getActions, hashCode, implies, newPermissionCollection

    Methods inherited from class java.security.Permission

    checkGuard, getName, toString

    Methods inherited from class java.lang.Object

    clone, finalize, getClass, notify, notifyAll, wait, wait, wait

  • Field Details

  • Constructor Details

    • SpecialPermission

      public SpecialPermission()
      Creates a new SpecialPermission object.

    • SpecialPermission

      public SpecialPermission​(java.lang.String name, java.lang.String actions)
      Creates a new SpecialPermission object. This constructor exists for use by the Policy object to instantiate new Permission objects.
      Parameters:
      name - ignored
      actions - ignored

  • Method Details

    • check

      public static void check()
      Check that the current stack has SpecialPermission access according to the SecurityManager.