org.elasticsearch.SpecialPermission

All Implemented Interfaces:: Serializable, Guard

public final class SpecialPermission extends BasicPermission

Elasticsearch-specific permission to check before entering AccessController.doPrivileged() blocks.

We try to avoid these blocks in our code and keep security simple, but we need them for a few special places to contain hacks for third party code, or dangerous things used by scripting engines.

All normal code has this permission, but checking this before truncating the stack prevents unprivileged code (e.g. scripts), which do not have it, from gaining elevated privileges.

In other words, don't do this:


   // throw away all information about caller and run with our own privs
   AccessController.doPrivileged(
    ...
   );

Instead do this;


   // check caller first, to see if they should be allowed to do this
   SecurityManager sm = System.getSecurityManager();
   if (sm != null) {
     sm.checkPermission(new SpecialPermission());
   }
   // throw away all information about caller and run with our own privs
   AccessController.doPrivileged(
    ...
   );

See Also:: Serialized Form

Field Summary

Fields

Modifier and Type

Field

Description

static SpecialPermission

INSTANCE
Constructor Summary

Constructors

Constructor

Description

SpecialPermission()

Creates a new SpecialPermission object.

SpecialPermission(String name, String actions)

Creates a new SpecialPermission object.
Method Summary

Modifier and Type

Method

Description

static void

check()

Check that the current stack has SpecialPermission access according to the SecurityManager.

Methods inherited from class java.security.BasicPermission
equals, getActions, hashCode, implies, newPermissionCollection

Methods inherited from class java.security.Permission
checkGuard, getName, toString

Methods inherited from class java.lang.Object
clone, finalize, getClass, notify, notifyAll, wait, wait, wait

Field Details
- INSTANCE
  
  public static final SpecialPermission INSTANCE
Constructor Details
- SpecialPermission
  
  public SpecialPermission()
  
  Creates a new SpecialPermission object.
- SpecialPermission
  
  public SpecialPermission(String name, String actions)
  
  Creates a new SpecialPermission object. This constructor exists for use by the Policy object to instantiate new Permission objects.
  
  Parameters:
  
  name - ignored
  
  actions - ignored
Method Details
- check
  
  public static void check()
  
  Check that the current stack has SpecialPermission access according to the SecurityManager.

Class SpecialPermission

Field Summary

Constructor Summary

Method Summary

Methods inherited from class java.security.BasicPermission

Methods inherited from class java.security.Permission

Methods inherited from class java.lang.Object

Field Details

INSTANCE

Constructor Details

SpecialPermission

SpecialPermission

Method Details

check