Access control exception

The Java 2 security behavior is specified by its security policy. The security policy is an access-control matrix that specifies which system resources certain code bases can access and who must sign them. The Java 2 security policy is declarative, and it is enforced at run time by the check permission method.

The following pseudocode depicts the check permission algorithm. For the complete algorithm, refer to the Java 2 security check permission algorithm in the Security: Resources for learning article.

i = m;
while (i > 0) {
    if (caller i's domain does not have the permission)
        throw AccessControlException;
    else if (caller i is marked as privileged)
        return;
    i = i - 1;
}

The algorithm requires that every class (caller) on the call stack holds the permission at the time the method is invoked; otherwise the request is denied and an AccessControlException is thrown. However, if a caller is marked as privileged and that class is granted the permission, the algorithm returns without traversing the rest of the call stack, so the classes (callers) below it do not need the required permission granted.
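The stack walk above, written out as an added Java example (not WebSphere or JDK code): callers are kept in order from caller 1 to caller m, the walk starts at the most recent caller, denies as soon as a caller's domain lacks the permission, and stops early at a privileged caller that holds it. The domain names, the permission strings and the policy map are constructed for illustration.

```java
import java.security.AccessControlException;
import java.util.List;
import java.util.Map;
import java.util.Set;

// Stand-in for the walk that the check permission method performs over the call stack.
public class CheckPermissionWalk {

    /** One call-stack frame: the domain (code base) of the caller and whether it is marked privileged. */
    record Frame(String domain, boolean privileged) {}

    /** Constructed policy: the permissions granted to each code base. */
    static final Map<String, Set<String>> POLICY = Map.of(
        "app",          Set.of("read:config"),
        "passwordutil", Set.of("read:config", "write:/var/app/passwd")
    );

    /**
     * Walk callers m..1 (most recent first). Throw as soon as a caller lacks the
     * permission; return as soon as a caller that holds it is marked privileged.
     */
    static String check(List<Frame> stack, String permission) {
        for (int i = stack.size() - 1; i >= 0; i--) {
            Frame caller = stack.get(i);
            Set<String> granted = POLICY.getOrDefault(caller.domain(), Set.of());
            if (!granted.contains(permission)) {
                throw new AccessControlException(
                    "access denied: caller " + (i + 1) + " (" + caller.domain() + ") lacks " + permission);
            }
            if (caller.privileged()) {
                return "granted at caller " + (i + 1) + " (" + caller.domain() + " is privileged)";
            }
        }
        return "granted: all " + stack.size() + " callers hold " + permission;
    }

    public static void main(String[] args) {
        String perm = "write:/var/app/passwd";

        // Caller 1 is the application, caller 2 is PasswordUtil; no frame is privileged,
        // so the walk reaches the application, which lacks the permission.
        List<Frame> plain = List.of(new Frame("app", false), new Frame("passwordutil", false));
        try {
            System.out.println(check(plain, perm));
        } catch (AccessControlException e) {
            System.out.println(e.getMessage());
        }

        // Same stack, but PasswordUtil's frame is marked privileged: the walk stops there
        // and the application is never inspected.
        List<Frame> priv = List.of(new Frame("app", false), new Frame("passwordutil", true));
        System.out.println(check(priv, perm));
    }
}
```

The first call is denied because caller 1 (the application) is not granted the permission; the second is granted at caller 2 because PasswordUtil both holds the permission and is privileged. Note that marking a caller privileged never grants it a permission it does not have: a privileged frame whose own domain lacks the permission is still denied, because the lack check runs first.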

An AccessControlException is thrown when one or more classes on the call stack lack the required permission while a method is invoked. The two possible resolutions to the exception are described under Resolution to the exception.


Example call stack

This example of a call stack shows application code that uses a third-party API utility library to update a password.

The following example is presented to illustrate the point. The decision of where to mark the code as privileged is application-specific and is unique in every situation. This decision requires great depth of domain knowledge and security expertise to make the correct judgement. A number of well written publications and books are available on this topic. Referencing these materials for more detailed information is recommended.

Use the PasswordUtil utility to change the password of a user. The utility prompts for the old password and for the new password twice, to verify that the new password is entered correctly. If the old password matches the one stored in the password file, the new password is stored and the password file is updated. Assume that none of the stack frames is marked as privileged. According to the algorithm, the application fails unless every class on the call stack is granted write permission to the password file. The client application is not granted permission to write to the password file directly, so it cannot update the password file at will.

However, if the PasswordUtil.updatePasswordFile method marks the code that accesses the password file as privileged, the check permission algorithm does not require the permission from the classes that call the PasswordUtil.updatePasswordFile method, as long as the PasswordUtil class itself is granted the permission. The client application can then update a password successfully without being granted permission to write to the password file.

The ability to mark code privileged is very flexible and powerful. If this ability is used incorrectly, the overall security of the system can be compromised and security holes can be exposed. Use the ability to mark code privileged carefully.
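The PasswordUtil pattern from the example above, as an added Java example that is not the page's or WebSphere's own code: only the file write runs inside AccessController.doPrivileged, all input checks happen before the privileged block, and the accompanying policy entry (in a comment) grants the FilePermission to PasswordUtil's code base only. The file path, the code base URL, the hashing stand-in and the verify step are constructed assumptions.

```java
import java.io.FileWriter;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Path;
import java.security.AccessController;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.util.HexFormat;

// Constructed policy entry granting the write permission to this library's code base only
// (the application that calls PasswordUtil gets no grant on the password file):
//
//   grant codeBase "file:/opt/app/lib/passwordutil.jar" {
//       permission java.io.FilePermission "/var/app/passwd", "write";
//   };
public final class PasswordUtil {

    // Constructed location of the password file.
    private static final Path PASSWORD_FILE = Path.of("/var/app/passwd");

    /** Entry point called by application code that holds no permission on the password file. */
    public static void changePassword(String user, String oldPw, String newPw, String newPwAgain)
            throws IOException {
        if (!newPw.equals(newPwAgain)) {
            throw new IllegalArgumentException("new passwords do not match");
        }
        if (!verifyOldPassword(user, oldPw)) {
            throw new SecurityException("old password does not match");
        }
        updatePasswordFile(user, newPw);
    }

    // Placeholder: a real implementation compares against the stored hash for the user.
    private static boolean verifyOldPassword(String user, String oldPw) {
        return true;
    }

    /**
     * The privileged block is limited to the single file write. The check permission walk
     * stops at this frame, so callers need no FilePermission, but everything the block
     * acts on (user name, hash) has already been validated or derived by this class.
     */
    static void updatePasswordFile(String user, String newPw) throws IOException {
        // Validate before entering the privileged block; a caller must not be able to
        // smuggle extra records or field separators into the line that gets written.
        if (user.isEmpty() || user.indexOf('\n') >= 0 || user.indexOf(':') >= 0) {
            throw new IllegalArgumentException("invalid user name");
        }
        final String line = user + ":" + hash(newPw) + "\n";
        try {
            AccessController.doPrivileged((PrivilegedExceptionAction<Void>) () -> {
                try (FileWriter w = new FileWriter(PASSWORD_FILE.toFile(), true)) {
                    w.write(line);
                }
                return null;
            });
        } catch (PrivilegedActionException e) {
            // Only IOException can be thrown by the action above.
            throw (IOException) e.getException();
        }
    }

    // Stand-in digest for the example; real password storage uses a salted, slow hash.
    private static String hash(String pw) {
        try {
            byte[] d = MessageDigest.getInstance("SHA-256").digest(pw.getBytes(StandardCharsets.UTF_8));
            return HexFormat.of().formatHex(d);
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
    }
}
```

The check only takes effect when a security manager is installed (for example `java -Djava.security.manager -Djava.security.policy=app.policy ...`); without one, doPrivileged is a no-op and every caller can write the file. Keeping the privileged region to the one statement that needs the permission, and keeping caller-controlled values out of it, is what limits the exposure the text warns about.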


Resolution to the exception

As described previously, there are two approaches to resolving an AccessControlException. Judge each exception individually to decide which of the following resolutions is best:

  1. Grant the missing permission to the application.

  2. Mark some code as privileged, after considering the issues and risks.


