Skip to main content

Eclipse Community Forums
Forum Search:

Search      Help    Register    Login    Home
Home » Eclipse Projects » Equinox » Security Manager confusion(someone adding AllPermissions to my context?)
Security Manager confusion [message #558211] Fri, 10 September 2010 14:17
Peter M. Murray is currently offline Peter M. MurrayFriend
Messages: 24
Registered: July 2009
Junior Member
Please excuse me if this is an obvious question, but I'm a bit of a noob on java security framework issues.

I'm trying to ensure a strict sandbox for running groovy scripts within my application, but am running into what appears to be rogue insertion of AllPermissions into my stack's AccessControlContext when running within Equinox. This does not appear to happen when running without Equinox.

Below is some code that demonstrates the issue. When run directly as a Java Application, it runs property - the script Context does not have the tested permission. However, when run as an Eclipse IApplication, the script context DOES have the tested permission. Examination in the debugger shows that when run within Equinox, the /groovy/script ProtectionDomain has all of the "generic" ProtectionDomain permissions plus AllPermissions.

package test;

import groovy.lang.GroovyShell;



public class TestSecurity implements IApplication
	public static void main(String[] args)

		if (System.getSecurityManager() != null)
			throw new RuntimeException("Already configured!");

		System.setProperty("", "/tmp/test.policy");
		System.setSecurityManager(new SecurityManager());

		System.out.println("Inline has permission - GOOD");

		GroovyShell shell = new GroovyShell();
			check((AccessControlContext) shell.evaluate(";"));
			System.out.println("Script has permission - BAD!!!");
		catch ( e)
			System.out.println("Script has NO permission - GOOD");

	private static void check(AccessControlContext context)
		context.checkPermission(new"/tmp/foo", "read"));

	public Object start(IApplicationContext context) throws Exception
		return IApplication.EXIT_OK;

	public void stop()

Here is /tmp/test.policy:
grant codebase "file:/home/pete/-" { permission; };

All of the groovy code is generated with a code source url of "file:/groovy/script" or "file:/groovy/shell" - so it should not match my uber grant in test.policy (and doesn't when run via direct main() invocation.

Does anyone have any insight into this? Seems like I must be missing something.



Previous Topic:Software updates - can't add update sites
Next Topic:Software updates in p2 product - giving up
Goto Forum:

Current Time: Sat Jun 23 02:59:42 GMT 2018

Powered by FUDForum. Page generated in 0.02182 seconds
.:: Contact :: Home ::.

Powered by: FUDforum 3.0.2.
Copyright ©2001-2010 FUDforum Bulletin Board Software

Back to the top