
We are running untrusted user code in a JVM with a security manager installed. That untrusted code should be able to use the Jackson libraries, and some operations in those libraries require the accessDeclaredMembers runtime permission.

I don't want to grant that permission to the untrusted code directly. If all access to Jackson was through wrapper classes we provide, I could use a doPrivileged block... but I am trying to avoid creating such wrappers.

Is there a good design that would allow the untrusted code to (indirectly) execute an operation that requires the privilege if and only if the operation is called from a Jackson class?

Thanks! Franck

franck102
  • Not sure what you mean? I could try to recursively create dynamic proxies, but the JAX-RS APIs are pretty deep and the resulting code would be pretty unmanageable. – franck102 Sep 12 '18 at 09:52
  • Just in case you are using JEE beans, you can try to use interceptors. – fhofmann Sep 20 '18 at 07:12
  • Don't let the untrusted code supply its own Jackson jars. Load them from a trusted location and make them available to the untrusted code. Set a policy to deny the access by default. Then, grant the access to the trusted Jackson jars. – Devon_C_Miller Sep 21 '18 at 19:27
  • I supply the jars from a trusted location. I don’t understand the rest of your answer, things are not that simple, the default manager will check the whole stack and will deny access when reaching the untrusted code’s codesource. – franck102 Sep 23 '18 at 03:36
  • The "Java2 Security Model", such that it is, depends upon the stack walking. There's no reason to expect doing the *rough* equivalent of `doPrivileged` **everywhere** would be safe. – Tom Hawtin - tackline Apr 11 '20 at 05:31
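
As an added example (not code from the question or from any of the comments), the following self-contained Java program reproduces the stack walk this thread is about: the same `accessDeclaredMembers` check is denied when a caller with no permissions is anywhere on the stack, even though the code performing the check is fully trusted, and it passes once the trusted code asserts its own privilege with `doPrivileged`. To stay in one file, the untrusted caller is simulated with an `AccessControlContext` containing an empty `ProtectionDomain` instead of a separate class loader and code source; the permissive `Policy`, the class name `StackWalkDemo` and the method names are assumptions of the demo, not anything Jackson or the JDK provides.

```java
import java.security.AccessControlContext;
import java.security.AccessControlException;
import java.security.AccessController;
import java.security.Permission;
import java.security.Permissions;
import java.security.Policy;
import java.security.PrivilegedAction;
import java.security.ProtectionDomain;

/**
 * Demo (constructed for this page): the Java 2 stack walk versus doPrivileged.
 * SecurityManager.checkPermission delegates to AccessController.checkPermission,
 * so calling the latter directly exercises the same decision a Jackson call would.
 */
public class StackWalkDemo {

    private static final Permission ACCESS_DECLARED_MEMBERS =
            new RuntimePermission("accessDeclaredMembers");

    /** Stand-in for an unwrapped library call: the check sees every frame on the stack. */
    static boolean libraryCallDirect() {
        return hasPermission();
    }

    /** Stand-in for a library call that asserts its own privilege: the walk stops here. */
    static boolean libraryCallPrivileged() {
        return AccessController.doPrivileged((PrivilegedAction<Boolean>) StackWalkDemo::hasPermission);
    }

    /** True if the current access-control context is granted the permission, false if denied. */
    static boolean hasPermission() {
        try {
            AccessController.checkPermission(ACCESS_DECLARED_MEMBERS);
            return true;
        } catch (AccessControlException denied) {
            return false;
        }
    }

    /**
     * Runs the action as if an untrusted code source were on the stack. A static
     * ProtectionDomain with an empty Permissions set implies no permission at all,
     * and doPrivileged(action, context) intersects that context with the stack.
     */
    static <T> T asUntrustedCaller(PrivilegedAction<T> action) {
        ProtectionDomain untrusted = new ProtectionDomain(null, new Permissions());
        AccessControlContext ctx = new AccessControlContext(new ProtectionDomain[] { untrusted });
        return AccessController.doPrivileged(action, ctx);
    }

    public static void main(String[] args) {
        // Assumed policy for the demo: this class's own code source is granted everything,
        // which is the "grant the trusted library jars" situation from the comments.
        Policy.setPolicy(new Policy() {
            @Override
            public boolean implies(ProtectionDomain domain, Permission permission) {
                return true;
            }
        });

        // Trusted frames only: granted.
        System.out.println("trusted caller, direct call:      " + libraryCallDirect());
        // Untrusted frame on the stack and no doPrivileged in between: denied.
        System.out.println("untrusted caller, direct call:    " + asUntrustedCaller(StackWalkDemo::libraryCallDirect));
        // Untrusted frame on the stack, but trusted code asserts its privilege: granted.
        System.out.println("untrusted caller, privileged call: " + asUntrustedCaller(StackWalkDemo::libraryCallPrivileged));
    }
}
```

The second line of output is the failure described in the question: granting the permission to the library's code source is not sufficient, because the default check requires every domain on the stack to hold it. The third line is what a `doPrivileged` block inside trusted code buys, and it is also why that block has to be placed deliberately rather than wrapped around every library entry point, since from that frame downward the untrusted caller is no longer consulted. The program runs as-is on JDK 8 through 17 (with deprecation warnings when compiled on 17), needs no `-Djava.security.manager` flag because it never installs a `SecurityManager`, and does not work from JDK 24 onward, where JEP 486 permanently disabled these APIs.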
