Name: sg39081 Date: 10/29/99
It is my belief that this is a bug, as it allows code downloaded
into an application to mount a DOS attack by simply killing the
application. This is documented in the JDK API, but does not seem
to work like the rest of the security checks.
//In the code, I don't setup a security manager, as this is done
//by specifying the java.security.manager property at the command
//line.
//Note: The JavaDoc for the JDK states in Runtime.exit() that:-
"throws SecurityException - If a security manager is present and its
checkExit method does not permit exiting with the specified status"
This means that a call to System.exit(0) which merely delegates to
Runtime.exit() should first check for the appropriate permissions and
throw a security exception or AccessControlException if that permission
does not exit.
public static void main( String[] args ) throws Exception {
//We could setup a security manager here, or do it on the
//cmd line.
//Example of doing it here.
//System.setSecurityManager( new SecurityManager() );
//This fails if the appropriate permission is left out of
//mypolicy. The failure is an AccessControlException.
System.getProperty("java.home", "not specified");
//This should fail since that permission is not granted.
System.exit( 0 );
}
//Here, we specify that the default security manager should be used, and
//that the policies should include the "mypolicy" file.
Cmd Line> java -Djava.security.policy=mypolicy -Djava.security.manager tests.SecurityTest
//This is the policy file. Note the lack of a permission, namely,
// permission java.lang.RuntimePermission "exitVM";
//According to the docs, this should result in a security exception
//being thrown when the appropriate System.exit() method is called.
>policy file = mypolicy
grant codeBase "file:/d:/work/java/-" {
permission java.util.PropertyPermission "java.*", "read";
};
>java -version
java version "1.3beta"
Java(TM) 2 Runtime Environment, Standard Edition (build 1.3beta-O)
Java(TM) HotSpot Client VM (build 1.3beta-O, mixed mode)
>java -fullversion
java full version "1.3beta-O"
(Review ID: 96704)
======================================================================