prohibit the call to System.exit

Asked 25/11, 2011 at 14:14 Answered 11/1, 2013 at 18:41

I'm trying to prohibit the call to System.exit(int); in some jars.

These jars will be developed by external teams and loaded by our "container" application .

My first reflex is to use the java security manager:

-Djava.security.manager-Djava.security.debug=all

with the simplest ${user.home}/.java.policy file :

grant {};

Although I can no longer call such as System.getProperties () (since I do not have java.util.PropertyPermission), I can do a System.exit (0) !!

The option java.security.debug=all gives the following console:

scl: getPerms ProtectionDomain (file: my-bin-path <no sign certificates>)
sun.misc.Launcher $ AppClassLoader @ 10385c1
<no principals>
java.security.Permissions @ 15b7986 (
(java.lang.RuntimePermission exitVM)
(java.io.FilePermission \my-bin-path\- read)
)

Why do all classes in my-bin-path have java.lang.RuntimePermission exitVM granted ?????

thanks

Glynda answered 25/11, 2011 at 14:14 Comment(6)

Apparently java.lang.RuntimePermission exitVM is granted by default, maybe you have to deny it explicitly. – Shifty 25/11, 2011 at 14:16

I would expect the exitVM permission to be on by default. If a piece of Java code reaches the end of its execution then maybe it needs to implicitly call System.exit(0) to tell the VM it is done. – Kingcup 25/11, 2011 at 14:23

I'm assuming though that you want to know how to turn it off, would recommend editing the question to specifically ask that. – Kingcup 25/11, 2011 at 14:24

What does the system wide policy file look like? ${java.home}/lib/security/java.security – Pi 25/11, 2011 at 14:26

From my understanding, java.policy files grant permission only. So I though that "not turning it on <=> let it turned off" since jre/lib/security/java.policy was not grant java.lang.RuntimePermission exitVM... – Glynda 25/11, 2011 at 14:33

Found in the javadoc for java.lang.RuntimePermission : Permission Target Name "exitVM.{exit status}" : Note: The "exitVM.*" permission is automatically granted to all code loaded from the application class path, thus enabling applications to terminate themselves. – Glynda 25/11, 2011 at 16:51

According to the bug report, https://bugs.java.com/bugdatabase/view_bug?bug_id=4286238, the policy file wasn't dis-allowing System.exit() calls. I'm running an application with Java 1.6 and am still seeing this bug despite it being "resolved." Similar to the OP, I have a system wide policy file which does not include a permission for exitVM. However, I am able to exit the application without any exception being thrown.

My understanding of including a custom policy file is that all permissions are blacklisted except those included in the policy file. Since exitVM is not included it should be disallowed (overriding the default permission mentioned by MicSim). But this is not the case.

Halfback answered 11/1, 2013 at 18:41 Comment(0)

From the Javadoc of RuntimePermission:

Note: The "exitVM.*" permission is automatically granted to all code loaded from the application class path, thus enabling applications to terminate themselves.

Reading this, it seems you have to explicitly deny this permission by writing your own SecurityManager. (For an example, see this answer: Prevent System.exit to actually exit the JVM)

Opalina answered 25/11, 2011 at 16:24 Comment(0)

Alternatively you could do AOP and intercept System.exit. Doing that yourself would be: create your own class loader and use BPEL to trace System.exit, and patch those calls. Really not a large effort.

Osteoma answered 25/11, 2011 at 17:28 Comment(0)

Recommended topics

Hot tags