Is there a way to execute unsafe code (disable security manager) in Java?

3

9

Please don't post an answer saying "you shouldn't do this." I don't plan to use this in production code, but only for some hacking fun.

In answering this question, I wanted to run some arbitrary unsafe Java code for fun. The code in question involves finding just the leaf nodes of a Java TreeMap.

Running the below code results in

Exception in thread "main" java.lang.SecurityException: Prohibited package name: java.util

According to this question, I can use System.setSecurityManager(null) to get around most of these restrictions. But I can't do this because the error pops up as my class is loaded.

I'm already aware that I can do everything I want to using reflection after disabling the security manager. But that would make the code much uglier. How do the core Java developers write their unit tests, for example, if they can't package things in java.util?

I also tried -Djava.security.manager=... but this causes a JVM initialization error when I set it to null, and I'm not sure what else I can set it to. Any ideas?

package java.util;

import java.util.TreeMap.Entry;

public class TreeMapHax {

    static <K,V> List<Entry<K, V>> getLeafEntries(TreeMap<K, V> map) {      
        Entry<K, V> root = map.getFirstEntry();
        while( root.parent != null ) root = root.parent;

        List<Entry<K,V>> l = new LinkedList<Entry<K,V>>();
        visitInOrderLeaves(root, l);
        return l;
    }

    static <K,V> void visitInOrderLeaves(Entry<K, V> node, List<Entry<K, V>> accum) {       
        if( node.left != null ) visitInOrderLeaves(node.left, accum);       
        if( node.left == null && node.right == null ) accum.add(node);      
        if( node.right != null ) visitInOrderLeaves(node.right, accum);
    }

    public static void main(String[] args) {
        TreeMap<String, Integer> map = new TreeMap<String, Integer>();

        for( int i = 0; i < 10; i++ )
            map.put(Integer.toString(i), i);

        System.out.println(getLeafEntries(map));
    }

}
Katheleenkatherin answered 22/3, 2013 at 6:3 Comment(3)
I would guess that the core developers are either happy placing their tests in different packages (since they should be testing the public interface) or have a JVM build without those security restrictions. After all, Oracle is the company that writes the JVM code. – Antiscorbutic
Perhaps try getting the source (IcedTea or something like it), sneaking your file into the "correct" package, and compiling the whole thing? I don't know if that would work, but it might be enough to trick the system. That's what I'd try. – Homophonous
You can use the bootstrap classpath. Create your own jar which contains everything from the rt.jar plus this class. This is an ugly hack, but you said you do want to hack. – Davidadavidde
3

To simply answer your question, there is no usual way.

The classes in java.* are not restricted by the security manager; they are restricted by the class loader.

To do what you want, you somehow need to find a way to hack the JVM. Or just do as you mentioned and do it with reflection. Or just create a copy (source clone) of TreeMap in your own package.

Fleischer answered 22/3, 2013 at 8:59 Comment(0)
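The class-loader check described in the answer above can be observed directly. This is an added example, not code from the thread; the names ProhibitedPackageDemo, DemoLoader and hax.TreeMapHax are hypothetical. It calls ClassLoader.defineClass with a java.* name and with an ordinary name, and reports whether a security manager is installed at the time.

```java
// Added illustration, not part of the original thread.
// ProhibitedPackageDemo, DemoLoader and "hax.TreeMapHax" are hypothetical names.
public class ProhibitedPackageDemo {

    /** Minimal loader that exposes the protected defineClass() for the demo. */
    static final class DemoLoader extends ClassLoader {
        Class<?> tryDefine(String binaryName) {
            // The byte array is deliberately empty: the package-name check in
            // ClassLoader runs before the class file bytes are parsed.
            byte[] noBytes = new byte[0];
            return defineClass(binaryName, noBytes, 0, noBytes.length);
        }
    }

    /** Attempts to define a class with the given name and describes the outcome. */
    static String attempt(String binaryName) {
        try {
            new DemoLoader().tryDefine(binaryName);
            return "defined";
        } catch (SecurityException e) {
            // Thrown by the class loader itself for names starting with "java."
            return "SecurityException: " + e.getMessage();
        } catch (LinkageError e) {
            // The name was accepted; the empty byte array is not a valid class file.
            return e.getClass().getSimpleName();
        }
    }

    public static void main(String[] args) {
        // getSecurityManager() is deprecated in recent JDKs but still present.
        boolean installed = System.getSecurityManager() != null;
        System.out.println("SecurityManager installed: " + installed);
        System.out.println("java.util.TreeMapHax -> " + attempt("java.util.TreeMapHax"));
        System.out.println("hax.TreeMapHax       -> " + attempt("hax.TreeMapHax"));
    }
}
```

Run without any security manager configured, the java.util name is rejected with the same "Prohibited package name" SecurityException quoted in the question, while the other name gets past the name check and fails only on the empty class bytes.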
0

If you create a custom java.lang.SecurityManager with all the security logic stubbed out, and compile it into a custom JVM, you should be able to reference it afterwards by setting your "java.security.manager" property to your custom manager.

Since the property is read by the Launcher before your program starts, you must have your custom SecurityManager in the JVM endorsed classpath rather than your own program (e.g. bundled in the core rt.jar file).

To answer your question about how the core developers deal with this: these kinds of tests will likely be run against a custom JVM since they do not adhere to the traditional security of a production JVM. One example of such a stub can be found here.

Keddah answered 22/3, 2013 at 9:33 Comment(0)
0

I think you might try creating a jar for your custom Java package and putting it in $JRE_HOME/lib/ext and see the magic!!

Racklin answered 22/3, 2013 at 11:58 Comment(0)
