java.lang.Object
  java.security.Policy
    org.postgresql.pljava.policy.TrialPolicy

public class TrialPolicy extends Policy
An implementation of Policy intended for temporary use while identifying needed permission grants for existing code.

This policy is meant to operate as a fallback in conjunction with the normal PL/Java policy specified with the pljava.policy_urls configuration setting. This policy is activated by specifying an additional policy file URL with -Dorg.postgresql.pljava.policy.trial=url in the pljava.vmoptions setting.

Permission checks that are allowed by the normal policy in pljava.policy_urls are allowed with no further checking. Permissions denied by that policy are checked in this one. If denied in this policy, that is the end of the matter. A permission check that is denied by the normal policy but allowed by this one is allowed, with a message to the server log.

The log message begins with POLICY DENIES/TRIAL POLICY ALLOWS: and the requested permission, followed by an abbreviated stack trace. To minimize log volume, the stack trace includes a frame above and below each crossing of a module or protection domain boundary; a single ... replaces intermediate frames within the same module and domain. At the position in the trace of the protection domain that failed the policy check, a line is inserted with the domain's code source and principals, such as >> sqlj:examples [PLPrincipal.Sandboxed: java] <<. This abbreviated trace should be well suited to the purpose of determining where any additional permission grants ought to be made.

Because each check that is logged is then allowed, it is possible to see multiple log entries for the same permission check, one for each domain in the call stack that is not granted the permission in the normal policy.
About false positives

It is not uncommon to have software that checks in normal operation for certain permissions, catches exceptions, and proceeds to function normally. Use of this policy, if it is configured to grant the permissions being checked, will produce log entries for those 'hidden' checks and may create the appearance that permissions need to be granted when, in fact, the software would show no functional impairment without them. It is difficult to distinguish such false positives from other log entries for permissions that do need to be granted for the software to properly function.

One approach would be to try to determine, from the log entries, which functions of the software led to the permission checks that were logged, and specifically test those functions in a database session that has been set up with a different policy file that does not grant those permissions. If the software then functions without incident, it may be concluded that those log entries were false positives.
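The check order described above (normal policy first, trial policy as fallback, a log line for anything only the fallback allows) as an added Java illustration; this is not PL/Java's own TrialPolicy code. The FallbackPolicyDemo class, its grantOnly helper, the file:/tmp/examples.jar code source and the property permissions are constructed for the demo, and the log line carries only the code source rather than the abbreviated stack trace.

```java
import java.net.URL;
import java.security.*;
import java.security.cert.Certificate;
import java.util.PropertyPermission;

// Demo only (not PL/Java's TrialPolicy): consult the normal policy first, the trial policy as a
// fallback, and log every check that only the fallback allows.
public final class FallbackPolicyDemo extends Policy {
    private final Policy normal, trial;

    public FallbackPolicyDemo(Policy normal, Policy trial) { this.normal = normal; this.trial = trial; }

    @Override
    public boolean implies(ProtectionDomain domain, Permission p) {
        if (normal.implies(domain, p)) return true;   // allowed by the normal policy: no further checking
        if (!trial.implies(domain, p)) return false;  // denied by both policies: end of the matter
        // Denied by the normal policy but allowed here: record the domain that failed, then allow.
        System.err.println("POLICY DENIES/TRIAL POLICY ALLOWS: " + p
                + "\n>> " + domain.getCodeSource().getLocation() + " <<");
        return true;
    }

    @Override public PermissionCollection getPermissions(CodeSource cs) { return normal.getPermissions(cs); }
    @Override public PermissionCollection getPermissions(ProtectionDomain d) { return normal.getPermissions(d); }
    @Override public void refresh() { normal.refresh(); trial.refresh(); }

    // Demo helper: a policy granting exactly the listed permissions to every domain.
    static Policy grantOnly(Permission... granted) {
        Permissions perms = new Permissions();
        for (Permission g : granted) perms.add(g);
        return new Policy() {
            @Override public boolean implies(ProtectionDomain d, Permission p) { return perms.implies(p); }
        };
    }

    public static void main(String[] args) throws Exception {
        // Constructed stand-in for an installed jar's protection domain (a real one might be sqlj:examples).
        ProtectionDomain examples = new ProtectionDomain(
                new CodeSource(new URL("file:/tmp/examples.jar"), (Certificate[]) null), new Permissions());
        Policy fallback = new FallbackPolicyDemo(
                grantOnly(new PropertyPermission("java.version", "read")),  // stands in for pljava.policy_urls
                grantOnly(new PropertyPermission("*", "read")));            // stands in for the trial policy file
        fallback.implies(examples, new PropertyPermission("java.version", "read")); // normal policy grants: silent
        fallback.implies(examples, new PropertyPermission("user.home", "read"));    // only the trial policy grants: logged
        fallback.implies(examples, new PropertyPermission("user.home", "write"));   // neither grants: denied, no log
    }
}
```

Each domain on the call stack is checked separately, which is why the real policy can log the same permission once per domain that the normal policy does not grant it to.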
Nested Class Summary

static class TrialPolicy.Permission
    A permission like java.security.AllPermission, but without any FilePermission (the real policy's sandboxed/unsandboxed grants should handle those), nor a couple dozen varieties of RuntimePermission, SecurityPermission, and ReflectPermission that would typically not be granted without clear intent.

Nested classes/interfaces inherited from class java.security.Policy: Policy.Parameters

Field Summary

Fields inherited from class java.security.Policy: UNSUPPORTED_EMPTY_COLLECTION

Constructor Summary

TrialPolicy(String limitURI)

Method Summary

PermissionCollection getPermissions(CodeSource codesource)
PermissionCollection getPermissions(ProtectionDomain domain)
boolean implies(ProtectionDomain domain, Permission permission)
void refresh()

Methods inherited from class java.security.Policy: getInstance, getInstance, getInstance, getParameters, getPolicy, getProvider, getType, setPolicy
Constructor Detail

TrialPolicy
public TrialPolicy(String limitURI) throws NoSuchAlgorithmException
    Throws: NoSuchAlgorithmException
Method Detail

getPermissions
public PermissionCollection getPermissions(CodeSource codesource)
    Overrides: getPermissions in class Policy

getPermissions
public PermissionCollection getPermissions(ProtectionDomain domain)
    Overrides: getPermissions in class Policy

implies
public boolean implies(ProtectionDomain domain, Permission permission)