Interface RulesApplier


public interface RulesApplier
Defines and applies common sets of rules.
  • Method Summary

    Modifier and Type | Method | Description
    void | applyRulesTo(RulesBuilder builder) | Applies a set of rules to the given builder.
    static RulesApplier | checkReflection() | Returns an applier which allows reflection operations, but they are checked to ensure that the corresponding constructor or method is allowed by the other rules.
    static RulesApplier | java_base() | Returns an applier of rules for the java.base module, which denies operations that are considered harmful.
  • Method Details

    • applyRulesTo

      void applyRulesTo(RulesBuilder builder)
      Applies a set of rules to the given builder.
    • java_base

      static RulesApplier java_base()
      Returns an applier of rules for the java.base module, which denies operations that are considered harmful. This consists of:

      • Reading and writing arbitrary files, directly or indirectly
      • Creating network sockets
      • Opening URLs
      • Starting processes
      • Loading native code or calling restricted FFM operations (*)
      • Using reflection to bypass any rules
      • Reading resources from other ClassLoaders or Modules
      • Reading sensitive system properties or changing the system properties
      • Altering shared settings (current locale, time zone, etc.)
      • Creating ObjectInputStreams
      • Defining new Modules
      • Exiting the current process
      • Changing sensitive thread settings (priority, etc. **)
      • Using the spi packages in the java.base module
      • Altering Provider properties
      • Closing or shutting down ForkJoinPools
      • Loading classes into ProtectionDomains

      * Loading native code or calling restricted FFM operations is allowed when:

      • the --enable-native-access option is used
      • the caller is a named module
      • and the Java version is at least 22 (see also JEP 454).

      ** A few thread settings can be changed if the thread hasn't started yet: name, daemon status, the context ClassLoader, and the thread's own uncaught exception handler.

    • checkReflection

      static RulesApplier checkReflection()
      Returns an applier which allows reflection operations, but they are checked to ensure that the corresponding constructor or method is allowed by the other rules. These rules are applied automatically when the java_base rules are applied.

      Access is checked when Constructor and Method instances are acquired, and not when they're invoked. Custom deny rules perform a check at that time, possibly resulting in an exception being thrown. For methods which return an array (example: Class.getMethods), a filtering step is applied which removes elements which cannot be accessed.
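The acquisition-time check and array filtering described above, modeled with plain JDK reflection. This is an added example, not code from this library: the class name, the DENIED set, the helper methods and the choice of NoSuchMethodException for the single lookup are all assumptions made for illustration.

```java
import java.lang.reflect.Method;
import java.util.Arrays;
import java.util.Set;

// Illustrative model only, not the library's implementation.
public class AcquisitionCheckModel {
    // Constructed deny rules, keyed as "declaring.Class#method".
    static final Set<String> DENIED = Set.of(
        "java.lang.Runtime#exit", "java.lang.Runtime#halt", "java.lang.Runtime#exec");

    static boolean isDenied(Method m) {
        return DENIED.contains(m.getDeclaringClass().getName() + "#" + m.getName());
    }

    // Single lookup: a denied member is reported as if it did not exist.
    static Method getMethodChecked(Class<?> c, String name, Class<?>... params)
            throws NoSuchMethodException {
        Method m = c.getMethod(name, params);
        if (isDenied(m)) {
            throw new NoSuchMethodException(c.getName() + "." + name);
        }
        return m;
    }

    // Array-returning lookup: denied elements are removed, nothing is thrown.
    static Method[] getMethodsFiltered(Class<?> c) {
        return Arrays.stream(c.getMethods())
                     .filter(m -> !isDenied(m))
                     .toArray(Method[]::new);
    }

    public static void main(String[] args) throws Exception {
        // Allowed method: checked once when acquired, then invoked with no further check.
        Method avail = getMethodChecked(Runtime.class, "availableProcessors");
        System.out.println("processors = " + avail.invoke(Runtime.getRuntime()));

        // Denied method: the failure happens at acquisition, before any invoke.
        try {
            getMethodChecked(Runtime.class, "exit", int.class);
            System.out.println("unexpected: exit was acquired");
        } catch (NoSuchMethodException e) {
            System.out.println("denied at acquisition: " + e.getMessage());
        }

        // The filtered array never hands a denied Method to the caller.
        boolean leaked = Arrays.stream(getMethodsFiltered(Runtime.class))
                               .anyMatch(AcquisitionCheckModel::isDenied);
        System.out.println("denied methods in filtered array: " + leaked);
    }
}
```

Because the check runs only at acquisition, any path that hands out a Method without passing through it defeats the rules, which is why array results are filtered rather than returned whole.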

      The following Class methods have custom deny actions applied:

      Methods which return MethodHandle instances are checked using the same strategy as for reflection. Custom deny actions are defined for the following Lookup methods, which can throw a NoSuchMethodException:

      Methods defined by AccessibleObject which enable access to class members are denied. Calling setAccessible causes an InaccessibleObjectException to be thrown, except when the caller module is the same as the target module. Calling trySetAccessible does nothing, and instead the caller gets a result of false.

      Calling Proxy.newProxyInstance throws a SecurityException if any of the given interfaces have any denied operations. Without this check, an InvocationHandler could get access to a denied Method, bypassing the other reflection checks, and thus allowing method calls on other instances.