cute(?) behavior of SocketPermission

with the default security manager and no special policy, the line
    new Socket("host", 80)
will throw a SecurityException complaining that "host" cannot be resolved. however, if you add a permission like
    permission java.net.SocketPermission "10.0.0.2", "connect";
where 10.0.0.2 is the IP address of "host", the line will happily go through. so it's a little strange here: how does it know that "host" is 10.0.0.2, when i never explicitly granted permission to resolve it?

it turns out that when the security check has to compare a name with an address, java quietly does a DNS lookup of its own with the permission check turned off, and then compares the resulting IP addresses. the final result is that you can write either the IP or the hostname in the policy file. this is why we see this line in the standard javadoc:

The action "resolve" refers to host/ip name service lookups.
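
the comparison described above can be watched without a security manager or a policy file by calling SocketPermission.implies() directly, which is the call the check comes down to. this is an added example, not code from the original post: the class name and the `covers` helper are made up for it, and "localhost" / 127.0.0.1 stand in for "host" / 10.0.0.2 on the assumption that localhost resolves to 127.0.0.1 on the machine running it.

```java
import java.net.SocketPermission;

public class SocketPermissionDemo {

    // hypothetical helper: does one policy grant cover the permission
    // that a connection attempt would be checked against?
    static boolean covers(String grantedHost, String grantedActions,
                          String requestedHost, String requestedActions) {
        SocketPermission granted =
                new SocketPermission(grantedHost, grantedActions);
        SocketPermission requested =
                new SocketPermission(requestedHost, requestedActions);
        // implies() resolves a hostname operand itself when it needs
        // addresses to compare against the other operand
        return granted.implies(requested);
    }

    public static void main(String[] args) {
        // the case from the post: the policy names the IP, the code names the host
        System.out.println("ip grant, connect by hostname:        "
                + covers("127.0.0.1", "connect", "localhost:80", "connect"));

        // "connect" carries "resolve" with it, so the lookup is covered too
        System.out.println("ip grant, resolve by hostname:        "
                + covers("127.0.0.1", "connect", "localhost", "resolve"));

        // the other spelling: hostname in the policy, hostname in the code
        System.out.println("hostname grant, connect by hostname:  "
                + covers("localhost", "connect", "localhost:80", "connect"));

        // a grant for a different address, same hostname in the code
        System.out.println("other ip grant, connect by hostname:  "
                + covers("127.0.0.2", "connect", "localhost:80", "connect"));

        // a grant that only allows "resolve", checked against a connect
        System.out.println("resolve-only grant, connect:          "
                + covers("127.0.0.1", "resolve", "localhost:80", "connect"));
    }
}
```

since the match is made on resolved addresses, the outcome of a check against a hostname depends on what the resolver returns at that moment.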
