About Question enthuware.ocpjp.v11.2.3620 :

Help and support on OCA OCP Java Programmer Certification Questions
1Z0-808, 1Z0-809, 1Z0-815, 1Z0-816, 1Z0-817

Post by driesva »

typo: priviledeges -> privileges

Post by admin »

Fixed.
Thank you for your feedback!

Post by sohamdatey22 »

Passing the access control does not check the permission.
The implementation provided in the example explanation only checks the nullability of the access control passed.

That implies that the run method will run with the given privileges in acc.

We must either check the permission using AccessController.checkPermission(some permission),

or use the three-argument overload of doPrivileged, which also takes a permission to be checked.

Are we on the same page with this?

Post by admin »

No, the null check is done only where the acc is being saved in the instance variable.
The check will be done in the run method.

Post by sohamdatey22 »

Sir, I had another understanding.
I understand that when we pass the AccessControlContext to the doPrivileged method, it runs with only the permissions given in the subset of the "acc";
actually checking whether the caller has the given permission or not happens under
AccessController.checkPermission...

Post by admin »

You don't have to necessarily check. AccessController.doPrivileged will check it automatically and if the permission is not there for the given AccessControlContext, the call will fail.

Post by sohamdatey22 »

Sir, I think we are not on the same page here.
After reading Oracle's secure coding guide again and again,
I have come to the conclusion that
the doPrivileged below will run with the set of permissions in the perms collection; that is, it does not care whether the caller of run has that access or not. It says, "I am letting you run the method with this set of privileges."
Hence, if the user of the run method does something, let's say, which is not provided in the perms collection, the user will not be able to do that.

It's like giving the user a security badge/ID card which has certain access; that is the perms collection, which gives the user those privileges while running the run method.

But whether the user should have those ID cards or not should still be checked using AccessController.checkPermission, so that the access is not elevated.



// Execute task with the single permission only.
    PermissionCollection perms = perm.newPermissionCollection();
    perms.add(perm);
    AccessController.doPrivileged(new PrivilegedAction<Void>() {
        public Void run() {
            task.run();
            return null;
        }},
        new AccessControlContext(
            new ProtectionDomain[] {
                new ProtectionDomain(null, perms)
            }
        )
    );

Post by admin »

Again, you don't necessarily have to check. All the permissions are already there (or not there) in AccessControlContext. If you want to check again, that's fine. But it is not a necessity. It is not like the code will do unpermitted actions if you don't check.
The main objective here, from a security perspective, is that code should not be allowed to perform an unpermitted operation, and for that a call to checkPermission is not required.
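The behaviour discussed in this thread can be observed directly. The following is an added example, not part of any post above and not Enthuware's or Oracle's code: it wraps the quoted snippet in a runnable class for Java 11 with a Security Manager installed. The class and method names and the allow-all Policy (used so that only the supplied AccessControlContext restricts the task) are assumptions made for the demonstration.

```java
import java.security.*;
import java.util.PropertyPermission;

// Hypothetical demo class; targets Java 11, where the Security Manager is available.
public class LimitedContextDemo {

    // Runs the task with exactly one permission, as in the snippet quoted in the thread.
    static void runWith(Permission perm, Runnable task) {
        PermissionCollection perms = perm.newPermissionCollection();
        perms.add(perm);
        // Two-argument ProtectionDomain: its permissions are static, the Policy is not consulted.
        AccessControlContext acc = new AccessControlContext(
            new ProtectionDomain[] { new ProtectionDomain(null, perms) });
        AccessController.doPrivileged((PrivilegedAction<Void>) () -> {
            task.run();
            return null;
        }, acc);
    }

    // Reads a system property inside the restricted context and reports the outcome.
    // Note that there is no explicit checkPermission call anywhere in this class.
    static String attempt(Permission granted, String property) {
        try {
            runWith(granted, () -> System.getProperty(property));
            return "allowed";
        } catch (AccessControlException e) {
            return "denied: " + e.getPermission();
        }
    }

    public static void main(String[] args) {
        // Demo assumption: grant this class everything, so that only the
        // AccessControlContext passed to doPrivileged limits the task.
        Policy.setPolicy(new Policy() {
            @Override
            public boolean implies(ProtectionDomain domain, Permission permission) {
                return true;
            }
        });
        System.setSecurityManager(new SecurityManager());

        Permission readUserName = new PropertyPermission("user.name", "read");
        System.out.println("user.name -> " + attempt(readUserName, "user.name"));
        System.out.println("user.home -> " + attempt(readUserName, "user.home"));
    }
}
```

Run on Java 11, it reports user.name as allowed and user.home as denied, although the code never calls checkPermission itself; the check is made inside System.getProperty by the Security Manager.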
