From f7e3cea3bb2e1ef64911dfc00810a04f9dc32b15 Mon Sep 17 00:00:00 2001
From: Terry Quigley
Date: Tue, 30 Apr 2024 11:09:09 +0100
Subject: [PATCH] Additional Exception Handling for Restricted Environments
---
 .../java/com/password4j/PropertyReader.java | 29 +++++++++++++------
 src/test/com/password4j/PasswordTest.java | 29 ++++++++++++++++++-
 2 files changed, 48 insertions(+), 10 deletions(-)
diff --git a/src/main/java/com/password4j/PropertyReader.java b/src/main/java/com/password4j/PropertyReader.java
index d514bd67..3d201ce6 100755
--- a/src/main/java/com/password4j/PropertyReader.java
+++ b/src/main/java/com/password4j/PropertyReader.java
@@ -23,6 +23,7 @@
 import java.io.FileNotFoundException;
 import java.io.IOException;
 import java.io.InputStream;
+import java.security.AccessControlException;
 import java.util.Properties;
@@ -113,19 +114,29 @@ private static String readString(String key)
 static void init()
 {
- String customPath = System.getProperty(CONFIGURATION_KEY, null);
+ String customPath = null;
- InputStream in;
- if (customPath == null || customPath.length() == 0)
- {
- in = getResource('/' + FILE_NAME);
- }
- else
- {
- in = getResource(customPath);
+ try {
+ customPath = System.getProperty(CONFIGURATION_KEY, null);
+ } catch (AccessControlException ex) {
+ LOG.debug("Cannot access configuration key property", ex);
 }
+ InputStream in = null;
 Properties props = new Properties();
+ try {
+ if (customPath == null || customPath.length() == 0)
+ {
+ in = getResource('/' + FILE_NAME);
+ }
+ else
+ {
+ in = getResource(customPath);
+ }
+ } catch (AccessControlException ex) {
+ LOG.debug("Cannot access properties file", ex);
+ props.setProperty("global.banner", "false");
+ }
 if (in != null)
 {
diff --git a/src/test/com/password4j/PasswordTest.java b/src/test/com/password4j/PasswordTest.java
index 52e51926..5701af71 100755
--- a/src/test/com/password4j/PasswordTest.java
+++ b/src/test/com/password4j/PasswordTest.java
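Review bot: Both new catch blocks in init() catch `AccessControlException`, which is narrower than the `SecurityException` that `System.getProperty` is documented to throw and has been deprecated for removal since Java 17; a custom SecurityManager that throws a plain SecurityException would still abort initialisation. Catching the parent type, `} catch (SecurityException ex) {`, covers both cases and makes the `java.security.AccessControlException` import added in the first hunk unnecessary. The failures are also logged only at debug level, so an operator who pointed CONFIGURATION_KEY at a custom file gets no visible sign that it was ignored; for a password-hashing library that presumably means hashing with defaults rather than the configured parameters, so a warn-level message fits better (assuming LOG exposes one). init() continues past the end of this hunk, so how `props` is used when `in` stays null is not visible here.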
@@ -19,11 +19,14 @@
 import java.io.ByteArrayOutputStream;
 import java.io.PrintStream;
 import java.nio.charset.StandardCharsets;
+import java.security.CodeSource;
+import java.security.PermissionCollection;
+import java.security.Permissions;
+import java.security.Policy;
 import java.security.Provider;
 import java.security.SecureRandom;
 import java.security.Security;
 import java.util.Random;
-import java.util.Set;
 import org.junit.Assert;
 import org.junit.Test;
@@ -1233,6 +1236,30 @@ public void testBalloon4()
 Assert.assertTrue(Password.check(plainTextPassword, hashed).addPepper(pepper).addSalt(salt).withBalloonHashing());
 }
+ @Test
+ public void testRestrictedPermissions()
+ {
+ // GIVEN
+ Policy.setPolicy(new Policy(){
+ @Override
+ public PermissionCollection getPermissions(CodeSource codesource) {
+ Permissions permissions = new Permissions();
+ permissions.add(new RuntimePermission("setSecurityManager"));
+ return permissions;
+ }
+ });
+ System.setSecurityManager(new SecurityManager());
+
+ // WHEN
+ Hash hash1 = Password.hash(PASSWORD).addPepper(PEPPER).addSalt(SALT).withPBKDF2();
+ Hash hash2 = Password.hash(PASSWORD).addPepper(PEPPER).withBcrypt();
+ Hash hash3 = Password.hash(PASSWORD).addPepper(PEPPER).addSalt(SALT).withScrypt();
+ // THEN
+ assertTrue(Password.check(PASSWORD, hash1));
+ assertTrue(Password.check(PASSWORD, hash2));
+ assertTrue(Password.check(PASSWORD, hash3));
+ System.setSecurityManager(null);
+ }
 }
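Review bot: The SecurityManager and Policy installed in testRestrictedPermissions are JVM-wide, and the reset `System.setSecurityManager(null)` sits after the assertions instead of in a `finally`, so a failing assertion leaves the restrictive manager active for every later test; the replaced Policy is never restored at all. Wrapping the WHEN/THEN section in try/finally and restoring the saved policy keeps the restriction scoped to this test. If PropertyReader.init() runs from a static initializer (not visible here), the new catch blocks are exercised only when this test is the first to load the class, so the test can pass without covering them. On JDK 18 and later `System.setSecurityManager` throws UnsupportedOperationException unless the JVM is started with `-Djava.security.manager=allow`, so the test needs that flag or a version guard.

```java
        Policy previousPolicy = Policy.getPolicy();
        // … unchanged: Policy.setPolicy(...) installing the restrictive policy …
        System.setSecurityManager(new SecurityManager());
        try {
            // … unchanged: WHEN / THEN hashing and Password.check assertions …
        } finally {
            // Remove the manager first (the test policy grants setSecurityManager), then restore the policy.
            System.setSecurityManager(null);
            Policy.setPolicy(previousPolicy);
        }
```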