Is there a way to execute unsafe code (disable security manager) in Java?

Question

Please don't post an answer saying "you shouldn't do this." I don't plan to use this in production code, but only for some hacking fun.

In answering this question, I wanted to run some arbitrary unsafe Java code for fun. The code in question involves finding just the leaf nodes of a Java TreeMap.

Running the below code results in

Exception in thread "main" java.lang.SecurityException: Prohibited package name: java.util

According to this question, I can use System.setSecurityManager(null) to get around most of these restrictions. But I can't do this because the error pops up as my class is loaded.

I'm already aware that I can do everything I want to using reflection after disabling the security manager. But that would make the code much uglier. How do the core Java developers write their unit tests, for example, if they can't package things in java.util?

I also tried -Djava.security.manager=... but this causes a JVM initialization error when I set it to null, and I'm not sure what else I can set it to. Any ideas?

package java.util;

import java.util.TreeMap.Entry;

public class TreeMapHax {

    static <K,V> List<Entry<K, V>> getLeafEntries(TreeMap<K, V> map) {      
        Entry<K, V> root = map.getFirstEntry();
        while( root.parent != null ) root = root.parent;

        List<Entry<K,V>> l = new LinkedList<Entry<K,V>>();
        visitInOrderLeaves(root, l);
        return l;
    }

    static <K,V> void visitInOrderLeaves(Entry<K, V> node, List<Entry<K, V>> accum) {       
        if( node.left != null ) visitInOrderLeaves(node.left, accum);       
        if( node.left == null && node.right == null ) accum.add(node);      
        if( node.right != null ) visitInOrderLeaves(node.right, accum);
    }

    public static void main(String[] args) {
        TreeMap<String, Integer> map = new TreeMap<String, Integer>();

        for( int i = 0; i < 10; i++ )
            map.put(Integer.toString(i), i);

        System.out.println(getLeafEntries(map));
    }

}

Answer 1

I think you might try creating jar for your custom Java package and putting it to $JRE_HOME/lib/ext and see the magic!!

Answer 2

If you create a custom java.lang.SecurityManager with all the security logic stubbed out, and compile it into a custom JVM, you should be able to reference it afterwards by setting your "java.security.manager" property to your custom manager.

Since the property is read by the Launcher before your program starts, you must have your custom SecurityManager in the JVM endorsed classpath rather than your own program (e.g. bundled in the core rt.jar file).

To answer your question about how the core developers deal with this: these kind of tests will likely be run against a custom JVM since they do not adhere to the traditional security of a production JVM. One example of such a stub can be found here.

Answer 3

to simply answer your question, there is no usual way

the classes in java.* are restricted not by security manager, they are restricted by the class loader.

todo what you want, you somehow need to find a way to hack the jvm. or just do as you mentioned, do it with reflection. or just create a copy (source clone) of treemap in your own package.