Merge pull request #154 from terryquigleysas/additional_exception_handling

firaja · web-flow · commit 69ff99e1080f · 2024-05-01T17:40:15.000+02:00
Additional Exception Handling for Restricted Environments
diff --git a/src/main/java/com/password4j/PropertyReader.java b/src/main/java/com/password4j/PropertyReader.java
@@ -23,6 +23,7 @@
 import java.io.FileNotFoundException;
 import java.io.IOException;
 import java.io.InputStream;
+import java.security.AccessControlException;
 import java.util.Properties;
 
 
@@ -113,19 +114,29 @@ private static String readString(String key)
 
     static void init()
     {
-        String customPath = System.getProperty(CONFIGURATION_KEY, null);
+        String customPath = null;
 
-        InputStream in;
-        if (customPath == null || customPath.length() == 0)
-        {
-            in = getResource('/' + FILE_NAME);
-        }
-        else
-        {
-            in = getResource(customPath);
+        try {
+            customPath = System.getProperty(CONFIGURATION_KEY, null);
+        } catch (AccessControlException ex) {
+            LOG.debug("Cannot access configuration key property", ex);
         }
 
+        InputStream in = null;
         Properties props = new Properties();
+        try {
+            if (customPath == null || customPath.length() == 0)
+            {
+                in = getResource('/' + FILE_NAME);
+            }
+            else
+            {
+                in = getResource(customPath);
+            }
+        } catch (AccessControlException ex) {
+            LOG.debug("Cannot access properties file", ex);
+            props.setProperty("global.banner", "false");
+        }
 
         if (in != null)
         {
diff --git a/src/test/com/password4j/PasswordTest.java b/src/test/com/password4j/PasswordTest.java
@@ -19,11 +19,14 @@
 import java.io.ByteArrayOutputStream;
 import java.io.PrintStream;
 import java.nio.charset.StandardCharsets;
+import java.security.CodeSource;
+import java.security.PermissionCollection;
+import java.security.Permissions;
+import java.security.Policy;
 import java.security.Provider;
 import java.security.SecureRandom;
 import java.security.Security;
 import java.util.Random;
-import java.util.Set;
 
 import org.junit.Assert;
 import org.junit.Test;
@@ -1233,6 +1236,30 @@ public void testBalloon4()
         Assert.assertTrue(Password.check(plainTextPassword, hashed).addPepper(pepper).addSalt(salt).withBalloonHashing());
     }
 
+    @Test
+    public void testRestrictedPermissions()
+    {
+        // GIVEN
+        Policy.setPolicy(new Policy(){
+            @Override
+            public PermissionCollection getPermissions(CodeSource codesource) {
+                Permissions permissions = new Permissions();
+                permissions.add(new RuntimePermission("setSecurityManager"));
+                return permissions;
+            }
+        });
+        System.setSecurityManager(new SecurityManager());
+
+        // WHEN
+        Hash hash1 = Password.hash(PASSWORD).addPepper(PEPPER).addSalt(SALT).withPBKDF2();
+        Hash hash2 = Password.hash(PASSWORD).addPepper(PEPPER).withBcrypt();
+        Hash hash3 = Password.hash(PASSWORD).addPepper(PEPPER).addSalt(SALT).withScrypt();
 
+        // THEN
+        assertTrue(Password.check(PASSWORD, hash1));
+        assertTrue(Password.check(PASSWORD, hash2));
+        assertTrue(Password.check(PASSWORD, hash3));
 
+        System.setSecurityManager(null);
+    }
 }
