
The SecurityManager is an example of ambient authority, exactly the kind of design that the article is criticizing.

There's at most one SecurityManager per application, meaning you can't in general use it for fine-grained confinement. It's only "granular" in the sense that requested permissions can be arbitrarily finely subdivided. There's no notion of intra-application invocation contexts, making it vulnerable to "confused deputy" problems, including things like the event-stream incident.
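As an added illustration of the point made above (this is not the commenter's code, and it is a Python model of the pattern rather than Java's actual SecurityManager API): a single process-wide monitor can subdivide permissions as finely as it likes, but every check sees only the requested operation, not which component of the application asked for it. A trusted "deputy" that writes wherever it is told, and an in-process dependency that picks the path, are enough to show the confused-deputy gap; the capability object at the end shows the alternative where the authority travels with the object instead of being looked up globally. All names, paths and the in-memory filesystem are constructed for the example.

```python
import fnmatch

# Constructed in-memory "filesystem" so the example runs offline.
FILES = {}


class AmbientMonitor:
    """Models a process-wide security monitor (one per application).

    Policy can be subdivided as finely as you like (globs here), but
    check_write receives only the path, never the identity of the caller.
    """

    def __init__(self, writable_globs):
        self.writable_globs = list(writable_globs)

    def check_write(self, path):
        if not any(fnmatch.fnmatch(path, g) for g in self.writable_globs):
            raise PermissionError(f"write denied: {path}")


# The single global monitor, in the role of System.getSecurityManager().
_MONITOR = None


def set_monitor(monitor):
    global _MONITOR
    _MONITOR = monitor


def write_file(path, data):
    """Sensitive primitive: consults the ambient monitor, then writes."""
    if _MONITOR is not None:
        _MONITOR.check_write(path)
    FILES[path] = data


class Logger:
    """The deputy: trusted application code that writes wherever it is told."""

    def log_to(self, path, message):
        write_file(path, message)


def plugin_under_ambient_authority(logger):
    """Hypothetical third-party dependency loaded into the same process.

    It holds no authority of its own, but it can name any path, and the
    deputy's write is checked against the whole application's policy.
    """
    logger.log_to("/app/config/settings", "plugin-chosen content")


class WriteCapability:
    """Capability alternative: the object itself is the authority to write
    exactly one path. Nothing global is consulted, so a holder cannot
    redirect the deputy elsewhere."""

    def __init__(self, path):
        self._path = path

    def write(self, data):
        FILES[self._path] = data


def plugin_with_capability(sink):
    # The plugin cannot choose a path; it only has this sink.
    sink.write("plugin output")


def run_ambient(policy_globs):
    """Run under an ambient policy; return (plugin_wrote, app_wrote)."""
    FILES.clear()
    set_monitor(AmbientMonitor(policy_globs))
    logger = Logger()
    try:
        plugin_under_ambient_authority(logger)
        plugin_wrote = True
    except PermissionError:
        plugin_wrote = False
    try:
        # The application's own, legitimate use of the same deputy.
        logger.log_to("/app/config/settings", "app-chosen content")
        app_wrote = True
    except PermissionError:
        app_wrote = False
    return plugin_wrote, app_wrote


def run_capability():
    """Run the plugin with a capability; return the paths that were written."""
    FILES.clear()
    set_monitor(None)
    plugin_with_capability(WriteCapability("/app/logs/plugin.log"))
    return sorted(FILES)


if __name__ == "__main__":
    # Broad policy: the plugin's write succeeds because the monitor cannot
    # tell it apart from the application.
    print(run_ambient(["/app/*"]))
    # Narrow policy: the plugin is blocked, but so is the application itself.
    print(run_ambient(["/app/logs/*"]))
    print(run_capability())
```

The two `run_ambient` calls are the "granular only in the permission dimension" problem in miniature: the policy can be narrowed until the plugin is stopped, but because the monitor has no notion of which component is on the other end of the deputy, the narrowing also breaks the application's own legitimate write. `run_capability` needs no policy at all; the plugin writes only where its capability points.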

This is the clearest simple summary I have seen of this limitation of SecurityManager (and other such security monitors). Thanks!
