Secure Coding Guidelines for the Java Programming Language

So I'm here to present to you today the Secure Coding Guidelines for the Java Programming Language. I'm a member of the Java vulnerability team; we are the team that evangelizes and presents these guidelines, and we also work on vulnerabilities to have them fixed in updates, so this is something you may have seen in studies, and it's very important. Good. So this is the agenda for today: we go a little bit into detail; there is an introduction, then I want to show you a little bit of Java security basics, then we go into vulnerabilities themselves, followed by the guidelines, anti-patterns and examples, and we conclude with the summary.

So who am I? I have a professional background in programming of 20 years. I joined the Oracle Java vulnerability team in 2010; before that I was with a major German data center, and I have done Java security research for over a decade, presented at Black Hat, wrote theses at the University of Bamberg and gave a number of talks on Java security. I also did some other ethical hacking and found bugs not only in the JRE but also in the Windows kernel, OS X, Firefox and others.

So what you will be seeing today is about the risk of insecure coding, and how the secure coding guidelines and the anti-patterns will help you to address and avoid anti-patterns and programming bugs, and thereby vulnerabilities. You may want to switch perspectives to reduce the attack surface; we're going to try to help you with that. Is that an invitation to think like an attacker? To identify violations of the guidelines and identify the weak spots in your own applications. The target audience is probably a mix of Java programmers, security engineers and risk managers; nowadays everybody is everything, so welcome.

So Java security, what is Java security? On one side it's runtime security, which is the behavior enforced by the runtime that enables applications to run in a safe environment. Then we have the crypto APIs, PKI, authentication and policy, secure communications, and pluggable implementations of crypto providers; for example we have tools like keytool, jarsigner and policytool. But today we are going to concentrate on the first aspect, runtime security.

So runtime security, what is that? At the language level that's implicit memory management, garbage collection and, very important, bytecode verification. The security manager, the access controller and JAAS constrain what's allowed to run, and how it is allowed to run is constrained by fine-grained policies. You want to have least-privilege protection, that means secure defaults for untrusted code like applets or Java Web Start applications, and this is normally enforced by code separation with class loaders. So in the graphic you see a class, and that class calls another class, and it goes into trusted code; the code is constrained by the security manager by comparing what is on the stack with what is allowed, and access to the resources is either granted or denied.

So what can go wrong? The main reason is that computer security is hard: the attacker only needs to find one flaw, while the defender has to find and fix every flaw. So the attacker probably has the easier game while you have to defend; the same in soccer, the one who scores the goal has the advantage and becomes famous. There's also a scientific definition of a vulnerability: a flaw or weakness that could be exploited to violate the system security policy, as written down in the Internet Security Glossary, version 2. And what are the causes? It might be the design, so faulty assumptions in the application architecture; it may be the implementation, insecure programming practices, what we call anti-patterns later; or the composition and setup of applications, often errors in configuration, for example.

So what types of vulnerabilities can be distinguished? There is, on one side, the vulnerability, and there is also the security weakness. The first one always has a direct impact: it allows an attacker to get more privileges than normally assigned by a policy, so you would have breaches in confidentiality, integrity or availability. An example could be a buffer overflow that finally leads to an operating system takeover, so that is probably something you want to fix very fast. Or you have security weaknesses, which are not directly exploitable but can be used in conjunction with an exploitable vulnerability to extend the impact of an attack, so they make a small vulnerability a little bit bigger; for example, if you're not following the rule of least privilege, you're not closing the gaps that are there, and the attacker has more possibilities than you want him to have.

So where are vulnerabilities listed, where can you find information? For example at MITRE there is a public database, the CVE, the Common Vulnerability Enumeration database at MITRE; it lists vulnerabilities, and every vulnerability has an ID, like CVE-2010-4476. Remember what that was? You will see later. I'll give you a hint: 8th of February 2011. Now a bell is ringing, ok. There are references, vendor details and detailed reports, but CVE does not keep a score. So that's how it looks in the CVE database, and that's the description of CVE-2010-4476, and that was, if you remember, the double bug, the double bug that for example could bring a Tomcat server to a halt. But CVE itself has no scores; CVE only lists the vulnerabilities. CVSS is the standardized model for rating vulnerabilities, by the FIRST organization that designed the CVSS standard, and the scores are listed in the NVD database.
There you could look up the vulnerability scores. How are vulnerability scores computed? You have metrics and scores; the metrics illustrate the nature of the vulnerability, which is split up into exploitability and impact, and the base score is a scaled value from 0 to 10. So you would have the vulnerability's exploitability, which is the access vector: it could be local, adjacent network or network, so a network attack probably scores higher than a local attack. There is also the access complexity, which could be high, medium or low, and low access complexity scores higher; now that's probably a little bit counterintuitive, but it is this way. Authentication: there could be multiple, single or none, and of course the vulnerabilities without authentication also score higher. There could be a confidentiality impact, which could be none, partial, partial+ or complete, and the complete ones score higher; integrity and availability are similar.

So how was the double bug scored? We see CVE-2010-4476; in the second column is the component, which was the Java Runtime Environment. What was the protocol you could reach it with? Multiple protocols, HTTP among them. The sub-component was in the language packages, and was a remote exploit possible without authentication? Yes. So the base score was five, because it was a network access vulnerability with low complexity and no authentication, and you would have no confidentiality and no integrity but a partial availability impact. And you will also be interested in the versions, 6 update 23 and 5 update 27 and others; the fix you see in the corresponding Oracle security alert. So if you had found that vulnerability, you would have written to secalert_us@oracle.com, or as a customer you would have gone to support.oracle.com. If you find other vulnerabilities, please read the detailed information at the listed URL.

So these were vulnerabilities in a nutshell; let's get down to the guidelines. Who is using guidelines in their organization, security guidelines, and are the developers following those guidelines? I don't hear much "yes", so it could be yes or it could be no. So you probably want to have another set of guidelines, and an important thing is that you have counter-examples of what you want to avoid. An anti-pattern, for example, is such a construct that allows you to avoid bad practices: it may look beneficial in the first place, but it has bad consequences. It's the negative counterpart of a design pattern, but, as I would say, its value is an educational purpose. So implementing for speed could be good, but if you don't validate parameters it could harm your security, so you have to weigh what is more important. Anti-patterns are not set in stone: there may be exceptions, there may be priorities, but of course you have to understand the consequences. They may exist in various locations: system code, application code, third-party libraries that you may have to support, very important, or in JRE extensions. You can read up in this nice book about the theory of anti-patterns.

So anti-patterns: you may have heard about C and C++ implementations, what can go wrong? They enable memory exploits in both languages, like heap and buffer overflows, because native code runs directly on the processor.
There is no sandbox or anything like it. Java is different: Java uses safe memory management, it performs automatic bounds checks, it has no explicit pointer arithmetic. Java often executes untrusted code, thereby you have to protect the access to the resources; you probably don't have an authorization tool otherwise, so this results in a different set of coding anti-patterns. Still, it's important to know about the C anti-patterns once you program in JNI, because with JNI you have all these C and C++ problems that you want to avoid in Java.

So what can go wrong in Java code? There are common misconceptions that lead to a larger attack surface, like neglecting to verify input formatting, giving unnecessary permissions, misusing public static variables, superclasses: if you change a superclass it may have an impact on your subclasses. You may assume that exceptions are harmless. Integers are sometimes very tricky to handle because of their behavior. You don't trust user input, but user input does not obey your invariants. When you use constructors and a constructor fails, what is the expected behavior? There is something we believe, that it will be destroyed in all cases. Believing that deserialization is unrelated to constructors; but deserialization is a hidden way to construct objects, so we have to know that.

Where can you find out about the guidelines? You can find them at this web page; I guess these slides will be made available too, so you don't have to take notes. These are the official guidelines, now in generation four, and they are an evolving topic, so expect new versions coming up once in a while. There are also third-party guideline collections, like the book and the wiki from CERT about secure coding; there is the CWE from the MITRE organization that shows bad examples and anti-patterns; if you're more into web applications you may find the OWASP Top 10 interesting, or go to SANS and browse their Top 25 software errors. But the guidelines from the source will be our guidelines; as you see at the top, they are Java specific, whereas the others may be generic, so be sure to address the Java guidelines first.

How are those guidelines split up? First we have the fundamentals. There is a chapter about denial of service. Confidential information, so this addresses the confidentiality impact. Then we go more into integrity: injection and inclusion, accessibility and extensibility, input validation, very important. If you deal with objects, object state, mutability is very interesting. The lifecycle is shown with object construction, serialization, and how you would constrain code is shown in chapter 9. Now we go through the guideline chapters. The guidelines address the top-level concerns when you want to write secure code; for each of those we show an example from an older JDK release that shows a problem and the attack scenario with an anti-pattern, and we briefly describe the proper secure coding guidelines, and with the URL you have seen you can go into depth with the referenced online documentation.

So first, the fundamentals: prefer to have obviously no flaws rather than no obvious flaws. These are meta-rules: design APIs to avoid security concerns, avoid duplication, restrict privileges,
establish trust boundaries, minimize the number of permission checks, and encapsulate. Why do you want to do that? Well, it's probably your hope, but security vulnerabilities will never be eliminated; still, you probably have it easier if you have well-designed and tested code, and least privilege by design prevents insecure surprises even if the code itself is not written very securely. So this one has obviously no flaw, but can you find out here? This is probably not too easy to find out, so after three months of audit you probably come to this picture, and you still cannot be sure it works at all. So you probably prefer that one: separate and compose your system out of obvious blocks that obviously have no flaws. Think about it if you use generated code.

Second, design APIs to avoid security concerns. You probably want to get the security into the design; you cannot, or only at a very high cost, retrofit security, and it's error-prone and difficult. So for example make classes final by default, which will prevent a malicious subclass from adding finalizers, from cloning, overriding, calling protected methods, or having the subclass behave in a somehow unsafe manner. Attackers are very creative, so expect the unexpected.

So avoid duplication; you can't say it often enough. A key characteristic of a secure program is to maximize reuse, because you don't have to maintain so much, because other people do it for you, like Oracle: they maintain the standard libraries which you can reuse. Therefore reuse is king, and Duke of course must have a crown in this case.

Restrict privileges: not all coding flaws will be eliminated even in peer-reviewed code. Whenever possible follow the principle of least privilege; reduced privileges mean a reduced potential impact of exploits. You can do that either statically through policy files, which may not be everybody's taste, or you can do it dynamically with doPrivileged with dynamic protection domains. You can also decide to leave jar files unsigned, so they don't get elevated privileges from the beginning; that depends on your current situation, what you want to do and what technology you want to apply.

Establish trust boundaries: you probably want to have simple APIs to clearly distinguish whom I can trust and who is outside of my trust boundary. That's a simple meta-rule that first pops up when you violate it.

Minimize the number of permission checks: prefer a single point of access, this eases a consistent access policy. After an initial permission check you probably want to provide clients with an immutable capability object, or more, and you want to consider JAAS to reuse a standard API so you don't have to write that all by yourself, which probably has bugs.

Encapsulate: you want to group related functionality; you do not want to expose implementation details and hope that people don't poke into your public non-final fields. You want to have a simple and stable API with documented behavior; you want to consider builders and factories to have abstraction, lifecycle control and invariant checks. These are not only goals for security but for well-designed software at all. So this was the fundamentals section; now we come to the security topics.
Denial of service: how can you plan against denial of service? You want to do that in the design phase. You want to use strong parsers, prefer XML DTD over other serialization types, and overall, don't let the attackers bring down your server. So you want to be aware of activities that may use inappropriate resources; you want to release the resources in all cases; you don't want your memory to be filled up with zombie objects; resource limit checks should not suffer from integer overflow. All these are goals you want to follow to avoid denial of service. What can cause inappropriate resource consumption? That can be media stuff like large image processing, integer overflows, complex object graphs, careless decompression, zip bombs for example, billion laughs attacks as with XML external entity inclusion, parsing and processing complex grammars, exposed regular expressions, all these kinds of very powerful languages but with unpredictable parsing times, deterioration anomalies, logging with inappropriate detail, and parsing corner cases that may cause infinite loops, like in the double bug case.

So resource limit checks, what can go wrong? If you look at this example, what is the problem? You have been to my Java talk? No? Yeah, ok, that's the integer overflow, and where's the overflow? Yes, the addition can overflow, so this protection of the native method will be circumvented: off plus len will be larger than the maximum value of an integer, it will be negative, and therefore this comparison will fail. So the implementer is believing the value space of integers is unbounded; of course it is bounded. So what would you do? The Java language provides bounds checking on arrays, which mitigates the vast majority of integer overflow attacks; however, the primitive types silently overflow, that is characters, bytes, longs, integers, so they potentially allow bypassing Java-level validity checks to native code, and once these checks are bypassed you get memory corruption, out-of-bounds writes, and probably your JVM crashes. So you would look into your code if you want to protect your native code and replace this suspicious check, for example the one that does the direct addition, with a subtraction construct, which has the same effect but uses more of the integer value range. Resource limit checks can suffer from integer overflows, and what you have to take home is that this comparison is better than the direct comparison, which overflows.

OK, now we've seen how we protect the goal of availability; we look into confidentiality. Why do I want to do that? I don't want to let attackers steal my company secrets. A successful attack starts with acquiring small details about the target; information gathering it is called: configuration details, passwords. It all starts at a very low level, and the attacker does it like a scavenger hunt, elevating the privileges step by step. So you want to purge sensitive information from exceptions, you don't want to log sensitive information, you want to purge sensitive information from memory after use. You probably all use exceptions; exceptions are part of the Java programming language, and you design your exceptions to tell about the cause, what has gone wrong, but think about what the attacker may read from your exceptions.
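The overflowing bounds check from the slide, as an added example that is not code from the talk: the vulnerable addition form beside the subtraction form the speaker recommends, fed the same hostile length. The class name, the sample buffer and the Math.addExact variant (Java 8 and later) are my additions.

```java
public final class RangeCheckDemo {

    /** Anti-pattern: off + len silently wraps to a negative int. */
    static boolean vulnerableCheck(byte[] buf, int off, int len) {
        if (off < 0 || len < 0) {
            return false;
        }
        // With off = 1 and len = Integer.MAX_VALUE the sum is Integer.MIN_VALUE,
        // so it compares as "smaller than buf.length" and the call is let through.
        return off + len <= buf.length;
    }

    /** The subtraction form from the talk: no intermediate can leave the int range. */
    static boolean secureCheck(byte[] buf, int off, int len) {
        if (off < 0 || len < 0 || off > buf.length) {
            return false;
        }
        // buf.length - off lies in [0, buf.length], so the comparison cannot wrap.
        return len <= buf.length - off;
    }

    /** Java 8+ alternative: make the overflow explicit and reject it rather than auto-fix. */
    static boolean exactCheck(byte[] buf, int off, int len) {
        if (off < 0 || len < 0) {
            return false;
        }
        try {
            return Math.addExact(off, len) <= buf.length;
        } catch (ArithmeticException overflow) {
            return false;
        }
    }

    public static void main(String[] args) {
        byte[] buf = new byte[64];          // constructed buffer
        int off = 1;
        int len = Integer.MAX_VALUE;        // attacker-chosen length that wraps the sum

        System.out.println("vulnerable guard passes hostile input:  " + vulnerableCheck(buf, off, len));
        System.out.println("subtraction guard passes hostile input: " + secureCheck(buf, off, len));
        System.out.println("addExact guard passes hostile input:    " + exactCheck(buf, off, len));
        System.out.println("subtraction guard passes honest input:  " + secureCheck(buf, 8, 16));
    }
}
```

The same wrap-around applies to long, short, byte and char arithmet, so the rearranged comparison is the habit to adopt wherever a length reaches native code.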
An IOException may show a user identity; with a FileNotFoundException you can probe the file system for specific usual suspects, like /etc/passwd or /etc/shadow or whatever, to find out about the system details. So you want to think about verbose debugging: it's great, but not in production use. Consider separating output channels: use a decent logging framework, probably give the user only a hash of what has gone wrong, and write the details with a decent logging framework into a protected space for the first-level support to pick up. Confidential information can also appear with passwords; you don't want to log those; you need to have a security policy in place; don't have passwords stored in clear text, use encrypted standard APIs, and hash them. Consider purging highly sensitive information after use, which helps you to limit the exposure: delete it from memory as soon as possible; do not depend on garbage collection, it may stay in memory forever, because depending on how large your memory is, the garbage collector may never run. So use character arrays and clear the traces; this will be done immediately. Keep the information local: once you gave it to a second API, it may have created copies, created strings from your char arrays, so think about auditing those third-party libraries, whether they also follow this goal.

That was confidentiality. Inclusion and injection: you want to have a clear distinction how to protect integrity. You want to validate data from untrusted sources; you have white lists; who uses black lists? Please, check... nobody? Good, nobody uses black lists, but I'll come looking at your code and we will see. So use standard parsers. These are all good advices; now we come to the details. You want to generate valid formatting: you want to avoid dynamic SQL, use prepared statements for example. XML and HTML require care, think about cross-site scripting. Avoid untrusted data on the command line; Runtime.exec can be harmful. Restrict XML inclusion, especially if it comes from untrusted sources. So think about resources with care: BMP files may have included color profiles that may reference the system. Disable HTML display in Swing components, which is the same concern as with HTML generation. And if you have an embedded script framework, that can also be very harmful.

So if you neglect to verify valid input formatting, which is the anti-pattern of the guideline "generate valid input formatting", we have an example from JDK 1.4. Who is still using JDK 1.4? Nobody? Good, oh good. How long still? Oh good, so there's probably the opportunity to upgrade at some point. But in JDK 1.4 you will find HttpURLConnection, which has a function setRequestProperty, and a common misconception is that this function does input formatting, but it did not; of course in the meantime it does, but it did not. So the attacker could craft HTTP headers with custom value strings, and you would bypass security restrictions by writing some embedded HTTP requests that bypass your security policy; so this would get added to a request.
You would have a valid request to the original host, and you would have an invalid request that is added, and the proxy would then handle this request and go to the victim host, and that would also breach the security policy, which only allows going to the original host. So instead of obeying the same-origin policy you would have attacked a third party. Of course this is fixed now; this will only work in an intranet, because you may not be whitelisted for this website. So expect creative inputs, with out-of-bounds values or escape characters, to circumvent all kinds of protections. Prefer white lists, prefer white lists; black listing is useless against new attack types. It affects code that processes requests or delegates to sub-components, so the attacker may construct attacks with network protocols, he may construct SQL requests that you didn't expect, he may even call into shell scripts with certain escape characters once the attacker finds an adequate way in your code, in your runtime, Runtime.exec for example. There are also additional issues when calling into native code, C and C++, because that has no automatic bounds checking as Java has, so always double the validation code. So generate valid formatting, what does it mean? Validate input against a whitelist, check for escape characters, reject malformed requests early, don't try to auto-fix some attacker-controlled string, he may directly get what he wants; reject and don't try to auto-fix. The regular expression API can help you to validate input strings, and that would give you the whitelist. Pass only validated inputs to subcomponents. Drop native methods, reuse well-tested libraries instead of your own code; reuse is very important: reuse prevents you from inheriting vulnerabilities of your own code that never gets maintained or fixed.

That was about integrity. Now we go into object construction and class models, extensibility and accessibility. Why would you do that? To reduce the attack surface, to assign the least accessibility required; via code, least privilege would prevent unwanted modifications of your code. You would limit the accessibility of classes, methods, interfaces and fields; you would limit the accessibility of packages, isolate unrelated code, limit exposure of class loader instances, limit the extensibility of classes and methods, and you need to understand how a superclass can affect subclass behavior. What can go wrong? There's an example from JDK 1.0.2; who's still using that? Ah, not so many. So there was Hashtable, and Hashtable has put and remove operations.
Then there is Properties, which extends Hashtable, and there is Provider, which extends Properties, so Provider inherits put and remove from Hashtable, overrides them and does a security check. So far so good. Now Hashtable gets extended: it gets a new function with a new JDK release, entrySet. So what could happen? The answer was that entrySet would bypass the security checks that are enforced with put and remove, and thus has direct access to the raw entry set, and therefore you could modify the provider's internal state. So the attacker bypasses the checks and uses the inherited entrySet to delete properties, because the entry set supports removal, and that would violate the integrity. Subclasses, what do we learn from that? Subclasses cannot guarantee encapsulation: the superclass may modify the behavior of methods that have not been overridden; the superclass may add new methods; security checks enforced in subclasses can therefore be bypassed, which we have seen with Provider.remove, because there is entrySet that would bypass that. But that was fixed by avoiding inappropriate subclassing: you would subclass only where the inheritance model is specified; when in doubt, to avoid such cases, prefer composition instead of inheritance. Monitor changes to superclasses; otherwise identify behavior changes of existing inherited methods and override if necessary, identify new methods and override if necessary. So in this case entrySet was overridden and turned into an immutable set, and the problem was gone.

Five, validate inputs: expect the unexpected, use whitelists. Bogus input may turn harmless code into malicious behavior and work like a weird machine; validation would prevent attackers from modifying the control flow. Validate the inputs, validate the outputs, define rules, validate their inputs; this is what you will see at border control, and that's what you have to do with untrusted input: check and reject if necessary. This is an example from JDK 1.5 which shows java.lang.reflect.Proxy, the Proxy class. It expected a list of interfaces for which it would generate a dynamic proxy class, and then it would feed that into a native method, defineClass0, which you see at the top. What could go wrong? The API trusted that the attacker used less than 65,000 interfaces; if you used more than 65535 non-public interfaces, the bytecode would be in such a state that the native method would crash, and to make things worse, Proxy was serializable, so it would allow for a remote denial of service attack: by crafting a serialization of this class consisting of a lot of non-public interface references, you could bring down a remote server that supports serialization. So don't expect users to read and obey the source code comments; that's what you have to do: write the checks, check all violations of the invariants, ideally use white lists. So what was done here was to add a comparison to check this invariant explicitly, and if it was violated, an IllegalArgumentException was thrown and the problem was caught.
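The Hashtable/Provider situation above, reconstructed as an added example that is not the JDK's code: a Hashtable subclass whose put and remove carry a check, the inherited entrySet() view that deletes entries without ever calling remove(), and a hardened subclass that overrides the view methods as the fix describes. The class names and the boolean guard standing in for the SecurityManager check are assumptions.

```java
import java.util.Collection;
import java.util.Collections;
import java.util.Hashtable;
import java.util.Map;
import java.util.Set;

// Provider-like class: put/remove carry a check, but the inherited views do not.
// The guard flag is a stand-in for the SecurityManager check the real Provider performed.
class GuardedTable extends Hashtable<String, String> {
    private boolean guardActive = true;

    void setGuardActive(boolean active) { guardActive = active; }

    void check() {
        if (guardActive) {
            throw new SecurityException("modification of provider state denied");
        }
    }

    @Override
    public synchronized String put(String key, String value) {
        check();
        return super.put(key, value);
    }

    @Override
    public synchronized String remove(Object key) {
        check();
        return super.remove(key);
    }
    // Not overridden: entrySet(), keySet(), values() and clear(). entrySet() was added to
    // Hashtable in a later release, and its iterator removes entries without calling remove().
}

// The fix from the talk: override the new method and hand out an immutable view.
// keySet(), values() and clear() offer the same bypass and are covered too; the Java 8
// Map default methods (remove(key, value), compute, merge, ...) would need the same
// treatment, which is why the guideline prefers composition over inheritance.
class HardenedTable extends GuardedTable {
    @Override
    public Set<Map.Entry<String, String>> entrySet() {
        return Collections.unmodifiableSet(super.entrySet());
    }

    @Override
    public Set<String> keySet() {
        return Collections.unmodifiableSet(super.keySet());
    }

    @Override
    public Collection<String> values() {
        return Collections.unmodifiableCollection(super.values());
    }

    @Override
    public synchronized void clear() {
        check();
        super.clear();
    }
}

public final class InheritedViewDemo {
    /** Seeds one entry with the guard lifted, then re-arms it (simulating trusted setup). */
    static GuardedTable seeded(GuardedTable table) {
        table.setGuardActive(false);
        table.put("signature.alg", "SHA256withRSA");   // constructed sample entry
        table.setGuardActive(true);
        return table;
    }

    /** Returns true when untrusted code managed to delete the entry without a check. */
    static boolean removedViaEntrySet(GuardedTable table) {
        try {
            table.entrySet().removeIf(e -> e.getKey().equals("signature.alg"));
        } catch (UnsupportedOperationException blocked) {
            return false;
        }
        return !table.containsKey("signature.alg");
    }

    public static void main(String[] args) {
        System.out.println("GuardedTable  bypassed: " + removedViaEntrySet(seeded(new GuardedTable())));
        System.out.println("HardenedTable bypassed: " + removedViaEntrySet(seeded(new HardenedTable())));
    }
}
```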
Six, mutability: you would prefer immutability, you would create copies of mutable output values, create copies of mutable input values, and classes should support copy functionality, and a lot of other things, because you want to rely on trustworthy objects in privileged code; you don't want to give attackers the chance to modify those on your behalf, or on their behalf. Those are security-trustworthy objects; you don't want someone else to mess around with them. So don't expose mutable statics. For example, you would write robust wrappers; these prevent the invariants from being changed; it would decouple the internal state from future changes to the input values: if the attacker still has a reference to the input value, he can modify your internal values, therefore clone and add appropriate validation checks, for example; this will decouple the internal value from the outside.

An example from JDK 1.4.2: in XSLT there was an array in which you could define functions, and this was public static. What could be a possible attack? Yes, you could overwrite the table, you could overwrite the table of the global function table, you could overwrite the values, and once trusted code, for example an XSLT function, performs its processing it would use your code, and you could gather information out of privileged areas. Think about scenarios with signed applets and unsigned applets: you could export values from unsigned to signed and privileged applets. So overwrite the table and its use: sensitive state could be modified, you could replace functions, you could establish covert channels; the attacker was able to bypass data or modify its processing behavior. Static variables are global across a Java Runtime Environment, keep this in mind, because you can attack different application domains, like code loaded into different class loaders, and with these static variables you could cross those borders; but it's highly context dependent what is possible. How would you protect against it? Make your classes final, do not expose mutable statics, reduce the scope of non-final fields, drop array access, treat public statics primarily as constants, consider using enums: enums are type safe, switchable and implicitly static final, so you want to use those.

Seven, object construction: you want to have safe object construction. Stay in charge of the critical object instances that control your system; do not let attackers control your classes, your instances. Avoid exposing constructors; defend against, that is prevent, the unauthorized construction of sensitive classes; defend against partially initialized instances, you want to have them initialized fully; prevent constructors from calling into methods that the attacker can control by overriding; defend against cloning of non-final classes. There is an example, again from JDK 1.0.2, with a class loader: the class loader looks nice, it does a security check and then it exits, but what can go wrong here? We will see that now: the attacker overrides the finalize method of the class loader in his subclass.
So he keeps a reference in the finalize method, and presto, he does not rely on a fully constructed object: he gets that object when it runs into garbage collection, and he can control the class loader; even untrusted code could do that in this case, so he could call into very important methods. So throwing an exception from a constructor doesn't prevent a partially initialized instance from being acquired: an attacker can override a finalize method to obtain the object. A constructor that calls into outside code would propagate the exception, you would leak this, and this would enable the same attack as if the constructor directly threw the exception. So what was done? You would declare a class as final if possible; if finalize can be overridden, ensure partially initialized instances are unusable. How would you do that? With an initialized flag. That was also the case with the class loader: the class loader got an initialized flag and only worked once the initialized flag was set, even though the attacker may have had a partially initialized instance. For the defense against partially initialized instances of a class, in JDK 6 and 7 you could use a security check function that would be invoked before the super constructor is called; this works with JDK 6 and 7 or later, and you would have to use target 1.6 for this to work. Thanks.

So two more to go: serialization and deserialization. Avoid serialization for security-sensitive classes, guard data during serialization. Deserialization is the same as object construction, keep that in mind; duplicate therefore all security manager checks during serialization and deserialization; understand the security permissions given to serialization and deserialization, because deserialization from untrusted sources allows attackers to create unwanted instances of critical classes; therefore always expect side effects with serialization. Again, whenever possible use XML DTD when reading from untrusted sources; don't accept serialized objects as a default. What can go wrong? Deserialization is the same as object construction: integers may have an invalid sign; an attacker could put it into an output stream, an input stream, so you would read from an input stream and read a possibly invalid BigInteger value. So the default deserialization cannot automatically apply the same invariant and parameter checking as the constructor, and an attacker can therefore create a malicious input stream with invalid field values; therefore duplicate the validations: create a custom readObject that shares the same validation checking as the class constructors, avoid default deserialization, in order to limit the window of exposure to an attack, and instead maintain a valid state by first validating and then assigning to an instance field; otherwise you would end up with corrupted instances.

Understand how to apply access control: understand how permissions are checked, beware of callback methods, safely invoke doPrivileged, know how to restrict privileges via doPrivileged, be careful of caching results of potentially privileged operations, understand how to transfer context, and understand how thread constructors transfer context. Why all this? Attackers prefer privileged contexts to execute their malicious actions.
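An added example, not the JDK's code, that ties the object-construction and the deserialization rules above together in one class: the invariant check runs before the super constructor (the target 1.6 trick), an initialized flag makes any partially built instance unusable, and a custom readObject validates the raw stream field before assigning it. The class names, the sample value and the tamper() helper that stands in for an attacker-modified stream are assumptions.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidObjectException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.nio.ByteBuffer;
import java.util.Arrays;

public class ResourceQuota implements Serializable {
    private static final long serialVersionUID = 1L;
    /** Constructed sample value; its big-endian bytes are what tamper() searches for. */
    static final int MAGIC = 0x12345678;

    private int quota;                               // assigned only after validation
    private transient volatile boolean initialized;  // false on every partially built instance

    public ResourceQuota(int quota) {
        // validate() runs before Object's constructor: a failing check never yields an
        // object at all, so there is nothing for an overridden finalize() to capture.
        this(validate(quota), true);
    }

    private ResourceQuota(int validatedQuota, boolean marker) {
        this.quota = validatedQuota;
        this.initialized = true;
    }

    /** The single invariant, shared by the constructor and by readObject. */
    private static int validate(int quota) {
        if (quota <= 0) {
            throw new IllegalArgumentException("quota must be positive: " + quota);
        }
        return quota;
    }

    /** Every accessor refuses to work on an instance that never finished construction. */
    public int quota() {
        if (!initialized) {
            throw new IllegalStateException("partially initialized instance");
        }
        return quota;
    }

    /** Deserialization is construction: read the raw field, validate, then assign. */
    private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
        ObjectInputStream.GetField fields = in.readFields();
        int fromStream = fields.get("quota", -1);
        try {
            this.quota = validate(fromStream);
        } catch (IllegalArgumentException bad) {
            throw new InvalidObjectException(bad.getMessage());
        }
        this.initialized = true;
    }

    /** Same invariant in the constructor, but default deserialization: the stream wins. */
    static final class UncheckedQuota implements Serializable {
        private static final long serialVersionUID = 1L;
        final int quota;
        UncheckedQuota(int quota) { this.quota = validate(quota); }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) { out.writeObject(o); }
        return bos.toByteArray();
    }

    static Object deserialize(byte[] s) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(s))) {
            return in.readObject();
        }
    }

    /** Simulated attacker stream: overwrite the encoded MAGIC with -1, an invalid quota. */
    static byte[] tamper(byte[] stream) {
        byte[] needle = ByteBuffer.allocate(4).putInt(MAGIC).array();
        for (int i = 0; i + 4 <= stream.length; i++) {
            if (Arrays.equals(stream, i, i + 4, needle, 0, 4)) {
                byte[] out = stream.clone();
                ByteBuffer.wrap(out, i, 4).putInt(-1);
                return out;
            }
        }
        throw new IllegalStateException("quota bytes not found in stream");
    }

    public static void main(String[] args) throws Exception {
        UncheckedQuota weak = (UncheckedQuota) deserialize(tamper(serialize(new UncheckedQuota(MAGIC))));
        System.out.println("default deserialization accepted quota = " + weak.quota);
        try {
            deserialize(tamper(serialize(new ResourceQuota(MAGIC))));
            System.out.println("unexpected: tampered stream accepted");
        } catch (InvalidObjectException rejected) {
            System.out.println("custom readObject rejected: " + rejected.getMessage());
        }
        ResourceQuota ok = (ResourceQuota) deserialize(serialize(new ResourceQuota(42)));
        System.out.println("untampered stream yields quota = " + ok.quota());
    }
}
```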
malicious actions and if you prefer police privilege execution you can do that with do privilege in this case so you would also like to safely invoke standard api’s that bypasses security checks based on the immediate caller play a couple of routes on that that would apply if you write signed templates for example or JRE extensions the same applies here so you want to know to restrict privileges to do privileges therefore we have an example from jdk 6 there was a zone info buck and the zone info bucket d civilized this was in a read object function this realized and attack a controlled instances which do privilege but in this case we don’t have any constraints so the object has deserialized with full permissions so it was read into the instance and it was d civilized as a zone info object but you don’t need all permissions for that you only would need package access to sun dot star otherwise you could all kinds of strange things like overriding zone info with a class loader or whatever and to all kinds of attacks in this case so we did to restrict the provision domain in protection domains in this case and edit annex control context this was granting a fine granular permission

set and was used to deserialize the object so that was a refactor code it used the display grips call to do privilege and only the package access control permission was used in this case so these were the nine chapters the nine chapters of Java security the nine chapters of the guidelines coming to the summary F if an anti patterns we have guidelines how you could address them you would follow the secure coding guidelines to reduce the vulnerabilities by abilities are concerned to everybody you can have breaches and if you have breaches you probably cannot war back them especially if they are information leaks poly date your data don’t try to auto fix don’t try to reinvent the wheel practice reuse reuse code is updated by others do safe nerve and reduce the effort and save money of course verify the attack surface in order to switch perspectives start assessing new code first are the exposure points where can the attacker doctor you have non final figures exposed native method static methods loop like functionality that what you would look into first check your validation mechanisms other bypasses don’t apply a black list use Wireless because black lists it’ll be incomplete consider a textile test cases excess tonight can be a wonderful test result if you have more questions if you want to dive deeper into the topic go to these URLs secure coding guidelines for Java language as you saw today go more into the details with Java is e security G overview overview about Java security at all and you could also check this short Oracle secure coding standard for Java so thank you very much for your attention this concludes my talk and now I guess we have a few minutes for questions the question was if there are tools to find out about Aziz the violations well they are tools like fine parks and PMDs you said they are commercial tools out there and you probably also wants to try to code stuff yourself which is sometimes very important to know your own code but they are tools 
out there commercial and open source and they are also tact with the s security for example in fine parks fine parks has a category of exploitable issues it’s not complete but it is start yeah sorry I think the presentation is going to be made available yes it will be on the Java one side yes Heather oh yeah that depends if you know how to instrument the existing code it doesn’t there have been instances as least as I know of offset application servers accept scripts for example from outside sources like rule bases or stuff like that but it doesn’t necessarily have to be Java code it can be any kind of a language any kind of toe ring something

yeah yeah yeah there is a list of permissions at least in Java Docs you can find those per class per package Cheers yes you could why it is good to compile them into one document should be sorry should be an afternoon’s work yeah thank you very much and see you next time
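The constructor and deserialization defenses described in the talk, as an added Java example that is not code from the talk or from the JDK: the security check is invoked before the super constructor through a private constructor taking a Void argument, an initialized flag makes a partially constructed instance unusable, and a custom readObject repeats the constructor's validation before assigning the field. GuardedCounter, its permission name and the non-negative invariant are hypothetical; the class is left non-final only so that the flag defense has something to protect (the talk's first advice, making the class final, still applies).

```java
import java.io.IOException;
import java.io.ObjectInputStream;
import java.io.Serializable;
import java.math.BigInteger;

// Hypothetical security-sensitive class; names and the permission string are illustrative.
public class GuardedCounter implements Serializable {
    private static final long serialVersionUID = 1L;
    private BigInteger value;               // invariant: non-null and non-negative
    private transient boolean initialized;  // transient: a crafted stream cannot set it

    // The check runs while the argument of this(...) is evaluated, i.e. before the
    // superclass constructor, so a failed check throws before any object exists that
    // a finalize() override in a subclass could capture.
    public GuardedCounter(BigInteger value) {
        this(securityCheck(), value);
    }

    private GuardedCounter(Void checkPassed, BigInteger value) {
        this.value = validate(value);   // may throw: the instance then stays unusable
        this.initialized = true;        // last step, only after all invariants hold
    }

    // Deserialization is construction: repeat the check and validate before assigning.
    private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
        securityCheck();
        ObjectInputStream.GetField fields = in.readFields();
        BigInteger v = validate((BigInteger) fields.get("value", null));
        this.value = v;                 // assigned only after validation succeeded
        this.initialized = true;
    }

    private static Void securityCheck() {
        SecurityManager sm = System.getSecurityManager();
        if (sm != null) sm.checkPermission(new RuntimePermission("guardedCounter.create"));
        return null;
    }
    private static BigInteger validate(BigInteger v) {
        if (v == null || v.signum() < 0) {
            throw new IllegalArgumentException("value must be non-null and non-negative");
        }
        return v;
    }
    // Public methods refuse to operate on a partially initialized instance.
    public BigInteger value() {
        if (!initialized) throw new IllegalStateException("partially initialized instance");
        return value;
    }
}
```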