這個問題是對my previous question about unusual exceptions generated by a custom security manager.的一個跟進。在高層次上,我有興趣構建一個運行可信代碼和非可信代碼的應用程序。我最初的想法是建立一個不允許大多數操作運行的自定義SecurityManager
。這導致了不尋常的行爲,在16次調用之後,可信反射代碼實例化不可信對象失敗。爲什麼這個看似等價的SecurityManager代碼會導致虛假異常?
我重寫了代碼,以便代替使用自定義SecurityManager
來處理此問題,而是創建一個新的保護域,其中運行不受信任的代碼,然後從該不受信任的代碼剝離權限。這個新的代碼如下所示:
import java.io.FilePermission;
import java.lang.reflect.*;
import java.security.*;
public class Main {
/* Track how many instances have been created so that we can see when the exception
* is thrown.
*/
private static int numInstances = 0;
public Main() {
System.out.println("Number created: " + ++numInstances);
}
/* Utility function that returns a Constructor object for main. */
private static Constructor<Main> getCtor() {
try {
return Main.class.getConstructor();
} catch (NoSuchMethodException e) {
e.printStackTrace();
System.exit(-1);
return null; // Unreachable, needed to appease compiler.
}
}
/* Utility function that creates an AccessControlContext that only has file
* read permissions.
*/
private static AccessControlContext getContext() {
CodeSource c = new CodeSource(null, (java.security.cert.Certificate[])null);
Permissions permissions = new Permissions();
/* Grant specific permission to read files. This is necessary, since otherwise the
* class loader can't read classes from disk.
*/
permissions.add(new FilePermission("*", "read"));
/* Construct an AccessControlContext from these permissions. */
return new AccessControlContext(new ProtectionDomain[] {new ProtectionDomain(c, permissions)});
}
public static void main(String[] args) {
/* Get a very restrictive AccessControlContext that does not allow for anything to run. */
AccessControlContext noPermissions = getContext();
/* Install a standard security manager to enable security. */
System.setSecurityManager(new SecurityManager());
/* Sit in an infinite loop using reflection to create Main objects. This code is
* run in a context where its only permissions are file reading.
*/
AccessController.doPrivileged(new PrivilegedAction<Void>() {
@Override
public Void run() {
/* Continuously create new Main objects. */
Constructor<Main> ctor = getCtor();
try {
while (true) {
ctor.newInstance();
}
} catch (Exception e) {
e.printStackTrace();
return null;
}
}
}, noPermissions);
}
}
此代碼現在工作完全正常 - 它構造各種Main
對象不用任何麻煩。
我很困惑的是以下內容。爲了讓AccessController
有任何牙齒,我們需要打開安全管理器。我通過調用
/* Install a standard security manager to enable security. */
System.setSecurityManager(new SecurityManager());
現在做這個,假設我改變了這個從默認SecurityManager
這個定製SecurityManager
:
/* Install a standard security manager to enable security. */
System.setSecurityManager(new SecurityManager() {
@Override
public void checkPermission(Permission p) {
/* Log the permission. */
System.out.println("Checking " + p);
super.checkPermission(p);
}
});
這SecurityManager
等同於前,除了它記錄發生在什麼會檢查權限,然後將請求轉發到默認SecurityManager
。
如果我有這樣的變化和運行程序,我現在得到相同的行爲之前:
Checking ("java.io.FilePermission" "/home/keith/Documents/secret-eclipse-workspace/Security Manager Test/bin/Main$2.class" "read")
Checking ("java.io.FilePermission" "/home/keith/Documents/secret-eclipse-workspace/Security Manager Test/bin/Main$2.class" "read")
Checking ("java.io.FilePermission" "/home/keith/Documents/secret-eclipse-workspace/Security Manager Test/bin/Main$2.class" "read")
Number created: 1
Number created: 2
Number created: 3
Number created: 4
Number created: 5
Number created: 6
Number created: 7
Number created: 8
Number created: 9
Number created: 10
Number created: 11
Number created: 12
Number created: 13
Number created: 14
Number created: 15
Checking ("java.lang.RuntimePermission" "createClassLoader")
java.security.AccessControlException: access denied ("java.lang.RuntimePermission" "createClassLoader")
at java.security.AccessControlContext.checkPermission(AccessControlContext.java:372)
at java.security.AccessController.checkPermission(AccessController.java:559)
at java.lang.SecurityManager.checkPermission(SecurityManager.java:549)
at Main$1.checkPermission(Main.java:51)
at java.lang.SecurityManager.checkCreateClassLoader(SecurityManager.java:611)
at java.lang.ClassLoader.checkCreateClassLoader(ClassLoader.java:274)
at java.lang.ClassLoader.<init>(ClassLoader.java:316)
at sun.reflect.DelegatingClassLoader.<init>(ClassDefiner.java:72)
at sun.reflect.ClassDefiner$1.run(ClassDefiner.java:60)
at sun.reflect.ClassDefiner$1.run(ClassDefiner.java:58)
at java.security.AccessController.doPrivileged(Native Method)
at sun.reflect.ClassDefiner.defineClass(ClassDefiner.java:57)
at sun.reflect.MethodAccessorGenerator$1.run(MethodAccessorGenerator.java:399)
at sun.reflect.MethodAccessorGenerator$1.run(MethodAccessorGenerator.java:396)
at java.security.AccessController.doPrivileged(Native Method)
at sun.reflect.MethodAccessorGenerator.generate(MethodAccessorGenerator.java:395)
at sun.reflect.MethodAccessorGenerator.generateConstructor(MethodAccessorGenerator.java:94)
at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:48)
at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
at java.lang.reflect.Constructor.newInstance(Constructor.java:526)
at Main$2.run(Main.java:65)
at Main$2.run(Main.java:1)
at java.security.AccessController.doPrivileged(Native Method)
at Main.main(Main.java:58)
爲什麼我之前使用這個自定義SecurityManager
後得到不同的行爲?我不明白爲什麼這些程序會在這些情況下產生不同的結果,因爲在這兩種情況下,默認SecurityManager
是實際進行所有安全檢查的那個。
謝謝!
謝謝!我將如何使該代碼可信?或者我應該尋找一種完全不同的方法? – templatetypedef
@templatetypedef通常,您將在策略文件中授予代碼庫java.security.AllPermission。 –