Java/Security/SecurityManager
Содержание
Enabling the Security Manager
<source lang="java">
public class Main {
public static void main(String[] argv) throws Exception { System.setProperty("java.version", "data"); try { SecurityManager sm = new SecurityManager(); System.setSecurityManager(sm); } catch (SecurityException se) { se.printStackTrace(); } // no longer possible; an AccessControlException is thrown System.setProperty("java.version", "malicious data"); }
} /*Exception in thread "main" java.security.AccessControlException: access denied (java.util.PropertyPermission java.version write)
at java.security.AccessControlContext.checkPermission(AccessControlContext.java:323) at java.security.AccessController.checkPermission(AccessController.java:546) at java.lang.SecurityManager.checkPermission(SecurityManager.java:532) at java.lang.System.setProperty(System.java:727) at Main.main(Main.java:13)
- /
</source>
extends SecurityManager
<source lang="java">
import java.io.IOException; public class MainClass {
public static void main(String args[]) throws IOException { System.setSecurityManager(new MySecurityManager()); }
} class MySecurityManager extends SecurityManager {
public void checkRead(String file) { if (!(file.endsWith(".txt")) && !(file.endsWith(".java")) && !(file.endsWith(".class")) && !(file.startsWith("C:\\"))) { throw new SecurityException("No Read Permission for : " + file); } }
}
</source>
Listing All Permissions Granted to Classes Loaded from a URL or Directory
<source lang="java">
import java.io.File; import java.net.URL; import java.security.CodeSource; import java.security.Permission; import java.security.PermissionCollection; import java.security.Policy; import java.security.cert.Certificate; import java.util.Enumeration; public class Main {
public static void main(String[] argv) throws Exception { SecurityManager sm = new SecurityManager(); System.setSecurityManager(sm); URL codebase = new URL("http://java.sun.ru/"); codebase = new File("c:\\java\\").toURI().toURL(); codebase = new File(System.getProperty("user.home")).toURI().toURL(); CodeSource cs = new CodeSource(codebase, (Certificate[])null); PermissionCollection pcoll = Policy.getPolicy().getPermissions(cs); Enumeration e = pcoll.elements(); for (; e.hasMoreElements();) { Permission p = (Permission) e.nextElement(); } }
}
</source>
Security Support
<source lang="java">
/*
* Licensed to the Apache Software Foundation (ASF) under one * or more contributor license agreements. See the NOTICE file * distributed with this work for additional information * regarding copyright ownership. The ASF licenses this file * to you under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at * * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. */
/*
* $Id$ */
import java.io.File; import java.io.FileInputStream; import java.io.FileNotFoundException; import java.io.InputStream; import java.security.AccessController; import java.security.PrivilegedAction; import java.security.PrivilegedActionException; import java.security.PrivilegedExceptionAction; /**
* This class is duplicated for each Xalan-Java subpackage so keep it in sync. * It is package private and therefore is not exposed as part of the Xalan-Java * API. * * Base class with security related methods that work on JDK 1.1. */
class SecuritySupport {
/* * Make this of type Object so that the verifier won"t try to * prove its type, thus possibly trying to load the SecuritySupport12 * class. */ private static final Object securitySupport; static { SecuritySupport ss = null; try { Class c = Class.forName("java.security.AccessController"); // if that worked, we"re on 1.2. /* // don"t reference the class explicitly so it doesn"t // get dragged in accidentally. c = Class.forName("javax.mail.SecuritySupport12"); Constructor cons = c.getConstructor(new Class[] { }); ss = (SecuritySupport)cons.newInstance(new Object[] { }); */ /* * Unfortunately, we can"t load the class using reflection * because the class is package private. And the class has * to be package private so the APIs aren"t exposed to other * code that could use them to circumvent security. Thus, * we accept the risk that the direct reference might fail * on some JDK 1.1 JVMs, even though we would never execute * this code in such a case. Sigh... */ ss = new SecuritySupport12(); } catch (Exception ex) { // ignore it } finally { if (ss == null) ss = new SecuritySupport(); securitySupport = ss; } } /** * Return an appropriate instance of this class, depending on whether * we"re on a JDK 1.1 or J2SE 1.2 (or later) system. */ static SecuritySupport getInstance() { return (SecuritySupport)securitySupport; } ClassLoader getContextClassLoader() { return null; } ClassLoader getSystemClassLoader() { return null; } ClassLoader getParentClassLoader(ClassLoader cl) { return null; } String getSystemProperty(String propName) { return System.getProperty(propName); } FileInputStream getFileInputStream(File file) throws FileNotFoundException { return new FileInputStream(file); } InputStream getResourceAsStream(ClassLoader cl, String name) { InputStream ris; if (cl == null) { ris = ClassLoader.getSystemResourceAsStream(name); } else { ris = cl.getResourceAsStream(name); } return ris; } boolean getFileExists(File f) { return f.exists(); } long getLastModified(File f) { return f.lastModified(); }
} /*
* Licensed to the Apache Software Foundation (ASF) under one * or more contributor license agreements. See the NOTICE file * distributed with this work for additional information * regarding copyright ownership. The ASF licenses this file * to you under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at * * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. */
/*
* $Id$ */
/**
* This class is duplicated for each Xalan-Java subpackage so keep it in sync. * It is package private and therefore is not exposed as part of the Xalan-Java * API. * * Security related methods that only work on J2SE 1.2 and newer. */
class SecuritySupport12 extends SecuritySupport {
ClassLoader getContextClassLoader() { return (ClassLoader) AccessController.doPrivileged(new PrivilegedAction() { public Object run() { ClassLoader cl = null; try { cl = Thread.currentThread().getContextClassLoader(); } catch (SecurityException ex) { } return cl; } }); } ClassLoader getSystemClassLoader() { return (ClassLoader) AccessController.doPrivileged(new PrivilegedAction() { public Object run() { ClassLoader cl = null; try { cl = ClassLoader.getSystemClassLoader(); } catch (SecurityException ex) {} return cl; } }); } ClassLoader getParentClassLoader(final ClassLoader cl) { return (ClassLoader) AccessController.doPrivileged(new PrivilegedAction() { public Object run() { ClassLoader parent = null; try { parent = cl.getParent(); } catch (SecurityException ex) {} // eliminate loops in case of the boot // ClassLoader returning itself as a parent return (parent == cl) ? null : parent; } }); } String getSystemProperty(final String propName) { return (String) AccessController.doPrivileged(new PrivilegedAction() { public Object run() { return System.getProperty(propName); } }); } FileInputStream getFileInputStream(final File file) throws FileNotFoundException { try { return (FileInputStream) AccessController.doPrivileged(new PrivilegedExceptionAction() { public Object run() throws FileNotFoundException { return new FileInputStream(file); } }); } catch (PrivilegedActionException e) { throw (FileNotFoundException)e.getException(); } } InputStream getResourceAsStream(final ClassLoader cl, final String name) { return (InputStream) AccessController.doPrivileged(new PrivilegedAction() { public Object run() { InputStream ris; if (cl == null) { ris = ClassLoader.getSystemResourceAsStream(name); } else { ris = cl.getResourceAsStream(name); } return ris; } }); } boolean getFileExists(final File f) { return ((Boolean) AccessController.doPrivileged(new PrivilegedAction() { public Object run() { return new Boolean(f.exists()); } })).booleanValue(); } long getLastModified(final File f) { return ((Long) AccessController.doPrivileged(new PrivilegedAction() { public Object run() { return new Long(f.lastModified()); } })).longValue(); }
}
</source>
The security manager can be installed from the command line:
<source lang="java">
java -Djava.security.manager MyApp
</source>
Use SecurityManager to check AWT permission and file permission
<source lang="java">
import java.awt.AWTPermission; import java.io.FilePermission; public class MainClass {
public static void main(String args[]) throws Exception { SecurityManager sm = System.getSecurityManager(); if (sm != null) { FilePermission fp = new FilePermission("c:\\autoexec.bat", "read"); sm.checkPermission(fp); } if (sm != null) { AWTPermission ap = new AWTPermission("accessClipboard"); sm.checkPermission(ap); } System.out.println("Has AWTPermission to access AWT Clipboard"); }
}
</source>