Java/Security/SecurityManager

Материал из Java эксперт
Версия от 18:01, 31 мая 2010; (обсуждение)
(разн.) ← Предыдущая | Текущая версия (разн.) | Следующая → (разн.)
Перейти к: навигация, поиск

Enabling the Security Manager

   

public class Main {
  public static void main(String[] argv) throws Exception {
    System.setProperty("java.version", "data");
    try {
      SecurityManager sm = new SecurityManager();
      System.setSecurityManager(sm);
    } catch (SecurityException se) {
      se.printStackTrace();
    }
    // no longer possible; an AccessControlException is thrown
    System.setProperty("java.version", "malicious data");
  }
}
/*Exception in thread "main" java.security.AccessControlException: access denied (java.util.PropertyPermission java.version write)
  at java.security.AccessControlContext.checkPermission(AccessControlContext.java:323)
  at java.security.AccessController.checkPermission(AccessController.java:546)
  at java.lang.SecurityManager.checkPermission(SecurityManager.java:532)
  at java.lang.System.setProperty(System.java:727)
  at Main.main(Main.java:13)
*/





extends SecurityManager

    
import java.io.IOException;
public class MainClass {
  public static void main(String args[]) throws IOException {
    System.setSecurityManager(new MySecurityManager());
  }
}
class MySecurityManager extends SecurityManager {
  public void checkRead(String file) {
    if (!(file.endsWith(".txt")) && !(file.endsWith(".java")) && !(file.endsWith(".class"))
        && !(file.startsWith("C:\\"))) {
      throw new SecurityException("No Read Permission for : " + file);
    }
  }
}





Listing All Permissions Granted to Classes Loaded from a URL or Directory

   
import java.io.File;
import java.net.URL;
import java.security.CodeSource;
import java.security.Permission;
import java.security.PermissionCollection;
import java.security.Policy;
import java.security.cert.Certificate;
import java.util.Enumeration;
public class Main {
  public static void main(String[] argv) throws Exception {
    SecurityManager sm = new SecurityManager();
    System.setSecurityManager(sm);
    URL codebase = new URL("http://java.sun.ru/");
    codebase = new File("c:\\java\\").toURI().toURL();
    codebase = new File(System.getProperty("user.home")).toURI().toURL();
    CodeSource cs = new CodeSource(codebase, (Certificate[])null);
    PermissionCollection pcoll = Policy.getPolicy().getPermissions(cs);
    Enumeration e = pcoll.elements();
    for (; e.hasMoreElements();) {
      Permission p = (Permission) e.nextElement();
    }
  }
}





Security Support

  
/*
 * Licensed to the Apache Software Foundation (ASF) under one
 * or more contributor license agreements. See the NOTICE file
 * distributed with this work for additional information
 * regarding copyright ownership. The ASF licenses this file
 * to you under the Apache License, Version 2.0 (the  "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
/*
 * $Id$
 */

import java.io.File;
import java.io.FileInputStream;
import java.io.FileNotFoundException;
import java.io.InputStream;
import java.security.AccessController;
import java.security.PrivilegedAction;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
/**
 * This class is duplicated for each Xalan-Java subpackage so keep it in sync.
 * It is package private and therefore is not exposed as part of the Xalan-Java
 * API.
 *
 * Base class with security related methods that work on JDK 1.1.
 */
class SecuritySupport {
    /*
     * Make this of type Object so that the verifier won"t try to
     * prove its type, thus possibly trying to load the SecuritySupport12
     * class.
     */
    private static final Object securitySupport;
    static {
  SecuritySupport ss = null;
  try {
      Class c = Class.forName("java.security.AccessController");
      // if that worked, we"re on 1.2.
      /*
      // don"t reference the class explicitly so it doesn"t
      // get dragged in accidentally.
      c = Class.forName("javax.mail.SecuritySupport12");
      Constructor cons = c.getConstructor(new Class[] { });
      ss = (SecuritySupport)cons.newInstance(new Object[] { });
      */
      /*
       * Unfortunately, we can"t load the class using reflection
       * because the class is package private.  And the class has
       * to be package private so the APIs aren"t exposed to other
       * code that could use them to circumvent security.  Thus,
       * we accept the risk that the direct reference might fail
       * on some JDK 1.1 JVMs, even though we would never execute
       * this code in such a case.  Sigh...
       */
      ss = new SecuritySupport12();
  } catch (Exception ex) {
      // ignore it
  } finally {
      if (ss == null)
    ss = new SecuritySupport();
      securitySupport = ss;
  }
    }
    /**
     * Return an appropriate instance of this class, depending on whether
     * we"re on a JDK 1.1 or J2SE 1.2 (or later) system.
     */
    static SecuritySupport getInstance() {
  return (SecuritySupport)securitySupport;
    }
    ClassLoader getContextClassLoader() {
  return null;
    }
    ClassLoader getSystemClassLoader() {
        return null;
    }
    ClassLoader getParentClassLoader(ClassLoader cl) {
        return null;
    }
    String getSystemProperty(String propName) {
        return System.getProperty(propName);
    }
    FileInputStream getFileInputStream(File file)
        throws FileNotFoundException
    {
        return new FileInputStream(file);
    }
    InputStream getResourceAsStream(ClassLoader cl, String name) {
        InputStream ris;
        if (cl == null) {
            ris = ClassLoader.getSystemResourceAsStream(name);
        } else {
            ris = cl.getResourceAsStream(name);
        }
        return ris;
    }
    
    boolean getFileExists(File f) {
        return f.exists();
    }
    
    long getLastModified(File f) {
        return f.lastModified();
    }    
}
/*
 * Licensed to the Apache Software Foundation (ASF) under one
 * or more contributor license agreements. See the NOTICE file
 * distributed with this work for additional information
 * regarding copyright ownership. The ASF licenses this file
 * to you under the Apache License, Version 2.0 (the  "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
/*
 * $Id$
 */

/**
 * This class is duplicated for each Xalan-Java subpackage so keep it in sync.
 * It is package private and therefore is not exposed as part of the Xalan-Java
 * API.
 *
 * Security related methods that only work on J2SE 1.2 and newer.
 */
class SecuritySupport12 extends SecuritySupport {
    ClassLoader getContextClassLoader() {
        return (ClassLoader)
                AccessController.doPrivileged(new PrivilegedAction() {
            public Object run() {
                ClassLoader cl = null;
                try {
                    cl = Thread.currentThread().getContextClassLoader();
                } catch (SecurityException ex) { }
                return cl;
            }
        });
    }
    ClassLoader getSystemClassLoader() {
        return (ClassLoader)
            AccessController.doPrivileged(new PrivilegedAction() {
                public Object run() {
                    ClassLoader cl = null;
                    try {
                        cl = ClassLoader.getSystemClassLoader();
                    } catch (SecurityException ex) {}
                    return cl;
                }
            });
    }
    ClassLoader getParentClassLoader(final ClassLoader cl) {
        return (ClassLoader)
            AccessController.doPrivileged(new PrivilegedAction() {
                public Object run() {
                    ClassLoader parent = null;
                    try {
                        parent = cl.getParent();
                    } catch (SecurityException ex) {}
                    // eliminate loops in case of the boot
                    // ClassLoader returning itself as a parent
                    return (parent == cl) ? null : parent;
                }
            });
    }
    String getSystemProperty(final String propName) {
        return (String)
            AccessController.doPrivileged(new PrivilegedAction() {
                public Object run() {
                    return System.getProperty(propName);
                }
            });
    }
    FileInputStream getFileInputStream(final File file)
        throws FileNotFoundException
    {
        try {
            return (FileInputStream)
                AccessController.doPrivileged(new PrivilegedExceptionAction() {
                    public Object run() throws FileNotFoundException {
                        return new FileInputStream(file);
                    }
                });
        } catch (PrivilegedActionException e) {
            throw (FileNotFoundException)e.getException();
        }
    }
    InputStream getResourceAsStream(final ClassLoader cl,
                                           final String name)
    {
        return (InputStream)
            AccessController.doPrivileged(new PrivilegedAction() {
                public Object run() {
                    InputStream ris;
                    if (cl == null) {
                        ris = ClassLoader.getSystemResourceAsStream(name);
                    } else {
                        ris = cl.getResourceAsStream(name);
                    }
                    return ris;
                }
            });
    }
    
    boolean getFileExists(final File f) {
    return ((Boolean)
            AccessController.doPrivileged(new PrivilegedAction() {
                public Object run() {
                    return new Boolean(f.exists());
                }
            })).booleanValue();
    }
    
    long getLastModified(final File f) {
    return ((Long)
            AccessController.doPrivileged(new PrivilegedAction() {
                public Object run() {
                    return new Long(f.lastModified());
                }
            })).longValue();
    }
        
}





The security manager can be installed from the command line:

   
java -Djava.security.manager MyApp





Use SecurityManager to check AWT permission and file permission

    
import java.awt.AWTPermission;
import java.io.FilePermission;
public class MainClass {
  public static void main(String args[]) throws Exception {
    SecurityManager sm = System.getSecurityManager();
    if (sm != null) {
      FilePermission fp = new FilePermission("c:\\autoexec.bat", "read");
      sm.checkPermission(fp);
    }
    if (sm != null) {
      AWTPermission ap = new AWTPermission("accessClipboard");
      sm.checkPermission(ap);
    }
    System.out.println("Has AWTPermission to access AWT Clipboard");
  }
}