Java/Security/SecurityManager
Версия от 18:01, 31 мая 2010; (обсуждение)
Содержание
Enabling the Security Manager
public class Main {
public static void main(String[] argv) throws Exception {
System.setProperty("java.version", "data");
try {
SecurityManager sm = new SecurityManager();
System.setSecurityManager(sm);
} catch (SecurityException se) {
se.printStackTrace();
}
// no longer possible; an AccessControlException is thrown
System.setProperty("java.version", "malicious data");
}
}
/*Exception in thread "main" java.security.AccessControlException: access denied (java.util.PropertyPermission java.version write)
at java.security.AccessControlContext.checkPermission(AccessControlContext.java:323)
at java.security.AccessController.checkPermission(AccessController.java:546)
at java.lang.SecurityManager.checkPermission(SecurityManager.java:532)
at java.lang.System.setProperty(System.java:727)
at Main.main(Main.java:13)
*/
extends SecurityManager
import java.io.IOException;
public class MainClass {
public static void main(String args[]) throws IOException {
System.setSecurityManager(new MySecurityManager());
}
}
class MySecurityManager extends SecurityManager {
public void checkRead(String file) {
if (!(file.endsWith(".txt")) && !(file.endsWith(".java")) && !(file.endsWith(".class"))
&& !(file.startsWith("C:\\"))) {
throw new SecurityException("No Read Permission for : " + file);
}
}
}
Listing All Permissions Granted to Classes Loaded from a URL or Directory
import java.io.File;
import java.net.URL;
import java.security.CodeSource;
import java.security.Permission;
import java.security.PermissionCollection;
import java.security.Policy;
import java.security.cert.Certificate;
import java.util.Enumeration;
public class Main {
public static void main(String[] argv) throws Exception {
SecurityManager sm = new SecurityManager();
System.setSecurityManager(sm);
URL codebase = new URL("http://java.sun.ru/");
codebase = new File("c:\\java\\").toURI().toURL();
codebase = new File(System.getProperty("user.home")).toURI().toURL();
CodeSource cs = new CodeSource(codebase, (Certificate[])null);
PermissionCollection pcoll = Policy.getPolicy().getPermissions(cs);
Enumeration e = pcoll.elements();
for (; e.hasMoreElements();) {
Permission p = (Permission) e.nextElement();
}
}
}
Security Support
/*
* Licensed to the Apache Software Foundation (ASF) under one
* or more contributor license agreements. See the NOTICE file
* distributed with this work for additional information
* regarding copyright ownership. The ASF licenses this file
* to you under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
/*
* $Id$
*/
import java.io.File;
import java.io.FileInputStream;
import java.io.FileNotFoundException;
import java.io.InputStream;
import java.security.AccessController;
import java.security.PrivilegedAction;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
/**
* This class is duplicated for each Xalan-Java subpackage so keep it in sync.
* It is package private and therefore is not exposed as part of the Xalan-Java
* API.
*
* Base class with security related methods that work on JDK 1.1.
*/
class SecuritySupport {
/*
* Make this of type Object so that the verifier won"t try to
* prove its type, thus possibly trying to load the SecuritySupport12
* class.
*/
private static final Object securitySupport;
static {
SecuritySupport ss = null;
try {
Class c = Class.forName("java.security.AccessController");
// if that worked, we"re on 1.2.
/*
// don"t reference the class explicitly so it doesn"t
// get dragged in accidentally.
c = Class.forName("javax.mail.SecuritySupport12");
Constructor cons = c.getConstructor(new Class[] { });
ss = (SecuritySupport)cons.newInstance(new Object[] { });
*/
/*
* Unfortunately, we can"t load the class using reflection
* because the class is package private. And the class has
* to be package private so the APIs aren"t exposed to other
* code that could use them to circumvent security. Thus,
* we accept the risk that the direct reference might fail
* on some JDK 1.1 JVMs, even though we would never execute
* this code in such a case. Sigh...
*/
ss = new SecuritySupport12();
} catch (Exception ex) {
// ignore it
} finally {
if (ss == null)
ss = new SecuritySupport();
securitySupport = ss;
}
}
/**
* Return an appropriate instance of this class, depending on whether
* we"re on a JDK 1.1 or J2SE 1.2 (or later) system.
*/
static SecuritySupport getInstance() {
return (SecuritySupport)securitySupport;
}
ClassLoader getContextClassLoader() {
return null;
}
ClassLoader getSystemClassLoader() {
return null;
}
ClassLoader getParentClassLoader(ClassLoader cl) {
return null;
}
String getSystemProperty(String propName) {
return System.getProperty(propName);
}
FileInputStream getFileInputStream(File file)
throws FileNotFoundException
{
return new FileInputStream(file);
}
InputStream getResourceAsStream(ClassLoader cl, String name) {
InputStream ris;
if (cl == null) {
ris = ClassLoader.getSystemResourceAsStream(name);
} else {
ris = cl.getResourceAsStream(name);
}
return ris;
}
boolean getFileExists(File f) {
return f.exists();
}
long getLastModified(File f) {
return f.lastModified();
}
}
/*
* Licensed to the Apache Software Foundation (ASF) under one
* or more contributor license agreements. See the NOTICE file
* distributed with this work for additional information
* regarding copyright ownership. The ASF licenses this file
* to you under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
/*
* $Id$
*/
/**
* This class is duplicated for each Xalan-Java subpackage so keep it in sync.
* It is package private and therefore is not exposed as part of the Xalan-Java
* API.
*
* Security related methods that only work on J2SE 1.2 and newer.
*/
class SecuritySupport12 extends SecuritySupport {
ClassLoader getContextClassLoader() {
return (ClassLoader)
AccessController.doPrivileged(new PrivilegedAction() {
public Object run() {
ClassLoader cl = null;
try {
cl = Thread.currentThread().getContextClassLoader();
} catch (SecurityException ex) { }
return cl;
}
});
}
ClassLoader getSystemClassLoader() {
return (ClassLoader)
AccessController.doPrivileged(new PrivilegedAction() {
public Object run() {
ClassLoader cl = null;
try {
cl = ClassLoader.getSystemClassLoader();
} catch (SecurityException ex) {}
return cl;
}
});
}
ClassLoader getParentClassLoader(final ClassLoader cl) {
return (ClassLoader)
AccessController.doPrivileged(new PrivilegedAction() {
public Object run() {
ClassLoader parent = null;
try {
parent = cl.getParent();
} catch (SecurityException ex) {}
// eliminate loops in case of the boot
// ClassLoader returning itself as a parent
return (parent == cl) ? null : parent;
}
});
}
String getSystemProperty(final String propName) {
return (String)
AccessController.doPrivileged(new PrivilegedAction() {
public Object run() {
return System.getProperty(propName);
}
});
}
FileInputStream getFileInputStream(final File file)
throws FileNotFoundException
{
try {
return (FileInputStream)
AccessController.doPrivileged(new PrivilegedExceptionAction() {
public Object run() throws FileNotFoundException {
return new FileInputStream(file);
}
});
} catch (PrivilegedActionException e) {
throw (FileNotFoundException)e.getException();
}
}
InputStream getResourceAsStream(final ClassLoader cl,
final String name)
{
return (InputStream)
AccessController.doPrivileged(new PrivilegedAction() {
public Object run() {
InputStream ris;
if (cl == null) {
ris = ClassLoader.getSystemResourceAsStream(name);
} else {
ris = cl.getResourceAsStream(name);
}
return ris;
}
});
}
boolean getFileExists(final File f) {
return ((Boolean)
AccessController.doPrivileged(new PrivilegedAction() {
public Object run() {
return new Boolean(f.exists());
}
})).booleanValue();
}
long getLastModified(final File f) {
return ((Long)
AccessController.doPrivileged(new PrivilegedAction() {
public Object run() {
return new Long(f.lastModified());
}
})).longValue();
}
}
The security manager can be installed from the command line:
java -Djava.security.manager MyApp
Use SecurityManager to check AWT permission and file permission
import java.awt.AWTPermission;
import java.io.FilePermission;
public class MainClass {
public static void main(String args[]) throws Exception {
SecurityManager sm = System.getSecurityManager();
if (sm != null) {
FilePermission fp = new FilePermission("c:\\autoexec.bat", "read");
sm.checkPermission(fp);
}
if (sm != null) {
AWTPermission ap = new AWTPermission("accessClipboard");
sm.checkPermission(ap);
}
System.out.println("Has AWTPermission to access AWT Clipboard");
}
}