1
这个问题是对my previous question about unusual exceptions generated by a custom security manager.的一个跟进。在高层次上,我有兴趣构建一个运行可信代码和非可信代码的应用程序。我最初的想法是建立一个不允许大多数操作运行的自定义SecurityManager。这导致了不寻常的行为,在16次调用之后,可信反射代码实例化不可信对象失败。为什么这个看似等价的SecurityManager代码会导致虚假异常?
我重写了代码,以便代替使用自定义SecurityManager来处理此问题,而是创建一个新的保护域,其中运行不受信任的代码,然后从该不受信任的代码剥离权限。这个新的代码如下所示:
import java.io.FilePermission;
import java.lang.reflect.*;
import java.security.*;
public class Main {
/* Track how many instances have been created so that we can see when the exception
* is thrown.
*/
private static int numInstances = 0;
public Main() {
System.out.println("Number created: " + ++numInstances);
}
/* Utility function that returns a Constructor object for main. */
private static Constructor<Main> getCtor() {
try {
return Main.class.getConstructor();
} catch (NoSuchMethodException e) {
e.printStackTrace();
System.exit(-1);
return null; // Unreachable, needed to appease compiler.
}
}
/* Utility function that creates an AccessControlContext that only has file
* read permissions.
*/
private static AccessControlContext getContext() {
CodeSource c = new CodeSource(null, (java.security.cert.Certificate[])null);
Permissions permissions = new Permissions();
/* Grant specific permission to read files. This is necessary, since otherwise the
* class loader can't read classes from disk.
*/
permissions.add(new FilePermission("*", "read"));
/* Construct an AccessControlContext from these permissions. */
return new AccessControlContext(new ProtectionDomain[] {new ProtectionDomain(c, permissions)});
}
public static void main(String[] args) {
/* Get a very restrictive AccessControlContext that does not allow for anything to run. */
AccessControlContext noPermissions = getContext();
/* Install a standard security manager to enable security. */
System.setSecurityManager(new SecurityManager());
/* Sit in an infinite loop using reflection to create Main objects. This code is
* run in a context where its only permissions are file reading.
*/
AccessController.doPrivileged(new PrivilegedAction<Void>() {
@Override
public Void run() {
/* Continuously create new Main objects. */
Constructor<Main> ctor = getCtor();
try {
while (true) {
ctor.newInstance();
}
} catch (Exception e) {
e.printStackTrace();
return null;
}
}
}, noPermissions);
}
}
此代码现在工作完全正常 - 它构造各种Main对象不用任何麻烦。
我很困惑的是以下内容。为了让AccessController有任何牙齿,我们需要打开安全管理器。我通过调用
/* Install a standard security manager to enable security. */
System.setSecurityManager(new SecurityManager());
现在做这个,假设我改变了这个从默认SecurityManager这个定制SecurityManager:
/* Install a standard security manager to enable security. */
System.setSecurityManager(new SecurityManager() {
@Override
public void checkPermission(Permission p) {
/* Log the permission. */
System.out.println("Checking " + p);
super.checkPermission(p);
}
});
这SecurityManager等同于前,除了它记录发生在什么会检查权限,然后将请求转发到默认SecurityManager。
如果我有这样的变化和运行程序,我现在得到相同的行为之前:
Checking ("java.io.FilePermission" "/home/keith/Documents/secret-eclipse-workspace/Security Manager Test/bin/Main$2.class" "read")
Checking ("java.io.FilePermission" "/home/keith/Documents/secret-eclipse-workspace/Security Manager Test/bin/Main$2.class" "read")
Checking ("java.io.FilePermission" "/home/keith/Documents/secret-eclipse-workspace/Security Manager Test/bin/Main$2.class" "read")
Number created: 1
Number created: 2
Number created: 3
Number created: 4
Number created: 5
Number created: 6
Number created: 7
Number created: 8
Number created: 9
Number created: 10
Number created: 11
Number created: 12
Number created: 13
Number created: 14
Number created: 15
Checking ("java.lang.RuntimePermission" "createClassLoader")
java.security.AccessControlException: access denied ("java.lang.RuntimePermission" "createClassLoader")
at java.security.AccessControlContext.checkPermission(AccessControlContext.java:372)
at java.security.AccessController.checkPermission(AccessController.java:559)
at java.lang.SecurityManager.checkPermission(SecurityManager.java:549)
at Main$1.checkPermission(Main.java:51)
at java.lang.SecurityManager.checkCreateClassLoader(SecurityManager.java:611)
at java.lang.ClassLoader.checkCreateClassLoader(ClassLoader.java:274)
at java.lang.ClassLoader.<init>(ClassLoader.java:316)
at sun.reflect.DelegatingClassLoader.<init>(ClassDefiner.java:72)
at sun.reflect.ClassDefiner$1.run(ClassDefiner.java:60)
at sun.reflect.ClassDefiner$1.run(ClassDefiner.java:58)
at java.security.AccessController.doPrivileged(Native Method)
at sun.reflect.ClassDefiner.defineClass(ClassDefiner.java:57)
at sun.reflect.MethodAccessorGenerator$1.run(MethodAccessorGenerator.java:399)
at sun.reflect.MethodAccessorGenerator$1.run(MethodAccessorGenerator.java:396)
at java.security.AccessController.doPrivileged(Native Method)
at sun.reflect.MethodAccessorGenerator.generate(MethodAccessorGenerator.java:395)
at sun.reflect.MethodAccessorGenerator.generateConstructor(MethodAccessorGenerator.java:94)
at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:48)
at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
at java.lang.reflect.Constructor.newInstance(Constructor.java:526)
at Main$2.run(Main.java:65)
at Main$2.run(Main.java:1)
at java.security.AccessController.doPrivileged(Native Method)
at Main.main(Main.java:58)
为什么我之前使用这个自定义SecurityManager后得到不同的行为?我不明白为什么这些程序会在这些情况下产生不同的结果,因为在这两种情况下,默认SecurityManager是实际进行所有安全检查的那个。
谢谢!
谢谢!我将如何使该代码可信?或者我应该寻找一种完全不同的方法? – templatetypedef
@templatetypedef通常,您将在策略文件中授予代码库java.security.AllPermission。 –