Java Language
Sicherheitsmanager
Suche…
Aktivieren des SecurityManagers
Java Virtual Machines (JVMs) können mit einem installierten SecurityManager ausgeführt werden. Der SecurityManager legt fest, welche Aufgaben der in der JVM ausgeführte Code ausführen darf. Dies hängt von Faktoren ab, von denen der Code geladen wurde und aus welchen Zertifikaten der Code signiert wurde.
Der SecurityManager kann installiert werden, indem beim Starten der JVM die Systemeigenschaft java.security.manager in der Befehlszeile festgelegt wird:
java -Djava.security.manager <main class name>
oder programmgesteuert aus Java-Code heraus:
System.setSecurityManager(new SecurityManager())
Der Standard-Java SecurityManager erteilt Berechtigungen auf der Grundlage einer Richtlinie, die in einer Richtliniendatei definiert ist. Wenn keine Richtliniendatei angegeben ist, wird die Standardrichtliniendatei unter $JAVA_HOME/lib/security/java.policy
verwendet.
Sandboxing-Klassen, die von einem ClassLoader geladen werden
Der ClassLoader muss eine ProtectionDomain
bereitstellen, die die Quelle des Codes identifiziert:
public class PluginClassLoader extends ClassLoader {
private final ClassProvider provider;
private final ProtectionDomain pd;
public PluginClassLoader(ClassProvider provider) {
this.provider = provider;
Permissions permissions = new Permissions();
this.pd = new ProtectionDomain(provider.getCodeSource(), permissions, this, null);
}
@Override
protected Class<?> findClass(String name) throws ClassNotFoundException {
byte[] classDef = provider.getClass(name);
Class<?> clazz = defineClass(name, classDef, 0, classDef.length, pd);
return clazz;
}
}
Durch das Überschreiben von findClass
anstelle von loadClass
das Delegationsmodell beibehalten. Der PluginClassLoader fragt zunächst das System und den übergeordneten Classloader nach Klassendefinitionen ab.
Erstellen Sie eine Richtlinie:
public class PluginSecurityPolicy extends Policy {
private final Permissions appPermissions = new Permissions();
private final Permissions pluginPermissions = new Permissions();
public PluginSecurityPolicy() {
// amend this as appropriate
appPermissions.add(new AllPermission());
// add any permissions plugins should have to pluginPermissions
}
@Override
public Provider getProvider() {
return super.getProvider();
}
@Override
public String getType() {
return super.getType();
}
@Override
public Parameters getParameters() {
return super.getParameters();
}
@Override
public PermissionCollection getPermissions(CodeSource codesource) {
return new Permissions();
}
@Override
public PermissionCollection getPermissions(ProtectionDomain domain) {
return isPlugin(domain)?pluginPermissions:appPermissions;
}
private boolean isPlugin(ProtectionDomain pd){
return pd.getClassLoader() instanceof PluginClassLoader;
}
}
Legen Sie abschließend die Richtlinie und einen SecurityManager fest (Standardimplementierung ist in Ordnung):
Policy.setPolicy(new PluginSecurityPolicy());
System.setSecurityManager(new SecurityManager());
Regeln zum Verweigern von Richtlinien implementieren
Es ist gelegentlich wünschenswert , einer bestimmten ProtectionDomain
eine bestimmte Permission
zu verweigern , unabhängig von anderen Berechtigungen, die von der Domäne angefordert werden. Dieses Beispiel zeigt nur einen möglichen Ansatz, um diese Anforderung zu erfüllen. Sie führt eine „negative“ Berechtigungsklasse, zusammen mit einem Wrapper, der die Standard ermöglicht Policy
als Repository solcher Berechtigungen wiederverwendet werden.
Anmerkungen:
- Die standardmäßige Richtliniendatei-Syntax und der Mechanismus für die Zuweisung von Berechtigungen im Allgemeinen bleiben hiervon unberührt. Dies bedeutet, dass Ablehnungsregeln in Richtliniendateien immer noch als Zuschüsse ausgedrückt werden.
- Der Richtlinien-Wrapper soll die standardmäßige, dateibasierte
Policy
(die alscom.sun.security.provider.PolicyFile
) spezifisch kapseln. - Verweigerte Berechtigungen werden nur auf Richtlinienebene als solche verarbeitet. Wenn Sie einer Domäne statisch zugewiesen sind, werden sie standardmäßig von dieser Domäne als normale "positive" Berechtigungen behandelt.
Die DeniedPermission
Klasse
package com.example;
import java.lang.reflect.Constructor;
import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Modifier;
import java.security.BasicPermission;
import java.security.Permission;
import java.security.UnresolvedPermission;
import java.text.MessageFormat;
/**
* A representation of a "negative" privilege.
* <p>
* A <code>DeniedPermission</code>, when "granted" (to some <code>ProtectionDomain</code> and/or
* <code>Principal</code>), represents a privilege which <em>cannot</em> be exercised, regardless of
* any positive permissions (<code>AllPermission</code> included) possessed. In other words, if a
* set of granted permissions, <em>P</em>, contains a permission of this class, <em>D</em>, then the
* set of effectively granted permissions is<br/>
* <br/>
* <em>{ P<sub>implied</sub> - D<sub>implied</sub> }</em>.
* </p>
* <p>
* Each instance of this class encapsulates a <em>target permission</em>, representing the
* "positive" permission being denied.
* </p>
* Denied permissions employ the following naming scheme:<br/>
* <br/>
* <em><target_class_name>:<target_name>(:<target_actions>)</em><br/>
* <br/>
* where:
* <ul>
* <li><em>target_class_name</em> is the name of the target permission's class,</li>
* <li><em>target_name</em> is the name of the target permission, and</li>
* <li><em>target_actions</em> is, optionally, the actions string of the target permission.</li>
* </ul>
* A denied permission, having a target permission <em>t</em>, is said to <em>imply</em> another
* permission <em>p</em>, if:
* <ul>
* <li>p <em>is not</em> itself a denied permission, and <code>(t.implies(p) == true)</code>,
* or</li>
* <li>p <em>is</em> a denied permission, with a target <em>t1</em>, and
* <code>(t.implies(t1) == true)</code>.
* </ul>
* <p>
* It is the responsibility of the policy decision point (e.g., the <code>Policy</code> provider) to
* take denied permission semantics into account when issuing authorization statements.
* </p>
*/
public final class DeniedPermission extends BasicPermission {
private final Permission target;
private static final long serialVersionUID = 473625163869800679L;
/**
* Instantiates a <code>DeniedPermission</code> that encapsulates a target permission of the
* indicated class, specified name and, optionally, actions.
*
* @throws IllegalArgumentException
* if:
* <ul>
* <li><code>targetClassName</code> is <code>null</code>, the empty string, does not
* refer to a concrete <code>Permission</code> descendant, or refers to
* <code>DeniedPermission.class</code> or <code>UnresolvedPermission.class</code>.</li>
* <li><code>targetName</code> is <code>null</code>.</li>
* <li><code>targetClassName</code> cannot be instantiated, and it's the caller's fault;
* e.g., because <code>targetName</code> and/or <code>targetActions</code> do not adhere
* to the naming constraints of the target class; or due to the target class not
* exposing a <code>(String name)</code>, or <code>(String name, String actions)</code>
* constructor, depending on whether <code>targetActions</code> is <code>null</code> or
* not.</li>
* </ul>
*/
public static DeniedPermission newDeniedPermission(String targetClassName, String targetName,
String targetActions) {
if (targetClassName == null || targetClassName.trim().isEmpty() || targetName == null) {
throw new IllegalArgumentException(
"Null or empty [targetClassName], or null [targetName] argument was supplied.");
}
StringBuilder sb = new StringBuilder(targetClassName).append(":").append(targetName);
if (targetName != null) {
sb.append(":").append(targetName);
}
return new DeniedPermission(sb.toString());
}
/**
* Instantiates a <code>DeniedPermission</code> that encapsulates a target permission of the class,
* name and, optionally, actions, collectively provided as the <code>name</code> argument.
*
* @throws IllegalArgumentException
* if:
* <ul>
* <li><code>name</code>'s target permission class name component is empty, does not
* refer to a concrete <code>Permission</code> descendant, or refers to
* <code>DeniedPermission.class</code> or <code>UnresolvedPermission.class</code>.</li>
* <li><code>name</code>'s target name component is <code>empty</code></li>
* <li>the target permission class cannot be instantiated, and it's the caller's fault;
* e.g., because <code>name</code>'s target name and/or target actions component(s) do
* not adhere to the naming constraints of the target class; or due to the target class
* not exposing a <code>(String name)</code>, or
* <code>(String name, String actions)</code> constructor, depending on whether the
* target actions component is empty or not.</li>
* </ul>
*/
public DeniedPermission(String name) {
super(name);
String[] comps = name.split(":");
if (comps.length < 2) {
throw new IllegalArgumentException(MessageFormat.format("Malformed name [{0}] argument.", name));
}
this.target = initTarget(comps[0], comps[1], ((comps.length < 3) ? null : comps[2]));
}
/**
* Instantiates a <code>DeniedPermission</code> that encapsulates the given target permission.
*
* @throws IllegalArgumentException
* if <code>target</code> is <code>null</code>, a <code>DeniedPermission</code>, or an
* <code>UnresolvedPermission</code>.
*/
public static DeniedPermission newDeniedPermission(Permission target) {
if (target == null) {
throw new IllegalArgumentException("Null [target] argument.");
}
if (target instanceof DeniedPermission || target instanceof UnresolvedPermission) {
throw new IllegalArgumentException("[target] must not be a DeniedPermission or an UnresolvedPermission.");
}
StringBuilder sb = new StringBuilder(target.getClass().getName()).append(":").append(target.getName());
String targetActions = target.getActions();
if (targetActions != null) {
sb.append(":").append(targetActions);
}
return new DeniedPermission(sb.toString(), target);
}
private DeniedPermission(String name, Permission target) {
super(name);
this.target = target;
}
private Permission initTarget(String targetClassName, String targetName, String targetActions) {
Class<?> targetClass;
try {
targetClass = Class.forName(targetClassName);
}
catch (ClassNotFoundException cnfe) {
if (targetClassName.trim().isEmpty()) {
targetClassName = "<empty>";
}
throw new IllegalArgumentException(
MessageFormat.format("Target Permission class [{0}] not found.", targetClassName));
}
if (!Permission.class.isAssignableFrom(targetClass) || Modifier.isAbstract(targetClass.getModifiers())) {
throw new IllegalArgumentException(MessageFormat
.format("Target Permission class [{0}] is not a (concrete) Permission.", targetClassName));
}
if (targetClass == DeniedPermission.class || targetClass == UnresolvedPermission.class) {
throw new IllegalArgumentException("Target Permission class cannot be a DeniedPermission itself.");
}
Constructor<?> targetCtor;
try {
if (targetActions == null) {
targetCtor = targetClass.getConstructor(String.class);
}
else {
targetCtor = targetClass.getConstructor(String.class, String.class);
}
}
catch (NoSuchMethodException nsme) {
throw new IllegalArgumentException(MessageFormat.format(
"Target Permission class [{0}] does not provide or expose a (String name) or (String name, String actions) constructor.",
targetClassName));
}
try {
return (Permission) targetCtor
.newInstance(((targetCtor.getParameterCount() == 1) ? new Object[] { targetName }
: new Object[] { targetName, targetActions }));
}
catch (ReflectiveOperationException roe) {
if (roe instanceof InvocationTargetException) {
if (targetName == null) {
targetName = "<null>";
}
else if (targetName.trim().isEmpty()) {
targetName = "<empty>";
}
if (targetActions == null) {
targetActions = "<null>";
}
else if (targetActions.trim().isEmpty()) {
targetActions = "<empty>";
}
throw new IllegalArgumentException(MessageFormat.format(
"Could not instantiate target Permission class [{0}]; provided target name [{1}] and/or target actions [{2}] potentially erroneous.",
targetClassName, targetName, targetActions), roe);
}
throw new RuntimeException(
"Could not instantiate target Permission class [{0}]; an unforeseen error occurred - see attached cause for details",
roe);
}
}
/**
* Checks whether the given permission is implied by this one, as per the {@link DeniedPermission
* overview}.
*/
@Override
public boolean implies(Permission p) {
if (p instanceof DeniedPermission) {
return target.implies(((DeniedPermission) p).target);
}
return target.implies(p);
}
/**
* Returns this denied permission's target permission (the actual positive permission which is not
* to be granted).
*/
public Permission getTargetPermission() {
return target;
}
}
Die DenyingPolicy
Klasse
package com.example;
import java.security.CodeSource;
import java.security.NoSuchAlgorithmException;
import java.security.Permission;
import java.security.PermissionCollection;
import java.security.Policy;
import java.security.ProtectionDomain;
import java.security.UnresolvedPermission;
import java.util.Enumeration;
/**
* Wrapper that adds rudimentary {@link DeniedPermission} processing capabilities to the standard
* file-backed <code>Policy</code>.
*/
public final class DenyingPolicy extends Policy {
{
try {
defaultPolicy = Policy.getInstance("javaPolicy", null);
}
catch (NoSuchAlgorithmException nsae) {
throw new RuntimeException("Could not acquire default Policy.", nsae);
}
}
private final Policy defaultPolicy;
@Override
public PermissionCollection getPermissions(CodeSource codesource) {
return defaultPolicy.getPermissions(codesource);
}
@Override
public PermissionCollection getPermissions(ProtectionDomain domain) {
return defaultPolicy.getPermissions(domain);
}
/**
* @return
* <ul>
* <li><code>true</code> if:</li>
* <ul>
* <li><code>permission</code> <em>is not</em> an instance of
* <code>DeniedPermission</code>,</li>
* <li>an <code>implies(domain, permission)</code> invocation on the system-default
* <code>Policy</code> yields <code>true</code>, and</li>
* <li><code>permission</code> <em>is not</em> implied by any <code>DeniedPermission</code>s
* having potentially been assigned to <code>domain</code>.</li>
* </ul>
* <li><code>false</code>, otherwise.
* </ul>
*/
@Override
public boolean implies(ProtectionDomain domain, Permission permission) {
if (permission instanceof DeniedPermission) {
/*
* At the policy decision level, DeniedPermissions can only themselves imply, not be implied (as
* they take away, rather than grant, privileges). Furthermore, clients aren't supposed to use this
* method for checking whether some domain _does not_ have a permission (which is what
* DeniedPermissions express after all).
*/
return false;
}
if (!defaultPolicy.implies(domain, permission)) {
// permission not granted, so no need to check whether denied
return false;
}
/*
* Permission granted--now check whether there's an overriding DeniedPermission. The following
* assumes that previousPolicy is a sun.security.provider.PolicyFile (different implementations
* might not support #getPermissions(ProtectionDomain) and/or handle UnresolvedPermissions
* differently).
*/
Enumeration<Permission> perms = defaultPolicy.getPermissions(domain).elements();
while (perms.hasMoreElements()) {
Permission p = perms.nextElement();
/*
* DeniedPermissions will generally remain unresolved, as no code is expected to check whether other
* code has been "granted" such a permission.
*/
if (p instanceof UnresolvedPermission) {
UnresolvedPermission up = (UnresolvedPermission) p;
if (up.getUnresolvedType().equals(DeniedPermission.class.getName())) {
// force resolution
defaultPolicy.implies(domain, up);
// evaluate right away, to avoid reiterating over the collection
p = new DeniedPermission(up.getUnresolvedName());
}
}
if (p instanceof DeniedPermission && p.implies(permission)) {
// permission denied
return false;
}
}
// permission granted
return true;
}
@Override
public void refresh() {
defaultPolicy.refresh();
}
}
Demo
package com.example;
import java.security.Policy;
public class Main {
public static void main(String... args) {
Policy.setPolicy(new DenyingPolicy());
System.setSecurityManager(new SecurityManager());
// should fail
System.getProperty("foo.bar");
}
}
Weisen Sie einige Berechtigungen zu:
grant codeBase "file:///path/to/classes/bin/-"
permission java.util.PropertyPermission "*", "read,write";
permission com.example.DeniedPermission "java.util.PropertyPermission:foo.bar:read";
};
Führen Sie zuletzt den Main
und beobachten Sie, wie er aufgrund der "deny" DeniedPermission
( DeniedPermission
), die den grant
(seine PropertyPermission
) überschreibt, DeniedPermission
. Beachten Sie, dass ein setProperty("foo.baz", "xyz")
stattdessen erfolgreich war, da die verweigerte Berechtigung nur die Aktion "Lesen" und nur für die Eigenschaft "foo.bar" umfasst.