Security: Restrict internal access by third-party software


Problem description

I have a Java application in which third-party "plugins" can be loaded by users to enhance the user experience. An API exists for use by these plugins, but the third-party software should be restricted from access to internal application classes for purpose of security. The restricted package to plugins would be "com.example" and the allowed would be "com.example.api". The API classes do make calls to the internal, obfuscated classes.

After researching this, I came across a couple methods of SecurityManager: checkMemberAccess(Class, int) and checkPackageAccess(String), which both seemed to be viable paths to my goal. However, after doing some tests and further research, I have found that checkMemberAccess only applies to reflection calls, and checkPackageAccess is only called when a class loader invokes loadClass.

What is a reasonable way to restrict access to a package (com.example, but not com.example.api)?

Recommended answer

I suggest writing a custom class loader for the plugins, which hides the existence of the com.example package from classes loaded using that classloader. Usually class loaders delegate to their parent, but there are several implementations out in the wild which will do so only in part or not at all. I believe e.g. ant uses this technique. When loaded with such a class loader, any class linked against forbidden functionality would fail to load. Or if the implementation used lazy linking, and it did load successfully, it would still fail during execution of the forbidden code.

Having denied your plugins link-time access to the forbidden package, you can then use a SecurityManager to deny runtime access via reflection, and also to deny creation of a new class loader which might be used to circumvent yours.

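import java.net.URL;
import java.net.URLClassLoader;

class RestrictingClassLoader extends URLClassLoader {
  // URLClassLoader has no no-arg constructor: pass the plugin URLs and the parent loader.
  RestrictingClassLoader(URL[] urls, ClassLoader parent) {
    super(urls, parent);
  }

  @Override
  public Class<?> loadClass(String name) throws ClassNotFoundException {
    // Anything outside com.example, and the public API, is delegated as usual.
    if (!name.startsWith("com.example.") || name.startsWith("com.example.api."))
      return super.loadClass(name);
    // Internal packages: skip the parent and search only the plugin's own URLs.
    return findClass(name);
  }
}

class RestrictingSecurityManager extends SecurityManager {
  // True when any class on the current call stack was loaded by a plugin loader.
  private boolean isRestricted() {
    for (Class<?> cls: getClassContext())
      if (cls.getClassLoader() instanceof RestrictingClassLoader)
        return true;
    return false;
  }
  // Implement other checks based on isRestricted().
}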
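
The answer leaves the actual SecurityManager checks as a comment. One way to fill them in, as an added example that is not part of the original answer: the class name `PluginSecurityManager` and the choice to also block `setSecurityManager` are assumptions, and it targets a JDK where SecurityManager is still functional (it is deprecated for removal since Java 17).

```java
import java.lang.reflect.ReflectPermission;
import java.security.Permission;

// Hypothetical class name. Needs a JDK where SecurityManager still works.
public class PluginSecurityManager extends SecurityManager {
  private final Class<? extends ClassLoader> pluginLoaderType;
  // Pass the plugin loader class, e.g. RestrictingClassLoader.class.
  public PluginSecurityManager(Class<? extends ClassLoader> pluginLoaderType) {
    this.pluginLoaderType = pluginLoaderType;
  }

  // True when any class on the current call stack came from a plugin loader.
  private boolean isRestricted() {
    for (Class<?> cls : getClassContext())
      if (pluginLoaderType.isInstance(cls.getClassLoader()))
        return true;
    return false;
  }

  // com.example and its subpackages are internal, except com.example.api.
  static boolean isInternalPackage(String pkg) {
    String p = pkg + ".";
    return p.startsWith("com.example.") && !p.startsWith("com.example.api.");
  }

  // Classify by permission first, so unrelated checks (including the
  // "getClassLoader" check that isRestricted() can trigger) never recurse.
  static boolean isSensitive(Permission perm) {
    String name = perm.getName();
    return (perm instanceof ReflectPermission && name.equals("suppressAccessChecks"))
        || (perm instanceof RuntimePermission
            && (name.equals("createClassLoader") || name.equals("setSecurityManager")));
  }

  @Override
  public void checkPermission(Permission perm) {
    if (isSensitive(perm) && isRestricted())
      throw new SecurityException("denied to plugin code: " + perm);
  }

  @Override
  public void checkPermission(Permission perm, Object context) { checkPermission(perm); }
  @Override
  public void checkPackageAccess(String pkg) {
    if (isInternalPackage(pkg) && isRestricted())
      throw new SecurityException("plugin access to " + pkg);
    super.checkPackageAccess(pkg);
  }
}
```

The host installs it with `System.setSecurityManager(new PluginSecurityManager(RestrictingClassLoader.class))` before loading any plugin. Because the stack walk ignores `doPrivileged`, JDK code that uses `setAccessible` on a plugin's behalf is denied as well, so test the JDK features your plugins rely on.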
