我可以通过配置java.policy文件来拒绝对jvm类的访问吗? [英] Can i deny access to a jvm class by configuring java.policy file?
问题描述
我想添加到我的 jdk6 \jre\lib\security\java.policy 文件中,创建一些被appengine列入黑名单的类。例如,我希望我的本地jvm在应用程序尝试实例化 javax.naming.NamingException 时抛出异常。
这是可能的吗?
我会在这里解释我的具体问题。 Google提供的服务(GAE-google应用程序引擎)对哪些类可以使用有一些限制。例如,不会实例化javax.naming包中的JNDI类。他们还提供了一个测试服务器,可以用来在我的机器上测试这个应用程序,但是这个服务器允许这样的类并且可以代码清晰。只有在将应用程序上传到Google后,才会发现您使用了黑名单课程。我在想如果这样的类黑名单强制执行不能在开发jvm上完成。否则我认为这很容易,他们可能已经提供了这样一个策略文件。
您可以编写一个小型装载程序应用程序创建一个新的自定义类加载器。然后,您的应用程序类可以使用这个类加载器加载。在自定义类加载器中,当应用程序尝试访问您想要加入的类时,您可以抛出ClassNotFoundException。
您需要重载load()方法。如果类允许,这个方法将负责在列入黑名单的类上抛出异常或者转到父类加载器。示例实现:
public class loadClass(String name)引发ClassNotFoundException {
if(name.equals(javax .lang.ClassIDontLike)){
抛出新的ClassNotFoundException(对不起,戴夫,我怕我不能那样做。);
}
返回super.loadClass(name,false);
$ / code> (当然,真正的实现可能比这更复杂)
由于您的应用程序的类是通过此类加载器加载的,并且您只是在需要时将loadClass()调用委托给父类加载器,所以可以将任何类您需要。
我非常确定这是Google用来在其服务器中将类加入黑名单的方法。它们加载特定类加载器中的每个应用程序。这也与Tomcat隔离不同Web应用程序的方式类似。
I wanted to add to my jdk6\jre\lib\security\java.policy file an interdiction to create some classes that are blacklisted by appengine. For example I want my local jvm to throw an exception when the application tries to instantiate javax.naming.NamingException.
It is possible?
I will try to explain my specific problem here. Google offers an service (GAE-google app engine) that has some limitations on what classes can be used. For example doesn't instantiate JNDI classes that are in javax.naming package. They also offer an testing server that can be used to tests this application on my machine, but this server allows such classes and can exacute the code. You find out that you used a blacklisted class only after you upload your application to google. I was thinking if such class blacklist enforcement couldn't be done on the development jvm. Else i'm thinking that this would be easy they might already provide such a policy file.
You could write a small loader application that creates a new, custom classloader. Your application classes could then be loaded using this classloader.
In the custom classloader, you can then throw ClassNotFoundException when your application tries to access a class that you want to blacklist.
You will need to overload the load() method. This method will be responsible for throwing the exception on your blacklisted classes ordelegating to the parent Classloader if the class is allowed. A sample implementation:
public Class loadClass(String name) throws ClassNotFoundException {
if(name.equals("javax.lang.ClassIDontLike")){
throw new ClassNotFoundException("I'm sorry, Dave. I'm afraid I can't do that.");
}
return super.loadClass(name, false);
}
(Of course, a real implementation can be way more sophisticated than this)
Because the classes of your application are loaded through this Classloader, and you are only delegating the loadClass() invokations to the parent classloader when you want to, you can blacklist any classes that you need.
I am pretty sure that this is the method that Google uses to blacklist classes in their server. They load every app in a specific Classloader. This is also similar to the way that Tomcat isolates the different Web Applications.
这篇关于我可以通过配置java.policy文件来拒绝对jvm类的访问吗?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
