基于安全策略限制动态加载的类和 jar [英] Restricting dynamically loaded classes and jars based on a security policy

问题描述

我想动态加载一组 jar 或类(即在运行时加载的插件).同时，我想限制这些插件能够在 JVM 中执行的操作.对于测试用例，我想将它们限制为几乎所有内容(现在我只允许读取一个 System.getProperty 值).

I would like to dynamically load a set of jars or classes (i.e. plugins loaded at runtime). At the same time, I would like to restrict what these plugins are able to do in the JVM. For a test case, I would like to restrict them to pretty much everything (right now I'm just allowing one System.getProperty value to be read).

我目前正在使用一个安全策略文件，但我无法为我的代码库中的一个文件夹或包指定策略，而不能为另一个文件夹或包指定策略.

I am currently using a security policy file, but I'm having difficulty specifying a policy for one folder or package in my codeBase, but not another.

以下是我的政策现在的样子:

Here is how my policy looks now:

grant codeBase "file:/home/max/programming/java/plugin/plugins/" {
    permission java.util.PropertyPermission "java.version", "read";
};
grant codeBase "file:/home/max/programming/java/plugin/api/" {
    permission java.security.AllPermission;
};

where(为了测试目的)，plugins包和文件夹中的所有文件都受到限制，但api文件夹中的类则不受限制.这可能吗?我是否必须创建自定义类加载器?有没有更好的方法来做到这一点?

Where (for testing purposes), all files in the plugins package and folder are restricted, but the classes in the api folder are not. Is this possible? Do I have to create a custom class loader? Is there a better way to go about doing this?

谢谢.

推荐答案

这个答案解决了我的问题:针对 Java 应用程序中恶意代码的沙箱

This answer solved my problems: Sandbox against malicious code in a Java application

这篇关于基于安全策略限制动态加载的类和 jar的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！