Does AccessController.doPrivileged give JavaScript threads the permissions of the signed Applet?


Question

I'm looking at a signed Applet that is heavily called from JavaScript. Obviously, the threads that originate from JavaScript are more heavily sandboxed than any thread started directly from within Java. For example, if a JavaScript thread calls into the Applet and logs something that causes the log file to roll, a security exception is thrown. Any thread started directly within the Applet will not experience this security exception. The solution here with log4j is to use the asynchronous appender.

But with other security exceptions (for example making use of Apache Axis in the signed Applet but in a JavaScript thread) there is no obvious way to have some asynchronous thread. Let's say I have the following code that if called from a Java thread will work and if called via JavaScript will fail with a SecurityException:

public void someMethodCalledFromJavaScript() {
  // Stuff that would throw a SecurityException
}

I see three following options, but they may not all be valid. For the sake of this discussion, ignore whether or not the execution will be synchronous or asynchronous, as that's easily managed. I am having a difficult time understanding the details of the security model. Here are my three potential choices:

  • Start a new Thread (will this one even work?):

public void someMethodCalledFromJavaScript() {
  new Thread(new Runnable() {
    public void run() {
      // Stuff that would throw a SecurityException
    }
  }).start();
}

  • Have the Applet have a thread ready to go at all times, triggered via the JavaScript-origin thread (highly simplified code here):

    private volatile boolean doit = false;
    
    // This code is running in a Thread, started @ Applet init time
    public void alwaysWaiting() {
      while (true) {
        if (doit) {
          doit = false;
          // Stuff that would throw a SecurityException
        }
      }
    }
    
    public void someMethodCalledFromJavaScript() {
      doit = true;
    }
    

  • Use AccessController.doPrivileged:

    public void someMethodCalledFromJavaScript() {
      AccessController.doPrivileged(new PrivilegedAction() {
        public Object run() {
          // Stuff that would throw a SecurityException
          return null;
        }
      });
    }
    

According to what I read of AccessController.doPrivileged, you run with the intersection of the current security privs and the privs of the security domain of the code you're calling. This doesn't make sense to me, as if you're running with the intersection of a low and a high security domain, you'll just have the low security domain. So clearly I'm not understanding something.

The specific SecurityException I'm seeing is this one:

    java.security.AccessControlException: access denied (java.lang.RuntimePermission accessDeclaredMembers)
    

but of course I'm curious about the general case in the context of JavaScript calling into a signed Applet, and how I can allow a JavaScript-originated thread to run with the priv's of the signed Applet as if it were a thread that originated purely within the Applet.

Which choices above will even work, and which are better than others, and why.

Recommended answer

  • "Start a new Thread (will this one even work?)"

    Will not work, for the reasons given below.

  • "Have the Applet have a thread ready to go at all times, triggered via the JavaScript-origin thread"

    Will work of course, but that's more painful than calling doPrivileged, yet has the same effect semantically.

  • "Use AccessController.doPrivileged"

    Yes, that will work.

Every access control check inspects the set of all stack frames on the stack of the current thread (including the stack frame leading up to the instantiation of the current thread, recursively). If there is a doPrivileged frame, frames leading up to that frame are not included in the set (but the actual doPrivileged frame is included).

If the privilege being checked is not in every single frame in that set, the check fails.

In other words, the current privileges of a thread are the intersection of privileges in this set.

So for example if privileged code doPrivilegeds some unprivileged code which tries to open a file, the check will fail. Likewise if unprivileged code doPrivilegeds privileged code that opens a file, the check will fail. But if unprivileged code invokes privileged code and the privileged code in turn calls doPrivileged to open a file, the check will succeed.

In theory, you should be able to only grant your Java codebase the privileges it needs (perhaps access to some isolated directory), and then grant the same privileges to the JavaScript code that will use this privileged code, but I doubt any browser has such features. I'm surprised JavaScript even runs in another protection domain than Java.

I've never done JavaScript<->Java interop, but it seems no matter what you are going to have to make the methods that are invoked by JavaScript use doPrivileged blocks on their entire body.

As Sami said, be careful when invoking doPrivileged blocks within the privileged code (and read his answer).
