检测System.setProperty方法调用 [英] Detecting System.setProperty method invocations

问题描述

我在这里面临一个难题。

I'm facing a conundrum here.

我开发的一个应用程序正在加载 DocumentBuilderFactory 类。这种行为后来被推断为由不同的团队/公司构建的不同应用程序中的另一个类的结果。上述类在加载时更改了首选的DocumentBuilderFactory类，通过包含类似于下面的静态块：

One of the applications that I've developed is loading an incorrect implementation of the DocumentBuilderFactory class of JAXP. This behavior was later deduced to be resulting from another class in different application built by a different team/company. The said class had changed the preferred DocumentBuilderFactory class upon loading, by inclusion of a static block similar to the one below:

  static
  {
    System.setProperty("javax.xml.parsers.DocumentBuilderFactory", "a new factory");
  }

如果通过 DocumentBuilderFactory.newInstance 方法的Javadoc，这将是相当的显然上述代码负责更改在调用newInstance方法时返回到所有应用程序的解析器实现。

If one goes by the Javadocs of the DocumentBuilderFactory.newInstance method, it would be quite obvious that the above code was responsible for changing the parser implementation returned to all applications, when the newInstance method is invoked.

已应用修补程序，从而更正了此问题，但是它引导我提出这个问题 - 如何确定哪个类在运行时执行System.setProperty调用？

A patch was applied, which corrected this problem, but it leads me to ask this question - how does one determine which class is performing the System.setProperty call at runtime?

我们已经生成了一个由于非常简单的原因，我们无法访问部署在服务器上的所有应用程序的所有源代码，因此OpenJDK的自定义构建与修改的System类负责打钉。但这是有可能的，只因为生产环境的复杂化。因此，问题也可以解释为 - 在生产环境中，如何确定哪个类在运行时执行System.setProperty调用？

We had produced a custom build of OpenJDK with a modified System class that was responsible for nailing the culprit, for the very simple reason that we did not have access to all the sources for all the applications deployed on the server. But this was possible only due to the fact that the production environment was replicated in its entiriety. The question therefore, could also be interpreted as - how does one determine which class is performing the System.setProperty call at runtime, in a production environment?

推荐答案

System.setProperty 被一个 SecurityManager ，如果已安装。

System.setProperty is checked by a SecurityManager, if installed.

您可以创建自己的MySecurityManager并在运行时进行部署。调用方法 checkPropertyAccess 时，您自己的SecurityManager可以记录当前堆栈跟踪的一些信息：

You can create your own MySecurityManager and deploy at runtime. Your own SecurityManager can log some information like the current stacktrace, when the method checkPropertyAccess is called:

public class MySecurityManager extends SecurityManager
{

    public MySecurityManager()
    {
        super();
    }

    @Override
    public void checkPropertyAccess(String key)
    {
        if ("javax.xml.parsers.DocumentBuilderFactory".equals(key))
        {
            System.err.println("checkPropertyAccess(String :" + key + "): ");
            Thread.currentThread().dumpStack(); // or anything useful for
                                                // logging the context.
            new Throwable().printStackTrace(); // whatever, or use it with
            // PrintStream/PrintWriter, or some logging framework if configured.
        }
        super.checkPropertyAccess(key);
    }

    @Override
    public void checkPermission(Permission perm)
    {
        if (perm instanceof PropertyPermission)
        {
            PropertyPermission propPerm = (PropertyPermission) perm;
            System.err.println("checkPropertyAccess(String:" + propPerm.getName() + "):");
            Thread.currentThread().dumpStack(); // or anything useful for
                                                // logging the context.
            new Throwable().printStackTrace(); // whatever, or use it with
            // PrintStream/PrintWriter, or some logging framework if configured.
        }
        super.checkPermission(perm);
    }
}

这篇关于检测System.setProperty方法调用的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！