限制Java中的文件访问 [英] Limiting file access in Java

问题描述

问题：

在我的Java应用程序（不是applet）中，我希望将某些文件操作限制为除了不应该的类的列表/组/包之外的所有类受限制。

Problem:
In my Java application (not an applet) I wish to limit certain file operations to all classes except a list/group/package of classes that should not be restricted.

具体来说，我想限制......

Specifically, I would like to limit...

• 文件读取


• 文件写入


• 文件创建


• 文件删除

• File reads
• File writes
• File creation
• File deletion

...这样它们只能在当前工作目录中为除了不受限制的类之外的所有类别完成。

...such that they can only be done within the current working directory for all but the unrestricted classes.

SecurityManager尝试：

我试图实现实现此行为的SecurityManager类的子类，但是当检查时，似乎文件提供的信息不仅仅提供文件名（除非我遗漏了什么？）。

SecurityManager attempt:
I have tried to implement a subclass of the SecurityManager class that implements this behaviour, however it seems that when checks are made the file information provided does not give more than just the filename (unless I am missing something?).

另外，我不太明白在这种情况下我怎么能找到从正在进行呼叫的班级中，允许我确定是否允许操作或抛出异常。我有什么方法可以获得这种方法所需的所有信息吗？

Also, I don't quite understand how in this case I could find out the class which the call is being made from, to allow me to determine whether to allow the operation or throw an exception. Is there any way I could get all the information I need for this approach to work?

基于策略的尝试：

我也知道Java策略旨在限制类的操作，包括文件操作等。但是，我真的很难找到一个很好的资源来学习如何使用 .policy 文件来解决我的问题。

Policy-based attempt:
I am also aware that Java policies are intended for restricting the actions of classes, including things such as file operations. However, I've really struggled to find a good resource to learn how I could go about solving my problems using a .policy file.

问题摘要：

1）是否有任何替代方法可能比我提到的更好？

1) Are there any alternative approaches that may be preferable to those I've mentioned?

2）使用SecurityManager可以实现吗？我错过了我应该如何实际采用这种方法吗？

2) Is this possible using a SecurityManager? Am I missing out on how I should actually be implementing such an approach?

3）这是否可以使用策略文件？在这方面我有没有错过任何好的资源？

3) Is this possible using a policy file? Are there any good resources I've missed on this front?

我真的不会厌倦任何我需要投入的努力来实现这个目标 - 我只是不确定我应该如何正确接近它。我也非常缺乏足够的资源来教我足够的关于我提到的两种可能的方法，允许我自己实现它。最重要的是，我不怕在需要的地方进行重要的阅读！

谢谢您可以提前给予任何帮助。

Thanks for any help you can give, in advance.

推荐答案

以下是使用策略文件的方法。

Here is how you can do it using a policy file.

创建一个可以使用权限行事的Java文件：

Create a Java file that can act with privileges:

package egPriv;

import java.io.FileReader;
import java.io.IOException;
import java.io.Reader;
import java.security.AccessController;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;

public class PrivCat {
    /** Cat a file with no privileges */
    public void cat(String file) throws IOException {
        cat(new FileReader(file));
    }

    private void cat(Reader r) throws IOException {
        int c;
        while( (c = r.read()) != -1 ) {
            System.out.print((char) c);
        }
        r.close();
    }

    /** Cat a file WITH privileges */
    public void catPriv(final String file) throws IOException {
        Reader r;
        try {
            r = AccessController.doPrivileged(new PrivilegedExceptionAction<Reader>() {
                public Reader run() throws IOException {
                    return new FileReader(file);
                }
            });
        } catch (PrivilegedActionException e) {
            throw (IOException) e.getCause();
        }
        cat(r);
    }
}

创建一个用于演示的常规文件

Create a regular file for demonstating

package eg;

import egPriv.PrivCat;

import java.io.IOException;

public class Cat extends PrivCat {
    public static void main(String[] args) throws IOException {
        Cat eg2 = new Cat();
        System.out.println("Processing with privilege:");
        eg2.catPriv(args[0]);

        System.out.println("Processing normally");
        eg2.cat(args[0]);
    }
}

创建sample.policy文件：

Create sample.policy file:

/* anyone can read write and execute within current working dir */
grant {
  permission java.io.FilePermission "${user.dir}", "read,write,execute";
};

grant {
  permission java.io.FilePermission "${user.dir}/*", "read,write,execute,delete";
};


/* Only code from this jar can work outside of CWD */
grant codebase "file:egPriv.jar" {
  permission java.io.FilePermission "<<ALL FILES>>", "read,write,execute,delete";
};

编译然后测试：

jar cvf egPriv.jar egPriv
jar cvf eg.jar eg


echo 'Restricted' > ..\file.txt
java -cp eg.jar;egPriv.jar -Djava.security.manager -Djava.security.policy=sample.policy  eg.Cat ..\file.txt

echo 'Open' > file.txt
java -cp eg.jar;egPriv.jar -Djava.security.manager -Djava.security.policy=sample.policy  eg.Cat file.txt

这篇关于限制Java中的文件访问的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！