Reflection Security


Question

How to enforce reflection security by not allowing the Method, Field, Constructor objects to call setAccessible(true)? SecurityPolicy file or something else?

Normally for stand-alone Java applications there is no SecurityManager registered.

I use this: System.setSecurityManager(new SecurityManager());

This approach will work for calling methods.

I would like to enforce that the whole jar, or client code that uses the jar, is not allowed to call setAccessible(true);

Is there a better way?

Thanks.

Accepted answer

Um, it does work for setAccessible. See:

// A.java
class A {
  private String method1() {
    return "Hello World!";
  }
}

// B.java
import java.lang.reflect.Method;

class B {
  public static void main(String[] args) throws Exception {
    System.setSecurityManager(new SecurityManager());
    Class<?> clazz = A.class;
    Method m = clazz.getDeclaredMethod("method1");
    m.setAccessible(true); // needs ReflectPermission "suppressAccessChecks", which the default policy does not grant
  }
}

Result

Exception in thread "main" java.security.AccessControlException: access denied ("java.lang.reflect.ReflectPermission" "suppressAccessChecks")
        at java.security.AccessControlContext.checkPermission(Unknown Source)
        at java.security.AccessController.checkPermission(Unknown Source)
        at java.lang.SecurityManager.checkPermission(Unknown Source)
        at java.lang.reflect.AccessibleObject.setAccessible(Unknown Source)
        at B.main(B.java:8)

One reason it might not have worked for you is that, according to comments in this post, it did not use to work in Java 1.5, but works in 6 and thereafter.

Edit: to deny it for specific jars, you need to either use a policy file, for example:

// specific file
grant codeBase "file:/test/path/tools.jar" {
  // no permissions for this one
};

// default to giving all
grant {
  permission java.security.AllPermission;
};

There are two ways of specifying the policy file: either give it as an addition to the defaults, or use only the one that is specified (source):

If you use

java -Djava.security.manager -Djava.security.policy==someURL SomeApp

(note the double equals) then just the specified policy file will be used; all the ones indicated in the security properties file will be ignored.

...or implement a custom security manager, which doesn't look that hard. Haven't done that myself though.
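Added example (not part of the original answer): the custom-SecurityManager route the answer mentions, refusing ReflectPermission "suppressAccessChecks" whenever any class on the call stack was loaded from a chosen code location, which is the same effect the policy file above has for tools.jar. The class name and the way the denied location is picked in main are my own choices.

```java
import java.lang.reflect.Method;
import java.lang.reflect.ReflectPermission;
import java.security.CodeSource;
import java.security.Permission;

class A {
  private String method1() { return "Hello World!"; }
}

// Hypothetical name; denies setAccessible(true) to code from one code-source location.
public class NoSetAccessibleManager extends SecurityManager {
  private final String deniedLocation; // e.g. "file:/test/path/tools.jar"

  NoSetAccessibleManager(String deniedLocation) { this.deniedLocation = deniedLocation; }

  @Override
  public void checkPermission(Permission perm) {
    // Only the permission that setAccessible(true) asks for is policed here; everything
    // else is allowed (a production manager would fall back to super.checkPermission).
    if (!(perm instanceof ReflectPermission) || !"suppressAccessChecks".equals(perm.getName())) {
      return;
    }
    for (Class<?> c : getClassContext()) {            // every class on the current call stack
      CodeSource cs = c.getProtectionDomain().getCodeSource();
      if (cs == null || cs.getLocation() == null) continue; // bootstrap/JDK classes
      if (cs.getLocation().toString().startsWith(deniedLocation)) {
        throw new SecurityException("setAccessible denied for code from " + deniedLocation);
      }
    }
  }

  @Override
  public void checkPermission(Permission perm, Object context) { checkPermission(perm); }

  public static void main(String[] args) throws Exception {
    // Deny the location this demo itself was loaded from, so the call below is blocked.
    String here = A.class.getProtectionDomain().getCodeSource().getLocation().toString();
    System.setSecurityManager(new NoSetAccessibleManager(here));

    Method m = A.class.getDeclaredMethod("method1");
    try {
      m.setAccessible(true);
      System.out.println("setAccessible succeeded (unexpected)");
    } catch (SecurityException e) {
      System.out.println("denied: " + e.getMessage());
    }
    // Reflection that needs no access override is untouched.
    System.out.println(A.class.getMethod("toString").invoke(new A()));
  }
}
```

On JDK 18 and later, run with -Djava.security.manager=allow, since installing a SecurityManager at runtime is otherwise refused; JDK 24 disables the SecurityManager entirely, so this approach applies only to older releases.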
