Create java sandbox based on security policies
Question
I need to create an environment to run potentially untrusted code. The program is allowed to connect to a preconfigured address:port and nothing else (not even read the system time). I have compiled the class whitelist. I searched similar questions, but found only a template based on SecurityManager, which AFAIK is deprecated. Can anybody give me a simple sample of how to run code in a sandbox based on security policies and AccessController?
Answer
As far as I know it's still SecurityManager that runs the security checks. But it seems to delegate to the AccessController nowadays.
First you'll need to switch on the security manager:
-Djava.security.manager
If you omit this argument there'll be no sandbox whatsoever.
Second you'll need to tell where to find the policy file:
-Djava.security.policy=
This will add your permissions to the ones already defined in your Java home. The original sandbox rules are in .../jre/lib/security/java.policy. However, if you want your policy to be the only one, you'll need to use a double "=". This way you completely control what's allowed.
For example:
-Djava.security.policy==
I would advise you to use the "policytool" shipped with Java. It's fairly basic, but it helps you to quickly write a policy file with the correct syntax.
I hope this helps...
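The answer above describes the three moving parts (the SecurityManager switch, the policy file, and the "==" override) without showing the AccessController side the question asked about. The following is an added example, not code from the question or the answer, that ties them together: it builds an AccessControlContext holding only a SocketPermission for a preconfigured endpoint and runs the untrusted action under that context, so the action is limited to the intersection of its own permissions and the ones granted here. The class name SandboxRunner, the endpoint 127.0.0.1:8080 and the policy file path are assumptions for illustration. The APIs used exist from Java 8 onward; on Java 17 and later the JVM must be started with -Djava.security.manager=allow for System.setSecurityManager to succeed, and the same package is deprecated for removal, which is the caveat the question alludes to.

```java
import java.net.SocketPermission;
import java.security.AccessControlContext;
import java.security.AccessController;
import java.security.CodeSource;
import java.security.Permissions;
import java.security.PrivilegedAction;
import java.security.ProtectionDomain;
import java.security.cert.Certificate;

/*
 * Equivalent policy file (assumed path /etc/sandbox/sandbox.policy), used when the
 * JVM is launched as:
 *   java -Djava.security.manager -Djava.security.policy==/etc/sandbox/sandbox.policy SandboxRunner
 * The double "==" replaces the default java.policy instead of adding to it:
 *
 *   grant {
 *       permission java.net.SocketPermission "127.0.0.1:8080", "connect,resolve";
 *   };
 *
 * The policy file governs what the SecurityManager grants to code by origin; the
 * AccessControlContext built below narrows that further for one specific action.
 */
public class SandboxRunner {

    /** Builds a context that carries only the permissions we choose to grant. */
    static AccessControlContext restrictedContext(String hostPort) {
        Permissions perms = new Permissions();
        // The only thing the untrusted action may do: connect to / resolve the preconfigured endpoint.
        perms.add(new SocketPermission(hostPort, "connect,resolve"));
        // A "static" ProtectionDomain (2-arg constructor) does not consult the Policy; its
        // permissions are exactly the set above and nothing more.
        ProtectionDomain pd = new ProtectionDomain(new CodeSource(null, (Certificate[]) null), perms);
        return new AccessControlContext(new ProtectionDomain[] { pd });
    }

    /**
     * Runs the untrusted action with the restricted context. doPrivileged(action, context)
     * makes every permission check succeed only if BOTH the caller's domain and the supplied
     * context grant it, so this can only remove permissions, never add them.
     */
    static <T> T runSandboxed(PrivilegedAction<T> untrusted, String hostPort) {
        return AccessController.doPrivileged(untrusted, restrictedContext(hostPort));
    }

    public static void main(String[] args) {
        // Same effect as -Djava.security.manager on the command line (on Java 17+ the JVM
        // must additionally be started with -Djava.security.manager=allow for this call).
        if (System.getSecurityManager() == null) {
            System.setSecurityManager(new SecurityManager());
        }
        String endpoint = "127.0.0.1:8080"; // assumed preconfigured address:port

        // A constructed "untrusted" action: reading user.home needs
        // java.util.PropertyPermission "user.home","read", which the context does not grant.
        try {
            String home = runSandboxed(() -> System.getProperty("user.home"), endpoint);
            System.out.println("property read was allowed: " + home);
        } catch (SecurityException e) {
            System.out.println("property read blocked by the sandbox: " + e.getMessage());
        }

        // Opening a socket to a different endpoint is likewise refused at the permission check
        // inside java.net.Socket, before any connection attempt is made.
        try {
            runSandboxed(() -> {
                try (java.net.Socket s = new java.net.Socket("127.0.0.1", 9999)) {
                    return s.isConnected();
                } catch (java.io.IOException io) {
                    return false;
                }
            }, endpoint);
            System.out.println("connection to non-whitelisted port was allowed");
        } catch (SecurityException e) {
            System.out.println("connection blocked by the sandbox: " + e.getMessage());
        }
    }
}
```

Two points worth keeping in mind when using this pattern. First, the SecurityManager only mediates operations that actually perform a permission check; System.currentTimeMillis() performs none, so "not even read the system time" cannot be enforced by policy alone and is where the class whitelist the question mentions does the work. Second, doPrivileged with a context narrows permissions but the untrusted code still runs in the same JVM and thread, so resource exhaustion and reflection-based escapes need separate controls (JVM flags, timeouts, process isolation) that no policy file provides.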