根据安全策略创建java沙箱 [英] Create java sandbox based on security policies

问题描述

我需要创建环境来运行可能不受信任的代码。程序允许连接到预配置的地址：端口，没有别的（甚至读取系统时间）。我编译了类白名单。我搜索过类似的问题，但只找到了基于SecurityManager的模板，其中AFAIK已被弃用。
有人能给我一个简单的示例如何根据安全策略和AccessController在沙箱中运行代码吗？

I need to create environment to run potentially untrusted code. Program allowed to connect to preconfigured address:port and nothing else (even read the system time). I have compiled the class whitelist. I'd searched similar questions, but found only template that based on SecurityManager which AFAIK is deprecated. Can anybody give me a simple sample how to run code in sandbox based on security policies and AccessController?

推荐答案

As据我所知，它仍然是运行安全检查的SecurityManager。但它现在似乎委托给AccessController。

As far as I know it's still SecurityManager that runs the security checks. But it seems to delegate to the AccessController nowadays.

首先你需要打开安全管理器：

First you'll need to switch on the security manager:

-Djava.security.manager

-Djava.security.manager

如果省略这个参数，那么就没有任何沙盒。

If you omit this argument there'll be no sandbox whatsoever.

其次，你需要知道在哪里找到政策文件：

Second you'll need to tell where to find the policy file:

-Djava.security.policy =

-Djava.security.policy=

这会将您的权限添加到已在java主目录中定义的权限。原始沙箱规则在... / jre / lib / security / java.policy中。但是，如果您希望您的政策是唯一需要使用双=的政策。通过这种方式，您可以完全控制允许的内容。

This will add your permissions to the ones already defined in your java home. The original sandbox rules in .../jre/lib/security/java.policy. However, if you want your policy to be the only one you'll need to use a double "=". This way you control completely what's allowed.

例如：

-Djava.security.policy ==

-Djava.security.policy==

我建议你使用Java附带的policytool。这是相当基本的，但它可以帮助您快速编写具有正确语法的策略文件。

I would advise you to use the "policytool" shipped with the Java. It's fairly basic but it helps you to write quickly a policy file with the correct syntax.

我希望这有帮助......

I hope this helps...

这篇关于根据安全策略创建java沙箱的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！