System.setProperty在java中是安全的吗? [英] System.setProperty is safe in java?
问题描述
在java中传递某些类之间的值,我们可以使用System.setProperty。但是使用System.getProperties()我们可以获得所有系统属性。因此,如果我使用任何第三方API意味着他们也可以访问我的属性,他们也可以更改。那么System.setProperty安全吗?
In java to pass the values between some classes we can use System.setProperty. But using System.getProperties() we can get all the system properties. So if i use any third party API's means they can also access my properties and also they can change. SO is System.setProperty safe ?
推荐答案
这取决于您的安全意义。
It depends what you mean by safe.
-
优良作法 1 将系统属性对象视为只读,但您不能依赖第三方库来执行此操作。
It is good practice1 treat the System Properties object as read only, but you can't rely on 3rd-party libraries to do that.
如果您担心看到或更改应用程序属性的可信第三方代码,请不要使用系统属性来表示它们。创建自己的Properties对象并将属性放在那里。这可能是最简单的方法。
If you are worried about "trusted" 3rd-party code seeing or changing your application's properties, don't use System Properties to represent them. Create your own Properties object and put your properties there. This is probably the simplest approach overall.
如果使用沙盒,可以防止不受信任的代码访问系统属性...前提是您的代码没有t将系统属性对象泄漏到不受信任的代码。 (访问检查在系统方法中实现...)
If you use sandboxing, you can prevent untrusted code from access the System Properties ... provided that your code doesn't leak the System Properties object to the untrusted code. (The access checks are implemented in the System methods ...)
一个Properties对象是线程-safe ...如果你指的是那种安全。
A Properties object is thread-safe ... if you are referring to that kind of safety.
1 - 有时需要以编程方式修改系统属性。但是,通过执行此操作,您最终可能会遇到脆弱的应用程序。系统属性通常用于在初始化期间配置JVM服务。如果类初始化的顺序由于某种原因而改变,您可能会发现您的应用程序代码现在设置属性太晚了。如果可能,最好通过 -D 命令行参数设置属性。
1 - Occasionally it is necessary to modify system properties programmatically. However, you can end up with fragile applications by doing this. The system properties are typically used to configure JVM services during the initialization. If the order of class initialization changes for some reason, you could find that your application code is now setting the properties too late. If possible, it is better to set the properties via -D command line parameters.
这篇关于System.setProperty在java中是安全的吗?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
