Should I use Security Manager in Java web applications?

Question

Is it sufficient to secure a Java web application with the rights of the user that is running the application server process or is it reasonable also to use SecurityManager with a suitable policy file?

I have used to do the former and not the latter, but some customers would like us to also use SecurityManager that would explicitly give permissions to every third-party component to be sure there isn't any evil code lurking there.

I've seen some Servlet containers, like Resin to propose not using SecurityManager to slow things up. Any thoughts?

Recommended answer

While I hate to ever recommend not using a security feature, it's my opinion that a SecurityManager is more intended to manage situations where untrusted or third-party code is executing in the JVM. Think applets, or a hosted, shared app server scenario. If you have complete control over the app server and are not running anybody else's code, I think it's redundant. Enabling the SecurityManager does have a significant performance impact in my experience.
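For reference, the per-component setup the question describes looks like the policy file below. It is an added example, not part of the original question or answer; every path, jar name, host name and the `app.home` property is a constructed assumption. It applies only to JDKs where SecurityManager is still available (it has been deprecated for removal since Java 17, JEP 411).

```text
// app.policy: constructed example; all paths, jar names and hosts are hypothetical.
// Start the JVM with:
//   java -Dapp.home=/opt/appserver -Djava.security.manager \
//        -Djava.security.policy==/opt/appserver/conf/app.policy ...
// The double '=' makes this the only policy file consulted, so a code
// source with no matching grant below receives no permissions at all.

// The application server's own classes are trusted.
grant codeBase "file:${app.home}/lib/-" {
    permission java.security.AllPermission;
};

// Our own web application classes. Permission checks walk the whole call
// stack, so this grant must also include whatever the libraries below do
// when they are called from these classes.
grant codeBase "file:${app.home}/webapps/shop/WEB-INF/classes/-" {
    permission java.io.FilePermission "${app.home}/conf/shop.properties", "read";
    permission java.io.FilePermission "${app.home}/logs/-", "read,write";
    permission java.io.FilePermission "${java.io.tmpdir}${/}pdf-scratch${/}-", "read,write,delete";
    permission java.net.SocketPermission "db.internal.example:5432", "connect,resolve";
    permission java.net.SocketPermission "api.partner.example:443", "connect,resolve";
};

// Third-party PDF library: its scratch directory only. No network access,
// no property access, no ability to exit the JVM.
grant codeBase "file:${app.home}/webapps/shop/WEB-INF/lib/pdf-render.jar" {
    permission java.io.FilePermission "${java.io.tmpdir}${/}pdf-scratch${/}-", "read,write,delete";
};

// Third-party HTTP client: one outbound endpoint, nothing on disk.
grant codeBase "file:${app.home}/webapps/shop/WEB-INF/lib/http-client.jar" {
    permission java.net.SocketPermission "api.partner.example:443", "connect,resolve";
};
```

With this policy, an attempt by `pdf-render.jar` to open a socket or read outside its scratch directory fails with `java.security.AccessControlException`, which is the event to log and alert on when auditing third-party components.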
