Java .policy文件 - 如何防止java.util.Date()被访问 [英] Java .policy file - how to prevent java.util.Date() from being accessible
问题描述
我正在玩java .policy文件,并且想知道如何防止对java.util.Date()的调用,例如。
I am playing around with the java .policy file and was wondering how I could go about doing something like preventing calls to java.util.Date(), as an example.
我只是想更好地了解.policy文件的工作原理以及它如何用于沙盒代码。
I just want to get a better sense of the .policy file works and how it can be used to sandbox code.
推荐答案
你恐怕会不幸。
正如PaŭloEbermann所说, package.access 可以阻止包层次结构。您可以使用自定义 SecurityManager 更精确地解决这个问题,这通常是一个非常好的迹象表明您正在做一些非常狡猾的事情。
As Paŭlo Ebermann says, package.access can block out package hierarchies. You can be more precise about this with a custom SecurityManager, which is usually a damn good indication you are doing something really dodgy.
通常,您可以创建一个 ClassLoader ,它并不总是委托给它的父级。虽然Java EE规范鼓励它,但在技术上与当前的Java SE规范相反。你可以阻止 java.util.Date 。如果任何其他类引用它,它仍然可以通过反射访问,或者你可以获得它的实例。你可以阻止使用 Date 的传递关闭,包括以某种方式返回 Date 的那些。但是,要使用最小日期完成该方案,您必须在类加载器中加载 java.util.Date ,而不能与其他所有 java。* classes。
In general you can make a ClassLoader that doesn't always delegate to its parent. Technically against the current Java SE spec, although the Java EE spec encourages it. You could block out java.util.Date. It's still accessible through reflection if any other class references it, or you can get an instance of it. You could block out the transitive closure of uses of Date, including those that in some way return a Date. However, to complete the scheme with your minimal date you'd have to load a java.util.Date in your class loader, which you can't along with all other java.* classes.
所以,错误,替换 java.util.Date rt.jar中的类(可能使用Java代理),并在任何类中替换你不想限制 new Date() with 新日期(System.currentTimeMillis())。
So, err, replace the java.util.Date class in rt.jar (possibly using a Java Agent), and substitute in any class you don't want to restrict new Date() with new Date(System.currentTimeMillis()).
(顺便说一下,+1减少依赖于 System.currentTimeMillis()和其他魔术方法。)
(Btw, +1 to anything that reduces the dependency on System.currentTimeMillis() and other magic methods.)
这篇关于Java .policy文件 - 如何防止java.util.Date()被访问的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
