为什么这个看似等效的SecurityManager代码会导致虚假异常?

时间:2013-12-11 23:46:23

标签: java security securitymanager accesscontrolexception

这个问题是my previous question about unusual exceptions generated by a custom security manager.的后续问题。在高层次上,我有兴趣构建一个运行受信任代码和不受信任代码的应用程序。我最初的想法是构建一个不允许大多数操作运行的自定义SecurityManager。这导致了异常行为,在16次调用后,实例化不受信任对象的可信反射代码失败。

我已经重写了代码,因此我不是使用自定义SecurityManager来处理这个问题,而是创建一个新的保护域,其中运行不受信任的代码,然后从该不受信任的代码中删除权限。这个新代码如下所示:

import java.io.FilePermission;
import java.lang.reflect.*;
import java.security.*;

public class Main {
    /* Track how many instances have been created so that we can see when the exception
     * is thrown.
     */
    private static int numInstances = 0;
    public Main() {
        System.out.println("Number created: " + ++numInstances);
    }

    /* Utility function that returns a Constructor object for main. */
    private static Constructor<Main> getCtor() {
        try {
            return Main.class.getConstructor();
        } catch (NoSuchMethodException e) {
            e.printStackTrace();
            System.exit(-1);
            return null; // Unreachable, needed to appease compiler.
        }
    }

    /* Utility function that creates an AccessControlContext that only has file
     * read permissions.
     */
    private static AccessControlContext getContext() {
        CodeSource c = new CodeSource(null, (java.security.cert.Certificate[])null);
        Permissions permissions = new Permissions();

        /* Grant specific permission to read files. This is necessary, since otherwise the
         * class loader can't read classes from disk.
         */
        permissions.add(new FilePermission("*", "read"));

        /* Construct an AccessControlContext from these permissions. */
        return new AccessControlContext(new ProtectionDomain[] {new ProtectionDomain(c, permissions)});
    }

    public static void main(String[] args) {
        /* Get a very restrictive AccessControlContext that does not allow for anything to run. */
        AccessControlContext noPermissions = getContext();

        /* Install a standard security manager to enable security. */
        System.setSecurityManager(new SecurityManager());

        /* Sit in an infinite loop using reflection to create Main objects.  This code is
         * run in a context where its only permissions are file reading.
         */
        AccessController.doPrivileged(new PrivilegedAction<Void>() {
            @Override
            public Void run() {
                /* Continuously create new Main objects. */
                Constructor<Main> ctor = getCtor();
                try {
                    while (true) {
                        ctor.newInstance();
                    }
                } catch (Exception e) {
                    e.printStackTrace();
                    return null;
                }
            }
        }, noPermissions);

    }
}

此代码现在完全正常 - 它可以毫无困难地构建各种Main个对象。

我对此感到困惑的是以下内容。为了使AccessController有任何牙齿,我们需要打开安全管理器。我通过调用

来做到这一点 
/* Install a standard security manager to enable security. */
System.setSecurityManager(new SecurityManager());

现在,假设我将此更改从默认 SecurityManager更改为此自定义SecurityManager

/* Install a standard security manager to enable security. */
System.setSecurityManager(new SecurityManager() {
    @Override
    public void checkPermission(Permission p) {
         /* Log the permission. */
         System.out.println("Checking " + p);
         super.checkPermission(p);
    }
});

SecurityManager与之前相同,只是它记录了检查权限时发生的情况,然后将请求转发到默认SecurityManager

如果我进行此更改并运行程序,我现在可以获得与以前相同的行为:

Checking ("java.io.FilePermission" "/home/keith/Documents/secret-eclipse-workspace/Security Manager Test/bin/Main$2.class" "read")
Checking ("java.io.FilePermission" "/home/keith/Documents/secret-eclipse-workspace/Security Manager Test/bin/Main$2.class" "read")
Checking ("java.io.FilePermission" "/home/keith/Documents/secret-eclipse-workspace/Security Manager Test/bin/Main$2.class" "read")
Number created: 1
Number created: 2
Number created: 3
Number created: 4
Number created: 5
Number created: 6
Number created: 7
Number created: 8
Number created: 9
Number created: 10
Number created: 11
Number created: 12
Number created: 13
Number created: 14
Number created: 15
Checking ("java.lang.RuntimePermission" "createClassLoader")
java.security.AccessControlException: access denied ("java.lang.RuntimePermission" "createClassLoader")
    at java.security.AccessControlContext.checkPermission(AccessControlContext.java:372)
    at java.security.AccessController.checkPermission(AccessController.java:559)
    at java.lang.SecurityManager.checkPermission(SecurityManager.java:549)
    at Main$1.checkPermission(Main.java:51)
    at java.lang.SecurityManager.checkCreateClassLoader(SecurityManager.java:611)
    at java.lang.ClassLoader.checkCreateClassLoader(ClassLoader.java:274)
    at java.lang.ClassLoader.<init>(ClassLoader.java:316)
    at sun.reflect.DelegatingClassLoader.<init>(ClassDefiner.java:72)
    at sun.reflect.ClassDefiner$1.run(ClassDefiner.java:60)
    at sun.reflect.ClassDefiner$1.run(ClassDefiner.java:58)
    at java.security.AccessController.doPrivileged(Native Method)
    at sun.reflect.ClassDefiner.defineClass(ClassDefiner.java:57)
    at sun.reflect.MethodAccessorGenerator$1.run(MethodAccessorGenerator.java:399)
    at sun.reflect.MethodAccessorGenerator$1.run(MethodAccessorGenerator.java:396)
    at java.security.AccessController.doPrivileged(Native Method)
    at sun.reflect.MethodAccessorGenerator.generate(MethodAccessorGenerator.java:395)
    at sun.reflect.MethodAccessorGenerator.generateConstructor(MethodAccessorGenerator.java:94)
    at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:48)
    at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
    at java.lang.reflect.Constructor.newInstance(Constructor.java:526)
    at Main$2.run(Main.java:65)
    at Main$2.run(Main.java:1)
    at java.security.AccessController.doPrivileged(Native Method)
    at Main.main(Main.java:58)

为什么在使用此自定义SecurityManager之前和之后我会遇到不同的行为?我不明白为什么程序会在这些情况下产生不同的结果,因为在这两种情况下,默认SecurityManager是实际进行所有安全检查的。{/ p>

谢谢!

1 个答案:

答案 0 :(得分:1)

SecurityManager中的代码似乎不受信任。因此,当在堆栈检查期间出现时,安全检查将失败。

为什么代码mainrun导致同样的问题?我们可以从堆栈跟踪中看到安全检查中涉及的堆栈元素。

at java.security.AccessControlContext.checkPermission(AccessControlContext.java:372)
at java.security.AccessController.checkPermission(AccessController.java:559)
at java.lang.SecurityManager.checkPermission(SecurityManager.java:549)
at Main$1.checkPermission(Main.java:51)
at java.lang.SecurityManager.checkCreateClassLoader(SecurityManager.java:611)
at java.lang.ClassLoader.checkCreateClassLoader(ClassLoader.java:274)
at java.lang.ClassLoader.<init>(ClassLoader.java:316)
at sun.reflect.DelegatingClassLoader.<init>(ClassDefiner.java:72)
at sun.reflect.ClassDefiner$1.run(ClassDefiner.java:60)
at sun.reflect.ClassDefiner$1.run(ClassDefiner.java:58)
at java.security.AccessController.doPrivileged(Native Method)
at sun.reflect.ClassDefiner.defineClass(ClassDefiner.java:57)

唯一的非系统框架是Main$1.checkPermission(Main.java:51)。删除它,问题就消失了。

相关问题
最新问题