java.net.SocketPermission

Date: 2016-03-21 05:33:30

Tags: java java-security

I'm struggling to get a Java security policy right. My code needs to resolve and connect to login.salesforce.com and xx99.salesforce.com, where xx99 can take about 100 different values.

If I hard-code the specific hosts, it works - for example

permission java.net.SocketPermission "login.salesforce.com:443", "connect, resolve";
permission java.net.SocketPermission "na30.salesforce.com:443", "connect, resolve";

But this means adding about 100 entries to my security policy file to cover all the possibilities, and Salesforce keeps adding new instances, which makes maintenance a nightmare.

If I wildcard any host/port, it works:

permission java.net.SocketPermission "*", "connect, resolve";

But the obvious answer fails - this

permission java.net.SocketPermission "*.salesforce.com:443", "connect, resolve";

gives me

2016-03-20 22:19:56,024 [user:*admin] [pipeline:Pipeline1] [thread:preview-pool-1-thread-1] WARN  Pipeline - Stage 'com_streamsets_stage_destination_waveanalytics_WaveAnalyticsDTarget_1' initialization error: java.security.AccessControlException: access denied ("java.net.SocketPermission" "login.salesforce.com:443" "connect,resolve")
java.security.AccessControlException: access denied ("java.net.SocketPermission" "login.salesforce.com:443" "connect,resolve")
    at java.security.AccessControlContext.checkPermission(AccessControlContext.java:472)
    at java.security.AccessController.checkPermission(AccessController.java:884)
    at java.lang.SecurityManager.checkPermission(SecurityManager.java:549)
    at java.lang.SecurityManager.checkConnect(SecurityManager.java:1051)
    at sun.net.www.http.HttpClient.openServer(HttpClient.java:510)
    ...etc...

I've been staring at this for a while now - I just don't get it!

1 answer:

Answer 0 (score: 1)

So this question pointed me in the right direction. Stepping through the JDK source, it resolves the hostname, then does a reverse lookup, and performs a series of checks to prevent spoofing. The problem is login.salesforce.com...

Let's resolve login.salesforce.com

$ dig login.salesforce.com

; <<>> DiG 9.8.3-P1 <<>> login.salesforce.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 28719
;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;login.salesforce.com.      IN  A

;; ANSWER SECTION:
login.salesforce.com.   2288    IN  CNAME   login.gslb2.salesforce.com.
login.gslb2.salesforce.com. 57  IN  A   136.147.59.44
login.gslb2.salesforce.com. 57  IN  A   136.147.57.172
login.gslb2.salesforce.com. 57  IN  A   136.147.58.44
login.gslb2.salesforce.com. 57  IN  A   136.147.58.172

OK - let's do a reverse lookup on the first IP address:

$ nslookup 136.147.59.44
Server:     192.168.69.1
Address:    192.168.69.1#53

Non-authoritative answer:
44.59.147.136.in-addr.arpa  name = dcl7-dfw.login-dfw.salesforce.com.

Authoritative answers can be found from:

Hmm - OK, let's resolve that hostname:

$ dig dcl7-dfw.login-dfw.salesforce.com

; <<>> DiG 9.8.3-P1 <<>> dcl7-dfw.login-dfw.salesforce.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 26165
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;dcl7-dfw.login-dfw.salesforce.com. IN  A

;; Query time: 35 msec
;; SERVER: 192.168.69.1#53(192.168.69.1)
;; WHEN: Thu Apr 28 13:25:56 2016
;; MSG SIZE  rcvd: 51

At this point the JDK tries to compare the IP address it is holding (136.147.59.44) against the wildcard policy (*.salesforce.com) and, unsurprisingly, decides they don't match.

So, I'm stuck with "*" in the policy.
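The lookup chain the answer describes, as an added example that is not part of the original post and not the JDK's own code: a Python re-implementation of the host-matching steps in JDK 8's `SocketPermission` (resolve the target, reverse-resolve its first address, accept the PTR name only if it resolves back to that address, then compare the resulting canonical name against the wildcard suffix). DNS is replaced by two constructed tables, `FORWARD` and `REVERSE`, so it runs offline; the salesforce.com records are copied from the dig and nslookup output above, while the `example.test` names are hypothetical and exist only to show the contrasting case where the PTR name is forward-confirmed. Ports and actions are assumed to match; only the host part is modeled.

```python
"""Offline model of how java.net.SocketPermission decides whether a
wildcard entry such as "*.salesforce.com" implies "login.salesforce.com".

Added example, not the JDK's own code: it re-implements in Python the
steps the answer above describes (resolve, reverse-resolve, forward-confirm
the PTR name, compare the canonical name against the wildcard suffix).
DNS is replaced by two constructed tables so it runs without network.
"""


class NXDomain(Exception):
    """Name does not exist (the JDK raises UnknownHostException here)."""


# Constructed forward zone: name -> ("CNAME", target) or ("A", [addresses]).
# The login.salesforce.com records are copied from the dig output in the
# answer; dcl7-dfw.login-dfw.salesforce.com is deliberately absent because
# dig returned NXDOMAIN for it. The example.test names are hypothetical and
# show the contrasting case of a forward-confirmed PTR record.
FORWARD = {
    "login.salesforce.com": ("CNAME", "login.gslb2.salesforce.com"),
    "login.gslb2.salesforce.com": ("A", ["136.147.59.44", "136.147.57.172",
                                         "136.147.58.44", "136.147.58.172"]),
    "api.example.test": ("A", ["192.0.2.10"]),
    "host1.example.test": ("A", ["192.0.2.10"]),
}

# Constructed reverse zone: address -> PTR name.
REVERSE = {
    "136.147.59.44": "dcl7-dfw.login-dfw.salesforce.com",  # from nslookup above
    "192.0.2.10": "host1.example.test",                    # hypothetical
}


def resolve(name, _depth=0):
    """Forward lookup following CNAMEs; models InetAddress.getAllByName."""
    if _depth > 8:
        raise NXDomain(name)  # CNAME loop guard
    record = FORWARD.get(name.lower())
    if record is None:
        raise NXDomain(name)
    kind, value = record
    if kind == "CNAME":
        return resolve(value, _depth + 1)
    return list(value)


def reverse_name(addr):
    """Reverse lookup with forward confirmation; models
    InetAddress.getHostFromNameService. The PTR name is accepted only if it
    resolves back to the same address (the anti-spoofing check); otherwise
    the JDK uses the dotted-quad string as the host name."""
    ptr = REVERSE.get(addr)
    if ptr is None:
        return addr
    try:
        if addr in resolve(ptr):
            return ptr.lower()
    except NXDomain:
        pass  # PTR name has no A record: treat as unconfirmed
    return addr


def canonical_name(host):
    """Models SocketPermission.getCanonName: resolve the host, take the
    first address, and reverse-resolve that address."""
    return reverse_name(resolve(host)[0])


def implies(policy_host, target_host):
    """Does a policy entry for policy_host cover a connection to target_host?
    Only the host part is modeled; port and action are assumed to match."""
    policy_host = policy_host.lower()
    target_host = target_host.lower()
    if policy_host == "*":
        return True  # bare "*" matches every host without any lookup
    if policy_host.startswith("*."):
        suffix = policy_host[1:]  # "*.salesforce.com" -> ".salesforce.com"
        try:
            return canonical_name(target_host).endswith(suffix)
        except NXDomain:
            # Unresolvable target: the JDK falls back to comparing the
            # literal host names (approximation of compareHostnames).
            return target_host.endswith(suffix)
    # Exact entry: the JDK compares resolved addresses, not spellings.
    try:
        return bool(set(resolve(policy_host)) & set(resolve(target_host)))
    except NXDomain:
        return policy_host == target_host


if __name__ == "__main__":
    for policy, target in [("*", "login.salesforce.com"),
                           ("*.salesforce.com", "login.salesforce.com"),
                           ("login.salesforce.com", "login.salesforce.com"),
                           ("*.example.test", "api.example.test")]:
        print(f"{policy:22} -> {target:22} "
              f"canonical={canonical_name(target):36} implies={implies(policy, target)}")
```

Running it shows why the wildcard entry fails: the PTR name for 136.147.59.44 has no A record, so the canonical name collapses to the bare address and `"136.147.59.44".endswith(".salesforce.com")` is false, while the hypothetical `api.example.test`, whose PTR name resolves back to the same address, matches `*.example.test`. The forward-confirmation step is what stops whoever controls an address's in-addr.arpa zone from simply claiming a `*.salesforce.com` name; the price, as the answer found, is that a legitimate host without forward-confirmed reverse DNS can never satisfy a wildcard entry. On a real JVM the same question can be asked directly with `new SocketPermission("*.salesforce.com:443", "connect").implies(new SocketPermission("login.salesforce.com:443", "connect"))`, which performs the live lookups modeled here. If the fallback to `"*"` is unavoidable, keep in mind that it grants `connect` to every host, so it belongs in a `grant codeBase` block scoped to the code that actually needs it rather than in a global grant.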