我正在尝试实施一项安全策略,为由特定签署者签署的Java类赋予某些权限。我的安全策略文件如下所示:
// ========== SYSTEM CODE PERMISSIONS =========================================
grant codeBase "file:${java.home}/conf/*" {
permission java.security.AllPermission;
};
// These permissions apply to all shared system extensions
grant codeBase "file:${java.home}/jre/lib/ext/*" {
permission java.security.AllPermission;
};
// These permissions apply to all shared system extensions
grant codeBase "file:${java.home}/lib/ext/*" {
permission java.security.AllPermission;
};
// ========== CLASS PERMISSIONS =========================================
keystore "file:/C:/Program Files/Java/openjdk-12/lib/security/cacerts";
keystorePasswordURL "file:/C:/Shared/Team/java-jar-signed/keystore.password";
grant signedBy "mycompany" {
permission java.security.AllPermission;
permission java.io.FilePermission "C:\\*", "read,write,execute";
permission java.io.FilePermission "C:\\", "read,write,execute";
};
密钥库cacerts
包含一个别名为mycompany
的证书。测试该安全策略的JAR文件已使用该证书的私钥签名。当我使用
java -Djava.security.manager -Djava.security.policy=rules.policy -Djava.security.debug=access -cp ReadC-signed.jar ReadC
我知道
access: access denied ("java.io.FilePermission" "C:\" "read")
当我使用codeBase "path/to/jar"
而不是signedBy "mycompany"
时,它可以很好地工作。有人知道这里可能出什么问题吗?