问题描述
问题:
在我的 Java 应用程序(不是小程序)中,我希望将某些文件操作限制为所有类,除了不应限制的类的列表/组/包.
Problem:
In my Java application (not an applet) I wish to limit certain file operations to all classes except a list/group/package of classes that should not be restricted.
具体来说,我想限制...
Specifically, I would like to limit...
- 文件读取
- 文件写入
- 文件创建
- 文件删除
...这样它们只能在当前工作目录中完成,但不受限制的类除外.
...such that they can only be done within the current working directory for all but the unrestricted classes.
SecurityManager 尝试:
我试图实现实现此行为的 SecurityManager 类的子类,但是似乎在进行检查时,所提供的 file 信息不仅仅提供文件名(除非我遗漏了什么?).
SecurityManager attempt:
I have tried to implement a subclass of the SecurityManager class that implements this behaviour, however it seems that when checks are made the file information provided does not give more than just the filename (unless I am missing something?).
另外,我不太明白在这种情况下我如何找出调用的类,以允许我确定是允许操作还是抛出异常.有什么方法可以让我获得使这种方法发挥作用所需的所有信息?
Also, I don't quite understand how in this case I could find out the class which the call is being made from, to allow me to determine whether to allow the operation or throw an exception. Is there any way I could get all the information I need for this approach to work?
基于策略的尝试:
我还知道 Java 策略旨在限制类的操作,包括诸如文件操作之类的操作.然而,我真的很难找到一个好的资源来学习如何使用 .policy 文件解决我的问题.
问题总结:
1) 有没有比我提到的方法更可取的替代方法?
1) Are there any alternative approaches that may be preferable to those I've mentioned?
2) 这可以使用 SecurityManager 吗?我是否错过了我应该如何实际实施这种方法?
2) Is this possible using a SecurityManager? Am I missing out on how I should actually be implementing such an approach?
3) 这可以使用策略文件吗?在这方面有没有我错过的好资源?
3) Is this possible using a policy file? Are there any good resources I've missed on this front?
我真的不反对为实现这一目标而需要投入的任何艰苦工作 - 我只是不确定我应该如何正确处理它.我也非常缺乏好的资源来教我足够多的关于我提到的两种可能的方法,让我自己实现它.最重要的是,我不怕在需要时进行大量阅读!
感谢您能提前提供的任何帮助.
Thanks for any help you can give, in advance.
推荐答案
以下是使用策略文件的方法.
Here is how you can do it using a policy file.
创建一个可以使用权限操作的Java文件:
Create a Java file that can act with privileges:
package egPriv;
import java.io.FileReader;
import java.io.IOException;
import java.io.Reader;
import java.security.AccessController;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
public class PrivCat {
/** Cat a file with no privileges */
public void cat(String file) throws IOException {
cat(new FileReader(file));
}
private void cat(Reader r) throws IOException {
int c;
while( (c = r.read()) != -1 ) {
System.out.print((char) c);
}
r.close();
}
/** Cat a file WITH privileges */
public void catPriv(final String file) throws IOException {
Reader r;
try {
r = AccessController.doPrivileged(new PrivilegedExceptionAction<Reader>() {
public Reader run() throws IOException {
return new FileReader(file);
}
});
} catch (PrivilegedActionException e) {
throw (IOException) e.getCause();
}
cat(r);
}
}
创建一个常规文件用于演示
Create a regular file for demonstating
package eg;
import egPriv.PrivCat;
import java.io.IOException;
public class Cat extends PrivCat {
public static void main(String[] args) throws IOException {
Cat eg2 = new Cat();
System.out.println("Processing with privilege:");
eg2.catPriv(args[0]);
System.out.println("Processing normally");
eg2.cat(args[0]);
}
}
创建 sample.policy 文件:
Create sample.policy file:
/* anyone can read write and execute within current working dir */
grant {
permission java.io.FilePermission "${user.dir}", "read,write,execute";
};
grant {
permission java.io.FilePermission "${user.dir}/*", "read,write,execute,delete";
};
/* Only code from this jar can work outside of CWD */
grant codebase "file:egPriv.jar" {
permission java.io.FilePermission "<<ALL FILES>>", "read,write,execute,delete";
};
编译然后测试:
jar cvf egPriv.jar egPriv
jar cvf eg.jar eg
echo 'Restricted' > ..file.txt
java -cp eg.jar;egPriv.jar -Djava.security.manager -Djava.security.policy=sample.policy eg.Cat ..file.txt
echo 'Open' > file.txt
java -cp eg.jar;egPriv.jar -Djava.security.manager -Djava.security.policy=sample.policy eg.Cat file.txt
这篇关于在 Java 中限制文件访问的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!