如何在动态类加载时保护Java应用程序?
我有一个Java/Scala应用程序,它执行磁盘IO并动态加载用户提交的类。动态类在它们自己的类加载器下运行 加载这些类时应考虑哪些安全问题,以确保它们没有权限删除磁盘上的文件或执行任何恶意操作,并且只是执行内存中的操作 我到目前为止所做的事情如何在动态类加载时保护Java应用程序?,java,scala,nio,Java,Scala,Nio,我有一个Java/Scala应用程序,它执行磁盘IO并动态加载用户提交的类。动态类在它们自己的类加载器下运行 加载这些类时应考虑哪些安全问题,以确保它们没有权限删除磁盘上的文件或执行任何恶意操作,并且只是执行内存中的操作 我到目前为止所做的事情 正则表达式检查以删除 java.io.*,java.nio.*,java.lang.reflect&java.lang.Runtime.*相关导入。 我试图看看这些导入是否可以直接从类路径中删除,而不是执行正则表达式 为动态加载的类实例的每次执行设置超
- 正则表达式检查以删除
,java.io.*
,java.nio.*
&java.lang.reflect
相关导入。 我试图看看这些导入是否可以直接从类路径中删除,而不是执行正则表达式java.lang.Runtime.*
- 为动态加载的类实例的每次执行设置超时
- 书面测试加载1000个动态加载的类,以检查PermGen问题,并且没有内存泄漏李>
有人能建议我还应该考虑什么吗?如果我的思路正确的话?不要修改你自己的解决方案,而是使用内置的来处理不同任务的各种不同权限。正如@Kayaman所说,您应该尝试使用SecurityManager处理这些动态类权限,这里有一个简单的示例来演示这一点,可能对您有所帮助 1.创建动态类策略文件,这将用于限制权限,例如,my.policy:
grant {
permission java.io.FilePermission "*", "read";
};
上述策略将为任何文件启用读取文件
2.创建自定义策略文件,该文件可用于处理具有权限的动态类
class MyPolicy extends Policy {
//custom classes with policy mapping
private final Map<String, Policy> plugins;
MyPolicy(Map<String, Policy> plugins) {
this.plugins = plugins;
}
@Override
public boolean implies(ProtectionDomain domain, Permission permission) {
CodeSource codeSource = domain.getCodeSource();
if (codeSource == null) {
return false;
}
URL location = codeSource.getLocation();
if (location != null) {
//get the custom plugin policy rules and validate the permissions
Policy plugin = this.plugins.get(location.getFile());
if (plugin != null) {
return plugin.implies(domain, permission);
}
}
return defaultSystemPermissions().implies(permission);
}
private PermissionCollection defaultSystemPermissions() {
Permissions permissions = new Permissions();
permissions.add(new AllPermission()); // this will set the application default permissions, in there we enable all
return permissions;
}
}
此外,在<>强>所有权限< /强>中,对于<强>默认应用< /强>,可能在实际场景中考虑更多。
3.setPolicy
并为您的动态策略安装SecurityManager
// load the dynamic classes
URL pluginClass = new File("./myplugin").toURI().toURL();
// read my plugin security policy
URIParameter myPolicyPath = new URIParameter(MyClass.class.getResource("/my.policy").toURI());
Policy policy = Policy.getInstance("JavaPolicy", myPolicyPath);
MyPolicy myPolicy = new MyPolicy(ImmutableMap.of(pluginClass.getPath(), policy));
Policy.setPolicy(myPolicy);
// install the security manager
System.setSecurityManager(new SecurityManager());
4.完整示例:
测试类:
public class TestClass {
public void foobar() throws IOException {
Path path = Paths.get("test.txt");
String lines = Files.readAllLines(path).stream().collect(Collectors.joining(","));
System.out.println(lines);
}
}
跑步者:
public static void main(String[] args) throws Exception{
// create a new url class loader, this can be used to load a jar or classes directory
URL pluginClass = new File("./myplugin").toURI().toURL();
URLClassLoader urlClassLoader = new URLClassLoader(new URL[]{pluginClass}, MyClass.class.getClassLoader());
// load a dynamic TestClass class
Class loadedMyClass = urlClassLoader.loadClass("TestClass");
// read my plugin security policy
URIParameter myPolicyPath = new URIParameter(MyClass.class.getResource("/my.policy").toURI());
Policy policy = Policy.getInstance("JavaPolicy", myPolicyPath);
MyPolicy myPolicy = new MyPolicy(ImmutableMap.of(pluginClass.getPath(), policy));
Policy.setPolicy(myPolicy);
// install the security manager
System.setSecurityManager(new SecurityManager());
System.out.println("Loaded class: " + loadedMyClass.getName());
Object myClassObject = loadedMyClass.getConstructor().newInstance();
Method method = loadedMyClass.getMethod("foobar");
System.out.println("Invoked method: " + method.getName());
method.invoke(myClassObject);
}
参考:
public static void main(String[] args) throws Exception{
// create a new url class loader, this can be used to load a jar or classes directory
URL pluginClass = new File("./myplugin").toURI().toURL();
URLClassLoader urlClassLoader = new URLClassLoader(new URL[]{pluginClass}, MyClass.class.getClassLoader());
// load a dynamic TestClass class
Class loadedMyClass = urlClassLoader.loadClass("TestClass");
// read my plugin security policy
URIParameter myPolicyPath = new URIParameter(MyClass.class.getResource("/my.policy").toURI());
Policy policy = Policy.getInstance("JavaPolicy", myPolicyPath);
MyPolicy myPolicy = new MyPolicy(ImmutableMap.of(pluginClass.getPath(), policy));
Policy.setPolicy(myPolicy);
// install the security manager
System.setSecurityManager(new SecurityManager());
System.out.println("Loaded class: " + loadedMyClass.getName());
Object myClassObject = loadedMyClass.getConstructor().newInstance();
Method method = loadedMyClass.getMethod("foobar");
System.out.println("Invoked method: " + method.getName());
method.invoke(myClassObject);
}