AccessController.doPrivileged 不念不忘少年蓝@ 2022-05-31 03:10 80阅读 0赞 转自: http://blog.csdn.net/jiaotuwoaini/article/details/70176021 在某一个线程的调用栈中,当 AccessController 的 checkPermission 方法被最近的调用程序(例如 A 类中的方法)调用时,对于程序要求的所有访问权限,ACC 决定是否授权的基本算法如下: 1. 如果调用链中的某个调用程序没有所需的权限,将抛出 AccessControlException; 2. 若是满足以下情况即被授予权限: a. 调用程序访问另一个有该权限域里程序的方法,并且此方法标记为有访问“特权”; b. 调用程序所调用(直接或间接)的后续对象都有上述权限。 当然了,Java SDK 给域提供了 doPrivileged 方法,让程序突破当前域权限限制,临时扩大访问权限。 创建一个项目projectX: 1. 2. **public****class** FileUtil \{ 3. // 工程 A 执行文件的路径 4. **private****final****static** String FOLDER\_PATH = "C:\\\\Users\\\\dushangkui\\\\workspace\\\\projectX\\\\bin"; 5. 6. **public****static****void** makeFile(String fileName) \{ 7. **try** \{ 8. // 尝试在工程 A 执行文件的路径中创建一个新文件 9. File fs = **new** File(FOLDER\_PATH + "\\\\" \+ fileName); 10. fs.createNewFile(); 11. \} **catch** (AccessControlException e) \{ 12. e.printStackTrace(); 13. \} **catch** (IOException e) \{ 14. e.printStackTrace(); 15. \} 16. \} 17. 18. **public****static****void** doPrivilegedAction(**final** String fileName) \{ 19. // 用特权访问方式创建文件 20. AccessController.doPrivileged(**new** PrivilegedAction<String>() \{ 21. @Override 22. **public** String run() \{ 23. makeFile(fileName); 24. **return****null**; 25. \} 26. \}); 27. \} 28. \} 创建另一个项目projectY 1. 2. **public****class** DemoDoPrivilege \{ 3. 4. **public****static****void** main(String\[\] args) \{ 5. System.out.println("\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*"); 6. System.out.println("I will show AccessControl functionality..."); 7. 8. System.out.println("Preparation step : turn on system permission check..."); 9. // 打开系统安全权限检查开关 10. System.setSecurityManager(**new** SecurityManager()); 11. System.out.println(); 12. 13. System.out.println("~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~"); 14. System.out.println("Create a new file named temp1.txt via privileged action ..."); 15. // 用特权访问方式在工程 A 执行文件路径中创建 temp1.txt 文件 16. FileUtil.doPrivilegedAction("temp1.txt"); 17. System.out.println("~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~"); 18. System.out.println(); 19. 20. System.out.println("/"); 21. System.out.println("Create a new file named temp2.txt via File ..."); 22. **try** \{ 23. // 用普通文件操作方式在工程 A 执行文件路径中创建 temp2.txt 文件 24. File fs = **new** File( 25. "C:\\\\Users\\\\dushangkui\\\\workspace\\\\projectX\\\\temp2.txt"); 26. fs.createNewFile(); 27. \} **catch** (IOException e) \{ 28. e.printStackTrace(); 29. \} **catch** (AccessControlException e1) \{ 30. e1.printStackTrace(); 31. \} 32. System.out.println("/"); 33. System.out.println(); 34. 35. System.out.println("-----------------------------------------"); 36. System.out.println("create a new file named temp3.txt via FileUtil ..."); 37. // 直接调用普通接口方式在工程 A 执行文件路径中创建 temp3.txt 文件 38. FileUtil.makeFile("temp3.txt"); 39. System.out.println("-----------------------------------------"); 40. System.out.println(); 41. 42. System.out.println("\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*"); 43. \} 44. \} 在projectY根目录下面创建策略文件MyPolicy.txt **\[java\]** [view plain][] [copy][view plain] 1. // 授权工程 A 执行文件路径中文件在本目录中的写文件权限 2. grant codeBase "file:D:/lianjia/20180130test/-" { permission java.io.FilePermission "D:/lianjia/20180130test/-", "write"; }; 3. 配置JVM运行参数 -Djava.security.policy=.\\\\MyPolicy.txt ![20170415103929572][] \-Djava.security.manager //打开 安全策略 \-Djava.security.policy=.\\\\MyPolicy.txt //制定安全侧路位置 Java默认不打开安全检查,如果不打开,本地程序拥有所有权限: **\[java\]** [view plain][] [copy][view plain] 1. \*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\* 2. I will show AccessControl functionality... 3. Preparation step : turn on system permission check... 4. 5. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 6. Create a **new** file named temp1.txt via privileged action ... 7. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 8. 9. / 10. Create a **new** file named temp2.txt via File ... 11. / 12. 13. \----------------------------------------- 14. create a **new** file named temp3.txt via FileUtil ... 15. \----------------------------------------- 16. 17. \*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\* 如果添加 运行VM option : **\[java\]** [view plain][] [copy][view plain] 1. \*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\* 2. I will show AccessControl functionality... 3. Preparation step : turn on system permission check... 4. 5. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 6. Create a **new** file named temp1.txt via privileged action ... 7. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 8. 9. / 10. Create a **new** file named temp2.txt via File ... 11. java.security.AccessControlException: access denied ("java.io.FilePermission""C:\\Users\\dushangkui\\workspace\\projectX\\temp2.txt""write") 12. at java.security.AccessControlContext.checkPermission(Unknown Source) 13. at java.security.AccessController.checkPermission(Unknown Source) 14. at java.lang.SecurityManager.checkPermission(Unknown Source) 15. at java.lang.SecurityManager.checkWrite(Unknown Source) 16. at java.io.File.createNewFile(Unknown Source) 17. at com.dusk.DemoDoPrivilege.main(DemoDoPrivilege.java:33) 18. / 19. 20. \----------------------------------------- 21. create a **new** file named temp3.txt via FileUtil ... 22. java.security.AccessControlException: access denied ("java.io.FilePermission""C:\\Users\\dushangkui\\workspace\\projectX\\bin\\temp3.txt""write") 23. at java.security.AccessControlContext.checkPermission(Unknown Source) 24. at java.security.AccessController.checkPermission(Unknown Source) 25. at java.lang.SecurityManager.checkPermission(Unknown Source) 26. at java.lang.SecurityManager.checkWrite(Unknown Source) 27. at java.io.File.createNewFile(Unknown Source) 28. at com.dusk.FileUtil.makeFile(FileUtil.java:17) 29. at com.dusk.DemoDoPrivilege.main(DemoDoPrivilege.java:45) 30. \----------------------------------------- 31. 32. \*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\* 在某一个线程的调用栈中,当 AccessController 的 checkPermission 方法被最近的调用程序(例如 A 类中的方法)调用时,对于程序要求的所有访问权限,ACC 决定是否授权的基本算法如下: 1. 如果调用链中的某个调用程序没有所需的权限,将抛出 AccessControlException; 2. 若是满足以下情况即被授予权限: a. 调用程序访问另一个有该权限域里程序的方法,并且此方法标记为有访问“特权”; b. 调用程序所调用(直接或间接)的后续对象都有上述权限。 当然了,Java SDK 给域提供了 doPrivileged 方法,让程序突破当前域权限限制,临时扩大访问权限。 创建一个项目projectX: **\[java\]** [view plain][] [copy][view plain] 1. **package** com.dusk; 2. 3. **import** java.io.File; 4. **import** java.io.IOException; 5. **import** java.security.AccessControlException; 6. **import** java.security.AccessController; 7. **import** java.security.PrivilegedAction; 8. 9. **public****class** FileUtil \{ 10. // 工程 A 执行文件的路径 11. **private****final****static** String FOLDER\_PATH = "C:\\\\Users\\\\dushangkui\\\\workspace\\\\projectX\\\\bin"; 12. 13. **public****static****void** makeFile(String fileName) \{ 14. **try** \{ 15. // 尝试在工程 A 执行文件的路径中创建一个新文件 16. File fs = **new** File(FOLDER\_PATH + "\\\\" \+ fileName); 17. fs.createNewFile(); 18. \} **catch** (AccessControlException e) \{ 19. e.printStackTrace(); 20. \} **catch** (IOException e) \{ 21. e.printStackTrace(); 22. \} 23. \} 24. 25. **public****static****void** doPrivilegedAction(**final** String fileName) \{ 26. // 用特权访问方式创建文件 27. AccessController.doPrivileged(**new** PrivilegedAction<String>() \{ 28. @Override 29. **public** String run() \{ 30. makeFile(fileName); 31. **return****null**; 32. \} 33. \}); 34. \} 35. \} 创建另一个项目projectY **\[java\]** [view plain][] [copy][view plain] 1. **package** com.dusk; 2. 3. **import** java.io.File; 4. **import** java.io.IOException; 5. **import** java.security.AccessControlException; 6. 7. **import** com.dusk.FileUtil; 8. 9. **public****class** DemoDoPrivilege \{ 10. 11. **public****static****void** main(String\[\] args) \{ 12. System.out.println("\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*"); 13. System.out.println("I will show AccessControl functionality..."); 14. 15. System.out.println("Preparation step : turn on system permission check..."); 16. // 打开系统安全权限检查开关 17. System.setSecurityManager(**new** SecurityManager()); 18. System.out.println(); 19. 20. System.out.println("~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~"); 21. System.out.println("Create a new file named temp1.txt via privileged action ..."); 22. // 用特权访问方式在工程 A 执行文件路径中创建 temp1.txt 文件 23. FileUtil.doPrivilegedAction("temp1.txt"); 24. System.out.println("~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~"); 25. System.out.println(); 26. 27. System.out.println("/"); 28. System.out.println("Create a new file named temp2.txt via File ..."); 29. **try** \{ 30. // 用普通文件操作方式在工程 A 执行文件路径中创建 temp2.txt 文件 31. File fs = **new** File( 32. "C:\\\\Users\\\\dushangkui\\\\workspace\\\\projectX\\\\temp2.txt"); 33. fs.createNewFile(); 34. \} **catch** (IOException e) \{ 35. e.printStackTrace(); 36. \} **catch** (AccessControlException e1) \{ 37. e1.printStackTrace(); 38. \} 39. System.out.println("/"); 40. System.out.println(); 41. 42. System.out.println("-----------------------------------------"); 43. System.out.println("create a new file named temp3.txt via FileUtil ..."); 44. // 直接调用普通接口方式在工程 A 执行文件路径中创建 temp3.txt 文件 45. FileUtil.makeFile("temp3.txt"); 46. System.out.println("-----------------------------------------"); 47. System.out.println(); 48. 49. System.out.println("\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*"); 50. \} 51. \} 在projectY根目录下面创建策略文件MyPolicy.txt **\[java\]** [view plain][] [copy][view plain] 1. // 授权工程 A 执行文件路径中文件在本目录中的写文件权限 2. grant codebase "file:C:/Users/dushangkui/workspace/projectX/bin" 3. \{ 4. permission java.io.FilePermission 5. "C:\\\\Users\\\\dushangkui\\\\workspace\\\\projectX\\\\bin\\\\\*", "write"; 6. \}; 配置JVM运行参数 -Djava.security.policy=.\\\\MyPolicy.txt ![20170415103929572][] Java默认不打开安全检查,如果不打开,本地程序拥有所有权限: **\[java\]** [view plain][] [copy][view plain] 1. \*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\* 2. I will show AccessControl functionality... 3. Preparation step : turn on system permission check... 4. 5. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 6. Create a **new** file named temp1.txt via privileged action ... 7. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 8. 9. / 10. Create a **new** file named temp2.txt via File ... 11. / 12. 13. \----------------------------------------- 14. create a **new** file named temp3.txt via FileUtil ... 15. \----------------------------------------- 16. 17. \*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\* 如果去掉注释: **\[java\]** [view plain][] [copy][view plain] 1. \*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\* 2. I will show AccessControl functionality... 3. Preparation step : turn on system permission check... 4. 5. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 6. Create a **new** file named temp1.txt via privileged action ... 7. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 8. 9. / 10. Create a **new** file named temp2.txt via File ... 11. java.security.AccessControlException: access denied ("java.io.FilePermission""C:\\Users\\dushangkui\\workspace\\projectX\\temp2.txt""write") 12. at java.security.AccessControlContext.checkPermission(Unknown Source) 13. at java.security.AccessController.checkPermission(Unknown Source) 14. at java.lang.SecurityManager.checkPermission(Unknown Source) 15. at java.lang.SecurityManager.checkWrite(Unknown Source) 16. at java.io.File.createNewFile(Unknown Source) 17. at com.dusk.DemoDoPrivilege.main(DemoDoPrivilege.java:33) 18. / 19. 20. \----------------------------------------- 21. create a **new** file named temp3.txt via FileUtil ... 22. java.security.AccessControlException: access denied ("java.io.FilePermission""C:\\Users\\dushangkui\\workspace\\projectX\\bin\\temp3.txt""write") 23. at java.security.AccessControlContext.checkPermission(Unknown Source) 24. at java.security.AccessController.checkPermission(Unknown Source) 25. at java.lang.SecurityManager.checkPermission(Unknown Source) 26. at java.lang.SecurityManager.checkWrite(Unknown Source) 27. at java.io.File.createNewFile(Unknown Source) 28. at com.dusk.FileUtil.makeFile(FileUtil.java:17) 29. at com.dusk.DemoDoPrivilege.main(DemoDoPrivilege.java:45) 30. \----------------------------------------- 31. 32. \*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\* [view plain]: http://blog.csdn.net/jiaotuwoaini/article/details/70176021# [20170415103929572]: /images/20220531/55b7f233e74d42c3962eede2035f75e5.png
还没有评论,来说两句吧...