How to use custom Spi policy

I am trying to implement a custom java.security.Permission type that needs to be checked at runtime (so not through a policy file, but in code). This check is performed with java.security.Policy. I realized that for this I have to implement my own java.security.PolicySpi.

I can not find any explanation on how to initialize and use PolicySpi, or is there a better way to do this?


Permission check

In your question, you stated that you want to check the permission with java.security.Policy, but without using a spi.policy file.

PolicySpi API , PolicySpi 4 :

PolicySpi, .

:

, , , java.security.CodeSource .

:

/**
 * Prints the permissions that the currently installed {@link Policy} grants to
 * code loaded from {@code file:/c:/*}.
 *
 * <p>Note: {@code java.security.Policy} is deprecated for removal since Java 17
 * (JEP 411), so this only applies to runtimes that still support it.
 */
public static void main(String[] args) {
    try {
        // No signer certificates; the cast picks the Certificate[] overload of
        // the CodeSource constructor, which a bare null would leave ambiguous.
        final URL location = new URL("file:/c:/*");
        final CodeSource source =
                new CodeSource(location, (java.security.cert.Certificate[]) null);

        // Ask the installed policy what it grants to that code source.
        final Policy installed = Policy.getPolicy();
        System.out.println(installed.getPermissions(source));
    } catch (IOException e) {
        e.printStackTrace();
    }
}

SecurityManager checkPermission() .

For example, a FilePermission can be checked like this:

// Ask the access controller whether the current calling context holds read
// access to "path/file"; an AccessControlException is thrown when it does not.
AccessController.checkPermission(new FilePermission("path/file", "read"));

java.lang.RuntimePermission.

:



previous PolicySpi ( Policy ). , PolicySpi Policy.

  • Implement a JCA Provider.

    package com.example;
    
    import java.security.AccessController;
    import java.security.PrivilegedAction;
    import java.security.Provider;
    
    /**
     * JCA provider whose only service is the "TestPolicy" policy implementation.
     */
    public final class TestProvider extends Provider {

        private static final long serialVersionUID = 5544432861418770903L;

        /**
         * Creates the provider and registers its policy service.
         */
        public TestProvider() {
            super("TestProvider", 1, "TestProvider 1.0");
            // Registration runs in a privileged block so that it uses this
            // class's own permissions rather than those of whoever instantiates
            // the provider.
            AccessController.doPrivileged(new PrivilegedAction<Void>() {
                @Override
                public Void run() {
                    putService(new TestPolicySpiService(TestProvider.this));
                    return null;
                }
            });
        }

    }
    
  • Define the Service that the provider registers.

    package com.example;
    
    import java.security.Policy.Parameters;
    import java.security.PolicySpi;
    import java.security.Provider;
    import java.security.Provider.Service;
    import java.util.Collections;
    
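    /**
     * Service descriptor that exposes {@code TestPolicySpi} under the service
     * type "Policy" and the algorithm name "TestPolicy".
     */
    final class TestPolicySpiService extends Service {

        /**
         * @param p the provider that owns this service
         */
        TestPolicySpiService(Provider p) {
            // No aliases and no attributes are declared for this service.
            super(p, "Policy", "TestPolicy", PolicySpi.class.getName(), Collections.emptyList(), Collections.emptyMap());
        }

        /**
         * Creates the policy implementation.
         *
         * @param constructorParameter {@code null} or a {@link Parameters} instance
         * @return a new {@code TestPolicySpi}
         * @throws java.security.InvalidParameterException if a non-null parameter
         *         of an unsupported type is supplied
         */
        @Override
        public PolicySpi newInstance(Object constructorParameter) {
            // Fail closed: a parameter object of the wrong type used to be dropped
            // silently, leaving the caller with a policy built without the
            // configuration it asked for.
            if (constructorParameter != null && !supportsParameter(constructorParameter)) {
                throw new java.security.InvalidParameterException(
                        "Unsupported policy parameter type: " + constructorParameter.getClass().getName());
            }
            return new TestPolicySpi((Parameters) constructorParameter);
        }

        /**
         * @return {@code true} only when {@code parameter} is a {@link Parameters}
         *         instance; {@code null} is reported as unsupported
         */
        @Override
        public boolean supportsParameter(Object parameter) {
            return parameter instanceof Parameters;
        }

    }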
    
  • Write the implementation itself (the PolicySpi).

    package com.example;
    
    import java.security.Permission;
    import java.security.Policy.Parameters;
    import java.security.PolicySpi;
    import java.security.ProtectionDomain;
    
    /**
     * Policy implementation that answers "no" to every permission query it receives.
     * A real implementation would base its answer on the protection domain and the
     * requested permission.
     */
    final class TestPolicySpi extends PolicySpi {

        /** Answer given to every query: the permission is not granted. */
        private static final boolean DENIED = false;

        /**
         * @param policyParams accepted so the service can pass them through; not used
         */
        TestPolicySpi(Parameters policyParams) {
            // nothing to configure
        }

        /**
         * @return always {@code false}, whatever the domain or permission
         */
        @Override
        protected boolean engineImplies(ProtectionDomain domain, Permission permission) {
            return DENIED;
        }

    }
    
  • Register the provider, either statically through a security.provider.n entry in JAVA_HOME/lib/security/java.security, or programmatically with java.security.Security.addProvider(Provider)/java.security.Security.insertProviderAt(Provider, int).

  • Install the Policy.

    package com.example;
    
    import java.security.NoSuchAlgorithmException;
    import java.security.Policy;
    
    /**
     * Installs the "TestPolicy" policy, switches on a security manager and then
     * attempts a guarded operation to show the policy taking effect.
     *
     * <p>Note: {@code Policy} and {@code SecurityManager} are deprecated for removal
     * since Java 17 (JEP 411). From Java 18 on, {@code System.setSecurityManager}
     * throws {@code UnsupportedOperationException} unless the JVM was started with
     * {@code -Djava.security.manager=allow}.
     */
    public class Main {

        public static void main(String... args) throws NoSuchAlgorithmException {
            // the following assumes that the provider has been statically registered
            final Policy testPolicy = Policy.getInstance("TestPolicy", null);

            // The policy goes in before the security manager: once a manager is
            // active, Policy.setPolicy is itself subject to a permission check.
            Policy.setPolicy(testPolicy);
            final SecurityManager manager = new SecurityManager();
            System.setSecurityManager(manager);

            // test
            final String home = System.getProperty("user.home"); // should raise AccessControlException
            System.out.println(home);
        }

    }
    

?

Alternatively, a Policy instance can be supplied directly to Policy.setPolicy(Policy).

