SecurityManager surprises
I wanted to create a very restrictive security manager, so I extended SecurityManager and overrode all the custom checkXXX methods.
But then I found out that my security manager is useless, because anyone can just:
System.setSecurityManager(null);
So I have to add:
@Override
public void checkPermission(Permission perm) {
    if (perm.getName().equals("setSecurityManager")) {
        throw new SecurityException("You shall have no other security manager but me!");
    }
}
Are there any more surprises? Any other things I have to do to make my SecurityManager hermetic?
There are at least a couple of things I can think of:
- Someone could use reflection to set the System.security field to accessible, and then set it to whatever they want.
- Someone could use sun.misc.Unsafe to directly overwrite your instance in memory with whatever random thing they want.

I think your SecurityManager can guard against these things, since they both rely on calls to Field.setAccessible(). But better to test it out to make sure.
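
The test the answer recommends, as an added example that is not part of the original posts: a manager that denies both its own replacement and Field.setAccessible(), plus two probes that confirm the denials. The names LockedDownManagerDemo, LockedDownManager and Holder are hypothetical, Holder stands in for a private static field such as the one System keeps its manager in, and a JDK 8 to 17 runtime is assumed (later releases restrict or remove System.setSecurityManager()).

```java
import java.lang.reflect.Field;
import java.lang.reflect.ReflectPermission;
import java.security.Permission;

// Added example. Assumes JDK 8-17, where System.setSecurityManager() still works at runtime.
public class LockedDownManagerDemo {

    // Hypothetical manager: denies its own replacement and reflective access-check suppression.
    static class LockedDownManager extends SecurityManager {
        @Override
        public void checkPermission(Permission perm) {
            if (perm instanceof RuntimePermission && "setSecurityManager".equals(perm.getName())) {
                throw new SecurityException("replacing the security manager is denied");
            }
            // Field.setAccessible(true) asks for this permission before lifting access checks.
            if (perm instanceof ReflectPermission && "suppressAccessChecks".equals(perm.getName())) {
                throw new SecurityException("Field.setAccessible() is denied");
            }
            // Everything else is allowed here only to keep the demo short.
        }
    }

    // Constructed stand-in for a private static field that code might try to open up.
    static class Holder { private static Object secret = "original"; }

    // True if the installed manager refuses to be replaced.
    static boolean replacementDenied() {
        try { System.setSecurityManager(null); return false; }
        catch (SecurityException expected) { return true; }
    }

    // True if the installed manager refuses to make a private field accessible.
    static boolean setAccessibleDenied() throws NoSuchFieldException {
        Field f = Holder.class.getDeclaredField("secret");
        try { f.setAccessible(true); return false; }
        catch (SecurityException expected) { return true; }
    }

    public static void main(String[] args) throws Exception {
        System.setSecurityManager(new LockedDownManager());
        System.out.println("setSecurityManager(null) denied: " + replacementDenied());
        System.out.println("Field.setAccessible(true) denied: " + setAccessibleDenied());
    }
}
```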