Java Security Notes (3)

王朝java/jsp·作者佚名  2006-01-09
窄屏简体版  字體: |||超大  

Welcome to the framework of Java Security-- sandbox. It's true that the sandbox which is one of nature characters belonging to all interpreting programming languages. Not like C/C++ which nears with operating system, Java lives and works in itself world, a virtual world under Java macro instructions totally controlling. So security for Java doesn't matter.

The chapter does not focus on the Java Virtual Machine Security Mechanism but security policys. From this point, the chapter is fit for those end users and administratives only.

So from adminstrative point of view, the sandbox is composed of five elements:

Permissions

Code sources

Protection domains

Policy files

Keystores

Java developers say it's platform technique. You're right. Before Java application runs in Java Virtual Machine including sandbox mechanism, administrative also program or configurate above elements to implement their security policy.

Now let's come closer to five elements.

Permission:

No matter who wants to manage Java platform, he has to cope with Java API. Permission management follow such rule. You must take advantage of Java.security.Permission to achieve your goal. That means all Java class is under monitored because there is one respective set of permissions map with one Java class to define the activities that the class is allowed to perform. However, the compromise is that the core Java API always get permission to perform anything. Now the key question is how to set permission or how to work with permission? To be frankly, I also don't know how to do this. But the book will introduce the details.

Here are core Java API permission.

**********************************************************************

File Permissions

[Type]: java.io.FilePermission

[Name]

Because the file name is different in different operating system, the specific file name should be universal.

${/}----------------/

${user.home}----------------/home/userid

${user.home}${/}file-------------------/home/userid/file

[Actions]read,write, delete and execute

So when we define one file permission, the most like statement is

permission java.io.FilePermission “<<ALL FILES>>”,

“read,write,delete,execute”;

permission java.io.FilePermission “${user.home}$/mypassword”,“read”;

I need to highlight one thing here that the file permission defined above can only take effect in Java Virtual Machine. It's eay to be destroyed by operatinh system configuration. For instance, one file is allowed to be deleted by user but has been set to read only under UNIX. If user is noy super user, he still can not delete the file as he wants.

**********************************************************************

Socket Permissions

[Type]java.net.SocketPermission

[Name]

hostname:port ,such as java.sun.com:1020.

Of couse a wildcard can be used like:127.1.10.*:8080.

Another flexible usage is '-'. You can set :

1024- means 1024 and all ports geater than 1024

-1024 means 1024 and all ports less than 1024

1-204 means from 1 to 1024 but exclude two ends

[Actions]accept, listen, connect and resolve.

permission java.net.SocketPermission “127.*:1-”,”accept, listen, connect, resolve”;

**********************************************************************

Property Permission

[Type]java.util.PropertyPermission

[Name]

Any java class or package name just like what you define in the front of source code.

[Actions]read and write

permission java.util.PropertyPermission “java.*“, “read“;

**********************************************************************

Runtime Permissions

[Type]java.lang.RuntimePermission

[Name]

There are a lot of various definitions. Please refer to sun java api document. Because many of them relate to very low level Java runtime configuration. This portion is the essential part of Java sandbox processing.

permission java.lang.RuntimePermission “queuePrintJob“;

**********************************************************************

AWT Permissions

[Type]java.awt.AWTPermission

[Name]

accessClipboard

accessEventQueue

accessRobot

listenToAllAWTEvents

readDisplayPixels

showWindowWithoutWarningBanner

[Actions]NA

So you can easy write the permission script like

permission java.awt.AWTPermission “createRobot”;

**********************************************************************

Net Permission

[Type]java.net.NetPermission

[Name]

I am not sure that what it exactly means. So I have to write the original text here for your information.

”There are three names associated with this class. specifyStreamHandler allows new stream handlers to be installed into the URL class. HTTP authentication(which is not exactly implemented by default Java implementations) requires two permissions: setDefaultAuthenticator to install the authentication class and requestPasswordAuthentication to complete the authentication.”

[Action]NA

permission java.net.NetPermission “specifyStreamHandler”;

**********************************************************************

Security Permission

[Type]java.security.SecurityPermission

[Name]

Various.

addIdentityCertificate

clearProviderProperties

...

No comment on this portion. Maybe when I finish the first five chapters, I could understand what the author states here.

**********************************************************************

Serializable Permission

[Type]java.io.SerializablePermission

[Name]

enableSubstitution and enableSubclassImplementation.

No comment too.

**********************************************************************

Reflection Permission

[Type]java.lang.reflect.ReflectPermission

[Name]

suppressAccessChecks. If granted, this permission allows reflection to examine the private variables of arbitrary classes.

No comment as well.

**********************************************************************

All Permission

[Type]java.security.AllPermission

No need to introduction. This is that famous but dummy one.

 
 
 
免责声明:本文为网络用户发布,其观点仅代表作者个人观点,与本站无关,本站仅提供信息存储服务。文中陈述内容未经本站证实,其真实性、完整性、及时性本站不作任何保证或承诺,请读者仅作参考,并请自行核实相关内容。
 
 
© 2005- 王朝網路 版權所有 導航