JavaTM security architecture 3

zhaozj2021-02-08  343

JavaTM security architecture (JDK1.2)

3. Licensing and Security Policy 3.1 Licensing classes? The licensing class represents access to system resources. The Java.Security.Permission class is an abstract class and generates subclasses when appropriate to represent specific access.

As an example of a license, the following code can be used to generate a license for files named "ABC" in the / TMP directory? Br>

Perm = new java.io.filepermission ("/ TMP / ABC", "Read");

The new license class can be generated by inheriting the Permission class or its subclass (such as java.security.basicpermission). Licensed (not BasicPermission) that has become subclasses is usually their own packages. Therefore, FILEPERMISSION can be found in java.io.package.

An abstract method implemented by each licensed new class is an Implies method. In general, "A Implies B" means that if you have been licensed "A", then you are naturally awarded "B". This is very important in access control decisions.

Together with abstract class java.security.permission is known as the abstract class and leaf class java.security.permissions for Java.Security.PermissionCollection.

The Java.Security.PermissionCollection class represents a collection of a single category (such as a file license) Permission object (for example, a set that allows copying) to facilitate packet. When the license can be added to the PermissionCollection object in any order, when the Implies function is called, the PermissionCollection object ensures that the correctness of the post semantic is critical.

The Java.Security.Permissions class represents a collection of PERMISSION objects, or in other words, is a supercomer for heterogeneous licenses.

Applications can add new types of licenses for system support. The method of adding this special application license will be discussed later.

Now let's explain the syntax and semantics of all built-in licenses.

3.1.1 java.security.permission?

This abstraction class is all licensed ancestors, which defines the basic functions required for all licenses.

Typically, each license instance is generated by passing one or more string parameters to the constructor. In normal cases with two parameters, the first parameter is usually "target name" (such as a file of a file as a license target), the second parameter is an action (such as "reading" on a file). In general, a set of motions can be specified together with a comma-separated composite string.

3.1.2 java.security.permissioncollection

This class has mastered a similar collection of licensed. In other words, each instance of the class masters only the same type of license.

3.1.3 java.security.permissions

Design This class is to master licensed heterogeneous collection. Basically, it is a collection of java.security.permissioncollection objects.

3.1.4 java.security.unResolvedPermission

Under normal circumstances, the internal state of a security policy is represented by license objects associated with each code source. However, in view of the dynamics of Java technology, when the policy is activated, actual code to implement a specific license class may not be loaded and defined in the Java environment. For example, a benchmark license class may be in the JAR file, and the file will be loaded later. The UnresolvedPermission class is used to master this "unresolved" license. Similarly, the Java.Security.unResolvedPermissionCollection class stores the collection of unresolvedPermission licenses.

In the access control check for a previously unresolved type (but its class has been loaded), the unresolved license is "solved" and makes appropriate access control decisions. That is: If possible, the information based on UnreSolvedPermission is instantiated, and this new object replaces UnresolvedPermission.

If the license is still unresolved, the license is considered invalid, just in a security policy, it has never been granted.

3.1.5 java.io.filepermission

The goal of this class can be explained by the following methods, here, the directory and file names are strings that do not include spaces.

file

firectory (like Directory)

firectory / file

firectory / * (all files under Directory Directory)

? (All files in the current directory)

Firectory / - (all files in the file system under the directory Directory)

? (All files in the file system in the current directory)

"All Files" (all files in the file system)

?

Note "" "Is a special string used to indicate all files in the system. In UNIX systems, it includes all files in the root directory; in the MS-DOS system, it includes all files in all drives.

This type of action is: read, write, delete, and execute (Read, White, Delete and Execute). The following is a valid code sample for creating a file license:

Port java.io.filepers;

FILEPERMISSION P = New FILEPERMISSION ("MyFile", "Read, Write");

filepermission p = new filepermission ("/ home / gong /", "read");

FILEPERMISSION P = New Filepermission ("/ TMP / MyTMP", "Read, Delete");

FILEPERMISSION P = New FilePermission ("/ bin / *", "execute");

FILEPERMISSION P = New FilePermission ("*", "read");

FILEPERMISSION P = New FILEPERMISSION ("/ -", "Read, Execute");

FILEPERMISSION P = New FilePermission ("-", "Read, Execute");

FILEPERMISSION P = New FILEPERMISSION ("All Files", "Read");

The Implies method in this class can correctly explain the file system. For example, FILEPERMISSION ("/ -", "Read, Execute") is implicit

FILEPERMISSION ("/ Home / Gong / Public_HTML / INDEX.HTML", "Read");

FILEPERMISSION ("/ bin / *", "execute") implies

FILEPERMISSION ("Bin / Emacs19.13", "Execute").

Note: Most of these strings are given in formats that depend on the platform. For example, to indicate reading access to files named "foo" in the "TEMP" directory in the Windows system C drive, you can use:

FILEPERMISSION P = New FilePermission ("C: // Temp // Foo", "Read");

It is necessary to use a double reverse slash to represent a single-reverse slope. Because the string is processed by a tokenizer (Java.io.StreamTokenizer), it allows "/" as a changing string to use (for example, "/ n" means a new row), so we need double Antilaline is replaced by the function of single-reverse slope. After TOKENIZER has been processed for the above filepermission target string, convert the double-reverse slash to a single reverse slope, the last result is the actual path:

"C: / TEMP / FOO"

Before the global file description language occurs, the string should be given in the format of the platform, this is necessary. Also note that wildcards (such as "*" and "-", etc.) affect the use of special file names. We think this is a small limit that can tolerance. Finally, pay attention to "/ -" and "All Files" "in the UNIX system is the same target, they all represent the entire file system (if any, they can also represent multiple file systems); in other operating systems Both (such as MS Windows, MacOS), these two goals may be different.

It is also important to note that only the target name of the directory and "Read" action in the following column, indicating that you are only allowed to list the file name in that directory, and you cannot read them.

FILEPERMISSION P = New FilePermission ("/ Home / Gong", "Read");

To allow reading access to files, you must point out a clear file name, or "*", or "-", as shown below:? Br>

FILEPERMISSION P = New FilePermission ("/ Home / Gong / MyFile", "Read");

FILEPERMISSION P = New FilePermission ("/ Home / Gong / *", "Read");

FILEPERMISSION P = New FilePermission ("/ Home / Gong / -", "Read");

Not, note that the code always has a license for reading files on the same URL location, including the subdirectories at that location; this does not require a clear license. 3.1.6 java.net.socketpermission

This class represents access to a network via Sockets. The object of this class can be given to "Hostname: Port_Range", where HostName here is available in the following manner:

Hostname (a host) IP address (a host) "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" All hosts) * .subdomain.domain * (all hosts)? / Pre>?

That is, the host is represented as a DNS name, or a digital IP address, or "localhost" (for local machine), or "it" (it is equivalent to the specified "localhost".

The wildcard "*" may be used in the DNS name host specification, in which case it must be placed at the leftmost, such as "* .sun.com". ? br>

Port_Range can be given as follows:

N (a single port)

N- (all ports of port N and above)

-N (port n and all ports below)

N1-N2 (all ports between N1 and N2, including N1 and N2)

N, N1 and N2 here are non-negative integers, ranging from 0 to 65535 (2 ^ 16-1). ? br>

Action on the Socket has Accept, Connect (Connections), Listen (Listening), and Resolve (which are basic DNS queries). Please note that the action "resolve" is impressed by "Accept", "Connect", "Connect" and "Listen", that is, those can listen, accept the connection from the host or start a connection pointing to another host. Class, you should be able to query the name of the remote host.

The following is some examples of the Socket license:

Import java.net.socketpermission;

SocketPermission P = New Socketpermission ("java.sun.com", "accept");

P = New SocketPermission ("204.160.241.99", "accept");

P = New SocketPermission ("* .com", "connect");

P = new socketpermission ("* .sun.com: 80", "accept");

P = new socketpermission ("* .sun.com: -1023", "accept");

P = new socketpermission ("* .sun.com: 1024-", "connect");

P = New SocketPermission ("java.sun.com: 8000-9000", "connect, accept");

P = New SocketPermission ("Localhost: 1024-", "Accept, Connect, Listen");?

Please note that SocketPermission ("Java.sun.com: 80, 8080", "Accept") and SocketPermission ("java.sun.com, javasun.sun.com", "accept") is not a valid Socket license.

In addition, Listen is only actions used for local host ports, while Accept is not only available for local host ports, but also the actions of remote host ports. Both movements are required.

3.1.7 java.security.basicPermission? / B>

The BasicPerMission class inherits the Permission class, which can be used as a base class, and is called BasicPermission in accordance with the same naming convention.

A BasicPermission name is the name of a particular license (for example, "EXITVM", "SetFctory", "QueuePrintJob", etc.). Name is performed in accordance with all level naming practices. The asterisk may appear in the last name to represent a wildcard match, and there may be "." Or not. For example: "java. *" Or "*" is valid, "* java" or "a * b" is invalid.

The action string cannot be used (inherited from permission). Therefore, BasicPermission is generally used as a "named" licensed base class (these licenses contains name but no action list; you may have named licenses, or may not be). If you prefer, the subclass may act in the upper layer of the BasicPermission. Some BasicPermissions have java.lang.RuntimePermission, java.security.securityPermission, java.util.propertypermission, java.util.propertypermission,? Br> java.net.netpermission? / Font>? 3.1.8 java.util.propertypermission

The basic objective of this class is to set the Java property name in various attribute files, such as "java.home" and "os.name" properties. The target can be specified as "*" (all attributes), "a. *" (Whose name has a full property of the prefix a.) And "A.B. *", etc. Note that wildcards can only appear once and must be on the rightmost end.

This class is one of the BasicPermission subclasses, which implements actions on the BasicPermission. This action is read and written, which is defined as follows: "READ" license allows the getProperty method to be called to obtain the attribute value, "White" license allows the setProperty method to set the attribute value. 3.1.9 java.lang.RuntimePermission

A RuntimePermission target can be represented by any string, and no action is associated with the target. For example, RuntimePermission ("EXITVM") means a license to exit Java virtual machines. Target name: CREATECLASSLOADER

GetClassLoader

SetContextClassLoader

SetSecurityManager

CreateCurityManager

EXITVM

SetFactory

setio

Modifythread

StopThread

Modifythreadgroup

GetProtectionDomain

ReadFileDescriptor

WritefileDescriptor

LoadLibrary. {library name}

AccessClassInpackage. {package name}

DefineClassInpackage. {package name}

AccessDeclaredmembers. {Class Name}

QueuePrintJob

? 3.1.10 java.awt.awtpermission

It is the same as RuntimePermission and is also a license without action. Its objective name is:

AccessClipboard

AccessEventqueue

ListentoallawTevents

ShowWindowwithoutWarningbannenner 3.1.11 java.net.netpermission

This class contains the following objectives and no action:

RequestPasswordAuthenTPasswordAuthentication

SetDefaultAuthenTicator

SpecifyStreamHandler 3.1.12 java.lang.reflect.ReflectperMission

This is a PERMISSION class that is reflected. A ReflectPermission is a naming license (similar to RuntimePermission) and has no action. The only name currently defined is:

SuppressAccessChecks? Br>

It allows for an access check for standard Java programming languages ​​implemented by reflective objects, ie public, default, protected and privately-friendly access checks in its class. In other words, after an instance has the license, it can access the public, default, protected and private member of the reflective object. 3.1.13 java.io.serializablepermission? Br>

This class contains the following goals and no action:? Br>

EnableSubclassImplementation

EnableSubstitution? Br> 3.1.14 java.security.securityPermission? Br>

SecurityPermission controls access to security-related objects, such as object security, policy, provider, signer, and identity, etc. This class contains the following objectives and no action: getPolicy

SetPolicy

GetProperty. {key}

SetProperty. {key}

INSERTPROVIDER. {Provider Name}

REMOVEPROVIDER. {Provider name}

setysystesscope

SETIDENTINPUBLICKEY

SetIdentityInfo

PrintIndentity

AddidentityCertificate

RemoveIdentityCertificate

ClearProviderProperties. {provider name}

PutproviderProperty. {provider name}

REMOVEPROVIDERPROPERTY. {provider name}

GetsignerPrivateKey

SetsignerKeypair

3.1.15 java.security.Allpermission

This license means all licenses. It is designed to simplify system administrators, as system administrators may need to perform multiple requirements for all (or large) licensed tasks. Repeated definition licenses are obviously cumbersome. Note that Allpermission also means a new license defined in the future. ? Br> When using this license, it should be carefully considered. 3.1.16 Licensing Meaning Discussion

Recall that we have found that the license is often compared, and in order to facilitate this comparison, we ask each license class to define an Implies method, which indicates how the specific license class is related to other license classes. For example, java.io.filepermission ("/ temp / *", "read") implies java.io.filePermission ("/ Temp / A.txt", "Read"), but does not hide any java.net. Netpermission.

Another implications may not be immediately clear about some readers. Suppose an applet is awarded a license to write all file systems, which assumes that the applet is allowed to replace the execution system, including the JVM operating environment. This effectively means that the applet has been awarded all licenses. ? br>

Another example is that if an applet is granted a license for the runtime, it is effectively awarded more licenses. Because the class loader can perform sensitive operations. ? br>

Other "Danger" licenses include licenses that allow setting system properties, runtime definition packages, and licenses loaded with local code libraries (because Java security structures can prevent local code malicious behavior), of course, there is allPermission. ? br>

For more information on licensing, including the list of risks allocated for special licenses and all JDK built-in methods of the required license, please see:? Br>

? a href = "http://java.sun.com/Products/jdk/1.2/docs/guide/security/permissions.html" Target = "_new"> http://java.sun.com/products/jdk / 1.2/docs

/Guide/security/permissions.html 3.1.17 How to create a new license

In addition to Sun Microsystems should be responsible for extension within JDK, whether by increasing functionality or by introducing additional target keywords into a class (such as java.lang.RuntimePermission), no one can take this anything. This is required, it maintains the continuity of JDK.

To create a new license, it is recommended to use the steps shown in the following example. Assuming an application developer from ABC has to create a "watch TV" user-based license.

First, create a new class com.abc.permission, which inherits abstract class java.security.permission (or one subclass); create another new COM.abc.tvpermission, which inherits com.abc. Permission. Confirm that the Implies method in other classes is implemented correctly (of course, com.abc.tvpermission can directly inherit java.security.permission; no intermediate com.abc.Permission).

Public class com.abc.permission extends java.security.permission

Public class com.abc.tvpermission extends com.abc.permission

The figure below shows the relationship between subclasses: Second, add these new classes in the application package.

Each user who wants to allow this new license must add an entry in the policy file (see the details of the policy file syntax). A code license from http://java.sun.com/, allowing it to watch the 5-channel TV policy file entry authorization code: grant codebase "http://java.sun.com/" {

Permission com.abc.tvpermission "Channel-5", "Watch";

}

In the application's resource management code, you want to see if a license should be granted, use a COM.abc.tvpermission object as a parameter to call AccessController's Checkpermission method. com.abc.tvpermission TVperm = new

Com.abc.tvpermission ("Channel-5", "Watch");

AccessController.checkpermission (TVperm);

Note that when you add a new license, you should create a new (license) class, not add new methods in SecurityManager (past, in order to check the new type of access, you must add new methods in the SecurityManager class. ).

If more refined TVPermission (for example, "Channel-1: 13" or "Channel- *") is allowed, you need to implement a TVPermissionCollection object, which knows how to handle these pseudo names.

To perform a built-in access control algorithm, the new code should always call a license check by calling the CHECKPERMISSION method of the AccessController class. There is no need to check if there is a ClassLoader or SecurityManager. On the other hand, if this algorithm leaves the installed security manager class, the method should be called SecurityManager.Checkpermission. 3.2 java.security.coDesource

This class inherits the concept of the code base base base (codebase), but also the encapsulation code location (URL), but also encapsulates the public key (this public key can be used to verify the digital certificate from the number signature from that position). . Please note that this is not an equivalent of the CodeBase tag in the HTML file. Each certificate is represented as java.security.cert.certificate, each URL is expressed as java.net.url. 3.3 java.security.policy

The system security policy for the Java application environment illustrates the available licenses from different places, it is represented by the Policy object. In particular, use a Policy subclass, the subclass implements an abstraction method in the Policy class.

In order to enable an applet (or an application running in SecurityManager) can be allowed to perform secure action, such as reading or writing files, the applet (or application) must be granted licenses for that particular action. The only exception is that the code always has a license for reading files from the same source and subdirectory of this source, without having to clearly permit.

There may be multiple policy objects, although only one is "effective" at any time. By calling the getPolicy method, you can get the currently installed Policy object, and you can change it by calling the setPolicy method (executed by code with a license to reset the policy). When the protected domain starts its license set, the current policy is checked by a ProtectionDomain. The protection domain passes in a CODESource object, which encapsulates its code base (URL) and certificate properties. Policy object evaluates a global policy and returns an appropriate Permission object that illustrates the license from the code from the specified code source.

Resource positioning of policy information used in Policy objects is equal to Policy implementation. The configuration of the policy can be stored, for example as a flat ASCII file to store, or as a serial binary file for a Policy class to store, or as a database to store. There is a default policy implementation that gets information from the static policy configuration file.

There is no Policy object when developing a security policy. It is just a policy configured in Java runtime. 3.3.1 Policy File Format

In the default policy implementation, the policy can be specified in one or more policy configuration files. The configuration file indicates that the code from the specified code source is permitted.

A policy profile typically contains an entry list. It may contain a keystore entry and contain zero or more "GRANT" portals.

The keystore is a database that is equipped with a private key and its related digital certificates, such as the X.509 certificate chain used to authenticate the corresponding public key. KeyTool utility is used to create and manage the keystore. The keystore specified in the policy configuration file can be used to query the public key of the signer specified in the file. If any quasi-entry illustrates the alias of the signator, a keystore entry must appear in a policy configuration file.

At this point, there may be only one keystore entry in the policy file (the first after ignore), and it can appear anywhere in the file. It has the following syntax:

KeyStore "Some_KeyStore_URL", "KeyStore_Type";

Here, "Some_KeyStore_URL" specifies the keystore's URL location, "KeyStore_Type" specifies the keystore type. The latter is an option, if not specified, is assumed to be the type specified in the "KeyStore.Type" property in the security properties file.

The URL is related to the location of the policy file. Therefore, if the policy file is specified in the security properties file:

Policy.url.l = http://foo.bar.com/blah/SOME.POLICY

And the strategy file has an entry:

KeyStore ". KeyStore";

The KeyStore will be loaded from the following location:

? http://foo.bar.com/blah/.keystore

The URL can also be an absolute address.

The keystore type defines the storage form and data format of the keystore information, and defines an algorithm to protect the private key in the keystore and the integrity of the keystore itself. The default type supported by Sun Microsystems is a dedicated keystore type called "JKS".

Each level in the policy file is basically constructed from a CODESource and its license. In fact, CODESource is composed of a URL and a certificate set, and a policy file entry includes a URL and a list of signature. After querying the keystore to determine the specified signer's certificate, the system creates the corresponding CODESource.

Each level of the policy file is used in the following format. The previous "GRANT" is a reserved word that represents the beginning of a new entry, and the option appears in parentheses. In each entrance, the first "permission" is also a reserved word, which marks the beginning of a new license within the entrance. Each given entourt will grant a permit to a specified code source. Grant [Signedby "Signer_Names"] [, CodeBase "URL"] {

Permission permission_class_name ["target_name"]

[, "Action"] [, Signedby "Signer_Names"];

Permission ...

}

Allow spaces before or after any comma. The name of the license class must be all qualified class names, such as java.io.filepermission, and cannot simplify (such as simplified FILEPERMISSION)

The action field is an option, and if the license class does not need it, it can be ignored. If an action field appears, you must follow the target field.

The exact meaning of a CodeBase URL value depends on characters at the end. use "/"

The end of CodeBase can match all class files in the specified directory (excluding JAR files); use "/ *"

CodeBase ends can match all files in the specified directory (including class files and jar files); use "/ -"

The end of the CodeBase can match all files in the subdirectory in the specified directory (including class files and JAR files).

The CodeBase field (URL) is an option, if ignored, it represents "any code base address".

The first signature field is a string alias mapping by a single mechanism, which maps the mapping corresponding to the public key set (within the keystore) related to the signator. These keys are used to verify that a certain signature class is really signed by those signeders.

Fields including multiple signs can be a string separated by a comma. For example, "ADAM, EVE, Charles" means this is a word sign by ADAM and EVE and CHARLES (that is, their relationship is "and", not "or").

This field is optional. If it is ignored, it means "any signature"; in other words, "this code is signed."

The second signature field (in a Permission portal) represents an alias of a keystore entry including a public key, which corresponds to a private key used to sigute a word code that implements the above-described license class. This license entry is valid only if the implementation of the byte code is verified as the correct signature of the above alias (that is, the access control license is based on this entry).

The order between the CodeBase and the SignedBY field is irrelevant.

The following is a BNF syntax designed for the Policy file format, where the non-larger-write item is the end.

??

PolicyFile -> PolicyTry | PolicyEntry; PolicyFile

PolicyEntry -> grant {permissionentry};

Grant SignereErenTry} |

Grant CodeBasentry {permissionentry} |

Grant Signeerentry, CodeBasentry {Permissionentry} |

Grant CodeBasentry, SignerenTry {PermissionEntry} | KeyStore "URL"

SIGNERENTRY -> Signedby (a comma-separated list of strings)

CodebaseEntry -> CodeBase (a string representation of a url)

Permissionentry-> Onepermission | Onepermission Permissionentry

Onepermission -> Permission permission_class_name

["Target_Name"] [, "Action_List"]

[, SIGNERENTRY];

Now we give some examples. The following strategy will grant the code that is signed by the Roland of the Roland of A.b.foo:

Grant Signedby "ROLAND" {

Permission a.b.foo;

}

The following example grants all code (regardless of signator and / or codebase): grant {

Permission java.io.filepermission ".tmp", "r";

}

The following example will grant two licenses to code from Li and Roland:

Grant Signedby "ROLAND, Li" {

Permission java.io.filepermission "/ tmp / *", "read";

Permission java.util.propertypermission "User. *";

}

• The following example will grant two licenses to the code signed by the li and from http://java.sun.com:

Grant CodeBase "http://java.sun.com/*", signby "li" {

Permission java.io.filepermission "/ tmp / *", "read";

Permission java.io.socketpermission "*", "connect";

}

• The following example will grant two licenses to be signed by li and roland, and only when the bytecode is signed by the LI by the zi:

Grant Signedby "ROLAND, Li" {

Permission java.io.filepermission "/ tmp / *", "read";

Permission com.abc.tvpermission "Channel-5", "Watch",

Signedby "Li";

}

The reason why the second signword field is to prevent spoofing when a license class is not installed with Java. For example, a copy of com.abc.tvpermission can be downloaded as a remote JAR, and the user policy may include an entry that references it. Because the document is not long, when the com.abc.tvpermission class is downloaded for the second time (possibly from different web addresses), this is critical because of the user policy The appearance of the permission entrance may reflect the confidence and trust of the first copy of this type of one bynon code.

We chose to use digital signatures (rather than choosing the first copy of the module code, and then comparing the second copy with it) to ensure authenticity, because the author of the license can legal Change class files to reflect a new design or implementation. Please note: The file path string must adopt a platform-dependent format; it is necessary before a global file description language occurs. The above example has shown a string suitable for the Solaris system. In the Windows system, when you want to specify a file path with a string, you need to use a double reverse line to replace a single reverse slope representing the path. For example, as follows:

Grant Signedby "ROLAND" {

Permission java.io.filepermission "c: // users // cathy /// *", "read";

};? / pre>

This is because the string is processed by a tokenizer (Java.io.StreamTokenizer), which allows "/" to be used as a synthetic string (for example: "/ n" means a new line), this Requires double reverse slash instead of single-reverse slope. When Tokenizer processes the above-mentioned FilePermission target string, convert the double-reverse slash to a single reverse slash, the end result is the actual path:

"C: / users / cathy / *"? 3.3.2 Properties extension of the policy file

Properties extensions in policy files and secure properties files are possible.

Attribute extensions are similar to the expansion of the variables on a housing. That is: when the string is as follows

"$ {some.property}"

When there is a policy file or a security properties file, it will be extended to the value of the attribute of the system. E.g:

Permission java.io.Permission "$ {user.home}", "read";

The "$ {User, Home}" will be extended to use the value of the "user.home" system attribute; if the value of that property is "/ home / cathy", the above code is equivalent to the following code:

Permission java.io.filepermission "/ home / cathy", "read";

To accelerate the strategy files independent of the platform, you can also use special symbol "$ {/}", which is a shortcut to "$ {file.separator}". It allows you to use in a license definition. E.g:

Permission java.io.filepermission "$ {user.home} $ {/} *", "read";

If User.home is / home / cathy, and you are in the Solaris system, the above formula can be converted to:

Permission java.io.filepermission "/ home / cathy / *", "read";

On the other hand, if User.home is C: / Users / Cathy, and you are in a Windows system, you can convert to:

Permission java.io.filepermission "c: / users / cathy / *", "read";

In addition, as a special case, if you extend an attribute in a code base, such as: Grant CodeBase "file: / $ {java.home} / lib / ext /"

Then any file.separator characters will be automatically converted to / 's because the code base is URLS, so the above conversion is what we expect. In this way, in a Windows system, even if Java, Home is set to C: /JDK1.2, the above formula can also be converted to:

Grant CodeBase "file: / c: /jdk1.2/lib/ext/"

So you don't need to use $ {/} in the code base string (you should not be used).

Attribute extensions can occur in any place with a dual quotation marks in the policy file, including: signedby, code base, target name, and action field.

Whether to allow attribute extensions, depending on the value of the "policy.expandproperties" attribute in the security properties file. If this value is true (default), the extension is allowed.

Please note: You cannot use nested properties. E.g:

"$ {User. $ {Foo}}"

The above formula will not work, or even "foo" attribute is set to "home", nor does it work. The reason is that the attribute syntax analyzer cannot identify the nested properties. It only looks for the first "$ {" and then continue to find until the first "}" is discovered, and try to interpret the result "$ {user. $}" As an attribute. If there is no such attribute, it will fail.

Also note that if an attribute is permitted, the license entry or keystore entry cannot be expanded, the entry will be ignored. For example: If the system properties "foo" are not defined and you have:

Grant CodeBase "$ {foo}" {

Permission?

Permission?

}

All licenses performed in the entrance will be ignored. If you have:?

Grant {

Permission foo "$ {foo}"

Permission bar;

}

Then only "permission foo? The entrance is ignored. Finally, if you have:

KeyStore "$ {foo}";

The keystore entry is ignored.

Finally, pay attention, in the Windows system, when you specify a file path directly with a string, you need to use double reverse line instead of SLR slash in the path:

"C: //Users//cathy//foo.bat"

This is because the string is processed by a tokenizer (Java.io.StreamTokenizer), which allows "/" to be used as a synthetic string (for example: "/ n" means a new line), this Requires double reverse slash instead of single-reverse slope. When Tokenizer handles the above string, convert the double-reverse slash to a single reverse slash, the end result is:

"C: /users/cathy/foo.bat"

The attribute extension in a string occurs after the Tokenizer processes the string. So if you have a string "$ {user.home} // foo.bat"

The Tokenizer will first process the string, and the conversion double reverse slash is a single reverse slope, and the result is:

"$ {User.home} /foo.bat"

Then the $ {user.home} attribute is expanded, the last result is:

"C: /users/cathy/foo.bat"

Suppose the user.home value is "c: / users / cathy" (of course, it is independent of the platform), it is best to be specified at the beginning string without any explicit oblique line. As follows:

"$ {User.home} $ {/} foo.bat" 3.3.3 Assignment License

When loading a new class originated from a specific CODesource, the security mechanism queries the policy object to determine what kind of license should be given. This is done by calling the getPermission method installed on the POLICY object on the VM.

Obviously, a particular code source can match the code source given by multiple inlets in this policy. For example, since the wildcard "*" is allowed.

The following algorithms are used to locate the appropriate license in the policy:

1. If the code is signed, match the public key.

2. If the key is not found in the policy, the key is ignored; if each key is ignored, the code is not signing code.

3. If the key matches or does not explain the signage {attempts to match all URLs} in the policy

4. If one of the keys or URLs do not match, use built-in default licenses, the license is the initial sandbox license.

The exact meaning of a policy entry CodeBase URL value depends on characters at the end. use "/"

The end of CodeBase matches all class files in the specified directory (excluding JAR files); use "/ *"

The end of CodeBase matches all files in the specified directory (including class files and jar files); use "/ -"

The end of CodeBase matches all files in the subdirectory in the specified directory (including class files and JAR files).

For example, "http://java.sun.com/-" is given in the policy, and any code base address on the web address will match the policy entry. The matched code base includes "http://java.sun.com/jdk/" and "http://java.sun.com/people/gong/appl.jar".

If multiple entrances are matched, all licenses given in those portions will be granted. In other words, the license assignment is attached. For example, if the code signed with the key A is obtained, the license y is obtained with the code signed with the key B, and the specific code base base is not specified, and the code that is symbolized by the A and B will obtain the license X And Y. Similarly, if the code base base address "http://java.sun.com/-" is licensed X, with code base address "http://java.sun.com/people/*" The code gets license y and does not specify a specific signage, an applet from "http://java.sun.com/people/applet.jar" will get X and Y.

Please note that the URL is purely on the syntax. For example, a policy can give an entry, which specifies a URL "http://ftp.sun.com", which is useful only when it is possible to get Java code directly from the FTP. In order to specify URLs for the local file system, the file URL can be used. For example, you can use the files in the / home / cathy / temp directory in the Solaris system.

File: / Home / Cathy / Temp / * "

To specify a file in the Temp directory on the C drive in the Windows system, you can use:

File: / C: / Temp / * "

Note: No matter what the platform, the code base URL always uses the oblique line (not a backslash).

You can also use an absolute path name, such as:

"/ home / gong / bin / mywonderfuljava" 3.3.4 default system and user policy file

In the default policy implementation, the policy can be explained in one or more policy configuration files. What kind of license specifies what kind of license can be used for code from the specified code source.

A policy file can be made through a simple text editor, or we can use the graphic policy tool utility that will be discussed later.

By default, we have a separate system overall policy file and a separate user policy file.

The overall policy file of the system is default:

{Java.home} /lib/security/java.policy (Solaris)? Br>

{Java.home} /lib/security/java.policy (windows)

Java.home here is a system properties that specifies the directory where JDK is installed.

The user policy file defaults:

{User.home} /. Java.policy (solaris)

{User.home} /. Java.policy (windows)

The user.home here is a system properties for a specified user's starting directory.

When Policy is initialized, the system's overall policy is first loaded, and then the user policy is added. If both strategies do not appear, a built-in policy is used. This built-in policy is the same as the initial sandbox strategy.

The policy file is positioned in the security properties file, which is located:

{java.home} /lib/security/java.security (Solaris)

{java.home} /lib/security/java.security (windows)

Policy file positioning is specified as a value of an attribute, its name as follows:

Policy.url.n

The N here is a number. You can use the following line to specify each such attribute value:

Policy.url.n = URL

The URL here is an URL description. For example, the default system and user policy file are defined in the security properties file:

Policy.url.1 = file: $ {java.home} /lib/security/java.policy

Policy.url.2 = file: $ {java.home} /. java.policy

In fact, you can specify a number of URLs, including "http: //" form. All specified policy files will be loaded. You can also comment or change the second URL to make the default user policy file cannot be read.

The algorithm starts from policy.url.1 and remains increasing until it does not find a URL. So if you have policy.url.1 and policy.ur.3, policy.url.3 will always be read. When calling an application execution, you may specify an additional or different policy files. This can be implemented through the "-djava.security.policy command line" command, it sets the value of the java.security.policy property. For example, if you use:

Java -djava.security.manager -djava.security.policy = PURL SomeApp

The PURL here is a URL that specifies a policy file location, and then the specified policy file will also be loaded in addition to all policy files specified in the security properties file. ("-Djava.security.manager" index will ensure that the default security manager is installed, and the application service is checked from the policy check, just as described in "Security Management for Applets and Applications". If the application SomeApp installed There is no need to have a security manager.

If you use a double equity as follows, only the specified policy file will be used, others will be ignored.

Java -djava.security.manager -djava.security.policy = = PURL SomeApp

If you want to pass a policy file to AppletViewer, use the "-djava.security.policy" self-variable again, as shown below:

AppletViewer -j-djava.security.policy = purl myapplet

Note: If the "Policy.AllowsystemProperty property in the security properties file is set to the fake," - DJAVA.Security.Policy "policy file value will be ignored (the same is the same for Java and AppletViewer). Its default is true. 3.3.5 User Technology Policy Evaluation

The current design of the Policy class is not as complex as before. We have fully considered this issue and develop in cautiously; part of the reason is that the methods we have designed can be suitable for most general situations. At the same time, the optional policy class is given to replace the default policy class, as long as the former is a subclass of an abstract policy class and implements the getPermissions method (other methods when needed).

The default policy implementation can be changed by resetting the "Policy.Provider" security attribute (in the security properties file) to the desired Policy implementation class name. The name of the security attribute file is as follows:

{java.home} /lib/security/java.security (Solaris)

{java.home} /lib/security/java.security (windows)

Here, {java.home} means a directory with a JDK installed.

Properties policy.Provider Specifies the name of the policy class, the default value is as follows:

Policy.Provider = sun.security.provider.policyfile

For the user, you can change the value of this property to specify another class, as shown below:

Policy.Provider = com.mycom.mypolicy

Note: The MyPolicy class must be a subclass of java.security.policy. Perhaps it is worth emphasizing such a strategy coverage is a temporary solution, and a wider range of policy API will replace this method. ? 3.4 jjava.security.generalsecurityException This is a new anomaly class, which is a subclass of java.lang.exception. It tries to indicate that there should be two exception types associated with security and security packages.

Java.lang.securityException and its subclasses should be runtime exceptions (unknown, not declared), which may cause execution of a program being interrupted.

Such an exception is thrown out only when some security violation is detected. For example, when some code is trying to access a file, it does not access the license, which is thrown out. Application developers can capture these exceptions.

Java.security.generalsecurityException is a subclass of java.lang.exception (must be declared or captured), which is thrown from the secure package in all other instances.

Such abnormalities are related to security but not fatal. For example, transmitting an invalid key may not be a security violation, it should be captured and processed by the developer.

There are two exceptions in the Java.Security package, they are subclats of RuntimeException, due to backward compatibility, we can't change it. We will discuss this issue later. ........ | Next | ......... Welcome to contact us: Webmaster@prc.sun.com Copyright 1997-1998 Sun (China) Company, Beijing South Gifts 16th Floor, Jianwei Building, No. 66 Road, ALL RIGHTS Reserved.lege

转载请注明原文地址:https://www.9cbs.com/read-872.html

New Post(0)