转自: http://blog.csdn.net/jiaotuwoaini/article/details/70176021
在某一个线程的调用栈中,当 AccessController 的 checkPermission 方法被最近的调用程序(例如 A 类中的方法)调用时,对于程序要求的所有访问权限,ACC 决定是否授权的基本算法如下:
1. 如果调用链中的某个调用程序没有所需的权限,将抛出 AccessControlException;
2. 若是满足以下情况即被授予权限:
a. 调用程序访问另一个有该权限域里程序的方法,并且此方法标记为有访问“特权”;
b. 调用程序所调用(直接或间接)的后续对象都有上述权限。
当然了,Java SDK 给域提供了 doPrivileged 方法,让程序突破当前域权限限制,临时扩大访问权限。
创建一个项目projectX:
- public class FileUtil {
- // 工程 A 执行文件的路径
- private final static String FOLDER_PATH = "C:\\Users\\dushangkui\\workspace\\projectX\\bin";
- public static void makeFile(String fileName) {
- try {
- // 尝试在工程 A 执行文件的路径中创建一个新文件
- File fs = new File(FOLDER_PATH + "\\" + fileName);
- fs.createNewFile();
- } catch (AccessControlException e) {
- e.printStackTrace();
- } catch (IOException e) {
- e.printStackTrace();
- }
- }
- public static void doPrivilegedAction(final String fileName) {
- // 用特权访问方式创建文件
- AccessController.doPrivileged(new PrivilegedAction<String>() {
- @Override
- public String run() {
- makeFile(fileName);
- return null;
- }
- });
- }
- }
- public class DemoDoPrivilege {
- public static void main(String[] args) {
- System.out.println("***************************************");
- System.out.println("I will show AccessControl functionality...");
- System.out.println("Preparation step : turn on system permission check...");
- // 打开系统安全权限检查开关
- System.setSecurityManager(new SecurityManager());
- System.out.println();
- System.out.println("~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~");
- System.out.println("Create a new file named temp1.txt via privileged action ...");
- // 用特权访问方式在工程 A 执行文件路径中创建 temp1.txt 文件
- FileUtil.doPrivilegedAction("temp1.txt");
- System.out.println("~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~");
- System.out.println();
- System.out.println("/");
- System.out.println("Create a new file named temp2.txt via File ...");
- try {
- // 用普通文件操作方式在工程 A 执行文件路径中创建 temp2.txt 文件
- File fs = new File(
- "C:\\Users\\dushangkui\\workspace\\projectX\\temp2.txt");
- fs.createNewFile();
- } catch (IOException e) {
- e.printStackTrace();
- } catch (AccessControlException e1) {
- e1.printStackTrace();
- }
- System.out.println("/");
- System.out.println();
- System.out.println("-----------------------------------------");
- System.out.println("create a new file named temp3.txt via FileUtil ...");
- // 直接调用普通接口方式在工程 A 执行文件路径中创建 temp3.txt 文件
- FileUtil.makeFile("temp3.txt");
- System.out.println("-----------------------------------------");
- System.out.println();
- System.out.println("***************************************");
- }
- }
在projectY根目录下面创建策略文件MyPolicy.txt
- // 授权工程 A 执行文件路径中文件在本目录中的写文件权限
-
grant codeBase "file:D:/lianjia/20180130test/-" { permission java.io.FilePermission "D:/lianjia/20180130test/-", "write"; };
- ***************************************
- I will show AccessControl functionality...
- Preparation step : turn on system permission check...
- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
- Create a new file named temp1.txt via privileged action ...
- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
- /
- Create a new file named temp2.txt via File ...
- /
- -----------------------------------------
- create a new file named temp3.txt via FileUtil ...
- -----------------------------------------
- ***************************************
如果添加 运行VM option :
- ***************************************
- I will show AccessControl functionality...
- Preparation step : turn on system permission check...
- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
- Create a new file named temp1.txt via privileged action ...
- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
- /
- Create a new file named temp2.txt via File ...
- java.security.AccessControlException: access denied ("java.io.FilePermission" "C:\Users\dushangkui\workspace\projectX\temp2.txt" "write")
- at java.security.AccessControlContext.checkPermission(Unknown Source)
- at java.security.AccessController.checkPermission(Unknown Source)
- at java.lang.SecurityManager.checkPermission(Unknown Source)
- at java.lang.SecurityManager.checkWrite(Unknown Source)
- at java.io.File.createNewFile(Unknown Source)
- at com.dusk.DemoDoPrivilege.main(DemoDoPrivilege.java:33)
- /
- -----------------------------------------
- create a new file named temp3.txt via FileUtil ...
- java.security.AccessControlException: access denied ("java.io.FilePermission" "C:\Users\dushangkui\workspace\projectX\bin\temp3.txt" "write")
- at java.security.AccessControlContext.checkPermission(Unknown Source)
- at java.security.AccessController.checkPermission(Unknown Source)
- at java.lang.SecurityManager.checkPermission(Unknown Source)
- at java.lang.SecurityManager.checkWrite(Unknown Source)
- at java.io.File.createNewFile(Unknown Source)
- at com.dusk.FileUtil.makeFile(FileUtil.java:17)
- at com.dusk.DemoDoPrivilege.main(DemoDoPrivilege.java:45)
- -----------------------------------------
- ***************************************
在某一个线程的调用栈中,当 AccessController 的 checkPermission 方法被最近的调用程序(例如 A 类中的方法)调用时,对于程序要求的所有访问权限,ACC 决定是否授权的基本算法如下:
1. 如果调用链中的某个调用程序没有所需的权限,将抛出 AccessControlException;
2. 若是满足以下情况即被授予权限:
a. 调用程序访问另一个有该权限域里程序的方法,并且此方法标记为有访问“特权”;
b. 调用程序所调用(直接或间接)的后续对象都有上述权限。
当然了,Java SDK 给域提供了 doPrivileged 方法,让程序突破当前域权限限制,临时扩大访问权限。
创建一个项目projectX:
- package com.dusk;
- import java.io.File;
- import java.io.IOException;
- import java.security.AccessControlException;
- import java.security.AccessController;
- import java.security.PrivilegedAction;
- public class FileUtil {
- // 工程 A 执行文件的路径
- private final static String FOLDER_PATH = "C:\\Users\\dushangkui\\workspace\\projectX\\bin";
- public static void makeFile(String fileName) {
- try {
- // 尝试在工程 A 执行文件的路径中创建一个新文件
- File fs = new File(FOLDER_PATH + "\\" + fileName);
- fs.createNewFile();
- } catch (AccessControlException e) {
- e.printStackTrace();
- } catch (IOException e) {
- e.printStackTrace();
- }
- }
- public static void doPrivilegedAction(final String fileName) {
- // 用特权访问方式创建文件
- AccessController.doPrivileged(new PrivilegedAction<String>() {
- @Override
- public String run() {
- makeFile(fileName);
- return null;
- }
- });
- }
- }
- package com.dusk;
- import java.io.File;
- import java.io.IOException;
- import java.security.AccessControlException;
- import com.dusk.FileUtil;
- public class DemoDoPrivilege {
- public static void main(String[] args) {
- System.out.println("***************************************");
- System.out.println("I will show AccessControl functionality...");
- System.out.println("Preparation step : turn on system permission check...");
- // 打开系统安全权限检查开关
- System.setSecurityManager(new SecurityManager());
- System.out.println();
- System.out.println("~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~");
- System.out.println("Create a new file named temp1.txt via privileged action ...");
- // 用特权访问方式在工程 A 执行文件路径中创建 temp1.txt 文件
- FileUtil.doPrivilegedAction("temp1.txt");
- System.out.println("~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~");
- System.out.println();
- System.out.println("/");
- System.out.println("Create a new file named temp2.txt via File ...");
- try {
- // 用普通文件操作方式在工程 A 执行文件路径中创建 temp2.txt 文件
- File fs = new File(
- "C:\\Users\\dushangkui\\workspace\\projectX\\temp2.txt");
- fs.createNewFile();
- } catch (IOException e) {
- e.printStackTrace();
- } catch (AccessControlException e1) {
- e1.printStackTrace();
- }
- System.out.println("/");
- System.out.println();
- System.out.println("-----------------------------------------");
- System.out.println("create a new file named temp3.txt via FileUtil ...");
- // 直接调用普通接口方式在工程 A 执行文件路径中创建 temp3.txt 文件
- FileUtil.makeFile("temp3.txt");
- System.out.println("-----------------------------------------");
- System.out.println();
- System.out.println("***************************************");
- }
- }
在projectY根目录下面创建策略文件MyPolicy.txt
- // 授权工程 A 执行文件路径中文件在本目录中的写文件权限
- grant codebase "file:C:/Users/dushangkui/workspace/projectX/bin"
- {
- permission java.io.FilePermission
- "C:\\Users\\dushangkui\\workspace\\projectX\\bin\\*", "write";
- };
- ***************************************
- I will show AccessControl functionality...
- Preparation step : turn on system permission check...
- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
- Create a new file named temp1.txt via privileged action ...
- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
- /
- Create a new file named temp2.txt via File ...
- /
- -----------------------------------------
- create a new file named temp3.txt via FileUtil ...
- -----------------------------------------
- ***************************************
如果去掉注释:
- ***************************************
- I will show AccessControl functionality...
- Preparation step : turn on system permission check...
- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
- Create a new file named temp1.txt via privileged action ...
- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
- /
- Create a new file named temp2.txt via File ...
- java.security.AccessControlException: access denied ("java.io.FilePermission" "C:\Users\dushangkui\workspace\projectX\temp2.txt" "write")
- at java.security.AccessControlContext.checkPermission(Unknown Source)
- at java.security.AccessController.checkPermission(Unknown Source)
- at java.lang.SecurityManager.checkPermission(Unknown Source)
- at java.lang.SecurityManager.checkWrite(Unknown Source)
- at java.io.File.createNewFile(Unknown Source)
- at com.dusk.DemoDoPrivilege.main(DemoDoPrivilege.java:33)
- /
- -----------------------------------------
- create a new file named temp3.txt via FileUtil ...
- java.security.AccessControlException: access denied ("java.io.FilePermission" "C:\Users\dushangkui\workspace\projectX\bin\temp3.txt" "write")
- at java.security.AccessControlContext.checkPermission(Unknown Source)
- at java.security.AccessController.checkPermission(Unknown Source)
- at java.lang.SecurityManager.checkPermission(Unknown Source)
- at java.lang.SecurityManager.checkWrite(Unknown Source)
- at java.io.File.createNewFile(Unknown Source)
- at com.dusk.FileUtil.makeFile(FileUtil.java:17)
- at com.dusk.DemoDoPrivilege.main(DemoDoPrivilege.java:45)
- -----------------------------------------
- ***************************************