Java security

 
Greenhorn
Posts: 10
Is there a way to restrict a single class from writing to a file system or calling exec?
I have looked at the Java security API and can only find two ways to do it:
1. Restrict the enclosing codebase (which restricts classes I don't want restricted)
2. Create a SecurityManager that will override checkExec() and checkWrite() with methods that search the call stack for the restricted class (seems kinda kludgy to me)
Am I missing something? Is there a better way?
-Anton
 
Ranch Hand
Posts: 1873
Hi Anton,
I am sorry but I am not able to understand why we want to restrict "some" class from writing a file whereas others are able to write??
I am not an expert on this but I have a code solution for this if you are able to change the code of the applet downloaded (it's an applet, right?)...
What you can do is: if you have a particular class that handles a request for file writing or a method that handles the request for file writing then you can pass a boolean variable to indicate if the write should really happen or not.
From the calling class you pass 'true' if the class is allowed to write else pass 'false' if you want that class not able to write and throw an exception...
Well, this you also might have thought about but I am not sure what you have so I just did put down my thoughts...
There is another possibility as well,
you can have method enableFileWrite() where you set above mentioned boolean variable for the class that is actually performing File Write and then allow other classes to write the file via that File Writer class's method if that boolean variable is set to be true priorly you know...do you get what I mean here?
I don't think there would be something on higher level that will allow you to restrict certain classes from writing while allowing others from the same code base...
Do you have multiple packages that get downloaded and you want to restrict some other packages' class other than your package or something???
Please clarify exact scenario you have...
regards
maulin
 
Anton Hinds
Greenhorn
Posts: 10
Thanks for the reply. Here is my exact situation:
I am using 3rd party scripting interpreters (beanshell/jython) in my code. I do not want an interpreted script to gain access to the filesystem or to execute native commands.
Since I do not want to go mucking around with the interpreter source code, the only way I can see to do this is to restrict the interpreter object from performing these actions at the JVM level. I figured I can use the Java security package for this. I have found a way (see original post)... but I was wondering if there was a better or more standard way.
 
Maulin Vasavada
Ranch Hand
Posts: 1873
Yeah..
I see what you mean. I thought you had some 3rd party thing otherwise you wouldn't want to achieve what you are trying to...
I don't know about any standard way of achieving it. It seems there is work ahead of you.
BTW, I have never done anything with this SecurityManager on my own.. I wish I would learn it someday...
interesting problem, huh?
regards
maulin
 
Ranch Hand
Posts: 185
Your options are based on what you are willing to do:
1) If you do not want to make severe code changes
The Java SecurityManager and the java.policy file are pretty much the standard ways to impose such kind of a restriction. I would suggest using the AccessController (instead of SecurityManager)
2) If you want to make code changes
I suggest pulling out code that writes to a file and executes OS calls into another class and have both these classes (one that does the illegal stuff and one that does not do the illegal stuff) implement an interface and expose that interface to your client calls.
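
The call-stack approach from the original question, written out as an added example (not code from any poster in this thread): a SecurityManager that denies write, delete and exec checks only while a restricted class is on the calling thread's stack. `StackGuard` and `ScriptStandIn` are hypothetical names; for the real interpreters the prefixes would be package names such as `bsh.` or `org.python.`. It assumes a JDK that still allows installing a Security Manager (deprecated since Java 17, needs `-Djava.security.manager=allow` on JDK 18 and later, and cannot be enabled from JDK 24 on).

```java
import java.io.File;
import java.io.FileWriter;
import java.io.IOException;
import java.security.Permission;

public class StackGuard extends SecurityManager {
    private final String[] restrictedPrefixes;

    public StackGuard(String... restrictedPrefixes) {
        this.restrictedPrefixes = restrictedPrefixes.clone();
    }

    // getClassContext() returns the class of every frame on the current thread's stack.
    private void denyIfRestricted(String action) {
        for (Class<?> frame : getClassContext()) {
            for (String prefix : restrictedPrefixes) {
                if (frame.getName().startsWith(prefix)) {
                    throw new SecurityException(
                        action + " denied: " + frame.getName() + " is on the call stack");
                }
            }
        }
    }

    // Checks not overridden below fall through to these and are permitted.
    @Override public void checkPermission(Permission perm) { }
    @Override public void checkPermission(Permission perm, Object context) { }

    @Override public void checkWrite(String file) { denyIfRestricted("write " + file); }
    @Override public void checkDelete(String file) { denyIfRestricted("delete " + file); }
    @Override public void checkExec(String cmd) { denyIfRestricted("exec " + cmd); }

    // Hypothetical stand-in for interpreter code running a script.
    static class ScriptStandIn {
        static void write(File f) throws IOException {
            try (FileWriter w = new FileWriter(f)) { w.write("from script"); }
        }
    }

    public static void main(String[] args) throws IOException {
        File f = File.createTempFile("guard", ".txt"); // constructed sample file
        f.deleteOnExit();
        System.setSecurityManager(new StackGuard(ScriptStandIn.class.getName()));
        try (FileWriter w = new FileWriter(f)) { w.write("from host"); } // host code: allowed
        try {
            ScriptStandIn.write(f); // restricted class on the stack: refused
        } catch (SecurityException e) {
            System.out.println(e.getMessage());
        }
    }
}
```

The guard inspects only the calling thread's stack, so it does not cover work that runs on a different thread; a policy grant keyed on the interpreter jar's codebase is checked through AccessController, whose context is inherited by threads the restricted code creates.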