用Java限制文件访问

用Java限制文件访问

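下面介绍如何使用策略文件来实现这一点。注意:这种做法依赖 Java 安全管理器(Security Manager),该机制自 Java 17 起已被标记为弃用并计划移除(JEP 411),自 JDK 24 起已无法启用(JEP 486)。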

创建一个可以使用特权操作的Java文件:

package egPriv;

import java.io.FileReader;

import java.io.IOException;

import java.io.Reader;

import java.security.AccessController;

import java.security.PrivilegedActionException;

import java.security.PrivilegedExceptionAction;

public class PrivCat {

/**
 * Prints the contents of {@code file} to standard output without asserting
 * any privilege.
 *
 * <p>The file is opened on the caller's behalf, so when a security manager is
 * installed the read-permission check covers every protection domain on the
 * call stack, not just this class.
 *
 * @param file path of the file to print
 * @throws IOException if the file cannot be opened or read
 */
public void cat(String file) throws IOException {
    final Reader source = new FileReader(file);
    cat(source);
}

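/**
 * Copies every character from {@code r} to standard output and then closes
 * the reader.
 *
 * @param r the reader to drain; it is closed before this method returns,
 *          whether or not the copy succeeded
 * @throws IOException if reading from or closing the reader fails
 */
private void cat(Reader r) throws IOException {
    try {
        int c;
        while ((c = r.read()) != -1) {
            System.out.print((char) c);
        }
    } finally {
        // Close on every path so a failed read does not leak the file handle.
        r.close();
    }
}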

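/**
 * Prints the contents of {@code file} to standard output, opening the file
 * inside a privileged block.
 *
 * <p>{@code doPrivileged} stops the permission check at this class, so the
 * open succeeds whenever this class's own protection domain may read the
 * file, regardless of what the callers further up the stack are granted.
 * Only the open runs with privilege; the reader is drained afterwards by
 * {@code cat(Reader)}.
 *
 * <p>NOTE(review): {@code file} reaches the privileged block unvalidated, so
 * every caller can read any path this class is granted. That is what the
 * demo sets out to show; real code should restrict the path to what the
 * operation needs before asserting privilege. {@code AccessController} is
 * deprecated for removal since Java 17.
 *
 * @param file path of the file to print
 * @throws IOException if the file cannot be opened or read
 */
public void catPriv(final String file) throws IOException {
    Reader r;
    try {
        // The type argument is required: with a raw PrivilegedExceptionAction,
        // doPrivileged returns Object and the assignment to r does not compile.
        r = AccessController.doPrivileged(new PrivilegedExceptionAction<Reader>() {
            @Override
            public Reader run() throws IOException {
                return new FileReader(file);
            }
        });
    } catch (PrivilegedActionException e) {
        // run() declares only IOException, so the wrapped cause is one.
        throw (IOException) e.getCause();
    }
    cat(r);
}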

}

创建一个普通的文件,用于演示:

package eg;

import egPriv.PrivCat;

import java.io.IOException;

public class Cat extends PrivCat {

/**
 * Demo entry point: prints the file named by the first argument twice, first
 * through the privileged path and then through the ordinary one.
 *
 * @param args {@code args[0]} is the path of the file to print
 * @throws IOException if the file cannot be opened or read
 */
public static void main(String[] args) throws IOException {
    final Cat demo = new Cat();

    System.out.println("Processing with privilege:");
    final String path = args[0];
    demo.catPriv(path);

    System.out.println("Processing normally");
    demo.cat(path);
}

}

创建sample.policy文件:

/* anyone can read write and execute within current working dir */

grant {

permission java.io.FilePermission "${user.dir}", "read,write,execute";

};

grant {

permission java.io.FilePermission "${user.dir}/*", "read,write,execute,delete";

};

/* Only code from this jar can work outside of CWD */

grant codebase "file:egPriv.jar" {

permission java.io.FilePermission "<<ALL FILES>>", "read,write,execute,delete";

};

编译然后测试:

jar cvf egPriv.jar egPriv

jar cvf eg.jar eg

echo 'Restricted' > ..\file.txt

java -cp eg.jar;egPriv.jar -Djava.security.manager -Djava.security.policy=sample.policy eg.Cat ..\file.txt

echo 'Open' > file.txt

java -cp eg.jar;egPriv.jar -Djava.security.manager -Djava.security.policy=sample.policy eg.Cat file.txt
