Reputation: 66
I want to implement a system that allows users to add certain business logic. I can use my own class loader to load it and create an instance of this class. It will extend my predefined interfaces and I will call some of its methods. How can I prevent it from doing something bad in my system? By bad things I mean reading unnecessary files on my server, writing useless information or even dangerous information to my server. It can visit some predefined external IP addresses (or a predefined internal network).
Upvotes: 0
Views: 95
Reputation: 3464
Java has security management built in. If you are not familiar with it you should have a look at the Security Features in Java tutorial, which also shows what you have to do as "Code Receiver": http://docs.oracle.com/javase/tutorial/security/toolsign/receiver.html.
Also look into Java Security Architecture and Policy Files. The latter link contains this example from a policy file, so you can get an idea:
// Code loaded from this directory gets only the permissions listed inside the block:
grant codeBase "file:/C:/somepath/api/" {
    ...
};

// If the code is signed by "Duke", grant it read/write access to all
// files in /tmp:
grant signedBy "Duke" {
    permission java.io.FilePermission "/tmp/*", "read,write";
};
It means you can restrict (or rather grant specific) permissions to classes based on their origin.
Follow the links in Michael's comment on your question to see some real-world usage of Java's security architecture.
Upvotes: 1
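To show how the pieces fit together, here is an added example (not from the answer or the linked tutorial): the host defines plugin classes through its own class loader inside a ProtectionDomain that carries only the permissions it chooses, so the SecurityManager denies everything else no matter what the host itself is allowed to do. The names BusinessLogic, UntrustedPlugin, SandboxLoader, Sandbox and the file name server-secrets.conf are invented, the plugin bytes are reused from the demo's own compiled class instead of an uploaded jar, and the programmatic Policy is a stand-in for the policy file the answer describes.

```java
import java.io.*;
import java.security.*;
// Contract the host defines; every customer-supplied plugin implements it.
interface BusinessLogic { String run(); }

// Stand-in for uploaded plugin code: it probes a server file it was never granted.
class UntrustedPlugin implements BusinessLogic {
    public String run() { return "server-secrets.conf readable: " + new File("server-secrets.conf").canRead(); }
}

// Defines plugin classes inside a static ProtectionDomain: only the permissions handed to
// this loader apply to them, and the installed Policy is never consulted for plugin code.
class SandboxLoader extends ClassLoader {
    private final ProtectionDomain domain;
    SandboxLoader(ClassLoader parent, Permissions perms) {
        super(parent);
        domain = new ProtectionDomain(new CodeSource(null, (java.security.cert.Certificate[]) null), perms);
    }
    Class<?> defineSandboxed(String name, byte[] bytecode) {   // in production the bytes come from the uploaded jar
        return defineClass(name, bytecode, 0, bytecode.length, domain);
    }
}

public class Sandbox {
    // Loads the plugin with exactly the given permissions and runs it under the SecurityManager.
    static String runPlugin(Permissions perms) throws Exception {
        byte[] bytecode;
        try (InputStream in = Sandbox.class.getResourceAsStream("UntrustedPlugin.class")) {
            bytecode = in.readAllBytes();   // demo only: reuse the bytes javac produced for the stand-in
        }
        SandboxLoader loader = new SandboxLoader(Sandbox.class.getClassLoader(), perms);
        BusinessLogic plugin = (BusinessLogic) loader.defineSandboxed("UntrustedPlugin", bytecode)
                .getDeclaredConstructor().newInstance();
        try {
            return plugin.run();
        } catch (SecurityException e) {   // thrown because the plugin's restricted domain is on the call stack
            return "blocked: " + e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        // Demo shortcut: grant the host itself everything programmatically instead of via a policy file.
        Policy.setPolicy(new Policy() { @Override public boolean implies(ProtectionDomain d, Permission p) { return true; } });
        System.setSecurityManager(new SecurityManager());   // JDK 18+: start java with -Djava.security.manager=allow
        System.out.println(runPlugin(new Permissions()));   // empty set: no file, socket or property access at all
        Permissions allowRead = new Permissions();
        allowRead.add(new FilePermission("server-secrets.conf", "read"));
        System.out.println(runPlugin(allowRead));           // the same probe is now permitted
    }
}
```

Compile with javac Sandbox.java and run with java Sandbox: the first run reports the read as denied, the second, holding a FilePermission, lets it through. SecurityManager is deprecated for removal since JDK 17, JDK 18+ installs it only when started with -Djava.security.manager=allow, and JDK 24 disables it permanently, so for new code plan on process-level isolation instead of relying on this mechanism.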