Reputation: 51
Java Security Manager on Threads
I have an application that uses various third party API's one of the third party API gets executed in a separate thread.
I want one specific thread to have access a particular directory and restrict that thread to access other directories of my local disk.
Is this possible to be achieved through java security manager?
Upvotes: 5
Views: 2057
Answers (2)
Reputation: 1167
If I understand correctly, it sounds like what you want to do is restrict access to the file system for one of the third party libraries you're using. In terms of the Java SecurityManager, the fact that this particular third party library is running in a separate thread isn't relevant: Java security policies grant permissions based on where the code is loaded from, whether it's been signed, or the user who is running the code, but not on the basis of which thread the code is running in.
To restrict the access of a specific library to certain areas of the file system, you'll need a policy file that grants the necessary permissions to all your other code, and limited permissions to the library you want to restrict. Assuming the code you're running is in a set of separate jar files and you don't want to place any restrictions on any of the other code, your policy file will look something like this:
grant codebase "file:/path/to/your-application.jar" {
permission java.security.AllPermission;
};
grant codebase "file:/path/to/trusted-library.jar" {
permission java.security.AllPermission;
};
grant codebase "file:/path/to/another-trusted-library.jar" {
permission java.security.AllPermission;
};
grant codebase "file:/path/to/restricted-library.jar" {
permission java.io.FilePermission "/path/to/particular/directory", "read,write";
// Any additional permissions this library needs
};
It might take some trial and error to discover what other specific permissions you'll need to grant to the restricted library in order for it to run correctly.
If your requirement really is to restrict access to a specific thread, you'll need to write a custom SecurityManager and override the checkPermission methods so that they check which thread is calling the method in order to determine if the permission should be granted. You would need to add methods to the custom SecurityManager to allow your application code to register which threads should be restricted, and you'd need to make sure that those additional methods couldn't be called by the restricted code, for example by creating and checking for a custom Permission.
Writing custom SecurityManagers is generally more risky than making use of the standard SecurityManager, so you'll want to do some careful testing if you take this approach.
Upvotes: 6
Reputation: 147164
Assuming the library you are intending to trust is well written, you can set the permissions for each library in your policy file and add a calls to java.security.AccessController.doPrivileged within the thread or around its construction. Usual disclaimer that badly written trusted code will allow untrusted code to take advantage of its trust.
A "custom" security manager has generally been unnecessary since Java 2, released 1998, but it does seem to appear in much folk memory.
Upvotes: 2
Related Questions
- why java security manager doesn't forbid neither creating new Thread() nor starting it?
- Stopping Hostile Threads in JVM
- Preventing Thread creation/start in Java
- How to protect private Thread without using SecurityManager
- Enabling multiple security managers in a single java thread
- Java Security manager per thread
- Question on jvm-wide properties and multithreading
- Java SecurityManager multiple threads
- Threading security policy
- How to set a SecurityManager for this thread and not for System?