下面介绍如何使用策略文件执行此操作。
创建一个可以具有特权的 Java 文件:
package egPriv;
import java.io.FileReader;
import java.io.IOException;
import java.io.Reader;
import java.security.AccessController;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
public class PrivCat {
/** Cat a file with no privileges */
public void cat(String file) throws IOException {
cat(new FileReader(file));
}
private void cat(Reader r) throws IOException {
int c;
while( (c = r.read()) != -1 ) {
System.out.print((char) c);
}
r.close();
}
/** Cat a file WITH privileges */
public void catPriv(final String file) throws IOException {
Reader r;
try {
r = AccessController.doPrivileged(new PrivilegedExceptionAction<Reader>() {
public Reader run() throws IOException {
return new FileReader(file);
}
});
} catch (PrivilegedActionException e) {
throw (IOException) e.getCause();
}
cat(r);
}
}
创建用于演示的常规文件
package eg;
import egPriv.PrivCat;
import java.io.IOException;
public class Cat extends PrivCat {
public static void main(String[] args) throws IOException {
Cat eg2 = new Cat();
System.out.println("Processing with privilege:");
eg2.catPriv(args[0]);
System.out.println("Processing normally");
eg2.cat(args[0]);
}
}
创建示例.策略文件:
/* anyone can read write and execute within current working dir */
grant {
permission java.io.FilePermission "${user.dir}", "read,write,execute";
};
grant {
permission java.io.FilePermission "${user.dir}/*", "read,write,execute,delete";
};
/* Only code from this jar can work outside of CWD */
grant codebase "file:egPriv.jar" {
permission java.io.FilePermission "<<ALL FILES>>", "read,write,execute,delete";
};
编译,然后测试:
jar cvf egPriv.jar egPriv
jar cvf eg.jar eg
echo 'Restricted' > ..\file.txt
java -cp eg.jar;egPriv.jar -Djava.security.manager -Djava.security.policy=sample.policy eg.Cat ..\file.txt
echo 'Open' > file.txt
java -cp eg.jar;egPriv.jar -Djava.security.manager -Djava.security.policy=sample.policy eg.Cat file.txt