首页

为什么我不能在安全管理器下关闭我自己的执行器服务?

security java jsr166 securitymanager
2022-09-03 08:14:45

在默认的安全管理器下,如果我创建一个执行器服务(在本例中为 ThreadPoolExecutor),我无法关闭它,只是调用,因此立即死亡:shutdown()checkPermission("modifyThread")

import java.util.concurrent.*;

class A {
    public static void main( String[] args) {
        Thread ct = Thread.currentThread();
        System.out.println("current thread: " + ct);
        ct.checkAccess(); // we have access to our own thread...
        ThreadPoolExecutor tpe = new ThreadPoolExecutor(
            1, // one core thread
            1, // doesn't matter because queue is unbounded
            0, TimeUnit.SECONDS, // doesn't matter in this case
            new LinkedBlockingQueue<Runnable>(), /* unbound queue for
                                                  * our single thread */
            new ThreadFactory() {
                public Thread newThread(Runnable r) {
                    // obviously never gets called as we don't add any work
                    System.out.println("making thread");
                    return new Thread(r);
                }
            }
        );
        tpe.shutdown(); // raises security exception
    }
}

孙杰德克:

$ java -Djava.security.manager 当前线程: Thread[main,5,main] 线程 “main” java.security.AccessControlException: access denied (java.lang.RuntimePermission modifyThread) at java.security.AccessControlContext.checkPermission(AccessControlContext.java:323) at java.security.AccessController.checkPermission(AccessController.java:546) at java.lang.SecurityManager.checkPermission(SecurityManager.java:532) atjava.util.concurrent.ThreadPoolExecutor.shutdown(ThreadPoolExecutor.java:1094) at A.main(A.java:22)

OpenJDK:

$ java -Djava.security.manager 当前线程: Thread[main,5,main] 异常线程 “main” java.security.AccessControlException: access denied (java.lang.RuntimePermission modifyThread) at java.security.AccessControlContext.checkPermission(AccessControlContext.java:342) at java.security.AccessController.checkPermission(AccessController.java:553) at java.lang.SecurityManager.checkPermission(SecurityManager.java:549) at java.util.concurrent.ThreadPoolExecutor.checkShutdownAccess(ThreadPoolExecutor.java:711) at java.util.concurrent.ThreadPoolExecutor.shutdown(ThreadPoolExecutor.java:1351) at A.main(A.java:22)

为什么???????创建只有您自己控制的线程池并将其关闭会有什么安全隐患?这是实现中的错误,还是我遗漏了什么?

让我们看看ExperfectorService.shutdown的规范是怎么说的...

启动有序关机,其中将执行以前提交的任务,但不接受任何新任务。如果已经关闭,则调用不会产生其他影响。

Throws:SecurityException - 如果存在安全管理器并关闭此 ExecutorService 可能会操作不允许调用方修改的线程,因为它不持有 RuntimePermission(“modifyThread”),或者安全管理器的 checkAccess 方法拒绝访问。

这。。。几乎是模糊的。该规范没有提到在ExecutorService的生命周期中正在创建的任何“系统线程”,此外,它允许您提供自己的线程,这证明当您这样做时不应该涉及“系统线程”。(如上文在我的样本源中所做的那样)

感觉就像Java SE实现者看到可以提高,所以他们就像,“哦,好吧,我只是在这里添加一个随机的安全检查以确保合规性”......shutdownSecurityException

问题是,阅读OpenJDK源代码(openjdk-6-src-b20-21_jun_2010),事实证明,创建任何线程的唯一方法是调用您提供的ThreadFactory(在我的测试用例中从未调用过它,因为我不创建任何工作,我不调用prestartCoreThreadpreStartAllCoreThreads。).因此,在OpenJDK的ThreadPoolExecutor中,安全检查是无缘无故地完成的(就像在sun-jdk-1.6中所做的那样,但我没有源代码):

/**
 * Initiates an orderly shutdown in which previously submitted
 * tasks are executed, but no new tasks will be accepted.
 * Invocation has no additional effect if already shut down.
 *
 * @throws SecurityException {@inheritDoc}
 */
public void shutdown() {
    final ReentrantLock mainLock = this.mainLock;
    mainLock.lock();
    try {
        checkShutdownAccess();
        advanceRunState(SHUTDOWN);
        interruptIdleWorkers();
        onShutdown(); // hook for ScheduledThreadPoolExecutor
    } finally {
        mainLock.unlock();
    }
    tryTerminate();
}

checkShutdownAccess在执行任何操作之前调用...

/**
 * If there is a security manager, makes sure caller has
 * permission to shut down threads in general (see shutdownPerm).
 * If this passes, additionally makes sure the caller is allowed
 * to interrupt each worker thread. This might not be true even if
 * first check passed, if the SecurityManager treats some threads
 * specially.
 */
private void checkShutdownAccess() {
    SecurityManager security = System.getSecurityManager();
    if (security != null) {
        security.checkPermission(shutdownPerm);
        final ReentrantLock mainLock = this.mainLock;
        mainLock.lock();
        try {
            for (Worker w : workers)
                security.checkAccess(w.thread);
        } finally {
            mainLock.unlock();
        }
    }
}

如您所见,它无条件地在安全管理器上调用....关机项目被定义为...私有静态最终运行时权限关闭Perm = new RuntimePermission(“modifyThread”);checkPermission(shutdownPerm)

...据我所知,这完全没有意义,因为这意味着访问系统线程,并且这里没有系统线程在起作用,实际上,根本没有线程,因为我没有提交任何工作或预启动,即使有线程,它们也会是我的线程,因为我传入了.该规范没有说任何关于神奇死亡的内容,除了如果涉及系统线程(它们不涉及),则可能存在.modifyThreadThreadFactorySecurityException

基本上,为什么我不能删除检查系统线程访问的行?我认为没有安全隐患需要这样做。其他人怎么没有遇到这个问题???我在问题跟踪器上看到过一个帖子,他们通过将呼叫更改为“解决了”此问题,显然,这并没有为他们解决问题。shutdownNowshutdown


答案 1

这很简单:你不能在主线程组中做到这一点。它部分是为小程序设计的。从关机方法复制想法为什么?如果这是一个问题,您可以自由地使用特权操作来调用关机。请记住,Thread.interrupt() 作为无辜的,它可能看起来也是。throws SecurityException

要回答这个问题:只要确保你授予自己的代码权限,你很高兴。或者,“modifyThread”也可以自由授予,它主要由小程序使用。

至于不受信任的代码:好吧,不受信任的代码甚至不应该在其ThreadGroup之外处理线程,因此请提供API来创建ThreadPool,并允许关闭调用方创建的此类代码。您可以根据调用方授予权限。

希望这有帮助一点(虽然问号的数量清楚地表明了绝望和最大的烦恼)

    /*
     * Conceptually, shutdown is just a matter of changing the
     * runState to SHUTDOWN, and then interrupting any worker
     * threads that might be blocked in getTask() to wake them up
     * so they can exit. Then, if there happen not to be any
     * threads or tasks, we can directly terminate pool via
     * tryTerminate.  Else, the last worker to leave the building
     * turns off the lights (in workerDone).
     *
     * But this is made more delicate because we must cooperate
     * with the security manager (if present), which may implement
     * policies that make more sense for operations on Threads
     * than they do for ThreadPools. This requires 3 steps:
     *
     * 1. Making sure caller has permission to shut down threads
     * in general (see shutdownPerm).
     *
     * 2. If (1) passes, making sure the caller is allowed to
     * modify each of our threads. This might not be true even if
     * first check passed, if the SecurityManager treats some
     * threads specially. If this check passes, then we can try
     * to set runState.
     *
     * 3. If both (1) and (2) pass, dealing with inconsistent
     * security managers that allow checkAccess but then throw a
     * SecurityException when interrupt() is invoked.  In this
     * third case, because we have already set runState, we can
     * only try to back out from the shutdown as cleanly as
     * possible. Some workers may have been killed but we remain
     * in non-shutdown state (which may entail tryTerminate from
     * workerDone starting a new worker to maintain liveness.)
     */

答案 2

听起来像是一个懒惰和/或安全的实现。它不是检查是否涉及其他线程,它只是假设一些线程涉及。最好抛出安全异常,而不是留下潜在的安全漏洞。


推荐
更多 »
标签
更多 »
php pass-by-reference optional-parameters default-value javascript arrays dom function string object serialization tostring visibility syntax jslint use-strict operators equality equality-operator identity-operator datetime timestamp date-arithmetic redirect angularjs loops foreach iteration scope variables
推荐
更多 »