简体繁体 English

为什么Java Security Manager不是强制性的？

[英]Why java security manager is not mandatory?

原文 2018-05-10 10:42:22 8 1 java/ security

One of the benifits of java language is we say it is secure language. Java语言的好处之一是我们说它是安全的语言。 But security manager is not mandatory by default. 但是默认情况下，安全管理器不是必需的。 And by default we can have many issues like accessing private objects with reflection. 默认情况下，我们会遇到很多问题，例如通过反射访问私有对象。 Little confused on why it is designed so, can you please provide more points on this. 对其设计为何如此感到困惑，您能否在此提供更多要点。

1 个解决方案

One of the benefits of java language is we say it is secure language. Java语言的好处之一是我们说它是安全的语言。

I would disagree with that proposition: 我不同意这个主张：

Java is not a (sufficiently) secure language to absolve the programmer of thinking about security. Java不是一种（足够）安全的语言，可以免除程序员对安全性的思考。 Certainly it is not good enough for running untrusted code in a browser plugin. 当然，在浏览器插件中运行不受信任的代码还不够好。 I would not call Java a secure language. 我不会将Java称为安全语言。
I'm not convinced that more security would be of benefit for a most Java applications. 我不相信更多的安全性对于大多数Java应用程序都会有所帮助。

But security manager is not mandatory by default. 但是默认情况下，安全管理器不是必需的。

Correct. 正确。

And by default we can have many issues like accessing private objects with reflection. 默认情况下，我们会遇到很多问题，例如通过反射访问私有对象。

Private visibility was never designed as a security feature. 私人可见性从未设计为安全功能。 It is a feature for enforcing encapsulation of Java's "abstract data types"; 它是用于强制封装Java的“抽象数据类型”的功能。 ie classes. 即类。

The reason that reflection is allowed to override the visibility rules is that it is sometimes necessary to break encapsulation for pragmatic reasons. 允许反射覆盖可见性规则的原因是，出于实用的原因，有时有必要破坏封装。 It is most frequently done in abstraction cross-cutting functionality like dependency injection frameworks, serialization mechanisms where the concerns that encapsulation aims to address (eg unwanted coupling) are moot. 最常见的是在抽象横切功能中完成，例如依赖注入框架，序列化机制，其中封装旨在解决的问题（例如，不必要的耦合）无济于事。

In short, I don't see this as an issue that needs to be addressed ... for most Java application. 简而言之，对于大多数Java应用程序，我认为这不是需要解决的问题。 If an application or 3rd party library is using reflection that way, there is probably a good reason for doing it. 如果应用程序或第三方库以这种方式使用反射，则可能有充分的理由这样做。

Now I accept that some problem domains require a much higher level of security than a typical Java application. 现在，我承认某些问题域比典型的Java应用程序需要更高的安全级别。 For them, by all means implement a security manager ... and block reflective access to private variables. 对于他们来说，一定要实施安全管理器...并阻止对私有变量的反射访问。 However, I suggests that if your security requirements are such that you need to block encapsulation breaking, then a security manager is not sufficient to address the other security concerns that you have to deal with. 但是，我建议，如果您的安全要求足以阻止封装破坏，那么安全管理器不足以解决您必须处理的其他安全问题。

The classic approach to dealing with hard security requirements involves vetting your developers and operations staff, independent auditing of your code base, intrusion testing, and so on ... and air gaps. 处理严格的安全性要求的经典方法包括审核开发人员和操作人员，对代码库进行独立审核，入侵测试等，以及存在空白。