
Sandboxing JSR-223

I'm trying to sandbox JSR-223. Specifically, I don't want any script to have access to any of my classes. (I hear Rhino can do that with ClassShutter, but I want to do it generally, i.e. for all script engines of JSR-223.)

I first tried to use the AccessController.doPrivileged solution, by passing no permissions at all. It works for most permissions, but the scripts can still access all my public classes (it seems to ignore the "package access" permission...?).

I found this. My question is: how do I install a custom ClassLoader on the script engine? (Or how do I replace the ClassLoader globally if I have to?)

There is a constructor for ScriptEngineManager that takes a classloader. The classloader is used to load the scripting engine implementation. As classes inherit their classloaders, the scripting engine and any objects it creates should also use that classloader.

That classloader needs to deny the existence of any classes that are not white-listed.

Top it off with a custom SecurityManager so you can base access checks on which classloader is in use.

Edit: Here's an article I found on Sandboxing Rhino in Java. Most of it should also apply to JSR-223. Sun's implementation is Rhino with modifications, so there may be some differences.
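As an added example (not code from the answer above or from any project on this page): a white-listing ClassLoader handed to the ScriptEngineManager(ClassLoader) constructor, plus the thread-context-loader swap that a Nashorn-style JavaScript engine needs in order to resolve Java.type() names through it. The engine name "javascript", the Java.type() syntax and the host class name com.example.Secrets are assumptions for the demo.

```java
import javax.script.ScriptEngine;
import javax.script.ScriptEngineManager;
import java.util.List;

public final class WhitelistClassLoader extends ClassLoader {
    private final List<String> allowedPrefixes;

    public WhitelistClassLoader(ClassLoader parent, List<String> allowedPrefixes) {
        super(parent);
        this.allowedPrefixes = allowedPrefixes;
    }

    // Every lookup routed through this loader is filtered before parent
    // delegation; a non-whitelisted name is reported as "no such class".
    @Override
    protected Class<?> loadClass(String name, boolean resolve) throws ClassNotFoundException {
        if (!isAllowed(name)) {
            throw new ClassNotFoundException("blocked by sandbox: " + name);
        }
        return super.loadClass(name, resolve);
    }

    boolean isAllowed(String name) {
        for (String prefix : allowedPrefixes) {
            if (name.startsWith(prefix)) return true;
        }
        return false;
    }

    public static void main(String[] args) throws Exception {
        // Constructed whitelist: JDK packages the script may touch plus the
        // engine's own packages (assumed "jdk." for Nashorn); the host
        // application's packages are deliberately absent.
        List<String> allowed = List.of("java.lang.", "java.util.", "javax.script.", "jdk.");
        ClassLoader sandbox = new WhitelistClassLoader(
                WhitelistClassLoader.class.getClassLoader(), allowed);

        // Assumption: the engine picks up the thread context loader when it is
        // created and uses it for Java.type(), so install it before that point.
        Thread t = Thread.currentThread();
        ClassLoader saved = t.getContextClassLoader();
        t.setContextClassLoader(sandbox);
        try {
            // Factory discovery (ServiceLoader) also goes through the sandbox loader.
            ScriptEngine engine = new ScriptEngineManager(sandbox).getEngineByName("javascript");
            if (engine == null) { System.err.println("no JavaScript engine available"); return; }
            // Constructed script: the host class must fail to resolve,
            // a whitelisted JDK class must still be reachable.
            engine.eval("try { Java.type('com.example.Secrets'); print('LEAK'); }"
                      + " catch (e) { print('blocked: ' + e); }");
            engine.eval("print(Java.type('java.util.ArrayList'));");
        } finally {
            t.setContextClassLoader(saved);
        }
    }
}
```

Name filtering only governs lookups that go through this loader; reflective routes from an object the script already holds (for example getClass().getClassLoader()) are not closed by it, which is what the answer's SecurityManager step is for.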

Is it possible to run the part of your application that requires the scripting engine in a separate JVM? You could start the scripting engine JVM with a different classpath (and security manager) and then use some form of lightweight message passing between the 2 JVMs.

See http://code.google.com/p/prebake/source/browse/trunk/code/src/org/prebake/js/RhinoExecutor.java and related classes in the same package, especially the SANDBOXING_FACTORY there.

That's some code that sandboxes a Rhino interpreter to allow it access to the filesystem mediated by a loader.
