堆栈内存溢出
  简体   繁体   English

授予单个班级的许可

[英]Grant permission to single class

 原文  2010-06-20 01:32:26       java/ security/ tomcat/ tomcat6

问题描述

I'm working with a security policy on Tomcat 6. I've successfully granted permissions to my entire webapp, but would like to grant some permissions only to specific classes. 我正在使用Tomcat 6上的安全策略。我已成功授予对整个webapp的权限,但是只想授予特定类的一些权限。 However, when I try this, my doPrivileged block receives an AccessControlException. 但是,当我尝试这个时,我的doPrivileged块会收到AccessControlException。

Because I've been successful granting to a more general code base, I went back to that codebase, and tested as I added each additional subdirectory. 因为我已成功授予更通用的代码库,所以我回到了代码库,并在添加每个附加子目录时进行了测试。 In this manner, the most specific grant I'm able to make work is: 通过这种方式,我能够完成的最具体的资助是:

grant codeBase "file:${catalina.home}/webapps/ROOT/WEB-INF/-" { ... } grant codeBase“file:$ {catalina.home} / webapps / ROOT / WEB-INF / - ”{...}

If I add "classes/", as in: 如果我添加“classes /”,如:

grant codeBase "file:${catalina.home}/webapps/ROOT/WEB-INF/classes/-" { ... } grant codeBase“file:$ {catalina.home} / webapps / ROOT / WEB-INF / classes / - ”{...}

then I resume seeing the AccessControlException. 然后我恢复看到AccessControlException。 The class I'm trying to allow is located beneath the classes directory. 我试图允许的类位于classes目录下。 The webapp was deployed as a .war file, and unpacked by Tomcat. webapp部署为.war文件,并由Tomcat解压缩。

What am I doing wrong here? 我在这做错了什么? I'm intending to follow the example provided in the catalina.policy provided with Tomcat. 我打算按照Tomcat提供的catalina.policy中提供的示例进行操作。

1 个解决方案

解决方案1
 3 已采纳  2010-12-25 04:54:30

The finest granularity for assigning permissions using the Java default policy file format is per-code source (ie, per-JAR or per-class-directory). 使用Java默认策略文件格式分配权限的最细粒度是每代码源(即,每个JAR或每个类目录)。 As a workaround, you could split each distinctly privileged class into its own JAR in WEB-INF/lib and grant specific permissions to that JAR. 作为一种变通方法,您可以将每个具有明显特权的类拆分为WEB-INF / lib中自己的JAR,并为该JAR授予特定权限。

A custom ClassLoader could be made to create unique ProtectionDomains for each defineClass. 可以使用自定义ClassLoader为每个defineClass创建唯一的ProtectionDomain。 The ProtectionDomains could either statically grant per-class permissions, or they could create specialized ProtectionDomains to allow a custom Policy to dynamically grant per-class permissions. ProtectionDomains可以静态授予每个类的权限,也可以创建专门的ProtectionDomains以允许自定义策略动态授予每个类的权限。

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 授予对带有受保护文件的单词的权限 - Grant permission to word with a protected file Android onActivityResult 在授予权限时失败 - Android onActivityResult fails on permission grant 如何授予我的小程序权限 - how to grant permission to my applet 如何在策略中授予用户权限? - How to grant user permission in Policy? 用户的Facebook扩展许可授予 - Facebook extended permission grant by user 自动授予ACTION_MANAGE_OVERLAY_PERMISSION - Automatically grant ACTION_MANAGE_OVERLAY_PERMISSION 向压缩到JAR文件中的applet授予安全权限 - Grant security permission to an applet compressed into an JAR file 如何授予applet读取系统属性的权限? - How to grant applet permission to read system properties? 如何授予applet权限以访问所需的资源? - how to grant an applet permission for the resource accesses it needs? 策略文件中的Java安全授予权限 - Java security grant permission in the policy file
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM