RMI Security的一個說明
JDK1.2的安全模型比JDK1.1使用的更為成熟。Jdk1.2要求對代碼授于具體
的操作權才能被允許執行某個操作。
在JDK1.2,在class path里面的代碼是被信任的,能執行任何操作,下載的代碼被預裝載
的安全管理器的規則所管理。如果運行一個JDK1.2里面的例子,當你運行你的服務器和客
戶端,你需要特別指定一個policy file。下面是一個一般的policy file,它允許從任何
codebase(這個指代碼的路徑前綴,可以是URL)下載的代碼做兩件事:
1 連接任何主機上的一個非特權的端口(大于1024的端口),或者接受從這樣的連接;
2 連接80端口(HTTP port)
grant {
permission java.net.SocketPermission "*:1024-65535",
"connect,accept";
permission java.net.SocketPermission "*:80", "connect";
};
如果你想通過HTTP地址下載代碼有效,你必須使用上面的policy file(或者把這段
grant加到你的缺省的java policy file里面去)。還有,如你想使用file URL,
那么你用下面的policy file.
grant {
permission java.net.SocketPermission "*:1024-65535", "connect,accept";
permission java.io.FilePermission
"c:\\home\\ann\\public_html\\classes\\-", "read";
permission java.io.FilePermission
"c:\\home\\jones\\public_html\\classes\\-", "read";
};
======================================================================
原文:
The JDK1.2 security model is more sophisticated than the model used for
JDK1.1. JDK1.2 contains enhancements for finer-grained security and requires
code to be granted specific permissions to be allowed to perform certain
operations.
In JDK1.1, code in the class path is trusted and can perform any operation;
downloaded code is governed by the rules of the installed security manager.
If you run this example in JDK1.2, you need to specify a policy file when
you run your server and client. Here is a general policy file that allows
downloaded code, from any codebase, to do two things:
connect to or accept connections on unprivileged ports (ports greater than
1024) on any host, and
connect to port 80 (the port for HTTP).
grant {
permission java.net.SocketPermission "*:1024-65535",
"connect,accept";
permission java.net.SocketPermission "*:80", "connect";
};
If you make your code available for downloading via HTTP URLs, you should
use the policy file above when you run this example. However, if you use
file URLs instead, you can use the policy file below. Note that in
Windows-style file names, the backslash character needs to be represented by
two backslash characters in the policy file.
grant {
permission java.net.SocketPermission "*:1024-65535",
"connect,accept";
permission java.io.FilePermission
"c:\\home\\ann\\public_html\\classes\\-", "read";
permission java.io.FilePermission
"c:\\home\\jones\\public_html\\classes\\-", "read";
};
This example assumes that the policy file is called java.policy and contains
the appropriate permissions. If you run this example on JDK1.1, you will not
need to use a policy file, since the RMISecurityManager provides all the
protection you need.
凡是有該標志的文章,都是該blog博主Caoer(草兒)原創,凡是索引、收藏
、轉載請注明來處和原文作者。非常感謝。