securitymanager

Java security: Sandboxing plugins loaded via URLClassLoader

ぐ巨炮叔叔 submitted on 2019-11-26 15:36:12
Question: Question summary: How do I modify the code below so that untrusted, dynamically-loaded code runs in a security sandbox while the rest of the application remains unrestricted? Why doesn't URLClassLoader just handle it like it says it does? EDIT: Updated to respond to Ani B. EDIT 2: Added updated PluginSecurityManager. My application has a plug-in mechanism where a third party can provide a JAR containing a class which implements a particular interface. Using URLClassLoader, I am able to load

Java: no security manager: RMI class loader disabled

送分小仙女□ submitted on 2019-11-26 12:27:39
Question: Hi, I have an RMI application and now I am trying to invoke some methods on the server from my client. I have the following code: public static void main(final String[] args) { try { //Setting the security manager System.setSecurityManager(new RMISecurityManager()); IndicatorsService server = (IndicatorsService) Naming .lookup("rmi://localhost/" + IndicatorsService.SERVICE_NAME); DataProvider provider = new OHLCProvider(server); server.registerOHLCProvider(provider); } catch (MalformedURLException e) { e

Disable Java reflection for the current thread

混江龙づ霸主 submitted on 2019-11-26 11:09:44
Question: I need to call some semi-trustworthy Java code and want to disable the ability to use reflection for the duration of that code's execution. try{ // disable reflection somehow someObject.method(); } finally{ // enable reflection again } Can this be done with a SecurityManager, and if so, how? Clarification/Context: This is a follow-up to another question about restricting the packages that can be called from JavaScript/Rhino. The accepted answer references a blog entry on how to do that, and

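Integrating Shiro with Spring Boot

谁都会走 submitted on 2019-11-26 10:28:17
For permission management in Spring Boot, the mainstream choice is generally Spring Security, but from a purely technical standpoint Shiro can also be used. Generally speaking, Spring Security and Shiro compare as follows: Spring Security is a heavyweight security management framework, while Shiro is a lightweight one; Spring Security has complex concepts and tedious configuration, while Shiro has simple concepts and simple configuration; Spring Security is powerful, while Shiro's functionality is simple; ... Although Shiro's functionality is simple, it still covers most business scenarios. So in traditional SSM projects, Shiro is generally the one integrated. In Spring Boot, because Spring Boot officially provides a large number of very convenient out-of-the-box Starters, including of course a Starter for Spring Security, using Spring Security in Spring Boot becomes much easier; adding a single dependency is even enough to protect all endpoints. So for a Spring Boot project, Spring Security is generally chosen. This is only a suggested pairing; purely technically, any combination works without problems. There are two different approaches to integrating Shiro in Spring Boot: The first is to take, unchanged, the SSM integration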

Why doesn't the Java security manager forbid either creating a new Thread() or starting it?

◇◆丶佛笑我妖孽 submitted on 2019-11-26 09:51:42
Question: Do you happen to know the explanation why the Java security manager doesn't forbid creating new threads or starting them? new FileWriter is under the security manager, but neither new Thread() nor threadInstance.start() is under the security manager, and they are possible to call. Wouldn't it be useful to forbid it? Would it be hard to implement? Or isn't creating and starting a new Thread relevant enough to forbid it? Answer 1: There is an access check performed in the Thread constructor to see if the caller

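springboot+shiro-redis: master-replica implementation using Redis Sentinel

戏子无情 submitted on 2019-11-26 02:41:33
Recently a server crash at our company left a project unable to run. Because the project uses a single Redis instance for session sharing and permission handling, we decided to adopt Redis master-replica mode to reduce coupling; I am recording it here for future reference. The server OS is CentOS 7 with Redis 4.0.6. Two Redis servers, master and replica: 192.168.0.35 6379 (master), 192.168.0.34 6379 (replica). 1. Installing Redis: cd /opt wget http://download.redis.io/releases/redis-4.0.6.tar.gz If you are told the command was not found, install it: yum install wget tar xzf redis-4.0.6.tar.gz cd redis-4.0.6 make src/redis-server Client access: src/redis-cli Configuring Redis to start at boot: 1. Set the daemonize parameter in the configuration file to yes. vi /opt/redis-4.0.6/redis.conf Copy the Redis configuration file (the startup script needs the configuration file's contents, so it must be copied) #1. Create a redis folder under /etc $ mkdir /etc/redis #2. Copy the redis.conf file from the Redis installation directory to /etc/redis/6379.conf; 6379.conf is the chosen file name, and a variable in the startup script reads this name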