问题
I am working with Java security policies and it's still rather new for me. I will like to be able to run the code directly as a launch configuration, so I have a debugger and all the other nice IDE stuff.
I can get it to work until I use the codebase attribute in the policy.
I have a class in the package application that creates a LoginContext. The policy file is located in the root of my project. With this content it works fine:
grant {
permission javax.security.auth.AuthPermission "createLoginContext.Sample";
permission javax.security.auth.AuthPermission "doAsPrivileged";
};
But when I add the codebase it fails with Cannot create LoginContext. access denied ("javax.security.auth.AuthPermission" "createLoginContext.Sample")
grant codebase "file:./bin/application/-" {
permission javax.security.auth.AuthPermission "createLoginContext.Sample";
permission javax.security.auth.AuthPermission "doAsPrivileged";
};
I have tried these values for codebase
- file:application/-
- file:./application/-
- file:bin/application/-
- file:./bin/application/-
- file:C:/Full Path/to/project/bin/application/-
- file://C:/Full Path/to/project/bin/application/-
(In case it matters: The full path includes spaces)
回答1:
I managed to find the problem using JAAS's debug output, which I can really recommend.
In short the codebase is always the binary root folder (or jar) not the package folder containing the class file. In my case it meant that the codebase of all classes was path/to/project/bin which didn't match path/to/project/bin/application/- specified in the policy.
To solve this one needs to have multiple bin-folders or "output folder" as Eclipse name them. To get this:
- Go into
Project Properties > Java Build Pathand select theSourcetab - Activate
Allow output folders for source folders - Add as many source folders you like, by clicking
Add Folder - For each source folder, specify the output folder by first selecting the output folder item and then click edit.
After this you can have the policy point to each folder like this
grant codebase "file:binLogin/-" {
permission javax.security.auth.AuthPermission "modifyPrincipals";
};
grant codebase "file:binApp/-" {
permission javax.security.auth.AuthPermission "createLoginContext.Sample";
permission javax.security.auth.AuthPermission "doAsPrivileged";
};
I hope this might help others in the future.
回答2:
I realize this might qualify as a comment, but it is a bit too large and might help you find the answer yourself.
Your code looks like it's adapted from this tutorial. If so, you can modify the code in that example that catches the exception:
try {
lc = new LoginContext("Sample",
new MyCallbackHandler());
} catch (LoginException le) {
System.err.println("Cannot create LoginContext. "
+ le.getMessage());
System.exit(-1);
} catch (SecurityException se) {
System.err.println("Cannot create LoginContext. "
+ se.getMessage());
System.exit(-1);
}
to this:
try {
lc = new LoginContext("Sample",
new MyCallbackHandler());
} catch (LoginException le) {
System.err.println("Cannot create LoginContext. "
+ le.getMessage());
le.printStackTrace();
System.exit(-1);
} catch (SecurityException se) {
System.err.println("Cannot create LoginContext. "
+ se.getMessage());
se.printStackTrace();
System.exit(-1);
}
That way, you (and we,) will learn something more about the error that might help you find the problem.
来源:https://stackoverflow.com/questions/20101381/working-with-codebases-in-the-security-policy-during-development-in-eclipse