Thread cooperation based on Java 2 runtime security model — turn

In versions prior to Java 2, the runtime security model used a very strictly restricted sandbox model（ Sand@R_172_2419 @）。 Readers should be familiar with the fact that Java untrusted applet code is based on this strictly restricted sandbox model to provide runtime security checks. The essence of sandbox model is that any locally running code is trusted and has full access to key system resources. For applets, they are untrusted code and can only access limited resources within the sandbox. Of course, you can configure your applet as trusted code through digital signature, with the same permissions as the local code.

Starting from Java 2, Java provides a runtime security model based on policy and stack authorization. It is a more fine-grained access control and easy to configure and expand. Its overall architecture is shown in Figure 1:

In short, When classes are loaded into the JVM by the class loader, these runtime classes will be given different permissions according to the configuration of the Java policy file. When these classes want to access some system resources (such as opening sockets, reading and writing files, etc.) or perform some sensitive operations (such as accessing passwords), the Java Security Manager (AVA. Lang. securitymanager) will be called to check whether these classes have the necessary permissions to perform the operation. Before further discussion, let's clarify the following concepts: policy, that is, system security policy, which is configured by users or managers to configure the permission to execute code. The java.security.policy object at runtime is used To represent the policy file. Permission, Java defines the permission object of the hierarchy, and the root class of all permission objects is Java security. Permission。 The definition of permission involves two core attributes: target and action. For example, for file related permission definitions, the target is a file or directory, and its actions include: read, write, delete, etc. A protection domain can be understood as a collection of classes with a common permission set. In Java 2, permissions are actually assigned to the protection domain, not directly to the class. The mapping relationship among permissions, protection domains and classes is shown in Figure 2.

As shown in Figure 2, the current runtime stack is from a.class to e.class. At runtime, each frame on the stack will be classified as a protection domain by Java (the protection domain is built by Java according to the policy file configuration). When Java's security manager performs permission check, it will check the permission of each stack frame on the stack if and only if the permission set given to each stack frame is implied (imply) the operation is allowed to be executed only when the required permission is. Otherwise, the java.security.accesscontrolexception exception will be thrown and the operation will fail. For the Java 2 security model, there are several points that need to be specially noted: the model is based on stack authorization, which is also applicable in a multithreaded environment. For example, when the parent thread creates a child thread, the child thread The execution of is regarded as the continuation of the execution of the parent thread, so the runtime stack checked by the Java Security Manager during permission check includes both the current child thread and the runtime stack inherited from the parent thread. This means that it is impossible for users to obtain additional permissions through the creation of threads. Java developers can use accesscontroller Doprivileged to optimize the additional performance overhead caused by permission checking. As shown in Figure 3, the permission check of Java will start from the top of the stack and go down one by one until it encounters the method call of doprivileged or reaches the bottom of the stack. Using doprivileged can avoid unnecessary stack traverses and improve program performance. In this model, there is a special protection domain, system domain (system domain). All classes loaded by the null class loader are called system code, which automatically has all permissions. Moreover, all important protected external resources, such as file system, network, screen, keyboard, etc., can only be obtained through system code.

Next, this article will give a simple example, and then we will go further according to this example to create an application of safe cooperation between threads.

Our example is very simple: the client calls the API provided by logservice and writes the message to the disk file.

//Construct a message log and use logservice to write it to C: \ \ paper \ \ server \ \ out tmp file < / a >. Message = new message (" C: \ \ paper \ \ server \ \ out. TMP ", this is called from client" + '\ n'); LogService. instance. log(message); } }

public void log(Message message) { final String destination = message.getDestination(); final String info = message.getInfo(); FileWriter filewriter = null; try { filewriter = new FileWriter(destination,true); filewriter.write(info); filewriter.close(); } catch (IOException ioexception) { ioexception.printStackTrace(); } } } As shown in listings 1 and 2, this is a normal Java application. We execute this program in the Java security model. The client class is placed in the client Jar package, and the logservice class is placed in server In the jar package, we first use the keytool tool to generate the keystore file and the digital certificate we need, as shown in Listing 3.

keytool -genkey -alias client -keyalg RSA -keystore C:\paper\. keystore >keytool -genkey -alias server -keyalg RSA -keystore C:\paper\. Keystore in Listing 3, we generated C: \ paper \ Keystore file, using RSA algorithm to generate two digital certificates alias client and server. (Note: for convenience, the keys of keystore, client and server certificates are 111111) we use the command shown in Listing 4 to sign client.jar and server.jar.

jarsigner. exe -keystore C:\paper\. keystore -storepass 111111 c:\paper\client. jar client >jarsigner. exe -keystore C:\paper\. keystore -storepass 111111 c:\paper\server. Jar server in Listing 4, we use a digital certificate alias client to sign client Jar file, and use the digital certificate alias server to sign the server Jar file. Use the graphical tool policytool Exe creates the policy file shown in Listing 5.

keystore " file:////C:/paper/.keystore "; grant signedBy "client" { permission java.io.FilePermission "c:\paper\client\*","read,write"; }; grant signedBy "server" { permission java.security.AllPermission; }; The policy file indicates that all code signed by "client" has the permission to read and write all files in the "C: \ \ paper \ \ client \ \" directory, while all code signed by "server" has all permissions. Java will create the corresponding protection domain according to the signer according to the policy file. When everything is ready, we run the code, as shown in Listing 6.

java -Djava. security. manager -Djava. security. policy=my. policy -classpath client. jar; server. jar sample. permtest. client. The client has two runtime options that are particularly important, - DJava security. The manager tells the JVM to load the Java Security Manager for runtime security checks, and - DJava security. Policy is used to specify the policy file we use. The result of the run is shown in Listing 7.

(Unk Nown Source) at java. io. FileOutputStream. (Unk Nown Source) at java. io. FileWriter. (Unk Nown Source) at sample. permtest. server. LogService. log(LogService.java:19) at sample. permtest. client. Client. Main (client. Java: 16) after the client runs, the first message is successfully written to C: \ \ paper \ \ client \ \ out TMP file, and the second message does not have C: \ paper \ server \ out The TMP file was denied execution due to write permission. The example given in the previous section of this article will become complex if it is placed in the environment of asynchronous cooperation between threads. As shown in Figure 4. As shown in Figure 4, in such a scenario, the runtime stack of the client thread is completely independent of the server thread, and they cooperate asynchronously only through the shared data structure message queue. For example, when the client thread puts in message x, and then the server thread gets message x for processing, we still assume that message x wants the server thread to write the message to C: \ paper \ server \ out TMP file. At this time, how can the service program ensure that the client has the ability to write C: \ paper \ server \ out TMP file permissions? Java provides a solution based on the thread collaboration scenario, as shown in Listing 8: the m of the message class_ The accesscontrolcontext member variable is an accesscontrolcontext object that encapsulates the execution environment snapshot of the current thread, which can be obtained by calling the getcontext method of accesscontroller. The working principle of safe thread cooperation is shown in Figure 5. The arrow in Figure 5 indicates the path of Java Security Manager permission check. Starting from the current frame, check along the runtime stack of the server-side thread until it encounters the accesscontroller Doprivileged frame. Because when we call the doprivileged method, we pass in M_ Accesscontrolcontext is the execution environment when the client thread inserts messages into the message queue, so the Java Security Manager will jump to the execution environment and check one by one along the execution stack when the client inserts messages. In the log service implementation of the thread version in this section, the client class is in sample permtest. thread. In the client package, the package is exported as thread_ client. Jar package, and logservice is in sample permtest. thread. Server package, which is exported as thread_ server. Jar jar package. The package signature related to this part is similar to the previous section, using the same digital certificate as the previous section. The complete source code can be downloaded from the resource list later in this article. Through examples, this paper describes in detail the characteristics of the security model of Java 2 runtime and how to build a secure thread collaboration application based on this model. It is worth mentioning that when your Java application uses the runtime security model provided by Java 2, the reduction of program performance is inevitable, because we have seen that the Java 2 security model is based on stack authorization, which means that every time the Java security manager checks the execution of the permission method, it will traverse all frames of the current runtime line stack, To determine whether the permission requirements are met. So your design must choose between safety and performance. Of course, after you have applied the Java security model, you still have the opportunity to optimize the performance. For example, you can use the doprivileged method to remove unnecessary stack traversal. Further, you can inherit Java Lang. securitymanager class to develop a security manager suitable for your application. Original address: http://www.ibm.com/developerworks/cn/java/j-lo-rtsecurity/ Appendix, Java permission control code: Java security. The above is a summary of the thread collaboration based on the Java 2 runtime security model collected and sorted out by the programming house. I hope this article can help you solve the program development problems encountered in the thread collaboration based on the Java 2 runtime security model. If you think the content of the programming home website is good, you are welcome to recommend the programming home website to programmers and friends. This graphic content is collected and provided by netizens on the Internet as a learning reference. The copyright belongs to the original author. Like to share programming technology and work experience with others. Welcome to join the official exchange group of programming house! Programming House official 1 group programming House official 2 group programming House official 3 group programming House official 4 group one: Java class loading process next: in-depth discussion of Java Lang.ref package -- transfer