如何禁用 Java 安全管理器?
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/762459/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
How to disable Java security manager?
提问by Pawel Piatkowski
Is there any way to completely disable Java security manager?
有没有办法完全禁用 Java 安全管理器?
I'm experimenting with source code of db4o. It uses reflection to persist objects and it seems that security manager doesn't allow reflection to read and write private or protected fields.
我正在试验 db4o 的源代码。它使用反射来持久化对象,似乎安全管理器不允许反射读取和写入私有或受保护的字段。
My code:
我的代码:
public static void main(String[] args) throws IOException {
System.out.println("start");
new File( DB_FILE_NAME ).delete();
ObjectContainer container = Db4o.openFile( DB_FILE_NAME );
String ob = new String( "test" );
container.store( ob );
ObjectSet result = container.queryByExample( String.class );
System.out.println( "retrieved (" + result.size() + "):" );
while( result.hasNext() ) {
System.out.println( result.next() );
}
container.close();
System.out.println("finish");
}
Output:
输出:
start [db4o 7.4.68.12069 2009-04-18 00:21:30] AccessibleObject#setAccessible() is not available. Private fields can not be stored. retrieved (0): finish
This thread suggests modifying java.policy file to allow reflection but it doesn't seem to work for me.
该线程建议修改 java.policy 文件以允许反射,但它似乎对我不起作用。
I'm starting JVM with arguments-Djava.security.manager -Djava.security.policy==/home/pablo/.java.policy
so specified policy file will be the only policy file used
我正在使用参数启动 JVM,-Djava.security.manager -Djava.security.policy==/home/pablo/.java.policy
因此指定的策略文件将是唯一使用的策略文件
The file looks like this:
该文件如下所示:
grant {
permission java.security.AllPermission;
permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
};
I spent last 3 hrs on this and don't have any ideas how to make this work. Any help appreciated.
我在这上面花了 3 个小时,但不知道如何进行这项工作。任何帮助表示赞赏。
回答by erickson
Do you really have two '=' signs in your java.security.policycommand line option? That won't work. Make sure you are setting the property as
您的java.security.policy命令行选项中真的有两个 '=' 符号吗?那行不通。确保您将属性设置为
-Djava.security.policy=/home/pablo/.java.policy
To actually disable the SecurityManager, simply leaving off the java.security.managersystem property altogether should be enough.
要真正禁用SecurityManager,只需java.security.manager完全关闭系统属性就足够了。
Update:As I was reading the documentation for policy files to learn more about the "==" syntax, I noticed that unless the policy file is in the current working directory, it needs to be specified as a URL (including scheme). Have you tried prefixing the policy path with the "file:" scheme?
更新:当我阅读策略文件的文档以了解有关“==”语法的更多信息时,我注意到除非策略文件位于当前工作目录中,否则需要将其指定为 URL(包括方案)。您是否尝试过使用“file:”方案为策略路径添加前缀?
I was also puzzled because (assuming you are running as user "pablo"), it looks like that policy should be loaded by default from your home directory, so you shouldn't need to specify it at all. On the other hand, if you are not running as the user "pablo", maybe the file is not readable.
我也很困惑,因为(假设您以用户“pablo”的身份运行),看起来该策略应该默认从您的主目录加载,因此您根本不需要指定它。另一方面,如果您不是以用户“pablo”的身份运行,则该文件可能不可读。
回答by hallidave
You could try adding this to the main() of your program:
您可以尝试将其添加到程序的 main() 中:
System.setSecurityManager(null);
Worked for me for a "trusted" WebStart application when I was having security manager issues. Not sure if it will work for your db4o case, but it might be worth a try.
当我遇到安全管理器问题时,我为“受信任的”WebStart 应用程序工作。不确定它是否适用于您的 db4o 案例,但可能值得一试。
EDIT: I'm not suggesting that this is a general solution to security manager problems. I was just proposing it as a way to help debug the original poster's problem. Clearly, if you want to benefit from a security manager then you should not disable it.
编辑:我并不是说这是安全管理器问题的通用解决方案。我只是提出它作为帮助调试原始海报问题的一种方式。显然,如果您想从安全管理器中受益,则不应禁用它。
回答by Kevin Williams
I found this example of how to make private fields and methods accessibleto your code. Basically, it distills down to the use of Field.setAccessible(true)and Method.setAccessible(true)
我找到了这个示例,说明如何使您的代码可以访问私有字段和方法。基本上,它归结为Field.setAccessible(true)和Method.setAccessible(true) 的使用
Field example:
字段示例:
Field privateStringField = PrivateObject.class.
getDeclaredField("privateString");
privateStringField.setAccessible(true);
Method example:
方法示例:
Method privateStringMethod = PrivateObject.class.
getDeclaredMethod("getPrivateString", null);
privateStringMethod.setAccessible(true);
You could also look at using Groovy with your Java code as it (currently) circumvents much of the access level restrictions of Java code. Although, this message board posting seems to suggest this 'feature' may change in future versions of Groovy.
您还可以考虑在 Java 代码中使用 Groovy,因为它(目前)绕过了 Java 代码的大部分访问级别限制。虽然,这个留言板帖子似乎暗示这个“功能”可能会在 Groovy 的未来版本中发生变化。
