本文主要向大家介绍了Java语言安全--安全管理器与访问权限问题解析，通过具体的内容向大家展示，希望对大家学习JAVA语言有所帮助。

1.定义

当类被加载到虚拟机中，校验器检查通过，Java平台的第二种安全机制就会启动，这个机制就是安全管理器，它是控制具体操作是否允许执行的操作。它的安全策略建立了代码来源和访问权限集之间的映射关系。

jdk8中的权限类（直接或者间接实现Permission抽象类）

2.Java平台安全性

????????java安全管理器这里主要涉及到两个概念一个是代码来源另一个就是权限集。代码来源是由代码位置和一个证书集指定的。代码位置指定了代码的来源。权限指由安全管理器负责检查的任何属性，如上展示的jdk8中的权限类，这里的每个权限类都封装了相应的权限详细信息。例如：

FilePermission filePermission=new FilePermission("/tmp/*","read,write");//允许在/tmp/*下进行读写操作

SocketPermission socketPermission=new SocketPermission("192.168.0.1:8080","listen");//监听192.168.0.1机器8080端口

? ? 每个类都有一个保护域，保护域中封装了代码来源和权限集合对象。当SecurityManager需要检查某个权限时，它要获取堆栈上所有方法对应类的保护域，并且判断保护域中是否允许当前正在被检查的操作。若允许则通过检测，否则将会抛出SecurityException异常。在jdk中所有系统类的代码来源都是null,权限都是AllPermission类的实例组成的。

? ?关键方法介绍：

? 1.java.lang.SecurityManager中的checkPermission方法

/**

     * Throws a <code>SecurityException if the requested

     * access, specified by the given permission, is not permitted based

     * on the security policy currently in effect.

     * </code>

* This method calls AccessController.checkPermission * with the given permission. * * @param perm the requested permission. * @exception SecurityException if access is not permitted based on * the current security policy. * @exception NullPointerException if the permission argument is * null. * @since 1.2 */ public void checkPermission(Permission perm) {//检查当前安全管理器是否授予指定的权限 java.security.AccessController.checkPermission(perm); }

2.java.lang.Class 的ProtectionDomain getProtectionDomain()

<code><code><code>public ProtectionDomain getProtectionDomain() {//获取某个类的保护域，若类被加载时没有保护域，则返回null

        SecurityManager var1 = System.getSecurityManager();

        if (var1 != null) {

            var1.checkPermission(SecurityConstants.GET_PD_PERMISSION);

        }

        ProtectionDomain var2 = this.getProtectionDomain0();

        if (var2 == null) {

            if (allPermDomain == null) {

                Permissions var3 = new Permissions();

                var3.add(SecurityConstants.ALL_PERMISSION);

                allPermDomain = new ProtectionDomain((CodeSource)null, var3);

            }

            var2 = allPermDomain;

        }

        return var2;

    }</code></code></code>

3.java.Security.ProtectionDomain

<code><code><code>public ProtectionDomain(CodeSource var1, PermissionCollection var2) {//通过代码来源和权限集合构建保护域

        this.codesource = var1;

        if (var2 != null) {

            this.permissions = var2;

            this.permissions.setReadOnly();

            if (var2 instanceof Permissions && ((Permissions)var2).allPermission != null) {

                this.hasAllPerm = true;

            }

        }

        this.classloader = null;

        this.principals = new Principal[0];

        this.staticPermissions = true;

    }

</code></code></code>

<code><code><code>public final CodeSource getCodeSource() {//获取保护域代码来源

        return this.codesource;

    }</code></code></code>

<code><code><code>public boolean implies(Permission var1) {//如果该保护域允许给定的权限，则返回true

        if (this.hasAllPerm) {

            return true;

        } else if (!this.staticPermissions && Policy.getPolicyNoCheck().implies(this, var1)) {

            return true;

        } else {

            return this.permissions != null ? this.permissions.implies(var1) : false;

        }

    }</code></code></code>

4.java.security.CodeSource

<code><code><code>public final Certificate[] getCertificates() {//获取与该代码来源相关联的用于类文件签名的证书链

        if (this.certs != null) {

            return (Certificate[])this.certs.clone();

        } else if (this.signers == null) {

            return null;

        } else {

            ArrayList var1 = new ArrayList();

            for(int var2 = 0; var2 < this.signers.length; ++var2) {

                var1.addAll(this.signers[var2].getSignerCertPath().getCertificates());

            }

            this.certs = (Certificate[])var1.toArray(new Certificate[var1.size()]);

            return (Certificate[])this.certs.clone();

        }

    }</code></code></code>

<code><code><code>public final URL getLocation() {//获取与该代码来源相关联的类文件代码位置

        return this.location;

    }</code></code></code>

3.安全策略文件

策略管理器要读取相应的策略文件（包含了将代码来源映射为权限的指令）

java.policy内容如下主要是配置了java.ext.dirs下所有文件的所有权限

<code><code><code>// Standard extensions get all permissions by default

grant codeBase "file:${{java.ext.dirs}}/*" {

        permission java.security.AllPermission;

};

// default permissions granted to all domains

grant {

        // Allows any thread to stop itself using the java.lang.Thread.stop()

        // method that takes no argument.

        // Note that this permission is granted by default only to remain

        // backwards compatible.

        // It is strongly recommended that you either remove this permission

        // from this policy file or further restrict it to code sources

        // that you specify, because Thread.stop() is potentially unsafe.

        // See the API specification of java.lang.Thread.stop() for more

        // information.

        permission java.lang.RuntimePermission "stopThread";

        // allows anyone to listen on dynamic ports

        permission java.net.SocketPermission "localhost:0", "listen";

        // "standard" properies that can be read by anyone

        permission java.util.PropertyPermission "java.version", "read";

        permission java.util.PropertyPermission "java.vendor", "read";

        permission java.util.PropertyPermission "java.vendor.url", "read";

        permission java.util.PropertyPermission "java.class.version", "read";

        permission java.util.PropertyPermission "os.name", "read";

        permission java.util.PropertyPermission "os.version", "read";

        permission java.util.PropertyPermission "os.arch", "read";

        permission java.util.PropertyPermission "file.separator", "read";

        permission java.util.PropertyPermission "path.separator", "read";

        permission java.util.PropertyPermission "line.separator", "read";

        permission java.util.PropertyPermission "java.specification.version", "read";

        permission java.util.PropertyPermission "java.specification.vendor", "read";

        permission java.util.PropertyPermission "java.specification.name", "read";

        permission java.util.PropertyPermission "java.vm.specification.version", "read";

        permission java.util.PropertyPermission "java.vm.specification.vendor", "read";

        permission java.util.PropertyPermission "java.vm.specification.name", "read";

        permission java.util.PropertyPermission "java.vm.version", "read";

        permission java.util.PropertyPermission "java.vm.vendor", "read";

        permission java.util.PropertyPermission "java.vm.name", "read";

};

</code></code></code>

安全策略文件默认位置是${java.home}/lib/security/java.policy和${user.home}/.java.policy

默认位置可以通过修改java.security文件进行更改。在自己的应用程序中可以显示的配置策略文件（注：java应用程序默认不安装安全管理器，所有看不到策略文件的作用）。两种方法：

一、在main方法内部设置系统属性System.setProperty("java.security.policy","MyApp.policy");

二、通过java -Djava.security.policy=MyApp.policy MyApp 方式启动虚拟机

正如java.policy文件所展示的一样。策略文件中授权方式

<code><code><code>grant codeBase "file:${{java.ext.dirs}}/*" {//典型的策略文件（codeBase后面跟的是url url以“/”结尾则代表目录，否则为jar文件）

        permission java.security.AllPermission;

};</code></code></code>

<code><code><code>grant {//一系列的grant项（这里省略了codeBase 是因为下面的授权使用于所有的代码来源）

        // Allows any thread to stop itself using the java.lang.Thread.stop()

        // method that takes no argument.

        // Note that this permission is granted by default only to remain

        // backwards compatible.

        // It is strongly recommended that you either remove this permission

        // from this policy file or further restrict it to code sources

        // that you specify, because Thread.stop() is potentially unsafe.

        // See the API specification of java.lang.Thread.stop() for more

        // information.

        permission java.lang.RuntimePermission "stopThread";

        // allows anyone to listen on dynamic ports

        permission java.net.SocketPermission "localhost:0", "listen";

        // "standard" properies that can be read by anyone

        permission java.util.PropertyPermission "java.version", "read";

        permission java.util.PropertyPermission "java.vendor", "read";

        permission java.util.PropertyPermission "java.vendor.url", "read";

        permission java.util.PropertyPermission "java.class.version", "read";

        permission java.util.PropertyPermission "os.name", "read";

        permission java.util.PropertyPermission "os.version", "read";

        permission java.util.PropertyPermission "os.arch", "read";

        permission java.util.PropertyPermission "file.separator", "read";

        permission java.util.PropertyPermission "path.separator", "read";

        permission java.util.PropertyPermission "line.separator", "read";

        permission java.util.PropertyPermission "java.specification.version", "read";

        permission java.util.PropertyPermission "java.specification.vendor", "read";

        permission java.util.PropertyPermission "java.specification.name", "read";

        permission java.util.PropertyPermission "java.vm.specification.version", "read";

        permission java.util.PropertyPermission "java.vm.specification.vendor", "read";

        permission java.util.PropertyPermission "java.vm.specification.name", "read";

        permission java.util.PropertyPermission "java.vm.version", "read";

        permission java.util.PropertyPermission "java.vm.vendor", "read";

        permission java.util.PropertyPermission "java.vm.name", "read";

};</code></code></code>

授权（grant）中的格式为 grant codeBase "url"{permission1 权限1全类名 目标1 操作1;permission2 权限2 目标2 操作2;}