我正在尝试执行安全策略,为由某个签名者签名的 Java 类提供某些权限。我的安全策略文件如下所示:
// ========== SYSTEM CODE PERMISSIONS =========================================
grant codeBase "file:${java.home}/conf/*" {
permission java.security.AllPermission;
};
// These permissions apply to all shared system extensions
grant codeBase "file:${java.home}/jre/lib/ext/*" {
permission java.security.AllPermission;
};
// These permissions apply to all shared system extensions
grant codeBase "file:${java.home}/lib/ext/*" {
permission java.security.AllPermission;
};
// ========== CLASS PERMISSIONS =========================================
keystore "file:/C:/Program Files/Java/openjdk-12/lib/security/cacerts";
keystorePasswordURL "file:/C:/Shared/Team/java-jar-signed/keystore.password";
grant signedBy "mycompany" {
permission java.security.AllPermission;
permission java.io.FilePermission "C:\\*", "read,write,execute";
permission java.io.FilePermission "C:\\", "read,write,execute";
};
Keystorecacerts包含一个别名为 的证书mycompany。用于测试安全策略的 JAR 文件已使用该证书的私钥签名。当我执行 JAR 文件时
java -Djava.security.manager -Djava.security.policy=rules.policy -Djava.security.debug=access -cp ReadC-signed.jar ReadC
我明白了
access: access denied ("java.io.FilePermission" "C:\" "read")
当我使用codeBase "path/to/jar"而不是它时,signedBy "mycompany"它工作得很好。有人知道这里可能出了什么问题吗?