我希望我的 SecurityManager 只阻止invoke方法和set字段反射。getDeclaredMethods或类似的应该保持允许。这可能吗?我想阻止更改security私有java.lang.System类的字段,但仍然允许反射。这是我的代码:
public class SecMan extends SecurityManager {
@Override
public void checkPermission(Permission perm) {
if (perm instanceof ReflectPermission) {
// called on setAccessible
// determine whether caller is permitted, but how?
// can't get reference name using getClassContext()
}
}
@Override
public void checkPackageAccess(String pkg) {
if (pkg.startsWith("sun.misc")) {
// do not allow Unsafe, as it could disable my SecurityManager too.
throw new SecurityException();
}
}
@Override
public void checkMemberAccess(Class<?> clazz, int which) {
// not called sadly, deprecated
}
}
特别是,我想阻止此代码:
Method getDeclaredFields0M = Class.class.getDeclaredMethod("getDeclaredFields0", boolean.class);
getDeclaredFields0M.setAccessible(true);
Field[] fields = (Field[]) getDeclaredFields0M.invoke(System.class, false);
Field securityField = null;
for (Field field : fields)
if (field.getName().equals("security")) {
securityField = field;
}
securityField.setAccessible(true);
securityField.set(null, null);