0

我希望我的 SecurityManager 只阻止invoke方法和set字段反射。getDeclaredMethods或类似的应该保持允许。这可能吗?我想阻止更改security私有java.lang.System类的字段,但仍然允许反射。这是我的代码:

public class SecMan extends SecurityManager {

  @Override
  public void checkPermission(Permission perm) {
    if (perm instanceof ReflectPermission) {
      // called on setAccessible
      // determine whether caller is permitted, but how? 
      // can't get reference name using getClassContext()
    }
  }

  @Override
  public void checkPackageAccess(String pkg) {
    if (pkg.startsWith("sun.misc")) {
      // do not allow Unsafe, as it could disable my SecurityManager too.
      throw new SecurityException();
    }
  }

  @Override
  public void checkMemberAccess(Class<?> clazz, int which) {
    // not called sadly, deprecated
  }
}

特别是,我想阻止此代码:

      Method getDeclaredFields0M = Class.class.getDeclaredMethod("getDeclaredFields0", boolean.class);
      getDeclaredFields0M.setAccessible(true);
      Field[] fields = (Field[]) getDeclaredFields0M.invoke(System.class, false);
      Field securityField = null;
      for (Field field : fields)
        if (field.getName().equals("security")) {
          securityField = field;
        }
      securityField.setAccessible(true);
      securityField.set(null, null);
4

0 回答 0