
I would like to dynamically load a set of jars or classes (i.e. plugins loaded at runtime). At the same time, I would like to restrict what these plugins are able to do in the JVM. For a test case, I would like to restrict them to pretty much everything (right now I'm just allowing one System.getProperty value to be read).

I am currently using a security policy file, but I'm having difficulty specifying a policy for one folder or package in my codeBase, but not another.

Here is how my policy looks now:

grant codeBase "file:/home/max/programming/java/plugin/plugins/" {
    permission java.util.PropertyPermission "java.version", "read";
};
grant codeBase "file:/home/max/programming/java/plugin/api/" {
    permission java.security.AllPermission;
};

Where (for testing purposes), all files in the plugins package and folder are restricted, but the classes in the api folder are not. Is this possible? Do I have to create a custom class loader? Is there a better way to go about doing this?

Thanks.

Max
  • What do you have in those folders? .class files or .jar files? In order for Java to consider .jar files your codebases should end with /* or /- (for reference, see: http://mindprod.com/jgloss/policyfile.html) – Sami Koivu Apr 13 '10 at 21:56
  • If you really don't trust the plugin code, then you should load it in a different class loader (this is something that has apparently been forgotten, but known in the relatively early days of the Java2 security model...). – Tom Hawtin - tackline Apr 14 '10 at 00:42
  • The answer on this page has been very helpful to me: http://stackoverflow.com/questions/502218/sandbox-against-malicious-code-in-a-java-application – Max Apr 14 '10 at 03:12

1 Answer


This answer solved my problems: Sandbox against malicious code in a Java application

Max
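
An added example (not part of the original question, comments or answer): it uses `java.security.CodeSource.implies`, which applies the trailing `/`, `/*` and `/-` codeBase rules mentioned in the comment above, to test the question's grant against the locations a plugin class could be loaded from. The jar names and the `/*` and `/-` variants of the grant are constructed for illustration.

```java
import java.net.MalformedURLException;
import java.net.URI;
import java.security.CodeSource;
import java.security.cert.Certificate;

public class CodeBaseMatch {
    // Parent directory of the two codeBase entries in the question's policy file.
    static final String ROOT = "file:/home/max/programming/java/plugin/";

    static CodeSource cs(String url) throws MalformedURLException {
        // Unsigned code: no certificates attached to the code source.
        return new CodeSource(URI.create(url).toURL(), (Certificate[]) null);
    }

    /** True if a grant with this codeBase covers code whose CodeSource is at location. */
    static boolean covers(String grantCodeBase, String location) throws MalformedURLException {
        return cs(grantCodeBase).implies(cs(location));
    }

    public static void main(String[] args) throws MalformedURLException {
        String[] grants = {
            ROOT + "plugins/",   // as written in the question
            ROOT + "plugins/*",  // constructed variant: files directly in plugins/
            ROOT + "plugins/-",  // constructed variant: plugins/ and everything below it
        };
        String[] locations = {
            ROOT,                        // .class files when plugin/ is the classpath entry
            ROOT + "plugins/",           // .class files when plugins/ is its own loader URL
            ROOT + "plugins/a.jar",      // constructed jar name
            ROOT + "plugins/sub/b.jar",  // constructed nested jar name
        };
        for (String grant : grants) {
            for (String location : locations) {
                System.out.printf("grant %-50s location %-55s covered=%b%n",
                        grant, location, covers(grant, location));
            }
        }
    }
}
```

None of the grants cover the `plugin/` location, because loose .class files get the CodeSource of the classpath entry they were loaded from rather than of their package folder, so `api` and `plugins` packages under one entry cannot be told apart by codeBase. Loading the plugins from their own directory or jar through their own class loader gives them a CodeSource that a separate grant can match.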