I built an application that run uploaded user code written in java.
Because that application runs on the server, i wish to run the code written by the users in a safe way, meaning running the code without giving it any permissions to i/o operations, internet, and so on.
I was thinkin of 2 ways to do it:
- Load the jar class from a process with permissions, and than somehow pass the class to the process without the permission:
Problem is on the deserialization, the process without the permission attemp to new the class, but he is not familiar with that class so it crashes with "ClassNotFoundException".
To solve this issue i was thinkin maybe there is a way to add the class to the application classpath (when i'm first loading the class), and than where the other process(that has no permissions) will try to deserialize it, he will be familiar with that class. But how can i achieve this? how can one add a class to the classpath in runtime?
- The second way i was thiknin of only needs one process: I was thinkin about using the classloaders in a way that will read the jar file, and see what libraries it attemps to use, and if it uses something other than what i allow, we won't new that class.
But again, how can one do this? how do you see what classes .class/.jar file attemps to use(is importing)? And also, is this safe enough? there is no way for this classes to hide their imports/write low level code to handle i/o operations without any library?
Aucun commentaire:
Enregistrer un commentaire