After implementing my platform to have the ability to load jar files dynamically using reflection, I come across a security issue. The jar file could be 'dangerous' and contain code that could effect things, therefore I come across on SO the use of using a SecurityManager.
I am loading the jar file like this (example of hard coded file):
URLClassLoader clsLoader = URLClassLoader
.newInstance(new URL[] { new URL("file:/C://Temp/SettingsApp.jar") });
Class<?> cls = clsLoader.loadClass("iezon.app.SettingsApp");
JPanel settingsApp = (JPanel) cls.newInstance();
I have tried to use the SecurityManager like so:
try {
SecurityManager sm = new SecurityManager();
Object context = sm.getSecurityContext();
sm.checkPermission(new AllPermission(), context);
settingsAppPanel = (JPanel) cls.newInstance();
} catch (AccessControlException e) {
e.printStackTrace();
}
The test with AllPermission() works and gives me this exception:
java.security.AccessControlException: access denied ("java.security.AllPermission" "" "")
However, I am unable to find any information on how to bind the jar file to this security manager and not the current platform. I just don't want the jar file to be able to open sockets, etc.. without firstly requesting permissions that the user can then accept.
I stumbled across BasicPermission, however, this is an abstract class and cannot be instanced like the AllPermission and likewise, I am unable to find any information on approaching this. Any help would be appreciated!
Aucun commentaire:
Enregistrer un commentaire