http://huangyunbin.iteye.com/blog/1942509

AccessController.doPrivileged意思是這個(gè)是特別的,不用做權(quán)限檢查.

在什么地方會(huì)用到呢:加入1.jar中有類可以讀取一個(gè)文件,現(xiàn)在我們要使用1.jar去做這個(gè)事情.但是我們的類本生是沒有權(quán)限去讀取那個(gè)文件的,一般情況下就是眼睜睜的看著了.??

但是jiava提供了doPrivileged.在1.jar中如果讀取文件的方法是通過doPrivileged來實(shí)現(xiàn)的.就不會(huì)有后面的檢查了,現(xiàn)在我們就可以使用1.jar去讀取那個(gè)文件了.

例子:

Java代碼 package huangyunbin.client;import java.io.FilePermission; import java.security.AccessController; import java.security.Permission; import java.security.PrivilegedAction;public class Client {public void doCheck() {AccessController.doPrivileged( new PrivilegedAction() {public Object run() {check();return null ;}} );}private void check() {Permission perm = new FilePermission( "/1.txt" , "read" );AccessController.checkPermission(perm);System.out.println( " TestService has permission " );} }

把這個(gè)類打包成client.jar 放到/home/h/client/下
我們建立個(gè)my.policy文件,文件內(nèi)容是:

Java代碼 grant codeBase "file:/home/h/client/*" {permission java.io.FilePermission "/1.txt","read";};

配置文件的意思是 /home/h/client/下面的jar包或class類 可以讀取/1.txt.


現(xiàn)在我們?cè)賱?chuàng)建一個(gè)項(xiàng)目:創(chuàng)建一個(gè)類來調(diào)用前面的Client

Java代碼public class server {public static void main(String[] args){Client c =new Client();c.doCheck();} }

運(yùn)行這個(gè)server類.注意這里要用上之前的my.policy文件
在vm參數(shù)中寫上這樣的:

Java代碼-Djava.security.manager -Djava.security.policy=/home/h/my.policy

運(yùn)行,結(jié)果是
TestService has permission

在配置文件my.policy中我們沒有允許server去讀取/1.txt,但是現(xiàn)在卻可以正常訪問.這個(gè)就是 AccessController.doPrivileged的作用.

?

===http://www.blogjava.net/Phrancol/articles/259069.html

java.policy

grant?codeBase?"file:/D:/Workspaces/ExchangeConnect_V2_Trunk_Maven_workspace/ServiceCentre/bin/*"?{
????permission?java.io.FilePermission?"c:/TestService-1.0.jar",?"read";
????permission?java.lang.RuntimePermission?"createClassLoader";
};

grant?codeBase?"file:/c:/TestService-1.0.jar"?{
????permission?java.io.FilePermission?"C:/text.txt",?"read";
};

?

Project - ServiceCentre

?

package?test;

import?java.lang.reflect.Method;
import?java.net.URL;
import?java.net.URLClassLoader;

/**?*//**
?*?@author?Donf?Yang
?*/
public?class?ServiceCentreMain?{

????public?void?loadService()?{
????????URL[]?urls;
????????try?{
????????????urls?=?new?URL[]?{?new?URL("file:c:/TestService-1.0.jar")?};
????????????URLClassLoader?ll?=?new?URLClassLoader(urls);
????????????final?Class?a?=?ll.loadClass("test.TestService");
????????????Object?o?=?a.newInstance();
????????????Method?m?=?a.getMethod("doService",?null);
????????????m.invoke(o,?null);

????????}?catch?(Exception?e)?{
????????????e.printStackTrace();
????????}
????}

????/**?*//**
?????*?@param?args
?????*/
????public?static?void?main(String[]?args)?{
????????ServiceCentreMain?s?=?new?ServiceCentreMain();
????????s.loadService();
????}

}

?

?

Project - TestService
將TestService打包，放到C盤

package?test;

import?java.io.FilePermission;
import?java.security.AccessController;
import?java.security.Permission;

/**?*//**
?*?@author?Donf?Yang
?*?
?*/
public?class?TestService?{

????public?void?doService()?{
????????
????????doFileOperation();

????}

????private?void?doFileOperation()?{
????????Permission?perm?=?new?FilePermission("C:/text.txt",?"read");
????????AccessController.checkPermission(perm);
????????System.out.println("TestService?has?permission");
????}

}

運(yùn)行這個(gè)例子的時(shí)候，會(huì)出現(xiàn)權(quán)限錯(cuò)誤，把doService()修改一下，就可以順利通過

public?void?doService()?{

????????//?doFileOperation();

????????AccessController.doPrivileged(new?PrivilegedAction()?{
????????????public?Object?run()?{
????????????????doFileOperation();
????????????????return?null;
????????????}
????????});
????}

在這個(gè)例子中AccessControlContext的stack順序?yàn)?br /> 2. ?file:/D:/Workspaces/ExchangeConnect_V2_Trunk_Maven_workspace/ServiceCentre/bin/*
1?. file:/c:/TestService-1.0.jar

2沒有權(quán)限，1有權(quán)限，使用doPrivileged后，不檢查2



看一下java.security.AccessController的JavaDoc:

A?caller?can?be?marked?as?being?"privileged"?(see?doPrivileged?and?below).?When?making?access?control?decisions,?the?checkPermission?method?stops?checking?if?it?reaches?a?caller?that?was?marked?as?"privileged"?via?a?doPrivileged?call?without?a?context?argument?(see?below?for?information?about?a?context?argument).?If?that?caller's?domain?has?the?specified?permission,?no?further?checking?is?done?and?checkPermission?returns?quietly,?indicating?that?the?requested?access?is?allowed.?If?that?domain?does?not?have?the?specified?permission,?an?exception?is?thrown,?as?usual.?

其中提到的no further checking is done的意思是指stack中的checking

加入一個(gè)TestService2，文件操作在1，stack為(1,2,3為checking順序)
3?. file:/D:/Workspaces/ExchangeConnect_V2_Trunk_Maven_workspace/ServiceCentre/bin/*
2?. file:/c:/TestService-1.0.jar
1.? file:/c:/TestService2-1.0.jar
?checking順序?yàn)? 1->2->3
如果doPrivileged是在2中調(diào)用，那么1,2需要具有權(quán)限，3不再進(jìn)行檢查
如果doPrivileged是在1中調(diào)用，那么1需要具有權(quán)限，2,3不再進(jìn)行檢查


總結(jié)：
1.? 這里容易理解錯(cuò)誤的地方是checking順序，例如一個(gè)調(diào)用鏈 MethodA->MethodB->MethodC（這里的3個(gè)方法需要在3個(gè)不同的ProtectionDomain中），doPrivileged在MethodB中，很容易理解成檢查A,B而不檢查C，實(shí)際上stack中檢查順序?yàn)镃->B->A，也就是檢查C,B而不檢查A

2. ServiceCentre不需要太多權(quán)限，而Service就需要使用doPrivileged來避免受到ServiceCentre的權(quán)限限制（如果service有足夠的權(quán)限），Equinox中有很多這樣的例子（Equinox扮演Service的角色）。

總結(jié)

以上是生活随笔為你收集整理的java 的 AccessController.doPrivileged使用的全部內(nèi)容，希望文章能夠幫你解決所遇到的問題。

如果覺得生活随笔網(wǎng)站內(nèi)容還不錯(cuò)，歡迎將生活随笔推薦給好友。