Is there a way to restrict a single class from writing to a file system or calling exec? I have looked at the Java security API and can only find two ways to do it:

1. Restrict the enclosing codebase (which restricts classes I don't want restricted)
2. Create a SecurityManager that will override checkExec() and checkWrite() with methods that search the call stack for the restricted class (seems kinda kludgy to me)

Am I missing something? Is there a better way?

-Anton
Hi Anton, I am sorry but I am not able to understand why we want to restrict "some" class from writing a file whereas others are able to write?? I am not an expert on this but I have a code solution for this if you are able to change the code of the applet downloaded (it's an applet, right?)... What you can do is: if you have a particular class that handles a request for file writing, or a method that handles the request for file writing, then you can pass a boolean variable to indicate if the write should really happen or not. From the calling class you pass 'true' if the class is allowed to write, else pass 'false' if you want that class not to be able to write, and throw an exception... Well, this you also might have thought about, but I am not sure what you have, so I just put down my thoughts... There is another possibility as well: you can have a method enableFileWrite() where you set the above mentioned boolean variable for the class that is actually performing the file write, and then allow other classes to write the file via that File Writer class's method if that boolean variable was set to true previously, you know... do you get what I mean here? I don't think there would be something on a higher level that will allow you to restrict certain classes from writing while allowing others from the same code base... Do you have multiple packages that get downloaded and you want to restrict some other package's class other than your package or something??? Please clarify the exact scenario you have...

regards
maulin
Thanks for the reply. Here is my exact situation: I am using 3rd party scripting interpreters (beanshell/jython) in my code. I do not want an interpreted script to gain access to the filesystem or to execute native commands. Since I do not want to go mucking around with the interpreter source code, the only way I can see to do this is to restrict the interpreter object from performing these actions at the JVM level. I figured I can use the Java security package for this. I have found a way (see original post)... but I was wondering if there was a better or more standard way.
Yeah.. I see what you mean. I thought you had some 3rd party thing, otherwise you wouldn't want to achieve what you are trying to... I don't know about any standard way of achieving it. It seems there is work ahead of you. BTW, I have never done anything with this SecurityManager on my own.. I wish I would learn it someday... interesting problem, huh?

regards
maulin
Your options are based on what you are willing to do:

1) If you do not want to make severe code changes: the Java SecurityManager and the java.policy file are pretty much the standard ways to impose such a restriction. I would suggest using the AccessController (instead of SecurityManager).

2) If you want to make code changes: I suggest pulling out the code that writes to a file and executes OS calls into another class, and have both these classes (one that does the illegal stuff and one that does not do the illegal stuff) implement an interface and expose that interface to your client calls.
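As an added example (not code from anyone in this thread), this is the AccessController approach suggested above applied to Anton's scenario: the interpreter call runs inside a restricted AccessControlContext that grants no permissions, so the JVM denies file writes and exec for that call chain without touching the interpreter source. The `runScript` helper and the Runnable standing in for the interpreter are assumptions for illustration.

```java
import java.io.FileWriter;
import java.io.IOException;
import java.security.AccessControlContext;
import java.security.AccessController;
import java.security.CodeSource;
import java.security.Permissions;
import java.security.PrivilegedAction;
import java.security.ProtectionDomain;

public class SandboxedScript {
    // A context whose single protection domain holds an empty permission set.
    // doPrivileged(action, context) intersects the caller's permissions with
    // this context, so code running under it can never obtain more than nothing.
    private static AccessControlContext noPermissions() {
        Permissions none = new Permissions(); // empty collection: grants nothing
        ProtectionDomain pd = new ProtectionDomain(
                new CodeSource(null, (java.security.cert.Certificate[]) null), none);
        return new AccessControlContext(new ProtectionDomain[] { pd });
    }

    // Hypothetical wrapper around "interpreter.eval(script)": everything the
    // script does, including anything the interpreter calls on its behalf,
    // is checked against the restricted context.
    static String runScript(Runnable script) {
        try {
            AccessController.doPrivileged((PrivilegedAction<Void>) () -> {
                script.run();
                return null;
            }, noPermissions());
            return "completed";
        } catch (SecurityException e) {
            // checkWrite/checkExec failed before the file or process was touched
            return "denied: " + e.getMessage();
        }
    }

    public static void main(String[] args) {
        if (System.getSecurityManager() == null) {
            System.setSecurityManager(new SecurityManager()); // nothing is enforced without one
        }
        // Constructed sample "scripts": one writes a file, one runs a native command.
        System.out.println(runScript(() -> {
            try (FileWriter w = new FileWriter("script-output.txt")) { w.write("x"); }
            catch (IOException e) { throw new RuntimeException(e); }
        }));
        System.out.println(runScript(() -> {
            try { Runtime.getRuntime().exec("echo hi"); }
            catch (IOException e) { throw new RuntimeException(e); }
        }));
    }
}
```

With no policy file the application's own code is also limited to the default java.policy grants, so give the host code its file and exec permissions via a policy (`-Djava.security.policy=...`) while the script stays confined to the empty context. Note that SecurityManager is deprecated for removal since Java 17, must be enabled with `-Djava.security.manager=allow` on Java 18 to 23, and is permanently disabled from Java 24, so this approach only works on older runtimes.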