java - AccessController doPrivileged 可以在未授予 modifyThreadGroup 时创建线程吗？

Question

我试图禁止在 AccessController.doPriviliged() 方法中创建线程。下面的方法创建并运行线程。我用 -Djava.security.manager 运行它。根据此链接，如果未授予 modifyThreadGroup，则应禁止创建线程？

http://docs.oracle.com/javase/7/docs/technotes/guides/security/permissions.html

谁能告诉我为什么会发生这种情况以及禁止使用 AccessController 创建线程的正确方法？

// .java.policy in $UserHome:

grant codeBase "file:/C:/-" {
    permission java.security.AllPermission;
};


public class ThreadTest {
  public void testModifyThreadGroup() {

    // grant no permissions
    Permissions perms = new Permissions();

    ProtectionDomain domain = new ProtectionDomain(
            new CodeSource( null, (Certificate[]) null ), perms );
    AccessControlContext _accessControlContext = new AccessControlContext(
            new ProtectionDomain[] { domain } );

    try {
        AccessController.doPrivileged(new PrivilegedExceptionAction(){
            @Override
            public Object run() {
                try {
                    // modifyThreadGroup not granted, so should not be able
                    // to call Thread constructor???
                    Thread t = new Thread(new Runnable() {
                        @Override
                        public void run() {
                            System.out.println("Thread.run()");
                        }
                    });
                    t.run();
                } catch (Exception ex) {
                    System.out.println("Error running thread: " + ex);
                }
                return null;
        }}, _accessControlContext);
    } catch(Exception e) {
        System.out.println("Access Error running doPrivileged: " + e);
    }
  }
}

Answer 1

创建或启动线程时所做的唯一检查是检查调用线程是否有权修改线程组。这并不像您想象的那样检查调用线程是否具有“modifyThreadGroup”权限。

相反，它的作用 (by default) 是始终授予访问权限，除非所讨论的线程组是系统线程组，在这种情况下会检查“modifyThreadGroup”权限。有问题的线程组几乎从来不是系统线程组。

您必须使用您自己的实现来扩展 SecurityManager 并进行一些您自己的检查。您可能应该自己制定新的许可。作为一个例子，我使用一个现有的权限实现了一个 hack，我知道在默认策略下线程将拥有 (exitVM):

import java.security.AccessControlContext;
import java.security.AccessController;
import java.security.CodeSource;
import java.security.Permissions;
import java.security.PrivilegedExceptionAction;
import java.security.ProtectionDomain;
import java.security.cert.Certificate;

public class QuickTest {

    public static class NoThreadsSecurityManager extends SecurityManager {

        public void checkAccess(ThreadGroup g) {
            super.checkAccess(g);
            checkPermission(new RuntimePermission("exitVM"));
        }

    }

    public static class SimpleRunnable implements PrivilegedExceptionAction<Object> {
        @Override
        public Object run() {
            try {
                Thread t = new Thread(new Runnable() {
                    @Override
                    public void run() {
                        System.out.println("Thread.run()");
                    }
                });
                t.start();
                t.join();
            } catch (Exception ex) {
                System.out.println("Error running thread: " + ex);
            }
            return null;
        }
    }

    public void testModifyThreadGroup() {

        // grant no permissions
        Permissions perms = new Permissions();

        ProtectionDomain domain = new ProtectionDomain(new CodeSource(null, (Certificate[]) null), perms);
        AccessControlContext _accessControlContext = new AccessControlContext(new ProtectionDomain[] { domain });

        try {
            AccessController.doPrivileged(new SimpleRunnable(), _accessControlContext);
        } catch (Exception e) {
            System.out.println("Access Error running doPrivileged: " + e);
        }

        new SimpleRunnable().run();

    }

    public static void main(String[] args) {
        System.setSecurityManager(new NoThreadsSecurityManager());
        new QuickTest().testModifyThreadGroup();
    }

}