Project Home
JavaDoc API
Downloads
Mailing List
Featured
Class Marshaling - a mobile code on the tip of your finger
POJO State - observe everything everywhere
Fikin Ant Tasks - a directory of wonderful libraries
Search:
Donate to this project Statistics of this project RSS feeds of this project
Java Container
This library makes creation of execution containers for your application very easy and painless.
All source code is released under :
Apache License V2
Latest release and changes :
WHATSNEW
Installation instructions :
INSTALL
If you feel generous, donate and be honored forever :
Donate
If you feel like business, sign up a maintenance contract and be privileged :
Sign-Up
If you feel cool, buy a t-shirt and make a statement :
T-shirt
If you feel like hacking, send me a patch :
Submit patch
If you feel nothing like it don't panic, drink water and hangover will soon be over
Executing Java code in constrained environment is relatively straight forward
task using Java Security API. It actually boils down to two thinks:
Java Applets and Java WebStart are two great examples of running code in constrained environment. But both are separate executable binaries, they are not
In order to get normal Java applications operate in constrained environment one has to enable the security manager
But these permissions are global i.e. they will be valid for any code running within that same JVM.
Now, how about if you have some unknown code you want to run from your application?
Apparently the code should be executed in a constrained environment (in order to protect yourself).
Security manager would allow you to do that. This is the easy part.
The problem comes with the assembling of permission sets. You'd have to do that manually.
Why? Because there is no interface able to read policy files at your disposal.
The only available is built-in in Sun's security framework and there is no publicly available interface.
For addressing this and few more problems, this library is.
- Enabling
java.security.managerupon startup of your application - Executing the constrained code via
java.security.AccessController.doPrivileged(XXX)method
Java Applets and Java WebStart are two great examples of running code in constrained environment. But both are separate executable binaries, they are not
java.In order to get normal Java applications operate in constrained environment one has to enable the security manager
-Djava.security.manager and
provide a policy file -Djava.security.policy=<some url> upon
JVM startup.But these permissions are global i.e. they will be valid for any code running within that same JVM.
Now, how about if you have some unknown code you want to run from your application?
Apparently the code should be executed in a constrained environment (in order to protect yourself).
Security manager would allow you to do that. This is the easy part.
The problem comes with the assembling of permission sets. You'd have to do that manually.
Why? Because there is no interface able to read policy files at your disposal.
The only available is built-in in Sun's security framework and there is no publicly available interface.
For addressing this and few more problems, this library is.
Using the library is rather straight forward:
Passing different codebase
In order to
import java.net.URL;
import net.sf.container.Container;
import net.sf.container.imp.CodebaseFactory;
URL policyUrl = new URL( "file://myPermissions.policy" );
CodebaseFactory factory = new CodebaseFactory( policyURL );
Container sandbox = factory.newContainer( "file://no.domain/sandbox" );
Runnable myAction = ...;
sandbox.doPrivileged( myAction );
...
"file://myPermissions.policy" content is:
grant codeBase "file://no.domain/sandbox" {
permission java.util.PropertyPermission "java.version", "read";
};
grant codeBase "file://${java.home}/no.domain/trusted" {
permission java.util.PropertyPermission "java.path", "read";
permission java.util.PropertyPermission "java.version", "read";
};
Passing different codebase
factory.newContainer( "file://no.domain/sandbox" )myAction in "trusted" type of environment.In order to
Container:
Container objects are abstracting execution of custom code in a constrained environment. The exact set of permissions is defined during their instantiation.
ContainerFactory:
ContainerFactory objects are abstracting creation of
Typically they are instantiated with an input policy file, outlining all permission sets one would need.
One can instantiate a varying set of
Currently available are
PolicyParser:
PolicyParser objects are abstracting parsing of various policy-file formats.
As Java Security Policy file format presumably would not be the only one file format to express policy rules, implementing this interface would integrate it within the library.
Currently available is
Container objects are abstracting execution of custom code in a constrained environment. The exact set of permissions is defined during their instantiation.
ContainerFactory:
ContainerFactory objects are abstracting creation of
Container objects in a configurable manner.Typically they are instantiated with an input policy file, outlining all permission sets one would need.
One can instantiate a varying set of
Container object by
passing various permissionsCriteria to
ContainerFactory.newContainer(Object permissionsCriteria)ContainerFactory implementation.Currently available are
net.sf.container.imp.CodebaseFactory and
net.sf.container.imp.CertificateAuthorityFactory implementations.PolicyParser:
PolicyParser objects are abstracting parsing of various policy-file formats.
As Java Security Policy file format presumably would not be the only one file format to express policy rules, implementing this interface would integrate it within the library.
Currently available is
net.sf.container.imp.PolicyFileParser
implementation.
©2006-2007 Nikolay Fiykov
