Tomcat 8 Source Code Study, Part 3: SecurityClassLoad
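About Java's SecurityManager
By default, the JVM does not enable the SecurityManager. To turn it on, specify -Djava.security.manager at startup. To also specify a policy file for your application, add one more parameter: -Djava.security.policy=/path/to/my.policy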
SecurityClassLoad in Tomcat
To load classes safely, Tomcat uses org.apache.catalina.security.SecurityClassLoad to preload its own core classes (when the SecurityManager is enabled, which is done with Tomcat's -security option), so that an AccessControlException for a RuntimePermission is not triggered later.
Error
While debugging, I enabled -Djava.security.manager:
-Dcatalina.home=/ihome/java/tomcat/apache-tomcat-8.0.36-src
-Dcatalina.base=/ihome/java/tomcat/apache-tomcat-8.0.36-src
-Djava.endorsed.dirs=/ihome/java/tomcat/apache-tomcat-8.0.36-src/endorsed
-Djava.io.tmpdir=/ihome/java/tomcat/apache-tomcat-8.0.36-src/temp
-Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager
-Djava.util.logging.config.file=/ihome/java/tomcat/apache-tomcat-8.0.36-src/conf/logging.properties
-Djava.security.manager
-Djava.security.policy=/ihome/java/tomcat/apache-tomcat-8.0.36-src/conf/catalina.policy
-Didea.launcher.bin.path=/ihome/java/ide/idea-IU-145.258.11/bin
and got the following error:
Connected to the target VM, address: '127.0.0.1:43769', transport: 'socket'
Exception in thread "main" java.lang.ExceptionInInitializerError
at org.apache.juli.logging.LogFactory.getInstance(LogFactory.java:115)
at org.apache.juli.logging.LogFactory.getInstance(LogFactory.java:137)
at org.apache.juli.logging.LogFactory.getLog(LogFactory.java:188)
at org.apache.catalina.startup.Bootstrap.<clinit>(Bootstrap.java:52)
Caused by: java.security.AccessControlException: access denied ("java.util.PropertyPermission" "java.util.logging.config.class" "read")
at java.security.AccessControlContext.checkPermission(AccessControlContext.java:472)
at java.security.AccessController.checkPermission(AccessController.java:884)
at java.lang.SecurityManager.checkPermission(SecurityManager.java:549)
at java.lang.SecurityManager.checkPropertyAccess(SecurityManager.java:1294)
at java.lang.System.getProperty(System.java:717)
at org.apache.juli.logging.DirectJDKLog.<clinit>(DirectJDKLog.java:40)
... 4 more
Solution:
Following the hints in the error, add the corresponding Permission entries to the catalina.policy file. My environment is Ubuntu 14.04 LTS 64-bit with JDK 1.8. The modified policy file is:
// Licensed to the Apache Software Foundation (ASF) under one or more
// contributor license agreements. See the NOTICE file distributed with
// this work for additional information regarding copyright ownership.
// The ASF licenses this file to You under the Apache License, Version 2.0
// (the "License"); you may not use this file except in compliance with
// the License. You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
// ============================================================================
// catalina.policy - Security Policy Permissions for Tomcat
//
// This file contains a default set of security policies to be enforced (by the
// JVM) when Catalina is executed with the "-security" option. In addition
// to the permissions granted here, the following additional permissions are
// granted to each web application:
//
// * Read access to the web application's document root directory
// * Read, write and delete access to the web application's working directory
// ============================================================================
// ========== SYSTEM CODE PERMISSIONS =========================================
// These permissions apply to javac
grant codeBase "file:${java.home}/lib/-" {
permission java.security.AllPermission;
};
// These permissions apply to all shared system extensions
grant codeBase "file:${java.home}/jre/lib/ext/-" {
permission java.security.AllPermission;
};
// These permissions apply to javac when ${java.home} points at $JAVA_HOME/jre
grant codeBase "file:${java.home}/../lib/-" {
permission java.security.AllPermission;
};
// These permissions apply to all shared system extensions when
// ${java.home} points at $JAVA_HOME/jre
grant codeBase "file:${java.home}/lib/ext/-" {
permission java.security.AllPermission;
};
// ========== CATALINA CODE PERMISSIONS =======================================
// These permissions apply to the daemon code
grant codeBase "file:${catalina.home}/bin/commons-daemon.jar" {
permission java.security.AllPermission;
};
// These permissions apply to the logging API
// Note: If tomcat-juli.jar is in ${catalina.base} and not in ${catalina.home},
// update this section accordingly.
// grant codeBase "file:${catalina.base}/bin/tomcat-juli.jar" {..}
grant codeBase "file:${catalina.home}/bin/tomcat-juli.jar" {
permission java.security.AllPermission;
};
// These permissions apply to the server startup code
grant codeBase "file:${catalina.home}/bin/bootstrap.jar" {
permission java.security.AllPermission;
};
// These permissions apply to the servlet API classes
// and those that are shared across all class loaders
// located in the "lib" directory
grant codeBase "file:${catalina.home}/lib/-" {
permission java.security.AllPermission;
};
// If using a per instance lib directory, i.e. ${catalina.base}/lib,
// then the following permission will need to be uncommented
// grant codeBase "file:${catalina.base}/lib/-" {
// permission java.security.AllPermission;
// };
// ========== WEB APPLICATION PERMISSIONS =====================================
// These permissions are granted by default to all web applications
// In addition, a web application will be given a read FilePermission
// for all files and directories in its document root.
grant {
// Required for JNDI lookup of named JDBC DataSource's and
// javamail named MimePart DataSource used to send mail
permission java.util.PropertyPermission "java.home", "read";
permission java.util.PropertyPermission "java.naming.*", "read";
permission java.util.PropertyPermission "javax.sql.*", "read";
// OS Specific properties to allow read access
permission java.util.PropertyPermission "os.name", "read";
permission java.util.PropertyPermission "os.version", "read";
permission java.util.PropertyPermission "os.arch", "read";
permission java.util.PropertyPermission "file.separator", "read";
permission java.util.PropertyPermission "path.separator", "read";
permission java.util.PropertyPermission "line.separator", "read";
// JVM properties to allow read access
permission java.util.PropertyPermission "java.version", "read";
permission java.util.PropertyPermission "java.vendor", "read";
permission java.util.PropertyPermission "java.vendor.url", "read";
permission java.util.PropertyPermission "java.class.version", "read";
permission java.util.PropertyPermission "java.specification.version", "read";
permission java.util.PropertyPermission "java.specification.vendor", "read";
permission java.util.PropertyPermission "java.specification.name", "read";
permission java.util.PropertyPermission "java.vm.specification.version", "read";
permission java.util.PropertyPermission "java.vm.specification.vendor", "read";
permission java.util.PropertyPermission "java.vm.specification.name", "read";
permission java.util.PropertyPermission "java.vm.version", "read";
permission java.util.PropertyPermission "java.vm.vendor", "read";
permission java.util.PropertyPermission "java.vm.name", "read";
// Required for OpenJMX
permission java.lang.RuntimePermission "getAttribute";
// Allow read of JAXP compliant XML parser debug
permission java.util.PropertyPermission "jaxp.debug", "read";
// All JSPs need to be able to read this package
permission java.lang.RuntimePermission "accessClassInPackage.org.apache.tomcat";
// Precompiled JSPs need access to these packages.
permission java.lang.RuntimePermission "accessClassInPackage.org.apache.jasper.el";
permission java.lang.RuntimePermission "accessClassInPackage.org.apache.jasper.runtime";
permission java.lang.RuntimePermission
"accessClassInPackage.org.apache.jasper.runtime.*";
// Precompiled JSPs need access to these system properties.
permission java.util.PropertyPermission
"org.apache.jasper.runtime.BodyContentImpl.LIMIT_BUFFER", "read";
permission java.util.PropertyPermission
"org.apache.el.parser.COERCE_TO_ZERO", "read";
// The cookie code needs these.
permission java.util.PropertyPermission
"org.apache.catalina.STRICT_SERVLET_COMPLIANCE", "read";
permission java.util.PropertyPermission
"org.apache.tomcat.util.http.ServerCookie.STRICT_NAMING", "read";
permission java.util.PropertyPermission
"org.apache.tomcat.util.http.ServerCookie.FWD_SLASH_IS_SEPARATOR", "read";
// Applications using Comet need to be able to access this package
permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.comet";
// Applications using WebSocket need to be able to access these packages
permission java.lang.RuntimePermission "accessClassInPackage.org.apache.tomcat.websocket";
permission java.lang.RuntimePermission "accessClassInPackage.org.apache.tomcat.websocket.server";
// by sky start ---
permission java.util.PropertyPermission "java.util.logging.config.class", "read";
permission java.util.PropertyPermission "java.util.logging.config.file", "read";
permission java.util.PropertyPermission "user.dir", "read";
permission java.util.PropertyPermission "user.home", "read";
permission java.util.PropertyPermission "java.*", "read";
permission java.util.PropertyPermission "javax.*", "read";
permission java.util.PropertyPermission "javax.net.ssl.trustStore", "read";
permission java.util.PropertyPermission "org.apache.juli.AsyncOverflowDropType", "read";
permission java.util.PropertyPermission "org.apache.juli.AsyncMaxRecordCount", "read";
permission java.util.PropertyPermission "org.apache.juli.AsyncLoggerPollInterval", "read";
permission java.util.PropertyPermission "org.apache.tomcat.*", "read";
permission java.util.PropertyPermission "catalina.base", "read";
permission java.util.PropertyPermission "catalina.base", "write";
permission java.util.PropertyPermission "catalina.home", "read";
permission java.util.PropertyPermission "catalina.home", "write";
permission java.util.PropertyPermission "catalina.*", "read";
permission java.util.PropertyPermission "catalina.useNaming", "write";
permission java.util.PropertyPermission "java.naming.factory.url.pkgs", "write";
permission java.util.PropertyPermission "java.naming.factory.initial", "write";
permission java.util.PropertyPermission "java.io.tmpdir", "read";
permission java.util.PropertyPermission "org.apache.tomcat.util.digester.PROPERTY_SOURCE", "read";
permission java.util.PropertyPermission "org.apache.catalina.*", "read";
permission java.util.PropertyPermission "tomcat.util.*", "read";
permission java.lang.RuntimePermission "shutdownHooks";
permission java.lang.RuntimePermission "setContextClassLoader";
//permission java.lang.RuntimePermission "accessClassInPackage.org.apache.tomcat.util.digester";
permission java.lang.RuntimePermission "accessClassInPackage.org.apache.tomcat";
permission java.lang.RuntimePermission "accessClassInPackage.org.apache.tomcat.*";
permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.startup";
permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina";
permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.*";
permission java.lang.RuntimePermission "accessClassInPackage.org.apache.coyote";
permission java.lang.RuntimePermission "accessClassInPackage.org.apache.coyote.*";
permission java.lang.RuntimePermission "accessClassInPackage.sun.misc";
permission java.lang.RuntimePermission "accessClassInPackage.sun.misc.*";
permission java.lang.RuntimePermission "setIO";
permission java.lang.RuntimePermission "accessDeclaredMembers";
permission java.lang.RuntimePermission "org.apache.naming.ContextAccessController.setSecurityToken";
permission java.lang.RuntimePermission "org.apache.naming.factory.ResourceLinkFactory.setGlobalContext";
permission java.lang.RuntimePermission "modifyThread";
permission java.io.FilePermission "/usr/java/packages/lib/amd64/liblibtcnative-1.so", "read";
permission java.io.FilePermission "/usr/java/packages/lib/amd64/libtcnative-1.so", "read";
permission java.io.FilePermission "/usr/lib64/liblibtcnative-1.so", "read";
permission java.io.FilePermission "/usr/lib64/libtcnative-1.so", "read";
permission java.io.FilePermission "/lib64/liblibtcnative-1.so", "read";
permission java.io.FilePermission "/lib64/libtcnative-1.so", "read";
permission java.io.FilePermission "/lib/liblibtcnative-1.so", "read";
permission java.io.FilePermission "/lib/libtcnative-1.so", "read";
permission java.io.FilePermission "/usr/lib/liblibtcnative-1.so", "read";
permission java.io.FilePermission "/usr/lib/libtcnative-1.so", "read";
permission java.util.logging.LoggingPermission "control";
permission java.util.PropertyPermission "org.apache.coyote.USE_CUSTOM_STATUS_MSG_IN_HEADER", "read";
permission java.util.PropertyPermission "org.apache.tomcat.util.http.FastHttpDateFormat.CACHE_SIZE", "read";
permission java.security.SecurityPermission "getProperty.package.definition";
permission java.security.SecurityPermission "setProperty.package.definition";
permission java.security.SecurityPermission "getProperty.package.access";
permission java.security.SecurityPermission "setProperty.package.access";
permission javax.security.auth.AuthPermission "getPolicy";
permission java.lang.management.ManagementPermission "monitor";
permission javax.management.MBeanServerPermission "findMBeanServer";
permission javax.management.MBeanServerPermission "createMBeanServer";
permission javax.management.MBeanPermission "org.apache.tomcat.*", "registerMBean,unregisterMBean";
permission javax.management.MBeanPermission "org.apache.catalina.*", "registerMBean,unregisterMBean";
permission javax.management.MBeanPermission "-#-[-]", "queryNames";
permission javax.management.MBeanTrustPermission "register";
permission java.net.SocketPermission "localhost:8080", "listen,resolve";
permission java.net.SocketPermission "localhost:8009", "listen,resolve";
// by sky end ---
};
// These permissions apply to the daemon code
grant codeBase "file:${catalina.home}/-" {
permission java.security.AllPermission;
};
// The Manager application needs access to the following packages to support the
// session display functionality. These settings support the following
// configurations:
// - default CATALINA_HOME == CATALINA_BASE
// - CATALINA_HOME != CATALINA_BASE, per instance Manager in CATALINA_BASE
// - CATALINA_HOME != CATALINA_BASE, shared Manager in CATALINA_HOME
grant codeBase "file:${catalina.base}/webapps/manager/-" {
permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina";
permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.ha.session";
permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.manager";
permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.manager.util";
permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.util";
};
grant codeBase "file:${catalina.home}/webapps/manager/-" {
permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina";
permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.ha.session";
permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.manager";
permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.manager.util";
permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.util";
};
// You can assign additional permissions to particular web applications by
// adding additional "grant" entries here, based on the code base for that
// application, /WEB-INF/classes/, or /WEB-INF/lib/ jar files.
//
// Different permissions can be granted to JSP pages, classes loaded from
// the /WEB-INF/classes/ directory, all jar files in the /WEB-INF/lib/
// directory, or even to individual jar files in the /WEB-INF/lib/ directory.
//
// For instance, assume that the standard "examples" application
// included a JDBC driver that needed to establish a network connection to the
// corresponding database and used the scrape taglib to get the weather from
// the NOAA web server. You might create a "grant" entries like this:
//
// The permissions granted to the context root directory apply to JSP pages.
// grant codeBase "file:${catalina.base}/webapps/examples/-" {
// permission java.net.SocketPermission "dbhost.mycompany.com:5432", "connect";
// permission java.net.SocketPermission "*.noaa.gov:80", "connect";
// };
//
// The permissions granted to the context WEB-INF/classes directory
// grant codeBase "file:${catalina.base}/webapps/examples/WEB-INF/classes/-" {
// };
//
// The permission granted to your JDBC driver
// grant codeBase "jar:file:${catalina.base}/webapps/examples/WEB-INF/lib/driver.jar!/-" {
// permission java.net.SocketPermission "dbhost.mycompany.com:5432", "connect";
// };
// The permission granted to the scrape taglib
// grant codeBase "jar:file:${catalina.base}/webapps/examples/WEB-INF/lib/scrape.jar!/-" {
// permission java.net.SocketPermission "*.noaa.gov:80", "connect";
// };
From this policy file we can also see which permissions Tomcat as a whole needs once the SecurityManager is enabled, which gives a rough overall picture.
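An added example (not part of the original post or of Tomcat): a small Python audit of the policy above. The bare grant { ... } block is, per the file's own comment, granted to every web application, and a recursive /- codeBase with AllPermission can reach webapps/; the excerpt is constructed from lines of the policy above, and the list of permissions treated as sensitive is this example's own choice.

```python
import re

# Constructed excerpt: every line is taken from the modified catalina.policy above.
SAMPLE_POLICY = r'''
grant codeBase "file:${catalina.home}/bin/bootstrap.jar" {
    permission java.security.AllPermission;
};
grant {
    permission java.util.PropertyPermission "os.name", "read";
    permission java.util.PropertyPermission "catalina.home", "write";
    permission java.lang.RuntimePermission "setContextClassLoader";
    permission java.lang.RuntimePermission "accessDeclaredMembers";
    permission java.lang.RuntimePermission "accessClassInPackage.sun.misc";
    permission java.lang.RuntimePermission "setIO";
    permission java.security.SecurityPermission "setProperty.package.access";
    permission java.net.SocketPermission "localhost:8080", "listen,resolve";
};
grant codeBase "file:${catalina.home}/-" {
    permission java.security.AllPermission;
};
'''

# Assumption: grant entries use only an optional codeBase (no signedBy/principal).
GRANT_RE = re.compile(r'grant\s*(?:codeBase\s+"([^"]*)")?\s*\{(.*?)\}\s*;', re.S)
PERM_RE = re.compile(r'permission\s+([\w.$]+)(?:\s+"([^"]*)")?(?:\s*,\s*"([^"]*)")?\s*;')
# Non-exhaustive list chosen for this example.
RISKY_RUNTIME = {"setContextClassLoader", "accessDeclaredMembers", "setIO",
                 "modifyThread", "createClassLoader", "setSecurityManager"}
WEBAPP_ROOTS = ("file:${catalina.home}/webapps/", "file:${catalina.base}/webapps/")

def parse_policy(text):
    """Yield (codeBase or None, [(class, name, [actions]), ...]) per grant entry."""
    lines = [l for l in text.splitlines() if not l.strip().startswith("//")]
    for code_base, body in GRANT_RE.findall("\n".join(lines)):
        perms = [(c, n, a.split(",") if a else [])
                 for c, n, a in PERM_RE.findall(body)]
        yield (code_base or None), perms

def is_risky(cls, name, actions):
    short = cls.rsplit(".", 1)[-1]
    if short == "AllPermission":
        return True
    if short == "RuntimePermission":
        return name in RISKY_RUNTIME or name.startswith("accessClassInPackage.sun.")
    if short == "SecurityPermission":
        return name.startswith("setProperty.")
    if short == "PropertyPermission":
        return "write" in actions
    return False

def covers_webapps(code_base):
    """True when a recursive codeBase ("/-") contains a webapps directory."""
    if not code_base.endswith("/-"):
        return False
    prefix = code_base[:-1]
    return any(root.startswith(prefix) for root in WEBAPP_ROOTS)

def audit(text):
    findings = []
    for code_base, perms in parse_policy(text):
        for cls, name, actions in perms:
            if code_base is None and is_risky(cls, name, actions):
                findings.append(("global grant", f"{cls} {name} {','.join(actions)}".strip()))
            elif code_base and cls.endswith("AllPermission") and covers_webapps(code_base):
                findings.append((code_base, "AllPermission reaches webapps/"))
    return findings

if __name__ == "__main__":
    for scope, what in audit(SAMPLE_POLICY):
        print(f"{scope}: {what}")
```

Permissions that only Tomcat's own classes need belong in a grant entry whose codeBase names those classes, not in the bare grant block.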
The command for starting from the command line:
╭─sky@sky-linux /ihome/java/tomcat/apache-tomcat-8.0.36-src/target/classes
╰─➤ java -Dcatalina.home=/ihome/java/tomcat/apache-tomcat-8.0.36-src -Dcatalina.base=/ihome/java/tomcat/apache-tomcat-8.0.36-src -Djava.endorsed.dirs=/ihome/java/tomcat/apache-tomcat-8.0.36-src/endorsed -Djava.io.tmpdir=/ihome/java/tomcat/apache-tomcat-8.0.36-src/temp -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager -Djava.util.logging.config.file=/ihome/java/tomcat/apache-tomcat-8.0.36-src/conf/logging.properties -Djava.security.manager -Djava.security.policy=/ihome/java/tomcat/apache-tomcat-8.0.36-src/conf/catalina.policy -Didea.launcher.bin.path=/ihome/java/ide/idea-IU-145.258.11/bin org.apache.catalina.startup.Bootstrap
28-Jun-2016 11:58:47.274 WARNING [main] org.apache.catalina.startup.ClassLoaderFactory.validateFile Problem with directory [/ihome/java/tomcat/apache-tomcat-8.0.36-src/lib], exists: [false], isDirectory: [false], canRead: [false]
28-Jun-2016 11:58:47.275 WARNING [main] org.apache.catalina.startup.ClassLoaderFactory.validateFile Problem with directory [/ihome/java/tomcat/apache-tomcat-8.0.36-src/lib], exists: [false], isDirectory: [false], canRead: [false]
28-Jun-2016 11:58:47.275 WARNING [main] org.apache.catalina.startup.ClassLoaderFactory.validateFile Problem with directory [/ihome/java/tomcat/apache-tomcat-8.0.36-src/lib], exists: [false], isDirectory: [false], canRead: [false]
28-Jun-2016 11:58:47.275 WARNING [main] org.apache.catalina.startup.ClassLoaderFactory.validateFile Problem with directory [/ihome/java/tomcat/apache-tomcat-8.0.36-src/lib], exists: [false], isDirectory: [false], canRead: [false]
28-Jun-2016 11:58:47.536 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Server version: Apache Tomcat/@VERSION@
28-Jun-2016 11:58:47.536 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Server built: @VERSION_BUILT@
28-Jun-2016 11:58:47.536 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Server number: @VERSION_NUMBER@
28-Jun-2016 11:58:47.536 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log OS Name: Linux
28-Jun-2016 11:58:47.536 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log OS Version: 3.19.0-32-generic
28-Jun-2016 11:58:47.536 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Architecture: amd64
28-Jun-2016 11:58:47.537 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Java Home: /ihome/java/jdk/jdk1.8.0_60/jre
28-Jun-2016 11:58:47.537 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log JVM Version: 1.8.0_60-b27
28-Jun-2016 11:58:47.537 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log JVM Vendor: Oracle Corporation
28-Jun-2016 11:58:47.537 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log CATALINA_BASE: /ihome/java/tomcat/apache-tomcat-8.0.36-src
28-Jun-2016 11:58:47.537 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log CATALINA_HOME: /ihome/java/tomcat/apache-tomcat-8.0.36-src
28-Jun-2016 11:58:47.537 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Dcatalina.home=/ihome/java/tomcat/apache-tomcat-8.0.36-src
28-Jun-2016 11:58:47.537 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Dcatalina.base=/ihome/java/tomcat/apache-tomcat-8.0.36-src
28-Jun-2016 11:58:47.537 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Djava.endorsed.dirs=/ihome/java/tomcat/apache-tomcat-8.0.36-src/endorsed
28-Jun-2016 11:58:47.537 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Djava.io.tmpdir=/ihome/java/tomcat/apache-tomcat-8.0.36-src/temp
28-Jun-2016 11:58:47.537 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager
28-Jun-2016 11:58:47.537 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Djava.util.logging.config.file=/ihome/java/tomcat/apache-tomcat-8.0.36-src/conf/logging.properties
28-Jun-2016 11:58:47.538 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Djava.security.manager
28-Jun-2016 11:58:47.538 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Djava.security.policy=/ihome/java/tomcat/apache-tomcat-8.0.36-src/conf/catalina.policy
28-Jun-2016 11:58:47.538 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Didea.launcher.bin.path=/ihome/java/ide/idea-IU-145.258.11/bin
28-Jun-2016 11:58:47.538 INFO [main] org.apache.catalina.core.AprLifecycleListener.lifecycleEvent The APR based Apache Tomcat Native library which allows optimal performance in production environments was not found on the java.library.path: /usr/java/packages/lib/amd64:/usr/lib64:/lib64:/lib:/usr/lib
28-Jun-2016 11:58:47.625 INFO [main] org.apache.coyote.AbstractProtocol.init Initializing ProtocolHandler ["http-nio-8080"]
28-Jun-2016 11:58:47.634 INFO [main] org.apache.tomcat.util.net.NioSelectorPool.getSharedSelector Using a shared selector for servlet write/read
28-Jun-2016 11:58:47.635 INFO [main] org.apache.coyote.AbstractProtocol.init Initializing ProtocolHandler ["ajp-nio-8009"]
28-Jun-2016 11:58:47.637 INFO [main] org.apache.tomcat.util.net.NioSelectorPool.getSharedSelector Using a shared selector for servlet write/read
28-Jun-2016 11:58:47.638 INFO [main] org.apache.catalina.startup.Catalina.load Initialization processed in 330 ms
28-Jun-2016 11:58:47.650 INFO [main] org.apache.catalina.core.StandardService.startInternal Starting service Catalina
28-Jun-2016 11:58:47.650 INFO [main] org.apache.catalina.core.StandardEngine.startInternal Starting Servlet Engine: Apache Tomcat/@VERSION@
28-Jun-2016 11:58:47.656 INFO [localhost-startStop-1] org.apache.catalina.startup.HostConfig.deployDirectory Deploying web application directory /ihome/java/tomcat/apache-tomcat-8.0.36-src/webapps/ROOT
28-Jun-2016 11:58:47.830 INFO [localhost-startStop-1] org.apache.catalina.startup.HostConfig.deployDirectory Deployment of web application directory /ihome/java/tomcat/apache-tomcat-8.0.36-src/webapps/ROOT has finished in 173 ms
28-Jun-2016 11:58:47.831 INFO [main] org.apache.coyote.AbstractProtocol.start Starting ProtocolHandler ["http-nio-8080"]
28-Jun-2016 11:58:47.838 INFO [main] org.apache.coyote.AbstractProtocol.start Starting ProtocolHandler ["ajp-nio-8009"]
28-Jun-2016 11:58:47.839 INFO [main] org.apache.catalina.startup.Catalina.start Server startup in 200 ms
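As you can see, Tomcat started successfully with the security manager enabled.
Why does using the Security Manager achieve a security sandbox?
This is because all of the low-level JDK APIs already include this kind of check. Take the getProperty() method as an example; its source code is: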
public static String getProperty(String key) {
    checkKey(key);
    SecurityManager sm = getSecurityManager();
    if (sm != null) {
        sm.checkPropertyAccess(key);
    }
    return props.getProperty(key);
}
That is, if the SecurityManager is enabled, the corresponding permission is checked against the policy file. Other APIs work similarly.
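The check described above, together with the fix-by-error-message procedure from the Solution section, modelled in Python as an added example (not JDK or Tomcat code): it applies the BasicPermission name-matching rule (a trailing .* or a lone * is a wildcard) to decide which denials the policy already covers, and prints policy lines only for the rest. The second and third denial lines and the GRANTED list are constructed, and FilePermission/SocketPermission matching is not modelled.

```python
import re

# First line is the denial from the stack trace above; the other two are
# constructed for this example in the same message format.
DENIALS = '''
Caused by: java.security.AccessControlException: access denied ("java.util.PropertyPermission" "java.util.logging.config.class" "read")
java.security.AccessControlException: access denied ("java.util.PropertyPermission" "catalina.base" "write")
java.security.AccessControlException: access denied ("java.lang.RuntimePermission" "setIO")
'''

# Constructed: grants assumed to be in the policy already (class, name, actions).
GRANTED = [
    ("java.util.PropertyPermission", "java.*", "read"),
    ("java.util.PropertyPermission", "catalina.*", "read"),
]

# Permission.toString() form: ("class" "name" "actions"), actions optional.
DENIED_RE = re.compile(r'access denied \("([^"]+)" "([^"]+)"(?: "([^"]*)")?\)')

def parse_denials(log):
    """Return unique (class, name, actions) requests in order of appearance."""
    seen = []
    for req in DENIED_RE.findall(log):
        if req not in seen:
            seen.append(req)
    return seen

def name_implies(granted, requested):
    """BasicPermission name matching for a concrete requested name."""
    if granted == "*":
        return True
    if granted.endswith(".*"):
        prefix = granted[:-1]            # "java.*" -> "java."
        return len(requested) > len(prefix) and requested.startswith(prefix)
    return granted == requested

def implied(req, grants):
    """True if some grant of the same class covers the name and all actions."""
    cls, name, actions = req
    want = set(filter(None, actions.split(",")))
    for g_cls, g_name, g_actions in grants:
        have = set(filter(None, g_actions.split(",")))
        if g_cls == cls and want <= have and name_implies(g_name, name):
            return True
    return False

def missing_policy_lines(log, grants):
    """Policy lines for denials that no existing grant covers."""
    lines = []
    for req in parse_denials(log):
        if not implied(req, grants):
            cls, name, actions = req
            tail = f', "{actions}"' if actions else ""
            lines.append(f'permission {cls} "{name}"{tail};')
    return lines

if __name__ == "__main__":
    for line in missing_policy_lines(DENIALS, GRANTED):
        print(line)
```

With java.* readable, the explicit java.util.logging.config.class line is redundant, while catalina.* read does not cover a write to catalina.base. Running the JVM with -Djava.security.debug=access,failure also reports the protection domain that failed a check, which shows which codeBase entry a new line belongs in.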