About Java's SecurityManager

By default the JVM does not install a SecurityManager. To enable it, start the JVM with -Djava.security.manager; to use your application's own policy file as well, add -Djava.security.policy=/path/to/my.policy. Note the two spellings: a single = loads your file in addition to the JDK's default java.policy, while == makes your file the only policy consulted (this is what Tomcat's catalina.sh does). The SecurityManager has been deprecated for removal since JDK 17 (JEP 411) and is permanently disabled in JDK 24 (JEP 486), so everything below applies to JDK 8 and the later releases that still support it.

SecurityClassLoad in Tomcat

When the SecurityManager is on (with Tomcat's own scripts that is the -security option of catalina.sh, which adds -Djava.security.manager and -Djava.security.policy==$CATALINA_BASE/conf/catalina.policy), Tomcat preloads its core classes through org.apache.catalina.security.SecurityClassLoad. The permission check is stack based: a class that is first loaded or initialised while web-application code is on the stack is checked against that web application's permissions, so the defineClassInPackage RuntimePermission, or anything a static initialiser does, would end in an AccessControlException. Loading those classes up front, with only Tomcat's own code on the stack, avoids that.

The error

While debugging I enabled -Djava.security.manager, with these JVM options:

-Dcatalina.home=/ihome/java/tomcat/apache-tomcat-8.0.36-src
-Dcatalina.base=/ihome/java/tomcat/apache-tomcat-8.0.36-src
-Djava.endorsed.dirs=/ihome/java/tomcat/apache-tomcat-8.0.36-src/endorsed
-Djava.io.tmpdir=/ihome/java/tomcat/apache-tomcat-8.0.36-src/temp
-Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager
-Djava.util.logging.config.file=/ihome/java/tomcat/apache-tomcat-8.0.36-src/conf/logging.properties
-Djava.security.manager
-Djava.security.policy=/ihome/java/tomcat/apache-tomcat-8.0.36-src/conf/catalina.policy

-Didea.launcher.bin.path=/ihome/java/ide/idea-IU-145.258.11/bin

and got the following error:

Connected to the target VM, address: '127.0.0.1:43769', transport: 'socket'
Exception in thread "main" java.lang.ExceptionInInitializerError
	at org.apache.juli.logging.LogFactory.getInstance(LogFactory.java:115)
	at org.apache.juli.logging.LogFactory.getInstance(LogFactory.java:137)
	at org.apache.juli.logging.LogFactory.getLog(LogFactory.java:188)
	at org.apache.catalina.startup.Bootstrap.<clinit>(Bootstrap.java:52)
Caused by: java.security.AccessControlException: access denied ("java.util.PropertyPermission" "java.util.logging.config.class" "read")
	at java.security.AccessControlContext.checkPermission(AccessControlContext.java:472)
	at java.security.AccessController.checkPermission(AccessController.java:884)
	at java.lang.SecurityManager.checkPermission(SecurityManager.java:549)
	at java.lang.SecurityManager.checkPropertyAccess(SecurityManager.java:1294)
	at java.lang.System.getProperty(System.java:717)
	at org.apache.juli.logging.DirectJDKLog.<clinit>(DirectJDKLog.java:40)
	... 4 more

Solution:

Following the message, add the corresponding Permission to catalina.policy. (If it is not obvious which code base is missing which permission, start the JVM with -Djava.security.debug=access,failure: it prints every failed check together with the ProtectionDomain, and so the code source, that lacked the permission.) My environment is Ubuntu 14.04 LTS 64-bit with JDK 1.8. The modified policy file is:

// Licensed to the Apache Software Foundation (ASF) under one or more
// contributor license agreements.  See the NOTICE file distributed with
// this work for additional information regarding copyright ownership.
// The ASF licenses this file to You under the Apache License, Version 2.0
// (the "License"); you may not use this file except in compliance with
// the License.  You may obtain a copy of the License at
//
//     http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

// ============================================================================
// catalina.policy - Security Policy Permissions for Tomcat
//
// This file contains a default set of security policies to be enforced (by the
// JVM) when Catalina is executed with the "-security" option.  In addition
// to the permissions granted here, the following additional permissions are
// granted to each web application:
//
// * Read access to the web application's document root directory
// * Read, write and delete access to the web application's working directory
// ============================================================================


// ========== SYSTEM CODE PERMISSIONS =========================================


// These permissions apply to javac
grant codeBase "file:${java.home}/lib/-" {
        permission java.security.AllPermission;
};

// These permissions apply to all shared system extensions
grant codeBase "file:${java.home}/jre/lib/ext/-" {
        permission java.security.AllPermission;
};

// These permissions apply to javac when ${java.home} points at $JAVA_HOME/jre
grant codeBase "file:${java.home}/../lib/-" {
        permission java.security.AllPermission;
};

// These permissions apply to all shared system extensions when
// ${java.home} points at $JAVA_HOME/jre
grant codeBase "file:${java.home}/lib/ext/-" {
        permission java.security.AllPermission;
};


// ========== CATALINA CODE PERMISSIONS =======================================


// These permissions apply to the daemon code
grant codeBase "file:${catalina.home}/bin/commons-daemon.jar" {
        permission java.security.AllPermission;
};

// These permissions apply to the logging API
// Note: If tomcat-juli.jar is in ${catalina.base} and not in ${catalina.home},
// update this section accordingly.
//  grant codeBase "file:${catalina.base}/bin/tomcat-juli.jar" {..}
grant codeBase "file:${catalina.home}/bin/tomcat-juli.jar" {
        permission java.security.AllPermission;
};

// These permissions apply to the server startup code
grant codeBase "file:${catalina.home}/bin/bootstrap.jar" {
        permission java.security.AllPermission;
};

// These permissions apply to the servlet API classes
// and those that are shared across all class loaders
// located in the "lib" directory
grant codeBase "file:${catalina.home}/lib/-" {
        permission java.security.AllPermission;
};


// If using a per instance lib directory, i.e. ${catalina.base}/lib,
// then the following permission will need to be uncommented
// grant codeBase "file:${catalina.base}/lib/-" {
//         permission java.security.AllPermission;
// };


// ========== WEB APPLICATION PERMISSIONS =====================================


// These permissions are granted by default to all web applications
// In addition, a web application will be given a read FilePermission
// for all files and directories in its document root.
grant {
    // Required for JNDI lookup of named JDBC DataSource's and
    // javamail named MimePart DataSource used to send mail
    permission java.util.PropertyPermission "java.home", "read";
    permission java.util.PropertyPermission "java.naming.*", "read";
    permission java.util.PropertyPermission "javax.sql.*", "read";

    // OS Specific properties to allow read access
    permission java.util.PropertyPermission "os.name", "read";
    permission java.util.PropertyPermission "os.version", "read";
    permission java.util.PropertyPermission "os.arch", "read";
    permission java.util.PropertyPermission "file.separator", "read";
    permission java.util.PropertyPermission "path.separator", "read";
    permission java.util.PropertyPermission "line.separator", "read";

    // JVM properties to allow read access
    permission java.util.PropertyPermission "java.version", "read";
    permission java.util.PropertyPermission "java.vendor", "read";
    permission java.util.PropertyPermission "java.vendor.url", "read";
    permission java.util.PropertyPermission "java.class.version", "read";
    permission java.util.PropertyPermission "java.specification.version", "read";
    permission java.util.PropertyPermission "java.specification.vendor", "read";
    permission java.util.PropertyPermission "java.specification.name", "read";

    permission java.util.PropertyPermission "java.vm.specification.version", "read";
    permission java.util.PropertyPermission "java.vm.specification.vendor", "read";
    permission java.util.PropertyPermission "java.vm.specification.name", "read";
    permission java.util.PropertyPermission "java.vm.version", "read";
    permission java.util.PropertyPermission "java.vm.vendor", "read";
    permission java.util.PropertyPermission "java.vm.name", "read";

    // Required for OpenJMX
    permission java.lang.RuntimePermission "getAttribute";

    // Allow read of JAXP compliant XML parser debug
    permission java.util.PropertyPermission "jaxp.debug", "read";

    // All JSPs need to be able to read this package
    permission java.lang.RuntimePermission "accessClassInPackage.org.apache.tomcat";

    // Precompiled JSPs need access to these packages.
    permission java.lang.RuntimePermission "accessClassInPackage.org.apache.jasper.el";
    permission java.lang.RuntimePermission "accessClassInPackage.org.apache.jasper.runtime";
    permission java.lang.RuntimePermission
     "accessClassInPackage.org.apache.jasper.runtime.*";

    // Precompiled JSPs need access to these system properties.
    permission java.util.PropertyPermission
     "org.apache.jasper.runtime.BodyContentImpl.LIMIT_BUFFER", "read";
    permission java.util.PropertyPermission
     "org.apache.el.parser.COERCE_TO_ZERO", "read";

    // The cookie code needs these.
    permission java.util.PropertyPermission
     "org.apache.catalina.STRICT_SERVLET_COMPLIANCE", "read";
    permission java.util.PropertyPermission
     "org.apache.tomcat.util.http.ServerCookie.STRICT_NAMING", "read";
    permission java.util.PropertyPermission
     "org.apache.tomcat.util.http.ServerCookie.FWD_SLASH_IS_SEPARATOR", "read";

    // Applications using Comet need to be able to access this package
    permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.comet";

    // Applications using WebSocket need to be able to access these packages
    permission java.lang.RuntimePermission "accessClassInPackage.org.apache.tomcat.websocket";
    permission java.lang.RuntimePermission "accessClassInPackage.org.apache.tomcat.websocket.server";

	// by sky start ---
	permission java.util.PropertyPermission "java.util.logging.config.class", "read";
	permission java.util.PropertyPermission "java.util.logging.config.file", "read";
	permission java.util.PropertyPermission "user.dir", "read";
	permission java.util.PropertyPermission "user.home", "read";
	permission java.util.PropertyPermission "java.*", "read";
	permission java.util.PropertyPermission "javax.*", "read";
	permission java.util.PropertyPermission "javax.net.ssl.trustStore", "read";

    permission java.util.PropertyPermission "org.apache.juli.AsyncOverflowDropType", "read";
	permission java.util.PropertyPermission "org.apache.juli.AsyncMaxRecordCount", "read";
	permission java.util.PropertyPermission "org.apache.juli.AsyncLoggerPollInterval", "read";
	permission java.util.PropertyPermission "org.apache.tomcat.*", "read";

	permission java.util.PropertyPermission "catalina.base", "read";
	permission java.util.PropertyPermission "catalina.base", "write";
	permission java.util.PropertyPermission "catalina.home", "read";
	permission java.util.PropertyPermission "catalina.home", "write";

	permission java.util.PropertyPermission "catalina.*", "read";

	permission java.util.PropertyPermission "catalina.useNaming", "write";
	permission java.util.PropertyPermission "java.naming.factory.url.pkgs", "write";
	permission java.util.PropertyPermission "java.naming.factory.initial", "write";
	permission java.util.PropertyPermission "java.io.tmpdir", "read";
	permission java.util.PropertyPermission "org.apache.tomcat.util.digester.PROPERTY_SOURCE", "read";
	permission java.util.PropertyPermission "org.apache.catalina.*", "read";
	permission java.util.PropertyPermission "tomcat.util.*", "read";


	permission java.lang.RuntimePermission "shutdownHooks";
	permission java.lang.RuntimePermission "setContextClassLoader";
	//permission java.lang.RuntimePermission "accessClassInPackage.org.apache.tomcat.util.digester";
	permission java.lang.RuntimePermission "accessClassInPackage.org.apache.tomcat";
	permission java.lang.RuntimePermission "accessClassInPackage.org.apache.tomcat.*";
	permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.startup";
	permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina";
	permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.*";
	permission java.lang.RuntimePermission "accessClassInPackage.org.apache.coyote";
	permission java.lang.RuntimePermission "accessClassInPackage.org.apache.coyote.*";
	permission java.lang.RuntimePermission "accessClassInPackage.sun.misc";
	permission java.lang.RuntimePermission "accessClassInPackage.sun.misc.*";

	permission java.lang.RuntimePermission "setIO";
	permission java.lang.RuntimePermission "accessDeclaredMembers";

	permission java.lang.RuntimePermission "org.apache.naming.ContextAccessController.setSecurityToken";
	permission java.lang.RuntimePermission "org.apache.naming.factory.ResourceLinkFactory.setGlobalContext";
	permission java.lang.RuntimePermission "modifyThread";


	permission java.io.FilePermission "/usr/java/packages/lib/amd64/liblibtcnative-1.so", "read";
	permission java.io.FilePermission "/usr/java/packages/lib/amd64/libtcnative-1.so", "read";

	permission java.io.FilePermission "/usr/lib64/liblibtcnative-1.so", "read";
	permission java.io.FilePermission "/usr/lib64/libtcnative-1.so", "read";


	permission java.io.FilePermission "/lib64/liblibtcnative-1.so", "read";
	permission java.io.FilePermission "/lib64/libtcnative-1.so", "read";

	permission java.io.FilePermission "/lib/liblibtcnative-1.so", "read";
	permission java.io.FilePermission "/lib/libtcnative-1.so", "read";

	permission java.io.FilePermission "/usr/lib/liblibtcnative-1.so", "read";
	permission java.io.FilePermission "/usr/lib/libtcnative-1.so", "read";


    permission java.util.logging.LoggingPermission "control";
	permission java.util.PropertyPermission "org.apache.coyote.USE_CUSTOM_STATUS_MSG_IN_HEADER", "read";
    permission java.util.PropertyPermission "org.apache.tomcat.util.http.FastHttpDateFormat.CACHE_SIZE", "read";


	permission java.security.SecurityPermission "getProperty.package.definition";
	permission java.security.SecurityPermission "setProperty.package.definition";
	permission java.security.SecurityPermission "getProperty.package.access";
	permission java.security.SecurityPermission "setProperty.package.access";

	permission javax.security.auth.AuthPermission "getPolicy";

	permission java.lang.management.ManagementPermission "monitor";

	permission javax.management.MBeanServerPermission "findMBeanServer";
	permission javax.management.MBeanServerPermission "createMBeanServer";

	permission javax.management.MBeanPermission "org.apache.tomcat.*", "registerMBean,unregisterMBean";
	permission javax.management.MBeanPermission "org.apache.catalina.*", "registerMBean,unregisterMBean";
	permission javax.management.MBeanPermission "-#-[-]", "queryNames";

	permission javax.management.MBeanTrustPermission "register";
	permission java.net.SocketPermission "localhost:8080", "listen,resolve";
	permission java.net.SocketPermission "localhost:8009", "listen,resolve";




	// by sky end ---
};

// Added for debugging: AllPermission for everything under the Tomcat directory
// (this covers target/classes, but also webapps/)
grant codeBase "file:${catalina.home}/-" {
        permission java.security.AllPermission;
};

// The Manager application needs access to the following packages to support the
// session display functionality. These settings support the following
// configurations:
// - default CATALINA_HOME == CATALINA_BASE
// - CATALINA_HOME != CATALINA_BASE, per instance Manager in CATALINA_BASE
// - CATALINA_HOME != CATALINA_BASE, shared Manager in CATALINA_HOME
grant codeBase "file:${catalina.base}/webapps/manager/-" {
    permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina";
    permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.ha.session";
    permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.manager";
    permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.manager.util";
    permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.util";
};
grant codeBase "file:${catalina.home}/webapps/manager/-" {
    permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina";
    permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.ha.session";
    permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.manager";
    permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.manager.util";
    permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.util";
};

// You can assign additional permissions to particular web applications by
// adding additional "grant" entries here, based on the code base for that
// application, /WEB-INF/classes/, or /WEB-INF/lib/ jar files.
//
// Different permissions can be granted to JSP pages, classes loaded from
// the /WEB-INF/classes/ directory, all jar files in the /WEB-INF/lib/
// directory, or even to individual jar files in the /WEB-INF/lib/ directory.
//
// For instance, assume that the standard "examples" application
// included a JDBC driver that needed to establish a network connection to the
// corresponding database and used the scrape taglib to get the weather from
// the NOAA web server.  You might create a "grant" entries like this:
//
// The permissions granted to the context root directory apply to JSP pages.
// grant codeBase "file:${catalina.base}/webapps/examples/-" {
//      permission java.net.SocketPermission "dbhost.mycompany.com:5432", "connect";
//      permission java.net.SocketPermission "*.noaa.gov:80", "connect";
// };
//
// The permissions granted to the context WEB-INF/classes directory
// grant codeBase "file:${catalina.base}/webapps/examples/WEB-INF/classes/-" {
// };
//
// The permission granted to your JDBC driver
// grant codeBase "jar:file:${catalina.base}/webapps/examples/WEB-INF/lib/driver.jar!/-" {
//      permission java.net.SocketPermission "dbhost.mycompany.com:5432", "connect";
// };
// The permission granted to the scrape taglib
// grant codeBase "jar:file:${catalina.base}/webapps/examples/WEB-INF/lib/scrape.jar!/-" {
//      permission java.net.SocketPermission "*.noaa.gov:80", "connect";
// };

This file also gives a rough picture of which permissions Tomcat itself needs once the SecurityManager is on. Two things about the edit above deserve a warning. First, the "by sky" block sits inside the bare grant { ... } entry, which applies to every protection domain, web applications included: permissions such as setContextClassLoader, accessDeclaredMembers, modifyThread, accessClassInPackage.sun.misc, setProperty.package.access, LoggingPermission "control", createMBeanServer and write access to catalina.base are handed to all deployed code, which largely defeats the sandbox the policy is meant to enforce. Second, the added grant codeBase "file:${catalina.home}/-" with AllPermission covers everything under the Tomcat directory. In this layout that includes target/classes, which is the real reason for the AccessControlException: the classes were loaded from the compiled source tree rather than from bin/tomcat-juli.jar or bin/bootstrap.jar, so none of the codeBase grants matched them and only the default block applied. But ${catalina.home}/- also covers webapps/, so every web application gets AllPermission too. For a debugging setup the narrower fix is to grant AllPermission only to the directory the IDE loads the classes from, for example grant codeBase "file:${catalina.home}/target/classes/-", and leave the default block as shipped.
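As an added example (this is not Tomcat code and not part of the original post), the following Java class models the two kinds of entries in catalina.policy with an in-memory Policy, so the difference between a codeBase grant and the default grant block can be seen in one run without editing a policy file. The trusted path, the three "everyone" permissions and the probe property names are assumptions chosen for the demo; on JDK 17 and later start it with -Djava.security.manager=allow.

```java
import java.security.AccessControlException;
import java.security.CodeSource;
import java.security.Permission;
import java.security.Permissions;
import java.security.Policy;
import java.security.ProtectionDomain;
import java.util.PropertyPermission;

// Added example, not Tomcat code. Models catalina.policy in memory:
//  - grant codeBase "file:.../-" { AllPermission } -> any domain whose CodeSource
//    location starts with trustedPrefix gets everything;
//  - the bare grant { ... } block -> the small "everyone" set that every other
//    domain, web applications included, receives.
public class CatalinaLikePolicy extends Policy {

    // Assumed: the one code base we choose to trust (stands in for tomcat-juli.jar etc.).
    // Mutable only so that a single run can show "before" and "after" adding the grant.
    private volatile String trustedPrefix;
    private final Permissions everyone = new Permissions();

    CatalinaLikePolicy(String trustedPrefix) {
        this.trustedPrefix = trustedPrefix;
        // A few entries from the default grant block of catalina.policy.
        everyone.add(new PropertyPermission("java.version", "read"));
        everyone.add(new PropertyPermission("os.name", "read"));
        everyone.add(new PropertyPermission("java.naming.*", "read"));
    }

    void trust(String prefix) {
        trustedPrefix = prefix;
    }

    @Override
    public boolean implies(ProtectionDomain domain, Permission permission) {
        CodeSource cs = domain.getCodeSource();
        if (cs != null && cs.getLocation() != null
                && cs.getLocation().toExternalForm().startsWith(trustedPrefix)) {
            return true; // the codeBase grant: AllPermission
        }
        return everyone.implies(permission); // the default grant block
    }

    // Attempts the same call that failed in DirectJDKLog.<clinit> and reports the outcome.
    static String probe(String key) {
        try {
            System.getProperty(key);
            return "allowed " + key;
        } catch (AccessControlException e) {
            return "denied  " + e.getPermission();
        }
    }

    public static void main(String[] args) {
        // Where this class was loaded from, e.g. "file:/tmp/demo/" when run from a directory.
        String here = CatalinaLikePolicy.class.getProtectionDomain()
                .getCodeSource().getLocation().toExternalForm();

        // Assumed: a path nothing is loaded from, so our own code base is treated like a web app.
        CatalinaLikePolicy policy = new CatalinaLikePolicy("file:/nonexistent/trusted/");
        Policy.setPolicy(policy);                         // before the manager is installed
        System.setSecurityManager(new SecurityManager()); // JDK 17+: -Djava.security.manager=allow

        System.out.println(probe("java.version"));                   // allowed: in the default block
        System.out.println(probe("java.util.logging.config.class")); // denied: the exception on this page
        System.out.println(probe("user.home"));                      // denied

        // Equivalent of adding: grant codeBase "file:<here>-" { permission java.security.AllPermission; };
        policy.trust(here);
        System.out.println(probe("java.util.logging.config.class")); // allowed now
        System.out.println(probe("user.home"));                      // allowed now
    }
}
```

In policy-file terms the policy.trust(here) step is the codeBase grant. For the IDE setup on this page that is grant codeBase "file:${catalina.home}/target/classes/-" { permission java.security.AllPermission; }; which fixes the startup error without widening the default block or granting ${catalina.home}/- as a whole.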

Starting from the command line:

╭─sky@sky-linux /ihome/java/tomcat/apache-tomcat-8.0.36-src/target/classes  
╰─➤  java -Dcatalina.home=/ihome/java/tomcat/apache-tomcat-8.0.36-src -Dcatalina.base=/ihome/java/tomcat/apache-tomcat-8.0.36-src -Djava.endorsed.dirs=/ihome/java/tomcat/apache-tomcat-8.0.36-src/endorsed -Djava.io.tmpdir=/ihome/java/tomcat/apache-tomcat-8.0.36-src/temp -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager -Djava.util.logging.config.file=/ihome/java/tomcat/apache-tomcat-8.0.36-src/conf/logging.properties -Djava.security.manager -Djava.security.policy=/ihome/java/tomcat/apache-tomcat-8.0.36-src/conf/catalina.policy -Didea.launcher.bin.path=/ihome/java/ide/idea-IU-145.258.11/bin org.apache.catalina.startup.Bootstrap

28-Jun-2016 11:58:47.274 WARNING [main] org.apache.catalina.startup.ClassLoaderFactory.validateFile Problem with directory [/ihome/java/tomcat/apache-tomcat-8.0.36-src/lib], exists: [false], isDirectory: [false], canRead: [false]
28-Jun-2016 11:58:47.275 WARNING [main] org.apache.catalina.startup.ClassLoaderFactory.validateFile Problem with directory [/ihome/java/tomcat/apache-tomcat-8.0.36-src/lib], exists: [false], isDirectory: [false], canRead: [false]
28-Jun-2016 11:58:47.275 WARNING [main] org.apache.catalina.startup.ClassLoaderFactory.validateFile Problem with directory [/ihome/java/tomcat/apache-tomcat-8.0.36-src/lib], exists: [false], isDirectory: [false], canRead: [false]
28-Jun-2016 11:58:47.275 WARNING [main] org.apache.catalina.startup.ClassLoaderFactory.validateFile Problem with directory [/ihome/java/tomcat/apache-tomcat-8.0.36-src/lib], exists: [false], isDirectory: [false], canRead: [false]
28-Jun-2016 11:58:47.536 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Server version:        Apache Tomcat/@VERSION@
28-Jun-2016 11:58:47.536 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Server built:          @VERSION_BUILT@
28-Jun-2016 11:58:47.536 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Server number:         @VERSION_NUMBER@
28-Jun-2016 11:58:47.536 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log OS Name:               Linux
28-Jun-2016 11:58:47.536 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log OS Version:            3.19.0-32-generic
28-Jun-2016 11:58:47.536 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Architecture:          amd64
28-Jun-2016 11:58:47.537 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Java Home:             /ihome/java/jdk/jdk1.8.0_60/jre
28-Jun-2016 11:58:47.537 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log JVM Version:           1.8.0_60-b27
28-Jun-2016 11:58:47.537 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log JVM Vendor:            Oracle Corporation
28-Jun-2016 11:58:47.537 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log CATALINA_BASE:         /ihome/java/tomcat/apache-tomcat-8.0.36-src
28-Jun-2016 11:58:47.537 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log CATALINA_HOME:         /ihome/java/tomcat/apache-tomcat-8.0.36-src
28-Jun-2016 11:58:47.537 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Dcatalina.home=/ihome/java/tomcat/apache-tomcat-8.0.36-src
28-Jun-2016 11:58:47.537 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Dcatalina.base=/ihome/java/tomcat/apache-tomcat-8.0.36-src
28-Jun-2016 11:58:47.537 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Djava.endorsed.dirs=/ihome/java/tomcat/apache-tomcat-8.0.36-src/endorsed
28-Jun-2016 11:58:47.537 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Djava.io.tmpdir=/ihome/java/tomcat/apache-tomcat-8.0.36-src/temp
28-Jun-2016 11:58:47.537 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager
28-Jun-2016 11:58:47.537 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Djava.util.logging.config.file=/ihome/java/tomcat/apache-tomcat-8.0.36-src/conf/logging.properties
28-Jun-2016 11:58:47.538 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Djava.security.manager
28-Jun-2016 11:58:47.538 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Djava.security.policy=/ihome/java/tomcat/apache-tomcat-8.0.36-src/conf/catalina.policy
28-Jun-2016 11:58:47.538 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Didea.launcher.bin.path=/ihome/java/ide/idea-IU-145.258.11/bin
28-Jun-2016 11:58:47.538 INFO [main] org.apache.catalina.core.AprLifecycleListener.lifecycleEvent The APR based Apache Tomcat Native library which allows optimal performance in production environments was not found on the java.library.path: /usr/java/packages/lib/amd64:/usr/lib64:/lib64:/lib:/usr/lib
28-Jun-2016 11:58:47.625 INFO [main] org.apache.coyote.AbstractProtocol.init Initializing ProtocolHandler ["http-nio-8080"]
28-Jun-2016 11:58:47.634 INFO [main] org.apache.tomcat.util.net.NioSelectorPool.getSharedSelector Using a shared selector for servlet write/read
28-Jun-2016 11:58:47.635 INFO [main] org.apache.coyote.AbstractProtocol.init Initializing ProtocolHandler ["ajp-nio-8009"]
28-Jun-2016 11:58:47.637 INFO [main] org.apache.tomcat.util.net.NioSelectorPool.getSharedSelector Using a shared selector for servlet write/read
28-Jun-2016 11:58:47.638 INFO [main] org.apache.catalina.startup.Catalina.load Initialization processed in 330 ms
28-Jun-2016 11:58:47.650 INFO [main] org.apache.catalina.core.StandardService.startInternal Starting service Catalina
28-Jun-2016 11:58:47.650 INFO [main] org.apache.catalina.core.StandardEngine.startInternal Starting Servlet Engine: Apache Tomcat/@VERSION@
28-Jun-2016 11:58:47.656 INFO [localhost-startStop-1] org.apache.catalina.startup.HostConfig.deployDirectory Deploying web application directory /ihome/java/tomcat/apache-tomcat-8.0.36-src/webapps/ROOT
28-Jun-2016 11:58:47.830 INFO [localhost-startStop-1] org.apache.catalina.startup.HostConfig.deployDirectory Deployment of web application directory /ihome/java/tomcat/apache-tomcat-8.0.36-src/webapps/ROOT has finished in 173 ms
28-Jun-2016 11:58:47.831 INFO [main] org.apache.coyote.AbstractProtocol.start Starting ProtocolHandler ["http-nio-8080"]
28-Jun-2016 11:58:47.838 INFO [main] org.apache.coyote.AbstractProtocol.start Starting ProtocolHandler ["ajp-nio-8009"]
28-Jun-2016 11:58:47.839 INFO [main] org.apache.catalina.startup.Catalina.start Server startup in 200 ms

With that, Tomcat starts successfully with the security manager enabled.

Why does the SecurityManager give you a sandbox?

Because the security-sensitive JDK APIs already carry this check. Take System.getProperty(); its source (JDK 8) is:

    // java.lang.System (JDK 8): the check runs before the property is read
    public static String getProperty(String key) {
        checkKey(key);                      // rejects null or empty keys
        SecurityManager sm = getSecurityManager();
        if (sm != null) {
            sm.checkPropertyAccess(key);    // checkPermission(new PropertyPermission(key, "read"))
        }

        return props.getProperty(key);
    }

That is, when a SecurityManager is installed the call ends up in AccessController.checkPermission (see the stack trace above), which walks the calling stack: every protection domain on it, looked up in the policy, must hold the permission, unless a doPrivileged block on the stack cuts the walk short. Other APIs (file access, sockets, reflection, thread control, class loader creation) are guarded the same way, and the Permission classes listed in catalina.policy correspond to those checks.
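As an added example (not JDK or Tomcat code, and not part of the original post) the following program makes that stack walk visible and, at the same time, shows why the SecurityClassLoad preloading described earlier exists. It installs a permissive policy for its own code base, then runs the same System.getProperty call once with a zero-permission protection domain (a stand-in for a web application) on the stack, once inside a nested doPrivileged block, and finally touches a class whose static initialiser reads a property, first without and then with preloading. The UNTRUSTED domain, the LogConfig class, the policy and the property names are all assumptions chosen for the demo; on JDK 17 and later start it with -Djava.security.manager=allow.

```java
import java.security.AccessControlContext;
import java.security.AccessControlException;
import java.security.AccessController;
import java.security.Permission;
import java.security.Permissions;
import java.security.Policy;
import java.security.PrivilegedAction;
import java.security.ProtectionDomain;

// Added example, not JDK or Tomcat code.
public class StackWalkDemo {

    // Assumed stand-in for a web application: a domain holding no permissions at all.
    // The two-argument constructor makes it static, so the Policy below never applies to it.
    private static final AccessControlContext UNTRUSTED = new AccessControlContext(
            new ProtectionDomain[] { new ProtectionDomain(null, new Permissions()) });

    // Assumed stand-in for DirectJDKLog: a class whose static initialiser reads a system property.
    static final class LogConfig {
        static final String CONFIG_CLASS =
                System.getProperty("java.util.logging.config.class", "<none>");
    }

    // 1. UNTRUSTED is on the stack, so the walk reaches it and the read is denied,
    //    although this class, the code doing the read, is fully trusted.
    static String readWithUntrustedCaller(String key) {
        PrivilegedAction<String> read = () -> System.getProperty(key);
        try {
            return "allowed " + AccessController.doPrivileged(read, UNTRUSTED);
        } catch (AccessControlException e) {
            return "denied  " + e.getPermission();
        }
    }

    // 2. Same stack, but the trusted code opens its own doPrivileged block around the read.
    //    The walk stops at that frame, UNTRUSTED is never consulted, and the read succeeds.
    //    Keep such blocks minimal: everything inside runs with the trusted caller's full rights.
    static String readWithPrivilegedBlock(String key) {
        PrivilegedAction<String> read = () -> System.getProperty(key);
        PrivilegedAction<String> asTrusted = () -> AccessController.doPrivileged(read);
        return "allowed " + AccessController.doPrivileged(asTrusted, UNTRUSTED);
    }

    // 3. Why Tomcat preloads classes: if LogConfig is first used while UNTRUSTED is on the
    //    stack, its <clinit> fails with ExceptionInInitializerError (the error on this page)
    //    and the class stays unusable afterwards (NoClassDefFoundError), even for trusted code.
    static String touchFromUntrusted() {
        PrivilegedAction<String> touch = () -> LogConfig.CONFIG_CLASS;
        try {
            return "allowed " + AccessController.doPrivileged(touch, UNTRUSTED);
        } catch (ExceptionInInitializerError e) {
            return "init failed: " + e.getCause().getMessage();
        } catch (NoClassDefFoundError e) {
            return "class is dead: " + e;
        }
    }

    public static void main(String[] args) {
        boolean preload = args.length > 0 && args[0].equals("preload");

        // Assumed policy: every domain that consults the Policy gets everything;
        // UNTRUSTED never consults it, so it still holds nothing.
        Policy.setPolicy(new Policy() {
            @Override
            public boolean implies(ProtectionDomain domain, Permission permission) {
                return true;
            }
        });
        System.setSecurityManager(new SecurityManager()); // JDK 17+: -Djava.security.manager=allow

        System.out.println(readWithUntrustedCaller("user.home")); // denied
        System.out.println(readWithPrivilegedBlock("user.home")); // allowed

        if (preload) {
            // What SecurityClassLoad does: initialise the class now, with only trusted code on the stack.
            String ignored = LogConfig.CONFIG_CLASS;
        }
        System.out.println(touchFromUntrusted()); // no preload: "init failed: access denied ..."
        System.out.println(touchFromUntrusted()); // no preload: "class is dead: ..."; with preload: allowed
    }
}
```

Run it twice, once as java StackWalkDemo and once as java StackWalkDemo preload, to see the difference the preloading makes. The second run is the situation Tomcat engineers for: the static initialiser runs while only Tomcat's own code is on the stack, so a later request from a restricted web application finds an already initialised class and triggers no check at all.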
