The Design of Software (CLOSED)

A public forum for discussing the design of software, from the user interface to the code architecture. Now closed.

The "Design of Software" discussion group has been merged with the main Joel on Software discussion group.

The archives will remain online indefinitely.

Sandboxing Plug-In Code with Java?

I'm facing a problem with a Java project that I'm developing. I'd like to allow users to load third-party code (via jar files or class files in a particular directory). I'd probably require plug-in classes to implement a particular interface, and then I'd just load them with a classloader and call the interface methods on those classes from within the main application. It actually should be very easy.

The one caveat is that I'd like to provide some sort of guarantees about what types of operations the plug-in classes are allowed to utilize. These plug-ins will be used solely for loading new algorithms into the system, so they shouldn’t need access to the filesystem or to the network, and I’d like to prevent them from using any of the Reflection classes.

I've taken a look at the java.security package, and I've spent about an hour searching for tutorials on the internet, but with no luck. All of the tutorials I've found deal with applets: how to sign an applet so that it can use the Java SecurityManager to break out of the application sandbox in trusted environments. What I want to do is the opposite: I want to create a sandbox within my application. Code in the sandbox will be severely restricted. Code outside the sandbox will be unrestricted.

I know it's possible to do this in the .NET CLR, and I’m pretty sure it’s possible to do it in Java (isn’t that what an app server does when it loads a webapp?), but I just can't find any good information on the internet about how to do it. Does anyone have any tips?
BenjiSmith
Saturday, June 25, 2005
 
 
I wonder if the java plugin framework deals with this?

http://www.theserverside.com/news/thread.tss?thread_id=34801
son of parnas
Saturday, June 25, 2005
 
 
Not as far as I can tell.

There doesn't seem to be any mention of security on the JPF pages. Looks like JPF is only good for loading completely trusted plugins (i.e., ones you've authored yourself).

Thanks for pointing that out to me. It may be useful on another project I'm thinking about. But not this one.
BenjiSmith
Saturday, June 25, 2005
 
 
What you want to do is run your application under a SecurityManager. You can grant permissions to code based on "CodeSource" (i.e. the location from which classes were loaded). A very simple example would be a directory structure like

/myapp/lib/myapp.jar
/myapp/plugins/plugin0/lib/plugin0.jar
/myapp/plugins/plugin1/lib/plugin1.jar

And then run with a policy file that looked something like:

grant codeBase "file:/myapp/lib/*" {
  permission java.security.AllPermission;
};

grant codeBase "file:/myapp/plugins/-" {
  // some list of permissions that does NOT include
  // java.lang.reflect.ReflectPermission,
  // java.io.FilePermission, etc.
};

Java permissioning is tricky but very powerful. One thing that always gets me is wildcard chars in codeBase urls: * does not recurse down directories while - does.
matt.
Saturday, June 25, 2005
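The same CodeSource-based split that matt's policy file expresses, done programmatically as an added example (this is not code from the thread or from any plugin framework). It installs a custom java.security.Policy that grants AllPermission to everything except classes whose CodeSource location starts with the assumed plugin root file:/myapp/plugins/, installs a SecurityManager, and then runs a filesystem probe twice: once as ordinary application code and once inside an AccessControlContext built from a ProtectionDomain that carries a plugin CodeSource. The lambda standing in for "plugin code" is a placeholder for the demo; in the real application a class loaded from a plugin jar by a URLClassLoader carries that CodeSource automatically and needs no such wrapper. The plugin root, jar path and the tiny allow-list are assumptions, not something the thread specifies.

```java
import java.io.File;
import java.net.URI;
import java.security.AccessControlContext;
import java.security.AccessController;
import java.security.AllPermission;
import java.security.CodeSource;
import java.security.Permission;
import java.security.PermissionCollection;
import java.security.Permissions;
import java.security.Policy;
import java.security.PrivilegedAction;
import java.security.ProtectionDomain;
import java.security.cert.Certificate;
import java.util.PropertyPermission;

/** Programmatic equivalent of two "grant codeBase" blocks: trusted app, restricted plugins. */
public class PluginSandbox {

    /** Policy keyed on CodeSource location: plugin root gets a short allow-list, everything else AllPermission. */
    static final class PluginPolicy extends Policy {
        private final String pluginRoot; // assumed layout from the post, e.g. "file:/myapp/plugins/"

        PluginPolicy(String pluginRoot) {
            this.pluginRoot = pluginRoot;
        }

        @Override
        public PermissionCollection getPermissions(CodeSource cs) {
            Permissions perms = new Permissions();
            if (isPlugin(cs)) {
                // Deliberately no FilePermission, SocketPermission or ReflectPermission here;
                // one harmless property read is the whole allow-list for the plugin.
                perms.add(new PropertyPermission("line.separator", "read"));
            } else {
                perms.add(new AllPermission()); // application code and its libraries
            }
            return perms;
        }

        @Override
        public boolean implies(ProtectionDomain pd, Permission p) {
            return getPermissions(pd.getCodeSource()).implies(p);
        }

        private boolean isPlugin(CodeSource cs) {
            return cs != null && cs.getLocation() != null
                && cs.getLocation().toExternalForm().startsWith(pluginRoot);
        }
    }

    /**
     * Run an action with the permissions of a plugin. The ProtectionDomain uses the 4-arg
     * constructor so that permissions are looked up dynamically in the installed Policy.
     * doPrivileged(action, ctx) intersects the caller's permissions with those of ctx, so
     * anything the plugin domain lacks is denied even though the caller has AllPermission.
     */
    static <T> T runAsPlugin(String pluginRoot, PrivilegedAction<T> action) throws Exception {
        // Assumed jar location; it only needs to sit under the plugin root for the policy to apply.
        CodeSource cs = new CodeSource(URI.create(pluginRoot + "plugin0/lib/plugin0.jar").toURL(),
                                       (Certificate[]) null);
        ProtectionDomain pluginDomain = new ProtectionDomain(cs, null, null, null);
        AccessControlContext ctx = new AccessControlContext(new ProtectionDomain[] { pluginDomain });
        return AccessController.doPrivileged(action, ctx);
    }

    public static void main(String[] args) throws Exception {
        String pluginRoot = "file:/myapp/plugins/"; // assumed, matches the directory layout in the post
        Policy.setPolicy(new PluginPolicy(pluginRoot));
        // JDK 8-17: works as-is. JDK 18-23: start the JVM with -Djava.security.manager=allow.
        // JDK 24+: the Security Manager is permanently disabled (JEP 486) and this line throws.
        System.setSecurityManager(new SecurityManager());

        // File.exists() triggers SecurityManager.checkRead, i.e. a FilePermission check.
        PrivilegedAction<Boolean> probe = () -> new File("/").exists();

        // From application code (AllPermission): allowed.
        System.out.println("app code may read the filesystem: " + probe.run());

        // Under the plugin ProtectionDomain: the policy has no FilePermission, so this is denied.
        try {
            runAsPlugin(pluginRoot, probe);
            System.out.println("plugin code was allowed to read the filesystem: policy is too permissive");
        } catch (SecurityException e) {
            System.out.println("plugin code denied: " + e.getMessage());
        }
    }
}
```

Two practical notes. First, the check only holds if every path by which plugin code runs is covered: a plugin class loaded through a URLClassLoader gets the plugin CodeSource for free, but anything the application does on the plugin's behalf inside its own AllPermission frames (callbacks, thread pools created by the host) runs with the host's permissions unless wrapped as above. Second, the matt-style policy file and this Policy subclass are interchangeable; the file is easier to audit, the subclass is easier to unit test, and either way the SecurityManager is the thing that actually enforces it, which is why its removal in recent JDKs matters for anyone still relying on this design.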
 
 
Thanks matt, I didn't know this existed in java.

http://java.sun.com/j2se/1.4.2/docs/guide/security/permissions.html
son of parnas
Saturday, June 25, 2005
 
 
Wow. I had no idea that the Java permissions were so granular. Thanks for the info. It'll be very helpful.
BenjiSmith
Monday, June 27, 2005
 
 

This topic is archived. No further replies will be accepted.
