问题
I want to create JShell programmatically when the security manager is set before. However, this causes an access control exception. Without the security manager set the code works correctly. I thought that the Java platform modules have all permissions by default.
What shall I set or configure to create JShell without any exception caused by the security manager?
Below is the code that I tried. I use OpenJDK 12.0.2.
The policy file:
grant codeBase "file:${user.dir}/-" {
permission java.security.AllPermission;
};
The java module:
module test {
requires jdk.jshell;
requires java.logging;
}
The class:
package test;
import jdk.jshell.JShell;
public class HelloJShell {
public static void main(String[] args) {
URI uri = HelloJShell.class.getResource("/conf/security/java.policy").toURI();
Policy policy = Policy.getInstance("JavaPolicy", new URIParameter(uri));
Policy.setPolicy(policy);
// When the line below is commented the code works fine.
System.setSecurityManager(new SecurityManager());
JShell js = JShell.create();
System.out.println(js);
}
}
I also tried:
public static void main(String[] args) {
URI uri = HelloJShell.class.getResource("/conf/security/java.policy").toURI();
Policy policy = Policy.getInstance("JavaPolicy", new URIParameter(uri));
Policy.setPolicy(policy);
System.setSecurityManager(new SecurityManager());
AccessController.doPrivileged((PrivilegedAction<Void>) () -> {
try (JShell js = JShell.create()) {
System.out.println(js);
}
return null;
});
}
I expect that the JShell will be created without an exception.
It throws this exception:
Exception in thread "main" java.lang.IllegalStateException: Launching JShell execution engine threw: access denied ("java.util.logging.LoggingPermission" "control")
at jdk.jshell/jdk.jshell.JShell.<init>(JShell.java:139)
at jdk.jshell/jdk.jshell.JShell$Builder.build(JShell.java:405)
at jdk.jshell/jdk.jshell.JShell.create(JShell.java:420)
at test/test.HelloJShell.main(HelloJShell.java:10)
Caused by: java.security.AccessControlException: access denied ("java.util.logging.LoggingPermission" "control")
at java.base/java.security.AccessControlContext.checkPermission(AccessControlContext.java:472)
at java.base/java.security.AccessController.checkPermission(AccessController.java:1044)
at java.base/java.lang.SecurityManager.checkPermission(SecurityManager.java:408)
at java.logging/java.util.logging.LogManager.checkPermission(LogManager.java:2432)
at java.logging/java.util.logging.Logger.checkPermission(Logger.java:622)
at java.logging/java.util.logging.Logger.setLevel(Logger.java:2001)
at jdk.jshell/jdk.jshell.execution.FailOverExecutionControlProvider.logger(FailOverExecutionControlProvider.java:138)
at jdk.jshell/jdk.jshell.execution.FailOverExecutionControlProvider.generate(FailOverExecutionControlProvider.java:109)
at jdk.jshell/jdk.jshell.spi.ExecutionControl.generate(ExecutionControl.java:179)
at jdk.jshell/jdk.jshell.spi.ExecutionControl.generate(ExecutionControl.java:296)
at jdk.jshell/jdk.jshell.JShell.<init>(JShell.java:136)
... 3 more
回答1:
I found the solution. It is necessary to configure the following permissions in the policy file:
grant codeBase "jrt:/jdk.jshell" {
permission java.security.AllPermission;
};
grant codeBase "jrt:/jdk.jdi" {
permission java.security.AllPermission;
};
grant codeBase "jrt:/jdk.compiler" {
permission java.security.AllPermission;
};
It is defined here: https://docs.oracle.com/en/java/javase/12/security/permissions-jdk1.html#GUID-7450CEFD-8EDC-495E-A7A3-6C2561FA4999
If you are using a modular runtime image (see the jlink tool), you can grant permissions to the application and library modules in the image by specifying a jrt URL as the codeBase value in a policy file. See JEP 220: Modular Run-Time Images for more information about jrt URLs.
来源:https://stackoverflow.com/questions/57663086/how-to-create-jshell-programmatically-when-securitymanager-is-set