如何在设置SecurityManager时以编程方式创建JShell

Question

当之前设置了安全管理器时，我想以编程方式创建JShell。但是，这会导致访问控制异常。在没有安全管理器设置的情况下，代码可以正常工作。我认为默认情况下Java平台模块具有所有权限。

我应该设置或配置什么才能创建无任何由安全管理器引起的异常的JShell？

下面是我尝试过的代码。我使用的是OpenJDK 12.0.2。

策略文件：

grant codeBase "file:${user.dir}/-" {
    permission java.security.AllPermission;
};

java模块：

module test {

    requires jdk.jshell;
    requires java.logging;
}

类：

package test;

import jdk.jshell.JShell;

public class HelloJShell {

    public static void main(String[] args) {

        URI uri = HelloJShell.class.getResource("/conf/security/java.policy").toURI();
        Policy policy = Policy.getInstance("JavaPolicy", new URIParameter(uri));
        Policy.setPolicy(policy);

        // When the line below is commented the code works fine. 
        System.setSecurityManager(new SecurityManager());

        JShell js = JShell.create();
        System.out.println(js);
    }
}

我也试过了：

    public static void main(String[] args) {

        URI uri = HelloJShell.class.getResource("/conf/security/java.policy").toURI();
        Policy policy = Policy.getInstance("JavaPolicy", new URIParameter(uri));
        Policy.setPolicy(policy);

        System.setSecurityManager(new SecurityManager());
        AccessController.doPrivileged((PrivilegedAction<Void>) () -> {
            try (JShell js = JShell.create()) {
                System.out.println(js);
            }
            return null;
        });
    }

我希望创建JShell时不会出现异常。

它抛出这个异常：

Exception in thread "main" java.lang.IllegalStateException: Launching JShell execution engine threw: access denied ("java.util.logging.LoggingPermission" "control")
    at jdk.jshell/jdk.jshell.JShell.<init>(JShell.java:139)
    at jdk.jshell/jdk.jshell.JShell$Builder.build(JShell.java:405)
    at jdk.jshell/jdk.jshell.JShell.create(JShell.java:420)
    at test/test.HelloJShell.main(HelloJShell.java:10)
Caused by: java.security.AccessControlException: access denied ("java.util.logging.LoggingPermission" "control")
    at java.base/java.security.AccessControlContext.checkPermission(AccessControlContext.java:472)
    at java.base/java.security.AccessController.checkPermission(AccessController.java:1044)
    at java.base/java.lang.SecurityManager.checkPermission(SecurityManager.java:408)
    at java.logging/java.util.logging.LogManager.checkPermission(LogManager.java:2432)
    at java.logging/java.util.logging.Logger.checkPermission(Logger.java:622)
    at java.logging/java.util.logging.Logger.setLevel(Logger.java:2001)
    at jdk.jshell/jdk.jshell.execution.FailOverExecutionControlProvider.logger(FailOverExecutionControlProvider.java:138)
    at jdk.jshell/jdk.jshell.execution.FailOverExecutionControlProvider.generate(FailOverExecutionControlProvider.java:109)
    at jdk.jshell/jdk.jshell.spi.ExecutionControl.generate(ExecutionControl.java:179)
    at jdk.jshell/jdk.jshell.spi.ExecutionControl.generate(ExecutionControl.java:296)
    at jdk.jshell/jdk.jshell.JShell.<init>(JShell.java:136)
    ... 3 more

Answer 1

我找到了解决方案。需要在策略文件中配置以下权限：

grant codeBase "jrt:/jdk.jshell" {
    permission java.security.AllPermission;
};

grant codeBase "jrt:/jdk.jdi" {
    permission java.security.AllPermission;
};

grant codeBase "jrt:/jdk.compiler" {
    permission java.security.AllPermission;
};

它的定义如下：https://docs.oracle.com/en/java/javase/12/security/permissions-jdk1.html#GUID-7450CEFD-8EDC-495E-A7A3-6C2561FA4999

如果使用模块化运行时镜像(请参阅jlink工具)，则可以通过将jrt URL指定为策略文件中的codeBase值来授予镜像中应用程序和库模块的权限。有关jrt的更多信息，请参见JEP 220:模块化运行时图像。