Does anyone know how a whitelist class access approach similar to the Google App Engine can be implemented?

I am writing a container infrastructure that can dynamically deploy a Jar file containing classes developed by the user in the container, and then use the web interface to execute specific classes from the Jar file.

Everything else is well established, including checks. However, you only need to allow access to certain JDK classes and other libraries from a user-developed class. It is clear that this is due to the fact that the container will need to ensure that someone (intentionally or otherwise) finishes work with a piece of Java code, which leads to "bad" behavior.

As a rule, I find material on Google on almost all topics. In this case, I just could not :(

+3
2 answers

Please note that a custom class loader is not enough against an attacker - he can gain access to the parent class loader and load restricted classes through it. In addition to the custom class loader, you must install the security manager and revoke getClassLoader (and possibly some other permissions too).

+2
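The allowlisting class loader that the answer above treats as only half of the defence, shown as an added example that is not part of the original post. The class name AllowlistClassLoader and the allowlist contents are hypothetical, and the parent loader is assumed to be non-null.

```java
import java.net.URL;
import java.net.URLClassLoader;
import java.util.Set;

// Added example; class name and allowlist contents are hypothetical.
public class AllowlistClassLoader extends URLClassLoader {
    // Constructed allowlist of exact names and package prefixes visible to user code.
    private static final Set<String> CLASSES = Set.of(
            "java.lang.Object", "java.lang.String", "java.lang.StringBuilder",
            "java.lang.Integer", "java.lang.Math", "java.lang.Runnable");
    private static final Set<String> PREFIXES = Set.of("java.util.");

    // parent must be non-null (for example the container's own loader).
    public AllowlistClassLoader(URL[] userJars, ClassLoader parent) {
        super(userJars, parent);
    }

    static boolean isAllowed(String name) {
        return CLASSES.contains(name) || PREFIXES.stream().anyMatch(name::startsWith);
    }

    @Override
    protected Class<?> loadClass(String name, boolean resolve) throws ClassNotFoundException {
        synchronized (getClassLoadingLock(name)) {
            Class<?> c = findLoadedClass(name);
            if (c == null) {
                // Allowlisted names are delegated to the parent; everything else must
                // come from the user's jar, so an unlisted JDK or container class
                // fails to link with ClassNotFoundException.
                c = isAllowed(name) ? getParent().loadClass(name) : findClass(name);
            }
            if (resolve) resolveClass(c);
            return c;
        }
    }

    public static void main(String[] args) throws Exception {
        ClassLoader parent = AllowlistClassLoader.class.getClassLoader();
        try (AllowlistClassLoader cl = new AllowlistClassLoader(new URL[0], parent)) {
            System.out.println(cl.loadClass("java.util.ArrayList"));   // delegated
            try {
                cl.loadClass("java.io.File");                          // not listed
            } catch (ClassNotFoundException e) {
                System.out.println("blocked: " + e.getMessage());
            }
            // The answer's caveat: a reference to the parent loader skips the filter,
            // which is why getClassLoader must also be denied to user code.
            System.out.println(cl.getParent().loadClass("java.io.File"));
        }
    }
}
```

The Security Manager that the answer relies on for the second layer was deprecated for removal in Java 17 (JEP 411) and is permanently disabled as of JDK 24 (JEP 486). On current JDKs the loader therefore needs a different second layer, such as process- or OS-level isolation.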

Source: https://habr.com/ru/post/1735161/