Some notes from Chapter 3 of Inside the Java Virtual Machine
1. Some of Java's security mechanisms:
- type-safe reference casting
- structured memory access (no pointer arithmetic)
- automatic garbage collection (can't explicitly free allocated memory)
- array bounds checking
- checking references for null
2. structured memory access--is the unspecified manner in which the runtime data areas are laid out inside the Java virtual machine. When the Java virtual machine loads a class file, it decides where in its internal memory to put the bytecodes and other data it parses from the class file. When the Java virtual machine starts a thread, it decides where to put the Java stack it creates for the thread. When it creates a new object, it decides where in memory to put the object.
Structured memory access: the JVM assigns the memory addresses of data automatically. Because the VM spec does not specify memory addresses, the class file does not specify them either, and the various JVM implementations differ, it is hard for hackers to find the memory addresses they would need to make malicious code work.
3. First of all, the robustness guarantees don't hold for native methods. Although you can't corrupt memory from a Java method, you can from a native method. But most importantly, native methods don't go through the Java API (they are how you go around the Java API) so the security manager isn't checked before a native method attempts to do something that could be potentially damaging.
Native methods are unsafe: they are not checked by Java's security manager.
4. One final mechanism built into the Java virtual machine that contributes to security is structured error handling with exceptions. Because of its support for exceptions, the Java virtual machine has something structured to do when a security violation occurs.
The structured exception handling mechanism keeps the system from dying.
Throwing an error (as opposed to throwing an exception) almost always results in the death of the thread in which the error was thrown.
An exception can only terminate that thread; it cannot terminate the whole system.
5. On the security manager:
Prior to 1.2, java.lang.SecurityManager was an abstract class. To establish a custom security policy in 1.0 or 1.1, you had to write your own security manager by subclassing SecurityManager and implementing its check methods.
The concrete SecurityManager class allows you to define your custom policy not in Java code, but in an ASCII file called a policy file.
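The policy-file approach from point 5, as an added example that is not from the book or the original notes: the class name, directory paths and grant entries are assumptions. The Security Manager was deprecated for removal in Java 17 (JEP 411), so this needs a JDK that still supports it.

```java
// PolicyDemo.java -- added example; class name, paths and policy entries are assumptions.
//
// demo.policy (the ASCII policy file; no SecurityManager subclass is written):
//   grant codeBase "file:/opt/demo/classes/" {
//       permission java.io.FilePermission "/tmp/sandbox/-", "read";
//       permission java.util.PropertyPermission "user.name", "read";
//   };
//
// Run on a JDK that still supports the Security Manager:
//   java -Djava.security.manager -Djava.security.policy=demo.policy \
//        -cp /opt/demo/classes PolicyDemo
import java.io.FileInputStream;
import java.io.IOException;

public class PolicyDemo {
    // Attempt to read one byte. The permission check runs in the
    // FileInputStream constructor, before the file is opened.
    static String tryRead(String path) {
        try (FileInputStream in = new FileInputStream(path)) {
            in.read();
            return "allowed";
        } catch (SecurityException e) {   // structured response to a violation
            return "denied (" + e.getMessage() + ")";
        } catch (IOException e) {         // check passed, but the file is missing or unreadable
            return "permitted, I/O error (" + e.getMessage() + ")";
        }
    }

    // Attempt to read a system property; property reads are also permission-checked.
    static String tryProperty(String key) {
        try {
            return "allowed (" + System.getProperty(key) + ")";
        } catch (SecurityException e) {
            return "denied (" + e.getMessage() + ")";
        }
    }

    public static void main(String[] args) {
        System.out.println("manager installed: " + (System.getSecurityManager() != null));
        System.out.println("/tmp/sandbox/data.txt: " + tryRead("/tmp/sandbox/data.txt"));
        System.out.println("/etc/hostname: " + tryRead("/etc/hostname"));
        System.out.println("user.name: " + tryProperty("user.name"));
        System.out.println("user.home: " + tryProperty("user.home"));
    }
}
```

Run without `-Djava.security.manager`, the same program reports every access as allowed, which shows that the restrictions come from the policy file and not from the code.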