diff --git a/hugegraph-core/src/main/java/com/baidu/hugegraph/security/HugeSecurityManager.java b/hugegraph-core/src/main/java/com/baidu/hugegraph/security/HugeSecurityManager.java
index fa303ce829..5767cba554 100644
--- a/hugegraph-core/src/main/java/com/baidu/hugegraph/security/HugeSecurityManager.java
+++ b/hugegraph-core/src/main/java/com/baidu/hugegraph/security/HugeSecurityManager.java
@@ -24,6 +24,7 @@
 import java.security.Permission;
 import java.util.Map;
 import java.util.Set;
+import java.util.concurrent.CopyOnWriteArraySet;
 import org.slf4j.Logger;
@@ -126,6 +127,17 @@ public class HugeSecurityManager extends SecurityManager {
 ImmutableSet.of("newSecurityException")
 );
+ private static final Set ignoreCheckedClasses = new CopyOnWriteArraySet<>();
+
+ public static void ignoreCheckedClass(String clazz) {
+ if (callFromGremlin()) {
+ throw newSecurityException(
+ "Not allowed to add ignore check via Gremlin");
+ }
+
+ ignoreCheckedClasses.add(clazz);
+ }
+
 @Override
 public void checkPermission(Permission permission) {
 if (DENIED_PERMISSIONS.contains(permission.getName()) &&
@@ -167,7 +179,7 @@ public void checkAccess(Thread thread) {
 if (callFromGremlin() && !callFromCaffeine() &&
 !callFromAsyncTasks() && !callFromEventHubNotify() &&
 !callFromBackendThread() && !callFromBackendHbase() &&
- !callFromRaft() && !callFromSofaRpc()) {
+ !callFromRaft() && !callFromSofaRpc() && !callFromIgnoreCheckedClass()) {
 throw newSecurityException(
 "Not allowed to access thread via Gremlin");
 }
@@ -179,7 +191,8 @@ public void checkAccess(ThreadGroup threadGroup) {
 if (callFromGremlin() && !callFromCaffeine() &&
 !callFromAsyncTasks() && !callFromEventHubNotify() &&
 !callFromBackendThread() && !callFromBackendHbase() &&
- !callFromRaft() && !callFromSofaRpc()) {
+ !callFromRaft() && !callFromSofaRpc() &&
+ !callFromIgnoreCheckedClass()) {
 throw newSecurityException(
 "Not allowed to access thread group via Gremlin");
 }
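Review bot: `ignoreCheckedClass(String)` stores whatever string it is given, so a null or empty name can land in the set that exempts callers from the `checkAccess` thread checks, and nothing records which class was exempted or by whom. Each entry widens what Gremlin-originated code may do and this hunk shows no removal path, so I would reject bad input up front with `if (clazz == null || clazz.isEmpty()) { throw new IllegalArgumentException("clazz must be a non-empty class name"); }` and log every successful addition. The method is `public static` and guarded only by `callFromGremlin()`, so a Javadoc line saying when it may be called (server start-up or plugin registration is my assumption, to be confirmed) would help the next reader. The new field would also read more consistently as `IGNORE_CHECKED_CLASSES`, matching `DENIED_PERMISSIONS` and `NEW_SECURITY_EXCEPTION`.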
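Review bot: The new `!callFromIgnoreCheckedClass()` term is appended on the same line in `checkAccess(Thread)` but wrapped onto its own line in `checkAccess(ThreadGroup)`; the first should be wrapped the same way, `!callFromRaft() && !callFromSofaRpc() &&` followed by `!callFromIgnoreCheckedClass()) {`. Both methods now repeat the same nine-term condition, so a later exemption has to be added in two places, and a miss would leave one of the two thread checks stricter or looser than the other. Both method bodies start and end outside their hunks.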
@@ -475,6 +488,10 @@ private static boolean callFromNewSecurityException() {
 return callFromMethods(NEW_SECURITY_EXCEPTION);
 }
+ private static boolean callFromIgnoreCheckedClass() {
+ return callFromWorkerWithClass(ignoreCheckedClasses);
+ }
+
 private static boolean callFromWorkerWithClass(Set classes) {
 Thread curThread = Thread.currentThread();
 if (curThread.getName().startsWith(GREMLIN_SERVER_WORKER) ||
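Review bot: `callFromIgnoreCheckedClass()` has no comment explaining how a caller is matched against the registered names, and that is the property the whole exemption rests on. It delegates to `callFromWorkerWithClass`, whose body continues outside the hunk; the visible part starts by checking whether the current thread name begins with `GREMLIN_SERVER_WORKER`. If the match turns out to be by the class name of a stack frame, any registered class that runs caller-supplied code would pass the exemption on to that code, so the contract belongs in a comment such as `// Registered classes bypass the thread checks; register only classes that never execute user-supplied code`.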