Grant java.net.SocketPermission (infinilabs#565)

Author: rueian

src/main/assemblies/plugin.xml

@@ -18,6 +18,11 @@
             <outputDirectory/>
             <filtered>true</filtered>
         </file>
+        <file>
+            <source>${project.basedir}/src/main/resources/plugin-security.policy</source>
+            <outputDirectory/>
+            <filtered>true</filtered>
+        </file>
     </files>
     <dependencySets>
         <dependencySet>

src/main/java/org/wltea/analyzer/dic/Dictionary.java

@@ -36,6 +36,8 @@
 import java.nio.file.FileVisitResult;
 import java.nio.file.Path;
 import java.nio.file.SimpleFileVisitor;
+import java.security.AccessController;
+import java.security.PrivilegedAction;
 import java.util.*;
 import java.util.concurrent.Executors;
 import java.util.concurrent.ScheduledExecutorService;
@@ -47,6 +49,7 @@
 import org.apache.http.client.methods.HttpGet;
 import org.apache.http.impl.client.CloseableHttpClient;
 import org.apache.http.impl.client.HttpClients;
+import org.elasticsearch.SpecialPermission;
 import org.elasticsearch.common.io.PathUtils;
 import org.elasticsearch.common.logging.ESLoggerFactory;
 import org.elasticsearch.plugin.analysis.ik.AnalysisIkPlugin;
@@ -439,10 +442,17 @@ private void loadRemoteExtDict() {
 
 	}
 
+	private static List<String> getRemoteWords(String location) {
+		SpecialPermission.check();
+		return AccessController.doPrivileged((PrivilegedAction<List<String>>) () -> {
+			return getRemoteWordsUnprivileged(location);
+		});
+	}
+
 	/**
 	 * 从远程服务器上下载自定义词条
 	 */
-	private static List<String> getRemoteWords(String location) {
+	private static List<String> getRemoteWordsUnprivileged(String location) {
 
 		List<String> buffer = new ArrayList<String>();
 		RequestConfig rc = RequestConfig.custom().setConnectionRequestTimeout(10 * 1000).setConnectTimeout(10 * 1000)

src/main/java/org/wltea/analyzer/dic/Monitor.java

@@ -1,13 +1,16 @@
 package org.wltea.analyzer.dic;
 
 import java.io.IOException;
+import java.security.AccessController;
+import java.security.PrivilegedAction;
 
 import org.apache.http.client.config.RequestConfig;
 import org.apache.http.client.methods.CloseableHttpResponse;
 import org.apache.http.client.methods.HttpHead;
 import org.apache.http.impl.client.CloseableHttpClient;
 import org.apache.http.impl.client.HttpClients;
 import org.apache.logging.log4j.Logger;
+import org.elasticsearch.SpecialPermission;
 import org.elasticsearch.common.logging.ESLoggerFactory;
 
 public class Monitor implements Runnable {
@@ -34,6 +37,15 @@ public Monitor(String location) {
 		this.last_modified = null;
 		this.eTags = null;
 	}
+
+	public void run() {
+		SpecialPermission.check();
+		AccessController.doPrivileged((PrivilegedAction<Void>) () -> {
+			this.runUnprivileged();
+			return null;
+		});
+	}
+
 	/**
 	 * 监控流程：
 	 *  ①向词库服务器发送Head请求
@@ -43,7 +55,7 @@ public Monitor(String location) {
 	 *  ⑤休眠1min，返回第①步
 	 */
 
-	public void run() {
+	public void runUnprivileged() {
 
 		//超时设置
 		RequestConfig rc = RequestConfig.custom().setConnectionRequestTimeout(10*1000)

src/main/resources/plugin-security.policy

@@ -0,0 +1,4 @@
+grant {
+  // needed because of the hot reload functionality
+  permission java.net.SocketPermission "*", "connect,resolve";
+};