Monitoring network connections can be done with JFR. It will tell you which classes perform the connections. It does not require a Java agent.
Setting up the SM to *block* connections while also not allowing those libraries to disable the SM is not very easy. Those libraries are trusted, and monitoring is more effective than sandboxing for trusted code.

— Ron

> On 21 Apr 2021, at 06:26, Lim <lim.chainz11+mail...@gmail.com> wrote:
>
> Hi all, apologies if I interrupted this thread.
>
> I agreed on what Reinier has said and I have similar concerns about
> the removal of SecurityManager.
>
> I have developed a "Mod" for a certain game to monitor which "Mods"
> are using network connections. The mod is a kind of library since
> other libraries can use them to extend the library functionality such
> as add-on. In this context, library refers to Mod, a modification that
> can provide extra features to the base game. These libraries are
> usually obtained from reputable websites by the end user. However, not
> all libraries can be obtained in these websites, some which are hosted
> by the author themselves that are readily compiled.
>
> Most of the libraries in this game do not require network connections
> to work except for legitimate reasons such as version checker,
> downloading required resources, but some requested network connections
> anyway without reasons. This gives the concern, are the network calls
> justified for a game that can be played offline?
>
> Besides that, Reinier gives a good point of why the ability to
> deny/allow network is important and I would like to give an example
> when I am developing the library:
>
> On 2021-04-16 09:29, Reinier Zwitserloot wrote:
>> * Any library could have the bright idea to 'phone home' and make a
>> network call simply to give the library author some idea of how
>> widespread their library is used. This could have an entirely innocuous
>> purpose: The library author thought it'd be a cool idea to have a live
>> map of the planet on their website, with a little animated blip every
>> time their library is used to, say, parse some JSON. SecurityManager is
>> the simplest way to spot this and stop it.
>
> Although most of the recent libraries do not have analytics that I've
> seen, I have seen one older version of the library that has analytics
> enabled without any way to disable except performing bytecode
> modifications. This has implications to the users' privacy since they
> do not anticipate it has analytics within them and libraries that have
> analytics are frowned upon in the mod community. This also violates
> some of the privacy laws in some countries.
>
> The security manager is the only viable way to control these libraries
> from "phoning home" in my opinion. Since the end user "installs" these
> libraries by putting into a specific folder for the loader to launch
> the game with these modifications. They are not expected to change
> their system just to know if a particular library has these
> "features". For example, using firewall/hosts file/DNS/other
> monitoring tools. It might help but it does not provide insight into
> which class/package which Reinier has said and that's where the
> SecurityManager can help.
>
> By using the "checkConnect" methods in SecurityManager, I can
> allow/deny and notify appropriate messages in the log for the end user
> to check. In addition, there is a configuration that allows the end
> user to configure which hosts are allowed for the network connections.
>
> I hope that the core SecurityManager functionality will be preserved.
> Will there be an alternative that is able to provide similar
> functionality through programmatic means for my use case? I have read
> the comments about using JFR stream/bytecode instrumentation but it
> required the usage of Java Agent and command line flags which is not
> acceptable in this use case.
>
> Thanks
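
The JFR-based monitoring mentioned at the top of this message, as an added example that is not code from the thread or from the JDK project: an in-process `RecordingStream` (JDK 14 or later) that logs each socket read and write with the first non-JDK class on the stack. The class name `SocketAudit`, the package-prefix filter and the loopback traffic are constructed for illustration; the stream observes traffic and does not block it.

```java
import java.net.ServerSocket;
import java.net.Socket;
import java.time.Duration;
import jdk.jfr.consumer.RecordedEvent;
import jdk.jfr.consumer.RecordedFrame;
import jdk.jfr.consumer.RecordingStream;

public class SocketAudit {
    // First stack frame outside the JDK: the code that asked for the I/O.
    static String caller(RecordedEvent e) {
        if (e.getStackTrace() == null) return "<no stack trace>";
        for (RecordedFrame f : e.getStackTrace().getFrames()) {
            String type = f.getMethod().getType().getName();
            if (!type.startsWith("java.") && !type.startsWith("jdk.") && !type.startsWith("sun.")) {
                return type + "." + f.getMethod().getName();
            }
        }
        return "<JDK internal>";
    }

    static void report(RecordedEvent e) {
        System.out.printf("%s %s:%d by %s%n", e.getEventType().getName(),
                e.getString("address"), e.getInt("port"), caller(e));
    }

    public static void main(String[] args) throws Exception {
        try (RecordingStream rs = new RecordingStream()) {
            for (String name : new String[] {"jdk.SocketRead", "jdk.SocketWrite"}) {
                // Threshold zero: record every read/write, not only slow ones.
                rs.enable(name).withStackTrace().withThreshold(Duration.ZERO);
                rs.onEvent(name, SocketAudit::report);
            }
            rs.startAsync();
            // Constructed traffic on loopback, standing in for a library's network call.
            try (ServerSocket server = new ServerSocket(0);
                 Socket client = new Socket("127.0.0.1", server.getLocalPort());
                 Socket accepted = server.accept()) {
                client.getOutputStream().write(42);
                accepted.getInputStream().read();
            }
            Thread.sleep(3000); // events reach the stream on JFR's periodic flush
        }
    }
}
```

Run with `java SocketAudit.java`; each output line names the event type, the remote address and port, and the class that initiated the I/O.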