1 /* 2 * Copyright (c) 1997, 2015, Oracle and/or its affiliates. All rights reserved. 3 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. 4 * 5 * This code is free software; you can redistribute it and/or modify it 6 * under the terms of the GNU General Public License version 2 only, as 7 * published by the Free Software Foundation. Oracle designates this 8 * particular file as subject to the "Classpath" exception as provided 9 * by Oracle in the LICENSE file that accompanied this code. 10 * 11 * This code is distributed in the hope that it will be useful, but WITHOUT 12 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or 13 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License 14 * version 2 for more details (a copy is included in the LICENSE file that 15 * accompanied this code). 16 * 17 * You should have received a copy of the GNU General Public License version 18 * 2 along with this work; if not, write to the Free Software Foundation, 19 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. 20 * 21 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA 22 * or visit www.oracle.com if you need additional information or have any 23 * questions. 24 */ 25 26 package java.security; 27 28 import java.util.Enumeration; 29 import java.util.Map; 30 import java.util.HashMap; 31 import java.util.Hashtable; 32 import java.util.Collections; 33 import java.io.ObjectStreamField; 34 import java.io.ObjectOutputStream; 35 import java.io.ObjectInputStream; 36 import java.io.IOException; 37 38 /** 39 * The BasicPermission class extends the Permission class, and 40 * can be used as the base class for permissions that want to 41 * follow the same naming convention as BasicPermission. 42 * <P> 43 * The name for a BasicPermission is the name of the given permission 44 * (for example, "exit", 45 * "setFactory", "print.queueJob", etc). The naming 46 * convention follows the hierarchical property naming convention. 47 * An asterisk may appear by itself, or if immediately preceded by a "." 48 * may appear at the end of the name, to signify a wildcard match. 49 * For example, "*" and "java.*" signify a wildcard match, while "*java", "a*b", 50 * and "java*" do not. 51 * <P> 52 * The action string (inherited from Permission) is unused. 53 * Thus, BasicPermission is commonly used as the base class for 54 * "named" permissions 55 * (ones that contain a name but no actions list; you either have the 56 * named permission or you don't.) 57 * Subclasses may implement actions on top of BasicPermission, 58 * if desired. 59 * 60 * @see java.security.Permission 61 * @see java.security.Permissions 62 * @see java.security.PermissionCollection 63 * @see java.lang.SecurityManager 64 * 65 * @author Marianne Mueller 66 * @author Roland Schemers 67 */ 68 69 public abstract class BasicPermission extends Permission 70 implements java.io.Serializable 71 { 72 73 private static final long serialVersionUID = 6279438298436773498L; 74 75 // does this permission have a wildcard at the end? 76 private transient boolean wildcard; 77 78 // the name without the wildcard on the end 79 private transient String path; 80 81 // is this permission the old-style exitVM permission (pre JDK 1.6)? 82 private transient boolean exitVM; 83 84 /** 85 * initialize a BasicPermission object. Common to all constructors. 86 */ 87 private void init(String name) { 88 if (name == null) 89 throw new NullPointerException("name can't be null"); 90 91 int len = name.length(); 92 93 if (len == 0) { 94 throw new IllegalArgumentException("name can't be empty"); 95 } 96 97 char last = name.charAt(len - 1); 98 99 // Is wildcard or ends with ".*"? 100 if (last == '*' && (len == 1 || name.charAt(len - 2) == '.')) { 101 wildcard = true; 102 if (len == 1) { 103 path = ""; 104 } else { 105 path = name.substring(0, len - 1); 106 } 107 } else { 108 if (name.equals("exitVM")) { 109 wildcard = true; 110 path = "exitVM."; 111 exitVM = true; 112 } else { 113 path = name; 114 } 115 } 116 } 117 118 /** 119 * Creates a new BasicPermission with the specified name. 120 * Name is the symbolic name of the permission, such as 121 * "setFactory", 122 * "print.queueJob", or "topLevelWindow", etc. 123 * 124 * @param name the name of the BasicPermission. 125 * 126 * @throws NullPointerException if {@code name} is {@code null}. 127 * @throws IllegalArgumentException if {@code name} is empty. 128 */ 129 public BasicPermission(String name) { 130 super(name); 131 init(name); 132 } 133 134 135 /** 136 * Creates a new BasicPermission object with the specified name. 137 * The name is the symbolic name of the BasicPermission, and the 138 * actions String is currently unused. 139 * 140 * @param name the name of the BasicPermission. 141 * @param actions ignored. 142 * 143 * @throws NullPointerException if {@code name} is {@code null}. 144 * @throws IllegalArgumentException if {@code name} is empty. 145 */ 146 public BasicPermission(String name, String actions) { 147 super(name); 148 init(name); 149 } 150 151 /** 152 * Checks if the specified permission is "implied" by 153 * this object. 154 * <P> 155 * More specifically, this method returns true if: 156 * <ul> 157 * <li> {@code p}'s class is the same as this object's class, and 158 * <li> {@code p}'s name equals or (in the case of wildcards) 159 * is implied by this object's 160 * name. For example, "a.b.*" implies "a.b.c". 161 * </ul> 162 * 163 * @param p the permission to check against. 164 * 165 * @return true if the passed permission is equal to or 166 * implied by this permission, false otherwise. 167 */ 168 public boolean implies(Permission p) { 169 if ((p == null) || (p.getClass() != getClass())) 170 return false; 171 172 BasicPermission that = (BasicPermission) p; 173 174 if (this.wildcard) { 175 if (that.wildcard) { 176 // one wildcard can imply another 177 return that.path.startsWith(path); 178 } else { 179 // make sure ap.path is longer so a.b.* doesn't imply a.b 180 return (that.path.length() > this.path.length()) && 181 that.path.startsWith(this.path); 182 } 183 } else { 184 if (that.wildcard) { 185 // a non-wildcard can't imply a wildcard 186 return false; 187 } 188 else { 189 return this.path.equals(that.path); 190 } 191 } 192 } 193 194 /** 195 * Checks two BasicPermission objects for equality. 196 * Checks that {@code obj}'s class is the same as this object's class 197 * and has the same name as this object. 198 * 199 * @param obj the object we are testing for equality with this object. 200 * @return true if {@code obj}'s class is the same as this object's class 201 * and has the same name as this BasicPermission object, false otherwise. 202 */ 203 public boolean equals(Object obj) { 204 if (obj == this) 205 return true; 206 207 if ((obj == null) || (obj.getClass() != getClass())) 208 return false; 209 210 BasicPermission bp = (BasicPermission) obj; 211 212 return getName().equals(bp.getName()); 213 } 214 215 216 /** 217 * Returns the hash code value for this object. 218 * The hash code used is the hash code of the name, that is, 219 * {@code getName().hashCode()}, where {@code getName} is 220 * from the Permission superclass. 221 * 222 * @return a hash code value for this object. 223 */ 224 public int hashCode() { 225 return this.getName().hashCode(); 226 } 227 228 /** 229 * Returns the canonical string representation of the actions, 230 * which currently is the empty string "", since there are no actions for 231 * a BasicPermission. 232 * 233 * @return the empty string "". 234 */ 235 public String getActions() { 236 return ""; 237 } 238 239 /** 240 * Returns a new PermissionCollection object for storing BasicPermission 241 * objects. 242 * 243 * <p>BasicPermission objects must be stored in a manner that allows them 244 * to be inserted in any order, but that also enables the 245 * PermissionCollection {@code implies} method 246 * to be implemented in an efficient (and consistent) manner. 247 * 248 * @return a new PermissionCollection object suitable for 249 * storing BasicPermissions. 250 */ 251 public PermissionCollection newPermissionCollection() { 252 return new BasicPermissionCollection(this.getClass()); 253 } 254 255 /** 256 * readObject is called to restore the state of the BasicPermission from 257 * a stream. 258 */ 259 private void readObject(ObjectInputStream s) 260 throws IOException, ClassNotFoundException 261 { 262 s.defaultReadObject(); 263 // init is called to initialize the rest of the values. 264 init(getName()); 265 } 266 267 /** 268 * Returns the canonical name of this BasicPermission. 269 * All internal invocations of getName should invoke this method, so 270 * that the pre-JDK 1.6 "exitVM" and current "exitVM.*" permission are 271 * equivalent in equals/hashCode methods. 272 * 273 * @return the canonical name of this BasicPermission. 274 */ 275 final String getCanonicalName() { 276 return exitVM ? "exitVM.*" : getName(); 277 } 278 } 279 280 /** 281 * A BasicPermissionCollection stores a collection 282 * of BasicPermission permissions. BasicPermission objects 283 * must be stored in a manner that allows them to be inserted in any 284 * order, but enable the implies function to evaluate the implies 285 * method in an efficient (and consistent) manner. 286 * 287 * A BasicPermissionCollection handles comparing a permission like "a.b.c.d.e" 288 * with a Permission such as "a.b.*", or "*". 289 * 290 * @see java.security.Permission 291 * @see java.security.Permissions 292 * 293 * 294 * @author Roland Schemers 295 * 296 * @serial include 297 */ 298 299 final class BasicPermissionCollection 300 extends PermissionCollection 301 implements java.io.Serializable 302 { 303 304 private static final long serialVersionUID = 739301742472979399L; 305 306 /** 307 * Key is name, value is permission. All permission objects in 308 * collection must be of the same type. 309 * Not serialized; see serialization section at end of class. 310 */ 311 private transient Map<String, Permission> perms; 312 313 /** 314 * This is set to {@code true} if this BasicPermissionCollection 315 * contains a BasicPermission with '*' as its permission name. 316 * 317 * @see #serialPersistentFields 318 */ 319 private boolean all_allowed; 320 321 /** 322 * The class to which all BasicPermissions in this 323 * BasicPermissionCollection belongs. 324 * 325 * @see #serialPersistentFields 326 */ 327 private Class<?> permClass; 328 329 /** 330 * Create an empty BasicPermissionCollection object. 331 * 332 */ 333 334 public BasicPermissionCollection(Class<?> clazz) { 335 perms = new HashMap<>(11); 336 all_allowed = false; 337 permClass = clazz; 338 } 339 340 /** 341 * Adds a permission to the BasicPermissions. The key for the hash is 342 * permission.path. 343 * 344 * @param permission the Permission object to add. 345 * 346 * @exception IllegalArgumentException - if the permission is not a 347 * BasicPermission, or if 348 * the permission is not of the 349 * same Class as the other 350 * permissions in this collection. 351 * 352 * @exception SecurityException - if this BasicPermissionCollection object 353 * has been marked readonly 354 */ 355 public void add(Permission permission) { 356 if (! (permission instanceof BasicPermission)) 357 throw new IllegalArgumentException("invalid permission: "+ 358 permission); 359 if (isReadOnly()) 360 throw new SecurityException("attempt to add a Permission to a readonly PermissionCollection"); 361 362 BasicPermission bp = (BasicPermission) permission; 363 364 // make sure we only add new BasicPermissions of the same class 365 // Also check null for compatibility with deserialized form from 366 // previous versions. 367 if (permClass == null) { 368 // adding first permission 369 permClass = bp.getClass(); 370 } else { 371 if (bp.getClass() != permClass) 372 throw new IllegalArgumentException("invalid permission: " + 373 permission); 374 } 375 376 synchronized (this) { 377 perms.put(bp.getCanonicalName(), permission); 378 } 379 380 // No sync on all_allowed; staleness OK 381 if (!all_allowed) { 382 if (bp.getCanonicalName().equals("*")) 383 all_allowed = true; 384 } 385 } 386 387 /** 388 * Check and see if this set of permissions implies the permissions 389 * expressed in "permission". 390 * 391 * @param permission the Permission object to compare 392 * 393 * @return true if "permission" is a proper subset of a permission in 394 * the set, false if not. 395 */ 396 public boolean implies(Permission permission) { 397 if (! (permission instanceof BasicPermission)) 398 return false; 399 400 BasicPermission bp = (BasicPermission) permission; 401 402 // random subclasses of BasicPermission do not imply each other 403 if (bp.getClass() != permClass) 404 return false; 405 406 // short circuit if the "*" Permission was added 407 if (all_allowed) 408 return true; 409 410 // strategy: 411 // Check for full match first. Then work our way up the 412 // path looking for matches on a.b..* 413 414 String path = bp.getCanonicalName(); 415 //System.out.println("check "+path); 416 417 Permission x; 418 419 synchronized (this) { 420 x = perms.get(path); 421 } 422 423 if (x != null) { 424 // we have a direct hit! 425 return x.implies(permission); 426 } 427 428 // work our way up the tree... 429 int last, offset; 430 431 offset = path.length()-1; 432 433 while ((last = path.lastIndexOf('.', offset)) != -1) { 434 435 path = path.substring(0, last+1) + "*"; 436 //System.out.println("check "+path); 437 438 synchronized (this) { 439 x = perms.get(path); 440 } 441 442 if (x != null) { 443 return x.implies(permission); 444 } 445 offset = last -1; 446 } 447 448 // we don't have to check for "*" as it was already checked 449 // at the top (all_allowed), so we just return false 450 return false; 451 } 452 453 /** 454 * Returns an enumeration of all the BasicPermission objects in the 455 * container. 456 * 457 * @return an enumeration of all the BasicPermission objects. 458 */ 459 public Enumeration<Permission> elements() { 460 // Convert Iterator of Map values into an Enumeration 461 synchronized (this) { 462 return Collections.enumeration(perms.values()); 463 } 464 } 465 466 // Need to maintain serialization interoperability with earlier releases, 467 // which had the serializable field: 468 // 469 // @serial the Hashtable is indexed by the BasicPermission name 470 // 471 // private Hashtable permissions; 472 /** 473 * @serialField permissions java.util.Hashtable 474 * The BasicPermissions in this BasicPermissionCollection. 475 * All BasicPermissions in the collection must belong to the same class. 476 * The Hashtable is indexed by the BasicPermission name; the value 477 * of the Hashtable entry is the permission. 478 * @serialField all_allowed boolean 479 * This is set to {@code true} if this BasicPermissionCollection 480 * contains a BasicPermission with '*' as its permission name. 481 * @serialField permClass java.lang.Class 482 * The class to which all BasicPermissions in this 483 * BasicPermissionCollection belongs. 484 */ 485 private static final ObjectStreamField[] serialPersistentFields = { 486 new ObjectStreamField("permissions", Hashtable.class), 487 new ObjectStreamField("all_allowed", Boolean.TYPE), 488 new ObjectStreamField("permClass", Class.class), 489 }; 490 491 /** 492 * @serialData Default fields. 493 */ 494 /* 495 * Writes the contents of the perms field out as a Hashtable for 496 * serialization compatibility with earlier releases. all_allowed 497 * and permClass unchanged. 498 */ 499 private void writeObject(ObjectOutputStream out) throws IOException { 500 // Don't call out.defaultWriteObject() 501 502 // Copy perms into a Hashtable 503 Hashtable<String, Permission> permissions = 504 new Hashtable<>(perms.size()*2); 505 506 synchronized (this) { 507 permissions.putAll(perms); 508 } 509 510 // Write out serializable fields 511 ObjectOutputStream.PutField pfields = out.putFields(); 512 pfields.put("all_allowed", all_allowed); 513 pfields.put("permissions", permissions); 514 pfields.put("permClass", permClass); 515 out.writeFields(); 516 } 517 518 /** 519 * readObject is called to restore the state of the 520 * BasicPermissionCollection from a stream. 521 */ 522 private void readObject(java.io.ObjectInputStream in) 523 throws IOException, ClassNotFoundException 524 { 525 // Don't call defaultReadObject() 526 527 // Read in serialized fields 528 ObjectInputStream.GetField gfields = in.readFields(); 529 530 // Get permissions 531 // writeObject writes a Hashtable<String, Permission> for the 532 // permissions key, so this cast is safe, unless the data is corrupt. 533 @SuppressWarnings("unchecked") 534 Hashtable<String, Permission> permissions = 535 (Hashtable<String, Permission>)gfields.get("permissions", null); 536 perms = new HashMap<>(permissions.size()*2); 537 perms.putAll(permissions); 538 539 // Get all_allowed 540 all_allowed = gfields.get("all_allowed", false); 541 542 // Get permClass 543 permClass = (Class<?>) gfields.get("permClass", null); 544 545 if (permClass == null) { 546 // set permClass 547 Enumeration<Permission> e = permissions.elements(); 548 if (e.hasMoreElements()) { 549 Permission p = e.nextElement(); 550 permClass = p.getClass(); 551 } 552 } 553 } 554 }