46 import sun.net.util.IPAddressUtil;
47 import sun.net.PortConfig;
48 import sun.security.util.RegisteredDomain;
49 import sun.security.util.SecurityConstants;
50 import sun.security.util.Debug;
51
52
53 /**
54 * This class represents access to a network via sockets.
55 * A SocketPermission consists of a
56 * host specification and a set of "actions" specifying ways to
57 * connect to that host. The host is specified as
58 * <pre>
59 * host = (hostname | IPv4address | iPv6reference) [:portrange]
60 * portrange = portnumber | -portnumber | portnumber-[portnumber]
61 * </pre>
62 * The host is expressed as a DNS name, as a numerical IP address,
63 * or as "localhost" (for the local machine).
64 * The wildcard "*" may be included once in a DNS name host
65 * specification. If it is included, it must be in the leftmost
66 * position, as in "*.sun.com".
67 * <p>
68 * The format of the IPv6reference should follow that specified in <a
69 * href="http://www.ietf.org/rfc/rfc2732.txt"><i>RFC 2732: Format
70 * for Literal IPv6 Addresses in URLs</i></a>:
71 * <pre>
72 * ipv6reference = "[" IPv6address "]"
73 *</pre>
74 * For example, you can construct a SocketPermission instance
75 * as the following:
76 * <pre>
77 * String hostAddress = inetaddress.getHostAddress();
78 * if (inetaddress instanceof Inet6Address) {
79 * sp = new SocketPermission("[" + hostAddress + "]:" + port, action);
80 * } else {
81 * sp = new SocketPermission(hostAddress + ":" + port, action);
82 * }
83 * </pre>
84 * or
85 * <pre>
86 * String host = url.getHost();
98 * port range. This is a fixed range of ports a system may use to
99 * allocate dynamic ports from. The actual range may be system dependent.
100 * <p>
101 * The possible ways to connect to the host are
102 * <pre>
103 * accept
104 * connect
105 * listen
106 * resolve
107 * </pre>
108 * The "listen" action is only meaningful when used with "localhost" and
109 * means the ability to bind to a specified port.
110 * The "resolve" action is implied when any of the other actions are present.
111 * The action "resolve" refers to host/ip name service lookups.
112 * <P>
113 * The actions string is converted to lowercase before processing.
114 * <p>As an example of the creation and meaning of SocketPermissions,
115 * note that if the following permission:
116 *
117 * <pre>
118 * p1 = new SocketPermission("puffin.eng.sun.com:7777", "connect,accept");
119 * </pre>
120 *
121 * is granted to some code, it allows that code to connect to port 7777 on
122 * {@code puffin.eng.sun.com}, and to accept connections on that port.
123 *
124 * <p>Similarly, if the following permission:
125 *
126 * <pre>
127 * p2 = new SocketPermission("localhost:1024-", "accept,connect,listen");
128 * </pre>
129 *
130 * is granted to some code, it allows that code to
131 * accept connections on, connect to, or listen on any port between
132 * 1024 and 65535 on the local host.
133 *
134 * <p>Note: Granting code permission to accept or make connections to remote
135 * hosts may be dangerous because malevolent code can then more easily
136 * transfer and share confidential data among parties who may not
137 * otherwise have access to the data.
138 *
139 * @see java.security.Permissions
140 * @see SocketPermission
141 *
142 *
194 /**
195 * the actions string.
196 *
197 * @serial
198 */
199
200 private String actions; // Left null as long as possible, then
201 // created and re-used in the getAction function.
202
203 // hostname part as it is passed
204 private transient String hostname;
205
206 // the canonical name of the host
207 // in the case of "*.foo.com", cname is ".foo.com".
208
209 private transient String cname;
210
211 // all the IP addresses of the host
212 private transient InetAddress[] addresses;
213
214 // true if the hostname is a wildcard (e.g. "*.sun.com")
215 private transient boolean wildcard;
216
217 // true if we were initialized with a single numeric IP address
218 private transient boolean init_with_ip;
219
220 // true if this SocketPermission represents an invalid/unknown host
221 // used for implies when the delayed lookup has already failed
222 private transient boolean invalid;
223
224 // port range on host
225 private transient int[] portrange;
226
227 private transient boolean defaultDeny = false;
228
229 // true if this SocketPermission represents a hostname
230 // that failed our reverse mapping heuristic test
231 private transient boolean untrusted;
232 private transient boolean trusted;
233
234 // true if the sun.net.trustNameService system property is set
257 return debug;
258 }
259
260 /**
261 * Creates a new SocketPermission object with the specified actions.
262 * The host is expressed as a DNS name, or as a numerical IP address.
263 * Optionally, a port or a portrange may be supplied (separated
264 * from the DNS name or IP address by a colon).
265 * <p>
266 * To specify the local machine, use "localhost" as the <i>host</i>.
267 * Also note: An empty <i>host</i> String ("") is equivalent to "localhost".
268 * <p>
269 * The <i>actions</i> parameter contains a comma-separated list of the
270 * actions granted for the specified host (and port(s)). Possible actions are
271 * "connect", "listen", "accept", "resolve", or
272 * any combination of those. "resolve" is automatically added
273 * when any of the other three are specified.
274 * <p>
275 * Examples of SocketPermission instantiation are the following:
276 * <pre>
277 * nr = new SocketPermission("www.catalog.com", "connect");
278 * nr = new SocketPermission("www.sun.com:80", "connect");
279 * nr = new SocketPermission("*.sun.com", "connect");
280 * nr = new SocketPermission("*.edu", "resolve");
281 * nr = new SocketPermission("204.160.241.0", "connect");
282 * nr = new SocketPermission("localhost:1024-65535", "listen");
283 * nr = new SocketPermission("204.160.241.0:1024-65535", "connect");
284 * </pre>
285 *
286 * @param host the hostname or IP address of the computer, optionally
287 * including a colon followed by a port or port range.
288 * @param action the action string.
289 */
290 public SocketPermission(String host, String action) {
291 super(getHost(host));
292 // name initialized to getHost(host); NPE detected in getHost()
293 init(getName(), getMask(action));
294 }
295
296
297 SocketPermission(String host, int mask) {
298 super(getHost(host));
299 // name initialized to getHost(host); NPE detected in getHost()
383 private boolean includesEphemerals() {
384 return portrange[0] == 0;
385 }
386
387 /**
388 * Initialize the SocketPermission object. We don't do any DNS lookups
389 * as this point, instead we hold off until the implies method is
390 * called.
391 */
392 private void init(String host, int mask) {
393 // Set the integer mask that represents the actions
394
395 if ((mask & ALL) != mask)
396 throw new IllegalArgumentException("invalid actions mask");
397
398 // always OR in RESOLVE if we allow any of the others
399 this.mask = mask | RESOLVE;
400
401 // Parse the host name. A name has up to three components, the
402 // hostname, a port number, or two numbers representing a port
403 // range. "www.sun.com:8080-9090" is a valid host name.
404
405 // With IPv6 an address can be 2010:836B:4179::836B:4179
406 // An IPv6 address needs to be enclose in []
407 // For ex: [2010:836B:4179::836B:4179]:8080-9090
408 // Refer to RFC 2732 for more information.
409
410 int rb = 0 ;
411 int start = 0, end = 0;
412 int sep = -1;
413 String hostport = host;
414 if (host.charAt(0) == '[') {
415 start = 1;
416 rb = host.indexOf(']');
417 if (rb != -1) {
418 host = host.substring(start, rb);
419 } else {
420 throw new
421 IllegalArgumentException("invalid host/port: "+host);
422 }
423 sep = hostport.indexOf(':', rb+1);
818
819 /**
820 * Checks if this socket permission object "implies" the
821 * specified permission.
822 * <P>
823 * More specifically, this method first ensures that all of the following
824 * are true (and returns false if any of them are not):
825 * <ul>
826 * <li> <i>p</i> is an instanceof SocketPermission,
827 * <li> <i>p</i>'s actions are a proper subset of this
828 * object's actions, and
829 * <li> <i>p</i>'s port range is included in this port range. Note:
830 * port range is ignored when p only contains the action, 'resolve'.
831 * </ul>
832 *
833 * Then {@code implies} checks each of the following, in order,
834 * and for each returns true if the stated condition is true:
835 * <ul>
836 * <li> If this object was initialized with a single IP address and one of <i>p</i>'s
837 * IP addresses is equal to this object's IP address.
838 * <li>If this object is a wildcard domain (such as *.sun.com), and
839 * <i>p</i>'s canonical name (the name without any preceding *)
840 * ends with this object's canonical host name. For example, *.sun.com
841 * implies *.eng.sun.com.
842 * <li>If this object was not initialized with a single IP address, and one of this
843 * object's IP addresses equals one of <i>p</i>'s IP addresses.
844 * <li>If this canonical name equals <i>p</i>'s canonical name.
845 * </ul>
846 *
847 * If none of the above are true, {@code implies} returns false.
848 * @param p the permission to check against.
849 *
850 * @return true if the specified permission is implied by this object,
851 * false if not.
852 */
853 @Override
854 public boolean implies(Permission p) {
855 int i,j;
856
857 if (!(p instanceof SocketPermission))
858 return false;
859
860 if (p == this)
861 return true;
862
863 SocketPermission that = (SocketPermission) p;
864
865 return ((this.mask & that.mask) == that.mask) &&
866 impliesIgnoreMask(that);
867 }
868
869 /**
870 * Checks if the incoming Permission's action are a proper subset of
871 * the this object's actions.
872 * <P>
873 * Check, in the following order:
874 * <ul>
875 * <li> Checks that "p" is an instanceof a SocketPermission
876 * <li> Checks that "p"'s actions are a proper subset of the
877 * current object's actions.
878 * <li> Checks that "p"'s port range is included in this port range
879 * <li> If this object was initialized with an IP address, checks that
880 * one of "p"'s IP addresses is equal to this object's IP address.
881 * <li> If either object is a wildcard domain (i.e., "*.sun.com"),
882 * attempt to match based on the wildcard.
883 * <li> If this object was not initialized with an IP address, attempt
884 * to find a match based on the IP addresses in both objects.
885 * <li> Attempt to match on the canonical hostnames of both objects.
886 * </ul>
887 * @param that the incoming permission request
888 *
889 * @return true if "permission" is a proper subset of the current object,
890 * false if not.
891 */
892 boolean impliesIgnoreMask(SocketPermission that) {
893 int i,j;
894
895 if ((that.mask & RESOLVE) != that.mask) {
896
897 // check simple port range
898 if ((that.portrange[0] < this.portrange[0]) ||
899 (that.portrange[1] > this.portrange[1])) {
900
901 // if either includes the ephemeral range, do full check
927
928 if (that.init_with_ip) {
929 return (this.addresses[0].equals(that.addresses[0]));
930 } else {
931 if (that.addresses == null) {
932 that.getIP();
933 }
934 for (i=0; i < that.addresses.length; i++) {
935 if (this.addresses[0].equals(that.addresses[i]))
936 return true;
937 }
938 }
939 // since "this" was initialized with an IP address, we
940 // don't check any other cases
941 return false;
942 }
943
944 // check and see if we have any wildcards...
945 if (this.wildcard || that.wildcard) {
946 // if they are both wildcards, return true iff
947 // that's cname ends with this cname (i.e., *.sun.com
948 // implies *.eng.sun.com)
949 if (this.wildcard && that.wildcard)
950 return (that.cname.endsWith(this.cname));
951
952 // a non-wildcard can't imply a wildcard
953 if (that.wildcard)
954 return false;
955
956 // this is a wildcard, lets see if that's cname ends with
957 // it...
958 if (that.cname == null) {
959 that.getCanonName();
960 }
961 return (that.cname.endsWith(this.cname));
962 }
963
964 // compare IP addresses
965 if (this.addresses == null) {
966 this.getIP();
967 }
968
1040 SocketPermission that = (SocketPermission) obj;
1041
1042 //this is (overly?) complex!!!
1043
1044 // check the mask first
1045 if (this.mask != that.mask) return false;
1046
1047 if ((that.mask & RESOLVE) != that.mask) {
1048 // now check the port range...
1049 if ((this.portrange[0] != that.portrange[0]) ||
1050 (this.portrange[1] != that.portrange[1])) {
1051 return false;
1052 }
1053 }
1054
1055 // short cut. This catches:
1056 // "crypto" equal to "crypto", or
1057 // "1.2.3.4" equal to "1.2.3.4.", or
1058 // "*.edu" equal to "*.edu", but it
1059 // does not catch "crypto" equal to
1060 // "crypto.eng.sun.com".
1061
1062 if (this.getName().equalsIgnoreCase(that.getName())) {
1063 return true;
1064 }
1065
1066 // we now attempt to get the Canonical (FQDN) name and
1067 // compare that. If this fails, about all we can do is return
1068 // false.
1069
1070 try {
1071 this.getCanonName();
1072 that.getCanonName();
1073 } catch (UnknownHostException uhe) {
1074 return false;
1075 }
1076
1077 if (this.invalid || that.invalid)
1078 return false;
1079
1080 if (this.cname != null) {
1296 s.append("(no addresses)\n");
1297 }
1298
1299 return s.toString();
1300 }
1301
1302 public static void main(String args[]) throws Exception {
1303 SocketPermission this_ = new SocketPermission(args[0], "connect");
1304 SocketPermission that_ = new SocketPermission(args[1], "connect");
1305 System.out.println("-----\n");
1306 System.out.println("this.implies(that) = " + this_.implies(that_));
1307 System.out.println("-----\n");
1308 System.out.println("this = "+this_);
1309 System.out.println("-----\n");
1310 System.out.println("that = "+that_);
1311 System.out.println("-----\n");
1312
1313 SocketPermissionCollection nps = new SocketPermissionCollection();
1314 nps.add(this_);
1315 nps.add(new SocketPermission("www-leland.stanford.edu","connect"));
1316 nps.add(new SocketPermission("www-sun.com","connect"));
1317 System.out.println("nps.implies(that) = " + nps.implies(that_));
1318 System.out.println("-----\n");
1319 }
1320 */
1321 }
1322
1323 /**
1324
1325 if (init'd with IP, key is IP as string)
1326 if wildcard, its the wild card
1327 else its the cname?
1328
1329 *
1330 * @see java.security.Permission
1331 * @see java.security.Permissions
1332 * @see java.security.PermissionCollection
1333 *
1334 *
1335 * @author Roland Schemers
1336 *
|
46 import sun.net.util.IPAddressUtil;
47 import sun.net.PortConfig;
48 import sun.security.util.RegisteredDomain;
49 import sun.security.util.SecurityConstants;
50 import sun.security.util.Debug;
51
52
53 /**
54 * This class represents access to a network via sockets.
55 * A SocketPermission consists of a
56 * host specification and a set of "actions" specifying ways to
57 * connect to that host. The host is specified as
58 * <pre>
59 * host = (hostname | IPv4address | iPv6reference) [:portrange]
60 * portrange = portnumber | -portnumber | portnumber-[portnumber]
61 * </pre>
62 * The host is expressed as a DNS name, as a numerical IP address,
63 * or as "localhost" (for the local machine).
64 * The wildcard "*" may be included once in a DNS name host
65 * specification. If it is included, it must be in the leftmost
66 * position, as in "*.example.com".
67 * <p>
68 * The format of the IPv6reference should follow that specified in <a
69 * href="http://www.ietf.org/rfc/rfc2732.txt"><i>RFC 2732: Format
70 * for Literal IPv6 Addresses in URLs</i></a>:
71 * <pre>
72 * ipv6reference = "[" IPv6address "]"
73 *</pre>
74 * For example, you can construct a SocketPermission instance
75 * as the following:
76 * <pre>
77 * String hostAddress = inetaddress.getHostAddress();
78 * if (inetaddress instanceof Inet6Address) {
79 * sp = new SocketPermission("[" + hostAddress + "]:" + port, action);
80 * } else {
81 * sp = new SocketPermission(hostAddress + ":" + port, action);
82 * }
83 * </pre>
84 * or
85 * <pre>
86 * String host = url.getHost();
98 * port range. This is a fixed range of ports a system may use to
99 * allocate dynamic ports from. The actual range may be system dependent.
100 * <p>
101 * The possible ways to connect to the host are
102 * <pre>
103 * accept
104 * connect
105 * listen
106 * resolve
107 * </pre>
108 * The "listen" action is only meaningful when used with "localhost" and
109 * means the ability to bind to a specified port.
110 * The "resolve" action is implied when any of the other actions are present.
111 * The action "resolve" refers to host/ip name service lookups.
112 * <P>
113 * The actions string is converted to lowercase before processing.
114 * <p>As an example of the creation and meaning of SocketPermissions,
115 * note that if the following permission:
116 *
117 * <pre>
118 * p1 = new SocketPermission("foo.example.com:7777", "connect,accept");
119 * </pre>
120 *
121 * is granted to some code, it allows that code to connect to port 7777 on
122 * {@code foo.example.com}, and to accept connections on that port.
123 *
124 * <p>Similarly, if the following permission:
125 *
126 * <pre>
127 * p2 = new SocketPermission("localhost:1024-", "accept,connect,listen");
128 * </pre>
129 *
130 * is granted to some code, it allows that code to
131 * accept connections on, connect to, or listen on any port between
132 * 1024 and 65535 on the local host.
133 *
134 * <p>Note: Granting code permission to accept or make connections to remote
135 * hosts may be dangerous because malevolent code can then more easily
136 * transfer and share confidential data among parties who may not
137 * otherwise have access to the data.
138 *
139 * @see java.security.Permissions
140 * @see SocketPermission
141 *
142 *
194 /**
195 * the actions string.
196 *
197 * @serial
198 */
199
200 private String actions; // Left null as long as possible, then
201 // created and re-used in the getAction function.
202
203 // hostname part as it is passed
204 private transient String hostname;
205
206 // the canonical name of the host
207 // in the case of "*.foo.com", cname is ".foo.com".
208
209 private transient String cname;
210
211 // all the IP addresses of the host
212 private transient InetAddress[] addresses;
213
214 // true if the hostname is a wildcard (e.g. "*.example.com")
215 private transient boolean wildcard;
216
217 // true if we were initialized with a single numeric IP address
218 private transient boolean init_with_ip;
219
220 // true if this SocketPermission represents an invalid/unknown host
221 // used for implies when the delayed lookup has already failed
222 private transient boolean invalid;
223
224 // port range on host
225 private transient int[] portrange;
226
227 private transient boolean defaultDeny = false;
228
229 // true if this SocketPermission represents a hostname
230 // that failed our reverse mapping heuristic test
231 private transient boolean untrusted;
232 private transient boolean trusted;
233
234 // true if the sun.net.trustNameService system property is set
257 return debug;
258 }
259
260 /**
261 * Creates a new SocketPermission object with the specified actions.
262 * The host is expressed as a DNS name, or as a numerical IP address.
263 * Optionally, a port or a portrange may be supplied (separated
264 * from the DNS name or IP address by a colon).
265 * <p>
266 * To specify the local machine, use "localhost" as the <i>host</i>.
267 * Also note: An empty <i>host</i> String ("") is equivalent to "localhost".
268 * <p>
269 * The <i>actions</i> parameter contains a comma-separated list of the
270 * actions granted for the specified host (and port(s)). Possible actions are
271 * "connect", "listen", "accept", "resolve", or
272 * any combination of those. "resolve" is automatically added
273 * when any of the other three are specified.
274 * <p>
275 * Examples of SocketPermission instantiation are the following:
276 * <pre>
277 * nr = new SocketPermission("www.example.com", "connect");
278 * nr = new SocketPermission("www.example.com:80", "connect");
279 * nr = new SocketPermission("*.example.com", "connect");
280 * nr = new SocketPermission("*.edu", "resolve");
281 * nr = new SocketPermission("204.160.241.0", "connect");
282 * nr = new SocketPermission("localhost:1024-65535", "listen");
283 * nr = new SocketPermission("204.160.241.0:1024-65535", "connect");
284 * </pre>
285 *
286 * @param host the hostname or IP address of the computer, optionally
287 * including a colon followed by a port or port range.
288 * @param action the action string.
289 */
290 public SocketPermission(String host, String action) {
291 super(getHost(host));
292 // name initialized to getHost(host); NPE detected in getHost()
293 init(getName(), getMask(action));
294 }
295
296
297 SocketPermission(String host, int mask) {
298 super(getHost(host));
299 // name initialized to getHost(host); NPE detected in getHost()
383 private boolean includesEphemerals() {
384 return portrange[0] == 0;
385 }
386
387 /**
388 * Initialize the SocketPermission object. We don't do any DNS lookups
389 * as this point, instead we hold off until the implies method is
390 * called.
391 */
392 private void init(String host, int mask) {
393 // Set the integer mask that represents the actions
394
395 if ((mask & ALL) != mask)
396 throw new IllegalArgumentException("invalid actions mask");
397
398 // always OR in RESOLVE if we allow any of the others
399 this.mask = mask | RESOLVE;
400
401 // Parse the host name. A name has up to three components, the
402 // hostname, a port number, or two numbers representing a port
403 // range. "www.example.com:8080-9090" is a valid host name.
404
405 // With IPv6 an address can be 2010:836B:4179::836B:4179
406 // An IPv6 address needs to be enclose in []
407 // For ex: [2010:836B:4179::836B:4179]:8080-9090
408 // Refer to RFC 2732 for more information.
409
410 int rb = 0 ;
411 int start = 0, end = 0;
412 int sep = -1;
413 String hostport = host;
414 if (host.charAt(0) == '[') {
415 start = 1;
416 rb = host.indexOf(']');
417 if (rb != -1) {
418 host = host.substring(start, rb);
419 } else {
420 throw new
421 IllegalArgumentException("invalid host/port: "+host);
422 }
423 sep = hostport.indexOf(':', rb+1);
818
819 /**
820 * Checks if this socket permission object "implies" the
821 * specified permission.
822 * <P>
823 * More specifically, this method first ensures that all of the following
824 * are true (and returns false if any of them are not):
825 * <ul>
826 * <li> <i>p</i> is an instanceof SocketPermission,
827 * <li> <i>p</i>'s actions are a proper subset of this
828 * object's actions, and
829 * <li> <i>p</i>'s port range is included in this port range. Note:
830 * port range is ignored when p only contains the action, 'resolve'.
831 * </ul>
832 *
833 * Then {@code implies} checks each of the following, in order,
834 * and for each returns true if the stated condition is true:
835 * <ul>
836 * <li> If this object was initialized with a single IP address and one of <i>p</i>'s
837 * IP addresses is equal to this object's IP address.
838 * <li>If this object is a wildcard domain (such as *.example.com), and
839 * <i>p</i>'s canonical name (the name without any preceding *)
840 * ends with this object's canonical host name. For example, *.example.com
841 * implies *.foo.example.com.
842 * <li>If this object was not initialized with a single IP address, and one of this
843 * object's IP addresses equals one of <i>p</i>'s IP addresses.
844 * <li>If this canonical name equals <i>p</i>'s canonical name.
845 * </ul>
846 *
847 * If none of the above are true, {@code implies} returns false.
848 * @param p the permission to check against.
849 *
850 * @return true if the specified permission is implied by this object,
851 * false if not.
852 */
853 @Override
854 public boolean implies(Permission p) {
855 int i,j;
856
857 if (!(p instanceof SocketPermission))
858 return false;
859
860 if (p == this)
861 return true;
862
863 SocketPermission that = (SocketPermission) p;
864
865 return ((this.mask & that.mask) == that.mask) &&
866 impliesIgnoreMask(that);
867 }
868
869 /**
870 * Checks if the incoming Permission's action are a proper subset of
871 * the this object's actions.
872 * <P>
873 * Check, in the following order:
874 * <ul>
875 * <li> Checks that "p" is an instanceof a SocketPermission
876 * <li> Checks that "p"'s actions are a proper subset of the
877 * current object's actions.
878 * <li> Checks that "p"'s port range is included in this port range
879 * <li> If this object was initialized with an IP address, checks that
880 * one of "p"'s IP addresses is equal to this object's IP address.
881 * <li> If either object is a wildcard domain (i.e., "*.example.com"),
882 * attempt to match based on the wildcard.
883 * <li> If this object was not initialized with an IP address, attempt
884 * to find a match based on the IP addresses in both objects.
885 * <li> Attempt to match on the canonical hostnames of both objects.
886 * </ul>
887 * @param that the incoming permission request
888 *
889 * @return true if "permission" is a proper subset of the current object,
890 * false if not.
891 */
892 boolean impliesIgnoreMask(SocketPermission that) {
893 int i,j;
894
895 if ((that.mask & RESOLVE) != that.mask) {
896
897 // check simple port range
898 if ((that.portrange[0] < this.portrange[0]) ||
899 (that.portrange[1] > this.portrange[1])) {
900
901 // if either includes the ephemeral range, do full check
927
928 if (that.init_with_ip) {
929 return (this.addresses[0].equals(that.addresses[0]));
930 } else {
931 if (that.addresses == null) {
932 that.getIP();
933 }
934 for (i=0; i < that.addresses.length; i++) {
935 if (this.addresses[0].equals(that.addresses[i]))
936 return true;
937 }
938 }
939 // since "this" was initialized with an IP address, we
940 // don't check any other cases
941 return false;
942 }
943
944 // check and see if we have any wildcards...
945 if (this.wildcard || that.wildcard) {
946 // if they are both wildcards, return true iff
947 // that's cname ends with this cname (i.e., *.example.com
948 // implies *.foo.example.com)
949 if (this.wildcard && that.wildcard)
950 return (that.cname.endsWith(this.cname));
951
952 // a non-wildcard can't imply a wildcard
953 if (that.wildcard)
954 return false;
955
956 // this is a wildcard, lets see if that's cname ends with
957 // it...
958 if (that.cname == null) {
959 that.getCanonName();
960 }
961 return (that.cname.endsWith(this.cname));
962 }
963
964 // compare IP addresses
965 if (this.addresses == null) {
966 this.getIP();
967 }
968
1040 SocketPermission that = (SocketPermission) obj;
1041
1042 //this is (overly?) complex!!!
1043
1044 // check the mask first
1045 if (this.mask != that.mask) return false;
1046
1047 if ((that.mask & RESOLVE) != that.mask) {
1048 // now check the port range...
1049 if ((this.portrange[0] != that.portrange[0]) ||
1050 (this.portrange[1] != that.portrange[1])) {
1051 return false;
1052 }
1053 }
1054
1055 // short cut. This catches:
1056 // "crypto" equal to "crypto", or
1057 // "1.2.3.4" equal to "1.2.3.4.", or
1058 // "*.edu" equal to "*.edu", but it
1059 // does not catch "crypto" equal to
1060 // "crypto.foo.example.com".
1061
1062 if (this.getName().equalsIgnoreCase(that.getName())) {
1063 return true;
1064 }
1065
1066 // we now attempt to get the Canonical (FQDN) name and
1067 // compare that. If this fails, about all we can do is return
1068 // false.
1069
1070 try {
1071 this.getCanonName();
1072 that.getCanonName();
1073 } catch (UnknownHostException uhe) {
1074 return false;
1075 }
1076
1077 if (this.invalid || that.invalid)
1078 return false;
1079
1080 if (this.cname != null) {
1296 s.append("(no addresses)\n");
1297 }
1298
1299 return s.toString();
1300 }
1301
1302 public static void main(String args[]) throws Exception {
1303 SocketPermission this_ = new SocketPermission(args[0], "connect");
1304 SocketPermission that_ = new SocketPermission(args[1], "connect");
1305 System.out.println("-----\n");
1306 System.out.println("this.implies(that) = " + this_.implies(that_));
1307 System.out.println("-----\n");
1308 System.out.println("this = "+this_);
1309 System.out.println("-----\n");
1310 System.out.println("that = "+that_);
1311 System.out.println("-----\n");
1312
1313 SocketPermissionCollection nps = new SocketPermissionCollection();
1314 nps.add(this_);
1315 nps.add(new SocketPermission("www-leland.stanford.edu","connect"));
1316 nps.add(new SocketPermission("www-example.com","connect"));
1317 System.out.println("nps.implies(that) = " + nps.implies(that_));
1318 System.out.println("-----\n");
1319 }
1320 */
1321 }
1322
1323 /**
1324
1325 if (init'd with IP, key is IP as string)
1326 if wildcard, its the wild card
1327 else its the cname?
1328
1329 *
1330 * @see java.security.Permission
1331 * @see java.security.Permissions
1332 * @see java.security.PermissionCollection
1333 *
1334 *
1335 * @author Roland Schemers
1336 *
|