27 28 import java.security.*; 29 import java.util.Enumeration; 30 import java.util.Hashtable; 31 import java.util.StringTokenizer; 32 33 /** 34 * This class is for Serializable permissions. A SerializablePermission 35 * contains a name (also referred to as a "target name") but 36 * no actions list; you either have the named permission 37 * or you don't. 38 * 39 * <P> 40 * The target name is the name of the Serializable permission (see below). 41 * 42 * <P> 43 * The following table lists the standard {@code SerializablePermission} target names, 44 * and for each provides a description of what the permission allows 45 * and a discussion of the risks of granting code the permission. 46 * 47 * <table border=1 cellpadding=5 summary="Permission target name, what the permission allows, and associated risks"> 48 * <tr> 49 * <th>Permission Target Name</th> 50 * <th>What the Permission Allows</th> 51 * <th>Risks of Allowing this Permission</th> 52 * </tr> 53 * 54 * <tr> 55 * <td>enableSubclassImplementation</td> 56 * <td>Subclass implementation of ObjectOutputStream or ObjectInputStream 57 * to override the default serialization or deserialization, respectively, 58 * of objects</td> 59 * <td>Code can use this to serialize or 60 * deserialize classes in a purposefully malfeasant manner. For example, 61 * during serialization, malicious code can use this to 62 * purposefully store confidential private field data in a way easily accessible 63 * to attackers. Or, during deserialization it could, for example, deserialize 64 * a class with all its private fields zeroed out.</td> 65 * </tr> 66 * 67 * <tr> 68 * <td>enableSubstitution</td> 69 * <td>Substitution of one object for another during 70 * serialization or deserialization</td> 71 * <td>This is dangerous because malicious code 72 * can replace the actual object with one which has incorrect or 73 * malignant data.</td> 74 * </tr> 75 * 76 * <tr> 77 * <td>serialFilter</td> 78 * <td>Setting a filter for ObjectInputStreams.</td> 79 * <td>Code could remove a configured filter and remove protections 80 * already established.</td> 81 * </tr> 82 * 83 * </table> 84 * 85 * @see java.security.BasicPermission 86 * @see java.security.Permission 87 * @see java.security.Permissions 88 * @see java.security.PermissionCollection 89 * @see java.lang.SecurityManager 90 * 91 * 92 * @author Joe Fialli 93 * @since 1.2 94 */ 95 96 /* code was borrowed originally from java.lang.RuntimePermission. */ 97 98 public final class SerializablePermission extends BasicPermission { 99 100 private static final long serialVersionUID = 8537212141160296410L; 101 102 /** | 27 28 import java.security.*; 29 import java.util.Enumeration; 30 import java.util.Hashtable; 31 import java.util.StringTokenizer; 32 33 /** 34 * This class is for Serializable permissions. A SerializablePermission 35 * contains a name (also referred to as a "target name") but 36 * no actions list; you either have the named permission 37 * or you don't. 38 * 39 * <P> 40 * The target name is the name of the Serializable permission (see below). 41 * 42 * <P> 43 * The following table lists the standard {@code SerializablePermission} target names, 44 * and for each provides a description of what the permission allows 45 * and a discussion of the risks of granting code the permission. 46 * 47 * <table class="striped"> 48 * <caption style="display:none">Permission target name, what the permission allows, and associated risks</caption> 49 * <thead> 50 * <tr> 51 * <th>Permission Target Name</th> 52 * <th>What the Permission Allows</th> 53 * <th>Risks of Allowing this Permission</th> 54 * </tr> 55 * </thead> 56 * <tbody> 57 * 58 * <tr> 59 * <td>enableSubclassImplementation</td> 60 * <td>Subclass implementation of ObjectOutputStream or ObjectInputStream 61 * to override the default serialization or deserialization, respectively, 62 * of objects</td> 63 * <td>Code can use this to serialize or 64 * deserialize classes in a purposefully malfeasant manner. For example, 65 * during serialization, malicious code can use this to 66 * purposefully store confidential private field data in a way easily accessible 67 * to attackers. Or, during deserialization it could, for example, deserialize 68 * a class with all its private fields zeroed out.</td> 69 * </tr> 70 * 71 * <tr> 72 * <td>enableSubstitution</td> 73 * <td>Substitution of one object for another during 74 * serialization or deserialization</td> 75 * <td>This is dangerous because malicious code 76 * can replace the actual object with one which has incorrect or 77 * malignant data.</td> 78 * </tr> 79 * 80 * <tr> 81 * <td>serialFilter</td> 82 * <td>Setting a filter for ObjectInputStreams.</td> 83 * <td>Code could remove a configured filter and remove protections 84 * already established.</td> 85 * </tr> 86 * </tbody> 87 * </table> 88 * 89 * @see java.security.BasicPermission 90 * @see java.security.Permission 91 * @see java.security.Permissions 92 * @see java.security.PermissionCollection 93 * @see java.lang.SecurityManager 94 * 95 * 96 * @author Joe Fialli 97 * @since 1.2 98 */ 99 100 /* code was borrowed originally from java.lang.RuntimePermission. */ 101 102 public final class SerializablePermission extends BasicPermission { 103 104 private static final long serialVersionUID = 8537212141160296410L; 105 106 /** |