28 import java.security.*;
29 import java.util.Enumeration;
30 import java.util.Hashtable;
31 import java.util.StringTokenizer;
32
33 /**
34 * This class is for security permissions. A {@code SecurityPermission}
35 * contains a name (also referred to as a "target name") but no actions list;
36 * you either have the named permission or you don't.
37 * <p>
38 * The target name is the name of a security configuration parameter
39 * (see below). Currently the {@code SecurityPermission} object is used to
40 * guard access to the {@link AccessControlContext}, {@link Policy},
41 * {@link Provider}, {@link Security}, {@link Signer}, and {@link Identity}
42 * objects.
43 * <p>
44 * The following table lists the standard {@code SecurityPermission}
45 * target names, and for each provides a description of what the permission
46 * allows and a discussion of the risks of granting code the permission.
47 *
48 * <table border=1 cellpadding=5 summary="target name,what the permission allows, and associated risks">
49 * <tr>
50 * <th>Permission Target Name</th>
51 * <th>What the Permission Allows</th>
52 * <th>Risks of Allowing this Permission</th>
53 * </tr>
54 *
55 * <tr>
56 * <td>authProvider.{provider name}</td>
57 * <td>Allow the named provider to be an AuthProvider for login and
58 * logout operations. </td>
59 * <td>This allows the named provider to perform login and logout
60 * operations. The named provider must extend {@code AuthProvider}
61 * and care must be taken to grant to a trusted provider since
62 * login operations involve sensitive authentication information
63 * such as PINs and passwords. </td>
64 * </tr>
65 *
66 * <tr>
67 * <td>createAccessControlContext</td>
68 * <td>Creation of an AccessControlContext</td>
69 * <td>This allows someone to instantiate an AccessControlContext
70 * with a {@code DomainCombiner}. Extreme care must be taken when
71 * granting this permission. Malicious code could create a DomainCombiner
72 * that augments the set of permissions granted to code, and even grant the
73 * code {@link java.security.AllPermission}.</td>
179 * <tr>
180 * <td>putProviderProperty.{provider name}</td>
181 * <td>Setting of properties for the specified Provider</td>
182 * <td>The provider properties each specify the name and location
183 * of a particular service implemented by the provider. By granting
184 * this permission, you let code replace the service specification
185 * with another one, thereby specifying a different implementation.</td>
186 * </tr>
187 *
188 * <tr>
189 * <td>removeProviderProperty.{provider name}</td>
190 * <td>Removal of properties from the specified Provider</td>
191 * <td>This disables the lookup of services implemented by the
192 * provider. They are no longer accessible due to removal of the properties
193 * specifying their names and locations. This
194 * may change the behavior or disable execution of other
195 * parts of the program that would normally utilize the Provider, as
196 * described under the "removeProvider.{provider name}" permission.</td>
197 * </tr>
198 *
199 * </table>
200 *
201 * <P>
202 * The following permissions have been superseded by newer permissions or are
203 * associated with classes that have been deprecated: {@link Identity},
204 * {@link IdentityScope}, {@link Signer}. Use of them is discouraged. See the
205 * applicable classes for more information.
206 *
207 * <table border=1 cellpadding=5 summary="target name,what the permission allows, and associated risks">
208 * <tr>
209 * <th>Permission Target Name</th>
210 * <th>What the Permission Allows</th>
211 * <th>Risks of Allowing this Permission</th>
212 * </tr>
213 *
214 * <tr>
215 * <td>insertProvider.{provider name}</td>
216 * <td>Addition of a new provider, with the specified name</td>
217 * <td>Use of this permission is discouraged from further use because it is
218 * possible to circumvent the name restrictions by overriding the
219 * {@link java.security.Provider#getName} method. Also, there is an equivalent
220 * level of risk associated with granting code permission to insert a provider
221 * with a specific name, or any name it chooses. Users should use the
222 * "insertProvider" permission instead.
223 * <p>This would allow somebody to introduce a possibly
224 * malicious provider (e.g., one that discloses the private keys passed
225 * to it) as the highest-priority provider. This would be possible
226 * because the Security object (which manages the installed providers)
227 * currently does not check the integrity or authenticity of a provider
228 * before attaching it.</td>
229 * </tr>
230 *
231 * <tr>
232 * <td>setSystemScope</td>
233 * <td>Setting of the system identity scope</td>
291 * <td>Retrieval of a Signer's private key</td>
292 * <td>It is very dangerous to allow access to a private key; private
293 * keys are supposed to be kept secret. Otherwise, code can use the
294 * private key to sign various files and claim the signature came from
295 * the Signer.</td>
296 * </tr>
297 *
298 * <tr>
299 * <td>setSignerKeyPair</td>
300 * <td>Setting of the key pair (public key and private key) for a Signer</td>
301 * <td>This would allow an attacker to replace somebody else's (the "target's")
302 * keypair with a possibly weaker keypair (e.g., a keypair of a smaller
303 * keysize). This also would allow the attacker to listen in on encrypted
304 * communication between the target and its peers. The target's peers
305 * might wrap an encryption session key under the target's "new" public
306 * key, which would allow the attacker (who possesses the corresponding
307 * private key) to unwrap the session key and decipher the communication
308 * data encrypted under that session key.</td>
309 * </tr>
310 *
311 * </table>
312 *
313 * @implNote
314 * Implementations may define additional target names, but should use naming
315 * conventions such as reverse domain name notation to avoid name clashes.
316 *
317 * @see java.security.BasicPermission
318 * @see java.security.Permission
319 * @see java.security.Permissions
320 * @see java.security.PermissionCollection
321 * @see java.lang.SecurityManager
322 *
323 *
324 * @author Marianne Mueller
325 * @author Roland Schemers
326 */
327
328 public final class SecurityPermission extends BasicPermission {
329
330 private static final long serialVersionUID = 5236109936224050470L;
|
28 import java.security.*;
29 import java.util.Enumeration;
30 import java.util.Hashtable;
31 import java.util.StringTokenizer;
32
33 /**
34 * This class is for security permissions. A {@code SecurityPermission}
35 * contains a name (also referred to as a "target name") but no actions list;
36 * you either have the named permission or you don't.
37 * <p>
38 * The target name is the name of a security configuration parameter
39 * (see below). Currently the {@code SecurityPermission} object is used to
40 * guard access to the {@link AccessControlContext}, {@link Policy},
41 * {@link Provider}, {@link Security}, {@link Signer}, and {@link Identity}
42 * objects.
43 * <p>
44 * The following table lists the standard {@code SecurityPermission}
45 * target names, and for each provides a description of what the permission
46 * allows and a discussion of the risks of granting code the permission.
47 *
48 * <table class="striped">
49 * <caption style="display:none">target name, what the permission allows, and associated risks</caption>
50 * <thead>
51 * <tr>
52 * <th>Permission Target Name</th>
53 * <th>What the Permission Allows</th>
54 * <th>Risks of Allowing this Permission</th>
55 * </tr>
56 * </thead>
57 * <tbody>
58 *
59 * <tr>
60 * <td>authProvider.{provider name}</td>
61 * <td>Allow the named provider to be an AuthProvider for login and
62 * logout operations. </td>
63 * <td>This allows the named provider to perform login and logout
64 * operations. The named provider must extend {@code AuthProvider}
65 * and care must be taken to grant to a trusted provider since
66 * login operations involve sensitive authentication information
67 * such as PINs and passwords. </td>
68 * </tr>
69 *
70 * <tr>
71 * <td>createAccessControlContext</td>
72 * <td>Creation of an AccessControlContext</td>
73 * <td>This allows someone to instantiate an AccessControlContext
74 * with a {@code DomainCombiner}. Extreme care must be taken when
75 * granting this permission. Malicious code could create a DomainCombiner
76 * that augments the set of permissions granted to code, and even grant the
77 * code {@link java.security.AllPermission}.</td>
183 * <tr>
184 * <td>putProviderProperty.{provider name}</td>
185 * <td>Setting of properties for the specified Provider</td>
186 * <td>The provider properties each specify the name and location
187 * of a particular service implemented by the provider. By granting
188 * this permission, you let code replace the service specification
189 * with another one, thereby specifying a different implementation.</td>
190 * </tr>
191 *
192 * <tr>
193 * <td>removeProviderProperty.{provider name}</td>
194 * <td>Removal of properties from the specified Provider</td>
195 * <td>This disables the lookup of services implemented by the
196 * provider. They are no longer accessible due to removal of the properties
197 * specifying their names and locations. This
198 * may change the behavior or disable execution of other
199 * parts of the program that would normally utilize the Provider, as
200 * described under the "removeProvider.{provider name}" permission.</td>
201 * </tr>
202 *
203 * </tbody>
204 * </table>
205 *
206 * <P>
207 * The following permissions have been superseded by newer permissions or are
208 * associated with classes that have been deprecated: {@link Identity},
209 * {@link IdentityScope}, {@link Signer}. Use of them is discouraged. See the
210 * applicable classes for more information.
211 *
212 * <table class="striped">
213 * <caption style="display:none">target name, what the permission allows, and associated risks</caption>
214 * <thead>
215 * <tr>
216 * <th>Permission Target Name</th>
217 * <th>What the Permission Allows</th>
218 * <th>Risks of Allowing this Permission</th>
219 * </tr>
220 * </thead>
221 *
222 * <tbody>
223 * <tr>
224 * <td>insertProvider.{provider name}</td>
225 * <td>Addition of a new provider, with the specified name</td>
226 * <td>Use of this permission is discouraged from further use because it is
227 * possible to circumvent the name restrictions by overriding the
228 * {@link java.security.Provider#getName} method. Also, there is an equivalent
229 * level of risk associated with granting code permission to insert a provider
230 * with a specific name, or any name it chooses. Users should use the
231 * "insertProvider" permission instead.
232 * <p>This would allow somebody to introduce a possibly
233 * malicious provider (e.g., one that discloses the private keys passed
234 * to it) as the highest-priority provider. This would be possible
235 * because the Security object (which manages the installed providers)
236 * currently does not check the integrity or authenticity of a provider
237 * before attaching it.</td>
238 * </tr>
239 *
240 * <tr>
241 * <td>setSystemScope</td>
242 * <td>Setting of the system identity scope</td>
300 * <td>Retrieval of a Signer's private key</td>
301 * <td>It is very dangerous to allow access to a private key; private
302 * keys are supposed to be kept secret. Otherwise, code can use the
303 * private key to sign various files and claim the signature came from
304 * the Signer.</td>
305 * </tr>
306 *
307 * <tr>
308 * <td>setSignerKeyPair</td>
309 * <td>Setting of the key pair (public key and private key) for a Signer</td>
310 * <td>This would allow an attacker to replace somebody else's (the "target's")
311 * keypair with a possibly weaker keypair (e.g., a keypair of a smaller
312 * keysize). This also would allow the attacker to listen in on encrypted
313 * communication between the target and its peers. The target's peers
314 * might wrap an encryption session key under the target's "new" public
315 * key, which would allow the attacker (who possesses the corresponding
316 * private key) to unwrap the session key and decipher the communication
317 * data encrypted under that session key.</td>
318 * </tr>
319 *
320 * </tbody>
321 * </table>
322 *
323 * @implNote
324 * Implementations may define additional target names, but should use naming
325 * conventions such as reverse domain name notation to avoid name clashes.
326 *
327 * @see java.security.BasicPermission
328 * @see java.security.Permission
329 * @see java.security.Permissions
330 * @see java.security.PermissionCollection
331 * @see java.lang.SecurityManager
332 *
333 *
334 * @author Marianne Mueller
335 * @author Roland Schemers
336 */
337
338 public final class SecurityPermission extends BasicPermission {
339
340 private static final long serialVersionUID = 5236109936224050470L;
|