< prev index next >

src/java.base/share/classes/java/security/SecurityPermission.java

Print this page 







  28 import java.security.*;
  29 import java.util.Enumeration;
  30 import java.util.Hashtable;
  31 import java.util.StringTokenizer;
  32 
  33 /**
  34  * This class is for security permissions. A {@code SecurityPermission}
  35  * contains a name (also referred to as a "target name") but no actions list;
  36  * you either have the named permission or you don't.
  37  * <p>
  38  * The target name is the name of a security configuration parameter
  39  * (see below). Currently the {@code SecurityPermission} object is used to
  40  * guard access to the {@link AccessControlContext}, {@link Policy},
  41  * {@link Provider}, {@link Security}, {@link Signer}, and {@link Identity}
  42  * objects.
  43  * <p>
  44  * The following table lists the standard {@code SecurityPermission}
  45  * target names, and for each provides a description of what the permission
  46  * allows and a discussion of the risks of granting code the permission.
  47  *
  48  * <table border=1 cellpadding=5 summary="target name,what the permission allows, and associated risks">


  49  * <tr>
  50  * <th>Permission Target Name</th>
  51  * <th>What the Permission Allows</th>
  52  * <th>Risks of Allowing this Permission</th>
  53  * </tr>


  54  *
  55  * <tr>
  56  *   <td>authProvider.{provider name}</td>
  57  *   <td>Allow the named provider to be an AuthProvider for login and
  58  * logout operations. </td>
  59  *   <td>This allows the named provider to perform login and logout
  60  * operations. The named provider must extend {@code AuthProvider}
  61  * and care must be taken to grant to a trusted provider since
  62  * login operations involve sensitive authentication information
  63  * such as PINs and passwords. </td>
  64  * </tr>
  65  *
  66  * <tr>
  67  *   <td>createAccessControlContext</td>
  68  *   <td>Creation of an AccessControlContext</td>
  69  *   <td>This allows someone to instantiate an AccessControlContext
  70  * with a {@code DomainCombiner}.  Extreme care must be taken when
  71  * granting this permission. Malicious code could create a DomainCombiner
  72  * that augments the set of permissions granted to code, and even grant the
  73  * code {@link java.security.AllPermission}.</td>


 179  * <tr>
 180  *   <td>putProviderProperty.{provider name}</td>
 181  *   <td>Setting of properties for the specified Provider</td>
 182  *   <td>The provider properties each specify the name and location
 183  * of a particular service implemented by the provider. By granting
 184  * this permission, you let code replace the service specification
 185  * with another one, thereby specifying a different implementation.</td>
 186  * </tr>
 187  *
 188  * <tr>
 189  *   <td>removeProviderProperty.{provider name}</td>
 190  *   <td>Removal of properties from the specified Provider</td>
 191  *   <td>This disables the lookup of services implemented by the
 192  * provider. They are no longer accessible due to removal of the properties
 193  * specifying their names and locations. This
 194  * may change the behavior or disable execution of other
 195  * parts of the program that would normally utilize the Provider, as
 196  * described under the "removeProvider.{provider name}" permission.</td>
 197  * </tr>
 198  *

 199  * </table>
 200  *
 201  * <P>
 202  * The following permissions have been superseded by newer permissions or are
 203  * associated with classes that have been deprecated: {@link Identity},
 204  * {@link IdentityScope}, {@link Signer}. Use of them is discouraged. See the
 205  * applicable classes for more information.
 206  *
 207  * <table border=1 cellpadding=5 summary="target name,what the permission allows, and associated risks">


 208  * <tr>
 209  * <th>Permission Target Name</th>
 210  * <th>What the Permission Allows</th>
 211  * <th>Risks of Allowing this Permission</th>
 212  * </tr>

 213  *

 214  * <tr>
 215  *   <td>insertProvider.{provider name}</td>
 216  *   <td>Addition of a new provider, with the specified name</td>
 217  *   <td>Use of this permission is discouraged from further use because it is
 218  * possible to circumvent the name restrictions by overriding the
 219  * {@link java.security.Provider#getName} method. Also, there is an equivalent
 220  * level of risk associated with granting code permission to insert a provider
 221  * with a specific name, or any name it chooses. Users should use the
 222  * "insertProvider" permission instead.
 223  * <p>This would allow somebody to introduce a possibly
 224  * malicious provider (e.g., one that discloses the private keys passed
 225  * to it) as the highest-priority provider. This would be possible
 226  * because the Security object (which manages the installed providers)
 227  * currently does not check the integrity or authenticity of a provider
 228  * before attaching it.</td>
 229  * </tr>
 230  *
 231  * <tr>
 232  *   <td>setSystemScope</td>
 233  *   <td>Setting of the system identity scope</td>


 291  *   <td>Retrieval of a Signer's private key</td>
 292  *   <td>It is very dangerous to allow access to a private key; private
 293  * keys are supposed to be kept secret. Otherwise, code can use the
 294  * private key to sign various files and claim the signature came from
 295  * the Signer.</td>
 296  * </tr>
 297  *
 298  * <tr>
 299  *   <td>setSignerKeyPair</td>
 300  *   <td>Setting of the key pair (public key and private key) for a Signer</td>
 301  *   <td>This would allow an attacker to replace somebody else's (the "target's")
 302  * keypair with a possibly weaker keypair (e.g., a keypair of a smaller
 303  * keysize).  This also would allow the attacker to listen in on encrypted
 304  * communication between the target and its peers. The target's peers
 305  * might wrap an encryption session key under the target's "new" public
 306  * key, which would allow the attacker (who possesses the corresponding
 307  * private key) to unwrap the session key and decipher the communication
 308  * data encrypted under that session key.</td>
 309  * </tr>
 310  *

 311  * </table>
 312  *
 313  * @implNote
 314  * Implementations may define additional target names, but should use naming
 315  * conventions such as reverse domain name notation to avoid name clashes.
 316  *
 317  * @see java.security.BasicPermission
 318  * @see java.security.Permission
 319  * @see java.security.Permissions
 320  * @see java.security.PermissionCollection
 321  * @see java.lang.SecurityManager
 322  *
 323  *
 324  * @author Marianne Mueller
 325  * @author Roland Schemers
 326  */
 327 
 328 public final class SecurityPermission extends BasicPermission {
 329 
 330     private static final long serialVersionUID = 5236109936224050470L;






  28 import java.security.*;
  29 import java.util.Enumeration;
  30 import java.util.Hashtable;
  31 import java.util.StringTokenizer;
  32 
  33 /**
  34  * This class is for security permissions. A {@code SecurityPermission}
  35  * contains a name (also referred to as a "target name") but no actions list;
  36  * you either have the named permission or you don't.
  37  * <p>
  38  * The target name is the name of a security configuration parameter
  39  * (see below). Currently the {@code SecurityPermission} object is used to
  40  * guard access to the {@link AccessControlContext}, {@link Policy},
  41  * {@link Provider}, {@link Security}, {@link Signer}, and {@link Identity}
  42  * objects.
  43  * <p>
  44  * The following table lists the standard {@code SecurityPermission}
  45  * target names, and for each provides a description of what the permission
  46  * allows and a discussion of the risks of granting code the permission.
  47  *
  48  * <table class="striped">
  49  * <caption style="display:none">target name, what the permission allows, and associated risks</caption>
  50  * <thead>
  51  * <tr>
  52  * <th>Permission Target Name</th>
  53  * <th>What the Permission Allows</th>
  54  * <th>Risks of Allowing this Permission</th>
  55  * </tr>
  56  * </thead>
  57  * <tbody>
  58  *
  59  * <tr>
  60  *   <td>authProvider.{provider name}</td>
  61  *   <td>Allow the named provider to be an AuthProvider for login and
  62  * logout operations. </td>
  63  *   <td>This allows the named provider to perform login and logout
  64  * operations. The named provider must extend {@code AuthProvider}
  65  * and care must be taken to grant to a trusted provider since
  66  * login operations involve sensitive authentication information
  67  * such as PINs and passwords. </td>
  68  * </tr>
  69  *
  70  * <tr>
  71  *   <td>createAccessControlContext</td>
  72  *   <td>Creation of an AccessControlContext</td>
  73  *   <td>This allows someone to instantiate an AccessControlContext
  74  * with a {@code DomainCombiner}.  Extreme care must be taken when
  75  * granting this permission. Malicious code could create a DomainCombiner
  76  * that augments the set of permissions granted to code, and even grant the
  77  * code {@link java.security.AllPermission}.</td>


 183  * <tr>
 184  *   <td>putProviderProperty.{provider name}</td>
 185  *   <td>Setting of properties for the specified Provider</td>
 186  *   <td>The provider properties each specify the name and location
 187  * of a particular service implemented by the provider. By granting
 188  * this permission, you let code replace the service specification
 189  * with another one, thereby specifying a different implementation.</td>
 190  * </tr>
 191  *
 192  * <tr>
 193  *   <td>removeProviderProperty.{provider name}</td>
 194  *   <td>Removal of properties from the specified Provider</td>
 195  *   <td>This disables the lookup of services implemented by the
 196  * provider. They are no longer accessible due to removal of the properties
 197  * specifying their names and locations. This
 198  * may change the behavior or disable execution of other
 199  * parts of the program that would normally utilize the Provider, as
 200  * described under the "removeProvider.{provider name}" permission.</td>
 201  * </tr>
 202  *
 203  * </tbody>
 204  * </table>
 205  *
 206  * <P>
 207  * The following permissions have been superseded by newer permissions or are
 208  * associated with classes that have been deprecated: {@link Identity},
 209  * {@link IdentityScope}, {@link Signer}. Use of them is discouraged. See the
 210  * applicable classes for more information.
 211  *
 212  * <table class="striped">
 213  * <caption style="display:none">target name, what the permission allows, and associated risks</caption>
 214  * <thead>
 215  * <tr>
 216  * <th>Permission Target Name</th>
 217  * <th>What the Permission Allows</th>
 218  * <th>Risks of Allowing this Permission</th>
 219  * </tr>
 220  * </thead>
 221  *
 222  * <tbody>
 223  * <tr>
 224  *   <td>insertProvider.{provider name}</td>
 225  *   <td>Addition of a new provider, with the specified name</td>
 226  *   <td>Use of this permission is discouraged from further use because it is
 227  * possible to circumvent the name restrictions by overriding the
 228  * {@link java.security.Provider#getName} method. Also, there is an equivalent
 229  * level of risk associated with granting code permission to insert a provider
 230  * with a specific name, or any name it chooses. Users should use the
 231  * "insertProvider" permission instead.
 232  * <p>This would allow somebody to introduce a possibly
 233  * malicious provider (e.g., one that discloses the private keys passed
 234  * to it) as the highest-priority provider. This would be possible
 235  * because the Security object (which manages the installed providers)
 236  * currently does not check the integrity or authenticity of a provider
 237  * before attaching it.</td>
 238  * </tr>
 239  *
 240  * <tr>
 241  *   <td>setSystemScope</td>
 242  *   <td>Setting of the system identity scope</td>


 300  *   <td>Retrieval of a Signer's private key</td>
 301  *   <td>It is very dangerous to allow access to a private key; private
 302  * keys are supposed to be kept secret. Otherwise, code can use the
 303  * private key to sign various files and claim the signature came from
 304  * the Signer.</td>
 305  * </tr>
 306  *
 307  * <tr>
 308  *   <td>setSignerKeyPair</td>
 309  *   <td>Setting of the key pair (public key and private key) for a Signer</td>
 310  *   <td>This would allow an attacker to replace somebody else's (the "target's")
 311  * keypair with a possibly weaker keypair (e.g., a keypair of a smaller
 312  * keysize).  This also would allow the attacker to listen in on encrypted
 313  * communication between the target and its peers. The target's peers
 314  * might wrap an encryption session key under the target's "new" public
 315  * key, which would allow the attacker (who possesses the corresponding
 316  * private key) to unwrap the session key and decipher the communication
 317  * data encrypted under that session key.</td>
 318  * </tr>
 319  *
 320  * </tbody>
 321  * </table>
 322  *
 323  * @implNote
 324  * Implementations may define additional target names, but should use naming
 325  * conventions such as reverse domain name notation to avoid name clashes.
 326  *
 327  * @see java.security.BasicPermission
 328  * @see java.security.Permission
 329  * @see java.security.Permissions
 330  * @see java.security.PermissionCollection
 331  * @see java.lang.SecurityManager
 332  *
 333  *
 334  * @author Marianne Mueller
 335  * @author Roland Schemers
 336  */
 337 
 338 public final class SecurityPermission extends BasicPermission {
 339 
 340     private static final long serialVersionUID = 5236109936224050470L;







< prev index next >