/*
 * Copyright (c) 1997, 2013, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
 * under the terms of the GNU General Public License version 2 only, as
 * published by the Free Software Foundation.  Oracle designates this
 * particular file as subject to the "Classpath" exception as provided
 * by Oracle in the LICENSE file that accompanied this code.
 *
 * This code is distributed in the hope that it will be useful, but WITHOUT
 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
 * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
 * version 2 for more details (a copy is included in the LICENSE file that
 * accompanied this code).
 *
 * You should have received a copy of the GNU General Public License version
 * 2 along with this work; if not, write to the Free Software Foundation,
 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
 *
 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
 * or visit www.oracle.com if you need additional information or have any
 * questions.
 */

package java.io;

// NOTE(review): Enumeration, Hashtable and StringTokenizer are not referenced
// anywhere in this file; they are kept so the import block stays as published.
import java.security.*;
import java.util.Enumeration;
import java.util.Hashtable;
import java.util.StringTokenizer;

/**
 * Permission type that guards the serialization machinery. A
 * {@code SerializablePermission} carries only a name (its "target name")
 * and no actions list: code either holds the named permission or it
 * does not.
 *
 * <p>
 * The target name identifies which Serializable permission is meant; the
 * standard names are listed below.
 *
 * <p>
 * The table gives, for every standard {@code SerializablePermission}
 * target name, what the permission allows and what risk is taken on by
 * granting it. Each target lets its holder change how objects are written
 * to, or rebuilt from, a stream, so the risks column should be read before
 * any of them is granted.
 *
 * <table class="altrows">
 * <caption style="display:none">Permission target name, what the permission allows, and associated risks</caption>
 * <thead>
 * <tr>
 * <th>Permission Target Name</th>
 * <th>What the Permission Allows</th>
 * <th>Risks of Allowing this Permission</th>
 * </tr>
 * </thead>
 * <tbody>
 *
 * <tr>
 *   <td>enableSubclassImplementation</td>
 *   <td>Subclass implementation of ObjectOutputStream or ObjectInputStream
 * to override the default serialization or deserialization, respectively,
 * of objects</td>
 *   <td>Code can use this to serialize or deserialize classes in a
 * deliberately harmful manner. For example, during serialization,
 * malicious code can use this to store confidential private field data
 * in a way that is easily accessible to attackers. Or, during
 * deserialization, it could for example deserialize a class with all of
 * its private fields zeroed out.</td>
 * </tr>
 *
 * <tr>
 *   <td>enableSubstitution</td>
 *   <td>Substitution of one object for another during
 * serialization or deserialization</td>
 *   <td>This is dangerous because malicious code can replace the actual
 * object with one which has incorrect or malignant data.</td>
 * </tr>
 *
 * <tr>
 *   <td>serialFilter</td>
 *   <td>Setting a filter for ObjectInputStreams.</td>
 *   <td>Code could remove a configured filter and so remove protections
 * that were already established.</td>
 * </tr>
 * </tbody>
 * </table>
 *
 * @see java.security.BasicPermission
 * @see java.security.Permission
 * @see java.security.Permissions
 * @see java.security.PermissionCollection
 * @see java.lang.SecurityManager
 *
 *
 * @author Joe Fialli
 * @since 1.2
 */

/* code was borrowed originally from java.lang.RuntimePermission. */

public final class SerializablePermission extends BasicPermission {

    private static final long serialVersionUID = 8537212141160296410L;

    /**
     * Declared as part of the serialized form. Neither constructor of this
     * class assigns it: the two-argument constructor hands its
     * {@code actions} argument to the superclass rather than storing it here.
     *
     * @serial
     */
    private String actions;

    /**
     * Creates a new SerializablePermission with the specified name.
     * The name is the symbolic name of the SerializablePermission, for
     * example "enableSubstitution".
     *
     * @param name the name of the SerializablePermission.
     *
     * @throws NullPointerException if {@code name} is {@code null}.
     * @throws IllegalArgumentException if {@code name} is empty.
     */
    public SerializablePermission(String name) {
        super(name);
    }

    /**
     * Creates a new SerializablePermission object with the specified name.
     * The name is the symbolic name of the SerializablePermission; the
     * actions String is currently unused and should be null.
     *
     * <p>
     * This constructor performs no check of its own on {@code actions}; both
     * arguments are forwarded unchanged to the {@code BasicPermission}
     * constructor.
     *
     * @param name the name of the SerializablePermission.
     * @param actions currently unused and must be set to null
     *
     * @throws NullPointerException if {@code name} is {@code null}.
     * @throws IllegalArgumentException if {@code name} is empty.
     */
    public SerializablePermission(String name, String actions) {
        super(name, actions);
    }
}