55 * separated by ".". <i>IPv4address</i> is a standard literal IPv4 address and
56 * <i>IPv6address</i> is as defined in <a href="http://www.ietf.org/rfc/rfc2732.txt">
57 * RFC 2732</a>. Literal IPv6 addresses must however, be enclosed in '[]' characters.
58 * The <i>dnsname</i> specification can be preceded by "*." which means
59 * the name will match any hostname whose right-most domain labels are the same as
60 * this name. For example, "*.oracle.com" matches "foo.bar.oracle.com"
61 * <p>
62 * <i>portrange</i> is used to specify a port number, or a bounded or unbounded range of ports
63 * that this permission applies to. If portrange is absent or invalid, then a default
64 * port number is assumed if the scheme is {@code http} (default 80) or {@code https}
65 * (default 443). No default is assumed for other schemes. A wildcard may be specified
66 * which means all ports.
67 * <p>
68 * <i>userinfo</i> is optional. A userinfo component if present, is ignored when
69 * creating a URLPermission, and has no effect on any other methods defined by this class.
70 * <p>
71 * The <i>path</i> component comprises a sequence of path segments,
72 * separated by '/' characters. <i>path</i> may also be empty. The path is specified
73 * in a similar way to the path in {@link java.io.FilePermission}. There are
74 * three different ways as the following examples show:
75 * <table class="plain">
76 * <caption>URL Examples</caption>
77 * <thead>
78 * <tr><th>Example url</th><th>Description</th></tr>
79 * </thead>
80 * <tbody>
81 * <tr><td style="white-space:nowrap;">http://www.oracle.com/a/b/c.html</td>
82 * <td>A url which identifies a specific (single) resource</td>
83 * </tr>
84 * <tr><td>http://www.oracle.com/a/b/*</td>
85 * <td>The '*' character refers to all resources in the same "directory" - in
86 * other words all resources with the same number of path components, and
87 * which only differ in the final path component, represented by the '*'.
88 * </td>
89 * </tr>
90 * <tr><td>http://www.oracle.com/a/b/-</td>
91 * <td>The '-' character refers to all resources recursively below the
92 * preceding path (eg. http://www.oracle.com/a/b/c/d/e.html matches this
93 * example).
94 * </td>
95 * </tr>
96 * </tbody>
97 * </table>
98 * <p>
99 * The '*' and '-' may only be specified in the final segment of a path and must be
100 * the only character in that segment. Any query or fragment components of the
101 * url are ignored when constructing URLPermissions.
102 * <p>
103 * As a special case, urls of the form, "scheme:*" are accepted to
104 * mean any url of the given scheme.
105 * <p>
106 * The <i>scheme</i> and <i>authority</i> components of the url string are handled
107 * without regard to case. This means {@link #equals(Object)},
108 * {@link #hashCode()} and {@link #implies(Permission)} are case insensitive with respect
109 * to these components. If the <i>authority</i> contains a literal IP address,
110 * then the address is normalized for comparison. The path component is case sensitive.
111 * <p><b>The actions string</b><p>
112 * The actions string of a URLPermission is a concatenation of the <i>method list</i>
113 * and the <i>request headers list</i>. These are lists of the permitted request
114 * methods and permitted request headers of the permission (respectively). The two lists
115 * are separated by a colon ':' character and elements of each list are comma separated.
116 * Some examples are:
117 * <pre>
118 * "POST,GET,DELETE"
119 * "GET:X-Foo-Request,X-Bar-Request"
120 * "POST,GET:Header1,Header2"
121 * </pre>
122 * The first example specifies the methods: POST, GET and DELETE, but no request headers.
123 * The second example specifies one request method and two headers. The third
124 * example specifies two request methods, and two headers.
125 * <p>
126 * The colon separator need not be present if the request headers list is empty.
127 * No white-space is permitted in the actions string. The action strings supplied to
128 * the URLPermission constructors are case-insensitive and are normalized by converting
129 * method names to upper-case and header names to the form defines in RFC2616 (lower case
130 * with initial letter of each word capitalized). Either list can contain a wild-card '*'
131 * character which signifies all request methods or headers respectively.
132 * <p>
133 * Note. Depending on the context of use, some request methods and headers may be permitted
134 * at all times, and others may not be permitted at any time. For example, the
135 * HTTP protocol handler might disallow certain headers such as Content-Length
136 * from being set by application code, regardless of whether the security policy
137 * in force, permits it.
138 *
139 * @since 1.8
140 */
141 public final class URLPermission extends Permission {
236 * <li>if any of p's methods are not in this's method list, and if
237 * this's method list is not equal to "*", then return false.</li>
238 * <li>if any of p's headers are not in this's request header list, and if
239 * this's request header list is not equal to "*", then return false.</li>
240 * <li>if this's url scheme is not equal to p's url scheme return false</li>
241 * <li>if the scheme specific part of this's url is '*' return true</li>
242 * <li>if the set of hosts defined by p's url hostrange is not a subset of
243 * this's url hostrange then return false. For example, "*.foo.oracle.com"
244 * is a subset of "*.oracle.com". "foo.bar.oracle.com" is not
245 * a subset of "*.foo.oracle.com"</li>
246 * <li>if the portrange defined by p's url is not a subset of the
247 * portrange defined by this's url then return false.
248 * <li>if the path or paths specified by p's url are contained in the
249 * set of paths specified by this's url, then return true
250 * <li>otherwise, return false</li>
251 * </ul>
252 * <p>Some examples of how paths are matched are shown below:
253 * <table class="plain">
254 * <caption>Examples of Path Matching</caption>
255 * <thead>
256 * <tr><th>this's path</th><th>p's path</th><th>match</th></tr>
257 * </thead>
258 * <tbody>
259 * <tr><td>/a/b</td><td>/a/b</td><td>yes</td></tr>
260 * <tr><td>/a/b/*</td><td>/a/b/c</td><td>yes</td></tr>
261 * <tr><td>/a/b/*</td><td>/a/b/c/d</td><td>no</td></tr>
262 * <tr><td>/a/b/-</td><td>/a/b/c/d</td><td>yes</td></tr>
263 * <tr><td>/a/b/-</td><td>/a/b/c/d/e</td><td>yes</td></tr>
264 * <tr><td>/a/b/-</td><td>/a/b/c/*</td><td>yes</td></tr>
265 * <tr><td>/a/b/*</td><td>/a/b/c/-</td><td>no</td></tr>
266 * </tbody>
267 * </table>
268 */
269 public boolean implies(Permission p) {
270 if (! (p instanceof URLPermission)) {
271 return false;
272 }
273
274 URLPermission that = (URLPermission)p;
275
276 if (this.methods.isEmpty() && !that.methods.isEmpty()) {
277 return false;
278 }
279
280 if (!this.methods.isEmpty() &&
281 !this.methods.get(0).equals("*") &&
282 Collections.indexOfSubList(this.methods,
283 that.methods) == -1) {
284 return false;
285 }
|
55 * separated by ".". <i>IPv4address</i> is a standard literal IPv4 address and
56 * <i>IPv6address</i> is as defined in <a href="http://www.ietf.org/rfc/rfc2732.txt">
57 * RFC 2732</a>. Literal IPv6 addresses must however, be enclosed in '[]' characters.
58 * The <i>dnsname</i> specification can be preceded by "*." which means
59 * the name will match any hostname whose right-most domain labels are the same as
60 * this name. For example, "*.oracle.com" matches "foo.bar.oracle.com"
61 * <p>
62 * <i>portrange</i> is used to specify a port number, or a bounded or unbounded range of ports
63 * that this permission applies to. If portrange is absent or invalid, then a default
64 * port number is assumed if the scheme is {@code http} (default 80) or {@code https}
65 * (default 443). No default is assumed for other schemes. A wildcard may be specified
66 * which means all ports.
67 * <p>
68 * <i>userinfo</i> is optional. A userinfo component if present, is ignored when
69 * creating a URLPermission, and has no effect on any other methods defined by this class.
70 * <p>
71 * The <i>path</i> component comprises a sequence of path segments,
72 * separated by '/' characters. <i>path</i> may also be empty. The path is specified
73 * in a similar way to the path in {@link java.io.FilePermission}. There are
74 * three different ways as the following examples show:
75 * <table class="striped">
76 * <caption>URL Examples</caption>
77 * <thead>
78 * <tr><th scope="col">Example url</th><th scope="col">Description</th></tr>
79 * </thead>
80 * <tbody style="text-align:left">
81 * <tr><th scope="row" style="white-space:nowrap;">http://www.oracle.com/a/b/c.html</th>
82 * <td>A url which identifies a specific (single) resource</td>
83 * </tr>
84 * <tr><th scope="row">http://www.oracle.com/a/b/*</th>
85 * <td>The '*' character refers to all resources in the same "directory" - in
86 * other words all resources with the same number of path components, and
87 * which only differ in the final path component, represented by the '*'.
88 * </td>
89 * </tr>
90 * <tr><th scope="row">http://www.oracle.com/a/b/-</th>
91 * <td>The '-' character refers to all resources recursively below the
92 * preceding path (eg. http://www.oracle.com/a/b/c/d/e.html matches this
93 * example).
94 * </td>
95 * </tr>
96 * </tbody>
97 * </table>
98 * <p>
99 * The '*' and '-' may only be specified in the final segment of a path and must be
100 * the only character in that segment. Any query or fragment components of the
101 * url are ignored when constructing URLPermissions.
102 * <p>
103 * As a special case, urls of the form, "scheme:*" are accepted to
104 * mean any url of the given scheme.
105 * <p>
106 * The <i>scheme</i> and <i>authority</i> components of the url string are handled
107 * without regard to case. This means {@link #equals(Object)},
108 * {@link #hashCode()} and {@link #implies(Permission)} are case insensitive with respect
109 * to these components. If the <i>authority</i> contains a literal IP address,
110 * then the address is normalized for comparison. The path component is case sensitive.
111 * <p><b>The actions string</b><p>
112 * The actions string of a URLPermission is a concatenation of the <i>method list</i>
113 * and the <i>request headers list</i>. These are lists of the permitted request
114 * methods and permitted request headers of the permission (respectively). The two lists
115 * are separated by a colon ':' character and elements of each list are comma separated.
116 * Some examples are:
117 * <ul>
118 * <li>"POST,GET,DELETE"
119 * <li>"GET:X-Foo-Request,X-Bar-Request"
120 * <li>"POST,GET:Header1,Header2"
121 * </ul>
122 * The first example specifies the methods: POST, GET and DELETE, but no request headers.
123 * The second example specifies one request method and two headers. The third
124 * example specifies two request methods, and two headers.
125 * <p>
126 * The colon separator need not be present if the request headers list is empty.
127 * No white-space is permitted in the actions string. The action strings supplied to
128 * the URLPermission constructors are case-insensitive and are normalized by converting
129 * method names to upper-case and header names to the form defines in RFC2616 (lower case
130 * with initial letter of each word capitalized). Either list can contain a wild-card '*'
131 * character which signifies all request methods or headers respectively.
132 * <p>
133 * Note. Depending on the context of use, some request methods and headers may be permitted
134 * at all times, and others may not be permitted at any time. For example, the
135 * HTTP protocol handler might disallow certain headers such as Content-Length
136 * from being set by application code, regardless of whether the security policy
137 * in force, permits it.
138 *
139 * @since 1.8
140 */
141 public final class URLPermission extends Permission {
236 * <li>if any of p's methods are not in this's method list, and if
237 * this's method list is not equal to "*", then return false.</li>
238 * <li>if any of p's headers are not in this's request header list, and if
239 * this's request header list is not equal to "*", then return false.</li>
240 * <li>if this's url scheme is not equal to p's url scheme return false</li>
241 * <li>if the scheme specific part of this's url is '*' return true</li>
242 * <li>if the set of hosts defined by p's url hostrange is not a subset of
243 * this's url hostrange then return false. For example, "*.foo.oracle.com"
244 * is a subset of "*.oracle.com". "foo.bar.oracle.com" is not
245 * a subset of "*.foo.oracle.com"</li>
246 * <li>if the portrange defined by p's url is not a subset of the
247 * portrange defined by this's url then return false.
248 * <li>if the path or paths specified by p's url are contained in the
249 * set of paths specified by this's url, then return true
250 * <li>otherwise, return false</li>
251 * </ul>
252 * <p>Some examples of how paths are matched are shown below:
253 * <table class="plain">
254 * <caption>Examples of Path Matching</caption>
255 * <thead>
256 * <tr><th scope="col">this's path</th><th scope="col">p's path</th><th>match</th></tr>
257 * </thead>
258 * <tbody style="text-align:left">
259 * <tr><th scope="row">/a/b</th><th scope="row">/a/b</th><td>yes</td></tr>
260 * <tr><th scope="row" rowspan="3">/a/b/*</th><th scope="row">/a/b/c</th><td>yes</td></tr>
261 * <tr> <th scope="row">/a/b/c/d</th><td>no</td></tr>
262 * <tr> <th scope="row">/a/b/c/-</th><td>no</td></tr>
263 * <tr><th scope="row" rowspan="3">/a/b/-</th><th scope="row">/a/b/c/d</th><td>yes</td></tr>
264 * <tr> <th scope="row">/a/b/c/d/e</th><td>yes</td></tr>
265 * <tr> <th scope="row">/a/b/c/*</th><td>yes</td></tr>
266 * </tbody>
267 * </table>
268 */
269 public boolean implies(Permission p) {
270 if (! (p instanceof URLPermission)) {
271 return false;
272 }
273
274 URLPermission that = (URLPermission)p;
275
276 if (this.methods.isEmpty() && !that.methods.isEmpty()) {
277 return false;
278 }
279
280 if (!this.methods.isEmpty() &&
281 !this.methods.get(0).equals("*") &&
282 Collections.indexOfSubList(this.methods,
283 that.methods) == -1) {
284 return false;
285 }
|