1 /*
2 * Copyright (c) 1997, 2013, Oracle and/or its affiliates. All rights reserved.
3 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
4 *
5 * This code is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License version 2 only, as
7 * published by the Free Software Foundation. Oracle designates this
8 * particular file as subject to the "Classpath" exception as provided
9 * by Oracle in the LICENSE file that accompanied this code.
10 *
11 * This code is distributed in the hope that it will be useful, but WITHOUT
12 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
13 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
14 * version 2 for more details (a copy is included in the LICENSE file that
15 * accompanied this code).
16 *
17 * You should have received a copy of the GNU General Public License version
18 * 2 along with this work; if not, write to the Free Software Foundation,
19 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
20 *
21 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
22 * or visit www.oracle.com if you need additional information or have any
23 * questions.
24 */
25
26 package java.security;
27
28 import java.util.Enumeration;
29 import java.util.Hashtable;
30 import java.util.NoSuchElementException;
31 import java.util.Map;
32 import java.util.HashMap;
33 import java.util.List;
34 import java.util.Iterator;
35 import java.util.Collections;
36 import java.io.Serializable;
37 import java.io.ObjectStreamField;
38 import java.io.ObjectOutputStream;
39 import java.io.ObjectInputStream;
40 import java.io.IOException;
41
42
43 /**
44 * This class represents a heterogeneous collection of Permissions. That is,
45 * it contains different types of Permission objects, organized into
46 * PermissionCollections. For example, if any
47 * {@code java.io.FilePermission} objects are added to an instance of
48 * this class, they are all stored in a single
49 * PermissionCollection. It is the PermissionCollection returned by a call to
50 * the {@code newPermissionCollection} method in the FilePermission class.
51 * Similarly, any {@code java.lang.RuntimePermission} objects are
52 * stored in the PermissionCollection returned by a call to the
53 * {@code newPermissionCollection} method in the
54 * RuntimePermission class. Thus, this class represents a collection of
55 * PermissionCollections.
56 *
57 * <p>When the {@code add} method is called to add a Permission, the
58 * Permission is stored in the appropriate PermissionCollection. If no such
59 * collection exists yet, the Permission object's class is determined and the
60 * {@code newPermissionCollection} method is called on that class to create
61 * the PermissionCollection and add it to the Permissions object. If
62 * {@code newPermissionCollection} returns null, then a default
63 * PermissionCollection that uses a hashtable will be created and used. Each
64 * hashtable entry stores a Permission object as both the key and the value.
65 *
66 * <p> Enumerations returned via the {@code elements} method are
67 * not <em>fail-fast</em>. Modifications to a collection should not be
68 * performed while enumerating over that collection.
69 *
70 * @see Permission
71 * @see PermissionCollection
72 * @see AllPermission
73 *
74 *
75 * @author Marianne Mueller
76 * @author Roland Schemers
77 *
78 * @serial exclude
79 */
80
81 public final class Permissions extends PermissionCollection
82 implements Serializable
83 {
84 /**
85 * Key is permissions Class, value is PermissionCollection for that class.
86 * Not serialized; see serialization section at end of class.
87 */
88 private transient Map<Class<?>, PermissionCollection> permsMap;
89
90 // optimization. keep track of whether unresolved permissions need to be
91 // checked
92 private transient boolean hasUnresolved = false;
93
94 // optimization. keep track of the AllPermission collection
95 // - package private for ProtectionDomain optimization
96 PermissionCollection allPermission;
97
98 /**
99 * Creates a new Permissions object containing no PermissionCollections.
100 */
101 public Permissions() {
102 permsMap = new HashMap<Class<?>, PermissionCollection>(11);
103 allPermission = null;
104 }
105
106 /**
107 * Adds a permission object to the PermissionCollection for the class the
108 * permission belongs to. For example, if <i>permission</i> is a
109 * FilePermission, it is added to the FilePermissionCollection stored
110 * in this Permissions object.
111 *
112 * This method creates
113 * a new PermissionCollection object (and adds the permission to it)
114 * if an appropriate collection does not yet exist. <p>
115 *
116 * @param permission the Permission object to add.
117 *
118 * @exception SecurityException if this Permissions object is
119 * marked as readonly.
120 *
121 * @see PermissionCollection#isReadOnly()
122 */
123
124 public void add(Permission permission) {
125 if (isReadOnly())
126 throw new SecurityException(
127 "attempt to add a Permission to a readonly Permissions object");
128
129 PermissionCollection pc;
130
131 synchronized (this) {
132 pc = getPermissionCollection(permission, true);
133 pc.add(permission);
134 }
135
136 // No sync; staleness -> optimizations delayed, which is OK
137 if (permission instanceof AllPermission) {
138 allPermission = pc;
139 }
140 if (permission instanceof UnresolvedPermission) {
141 hasUnresolved = true;
142 }
143 }
144
145 /**
146 * Checks to see if this object's PermissionCollection for permissions of
147 * the specified permission's class implies the permissions
148 * expressed in the <i>permission</i> object. Returns true if the
149 * combination of permissions in the appropriate PermissionCollection
150 * (e.g., a FilePermissionCollection for a FilePermission) together
151 * imply the specified permission.
152 *
153 * <p>For example, suppose there is a FilePermissionCollection in this
154 * Permissions object, and it contains one FilePermission that specifies
155 * "read" access for all files in all subdirectories of the "/tmp"
156 * directory, and another FilePermission that specifies "write" access
157 * for all files in the "/tmp/scratch/foo" directory.
158 * Then if the {@code implies} method
159 * is called with a permission specifying both "read" and "write" access
160 * to files in the "/tmp/scratch/foo" directory, {@code true} is
161 * returned.
162 *
163 * <p>Additionally, if this PermissionCollection contains the
164 * AllPermission, this method will always return true.
165 * <p>
166 * @param permission the Permission object to check.
167 *
168 * @return true if "permission" is implied by the permissions in the
169 * PermissionCollection it
170 * belongs to, false if not.
171 */
172
173 public boolean implies(Permission permission) {
174 // No sync; staleness -> skip optimization, which is OK
175 if (allPermission != null) {
176 return true; // AllPermission has already been added
177 } else {
178 synchronized (this) {
179 PermissionCollection pc = getPermissionCollection(permission,
180 false);
181 if (pc != null) {
182 return pc.implies(permission);
183 } else {
184 // none found
185 return false;
186 }
187 }
188 }
189 }
190
191 /**
192 * Returns an enumeration of all the Permission objects in all the
193 * PermissionCollections in this Permissions object.
194 *
195 * @return an enumeration of all the Permissions.
196 */
197
198 public Enumeration<Permission> elements() {
199 // go through each Permissions in the hash table
200 // and call their elements() function.
201
202 synchronized (this) {
203 return new PermissionsEnumerator(permsMap.values().iterator());
204 }
205 }
206
207 /**
208 * Gets the PermissionCollection in this Permissions object for
209 * permissions whose type is the same as that of <i>p</i>.
210 * For example, if <i>p</i> is a FilePermission,
211 * the FilePermissionCollection
212 * stored in this Permissions object will be returned.
213 *
214 * If createEmpty is true,
215 * this method creates a new PermissionCollection object for the specified
216 * type of permission objects if one does not yet exist.
217 * To do so, it first calls the {@code newPermissionCollection} method
218 * on <i>p</i>. Subclasses of class Permission
219 * override that method if they need to store their permissions in a
220 * particular PermissionCollection object in order to provide the
221 * correct semantics when the {@code PermissionCollection.implies}
222 * method is called.
223 * If the call returns a PermissionCollection, that collection is stored
224 * in this Permissions object. If the call returns null and createEmpty
225 * is true, then
226 * this method instantiates and stores a default PermissionCollection
227 * that uses a hashtable to store its permission objects.
228 *
229 * createEmpty is ignored when creating empty PermissionCollection
230 * for unresolved permissions because of the overhead of determining the
231 * PermissionCollection to use.
232 *
233 * createEmpty should be set to false when this method is invoked from
234 * implies() because it incurs the additional overhead of creating and
235 * adding an empty PermissionCollection that will just return false.
236 * It should be set to true when invoked from add().
237 */
238 private PermissionCollection getPermissionCollection(Permission p,
239 boolean createEmpty) {
240 Class<?> c = p.getClass();
241
242 PermissionCollection pc = permsMap.get(c);
243
244 if (!hasUnresolved && !createEmpty) {
245 return pc;
246 } else if (pc == null) {
247
248 // Check for unresolved permissions
249 pc = (hasUnresolved ? getUnresolvedPermissions(p) : null);
250
251 // if still null, create a new collection
252 if (pc == null && createEmpty) {
253
254 pc = p.newPermissionCollection();
255
256 // still no PermissionCollection?
257 // We'll give them a PermissionsHash.
258 if (pc == null)
259 pc = new PermissionsHash();
260 }
261
262 if (pc != null) {
263 permsMap.put(c, pc);
264 }
265 }
266 return pc;
267 }
268
269 /**
270 * Resolves any unresolved permissions of type p.
271 *
272 * @param p the type of unresolved permission to resolve
273 *
274 * @return PermissionCollection containing the unresolved permissions,
275 * or null if there were no unresolved permissions of type p.
276 *
277 */
278 private PermissionCollection getUnresolvedPermissions(Permission p)
279 {
280 // Called from within synchronized method so permsMap doesn't need lock
281
282 UnresolvedPermissionCollection uc =
283 (UnresolvedPermissionCollection) permsMap.get(UnresolvedPermission.class);
284
285 // we have no unresolved permissions if uc is null
286 if (uc == null)
287 return null;
288
289 List<UnresolvedPermission> unresolvedPerms =
290 uc.getUnresolvedPermissions(p);
291
292 // we have no unresolved permissions of this type if unresolvedPerms is null
293 if (unresolvedPerms == null)
294 return null;
295
296 java.security.cert.Certificate certs[] = null;
297
298 Object signers[] = p.getClass().getSigners();
299
300 int n = 0;
301 if (signers != null) {
302 for (int j=0; j < signers.length; j++) {
303 if (signers[j] instanceof java.security.cert.Certificate) {
304 n++;
305 }
306 }
307 certs = new java.security.cert.Certificate[n];
308 n = 0;
309 for (int j=0; j < signers.length; j++) {
310 if (signers[j] instanceof java.security.cert.Certificate) {
311 certs[n++] = (java.security.cert.Certificate)signers[j];
312 }
313 }
314 }
315
316 PermissionCollection pc = null;
317 synchronized (unresolvedPerms) {
318 int len = unresolvedPerms.size();
319 for (int i = 0; i < len; i++) {
320 UnresolvedPermission up = unresolvedPerms.get(i);
321 Permission perm = up.resolve(p, certs);
322 if (perm != null) {
323 if (pc == null) {
324 pc = p.newPermissionCollection();
325 if (pc == null)
326 pc = new PermissionsHash();
327 }
328 pc.add(perm);
329 }
330 }
331 }
332 return pc;
333 }
334
335 private static final long serialVersionUID = 4858622370623524688L;
336
337 // Need to maintain serialization interoperability with earlier releases,
338 // which had the serializable field:
339 // private Hashtable perms;
340
341 /**
342 * @serialField perms java.util.Hashtable
343 * A table of the Permission classes and PermissionCollections.
344 * @serialField allPermission java.security.PermissionCollection
345 */
346 private static final ObjectStreamField[] serialPersistentFields = {
347 new ObjectStreamField("perms", Hashtable.class),
348 new ObjectStreamField("allPermission", PermissionCollection.class),
349 };
350
351 /**
352 * @serialData Default fields.
353 */
354 /*
355 * Writes the contents of the permsMap field out as a Hashtable for
356 * serialization compatibility with earlier releases. allPermission
357 * unchanged.
358 */
359 private void writeObject(ObjectOutputStream out) throws IOException {
360 // Don't call out.defaultWriteObject()
361
362 // Copy perms into a Hashtable
363 Hashtable<Class<?>, PermissionCollection> perms =
364 new Hashtable<>(permsMap.size()*2); // no sync; estimate
365 synchronized (this) {
366 perms.putAll(permsMap);
367 }
368
369 // Write out serializable fields
370 ObjectOutputStream.PutField pfields = out.putFields();
371
372 pfields.put("allPermission", allPermission); // no sync; staleness OK
373 pfields.put("perms", perms);
374 out.writeFields();
375 }
376
377 /*
378 * Reads in a Hashtable of Class/PermissionCollections and saves them in the
379 * permsMap field. Reads in allPermission.
380 */
381 private void readObject(ObjectInputStream in) throws IOException,
382 ClassNotFoundException {
383 // Don't call defaultReadObject()
384
385 // Read in serialized fields
386 ObjectInputStream.GetField gfields = in.readFields();
387
388 // Get allPermission
389 allPermission = (PermissionCollection) gfields.get("allPermission", null);
390
391 // Get permissions
392 // writeObject writes a Hashtable<Class<?>, PermissionCollection> for
393 // the perms key, so this cast is safe, unless the data is corrupt.
394 @SuppressWarnings("unchecked")
395 Hashtable<Class<?>, PermissionCollection> perms =
396 (Hashtable<Class<?>, PermissionCollection>)gfields.get("perms", null);
397 permsMap = new HashMap<Class<?>, PermissionCollection>(perms.size()*2);
398 permsMap.putAll(perms);
399
400 // Set hasUnresolved
401 UnresolvedPermissionCollection uc =
402 (UnresolvedPermissionCollection) permsMap.get(UnresolvedPermission.class);
403 hasUnresolved = (uc != null && uc.elements().hasMoreElements());
404 }
405 }
406
407 final class PermissionsEnumerator implements Enumeration<Permission> {
408
409 // all the perms
410 private Iterator<PermissionCollection> perms;
411 // the current set
412 private Enumeration<Permission> permset;
413
414 PermissionsEnumerator(Iterator<PermissionCollection> e) {
415 perms = e;
416 permset = getNextEnumWithMore();
417 }
418
419 // No need to synchronize; caller should sync on object as required
420 public boolean hasMoreElements() {
421 // if we enter with permissionimpl null, we know
422 // there are no more left.
423
424 if (permset == null)
425 return false;
426
427 // try to see if there are any left in the current one
428
429 if (permset.hasMoreElements())
430 return true;
431
432 // get the next one that has something in it...
433 permset = getNextEnumWithMore();
434
435 // if it is null, we are done!
436 return (permset != null);
437 }
438
439 // No need to synchronize; caller should sync on object as required
440 public Permission nextElement() {
441
442 // hasMoreElements will update permset to the next permset
443 // with something in it...
444
445 if (hasMoreElements()) {
446 return permset.nextElement();
447 } else {
448 throw new NoSuchElementException("PermissionsEnumerator");
449 }
450
451 }
452
453 private Enumeration<Permission> getNextEnumWithMore() {
454 while (perms.hasNext()) {
455 PermissionCollection pc = perms.next();
456 Enumeration<Permission> next =pc.elements();
457 if (next.hasMoreElements())
458 return next;
459 }
460 return null;
461
462 }
463 }
464
465 /**
466 * A PermissionsHash stores a homogeneous set of permissions in a hashtable.
467 *
468 * @see Permission
469 * @see Permissions
470 *
471 *
472 * @author Roland Schemers
473 *
474 * @serial include
475 */
476
477 final class PermissionsHash extends PermissionCollection
478 implements Serializable
479 {
480 /**
481 * Key and value are (same) permissions objects.
482 * Not serialized; see serialization section at end of class.
483 */
484 private transient Map<Permission, Permission> permsMap;
485
486 /**
487 * Create an empty PermissionsHash object.
488 */
489
490 PermissionsHash() {
491 permsMap = new HashMap<Permission, Permission>(11);
492 }
493
494 /**
495 * Adds a permission to the PermissionsHash.
496 *
497 * @param permission the Permission object to add.
498 */
499
500 public void add(Permission permission) {
501 synchronized (this) {
502 permsMap.put(permission, permission);
503 }
504 }
505
506 /**
507 * Check and see if this set of permissions implies the permissions
508 * expressed in "permission".
509 *
510 * @param permission the Permission object to compare
511 *
512 * @return true if "permission" is a proper subset of a permission in
513 * the set, false if not.
514 */
515
516 public boolean implies(Permission permission) {
517 // attempt a fast lookup and implies. If that fails
518 // then enumerate through all the permissions.
519 synchronized (this) {
520 Permission p = permsMap.get(permission);
521
522 // If permission is found, then p.equals(permission)
523 if (p == null) {
524 for (Permission p_ : permsMap.values()) {
525 if (p_.implies(permission))
526 return true;
527 }
528 return false;
529 } else {
530 return true;
531 }
532 }
533 }
534
535 /**
536 * Returns an enumeration of all the Permission objects in the container.
537 *
538 * @return an enumeration of all the Permissions.
539 */
540
541 public Enumeration<Permission> elements() {
542 // Convert Iterator of Map values into an Enumeration
543 synchronized (this) {
544 return Collections.enumeration(permsMap.values());
545 }
546 }
547
548 private static final long serialVersionUID = -8491988220802933440L;
549 // Need to maintain serialization interoperability with earlier releases,
550 // which had the serializable field:
551 // private Hashtable perms;
552 /**
553 * @serialField perms java.util.Hashtable
554 * A table of the Permissions (both key and value are same).
555 */
556 private static final ObjectStreamField[] serialPersistentFields = {
557 new ObjectStreamField("perms", Hashtable.class),
558 };
559
560 /**
561 * @serialData Default fields.
562 */
563 /*
564 * Writes the contents of the permsMap field out as a Hashtable for
565 * serialization compatibility with earlier releases.
566 */
567 private void writeObject(ObjectOutputStream out) throws IOException {
568 // Don't call out.defaultWriteObject()
569
570 // Copy perms into a Hashtable
571 Hashtable<Permission, Permission> perms =
572 new Hashtable<>(permsMap.size()*2);
573 synchronized (this) {
574 perms.putAll(permsMap);
575 }
576
577 // Write out serializable fields
578 ObjectOutputStream.PutField pfields = out.putFields();
579 pfields.put("perms", perms);
580 out.writeFields();
581 }
582
583 /*
584 * Reads in a Hashtable of Permission/Permission and saves them in the
585 * permsMap field.
586 */
587 private void readObject(ObjectInputStream in) throws IOException,
588 ClassNotFoundException {
589 // Don't call defaultReadObject()
590
591 // Read in serialized fields
592 ObjectInputStream.GetField gfields = in.readFields();
593
594 // Get permissions
595 // writeObject writes a Hashtable<Class<?>, PermissionCollection> for
596 // the perms key, so this cast is safe, unless the data is corrupt.
597 @SuppressWarnings("unchecked")
598 Hashtable<Permission, Permission> perms =
599 (Hashtable<Permission, Permission>)gfields.get("perms", null);
600 permsMap = new HashMap<Permission, Permission>(perms.size()*2);
601 permsMap.putAll(perms);
602 }
603 }