1 /*
2 * Copyright (c) 1997, 2006, Oracle and/or its affiliates. All rights reserved.
3 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
4 *
5 * This code is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License version 2 only, as
7 * published by the Free Software Foundation. Oracle designates this
8 * particular file as subject to the "Classpath" exception as provided
9 * by Oracle in the LICENSE file that accompanied this code.
10 *
11 * This code is distributed in the hope that it will be useful, but WITHOUT
12 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
13 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
14 * version 2 for more details (a copy is included in the LICENSE file that
15 * accompanied this code).
16 *
17 * You should have received a copy of the GNU General Public License version
18 * 2 along with this work; if not, write to the Free Software Foundation,
19 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
20 *
21 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
22 * or visit www.oracle.com if you need additional information or have any
23 * questions.
24 */
25
26 package java.security;
27
28 import java.security.*;
29 import java.util.Enumeration;
30 import java.util.Hashtable;
31 import java.util.StringTokenizer;
32
33 /**
34 * This class is for security permissions.
35 * A SecurityPermission contains a name (also referred to as a "target name")
36 * but no actions list; you either have the named permission
37 * or you don't.
38 * <P>
39 * The target name is the name of a security configuration parameter (see below).
40 * Currently the SecurityPermission object is used to guard access
41 * to the Policy, Security, Provider, Signer, and Identity
42 * objects.
43 * <P>
44 * The following table lists all the possible SecurityPermission target names,
45 * and for each provides a description of what the permission allows
46 * and a discussion of the risks of granting code the permission.
47 * <P>
48 *
49 * <table border=1 cellpadding=5 summary="target name,what the permission allows, and associated risks">
50 * <tr>
51 * <th>Permission Target Name</th>
52 * <th>What the Permission Allows</th>
53 * <th>Risks of Allowing this Permission</th>
54 * </tr>
55 *
56 * <tr>
57 * <td>createAccessControlContext</td>
58 * <td>Creation of an AccessControlContext</td>
59 * <td>This allows someone to instantiate an AccessControlContext
60 * with a <code>DomainCombiner</code>. Extreme care must be taken when
61 * granting this permission. Malicious code could create a DomainCombiner
62 * that augments the set of permissions granted to code, and even grant the
63 * code {@link java.security.AllPermission}.</td>
64 * </tr>
65 *
66 * <tr>
67 * <td>getDomainCombiner</td>
68 * <td>Retrieval of an AccessControlContext's DomainCombiner</td>
69 * <td>This allows someone to retrieve an AccessControlContext's
70 * <code>DomainCombiner</code>. Since DomainCombiners may contain
71 * sensitive information, this could potentially lead to a privacy leak.</td>
72 * </tr>
73 *
74 * <tr>
75 * <td>getPolicy</td>
76 * <td>Retrieval of the system-wide security policy (specifically, of the
77 * currently-installed Policy object)</td>
78 * <td>This allows someone to query the policy via the
79 * <code>getPermissions</code> call,
80 * which discloses which permissions would be granted to a given CodeSource.
81 * While revealing the policy does not compromise the security of
82 * the system, it does provide malicious code with additional information
83 * which it may use to better aim an attack. It is wise
84 * not to divulge more information than necessary.</td>
85 * </tr>
86 *
87 * <tr>
88 * <td>setPolicy</td>
89 * <td>Setting of the system-wide security policy (specifically,
90 * the Policy object)</td>
91 * <td>Granting this permission is extremely dangerous, as malicious
92 * code may grant itself all the necessary permissions it needs
93 * to successfully mount an attack on the system.</td>
94 * </tr>
95 *
96 * <tr>
97 * <td>createPolicy.{policy type}</td>
98 * <td>Getting an instance of a Policy implementation from a provider</td>
99 * <td>Granting this permission enables code to obtain a Policy object.
100 * Malicious code may query the Policy object to determine what permissions
101 * have been granted to code other than itself. </td>
102 * </tr>
103 *
104 * <tr>
105 * <td>getProperty.{key}</td>
106 * <td>Retrieval of the security property with the specified key</td>
107 * <td>Depending on the particular key for which access has
108 * been granted, the code may have access to the list of security
109 * providers, as well as the location of the system-wide and user
110 * security policies. while revealing this information does not
111 * compromise the security of the system, it does provide malicious
112 * code with additional information which it may use to better aim
113 * an attack.
114 </td>
115 * </tr>
116 *
117 * <tr>
118 * <td>setProperty.{key}</td>
119 * <td>Setting of the security property with the specified key</td>
120 * <td>This could include setting a security provider or defining
121 * the location of the system-wide security policy. Malicious
122 * code that has permission to set a new security provider may
123 * set a rogue provider that steals confidential information such
124 * as cryptographic private keys. In addition, malicious code with
125 * permission to set the location of the system-wide security policy
126 * may point it to a security policy that grants the attacker
127 * all the necessary permissions it requires to successfully mount
128 * an attack on the system.
129 </td>
130 * </tr>
131 *
132 * <tr>
133 * <td>insertProvider.{provider name}</td>
134 * <td>Addition of a new provider, with the specified name</td>
135 * <td>This would allow somebody to introduce a possibly
136 * malicious provider (e.g., one that discloses the private keys passed
137 * to it) as the highest-priority provider. This would be possible
138 * because the Security object (which manages the installed providers)
139 * currently does not check the integrity or authenticity of a provider
140 * before attaching it.</td>
141 * </tr>
142 *
143 * <tr>
144 * <td>removeProvider.{provider name}</td>
145 * <td>Removal of the specified provider</td>
146 * <td>This may change the behavior or disable execution of other
147 * parts of the program. If a provider subsequently requested by the
148 * program has been removed, execution may fail. Also, if the removed
149 * provider is not explicitly requested by the rest of the program, but
150 * it would normally be the provider chosen when a cryptography service
151 * is requested (due to its previous order in the list of providers),
152 * a different provider will be chosen instead, or no suitable provider
153 * will be found, thereby resulting in program failure.</td>
154 * </tr>
155 *
156 * <tr>
157 * <td>clearProviderProperties.{provider name}</td>
158 * <td>"Clearing" of a Provider so that it no longer contains the properties
159 * used to look up services implemented by the provider</td>
160 * <td>This disables the lookup of services implemented by the provider.
161 * This may thus change the behavior or disable execution of other
162 * parts of the program that would normally utilize the Provider, as
163 * described under the "removeProvider.{provider name}" permission.</td>
164 * </tr>
165 *
166 * <tr>
167 * <td>putProviderProperty.{provider name}</td>
168 * <td>Setting of properties for the specified Provider</td>
169 * <td>The provider properties each specify the name and location
170 * of a particular service implemented by the provider. By granting
171 * this permission, you let code replace the service specification
172 * with another one, thereby specifying a different implementation.</td>
173 * </tr>
174 *
175 * <tr>
176 * <td>removeProviderProperty.{provider name}</td>
177 * <td>Removal of properties from the specified Provider</td>
178 * <td>This disables the lookup of services implemented by the
179 * provider. They are no longer accessible due to removal of the properties
180 * specifying their names and locations. This
181 * may change the behavior or disable execution of other
182 * parts of the program that would normally utilize the Provider, as
183 * described under the "removeProvider.{provider name}" permission.</td>
184 * </tr>
185 *
186 * </table>
187 *
188 * <P>
189 * The following permissions are associated with classes that have been
190 * deprecated: {@link Identity}, {@link IdentityScope}, {@link Signer}. Use of
191 * them is discouraged. See the applicable classes for more information.
192 * <P>
193 *
194 * <table border=1 cellpadding=5 summary="target name,what the permission allows, and associated risks">
195 * <tr>
196 * <th>Permission Target Name</th>
197 * <th>What the Permission Allows</th>
198 * <th>Risks of Allowing this Permission</th>
199 * </tr>
200 *
201 * <tr>
202 * <td>setSystemScope</td>
203 * <td>Setting of the system identity scope</td>
204 * <td>This would allow an attacker to configure the system identity scope with
205 * certificates that should not be trusted, thereby granting applet or
206 * application code signed with those certificates privileges that
207 * would have been denied by the system's original identity scope.</td>
208 * </tr>
209 *
210 * <tr>
211 * <td>setIdentityPublicKey</td>
212 * <td>Setting of the public key for an Identity</td>
213 * <td>If the identity is marked as "trusted", this allows an attacker to
214 * introduce a different public key (e.g., its own) that is not trusted
215 * by the system's identity scope, thereby granting applet or
216 * application code signed with that public key privileges that
217 * would have been denied otherwise.</td>
218 * </tr>
219 *
220 * <tr>
221 * <td>setIdentityInfo</td>
222 * <td>Setting of a general information string for an Identity</td>
223 * <td>This allows attackers to set the general description for
224 * an identity. This may trick applications into using a different
225 * identity than intended or may prevent applications from finding a
226 * particular identity.</td>
227 * </tr>
228 *
229 * <tr>
230 * <td>addIdentityCertificate</td>
231 * <td>Addition of a certificate for an Identity</td>
232 * <td>This allows attackers to set a certificate for
233 * an identity's public key. This is dangerous because it affects
234 * the trust relationship across the system. This public key suddenly
235 * becomes trusted to a wider audience than it otherwise would be.</td>
236 * </tr>
237 *
238 * <tr>
239 * <td>removeIdentityCertificate</td>
240 * <td>Removal of a certificate for an Identity</td>
241 * <td>This allows attackers to remove a certificate for
242 * an identity's public key. This is dangerous because it affects
243 * the trust relationship across the system. This public key suddenly
244 * becomes considered less trustworthy than it otherwise would be.</td>
245 * </tr>
246 *
247 * <tr>
248 * <td>printIdentity</td>
249 * <td>Viewing the name of a principal
250 * and optionally the scope in which it is used, and whether
251 * or not it is considered "trusted" in that scope</td>
252 * <td>The scope that is printed out may be a filename, in which case
253 * it may convey local system information. For example, here's a sample
254 * printout of an identity named "carol", who is
255 * marked not trusted in the user's identity database:<br>
256 * carol[/home/luehe/identitydb.obj][not trusted]</td>
257 *</tr>
258 *
259 * <tr>
260 * <td>getSignerPrivateKey</td>
261 * <td>Retrieval of a Signer's private key</td>
262 * <td>It is very dangerous to allow access to a private key; private
263 * keys are supposed to be kept secret. Otherwise, code can use the
264 * private key to sign various files and claim the signature came from
265 * the Signer.</td>
266 * </tr>
267 *
268 * <tr>
269 * <td>setSignerKeyPair</td>
270 * <td>Setting of the key pair (public key and private key) for a Signer</td>
271 * <td>This would allow an attacker to replace somebody else's (the "target's")
272 * keypair with a possibly weaker keypair (e.g., a keypair of a smaller
273 * keysize). This also would allow the attacker to listen in on encrypted
274 * communication between the target and its peers. The target's peers
275 * might wrap an encryption session key under the target's "new" public
276 * key, which would allow the attacker (who possesses the corresponding
277 * private key) to unwrap the session key and decipher the communication
278 * data encrypted under that session key.</td>
279 * </tr>
280 *
281 * </table>
282 *
283 * @see java.security.BasicPermission
284 * @see java.security.Permission
285 * @see java.security.Permissions
286 * @see java.security.PermissionCollection
287 * @see java.lang.SecurityManager
288 *
289 *
290 * @author Marianne Mueller
291 * @author Roland Schemers
292 */
293
294 public final class SecurityPermission extends BasicPermission {
295
296 private static final long serialVersionUID = 5236109936224050470L;
297
298 /**
299 * Creates a new SecurityPermission with the specified name.
300 * The name is the symbolic name of the SecurityPermission. An asterisk
301 * may appear at the end of the name, following a ".", or by itself, to
302 * signify a wildcard match.
303 *
304 * @param name the name of the SecurityPermission
305 *
306 * @throws NullPointerException if <code>name</code> is <code>null</code>.
307 * @throws IllegalArgumentException if <code>name</code> is empty.
308 */
309
310 public SecurityPermission(String name)
311 {
312 super(name);
313 }
314
315 /**
316 * Creates a new SecurityPermission object with the specified name.
317 * The name is the symbolic name of the SecurityPermission, and the
318 * actions String is currently unused and should be null.
319 *
320 * @param name the name of the SecurityPermission
321 * @param actions should be null.
322 *
323 * @throws NullPointerException if <code>name</code> is <code>null</code>.
324 * @throws IllegalArgumentException if <code>name</code> is empty.
325 */
326
327 public SecurityPermission(String name, String actions)
328 {
329 super(name, actions);
330 }
331 }