1 /* 2 * Copyright (c) 1997, 2013, Oracle and/or its affiliates. All rights reserved. 3 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. 4 * 5 * This code is free software; you can redistribute it and/or modify it 6 * under the terms of the GNU General Public License version 2 only, as 7 * published by the Free Software Foundation. Oracle designates this 8 * particular file as subject to the "Classpath" exception as provided 9 * by Oracle in the LICENSE file that accompanied this code. 10 * 11 * This code is distributed in the hope that it will be useful, but WITHOUT 12 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or 13 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License 14 * version 2 for more details (a copy is included in the LICENSE file that 15 * accompanied this code). 16 * 17 * You should have received a copy of the GNU General Public License version 18 * 2 along with this work; if not, write to the Free Software Foundation, 19 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. 20 * 21 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA 22 * or visit www.oracle.com if you need additional information or have any 23 * questions. 24 */ 25 26 package java.security; 27 28 import java.security.*; 29 import java.util.Enumeration; 30 import java.util.Hashtable; 31 import java.util.StringTokenizer; 32 33 /** 34 * This class is for security permissions. 35 * A SecurityPermission contains a name (also referred to as a "target name") 36 * but no actions list; you either have the named permission 37 * or you don't. 38 * <P> 39 * The target name is the name of a security configuration parameter (see below). 40 * Currently the SecurityPermission object is used to guard access 41 * to the Policy, Security, Provider, Signer, and Identity 42 * objects. 43 * <P> 44 * The following table lists all the possible SecurityPermission target names, 45 * and for each provides a description of what the permission allows 46 * and a discussion of the risks of granting code the permission. 47 * <P> 48 * 49 * <table border=1 cellpadding=5 summary="target name,what the permission allows, and associated risks"> 50 * <tr> 51 * <th>Permission Target Name</th> 52 * <th>What the Permission Allows</th> 53 * <th>Risks of Allowing this Permission</th> 54 * </tr> 55 * 56 * <tr> 57 * <td>createAccessControlContext</td> 58 * <td>Creation of an AccessControlContext</td> 59 * <td>This allows someone to instantiate an AccessControlContext 60 * with a {@code DomainCombiner}. Extreme care must be taken when 61 * granting this permission. Malicious code could create a DomainCombiner 62 * that augments the set of permissions granted to code, and even grant the 63 * code {@link java.security.AllPermission}.</td> 64 * </tr> 65 * 66 * <tr> 67 * <td>getDomainCombiner</td> 68 * <td>Retrieval of an AccessControlContext's DomainCombiner</td> 69 * <td>This allows someone to retrieve an AccessControlContext's 70 * {@code DomainCombiner}. Since DomainCombiners may contain 71 * sensitive information, this could potentially lead to a privacy leak.</td> 72 * </tr> 73 * 74 * <tr> 75 * <td>getPolicy</td> 76 * <td>Retrieval of the system-wide security policy (specifically, of the 77 * currently-installed Policy object)</td> 78 * <td>This allows someone to query the policy via the 79 * {@code getPermissions} call, 80 * which discloses which permissions would be granted to a given CodeSource. 81 * While revealing the policy does not compromise the security of 82 * the system, it does provide malicious code with additional information 83 * which it may use to better aim an attack. It is wise 84 * not to divulge more information than necessary.</td> 85 * </tr> 86 * 87 * <tr> 88 * <td>setPolicy</td> 89 * <td>Setting of the system-wide security policy (specifically, 90 * the Policy object)</td> 91 * <td>Granting this permission is extremely dangerous, as malicious 92 * code may grant itself all the necessary permissions it needs 93 * to successfully mount an attack on the system.</td> 94 * </tr> 95 * 96 * <tr> 97 * <td>createPolicy.{policy type}</td> 98 * <td>Getting an instance of a Policy implementation from a provider</td> 99 * <td>Granting this permission enables code to obtain a Policy object. 100 * Malicious code may query the Policy object to determine what permissions 101 * have been granted to code other than itself. </td> 102 * </tr> 103 * 104 * <tr> 105 * <td>getProperty.{key}</td> 106 * <td>Retrieval of the security property with the specified key</td> 107 * <td>Depending on the particular key for which access has 108 * been granted, the code may have access to the list of security 109 * providers, as well as the location of the system-wide and user 110 * security policies. while revealing this information does not 111 * compromise the security of the system, it does provide malicious 112 * code with additional information which it may use to better aim 113 * an attack. 114 </td> 115 * </tr> 116 * 117 * <tr> 118 * <td>setProperty.{key}</td> 119 * <td>Setting of the security property with the specified key</td> 120 * <td>This could include setting a security provider or defining 121 * the location of the system-wide security policy. Malicious 122 * code that has permission to set a new security provider may 123 * set a rogue provider that steals confidential information such 124 * as cryptographic private keys. In addition, malicious code with 125 * permission to set the location of the system-wide security policy 126 * may point it to a security policy that grants the attacker 127 * all the necessary permissions it requires to successfully mount 128 * an attack on the system. 129 </td> 130 * </tr> 131 * 132 * <tr> 133 * <td>insertProvider.{provider name}</td> 134 * <td>Addition of a new provider, with the specified name</td> 135 * <td>This would allow somebody to introduce a possibly 136 * malicious provider (e.g., one that discloses the private keys passed 137 * to it) as the highest-priority provider. This would be possible 138 * because the Security object (which manages the installed providers) 139 * currently does not check the integrity or authenticity of a provider 140 * before attaching it.</td> 141 * </tr> 142 * 143 * <tr> 144 * <td>removeProvider.{provider name}</td> 145 * <td>Removal of the specified provider</td> 146 * <td>This may change the behavior or disable execution of other 147 * parts of the program. If a provider subsequently requested by the 148 * program has been removed, execution may fail. Also, if the removed 149 * provider is not explicitly requested by the rest of the program, but 150 * it would normally be the provider chosen when a cryptography service 151 * is requested (due to its previous order in the list of providers), 152 * a different provider will be chosen instead, or no suitable provider 153 * will be found, thereby resulting in program failure.</td> 154 * </tr> 155 * 156 * <tr> 157 * <td>clearProviderProperties.{provider name}</td> 158 * <td>"Clearing" of a Provider so that it no longer contains the properties 159 * used to look up services implemented by the provider</td> 160 * <td>This disables the lookup of services implemented by the provider. 161 * This may thus change the behavior or disable execution of other 162 * parts of the program that would normally utilize the Provider, as 163 * described under the "removeProvider.{provider name}" permission.</td> 164 * </tr> 165 * 166 * <tr> 167 * <td>putProviderProperty.{provider name}</td> 168 * <td>Setting of properties for the specified Provider</td> 169 * <td>The provider properties each specify the name and location 170 * of a particular service implemented by the provider. By granting 171 * this permission, you let code replace the service specification 172 * with another one, thereby specifying a different implementation.</td> 173 * </tr> 174 * 175 * <tr> 176 * <td>removeProviderProperty.{provider name}</td> 177 * <td>Removal of properties from the specified Provider</td> 178 * <td>This disables the lookup of services implemented by the 179 * provider. They are no longer accessible due to removal of the properties 180 * specifying their names and locations. This 181 * may change the behavior or disable execution of other 182 * parts of the program that would normally utilize the Provider, as 183 * described under the "removeProvider.{provider name}" permission.</td> 184 * </tr> 185 * 186 * </table> 187 * 188 * <P> 189 * The following permissions are associated with classes that have been 190 * deprecated: {@link Identity}, {@link IdentityScope}, {@link Signer}. Use of 191 * them is discouraged. See the applicable classes for more information. 192 * <P> 193 * 194 * <table border=1 cellpadding=5 summary="target name,what the permission allows, and associated risks"> 195 * <tr> 196 * <th>Permission Target Name</th> 197 * <th>What the Permission Allows</th> 198 * <th>Risks of Allowing this Permission</th> 199 * </tr> 200 * 201 * <tr> 202 * <td>setSystemScope</td> 203 * <td>Setting of the system identity scope</td> 204 * <td>This would allow an attacker to configure the system identity scope with 205 * certificates that should not be trusted, thereby granting applet or 206 * application code signed with those certificates privileges that 207 * would have been denied by the system's original identity scope.</td> 208 * </tr> 209 * 210 * <tr> 211 * <td>setIdentityPublicKey</td> 212 * <td>Setting of the public key for an Identity</td> 213 * <td>If the identity is marked as "trusted", this allows an attacker to 214 * introduce a different public key (e.g., its own) that is not trusted 215 * by the system's identity scope, thereby granting applet or 216 * application code signed with that public key privileges that 217 * would have been denied otherwise.</td> 218 * </tr> 219 * 220 * <tr> 221 * <td>setIdentityInfo</td> 222 * <td>Setting of a general information string for an Identity</td> 223 * <td>This allows attackers to set the general description for 224 * an identity. This may trick applications into using a different 225 * identity than intended or may prevent applications from finding a 226 * particular identity.</td> 227 * </tr> 228 * 229 * <tr> 230 * <td>addIdentityCertificate</td> 231 * <td>Addition of a certificate for an Identity</td> 232 * <td>This allows attackers to set a certificate for 233 * an identity's public key. This is dangerous because it affects 234 * the trust relationship across the system. This public key suddenly 235 * becomes trusted to a wider audience than it otherwise would be.</td> 236 * </tr> 237 * 238 * <tr> 239 * <td>removeIdentityCertificate</td> 240 * <td>Removal of a certificate for an Identity</td> 241 * <td>This allows attackers to remove a certificate for 242 * an identity's public key. This is dangerous because it affects 243 * the trust relationship across the system. This public key suddenly 244 * becomes considered less trustworthy than it otherwise would be.</td> 245 * </tr> 246 * 247 * <tr> 248 * <td>printIdentity</td> 249 * <td>Viewing the name of a principal 250 * and optionally the scope in which it is used, and whether 251 * or not it is considered "trusted" in that scope</td> 252 * <td>The scope that is printed out may be a filename, in which case 253 * it may convey local system information. For example, here's a sample 254 * printout of an identity named "carol", who is 255 * marked not trusted in the user's identity database:<br> 256 * carol[/home/luehe/identitydb.obj][not trusted]</td> 257 *</tr> 258 * 259 * <tr> 260 * <td>getSignerPrivateKey</td> 261 * <td>Retrieval of a Signer's private key</td> 262 * <td>It is very dangerous to allow access to a private key; private 263 * keys are supposed to be kept secret. Otherwise, code can use the 264 * private key to sign various files and claim the signature came from 265 * the Signer.</td> 266 * </tr> 267 * 268 * <tr> 269 * <td>setSignerKeyPair</td> 270 * <td>Setting of the key pair (public key and private key) for a Signer</td> 271 * <td>This would allow an attacker to replace somebody else's (the "target's") 272 * keypair with a possibly weaker keypair (e.g., a keypair of a smaller 273 * keysize). This also would allow the attacker to listen in on encrypted 274 * communication between the target and its peers. The target's peers 275 * might wrap an encryption session key under the target's "new" public 276 * key, which would allow the attacker (who possesses the corresponding 277 * private key) to unwrap the session key and decipher the communication 278 * data encrypted under that session key.</td> 279 * </tr> 280 * 281 * </table> 282 * 283 * @see java.security.BasicPermission 284 * @see java.security.Permission 285 * @see java.security.Permissions 286 * @see java.security.PermissionCollection 287 * @see java.lang.SecurityManager 288 * 289 * 290 * @author Marianne Mueller 291 * @author Roland Schemers 292 */ 293 294 public final class SecurityPermission extends BasicPermission { 295 296 private static final long serialVersionUID = 5236109936224050470L; 297 298 /** 299 * Creates a new SecurityPermission with the specified name. 300 * The name is the symbolic name of the SecurityPermission. An asterisk 301 * may appear at the end of the name, following a ".", or by itself, to 302 * signify a wildcard match. 303 * 304 * @param name the name of the SecurityPermission 305 * 306 * @throws NullPointerException if {@code name} is {@code null}. 307 * @throws IllegalArgumentException if {@code name} is empty. 308 */ 309 310 public SecurityPermission(String name) 311 { 312 super(name); 313 } 314 315 /** 316 * Creates a new SecurityPermission object with the specified name. 317 * The name is the symbolic name of the SecurityPermission, and the 318 * actions String is currently unused and should be null. 319 * 320 * @param name the name of the SecurityPermission 321 * @param actions should be null. 322 * 323 * @throws NullPointerException if {@code name} is {@code null}. 324 * @throws IllegalArgumentException if {@code name} is empty. 325 */ 326 327 public SecurityPermission(String name, String actions) 328 { 329 super(name, actions); 330 } 331 }