The url
* The url string has the following expected structure. *
* scheme : // authority [ / path ] [ ignored-query-or-fragment ] ** scheme will typically be http or https, but is not restricted by this * class. * authority is specified as: *
* authority = [ userinfo @ ] hostrange [ : portrange ] * portrange = portnumber | -portnumber | portnumber-[portnumber] | * * hostrange = ([*.] dnsname) | IPv4address | IPv6address ** dnsname is a standard DNS host or domain name, i.e. one or more labels * separated by ".". IPv4address is a standard literal IPv4 address and * IPv6address is as defined in * RFC 2732. Literal IPv6 addresses must however, be enclosed in '[]' characters. * The dnsname specification can be preceded by "*." which means * the name will match any hostname whose right-most domain labels are the same as * this name. For example, "*.example.com" matches "foo.bar.example.com" *
* portrange is used to specify a port number, or a bounded or unbounded range of ports * that this permission applies to. If portrange is absent or invalid, then a default * port number is assumed if the scheme is {@code http} (default 80) or {@code https} * (default 443). No default is assumed for other schemes. A wildcard may be specified * which means all ports. *
* userinfo is optional. A userinfo component if present, is ignored when * creating a URLPermission, and has no effect on any other methods defined by this class. *
* The path component comprises a sequence of path segments, * separated by '/' characters. path may also be empty. The path is specified * in a similar way to the path in {@link java.io.FilePermission}. There are * three different ways as the following examples show: *
| Example url | Description |
|---|---|
| http://www.example.com/a/b/c.html | *A url which identifies a specific (single) resource | *
| http://www.example.com/a/b/* | *The '*' character refers to all resources in the same "directory" - in * other words all resources with the same number of path components, and * which only differ in the final path component, represented by the '*'. * | *
| http://www.example.com/a/b/- | *The '-' character refers to all resources recursively below the * preceding path (e.g. http://www.example.com/a/b/c/d/e.html matches this * example). * | *
* The '*' and '-' may only be specified in the final segment of a path and must be * the only character in that segment. Any query or fragment components of the * url are ignored when constructing URLPermissions. *
* As a special case, urls of the form, "scheme:*" are accepted to * mean any url of the given scheme. *
* The scheme and authority components of the url string are handled * without regard to case. This means {@link #equals(Object)}, * {@link #hashCode()} and {@link #implies(Permission)} are case insensitive with respect * to these components. If the authority contains a literal IP address, * then the address is normalized for comparison. The path component is case sensitive. *
* ignored-query-or-fragment refers to any query or fragment which appears after the * path component, and which is ignored by the constructors of this class. It is defined as: *
* ignored-query-or-fragment = [ ? query ] [ # fragment ] ** where query and fragment are as defined in * RFC2396. {@link #getName() getName()} therefore returns * only the scheme, authority and path components of the url string that * the permission was created with. *
The actions string
* The actions string of a URLPermission is a concatenation of the method list * and the request headers list. These are lists of the permitted request * methods and permitted request headers of the permission (respectively). The two lists * are separated by a colon ':' character and elements of each list are comma separated. * Some examples are: *
* The first example specifies the methods: POST, GET and DELETE, but no request headers. * The second example specifies one request method and two headers. The third * example specifies two request methods, and two headers. *
* The colon separator need not be present if the request headers list is empty. * No white-space is permitted in the actions string. The action strings supplied to * the URLPermission constructors are case-insensitive and are normalized by converting * method names to upper-case and header names to the form defines in RFC2616 (lower case * with initial letter of each word capitalized). Either list can contain a wild-card '*' * character which signifies all request methods or headers respectively. *
* Note. Depending on the context of use, some request methods and headers may be permitted
* at all times, and others may not be permitted at any time. For example, the
* HTTP protocol handler might disallow certain headers such as Content-Length
* from being set by application code, regardless of whether the security policy
* in force, permits it.
*
* @since 1.8
*/
public final class URLPermission extends Permission {
private static final long serialVersionUID = -2702463814894478682L;
private transient String scheme;
private transient String ssp; // scheme specific part
private transient String path;
private transient List
* where method-names is the list of methods separated by commas
* and header-names is the list of permitted headers separated by commas.
* There is no white space in the returned String. If header-names is empty
* then the colon separator may not be present.
*/
public String getActions() {
return actions;
}
/**
* Checks if this URLPermission implies the given permission.
* Specifically, the following checks are done as if in the
* following sequence:
* Some examples of how paths are matched are shown below:
*
* "method-names : header-names"
*
*
*
*
*
*/
public boolean implies(Permission p) {
if (! (p instanceof URLPermission)) {
return false;
}
URLPermission that = (URLPermission)p;
if (this.methods.isEmpty() && !that.methods.isEmpty()) {
return false;
}
if (!this.methods.isEmpty() &&
!this.methods.get(0).equals("*") &&
Collections.indexOfSubList(this.methods,
that.methods) == -1) {
return false;
}
if (this.requestHeaders.isEmpty() && !that.requestHeaders.isEmpty()) {
return false;
}
if (!this.requestHeaders.isEmpty() &&
!this.requestHeaders.get(0).equals("*") &&
Collections.indexOfSubList(this.requestHeaders,
that.requestHeaders) == -1) {
return false;
}
if (!this.scheme.equals(that.scheme)) {
return false;
}
if (this.ssp.equals("*")) {
return true;
}
if (!this.authority.implies(that.authority)) {
return false;
}
if (this.path == null) {
return that.path == null;
}
if (that.path == null) {
return false;
}
if (this.path.endsWith("/-")) {
String thisprefix = this.path.substring(0, this.path.length() - 1);
return that.path.startsWith(thisprefix);
}
if (this.path.endsWith("/*")) {
String thisprefix = this.path.substring(0, this.path.length() - 1);
if (!that.path.startsWith(thisprefix)) {
return false;
}
String thatsuffix = that.path.substring(thisprefix.length());
// suffix must not contain '/' chars
if (thatsuffix.indexOf('/') != -1) {
return false;
}
if (thatsuffix.equals("-")) {
return false;
}
return true;
}
return this.path.equals(that.path);
}
/**
* Returns true if, this.getActions().equals(p.getActions())
* and p's url equals this's url. Returns false otherwise.
*/
public boolean equals(Object p) {
if (!(p instanceof URLPermission)) {
return false;
}
URLPermission that = (URLPermission)p;
if (!this.scheme.equals(that.scheme)) {
return false;
}
if (!this.getActions().equals(that.getActions())) {
return false;
}
if (!this.authority.equals(that.authority)) {
return false;
}
if (this.path != null) {
return this.path.equals(that.path);
} else {
return that.path == null;
}
}
/**
* Returns a hashcode calculated from the hashcode of the
* actions String and the url string.
*/
public int hashCode() {
return getActions().hashCode()
+ scheme.hashCode()
+ authority.hashCode()
+ (path == null ? 0 : path.hashCode());
}
private Listthis's path p's path match /a/b /a/b yes /a/b/* /a/b/c yes
* /a/b/c/d no
* /a/b/c/- no /a/b/- /a/b/c/d yes
* /a/b/c/d/e yes
*
* /a/b/c/* yes