1 /*
2 * Copyright (c) 1995, 2014, Oracle and/or its affiliates. All rights reserved.
3 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
4 *
5 * This code is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License version 2 only, as
7 * published by the Free Software Foundation. Oracle designates this
8 * particular file as subject to the "Classpath" exception as provided
9 * by Oracle in the LICENSE file that accompanied this code.
10 *
11 * This code is distributed in the hope that it will be useful, but WITHOUT
12 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
13 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
14 * version 2 for more details (a copy is included in the LICENSE file that
15 * accompanied this code).
16 *
17 * You should have received a copy of the GNU General Public License version
18 * 2 along with this work; if not, write to the Free Software Foundation,
19 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
20 *
21 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
22 * or visit www.oracle.com if you need additional information or have any
23 * questions.
24 */
25
26 package java.lang;
27
28 import java.security.*;
29 import java.io.FileDescriptor;
30 import java.io.File;
31 import java.io.FilePermission;
32 import java.util.PropertyPermission;
33 import java.lang.RuntimePermission;
34 import java.net.SocketPermission;
35 import java.net.NetPermission;
36 import java.util.Hashtable;
37 import java.net.InetAddress;
38 import java.lang.reflect.*;
39 import java.net.URL;
40
41 import sun.reflect.CallerSensitive;
42 import sun.security.util.SecurityConstants;
43
44 /**
45 * The security manager is a class that allows
46 * applications to implement a security policy. It allows an
47 * application to determine, before performing a possibly unsafe or
48 * sensitive operation, what the operation is and whether
49 * it is being attempted in a security context that allows the
50 * operation to be performed. The
51 * application can allow or disallow the operation.
52 * <p>
53 * The <code>SecurityManager</code> class contains many methods with
54 * names that begin with the word <code>check</code>. These methods
55 * are called by various methods in the Java libraries before those
56 * methods perform certain potentially sensitive operations. The
57 * invocation of such a <code>check</code> method typically looks like this:
58 * <blockquote><pre>
59 * SecurityManager security = System.getSecurityManager();
60 * if (security != null) {
61 * security.check<i>XXX</i>(argument, . . . );
62 * }
63 * </pre></blockquote>
64 * <p>
65 * The security manager is thereby given an opportunity to prevent
66 * completion of the operation by throwing an exception. A security
67 * manager routine simply returns if the operation is permitted, but
68 * throws a <code>SecurityException</code> if the operation is not
69 * permitted.
70 * <p>
71 * The current security manager is set by the
72 * <code>setSecurityManager</code> method in class
73 * <code>System</code>. The current security manager is obtained
74 * by the <code>getSecurityManager</code> method.
75 * <p>
76 * The special method
77 * {@link SecurityManager#checkPermission(java.security.Permission)}
78 * determines whether an access request indicated by a specified
79 * permission should be granted or denied. The
80 * default implementation calls
81 *
82 * <pre>
83 * AccessController.checkPermission(perm);
84 * </pre>
85 *
86 * <p>
87 * If a requested access is allowed,
88 * <code>checkPermission</code> returns quietly. If denied, a
89 * <code>SecurityException</code> is thrown.
90 * <p>
91 * As of Java 2 SDK v1.2, the default implementation of each of the other
92 * <code>check</code> methods in <code>SecurityManager</code> is to
93 * call the <code>SecurityManager checkPermission</code> method
94 * to determine if the calling thread has permission to perform the requested
95 * operation.
96 * <p>
97 * Note that the <code>checkPermission</code> method with
98 * just a single permission argument always performs security checks
99 * within the context of the currently executing thread.
100 * Sometimes a security check that should be made within a given context
101 * will actually need to be done from within a
102 * <i>different</i> context (for example, from within a worker thread).
103 * The {@link SecurityManager#getSecurityContext getSecurityContext} method
104 * and the {@link SecurityManager#checkPermission(java.security.Permission,
105 * java.lang.Object) checkPermission}
106 * method that includes a context argument are provided
107 * for this situation. The
108 * <code>getSecurityContext</code> method returns a "snapshot"
109 * of the current calling context. (The default implementation
110 * returns an AccessControlContext object.) A sample call is
111 * the following:
112 *
113 * <pre>
114 * Object context = null;
115 * SecurityManager sm = System.getSecurityManager();
116 * if (sm != null) context = sm.getSecurityContext();
117 * </pre>
118 *
119 * <p>
120 * The <code>checkPermission</code> method
121 * that takes a context object in addition to a permission
122 * makes access decisions based on that context,
123 * rather than on that of the current execution thread.
124 * Code within a different context can thus call that method,
125 * passing the permission and the
126 * previously-saved context object. A sample call, using the
127 * SecurityManager <code>sm</code> obtained as in the previous example,
128 * is the following:
129 *
130 * <pre>
131 * if (sm != null) sm.checkPermission(permission, context);
132 * </pre>
133 *
134 * <p>Permissions fall into these categories: File, Socket, Net,
135 * Security, Runtime, Property, AWT, Reflect, and Serializable.
136 * The classes managing these various
137 * permission categories are <code>java.io.FilePermission</code>,
138 * <code>java.net.SocketPermission</code>,
139 * <code>java.net.NetPermission</code>,
140 * <code>java.security.SecurityPermission</code>,
141 * <code>java.lang.RuntimePermission</code>,
142 * <code>java.util.PropertyPermission</code>,
143 * <code>java.awt.AWTPermission</code>,
144 * <code>java.lang.reflect.ReflectPermission</code>, and
145 * <code>java.io.SerializablePermission</code>.
146 *
147 * <p>All but the first two (FilePermission and SocketPermission) are
148 * subclasses of <code>java.security.BasicPermission</code>, which itself
149 * is an abstract subclass of the
150 * top-level class for permissions, which is
151 * <code>java.security.Permission</code>. BasicPermission defines the
152 * functionality needed for all permissions that contain a name
153 * that follows the hierarchical property naming convention
154 * (for example, "exitVM", "setFactory", "queuePrintJob", etc).
155 * An asterisk
156 * may appear at the end of the name, following a ".", or by itself, to
157 * signify a wildcard match. For example: "a.*" or "*" is valid,
158 * "*a" or "a*b" is not valid.
159 *
160 * <p>FilePermission and SocketPermission are subclasses of the
161 * top-level class for permissions
162 * (<code>java.security.Permission</code>). Classes like these
163 * that have a more complicated name syntax than that used by
164 * BasicPermission subclass directly from Permission rather than from
165 * BasicPermission. For example,
166 * for a <code>java.io.FilePermission</code> object, the permission name is
167 * the path name of a file (or directory).
168 *
169 * <p>Some of the permission classes have an "actions" list that tells
170 * the actions that are permitted for the object. For example,
171 * for a <code>java.io.FilePermission</code> object, the actions list
172 * (such as "read, write") specifies which actions are granted for the
173 * specified file (or for files in the specified directory).
174 *
175 * <p>Other permission classes are for "named" permissions -
176 * ones that contain a name but no actions list; you either have the
177 * named permission or you don't.
178 *
179 * <p>Note: There is also a <code>java.security.AllPermission</code>
180 * permission that implies all permissions. It exists to simplify the work
181 * of system administrators who might need to perform multiple
182 * tasks that require all (or numerous) permissions.
183 * <p>
184 * See <a href ="../../../technotes/guides/security/permissions.html">
185 * Permissions in the JDK</a> for permission-related information.
186 * This document includes, for example, a table listing the various SecurityManager
187 * <code>check</code> methods and the permission(s) the default
188 * implementation of each such method requires.
189 * It also contains a table of all the version 1.2 methods
190 * that require permissions, and for each such method tells
191 * which permission it requires.
192 * <p>
193 * For more information about <code>SecurityManager</code> changes made in
194 * the JDK and advice regarding porting of 1.1-style security managers,
195 * see the <a href="../../../technotes/guides/security/index.html">security documentation</a>.
196 *
197 * @author Arthur van Hoff
198 * @author Roland Schemers
199 *
200 * @see java.lang.ClassLoader
201 * @see java.lang.SecurityException
202 * @see java.lang.System#getSecurityManager() getSecurityManager
203 * @see java.lang.System#setSecurityManager(java.lang.SecurityManager)
204 * setSecurityManager
205 * @see java.security.AccessController AccessController
206 * @see java.security.AccessControlContext AccessControlContext
207 * @see java.security.AccessControlException AccessControlException
208 * @see java.security.Permission
209 * @see java.security.BasicPermission
210 * @see java.io.FilePermission
211 * @see java.net.SocketPermission
212 * @see java.util.PropertyPermission
213 * @see java.lang.RuntimePermission
214 * @see java.awt.AWTPermission
215 * @see java.security.Policy Policy
216 * @see java.security.SecurityPermission SecurityPermission
217 * @see java.security.ProtectionDomain
218 *
219 * @since JDK1.0
220 */
221 public
222 class SecurityManager {
223
224 /**
225 * This field is <code>true</code> if there is a security check in
226 * progress; <code>false</code> otherwise.
227 *
228 * @deprecated This type of security checking is not recommended.
229 * It is recommended that the <code>checkPermission</code>
230 * call be used instead.
231 */
232 @Deprecated
233 protected boolean inCheck;
234
235 /*
236 * Have we been initialized. Effective against finalizer attacks.
237 */
238 private boolean initialized = false;
239
240
241 /**
242 * returns true if the current context has been granted AllPermission
243 */
244 private boolean hasAllPermission() {
245 try {
246 checkPermission(SecurityConstants.ALL_PERMISSION);
247 return true;
248 } catch (SecurityException se) {
249 return false;
250 }
251 }
252
253 /**
254 * Tests if there is a security check in progress.
255 *
256 * @return the value of the <code>inCheck</code> field. This field
257 * should contain <code>true</code> if a security check is
258 * in progress,
259 * <code>false</code> otherwise.
260 * @see java.lang.SecurityManager#inCheck
261 * @deprecated This type of security checking is not recommended.
262 * It is recommended that the <code>checkPermission</code>
263 * call be used instead.
264 */
265 @Deprecated
266 public boolean getInCheck() {
267 return inCheck;
268 }
269
270 /**
271 * Constructs a new <code>SecurityManager</code>.
272 *
273 * <p> If there is a security manager already installed, this method first
274 * calls the security manager's <code>checkPermission</code> method
275 * with the <code>RuntimePermission("createSecurityManager")</code>
276 * permission to ensure the calling thread has permission to create a new
277 * security manager.
278 * This may result in throwing a <code>SecurityException</code>.
279 *
280 * @exception java.lang.SecurityException if a security manager already
281 * exists and its <code>checkPermission</code> method
282 * doesn't allow creation of a new security manager.
283 * @see java.lang.System#getSecurityManager()
284 * @see #checkPermission(java.security.Permission) checkPermission
285 * @see java.lang.RuntimePermission
286 */
287 public SecurityManager() {
288 synchronized(SecurityManager.class) {
289 SecurityManager sm = System.getSecurityManager();
290 if (sm != null) {
291 // ask the currently installed security manager if we
292 // can create a new one.
293 sm.checkPermission(new RuntimePermission
294 ("createSecurityManager"));
295 }
296 initialized = true;
297 }
298 }
299
300 /**
301 * Returns the current execution stack as an array of classes.
302 * <p>
303 * The length of the array is the number of methods on the execution
304 * stack. The element at index <code>0</code> is the class of the
305 * currently executing method, the element at index <code>1</code> is
306 * the class of that method's caller, and so on.
307 *
308 * @return the execution stack.
309 */
310 protected native Class<?>[] getClassContext();
311
312 /**
313 * Returns the class loader of the most recently executing method from
314 * a class defined using a non-system class loader. A non-system
315 * class loader is defined as being a class loader that is not equal to
316 * the system class loader (as returned
317 * by {@link ClassLoader#getSystemClassLoader}) or one of its ancestors.
318 * <p>
319 * This method will return
320 * <code>null</code> in the following three cases:
321 * <ol>
322 * <li>All methods on the execution stack are from classes
323 * defined using the system class loader or one of its ancestors.
324 *
325 * <li>All methods on the execution stack up to the first
326 * "privileged" caller
327 * (see {@link java.security.AccessController#doPrivileged})
328 * are from classes
329 * defined using the system class loader or one of its ancestors.
330 *
331 * <li> A call to <code>checkPermission</code> with
332 * <code>java.security.AllPermission</code> does not
333 * result in a SecurityException.
334 *
335 * </ol>
336 *
337 * @return the class loader of the most recent occurrence on the stack
338 * of a method from a class defined using a non-system class
339 * loader.
340 *
341 * @deprecated This type of security checking is not recommended.
342 * It is recommended that the <code>checkPermission</code>
343 * call be used instead.
344 *
345 * @see java.lang.ClassLoader#getSystemClassLoader() getSystemClassLoader
346 * @see #checkPermission(java.security.Permission) checkPermission
347 */
348 @Deprecated
349 protected ClassLoader currentClassLoader() {
350 ClassLoader cl = currentClassLoader0();
351 if ((cl != null) && hasAllPermission())
352 cl = null;
353 return cl;
354 }
355
356 private native ClassLoader currentClassLoader0();
357
358 /**
359 * Returns the class of the most recently executing method from
360 * a class defined using a non-system class loader. A non-system
361 * class loader is defined as being a class loader that is not equal to
362 * the system class loader (as returned
363 * by {@link ClassLoader#getSystemClassLoader}) or one of its ancestors.
364 * <p>
365 * This method will return
366 * <code>null</code> in the following three cases:
367 * <ol>
368 * <li>All methods on the execution stack are from classes
369 * defined using the system class loader or one of its ancestors.
370 *
371 * <li>All methods on the execution stack up to the first
372 * "privileged" caller
373 * (see {@link java.security.AccessController#doPrivileged})
374 * are from classes
375 * defined using the system class loader or one of its ancestors.
376 *
377 * <li> A call to <code>checkPermission</code> with
378 * <code>java.security.AllPermission</code> does not
379 * result in a SecurityException.
380 *
381 * </ol>
382 *
383 * @return the class of the most recent occurrence on the stack
384 * of a method from a class defined using a non-system class
385 * loader.
386 *
387 * @deprecated This type of security checking is not recommended.
388 * It is recommended that the <code>checkPermission</code>
389 * call be used instead.
390 *
391 * @see java.lang.ClassLoader#getSystemClassLoader() getSystemClassLoader
392 * @see #checkPermission(java.security.Permission) checkPermission
393 */
394 @Deprecated
395 protected Class<?> currentLoadedClass() {
396 Class<?> c = currentLoadedClass0();
397 if ((c != null) && hasAllPermission())
398 c = null;
399 return c;
400 }
401
402 /**
403 * Returns the stack depth of the specified class.
404 *
405 * @param name the fully qualified name of the class to search for.
406 * @return the depth on the stack frame of the first occurrence of a
407 * method from a class with the specified name;
408 * <code>-1</code> if such a frame cannot be found.
409 * @deprecated This type of security checking is not recommended.
410 * It is recommended that the <code>checkPermission</code>
411 * call be used instead.
412 *
413 */
414 @Deprecated
415 protected native int classDepth(String name);
416
417 /**
418 * Returns the stack depth of the most recently executing method
419 * from a class defined using a non-system class loader. A non-system
420 * class loader is defined as being a class loader that is not equal to
421 * the system class loader (as returned
422 * by {@link ClassLoader#getSystemClassLoader}) or one of its ancestors.
423 * <p>
424 * This method will return
425 * -1 in the following three cases:
426 * <ol>
427 * <li>All methods on the execution stack are from classes
428 * defined using the system class loader or one of its ancestors.
429 *
430 * <li>All methods on the execution stack up to the first
431 * "privileged" caller
432 * (see {@link java.security.AccessController#doPrivileged})
433 * are from classes
434 * defined using the system class loader or one of its ancestors.
435 *
436 * <li> A call to <code>checkPermission</code> with
437 * <code>java.security.AllPermission</code> does not
438 * result in a SecurityException.
439 *
440 * </ol>
441 *
442 * @return the depth on the stack frame of the most recent occurrence of
443 * a method from a class defined using a non-system class loader.
444 *
445 * @deprecated This type of security checking is not recommended.
446 * It is recommended that the <code>checkPermission</code>
447 * call be used instead.
448 *
449 * @see java.lang.ClassLoader#getSystemClassLoader() getSystemClassLoader
450 * @see #checkPermission(java.security.Permission) checkPermission
451 */
452 @Deprecated
453 protected int classLoaderDepth() {
454 int depth = classLoaderDepth0();
455 if (depth != -1) {
456 if (hasAllPermission())
457 depth = -1;
458 else
459 depth--; // make sure we don't include ourself
460 }
461 return depth;
462 }
463
464 private native int classLoaderDepth0();
465
466 /**
467 * Tests if a method from a class with the specified
468 * name is on the execution stack.
469 *
470 * @param name the fully qualified name of the class.
471 * @return <code>true</code> if a method from a class with the specified
472 * name is on the execution stack; <code>false</code> otherwise.
473 * @deprecated This type of security checking is not recommended.
474 * It is recommended that the <code>checkPermission</code>
475 * call be used instead.
476 */
477 @Deprecated
478 protected boolean inClass(String name) {
479 return classDepth(name) >= 0;
480 }
481
482 /**
483 * Basically, tests if a method from a class defined using a
484 * class loader is on the execution stack.
485 *
486 * @return <code>true</code> if a call to <code>currentClassLoader</code>
487 * has a non-null return value.
488 *
489 * @deprecated This type of security checking is not recommended.
490 * It is recommended that the <code>checkPermission</code>
491 * call be used instead.
492 * @see #currentClassLoader() currentClassLoader
493 */
494 @Deprecated
495 protected boolean inClassLoader() {
496 return currentClassLoader() != null;
497 }
498
499 /**
500 * Creates an object that encapsulates the current execution
501 * environment. The result of this method is used, for example, by the
502 * three-argument <code>checkConnect</code> method and by the
503 * two-argument <code>checkRead</code> method.
504 * These methods are needed because a trusted method may be called
505 * on to read a file or open a socket on behalf of another method.
506 * The trusted method needs to determine if the other (possibly
507 * untrusted) method would be allowed to perform the operation on its
508 * own.
509 * <p> The default implementation of this method is to return
510 * an <code>AccessControlContext</code> object.
511 *
512 * @return an implementation-dependent object that encapsulates
513 * sufficient information about the current execution environment
514 * to perform some security checks later.
515 * @see java.lang.SecurityManager#checkConnect(java.lang.String, int,
516 * java.lang.Object) checkConnect
517 * @see java.lang.SecurityManager#checkRead(java.lang.String,
518 * java.lang.Object) checkRead
519 * @see java.security.AccessControlContext AccessControlContext
520 */
521 public Object getSecurityContext() {
522 return AccessController.getContext();
523 }
524
525 /**
526 * Throws a <code>SecurityException</code> if the requested
527 * access, specified by the given permission, is not permitted based
528 * on the security policy currently in effect.
529 * <p>
530 * This method calls <code>AccessController.checkPermission</code>
531 * with the given permission.
532 *
533 * @param perm the requested permission.
534 * @exception SecurityException if access is not permitted based on
535 * the current security policy.
536 * @exception NullPointerException if the permission argument is
537 * <code>null</code>.
538 * @since 1.2
539 */
540 public void checkPermission(Permission perm) {
541 java.security.AccessController.checkPermission(perm);
542 }
543
544 /**
545 * Throws a <code>SecurityException</code> if the
546 * specified security context is denied access to the resource
547 * specified by the given permission.
548 * The context must be a security
549 * context returned by a previous call to
550 * <code>getSecurityContext</code> and the access control
551 * decision is based upon the configured security policy for
552 * that security context.
553 * <p>
554 * If <code>context</code> is an instance of
555 * <code>AccessControlContext</code> then the
556 * <code>AccessControlContext.checkPermission</code> method is
557 * invoked with the specified permission.
558 * <p>
559 * If <code>context</code> is not an instance of
560 * <code>AccessControlContext</code> then a
561 * <code>SecurityException</code> is thrown.
562 *
563 * @param perm the specified permission
564 * @param context a system-dependent security context.
565 * @exception SecurityException if the specified security context
566 * is not an instance of <code>AccessControlContext</code>
567 * (e.g., is <code>null</code>), or is denied access to the
568 * resource specified by the given permission.
569 * @exception NullPointerException if the permission argument is
570 * <code>null</code>.
571 * @see java.lang.SecurityManager#getSecurityContext()
572 * @see java.security.AccessControlContext#checkPermission(java.security.Permission)
573 * @since 1.2
574 */
575 public void checkPermission(Permission perm, Object context) {
576 if (context instanceof AccessControlContext) {
577 ((AccessControlContext)context).checkPermission(perm);
578 } else {
579 throw new SecurityException();
580 }
581 }
582
583 /**
584 * Throws a <code>SecurityException</code> if the
585 * calling thread is not allowed to create a new class loader.
586 * <p>
587 * This method calls <code>checkPermission</code> with the
588 * <code>RuntimePermission("createClassLoader")</code>
589 * permission.
590 * <p>
591 * If you override this method, then you should make a call to
592 * <code>super.checkCreateClassLoader</code>
593 * at the point the overridden method would normally throw an
594 * exception.
595 *
596 * @exception SecurityException if the calling thread does not
597 * have permission
598 * to create a new class loader.
599 * @see java.lang.ClassLoader#ClassLoader()
600 * @see #checkPermission(java.security.Permission) checkPermission
601 */
602 public void checkCreateClassLoader() {
603 checkPermission(SecurityConstants.CREATE_CLASSLOADER_PERMISSION);
604 }
605
606 /**
607 * reference to the root thread group, used for the checkAccess
608 * methods.
609 */
610
611 private static ThreadGroup rootGroup = getRootGroup();
612
613 private static ThreadGroup getRootGroup() {
614 ThreadGroup root = Thread.currentThread().getThreadGroup();
615 while (root.getParent() != null) {
616 root = root.getParent();
617 }
618 return root;
619 }
620
621 /**
622 * Throws a <code>SecurityException</code> if the
623 * calling thread is not allowed to modify the thread argument.
624 * <p>
625 * This method is invoked for the current security manager by the
626 * <code>stop</code>, <code>suspend</code>, <code>resume</code>,
627 * <code>setPriority</code>, <code>setName</code>, and
628 * <code>setDaemon</code> methods of class <code>Thread</code>.
629 * <p>
630 * If the thread argument is a system thread (belongs to
631 * the thread group with a <code>null</code> parent) then
632 * this method calls <code>checkPermission</code> with the
633 * <code>RuntimePermission("modifyThread")</code> permission.
634 * If the thread argument is <i>not</i> a system thread,
635 * this method just returns silently.
636 * <p>
637 * Applications that want a stricter policy should override this
638 * method. If this method is overridden, the method that overrides
639 * it should additionally check to see if the calling thread has the
640 * <code>RuntimePermission("modifyThread")</code> permission, and
641 * if so, return silently. This is to ensure that code granted
642 * that permission (such as the JDK itself) is allowed to
643 * manipulate any thread.
644 * <p>
645 * If this method is overridden, then
646 * <code>super.checkAccess</code> should
647 * be called by the first statement in the overridden method, or the
648 * equivalent security check should be placed in the overridden method.
649 *
650 * @param t the thread to be checked.
651 * @exception SecurityException if the calling thread does not have
652 * permission to modify the thread.
653 * @exception NullPointerException if the thread argument is
654 * <code>null</code>.
655 * @see java.lang.Thread#resume() resume
656 * @see java.lang.Thread#setDaemon(boolean) setDaemon
657 * @see java.lang.Thread#setName(java.lang.String) setName
658 * @see java.lang.Thread#setPriority(int) setPriority
659 * @see java.lang.Thread#stop() stop
660 * @see java.lang.Thread#suspend() suspend
661 * @see #checkPermission(java.security.Permission) checkPermission
662 */
663 public void checkAccess(Thread t) {
664 if (t == null) {
665 throw new NullPointerException("thread can't be null");
666 }
667 if (t.getThreadGroup() == rootGroup) {
668 checkPermission(SecurityConstants.MODIFY_THREAD_PERMISSION);
669 } else {
670 // just return
671 }
672 }
673 /**
674 * Throws a <code>SecurityException</code> if the
675 * calling thread is not allowed to modify the thread group argument.
676 * <p>
677 * This method is invoked for the current security manager when a
678 * new child thread or child thread group is created, and by the
679 * <code>setDaemon</code>, <code>setMaxPriority</code>,
680 * <code>stop</code>, <code>suspend</code>, <code>resume</code>, and
681 * <code>destroy</code> methods of class <code>ThreadGroup</code>.
682 * <p>
683 * If the thread group argument is the system thread group (
684 * has a <code>null</code> parent) then
685 * this method calls <code>checkPermission</code> with the
686 * <code>RuntimePermission("modifyThreadGroup")</code> permission.
687 * If the thread group argument is <i>not</i> the system thread group,
688 * this method just returns silently.
689 * <p>
690 * Applications that want a stricter policy should override this
691 * method. If this method is overridden, the method that overrides
692 * it should additionally check to see if the calling thread has the
693 * <code>RuntimePermission("modifyThreadGroup")</code> permission, and
694 * if so, return silently. This is to ensure that code granted
695 * that permission (such as the JDK itself) is allowed to
696 * manipulate any thread.
697 * <p>
698 * If this method is overridden, then
699 * <code>super.checkAccess</code> should
700 * be called by the first statement in the overridden method, or the
701 * equivalent security check should be placed in the overridden method.
702 *
703 * @param g the thread group to be checked.
704 * @exception SecurityException if the calling thread does not have
705 * permission to modify the thread group.
706 * @exception NullPointerException if the thread group argument is
707 * <code>null</code>.
708 * @see java.lang.ThreadGroup#destroy() destroy
709 * @see java.lang.ThreadGroup#resume() resume
710 * @see java.lang.ThreadGroup#setDaemon(boolean) setDaemon
711 * @see java.lang.ThreadGroup#setMaxPriority(int) setMaxPriority
712 * @see java.lang.ThreadGroup#stop() stop
713 * @see java.lang.ThreadGroup#suspend() suspend
714 * @see #checkPermission(java.security.Permission) checkPermission
715 */
716 public void checkAccess(ThreadGroup g) {
717 if (g == null) {
718 throw new NullPointerException("thread group can't be null");
719 }
720 if (g == rootGroup) {
721 checkPermission(SecurityConstants.MODIFY_THREADGROUP_PERMISSION);
722 } else {
723 // just return
724 }
725 }
726
727 /**
728 * Throws a <code>SecurityException</code> if the
729 * calling thread is not allowed to cause the Java Virtual Machine to
730 * halt with the specified status code.
731 * <p>
732 * This method is invoked for the current security manager by the
733 * <code>exit</code> method of class <code>Runtime</code>. A status
734 * of <code>0</code> indicates success; other values indicate various
735 * errors.
736 * <p>
737 * This method calls <code>checkPermission</code> with the
738 * <code>RuntimePermission("exitVM."+status)</code> permission.
739 * <p>
740 * If you override this method, then you should make a call to
741 * <code>super.checkExit</code>
742 * at the point the overridden method would normally throw an
743 * exception.
744 *
745 * @param status the exit status.
746 * @exception SecurityException if the calling thread does not have
747 * permission to halt the Java Virtual Machine with
748 * the specified status.
749 * @see java.lang.Runtime#exit(int) exit
750 * @see #checkPermission(java.security.Permission) checkPermission
751 */
752 public void checkExit(int status) {
753 checkPermission(new RuntimePermission("exitVM."+status));
754 }
755
756 /**
757 * Throws a <code>SecurityException</code> if the
758 * calling thread is not allowed to create a subprocess.
759 * <p>
760 * This method is invoked for the current security manager by the
761 * <code>exec</code> methods of class <code>Runtime</code>.
762 * <p>
763 * This method calls <code>checkPermission</code> with the
764 * <code>FilePermission(cmd,"execute")</code> permission
765 * if cmd is an absolute path, otherwise it calls
766 * <code>checkPermission</code> with
767 * <code>FilePermission("<<ALL FILES>>","execute")</code>.
768 * <p>
769 * If you override this method, then you should make a call to
770 * <code>super.checkExec</code>
771 * at the point the overridden method would normally throw an
772 * exception.
773 *
774 * @param cmd the specified system command.
775 * @exception SecurityException if the calling thread does not have
776 * permission to create a subprocess.
777 * @exception NullPointerException if the <code>cmd</code> argument is
778 * <code>null</code>.
779 * @see java.lang.Runtime#exec(java.lang.String)
780 * @see java.lang.Runtime#exec(java.lang.String, java.lang.String[])
781 * @see java.lang.Runtime#exec(java.lang.String[])
782 * @see java.lang.Runtime#exec(java.lang.String[], java.lang.String[])
783 * @see #checkPermission(java.security.Permission) checkPermission
784 */
785 public void checkExec(String cmd) {
786 File f = new File(cmd);
787 if (f.isAbsolute()) {
788 checkPermission(new FilePermission(cmd,
789 SecurityConstants.FILE_EXECUTE_ACTION));
790 } else {
791 checkPermission(new FilePermission("<<ALL FILES>>",
792 SecurityConstants.FILE_EXECUTE_ACTION));
793 }
794 }
795
796 /**
797 * Throws a <code>SecurityException</code> if the
798 * calling thread is not allowed to dynamic link the library code
799 * specified by the string argument file. The argument is either a
800 * simple library name or a complete filename.
801 * <p>
802 * This method is invoked for the current security manager by
803 * methods <code>load</code> and <code>loadLibrary</code> of class
804 * <code>Runtime</code>.
805 * <p>
806 * This method calls <code>checkPermission</code> with the
807 * <code>RuntimePermission("loadLibrary."+lib)</code> permission.
808 * <p>
809 * If you override this method, then you should make a call to
810 * <code>super.checkLink</code>
811 * at the point the overridden method would normally throw an
812 * exception.
813 *
814 * @param lib the name of the library.
815 * @exception SecurityException if the calling thread does not have
816 * permission to dynamically link the library.
817 * @exception NullPointerException if the <code>lib</code> argument is
818 * <code>null</code>.
819 * @see java.lang.Runtime#load(java.lang.String)
820 * @see java.lang.Runtime#loadLibrary(java.lang.String)
821 * @see #checkPermission(java.security.Permission) checkPermission
822 */
823 public void checkLink(String lib) {
824 if (lib == null) {
825 throw new NullPointerException("library can't be null");
826 }
827 checkPermission(new RuntimePermission("loadLibrary."+lib));
828 }
829
830 /**
831 * Throws a <code>SecurityException</code> if the
832 * calling thread is not allowed to read from the specified file
833 * descriptor.
834 * <p>
835 * This method calls <code>checkPermission</code> with the
836 * <code>RuntimePermission("readFileDescriptor")</code>
837 * permission.
838 * <p>
839 * If you override this method, then you should make a call to
840 * <code>super.checkRead</code>
841 * at the point the overridden method would normally throw an
842 * exception.
843 *
844 * @param fd the system-dependent file descriptor.
845 * @exception SecurityException if the calling thread does not have
846 * permission to access the specified file descriptor.
847 * @exception NullPointerException if the file descriptor argument is
848 * <code>null</code>.
849 * @see java.io.FileDescriptor
850 * @see #checkPermission(java.security.Permission) checkPermission
851 */
852 public void checkRead(FileDescriptor fd) {
853 if (fd == null) {
854 throw new NullPointerException("file descriptor can't be null");
855 }
856 checkPermission(new RuntimePermission("readFileDescriptor"));
857 }
858
859 /**
860 * Throws a <code>SecurityException</code> if the
861 * calling thread is not allowed to read the file specified by the
862 * string argument.
863 * <p>
864 * This method calls <code>checkPermission</code> with the
865 * <code>FilePermission(file,"read")</code> permission.
866 * <p>
867 * If you override this method, then you should make a call to
868 * <code>super.checkRead</code>
869 * at the point the overridden method would normally throw an
870 * exception.
871 *
872 * @param file the system-dependent file name.
873 * @exception SecurityException if the calling thread does not have
874 * permission to access the specified file.
875 * @exception NullPointerException if the <code>file</code> argument is
876 * <code>null</code>.
877 * @see #checkPermission(java.security.Permission) checkPermission
878 */
879 public void checkRead(String file) {
880 checkPermission(new FilePermission(file,
881 SecurityConstants.FILE_READ_ACTION));
882 }
883
884 /**
885 * Throws a <code>SecurityException</code> if the
886 * specified security context is not allowed to read the file
887 * specified by the string argument. The context must be a security
888 * context returned by a previous call to
889 * <code>getSecurityContext</code>.
890 * <p> If <code>context</code> is an instance of
891 * <code>AccessControlContext</code> then the
892 * <code>AccessControlContext.checkPermission</code> method will
893 * be invoked with the <code>FilePermission(file,"read")</code> permission.
894 * <p> If <code>context</code> is not an instance of
895 * <code>AccessControlContext</code> then a
896 * <code>SecurityException</code> is thrown.
897 * <p>
898 * If you override this method, then you should make a call to
899 * <code>super.checkRead</code>
900 * at the point the overridden method would normally throw an
901 * exception.
902 *
903 * @param file the system-dependent filename.
904 * @param context a system-dependent security context.
905 * @exception SecurityException if the specified security context
906 * is not an instance of <code>AccessControlContext</code>
907 * (e.g., is <code>null</code>), or does not have permission
908 * to read the specified file.
909 * @exception NullPointerException if the <code>file</code> argument is
910 * <code>null</code>.
911 * @see java.lang.SecurityManager#getSecurityContext()
912 * @see java.security.AccessControlContext#checkPermission(java.security.Permission)
913 */
914 public void checkRead(String file, Object context) {
915 checkPermission(
916 new FilePermission(file, SecurityConstants.FILE_READ_ACTION),
917 context);
918 }
919
920 /**
921 * Throws a <code>SecurityException</code> if the
922 * calling thread is not allowed to write to the specified file
923 * descriptor.
924 * <p>
925 * This method calls <code>checkPermission</code> with the
926 * <code>RuntimePermission("writeFileDescriptor")</code>
927 * permission.
928 * <p>
929 * If you override this method, then you should make a call to
930 * <code>super.checkWrite</code>
931 * at the point the overridden method would normally throw an
932 * exception.
933 *
934 * @param fd the system-dependent file descriptor.
935 * @exception SecurityException if the calling thread does not have
936 * permission to access the specified file descriptor.
937 * @exception NullPointerException if the file descriptor argument is
938 * <code>null</code>.
939 * @see java.io.FileDescriptor
940 * @see #checkPermission(java.security.Permission) checkPermission
941 */
942 public void checkWrite(FileDescriptor fd) {
943 if (fd == null) {
944 throw new NullPointerException("file descriptor can't be null");
945 }
946 checkPermission(new RuntimePermission("writeFileDescriptor"));
947
948 }
949
950 /**
951 * Throws a <code>SecurityException</code> if the
952 * calling thread is not allowed to write to the file specified by
953 * the string argument.
954 * <p>
955 * This method calls <code>checkPermission</code> with the
956 * <code>FilePermission(file,"write")</code> permission.
957 * <p>
958 * If you override this method, then you should make a call to
959 * <code>super.checkWrite</code>
960 * at the point the overridden method would normally throw an
961 * exception.
962 *
963 * @param file the system-dependent filename.
964 * @exception SecurityException if the calling thread does not
965 * have permission to access the specified file.
966 * @exception NullPointerException if the <code>file</code> argument is
967 * <code>null</code>.
968 * @see #checkPermission(java.security.Permission) checkPermission
969 */
970 public void checkWrite(String file) {
971 checkPermission(new FilePermission(file,
972 SecurityConstants.FILE_WRITE_ACTION));
973 }
974
975 /**
976 * Throws a <code>SecurityException</code> if the
977 * calling thread is not allowed to delete the specified file.
978 * <p>
979 * This method is invoked for the current security manager by the
980 * <code>delete</code> method of class <code>File</code>.
981 * <p>
982 * This method calls <code>checkPermission</code> with the
983 * <code>FilePermission(file,"delete")</code> permission.
984 * <p>
985 * If you override this method, then you should make a call to
986 * <code>super.checkDelete</code>
987 * at the point the overridden method would normally throw an
988 * exception.
989 *
990 * @param file the system-dependent filename.
991 * @exception SecurityException if the calling thread does not
992 * have permission to delete the file.
993 * @exception NullPointerException if the <code>file</code> argument is
994 * <code>null</code>.
995 * @see java.io.File#delete()
996 * @see #checkPermission(java.security.Permission) checkPermission
997 */
998 public void checkDelete(String file) {
999 checkPermission(new FilePermission(file,
1000 SecurityConstants.FILE_DELETE_ACTION));
1001 }
1002
1003 /**
1004 * Throws a <code>SecurityException</code> if the
1005 * calling thread is not allowed to open a socket connection to the
1006 * specified host and port number.
1007 * <p>
1008 * A port number of <code>-1</code> indicates that the calling
1009 * method is attempting to determine the IP address of the specified
1010 * host name.
1011 * <p>
1012 * This method calls <code>checkPermission</code> with the
1013 * <code>SocketPermission(host+":"+port,"connect")</code> permission if
1014 * the port is not equal to -1. If the port is equal to -1, then
1015 * it calls <code>checkPermission</code> with the
1016 * <code>SocketPermission(host,"resolve")</code> permission.
1017 * <p>
1018 * If you override this method, then you should make a call to
1019 * <code>super.checkConnect</code>
1020 * at the point the overridden method would normally throw an
1021 * exception.
1022 *
1023 * @param host the host name port to connect to.
1024 * @param port the protocol port to connect to.
1025 * @exception SecurityException if the calling thread does not have
1026 * permission to open a socket connection to the specified
1027 * <code>host</code> and <code>port</code>.
1028 * @exception NullPointerException if the <code>host</code> argument is
1029 * <code>null</code>.
1030 * @see #checkPermission(java.security.Permission) checkPermission
1031 */
1032 public void checkConnect(String host, int port) {
1033 if (host == null) {
1034 throw new NullPointerException("host can't be null");
1035 }
1036 if (!host.startsWith("[") && host.indexOf(':') != -1) {
1037 host = "[" + host + "]";
1038 }
1039 if (port == -1) {
1040 checkPermission(new SocketPermission(host,
1041 SecurityConstants.SOCKET_RESOLVE_ACTION));
1042 } else {
1043 checkPermission(new SocketPermission(host+":"+port,
1044 SecurityConstants.SOCKET_CONNECT_ACTION));
1045 }
1046 }
1047
1048 /**
1049 * Throws a <code>SecurityException</code> if the
1050 * specified security context is not allowed to open a socket
1051 * connection to the specified host and port number.
1052 * <p>
1053 * A port number of <code>-1</code> indicates that the calling
1054 * method is attempting to determine the IP address of the specified
1055 * host name.
1056 * <p> If <code>context</code> is not an instance of
1057 * <code>AccessControlContext</code> then a
1058 * <code>SecurityException</code> is thrown.
1059 * <p>
1060 * Otherwise, the port number is checked. If it is not equal
1061 * to -1, the <code>context</code>'s <code>checkPermission</code>
1062 * method is called with a
1063 * <code>SocketPermission(host+":"+port,"connect")</code> permission.
1064 * If the port is equal to -1, then
1065 * the <code>context</code>'s <code>checkPermission</code> method
1066 * is called with a
1067 * <code>SocketPermission(host,"resolve")</code> permission.
1068 * <p>
1069 * If you override this method, then you should make a call to
1070 * <code>super.checkConnect</code>
1071 * at the point the overridden method would normally throw an
1072 * exception.
1073 *
1074 * @param host the host name port to connect to.
1075 * @param port the protocol port to connect to.
1076 * @param context a system-dependent security context.
1077 * @exception SecurityException if the specified security context
1078 * is not an instance of <code>AccessControlContext</code>
1079 * (e.g., is <code>null</code>), or does not have permission
1080 * to open a socket connection to the specified
1081 * <code>host</code> and <code>port</code>.
1082 * @exception NullPointerException if the <code>host</code> argument is
1083 * <code>null</code>.
1084 * @see java.lang.SecurityManager#getSecurityContext()
1085 * @see java.security.AccessControlContext#checkPermission(java.security.Permission)
1086 */
1087 public void checkConnect(String host, int port, Object context) {
1088 if (host == null) {
1089 throw new NullPointerException("host can't be null");
1090 }
1091 if (!host.startsWith("[") && host.indexOf(':') != -1) {
1092 host = "[" + host + "]";
1093 }
1094 if (port == -1)
1095 checkPermission(new SocketPermission(host,
1096 SecurityConstants.SOCKET_RESOLVE_ACTION),
1097 context);
1098 else
1099 checkPermission(new SocketPermission(host+":"+port,
1100 SecurityConstants.SOCKET_CONNECT_ACTION),
1101 context);
1102 }
1103
1104 /**
1105 * Throws a <code>SecurityException</code> if the
1106 * calling thread is not allowed to wait for a connection request on
1107 * the specified local port number.
1108 * <p>
1109 * This method calls <code>checkPermission</code> with the
1110 * <code>SocketPermission("localhost:"+port,"listen")</code>.
1111 * <p>
1112 * If you override this method, then you should make a call to
1113 * <code>super.checkListen</code>
1114 * at the point the overridden method would normally throw an
1115 * exception.
1116 *
1117 * @param port the local port.
1118 * @exception SecurityException if the calling thread does not have
1119 * permission to listen on the specified port.
1120 * @see #checkPermission(java.security.Permission) checkPermission
1121 */
1122 public void checkListen(int port) {
1123 checkPermission(new SocketPermission("localhost:"+port,
1124 SecurityConstants.SOCKET_LISTEN_ACTION));
1125 }
1126
1127 /**
1128 * Throws a <code>SecurityException</code> if the
1129 * calling thread is not permitted to accept a socket connection from
1130 * the specified host and port number.
1131 * <p>
1132 * This method is invoked for the current security manager by the
1133 * <code>accept</code> method of class <code>ServerSocket</code>.
1134 * <p>
1135 * This method calls <code>checkPermission</code> with the
1136 * <code>SocketPermission(host+":"+port,"accept")</code> permission.
1137 * <p>
1138 * If you override this method, then you should make a call to
1139 * <code>super.checkAccept</code>
1140 * at the point the overridden method would normally throw an
1141 * exception.
1142 *
1143 * @param host the host name of the socket connection.
1144 * @param port the port number of the socket connection.
1145 * @exception SecurityException if the calling thread does not have
1146 * permission to accept the connection.
1147 * @exception NullPointerException if the <code>host</code> argument is
1148 * <code>null</code>.
1149 * @see java.net.ServerSocket#accept()
1150 * @see #checkPermission(java.security.Permission) checkPermission
1151 */
1152 public void checkAccept(String host, int port) {
1153 if (host == null) {
1154 throw new NullPointerException("host can't be null");
1155 }
1156 if (!host.startsWith("[") && host.indexOf(':') != -1) {
1157 host = "[" + host + "]";
1158 }
1159 checkPermission(new SocketPermission(host+":"+port,
1160 SecurityConstants.SOCKET_ACCEPT_ACTION));
1161 }
1162
1163 /**
1164 * Throws a <code>SecurityException</code> if the
1165 * calling thread is not allowed to use
1166 * (join/leave/send/receive) IP multicast.
1167 * <p>
1168 * This method calls <code>checkPermission</code> with the
1169 * <code>java.net.SocketPermission(maddr.getHostAddress(),
1170 * "accept,connect")</code> permission.
1171 * <p>
1172 * If you override this method, then you should make a call to
1173 * <code>super.checkMulticast</code>
1174 * at the point the overridden method would normally throw an
1175 * exception.
1176 *
1177 * @param maddr Internet group address to be used.
1178 * @exception SecurityException if the calling thread is not allowed to
1179 * use (join/leave/send/receive) IP multicast.
1180 * @exception NullPointerException if the address argument is
1181 * <code>null</code>.
1182 * @since JDK1.1
1183 * @see #checkPermission(java.security.Permission) checkPermission
1184 */
1185 public void checkMulticast(InetAddress maddr) {
1186 String host = maddr.getHostAddress();
1187 if (!host.startsWith("[") && host.indexOf(':') != -1) {
1188 host = "[" + host + "]";
1189 }
1190 checkPermission(new SocketPermission(host,
1191 SecurityConstants.SOCKET_CONNECT_ACCEPT_ACTION));
1192 }
1193
1194 /**
1195 * Throws a <code>SecurityException</code> if the
1196 * calling thread is not allowed to use
1197 * (join/leave/send/receive) IP multicast.
1198 * <p>
1199 * This method calls <code>checkPermission</code> with the
1200 * <code>java.net.SocketPermission(maddr.getHostAddress(),
1201 * "accept,connect")</code> permission.
1202 * <p>
1203 * If you override this method, then you should make a call to
1204 * <code>super.checkMulticast</code>
1205 * at the point the overridden method would normally throw an
1206 * exception.
1207 *
1208 * @param maddr Internet group address to be used.
1209 * @param ttl value in use, if it is multicast send.
1210 * Note: this particular implementation does not use the ttl
1211 * parameter.
1212 * @exception SecurityException if the calling thread is not allowed to
1213 * use (join/leave/send/receive) IP multicast.
1214 * @exception NullPointerException if the address argument is
1215 * <code>null</code>.
1216 * @since JDK1.1
1217 * @deprecated Use #checkPermission(java.security.Permission) instead
1218 * @see #checkPermission(java.security.Permission) checkPermission
1219 */
1220 @Deprecated
1221 public void checkMulticast(InetAddress maddr, byte ttl) {
1222 String host = maddr.getHostAddress();
1223 if (!host.startsWith("[") && host.indexOf(':') != -1) {
1224 host = "[" + host + "]";
1225 }
1226 checkPermission(new SocketPermission(host,
1227 SecurityConstants.SOCKET_CONNECT_ACCEPT_ACTION));
1228 }
1229
1230 /**
1231 * Throws a <code>SecurityException</code> if the
1232 * calling thread is not allowed to access or modify the system
1233 * properties.
1234 * <p>
1235 * This method is used by the <code>getProperties</code> and
1236 * <code>setProperties</code> methods of class <code>System</code>.
1237 * <p>
1238 * This method calls <code>checkPermission</code> with the
1239 * <code>PropertyPermission("*", "read,write")</code> permission.
1240 * <p>
1241 * If you override this method, then you should make a call to
1242 * <code>super.checkPropertiesAccess</code>
1243 * at the point the overridden method would normally throw an
1244 * exception.
1245 * <p>
1246 *
1247 * @exception SecurityException if the calling thread does not have
1248 * permission to access or modify the system properties.
1249 * @see java.lang.System#getProperties()
1250 * @see java.lang.System#setProperties(java.util.Properties)
1251 * @see #checkPermission(java.security.Permission) checkPermission
1252 */
1253 public void checkPropertiesAccess() {
1254 checkPermission(new PropertyPermission("*",
1255 SecurityConstants.PROPERTY_RW_ACTION));
1256 }
1257
1258 /**
1259 * Throws a <code>SecurityException</code> if the
1260 * calling thread is not allowed to access the system property with
1261 * the specified <code>key</code> name.
1262 * <p>
1263 * This method is used by the <code>getProperty</code> method of
1264 * class <code>System</code>.
1265 * <p>
1266 * This method calls <code>checkPermission</code> with the
1267 * <code>PropertyPermission(key, "read")</code> permission.
1268 * <p>
1269 * If you override this method, then you should make a call to
1270 * <code>super.checkPropertyAccess</code>
1271 * at the point the overridden method would normally throw an
1272 * exception.
1273 *
1274 * @param key a system property key.
1275 *
1276 * @exception SecurityException if the calling thread does not have
1277 * permission to access the specified system property.
1278 * @exception NullPointerException if the <code>key</code> argument is
1279 * <code>null</code>.
1280 * @exception IllegalArgumentException if <code>key</code> is empty.
1281 *
1282 * @see java.lang.System#getProperty(java.lang.String)
1283 * @see #checkPermission(java.security.Permission) checkPermission
1284 */
1285 public void checkPropertyAccess(String key) {
1286 checkPermission(new PropertyPermission(key,
1287 SecurityConstants.PROPERTY_READ_ACTION));
1288 }
1289
1290 /**
1291 * Returns {@code true} if the calling thread has {@code AllPermission}.
1292 *
1293 * @param window not used except to check if it is {@code null}.
1294 * @return {@code true} if the calling thread has {@code AllPermission}.
1295 * @exception NullPointerException if the {@code window} argument is
1296 * {@code null}.
1297 * @deprecated This method was originally used to check if the calling thread
1298 * was trusted to bring up a top-level window. The method has been
1299 * obsoleted and code should instead use {@link #checkPermission}
1300 * to check {@code AWTPermission("showWindowWithoutWarningBanner")}.
1301 * @see #checkPermission(java.security.Permission) checkPermission
1302 */
1303 @Deprecated
1304 public boolean checkTopLevelWindow(Object window) {
1305 if (window == null) {
1306 throw new NullPointerException("window can't be null");
1307 }
1308 return hasAllPermission();
1309 }
1310
1311 /**
1312 * Throws a <code>SecurityException</code> if the
1313 * calling thread is not allowed to initiate a print job request.
1314 * <p>
1315 * This method calls
1316 * <code>checkPermission</code> with the
1317 * <code>RuntimePermission("queuePrintJob")</code> permission.
1318 * <p>
1319 * If you override this method, then you should make a call to
1320 * <code>super.checkPrintJobAccess</code>
1321 * at the point the overridden method would normally throw an
1322 * exception.
1323 * <p>
1324 *
1325 * @exception SecurityException if the calling thread does not have
1326 * permission to initiate a print job request.
1327 * @since JDK1.1
1328 * @see #checkPermission(java.security.Permission) checkPermission
1329 */
1330 public void checkPrintJobAccess() {
1331 checkPermission(new RuntimePermission("queuePrintJob"));
1332 }
1333
1334 /**
1335 * Throws {@code SecurityException} if the calling thread does
1336 * not have {@code AllPermission}.
1337 *
1338 * @since JDK1.1
1339 * @exception SecurityException if the calling thread does not have
1340 * {@code AllPermission}
1341 * @deprecated This method was originally used to check if the calling
1342 * thread could access the system clipboard. The method has been
1343 * obsoleted and code should instead use {@link #checkPermission}
1344 * to check {@code AWTPermission("accessClipboard")}.
1345 * @see #checkPermission(java.security.Permission) checkPermission
1346 */
1347 @Deprecated
1348 public void checkSystemClipboardAccess() {
1349 checkPermission(SecurityConstants.ALL_PERMISSION);
1350 }
1351
1352 /**
1353 * Throws {@code SecurityException} if the calling thread does
1354 * not have {@code AllPermission}.
1355 *
1356 * @since JDK1.1
1357 * @exception SecurityException if the calling thread does not have
1358 * {@code AllPermission}
1359 * @deprecated This method was originally used to check if the calling
1360 * thread could access the AWT event queue. The method has been
1361 * obsoleted and code should instead use {@link #checkPermission}
1362 * to check {@code AWTPermission("accessEventQueue")}.
1363 * @see #checkPermission(java.security.Permission) checkPermission
1364 */
1365 @Deprecated
1366 public void checkAwtEventQueueAccess() {
1367 checkPermission(SecurityConstants.ALL_PERMISSION);
1368 }
1369
1370 /*
1371 * We have an initial invalid bit (initially false) for the class
1372 * variables which tell if the cache is valid. If the underlying
1373 * java.security.Security property changes via setProperty(), the
1374 * Security class uses reflection to change the variable and thus
1375 * invalidate the cache.
1376 *
1377 * Locking is handled by synchronization to the
1378 * packageAccessLock/packageDefinitionLock objects. They are only
1379 * used in this class.
1380 *
1381 * Note that cache invalidation as a result of the property change
1382 * happens without using these locks, so there may be a delay between
1383 * when a thread updates the property and when other threads updates
1384 * the cache.
1385 */
1386 private static boolean packageAccessValid = false;
1387 private static String[] packageAccess;
1388 private static final Object packageAccessLock = new Object();
1389
1390 private static boolean packageDefinitionValid = false;
1391 private static String[] packageDefinition;
1392 private static final Object packageDefinitionLock = new Object();
1393
1394 private static String[] getPackages(String p) {
1395 String packages[] = null;
1396 if (p != null && !p.equals("")) {
1397 java.util.StringTokenizer tok =
1398 new java.util.StringTokenizer(p, ",");
1399 int n = tok.countTokens();
1400 if (n > 0) {
1401 packages = new String[n];
1402 int i = 0;
1403 while (tok.hasMoreElements()) {
1404 String s = tok.nextToken().trim();
1405 packages[i++] = s;
1406 }
1407 }
1408 }
1409
1410 if (packages == null)
1411 packages = new String[0];
1412 return packages;
1413 }
1414
1415 /**
1416 * Throws a <code>SecurityException</code> if the
1417 * calling thread is not allowed to access the package specified by
1418 * the argument.
1419 * <p>
1420 * This method is used by the <code>loadClass</code> method of class
1421 * loaders.
1422 * <p>
1423 * This method first gets a list of
1424 * restricted packages by obtaining a comma-separated list from
1425 * a call to
1426 * <code>java.security.Security.getProperty("package.access")</code>,
1427 * and checks to see if <code>pkg</code> starts with or equals
1428 * any of the restricted packages. If it does, then
1429 * <code>checkPermission</code> gets called with the
1430 * <code>RuntimePermission("accessClassInPackage."+pkg)</code>
1431 * permission.
1432 * <p>
1433 * If this method is overridden, then
1434 * <code>super.checkPackageAccess</code> should be called
1435 * as the first line in the overridden method.
1436 *
1437 * @param pkg the package name.
1438 * @exception SecurityException if the calling thread does not have
1439 * permission to access the specified package.
1440 * @exception NullPointerException if the package name argument is
1441 * <code>null</code>.
1442 * @see java.lang.ClassLoader#loadClass(java.lang.String, boolean)
1443 * loadClass
1444 * @see java.security.Security#getProperty getProperty
1445 * @see #checkPermission(java.security.Permission) checkPermission
1446 */
1447 public void checkPackageAccess(String pkg) {
1448 if (pkg == null) {
1449 throw new NullPointerException("package name can't be null");
1450 }
1451
1452 String[] pkgs;
1453 synchronized (packageAccessLock) {
1454 /*
1455 * Do we need to update our property array?
1456 */
1457 if (!packageAccessValid) {
1458 String tmpPropertyStr =
1459 AccessController.doPrivileged(
1460 new PrivilegedAction<String>() {
1461 public String run() {
1462 return java.security.Security.getProperty(
1463 "package.access");
1464 }
1465 }
1466 );
1467 packageAccess = getPackages(tmpPropertyStr);
1468 packageAccessValid = true;
1469 }
1470
1471 // Using a snapshot of packageAccess -- don't care if static field
1472 // changes afterwards; array contents won't change.
1473 pkgs = packageAccess;
1474 }
1475
1476 /*
1477 * Traverse the list of packages, check for any matches.
1478 */
1479 for (String restrictedPkg : pkgs) {
1480 if (pkg.startsWith(restrictedPkg) || restrictedPkg.equals(pkg + ".")) {
1481 checkPermission(
1482 new RuntimePermission("accessClassInPackage." + pkg));
1483 break; // No need to continue; only need to check this once
1484 }
1485 }
1486 }
1487
1488 /**
1489 * Throws a <code>SecurityException</code> if the
1490 * calling thread is not allowed to define classes in the package
1491 * specified by the argument.
1492 * <p>
1493 * This method is used by the <code>loadClass</code> method of some
1494 * class loaders.
1495 * <p>
1496 * This method first gets a list of restricted packages by
1497 * obtaining a comma-separated list from a call to
1498 * <code>java.security.Security.getProperty("package.definition")</code>,
1499 * and checks to see if <code>pkg</code> starts with or equals
1500 * any of the restricted packages. If it does, then
1501 * <code>checkPermission</code> gets called with the
1502 * <code>RuntimePermission("defineClassInPackage."+pkg)</code>
1503 * permission.
1504 * <p>
1505 * If this method is overridden, then
1506 * <code>super.checkPackageDefinition</code> should be called
1507 * as the first line in the overridden method.
1508 *
1509 * @param pkg the package name.
1510 * @exception SecurityException if the calling thread does not have
1511 * permission to define classes in the specified package.
1512 * @see java.lang.ClassLoader#loadClass(java.lang.String, boolean)
1513 * @see java.security.Security#getProperty getProperty
1514 * @see #checkPermission(java.security.Permission) checkPermission
1515 */
1516 public void checkPackageDefinition(String pkg) {
1517 if (pkg == null) {
1518 throw new NullPointerException("package name can't be null");
1519 }
1520
1521 String[] pkgs;
1522 synchronized (packageDefinitionLock) {
1523 /*
1524 * Do we need to update our property array?
1525 */
1526 if (!packageDefinitionValid) {
1527 String tmpPropertyStr =
1528 AccessController.doPrivileged(
1529 new PrivilegedAction<String>() {
1530 public String run() {
1531 return java.security.Security.getProperty(
1532 "package.definition");
1533 }
1534 }
1535 );
1536 packageDefinition = getPackages(tmpPropertyStr);
1537 packageDefinitionValid = true;
1538 }
1539 // Using a snapshot of packageDefinition -- don't care if static
1540 // field changes afterwards; array contents won't change.
1541 pkgs = packageDefinition;
1542 }
1543
1544 /*
1545 * Traverse the list of packages, check for any matches.
1546 */
1547 for (String restrictedPkg : pkgs) {
1548 if (pkg.startsWith(restrictedPkg) || restrictedPkg.equals(pkg + ".")) {
1549 checkPermission(
1550 new RuntimePermission("defineClassInPackage." + pkg));
1551 break; // No need to continue; only need to check this once
1552 }
1553 }
1554 }
1555
1556 /**
1557 * Throws a <code>SecurityException</code> if the
1558 * calling thread is not allowed to set the socket factory used by
1559 * <code>ServerSocket</code> or <code>Socket</code>, or the stream
1560 * handler factory used by <code>URL</code>.
1561 * <p>
1562 * This method calls <code>checkPermission</code> with the
1563 * <code>RuntimePermission("setFactory")</code> permission.
1564 * <p>
1565 * If you override this method, then you should make a call to
1566 * <code>super.checkSetFactory</code>
1567 * at the point the overridden method would normally throw an
1568 * exception.
1569 * <p>
1570 *
1571 * @exception SecurityException if the calling thread does not have
1572 * permission to specify a socket factory or a stream
1573 * handler factory.
1574 *
1575 * @see java.net.ServerSocket#setSocketFactory(java.net.SocketImplFactory) setSocketFactory
1576 * @see java.net.Socket#setSocketImplFactory(java.net.SocketImplFactory) setSocketImplFactory
1577 * @see java.net.URL#setURLStreamHandlerFactory(java.net.URLStreamHandlerFactory) setURLStreamHandlerFactory
1578 * @see #checkPermission(java.security.Permission) checkPermission
1579 */
1580 public void checkSetFactory() {
1581 checkPermission(new RuntimePermission("setFactory"));
1582 }
1583
1584 /**
1585 * Throws a <code>SecurityException</code> if the
1586 * calling thread is not allowed to access members.
1587 * <p>
1588 * The default policy is to allow access to PUBLIC members, as well
1589 * as access to classes that have the same class loader as the caller.
1590 * In all other cases, this method calls <code>checkPermission</code>
1591 * with the <code>RuntimePermission("accessDeclaredMembers")
1592 * </code> permission.
1593 * <p>
1594 * If this method is overridden, then a call to
1595 * <code>super.checkMemberAccess</code> cannot be made,
1596 * as the default implementation of <code>checkMemberAccess</code>
1597 * relies on the code being checked being at a stack depth of
1598 * 4.
1599 *
1600 * @param clazz the class that reflection is to be performed on.
1601 *
1602 * @param which type of access, PUBLIC or DECLARED.
1603 *
1604 * @exception SecurityException if the caller does not have
1605 * permission to access members.
1606 * @exception NullPointerException if the <code>clazz</code> argument is
1607 * <code>null</code>.
1608 *
1609 * @deprecated This method relies on the caller being at a stack depth
1610 * of 4 which is error-prone and cannot be enforced by the runtime.
1611 * Users of this method should instead invoke {@link #checkPermission}
1612 * directly. This method will be changed in a future release
1613 * to check the permission {@code java.security.AllPermission}.
1614 *
1615 * @see java.lang.reflect.Member
1616 * @since JDK1.1
1617 * @see #checkPermission(java.security.Permission) checkPermission
1618 */
1619 @Deprecated
1620 @CallerSensitive
1621 public void checkMemberAccess(Class<?> clazz, int which) {
1622 if (clazz == null) {
1623 throw new NullPointerException("class can't be null");
1624 }
1625 if (which != Member.PUBLIC) {
1626 Class<?> stack[] = getClassContext();
1627 /*
1628 * stack depth of 4 should be the caller of one of the
1629 * methods in java.lang.Class that invoke checkMember
1630 * access. The stack should look like:
1631 *
1632 * someCaller [3]
1633 * java.lang.Class.someReflectionAPI [2]
1634 * java.lang.Class.checkMemberAccess [1]
1635 * SecurityManager.checkMemberAccess [0]
1636 *
1637 */
1638 if ((stack.length<4) ||
1639 (stack[3].getClassLoader() != clazz.getClassLoader())) {
1640 checkPermission(SecurityConstants.CHECK_MEMBER_ACCESS_PERMISSION);
1641 }
1642 }
1643 }
1644
1645 /**
1646 * Determines whether the permission with the specified permission target
1647 * name should be granted or denied.
1648 *
1649 * <p> If the requested permission is allowed, this method returns
1650 * quietly. If denied, a SecurityException is raised.
1651 *
1652 * <p> This method creates a <code>SecurityPermission</code> object for
1653 * the given permission target name and calls <code>checkPermission</code>
1654 * with it.
1655 *
1656 * <p> See the documentation for
1657 * <code>{@link java.security.SecurityPermission}</code> for
1658 * a list of possible permission target names.
1659 *
1660 * <p> If you override this method, then you should make a call to
1661 * <code>super.checkSecurityAccess</code>
1662 * at the point the overridden method would normally throw an
1663 * exception.
1664 *
1665 * @param target the target name of the <code>SecurityPermission</code>.
1666 *
1667 * @exception SecurityException if the calling thread does not have
1668 * permission for the requested access.
1669 * @exception NullPointerException if <code>target</code> is null.
1670 * @exception IllegalArgumentException if <code>target</code> is empty.
1671 *
1672 * @since JDK1.1
1673 * @see #checkPermission(java.security.Permission) checkPermission
1674 */
1675 public void checkSecurityAccess(String target) {
1676 checkPermission(new SecurityPermission(target));
1677 }
1678
1679 private native Class<?> currentLoadedClass0();
1680
1681 /**
1682 * Returns the thread group into which to instantiate any new
1683 * thread being created at the time this is being called.
1684 * By default, it returns the thread group of the current
1685 * thread. This should be overridden by a specific security
1686 * manager to return the appropriate thread group.
1687 *
1688 * @return ThreadGroup that new threads are instantiated into
1689 * @since JDK1.1
1690 * @see java.lang.ThreadGroup
1691 */
1692 public ThreadGroup getThreadGroup() {
1693 return Thread.currentThread().getThreadGroup();
1694 }
1695
1696 }