1 /*
   2  * Copyright (c) 1997, 2011, Oracle and/or its affiliates. All rights reserved.
   3  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
   4  *
   5  * This code is free software; you can redistribute it and/or modify it
   6  * under the terms of the GNU General Public License version 2 only, as
   7  * published by the Free Software Foundation.  Oracle designates this
   8  * particular file as subject to the "Classpath" exception as provided
   9  * by Oracle in the LICENSE file that accompanied this code.
  10  *
  11  * This code is distributed in the hope that it will be useful, but WITHOUT
  12  * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
  13  * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  14  * version 2 for more details (a copy is included in the LICENSE file that
  15  * accompanied this code).
  16  *
  17  * You should have received a copy of the GNU General Public License version
  18  * 2 along with this work; if not, write to the Free Software Foundation,
  19  * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
  20  *
  21  * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
  22  * or visit www.oracle.com if you need additional information or have any
  23  * questions.
  24  */
  25 
  26 package java.security;
  27 
  28 import java.util.Enumeration;
  29 import java.util.Map;
  30 import java.util.HashMap;
  31 import java.util.Hashtable;
  32 import java.util.Collections;
  33 import java.io.ObjectStreamField;
  34 import java.io.ObjectOutputStream;
  35 import java.io.ObjectInputStream;
  36 import java.io.IOException;
  37 
  38 /**
  39  * The BasicPermission class extends the Permission class, and
  40  * can be used as the base class for permissions that want to
  41  * follow the same naming convention as BasicPermission.
  42  * <P>
  43  * The name for a BasicPermission is the name of the given permission
  44  * (for example, "exit",
  45  * "setFactory", "print.queueJob", etc). The naming
  46  * convention follows the  hierarchical property naming convention.
  47  * An asterisk may appear by itself, or if immediately preceded by a "."
  48  * may appear at the end of the name, to signify a wildcard match.
  49  * For example, "*" and "java.*" are valid, while "*java", "a*b",
  50  * and "java*" are not valid.
  51  * <P>
  52  * The action string (inherited from Permission) is unused.
  53  * Thus, BasicPermission is commonly used as the base class for
  54  * "named" permissions
  55  * (ones that contain a name but no actions list; you either have the
  56  * named permission or you don't.)
  57  * Subclasses may implement actions on top of BasicPermission,
  58  * if desired.
  59  * <p>
  60  * <P>
  61  * @see java.security.Permission
  62  * @see java.security.Permissions
  63  * @see java.security.PermissionCollection
  64  * @see java.lang.SecurityManager
  65  *
  66  * @author Marianne Mueller
  67  * @author Roland Schemers
  68  */
  69 
  70 public abstract class BasicPermission extends Permission
  71     implements java.io.Serializable
  72 {
  73 
  74     private static final long serialVersionUID = 6279438298436773498L;
  75 
  76     // does this permission have a wildcard at the end?
  77     private transient boolean wildcard;
  78 
  79     // the name without the wildcard on the end
  80     private transient String path;
  81 
  82     // is this permission the old-style exitVM permission (pre JDK 1.6)?
  83     private transient boolean exitVM;
  84 
  85     /**
  86      * initialize a BasicPermission object. Common to all constructors.
  87      */
  88     private void init(String name) {
  89         if (name == null)
  90             throw new NullPointerException("name can't be null");
  91 
  92         int len = name.length();
  93 
  94         if (len == 0) {
  95             throw new IllegalArgumentException("name can't be empty");
  96         }
  97 
  98         char last = name.charAt(len - 1);
  99 
 100         // Is wildcard or ends with ".*"?
 101         if (last == '*' && (len == 1 || name.charAt(len - 2) == '.')) {
 102             wildcard = true;
 103             if (len == 1) {
 104                 path = "";
 105             } else {
 106                 path = name.substring(0, len - 1);
 107             }
 108         } else {
 109             if (name.equals("exitVM")) {
 110                 wildcard = true;
 111                 path = "exitVM.";
 112                 exitVM = true;
 113             } else {
 114                 path = name;
 115             }
 116         }
 117     }
 118 
 119     /**
 120      * Creates a new BasicPermission with the specified name.
 121      * Name is the symbolic name of the permission, such as
 122      * "setFactory",
 123      * "print.queueJob", or "topLevelWindow", etc.
 124      *
 125      * @param name the name of the BasicPermission.
 126      *
 127      * @throws NullPointerException if <code>name</code> is <code>null</code>.
 128      * @throws IllegalArgumentException if <code>name</code> is empty.
 129      */
 130     public BasicPermission(String name) {
 131         super(name);
 132         init(name);
 133     }
 134 
 135 
 136     /**
 137      * Creates a new BasicPermission object with the specified name.
 138      * The name is the symbolic name of the BasicPermission, and the
 139      * actions String is currently unused.
 140      *
 141      * @param name the name of the BasicPermission.
 142      * @param actions ignored.
 143      *
 144      * @throws NullPointerException if <code>name</code> is <code>null</code>.
 145      * @throws IllegalArgumentException if <code>name</code> is empty.
 146      */
 147     public BasicPermission(String name, String actions) {
 148         super(name);
 149         init(name);
 150     }
 151 
 152     /**
 153      * Checks if the specified permission is "implied" by
 154      * this object.
 155      * <P>
 156      * More specifically, this method returns true if:<p>
 157      * <ul>
 158      * <li> <i>p</i>'s class is the same as this object's class, and<p>
 159      * <li> <i>p</i>'s name equals or (in the case of wildcards)
 160      *      is implied by this object's
 161      *      name. For example, "a.b.*" implies "a.b.c".
 162      * </ul>
 163      *
 164      * @param p the permission to check against.
 165      *
 166      * @return true if the passed permission is equal to or
 167      * implied by this permission, false otherwise.
 168      */
 169     public boolean implies(Permission p) {
 170         if ((p == null) || (p.getClass() != getClass()))
 171             return false;
 172 
 173         BasicPermission that = (BasicPermission) p;
 174 
 175         if (this.wildcard) {
 176             if (that.wildcard) {
 177                 // one wildcard can imply another
 178                 return that.path.startsWith(path);
 179             } else {
 180                 // make sure ap.path is longer so a.b.* doesn't imply a.b
 181                 return (that.path.length() > this.path.length()) &&
 182                     that.path.startsWith(this.path);
 183             }
 184         } else {
 185             if (that.wildcard) {
 186                 // a non-wildcard can't imply a wildcard
 187                 return false;
 188             }
 189             else {
 190                 return this.path.equals(that.path);
 191             }
 192         }
 193     }
 194 
 195     /**
 196      * Checks two BasicPermission objects for equality.
 197      * Checks that <i>obj</i>'s class is the same as this object's class
 198      * and has the same name as this object.
 199      * <P>
 200      * @param obj the object we are testing for equality with this object.
 201      * @return true if <i>obj</i>'s class is the same as this object's class
 202      *  and has the same name as this BasicPermission object, false otherwise.
 203      */
 204     public boolean equals(Object obj) {
 205         if (obj == this)
 206             return true;
 207 
 208         if ((obj == null) || (obj.getClass() != getClass()))
 209             return false;
 210 
 211         BasicPermission bp = (BasicPermission) obj;
 212 
 213         return getName().equals(bp.getName());
 214     }
 215 
 216 
 217     /**
 218      * Returns the hash code value for this object.
 219      * The hash code used is the hash code of the name, that is,
 220      * <code>getName().hashCode()</code>, where <code>getName</code> is
 221      * from the Permission superclass.
 222      *
 223      * @return a hash code value for this object.
 224      */
 225     public int hashCode() {
 226         return this.getName().hashCode();
 227     }
 228 
 229     /**
 230      * Returns the canonical string representation of the actions,
 231      * which currently is the empty string "", since there are no actions for
 232      * a BasicPermission.
 233      *
 234      * @return the empty string "".
 235      */
 236     public String getActions() {
 237         return "";
 238     }
 239 
 240     /**
 241      * Returns a new PermissionCollection object for storing BasicPermission
 242      * objects.
 243      *
 244      * <p>BasicPermission objects must be stored in a manner that allows them
 245      * to be inserted in any order, but that also enables the
 246      * PermissionCollection <code>implies</code> method
 247      * to be implemented in an efficient (and consistent) manner.
 248      *
 249      * @return a new PermissionCollection object suitable for
 250      * storing BasicPermissions.
 251      */
 252     public PermissionCollection newPermissionCollection() {
 253         return new BasicPermissionCollection(this.getClass());
 254     }
 255 
 256     /**
 257      * readObject is called to restore the state of the BasicPermission from
 258      * a stream.
 259      */
 260     private void readObject(ObjectInputStream s)
 261          throws IOException, ClassNotFoundException
 262     {
 263         s.defaultReadObject();
 264         // init is called to initialize the rest of the values.
 265         init(getName());
 266     }
 267 
 268     /**
 269      * Returns the canonical name of this BasicPermission.
 270      * All internal invocations of getName should invoke this method, so
 271      * that the pre-JDK 1.6 "exitVM" and current "exitVM.*" permission are
 272      * equivalent in equals/hashCode methods.
 273      *
 274      * @return the canonical name of this BasicPermission.
 275      */
 276     final String getCanonicalName() {
 277         return exitVM ? "exitVM.*" : getName();
 278     }
 279 }
 280 
 281 /**
 282  * A BasicPermissionCollection stores a collection
 283  * of BasicPermission permissions. BasicPermission objects
 284  * must be stored in a manner that allows them to be inserted in any
 285  * order, but enable the implies function to evaluate the implies
 286  * method in an efficient (and consistent) manner.
 287  *
 288  * A BasicPermissionCollection handles comparing a permission like "a.b.c.d.e"
 289  * with a Permission such as "a.b.*", or "*".
 290  *
 291  * @see java.security.Permission
 292  * @see java.security.Permissions
 293  *
 294  *
 295  * @author Roland Schemers
 296  *
 297  * @serial include
 298  */
 299 
 300 final class BasicPermissionCollection
 301     extends PermissionCollection
 302     implements java.io.Serializable
 303 {
 304 
 305     private static final long serialVersionUID = 739301742472979399L;
 306 
 307     /**
 308       * Key is name, value is permission. All permission objects in
 309       * collection must be of the same type.
 310       * Not serialized; see serialization section at end of class.
 311       */
 312     private transient Map<String, Permission> perms;
 313 
 314     /**
 315      * This is set to <code>true</code> if this BasicPermissionCollection
 316      * contains a BasicPermission with '*' as its permission name.
 317      *
 318      * @see #serialPersistentFields
 319      */
 320     private boolean all_allowed;
 321 
 322     /**
 323      * The class to which all BasicPermissions in this
 324      * BasicPermissionCollection belongs.
 325      *
 326      * @see #serialPersistentFields
 327      */
 328     private Class<?> permClass;
 329 
 330     /**
 331      * Create an empty BasicPermissionCollection object.
 332      *
 333      */
 334 
 335     public BasicPermissionCollection(Class<?> clazz) {
 336         perms = new HashMap<String, Permission>(11);
 337         all_allowed = false;
 338         permClass = clazz;
 339     }
 340 
 341     /**
 342      * Adds a permission to the BasicPermissions. The key for the hash is
 343      * permission.path.
 344      *
 345      * @param permission the Permission object to add.
 346      *
 347      * @exception IllegalArgumentException - if the permission is not a
 348      *                                       BasicPermission, or if
 349      *                                       the permission is not of the
 350      *                                       same Class as the other
 351      *                                       permissions in this collection.
 352      *
 353      * @exception SecurityException - if this BasicPermissionCollection object
 354      *                                has been marked readonly
 355      */
 356     public void add(Permission permission) {
 357         if (! (permission instanceof BasicPermission))
 358             throw new IllegalArgumentException("invalid permission: "+
 359                                                permission);
 360         if (isReadOnly())
 361             throw new SecurityException("attempt to add a Permission to a readonly PermissionCollection");
 362 
 363         BasicPermission bp = (BasicPermission) permission;
 364 
 365         // make sure we only add new BasicPermissions of the same class
 366         // Also check null for compatibility with deserialized form from
 367         // previous versions.
 368         if (permClass == null) {
 369             // adding first permission
 370             permClass = bp.getClass();
 371         } else {
 372             if (bp.getClass() != permClass)
 373                 throw new IllegalArgumentException("invalid permission: " +
 374                                                 permission);
 375         }
 376 
 377         synchronized (this) {
 378             perms.put(bp.getCanonicalName(), permission);
 379         }
 380 
 381         // No sync on all_allowed; staleness OK
 382         if (!all_allowed) {
 383             if (bp.getCanonicalName().equals("*"))
 384                 all_allowed = true;
 385         }
 386     }
 387 
 388     /**
 389      * Check and see if this set of permissions implies the permissions
 390      * expressed in "permission".
 391      *
 392      * @param permission the Permission object to compare
 393      *
 394      * @return true if "permission" is a proper subset of a permission in
 395      * the set, false if not.
 396      */
 397     public boolean implies(Permission permission) {
 398         if (! (permission instanceof BasicPermission))
 399             return false;
 400 
 401         BasicPermission bp = (BasicPermission) permission;
 402 
 403         // random subclasses of BasicPermission do not imply each other
 404         if (bp.getClass() != permClass)
 405             return false;
 406 
 407         // short circuit if the "*" Permission was added
 408         if (all_allowed)
 409             return true;
 410 
 411         // strategy:
 412         // Check for full match first. Then work our way up the
 413         // path looking for matches on a.b..*
 414 
 415         String path = bp.getCanonicalName();
 416         //System.out.println("check "+path);
 417 
 418         Permission x;
 419 
 420         synchronized (this) {
 421             x = perms.get(path);
 422         }
 423 
 424         if (x != null) {
 425             // we have a direct hit!
 426             return x.implies(permission);
 427         }
 428 
 429         // work our way up the tree...
 430         int last, offset;
 431 
 432         offset = path.length()-1;
 433 
 434         while ((last = path.lastIndexOf(".", offset)) != -1) {
 435 
 436             path = path.substring(0, last+1) + "*";
 437             //System.out.println("check "+path);
 438 
 439             synchronized (this) {
 440                 x = perms.get(path);
 441             }
 442 
 443             if (x != null) {
 444                 return x.implies(permission);
 445             }
 446             offset = last -1;
 447         }
 448 
 449         // we don't have to check for "*" as it was already checked
 450         // at the top (all_allowed), so we just return false
 451         return false;
 452     }
 453 
 454     /**
 455      * Returns an enumeration of all the BasicPermission objects in the
 456      * container.
 457      *
 458      * @return an enumeration of all the BasicPermission objects.
 459      */
 460     public Enumeration<Permission> elements() {
 461         // Convert Iterator of Map values into an Enumeration
 462         synchronized (this) {
 463             return Collections.enumeration(perms.values());
 464         }
 465     }
 466 
 467     // Need to maintain serialization interoperability with earlier releases,
 468     // which had the serializable field:
 469     //
 470     // @serial the Hashtable is indexed by the BasicPermission name
 471     //
 472     // private Hashtable permissions;
 473     /**
 474      * @serialField permissions java.util.Hashtable
 475      *    The BasicPermissions in this BasicPermissionCollection.
 476      *    All BasicPermissions in the collection must belong to the same class.
 477      *    The Hashtable is indexed by the BasicPermission name; the value
 478      *    of the Hashtable entry is the permission.
 479      * @serialField all_allowed boolean
 480      *   This is set to <code>true</code> if this BasicPermissionCollection
 481      *   contains a BasicPermission with '*' as its permission name.
 482      * @serialField permClass java.lang.Class
 483      *   The class to which all BasicPermissions in this
 484      *   BasicPermissionCollection belongs.
 485      */
 486     private static final ObjectStreamField[] serialPersistentFields = {
 487         new ObjectStreamField("permissions", Hashtable.class),
 488         new ObjectStreamField("all_allowed", Boolean.TYPE),
 489         new ObjectStreamField("permClass", Class.class),
 490     };
 491 
 492     /**
 493      * @serialData Default fields.
 494      */
 495     /*
 496      * Writes the contents of the perms field out as a Hashtable for
 497      * serialization compatibility with earlier releases. all_allowed
 498      * and permClass unchanged.
 499      */
 500     private void writeObject(ObjectOutputStream out) throws IOException {
 501         // Don't call out.defaultWriteObject()
 502 
 503         // Copy perms into a Hashtable
 504         Hashtable<String, Permission> permissions =
 505                 new Hashtable<>(perms.size()*2);
 506 
 507         synchronized (this) {
 508             permissions.putAll(perms);
 509         }
 510 
 511         // Write out serializable fields
 512         ObjectOutputStream.PutField pfields = out.putFields();
 513         pfields.put("all_allowed", all_allowed);
 514         pfields.put("permissions", permissions);
 515         pfields.put("permClass", permClass);
 516         out.writeFields();
 517     }
 518 
 519     /**
 520      * readObject is called to restore the state of the
 521      * BasicPermissionCollection from a stream.
 522      */
 523     private void readObject(java.io.ObjectInputStream in)
 524          throws IOException, ClassNotFoundException
 525     {
 526         // Don't call defaultReadObject()
 527 
 528         // Read in serialized fields
 529         ObjectInputStream.GetField gfields = in.readFields();
 530 
 531         // Get permissions
 532         // writeObject writes a Hashtable<String, Permission> for the
 533         // permissions key, so this cast is safe, unless the data is corrupt.
 534         @SuppressWarnings("unchecked")
 535         Hashtable<String, Permission> permissions =
 536                 (Hashtable<String, Permission>)gfields.get("permissions", null);
 537         perms = new HashMap<String, Permission>(permissions.size()*2);
 538         perms.putAll(permissions);
 539 
 540         // Get all_allowed
 541         all_allowed = gfields.get("all_allowed", false);
 542 
 543         // Get permClass
 544         permClass = (Class<?>) gfields.get("permClass", null);
 545 
 546         if (permClass == null) {
 547             // set permClass
 548             Enumeration<Permission> e = permissions.elements();
 549             if (e.hasMoreElements()) {
 550                 Permission p = e.nextElement();
 551                 permClass = p.getClass();
 552             }
 553         }
 554     }
 555 }