1 /* 2 * Copyright (c) 1995, 2017, Oracle and/or its affiliates. All rights reserved. 3 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. 4 * 5 * This code is free software; you can redistribute it and/or modify it 6 * under the terms of the GNU General Public License version 2 only, as 7 * published by the Free Software Foundation. Oracle designates this 8 * particular file as subject to the "Classpath" exception as provided 9 * by Oracle in the LICENSE file that accompanied this code. 10 * 11 * This code is distributed in the hope that it will be useful, but WITHOUT 12 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or 13 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License 14 * version 2 for more details (a copy is included in the LICENSE file that 15 * accompanied this code). 16 * 17 * You should have received a copy of the GNU General Public License version 18 * 2 along with this work; if not, write to the Free Software Foundation, 19 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. 20 * 21 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA 22 * or visit www.oracle.com if you need additional information or have any 23 * questions. 24 */ 25 26 package java.lang; 27 28 import java.lang.RuntimePermission; 29 import java.lang.module.ModuleDescriptor; 30 import java.lang.module.ModuleDescriptor.Exports; 31 import java.lang.module.ModuleDescriptor.Opens; 32 import java.lang.reflect.Layer; 33 import java.lang.reflect.Member; 34 import java.lang.reflect.Module; 35 import java.io.FileDescriptor; 36 import java.io.File; 37 import java.io.FilePermission; 38 import java.net.InetAddress; 39 import java.net.SocketPermission; 40 import java.security.AccessControlContext; 41 import java.security.AccessController; 42 import java.security.Permission; 43 import java.security.PrivilegedAction; 44 import java.security.Security; 45 import java.security.SecurityPermission; 46 import java.util.HashSet; 47 import java.util.Objects; 48 import java.util.PropertyPermission; 49 import java.util.Set; 50 import java.util.stream.Collectors; 51 import java.util.stream.Stream; 52 53 import jdk.internal.reflect.CallerSensitive; 54 import sun.security.util.SecurityConstants; 55 56 /** 57 * The security manager is a class that allows 58 * applications to implement a security policy. It allows an 59 * application to determine, before performing a possibly unsafe or 60 * sensitive operation, what the operation is and whether 61 * it is being attempted in a security context that allows the 62 * operation to be performed. The 63 * application can allow or disallow the operation. 64 * <p> 65 * The <code>SecurityManager</code> class contains many methods with 66 * names that begin with the word <code>check</code>. These methods 67 * are called by various methods in the Java libraries before those 68 * methods perform certain potentially sensitive operations. The 69 * invocation of such a <code>check</code> method typically looks like this: 70 * <blockquote><pre> 71 * SecurityManager security = System.getSecurityManager(); 72 * if (security != null) { 73 * security.check<i>XXX</i>(argument, . . . ); 74 * } 75 * </pre></blockquote> 76 * <p> 77 * The security manager is thereby given an opportunity to prevent 78 * completion of the operation by throwing an exception. A security 79 * manager routine simply returns if the operation is permitted, but 80 * throws a <code>SecurityException</code> if the operation is not 81 * permitted. 82 * <p> 83 * The current security manager is set by the 84 * <code>setSecurityManager</code> method in class 85 * <code>System</code>. The current security manager is obtained 86 * by the <code>getSecurityManager</code> method. 87 * <p> 88 * The special method 89 * {@link SecurityManager#checkPermission(java.security.Permission)} 90 * determines whether an access request indicated by a specified 91 * permission should be granted or denied. The 92 * default implementation calls 93 * 94 * <pre> 95 * AccessController.checkPermission(perm); 96 * </pre> 97 * 98 * <p> 99 * If a requested access is allowed, 100 * <code>checkPermission</code> returns quietly. If denied, a 101 * <code>SecurityException</code> is thrown. 102 * <p> 103 * As of Java 2 SDK v1.2, the default implementation of each of the other 104 * <code>check</code> methods in <code>SecurityManager</code> is to 105 * call the <code>SecurityManager checkPermission</code> method 106 * to determine if the calling thread has permission to perform the requested 107 * operation. 108 * <p> 109 * Note that the <code>checkPermission</code> method with 110 * just a single permission argument always performs security checks 111 * within the context of the currently executing thread. 112 * Sometimes a security check that should be made within a given context 113 * will actually need to be done from within a 114 * <i>different</i> context (for example, from within a worker thread). 115 * The {@link SecurityManager#getSecurityContext getSecurityContext} method 116 * and the {@link SecurityManager#checkPermission(java.security.Permission, 117 * java.lang.Object) checkPermission} 118 * method that includes a context argument are provided 119 * for this situation. The 120 * <code>getSecurityContext</code> method returns a "snapshot" 121 * of the current calling context. (The default implementation 122 * returns an AccessControlContext object.) A sample call is 123 * the following: 124 * 125 * <pre> 126 * Object context = null; 127 * SecurityManager sm = System.getSecurityManager(); 128 * if (sm != null) context = sm.getSecurityContext(); 129 * </pre> 130 * 131 * <p> 132 * The <code>checkPermission</code> method 133 * that takes a context object in addition to a permission 134 * makes access decisions based on that context, 135 * rather than on that of the current execution thread. 136 * Code within a different context can thus call that method, 137 * passing the permission and the 138 * previously-saved context object. A sample call, using the 139 * SecurityManager <code>sm</code> obtained as in the previous example, 140 * is the following: 141 * 142 * <pre> 143 * if (sm != null) sm.checkPermission(permission, context); 144 * </pre> 145 * 146 * <p>Permissions fall into these categories: File, Socket, Net, 147 * Security, Runtime, Property, AWT, Reflect, and Serializable. 148 * The classes managing these various 149 * permission categories are <code>java.io.FilePermission</code>, 150 * <code>java.net.SocketPermission</code>, 151 * <code>java.net.NetPermission</code>, 152 * <code>java.security.SecurityPermission</code>, 153 * <code>java.lang.RuntimePermission</code>, 154 * <code>java.util.PropertyPermission</code>, 155 * <code>java.awt.AWTPermission</code>, 156 * <code>java.lang.reflect.ReflectPermission</code>, and 157 * <code>java.io.SerializablePermission</code>. 158 * 159 * <p>All but the first two (FilePermission and SocketPermission) are 160 * subclasses of <code>java.security.BasicPermission</code>, which itself 161 * is an abstract subclass of the 162 * top-level class for permissions, which is 163 * <code>java.security.Permission</code>. BasicPermission defines the 164 * functionality needed for all permissions that contain a name 165 * that follows the hierarchical property naming convention 166 * (for example, "exitVM", "setFactory", "queuePrintJob", etc). 167 * An asterisk 168 * may appear at the end of the name, following a ".", or by itself, to 169 * signify a wildcard match. For example: "a.*" or "*" is valid, 170 * "*a" or "a*b" is not valid. 171 * 172 * <p>FilePermission and SocketPermission are subclasses of the 173 * top-level class for permissions 174 * (<code>java.security.Permission</code>). Classes like these 175 * that have a more complicated name syntax than that used by 176 * BasicPermission subclass directly from Permission rather than from 177 * BasicPermission. For example, 178 * for a <code>java.io.FilePermission</code> object, the permission name is 179 * the path name of a file (or directory). 180 * 181 * <p>Some of the permission classes have an "actions" list that tells 182 * the actions that are permitted for the object. For example, 183 * for a <code>java.io.FilePermission</code> object, the actions list 184 * (such as "read, write") specifies which actions are granted for the 185 * specified file (or for files in the specified directory). 186 * 187 * <p>Other permission classes are for "named" permissions - 188 * ones that contain a name but no actions list; you either have the 189 * named permission or you don't. 190 * 191 * <p>Note: There is also a <code>java.security.AllPermission</code> 192 * permission that implies all permissions. It exists to simplify the work 193 * of system administrators who might need to perform multiple 194 * tasks that require all (or numerous) permissions. 195 * <p> 196 * See <a href ="../../../technotes/guides/security/permissions.html"> 197 * Permissions in the JDK</a> for permission-related information. 198 * This document includes, for example, a table listing the various SecurityManager 199 * <code>check</code> methods and the permission(s) the default 200 * implementation of each such method requires. 201 * It also contains a table of all the version 1.2 methods 202 * that require permissions, and for each such method tells 203 * which permission it requires. 204 * <p> 205 * For more information about <code>SecurityManager</code> changes made in 206 * the JDK and advice regarding porting of 1.1-style security managers, 207 * see the <a href="../../../technotes/guides/security/index.html">security documentation</a>. 208 * 209 * @author Arthur van Hoff 210 * @author Roland Schemers 211 * 212 * @see java.lang.ClassLoader 213 * @see java.lang.SecurityException 214 * @see java.lang.System#getSecurityManager() getSecurityManager 215 * @see java.lang.System#setSecurityManager(java.lang.SecurityManager) 216 * setSecurityManager 217 * @see java.security.AccessController AccessController 218 * @see java.security.AccessControlContext AccessControlContext 219 * @see java.security.AccessControlException AccessControlException 220 * @see java.security.Permission 221 * @see java.security.BasicPermission 222 * @see java.io.FilePermission 223 * @see java.net.SocketPermission 224 * @see java.util.PropertyPermission 225 * @see java.lang.RuntimePermission 226 * @see java.awt.AWTPermission 227 * @see java.security.Policy Policy 228 * @see java.security.SecurityPermission SecurityPermission 229 * @see java.security.ProtectionDomain 230 * 231 * @since 1.0 232 */ 233 public 234 class SecurityManager { 235 236 /** 237 * This field is <code>true</code> if there is a security check in 238 * progress; <code>false</code> otherwise. 239 * 240 * @deprecated This type of security checking is not recommended. 241 * It is recommended that the <code>checkPermission</code> 242 * call be used instead. This field is subject to removal in a 243 * future version of Java SE. 244 */ 245 @Deprecated(since="1.2", forRemoval=true) 246 protected boolean inCheck; 247 248 /* 249 * Have we been initialized. Effective against finalizer attacks. 250 */ 251 private boolean initialized = false; 252 253 254 /** 255 * returns true if the current context has been granted AllPermission 256 */ 257 private boolean hasAllPermission() { 258 try { 259 checkPermission(SecurityConstants.ALL_PERMISSION); 260 return true; 261 } catch (SecurityException se) { 262 return false; 263 } 264 } 265 266 /** 267 * Tests if there is a security check in progress. 268 * 269 * @return the value of the <code>inCheck</code> field. This field 270 * should contain <code>true</code> if a security check is 271 * in progress, 272 * <code>false</code> otherwise. 273 * @see java.lang.SecurityManager#inCheck 274 * @deprecated This type of security checking is not recommended. 275 * It is recommended that the <code>checkPermission</code> 276 * call be used instead. This method is subject to removal in a 277 * future version of Java SE. 278 */ 279 @Deprecated(since="1.2", forRemoval=true) 280 public boolean getInCheck() { 281 return inCheck; 282 } 283 284 /** 285 * Constructs a new <code>SecurityManager</code>. 286 * 287 * <p> If there is a security manager already installed, this method first 288 * calls the security manager's <code>checkPermission</code> method 289 * with the <code>RuntimePermission("createSecurityManager")</code> 290 * permission to ensure the calling thread has permission to create a new 291 * security manager. 292 * This may result in throwing a <code>SecurityException</code>. 293 * 294 * @exception java.lang.SecurityException if a security manager already 295 * exists and its <code>checkPermission</code> method 296 * doesn't allow creation of a new security manager. 297 * @see java.lang.System#getSecurityManager() 298 * @see #checkPermission(java.security.Permission) checkPermission 299 * @see java.lang.RuntimePermission 300 */ 301 public SecurityManager() { 302 synchronized(SecurityManager.class) { 303 SecurityManager sm = System.getSecurityManager(); 304 if (sm != null) { 305 // ask the currently installed security manager if we 306 // can create a new one. 307 sm.checkPermission(new RuntimePermission 308 ("createSecurityManager")); 309 } 310 initialized = true; 311 } 312 } 313 314 /** 315 * Returns the current execution stack as an array of classes. 316 * <p> 317 * The length of the array is the number of methods on the execution 318 * stack. The element at index <code>0</code> is the class of the 319 * currently executing method, the element at index <code>1</code> is 320 * the class of that method's caller, and so on. 321 * 322 * @return the execution stack. 323 */ 324 protected native Class<?>[] getClassContext(); 325 326 /** 327 * Returns the class loader of the most recently executing method from 328 * a class defined using a non-system class loader. A non-system 329 * class loader is defined as being a class loader that is not equal to 330 * the system class loader (as returned 331 * by {@link ClassLoader#getSystemClassLoader}) or one of its ancestors. 332 * <p> 333 * This method will return 334 * <code>null</code> in the following three cases: 335 * <ol> 336 * <li>All methods on the execution stack are from classes 337 * defined using the system class loader or one of its ancestors. 338 * 339 * <li>All methods on the execution stack up to the first 340 * "privileged" caller 341 * (see {@link java.security.AccessController#doPrivileged}) 342 * are from classes 343 * defined using the system class loader or one of its ancestors. 344 * 345 * <li> A call to <code>checkPermission</code> with 346 * <code>java.security.AllPermission</code> does not 347 * result in a SecurityException. 348 * 349 * </ol> 350 * 351 * @return the class loader of the most recent occurrence on the stack 352 * of a method from a class defined using a non-system class 353 * loader. 354 * 355 * @deprecated This type of security checking is not recommended. 356 * It is recommended that the <code>checkPermission</code> 357 * call be used instead. This method is subject to removal in a 358 * future version of Java SE. 359 * 360 * @see java.lang.ClassLoader#getSystemClassLoader() getSystemClassLoader 361 * @see #checkPermission(java.security.Permission) checkPermission 362 */ 363 @Deprecated(since="1.2", forRemoval=true) 364 protected ClassLoader currentClassLoader() { 365 ClassLoader cl = currentClassLoader0(); 366 if ((cl != null) && hasAllPermission()) 367 cl = null; 368 return cl; 369 } 370 371 private native ClassLoader currentClassLoader0(); 372 373 /** 374 * Returns the class of the most recently executing method from 375 * a class defined using a non-system class loader. A non-system 376 * class loader is defined as being a class loader that is not equal to 377 * the system class loader (as returned 378 * by {@link ClassLoader#getSystemClassLoader}) or one of its ancestors. 379 * <p> 380 * This method will return 381 * <code>null</code> in the following three cases: 382 * <ol> 383 * <li>All methods on the execution stack are from classes 384 * defined using the system class loader or one of its ancestors. 385 * 386 * <li>All methods on the execution stack up to the first 387 * "privileged" caller 388 * (see {@link java.security.AccessController#doPrivileged}) 389 * are from classes 390 * defined using the system class loader or one of its ancestors. 391 * 392 * <li> A call to <code>checkPermission</code> with 393 * <code>java.security.AllPermission</code> does not 394 * result in a SecurityException. 395 * 396 * </ol> 397 * 398 * @return the class of the most recent occurrence on the stack 399 * of a method from a class defined using a non-system class 400 * loader. 401 * 402 * @deprecated This type of security checking is not recommended. 403 * It is recommended that the <code>checkPermission</code> 404 * call be used instead. This method is subject to removal in a 405 * future version of Java SE. 406 * 407 * @see java.lang.ClassLoader#getSystemClassLoader() getSystemClassLoader 408 * @see #checkPermission(java.security.Permission) checkPermission 409 */ 410 @Deprecated(since="1.2", forRemoval=true) 411 protected Class<?> currentLoadedClass() { 412 Class<?> c = currentLoadedClass0(); 413 if ((c != null) && hasAllPermission()) 414 c = null; 415 return c; 416 } 417 418 /** 419 * Returns the stack depth of the specified class. 420 * 421 * @param name the fully qualified name of the class to search for. 422 * @return the depth on the stack frame of the first occurrence of a 423 * method from a class with the specified name; 424 * <code>-1</code> if such a frame cannot be found. 425 * @deprecated This type of security checking is not recommended. 426 * It is recommended that the <code>checkPermission</code> 427 * call be used instead. This method is subject to removal in a 428 * future version of Java SE. 429 */ 430 @Deprecated(since="1.2", forRemoval=true) 431 protected native int classDepth(String name); 432 433 /** 434 * Returns the stack depth of the most recently executing method 435 * from a class defined using a non-system class loader. A non-system 436 * class loader is defined as being a class loader that is not equal to 437 * the system class loader (as returned 438 * by {@link ClassLoader#getSystemClassLoader}) or one of its ancestors. 439 * <p> 440 * This method will return 441 * -1 in the following three cases: 442 * <ol> 443 * <li>All methods on the execution stack are from classes 444 * defined using the system class loader or one of its ancestors. 445 * 446 * <li>All methods on the execution stack up to the first 447 * "privileged" caller 448 * (see {@link java.security.AccessController#doPrivileged}) 449 * are from classes 450 * defined using the system class loader or one of its ancestors. 451 * 452 * <li> A call to <code>checkPermission</code> with 453 * <code>java.security.AllPermission</code> does not 454 * result in a SecurityException. 455 * 456 * </ol> 457 * 458 * @return the depth on the stack frame of the most recent occurrence of 459 * a method from a class defined using a non-system class loader. 460 * 461 * @deprecated This type of security checking is not recommended. 462 * It is recommended that the <code>checkPermission</code> 463 * call be used instead. This method is subject to removal in a 464 * future version of Java SE. 465 * 466 * @see java.lang.ClassLoader#getSystemClassLoader() getSystemClassLoader 467 * @see #checkPermission(java.security.Permission) checkPermission 468 */ 469 @Deprecated(since="1.2", forRemoval=true) 470 protected int classLoaderDepth() { 471 int depth = classLoaderDepth0(); 472 if (depth != -1) { 473 if (hasAllPermission()) 474 depth = -1; 475 else 476 depth--; // make sure we don't include ourself 477 } 478 return depth; 479 } 480 481 private native int classLoaderDepth0(); 482 483 /** 484 * Tests if a method from a class with the specified 485 * name is on the execution stack. 486 * 487 * @param name the fully qualified name of the class. 488 * @return <code>true</code> if a method from a class with the specified 489 * name is on the execution stack; <code>false</code> otherwise. 490 * @deprecated This type of security checking is not recommended. 491 * It is recommended that the <code>checkPermission</code> 492 * call be used instead. This method is subject to removal in a 493 * future version of Java SE. 494 */ 495 @Deprecated(since="1.2", forRemoval=true) 496 protected boolean inClass(String name) { 497 return classDepth(name) >= 0; 498 } 499 500 /** 501 * Basically, tests if a method from a class defined using a 502 * class loader is on the execution stack. 503 * 504 * @return <code>true</code> if a call to <code>currentClassLoader</code> 505 * has a non-null return value. 506 * 507 * @deprecated This type of security checking is not recommended. 508 * It is recommended that the <code>checkPermission</code> 509 * call be used instead. This method is subject to removal in a 510 * future version of Java SE. 511 * @see #currentClassLoader() currentClassLoader 512 */ 513 @Deprecated(since="1.2", forRemoval=true) 514 protected boolean inClassLoader() { 515 return currentClassLoader() != null; 516 } 517 518 /** 519 * Creates an object that encapsulates the current execution 520 * environment. The result of this method is used, for example, by the 521 * three-argument <code>checkConnect</code> method and by the 522 * two-argument <code>checkRead</code> method. 523 * These methods are needed because a trusted method may be called 524 * on to read a file or open a socket on behalf of another method. 525 * The trusted method needs to determine if the other (possibly 526 * untrusted) method would be allowed to perform the operation on its 527 * own. 528 * <p> The default implementation of this method is to return 529 * an <code>AccessControlContext</code> object. 530 * 531 * @return an implementation-dependent object that encapsulates 532 * sufficient information about the current execution environment 533 * to perform some security checks later. 534 * @see java.lang.SecurityManager#checkConnect(java.lang.String, int, 535 * java.lang.Object) checkConnect 536 * @see java.lang.SecurityManager#checkRead(java.lang.String, 537 * java.lang.Object) checkRead 538 * @see java.security.AccessControlContext AccessControlContext 539 */ 540 public Object getSecurityContext() { 541 return AccessController.getContext(); 542 } 543 544 /** 545 * Throws a <code>SecurityException</code> if the requested 546 * access, specified by the given permission, is not permitted based 547 * on the security policy currently in effect. 548 * <p> 549 * This method calls <code>AccessController.checkPermission</code> 550 * with the given permission. 551 * 552 * @param perm the requested permission. 553 * @exception SecurityException if access is not permitted based on 554 * the current security policy. 555 * @exception NullPointerException if the permission argument is 556 * <code>null</code>. 557 * @since 1.2 558 */ 559 public void checkPermission(Permission perm) { 560 java.security.AccessController.checkPermission(perm); 561 } 562 563 /** 564 * Throws a <code>SecurityException</code> if the 565 * specified security context is denied access to the resource 566 * specified by the given permission. 567 * The context must be a security 568 * context returned by a previous call to 569 * <code>getSecurityContext</code> and the access control 570 * decision is based upon the configured security policy for 571 * that security context. 572 * <p> 573 * If <code>context</code> is an instance of 574 * <code>AccessControlContext</code> then the 575 * <code>AccessControlContext.checkPermission</code> method is 576 * invoked with the specified permission. 577 * <p> 578 * If <code>context</code> is not an instance of 579 * <code>AccessControlContext</code> then a 580 * <code>SecurityException</code> is thrown. 581 * 582 * @param perm the specified permission 583 * @param context a system-dependent security context. 584 * @exception SecurityException if the specified security context 585 * is not an instance of <code>AccessControlContext</code> 586 * (e.g., is <code>null</code>), or is denied access to the 587 * resource specified by the given permission. 588 * @exception NullPointerException if the permission argument is 589 * <code>null</code>. 590 * @see java.lang.SecurityManager#getSecurityContext() 591 * @see java.security.AccessControlContext#checkPermission(java.security.Permission) 592 * @since 1.2 593 */ 594 public void checkPermission(Permission perm, Object context) { 595 if (context instanceof AccessControlContext) { 596 ((AccessControlContext)context).checkPermission(perm); 597 } else { 598 throw new SecurityException(); 599 } 600 } 601 602 /** 603 * Throws a <code>SecurityException</code> if the 604 * calling thread is not allowed to create a new class loader. 605 * <p> 606 * This method calls <code>checkPermission</code> with the 607 * <code>RuntimePermission("createClassLoader")</code> 608 * permission. 609 * <p> 610 * If you override this method, then you should make a call to 611 * <code>super.checkCreateClassLoader</code> 612 * at the point the overridden method would normally throw an 613 * exception. 614 * 615 * @exception SecurityException if the calling thread does not 616 * have permission 617 * to create a new class loader. 618 * @see java.lang.ClassLoader#ClassLoader() 619 * @see #checkPermission(java.security.Permission) checkPermission 620 */ 621 public void checkCreateClassLoader() { 622 checkPermission(SecurityConstants.CREATE_CLASSLOADER_PERMISSION); 623 } 624 625 /** 626 * reference to the root thread group, used for the checkAccess 627 * methods. 628 */ 629 630 private static ThreadGroup rootGroup = getRootGroup(); 631 632 private static ThreadGroup getRootGroup() { 633 ThreadGroup root = Thread.currentThread().getThreadGroup(); 634 while (root.getParent() != null) { 635 root = root.getParent(); 636 } 637 return root; 638 } 639 640 /** 641 * Throws a <code>SecurityException</code> if the 642 * calling thread is not allowed to modify the thread argument. 643 * <p> 644 * This method is invoked for the current security manager by the 645 * <code>stop</code>, <code>suspend</code>, <code>resume</code>, 646 * <code>setPriority</code>, <code>setName</code>, and 647 * <code>setDaemon</code> methods of class <code>Thread</code>. 648 * <p> 649 * If the thread argument is a system thread (belongs to 650 * the thread group with a <code>null</code> parent) then 651 * this method calls <code>checkPermission</code> with the 652 * <code>RuntimePermission("modifyThread")</code> permission. 653 * If the thread argument is <i>not</i> a system thread, 654 * this method just returns silently. 655 * <p> 656 * Applications that want a stricter policy should override this 657 * method. If this method is overridden, the method that overrides 658 * it should additionally check to see if the calling thread has the 659 * <code>RuntimePermission("modifyThread")</code> permission, and 660 * if so, return silently. This is to ensure that code granted 661 * that permission (such as the JDK itself) is allowed to 662 * manipulate any thread. 663 * <p> 664 * If this method is overridden, then 665 * <code>super.checkAccess</code> should 666 * be called by the first statement in the overridden method, or the 667 * equivalent security check should be placed in the overridden method. 668 * 669 * @param t the thread to be checked. 670 * @exception SecurityException if the calling thread does not have 671 * permission to modify the thread. 672 * @exception NullPointerException if the thread argument is 673 * <code>null</code>. 674 * @see java.lang.Thread#resume() resume 675 * @see java.lang.Thread#setDaemon(boolean) setDaemon 676 * @see java.lang.Thread#setName(java.lang.String) setName 677 * @see java.lang.Thread#setPriority(int) setPriority 678 * @see java.lang.Thread#stop() stop 679 * @see java.lang.Thread#suspend() suspend 680 * @see #checkPermission(java.security.Permission) checkPermission 681 */ 682 public void checkAccess(Thread t) { 683 if (t == null) { 684 throw new NullPointerException("thread can't be null"); 685 } 686 if (t.getThreadGroup() == rootGroup) { 687 checkPermission(SecurityConstants.MODIFY_THREAD_PERMISSION); 688 } else { 689 // just return 690 } 691 } 692 /** 693 * Throws a <code>SecurityException</code> if the 694 * calling thread is not allowed to modify the thread group argument. 695 * <p> 696 * This method is invoked for the current security manager when a 697 * new child thread or child thread group is created, and by the 698 * <code>setDaemon</code>, <code>setMaxPriority</code>, 699 * <code>stop</code>, <code>suspend</code>, <code>resume</code>, and 700 * <code>destroy</code> methods of class <code>ThreadGroup</code>. 701 * <p> 702 * If the thread group argument is the system thread group ( 703 * has a <code>null</code> parent) then 704 * this method calls <code>checkPermission</code> with the 705 * <code>RuntimePermission("modifyThreadGroup")</code> permission. 706 * If the thread group argument is <i>not</i> the system thread group, 707 * this method just returns silently. 708 * <p> 709 * Applications that want a stricter policy should override this 710 * method. If this method is overridden, the method that overrides 711 * it should additionally check to see if the calling thread has the 712 * <code>RuntimePermission("modifyThreadGroup")</code> permission, and 713 * if so, return silently. This is to ensure that code granted 714 * that permission (such as the JDK itself) is allowed to 715 * manipulate any thread. 716 * <p> 717 * If this method is overridden, then 718 * <code>super.checkAccess</code> should 719 * be called by the first statement in the overridden method, or the 720 * equivalent security check should be placed in the overridden method. 721 * 722 * @param g the thread group to be checked. 723 * @exception SecurityException if the calling thread does not have 724 * permission to modify the thread group. 725 * @exception NullPointerException if the thread group argument is 726 * <code>null</code>. 727 * @see java.lang.ThreadGroup#destroy() destroy 728 * @see java.lang.ThreadGroup#resume() resume 729 * @see java.lang.ThreadGroup#setDaemon(boolean) setDaemon 730 * @see java.lang.ThreadGroup#setMaxPriority(int) setMaxPriority 731 * @see java.lang.ThreadGroup#stop() stop 732 * @see java.lang.ThreadGroup#suspend() suspend 733 * @see #checkPermission(java.security.Permission) checkPermission 734 */ 735 public void checkAccess(ThreadGroup g) { 736 if (g == null) { 737 throw new NullPointerException("thread group can't be null"); 738 } 739 if (g == rootGroup) { 740 checkPermission(SecurityConstants.MODIFY_THREADGROUP_PERMISSION); 741 } else { 742 // just return 743 } 744 } 745 746 /** 747 * Throws a <code>SecurityException</code> if the 748 * calling thread is not allowed to cause the Java Virtual Machine to 749 * halt with the specified status code. 750 * <p> 751 * This method is invoked for the current security manager by the 752 * <code>exit</code> method of class <code>Runtime</code>. A status 753 * of <code>0</code> indicates success; other values indicate various 754 * errors. 755 * <p> 756 * This method calls <code>checkPermission</code> with the 757 * <code>RuntimePermission("exitVM."+status)</code> permission. 758 * <p> 759 * If you override this method, then you should make a call to 760 * <code>super.checkExit</code> 761 * at the point the overridden method would normally throw an 762 * exception. 763 * 764 * @param status the exit status. 765 * @exception SecurityException if the calling thread does not have 766 * permission to halt the Java Virtual Machine with 767 * the specified status. 768 * @see java.lang.Runtime#exit(int) exit 769 * @see #checkPermission(java.security.Permission) checkPermission 770 */ 771 public void checkExit(int status) { 772 checkPermission(new RuntimePermission("exitVM."+status)); 773 } 774 775 /** 776 * Throws a <code>SecurityException</code> if the 777 * calling thread is not allowed to create a subprocess. 778 * <p> 779 * This method is invoked for the current security manager by the 780 * <code>exec</code> methods of class <code>Runtime</code>. 781 * <p> 782 * This method calls <code>checkPermission</code> with the 783 * <code>FilePermission(cmd,"execute")</code> permission 784 * if cmd is an absolute path, otherwise it calls 785 * <code>checkPermission</code> with 786 * <code>FilePermission("<<ALL FILES>>","execute")</code>. 787 * <p> 788 * If you override this method, then you should make a call to 789 * <code>super.checkExec</code> 790 * at the point the overridden method would normally throw an 791 * exception. 792 * 793 * @param cmd the specified system command. 794 * @exception SecurityException if the calling thread does not have 795 * permission to create a subprocess. 796 * @exception NullPointerException if the <code>cmd</code> argument is 797 * <code>null</code>. 798 * @see java.lang.Runtime#exec(java.lang.String) 799 * @see java.lang.Runtime#exec(java.lang.String, java.lang.String[]) 800 * @see java.lang.Runtime#exec(java.lang.String[]) 801 * @see java.lang.Runtime#exec(java.lang.String[], java.lang.String[]) 802 * @see #checkPermission(java.security.Permission) checkPermission 803 */ 804 public void checkExec(String cmd) { 805 File f = new File(cmd); 806 if (f.isAbsolute()) { 807 checkPermission(new FilePermission(cmd, 808 SecurityConstants.FILE_EXECUTE_ACTION)); 809 } else { 810 checkPermission(new FilePermission("<<ALL FILES>>", 811 SecurityConstants.FILE_EXECUTE_ACTION)); 812 } 813 } 814 815 /** 816 * Throws a <code>SecurityException</code> if the 817 * calling thread is not allowed to dynamic link the library code 818 * specified by the string argument file. The argument is either a 819 * simple library name or a complete filename. 820 * <p> 821 * This method is invoked for the current security manager by 822 * methods <code>load</code> and <code>loadLibrary</code> of class 823 * <code>Runtime</code>. 824 * <p> 825 * This method calls <code>checkPermission</code> with the 826 * <code>RuntimePermission("loadLibrary."+lib)</code> permission. 827 * <p> 828 * If you override this method, then you should make a call to 829 * <code>super.checkLink</code> 830 * at the point the overridden method would normally throw an 831 * exception. 832 * 833 * @param lib the name of the library. 834 * @exception SecurityException if the calling thread does not have 835 * permission to dynamically link the library. 836 * @exception NullPointerException if the <code>lib</code> argument is 837 * <code>null</code>. 838 * @see java.lang.Runtime#load(java.lang.String) 839 * @see java.lang.Runtime#loadLibrary(java.lang.String) 840 * @see #checkPermission(java.security.Permission) checkPermission 841 */ 842 public void checkLink(String lib) { 843 if (lib == null) { 844 throw new NullPointerException("library can't be null"); 845 } 846 checkPermission(new RuntimePermission("loadLibrary."+lib)); 847 } 848 849 /** 850 * Throws a <code>SecurityException</code> if the 851 * calling thread is not allowed to read from the specified file 852 * descriptor. 853 * <p> 854 * This method calls <code>checkPermission</code> with the 855 * <code>RuntimePermission("readFileDescriptor")</code> 856 * permission. 857 * <p> 858 * If you override this method, then you should make a call to 859 * <code>super.checkRead</code> 860 * at the point the overridden method would normally throw an 861 * exception. 862 * 863 * @param fd the system-dependent file descriptor. 864 * @exception SecurityException if the calling thread does not have 865 * permission to access the specified file descriptor. 866 * @exception NullPointerException if the file descriptor argument is 867 * <code>null</code>. 868 * @see java.io.FileDescriptor 869 * @see #checkPermission(java.security.Permission) checkPermission 870 */ 871 public void checkRead(FileDescriptor fd) { 872 if (fd == null) { 873 throw new NullPointerException("file descriptor can't be null"); 874 } 875 checkPermission(new RuntimePermission("readFileDescriptor")); 876 } 877 878 /** 879 * Throws a <code>SecurityException</code> if the 880 * calling thread is not allowed to read the file specified by the 881 * string argument. 882 * <p> 883 * This method calls <code>checkPermission</code> with the 884 * <code>FilePermission(file,"read")</code> permission. 885 * <p> 886 * If you override this method, then you should make a call to 887 * <code>super.checkRead</code> 888 * at the point the overridden method would normally throw an 889 * exception. 890 * 891 * @param file the system-dependent file name. 892 * @exception SecurityException if the calling thread does not have 893 * permission to access the specified file. 894 * @exception NullPointerException if the <code>file</code> argument is 895 * <code>null</code>. 896 * @see #checkPermission(java.security.Permission) checkPermission 897 */ 898 public void checkRead(String file) { 899 checkPermission(new FilePermission(file, 900 SecurityConstants.FILE_READ_ACTION)); 901 } 902 903 /** 904 * Throws a <code>SecurityException</code> if the 905 * specified security context is not allowed to read the file 906 * specified by the string argument. The context must be a security 907 * context returned by a previous call to 908 * <code>getSecurityContext</code>. 909 * <p> If <code>context</code> is an instance of 910 * <code>AccessControlContext</code> then the 911 * <code>AccessControlContext.checkPermission</code> method will 912 * be invoked with the <code>FilePermission(file,"read")</code> permission. 913 * <p> If <code>context</code> is not an instance of 914 * <code>AccessControlContext</code> then a 915 * <code>SecurityException</code> is thrown. 916 * <p> 917 * If you override this method, then you should make a call to 918 * <code>super.checkRead</code> 919 * at the point the overridden method would normally throw an 920 * exception. 921 * 922 * @param file the system-dependent filename. 923 * @param context a system-dependent security context. 924 * @exception SecurityException if the specified security context 925 * is not an instance of <code>AccessControlContext</code> 926 * (e.g., is <code>null</code>), or does not have permission 927 * to read the specified file. 928 * @exception NullPointerException if the <code>file</code> argument is 929 * <code>null</code>. 930 * @see java.lang.SecurityManager#getSecurityContext() 931 * @see java.security.AccessControlContext#checkPermission(java.security.Permission) 932 */ 933 public void checkRead(String file, Object context) { 934 checkPermission( 935 new FilePermission(file, SecurityConstants.FILE_READ_ACTION), 936 context); 937 } 938 939 /** 940 * Throws a <code>SecurityException</code> if the 941 * calling thread is not allowed to write to the specified file 942 * descriptor. 943 * <p> 944 * This method calls <code>checkPermission</code> with the 945 * <code>RuntimePermission("writeFileDescriptor")</code> 946 * permission. 947 * <p> 948 * If you override this method, then you should make a call to 949 * <code>super.checkWrite</code> 950 * at the point the overridden method would normally throw an 951 * exception. 952 * 953 * @param fd the system-dependent file descriptor. 954 * @exception SecurityException if the calling thread does not have 955 * permission to access the specified file descriptor. 956 * @exception NullPointerException if the file descriptor argument is 957 * <code>null</code>. 958 * @see java.io.FileDescriptor 959 * @see #checkPermission(java.security.Permission) checkPermission 960 */ 961 public void checkWrite(FileDescriptor fd) { 962 if (fd == null) { 963 throw new NullPointerException("file descriptor can't be null"); 964 } 965 checkPermission(new RuntimePermission("writeFileDescriptor")); 966 967 } 968 969 /** 970 * Throws a <code>SecurityException</code> if the 971 * calling thread is not allowed to write to the file specified by 972 * the string argument. 973 * <p> 974 * This method calls <code>checkPermission</code> with the 975 * <code>FilePermission(file,"write")</code> permission. 976 * <p> 977 * If you override this method, then you should make a call to 978 * <code>super.checkWrite</code> 979 * at the point the overridden method would normally throw an 980 * exception. 981 * 982 * @param file the system-dependent filename. 983 * @exception SecurityException if the calling thread does not 984 * have permission to access the specified file. 985 * @exception NullPointerException if the <code>file</code> argument is 986 * <code>null</code>. 987 * @see #checkPermission(java.security.Permission) checkPermission 988 */ 989 public void checkWrite(String file) { 990 checkPermission(new FilePermission(file, 991 SecurityConstants.FILE_WRITE_ACTION)); 992 } 993 994 /** 995 * Throws a <code>SecurityException</code> if the 996 * calling thread is not allowed to delete the specified file. 997 * <p> 998 * This method is invoked for the current security manager by the 999 * <code>delete</code> method of class <code>File</code>. 1000 * <p> 1001 * This method calls <code>checkPermission</code> with the 1002 * <code>FilePermission(file,"delete")</code> permission. 1003 * <p> 1004 * If you override this method, then you should make a call to 1005 * <code>super.checkDelete</code> 1006 * at the point the overridden method would normally throw an 1007 * exception. 1008 * 1009 * @param file the system-dependent filename. 1010 * @exception SecurityException if the calling thread does not 1011 * have permission to delete the file. 1012 * @exception NullPointerException if the <code>file</code> argument is 1013 * <code>null</code>. 1014 * @see java.io.File#delete() 1015 * @see #checkPermission(java.security.Permission) checkPermission 1016 */ 1017 public void checkDelete(String file) { 1018 checkPermission(new FilePermission(file, 1019 SecurityConstants.FILE_DELETE_ACTION)); 1020 } 1021 1022 /** 1023 * Throws a <code>SecurityException</code> if the 1024 * calling thread is not allowed to open a socket connection to the 1025 * specified host and port number. 1026 * <p> 1027 * A port number of <code>-1</code> indicates that the calling 1028 * method is attempting to determine the IP address of the specified 1029 * host name. 1030 * <p> 1031 * This method calls <code>checkPermission</code> with the 1032 * <code>SocketPermission(host+":"+port,"connect")</code> permission if 1033 * the port is not equal to -1. If the port is equal to -1, then 1034 * it calls <code>checkPermission</code> with the 1035 * <code>SocketPermission(host,"resolve")</code> permission. 1036 * <p> 1037 * If you override this method, then you should make a call to 1038 * <code>super.checkConnect</code> 1039 * at the point the overridden method would normally throw an 1040 * exception. 1041 * 1042 * @param host the host name port to connect to. 1043 * @param port the protocol port to connect to. 1044 * @exception SecurityException if the calling thread does not have 1045 * permission to open a socket connection to the specified 1046 * <code>host</code> and <code>port</code>. 1047 * @exception NullPointerException if the <code>host</code> argument is 1048 * <code>null</code>. 1049 * @see #checkPermission(java.security.Permission) checkPermission 1050 */ 1051 public void checkConnect(String host, int port) { 1052 if (host == null) { 1053 throw new NullPointerException("host can't be null"); 1054 } 1055 if (!host.startsWith("[") && host.indexOf(':') != -1) { 1056 host = "[" + host + "]"; 1057 } 1058 if (port == -1) { 1059 checkPermission(new SocketPermission(host, 1060 SecurityConstants.SOCKET_RESOLVE_ACTION)); 1061 } else { 1062 checkPermission(new SocketPermission(host+":"+port, 1063 SecurityConstants.SOCKET_CONNECT_ACTION)); 1064 } 1065 } 1066 1067 /** 1068 * Throws a <code>SecurityException</code> if the 1069 * specified security context is not allowed to open a socket 1070 * connection to the specified host and port number. 1071 * <p> 1072 * A port number of <code>-1</code> indicates that the calling 1073 * method is attempting to determine the IP address of the specified 1074 * host name. 1075 * <p> If <code>context</code> is not an instance of 1076 * <code>AccessControlContext</code> then a 1077 * <code>SecurityException</code> is thrown. 1078 * <p> 1079 * Otherwise, the port number is checked. If it is not equal 1080 * to -1, the <code>context</code>'s <code>checkPermission</code> 1081 * method is called with a 1082 * <code>SocketPermission(host+":"+port,"connect")</code> permission. 1083 * If the port is equal to -1, then 1084 * the <code>context</code>'s <code>checkPermission</code> method 1085 * is called with a 1086 * <code>SocketPermission(host,"resolve")</code> permission. 1087 * <p> 1088 * If you override this method, then you should make a call to 1089 * <code>super.checkConnect</code> 1090 * at the point the overridden method would normally throw an 1091 * exception. 1092 * 1093 * @param host the host name port to connect to. 1094 * @param port the protocol port to connect to. 1095 * @param context a system-dependent security context. 1096 * @exception SecurityException if the specified security context 1097 * is not an instance of <code>AccessControlContext</code> 1098 * (e.g., is <code>null</code>), or does not have permission 1099 * to open a socket connection to the specified 1100 * <code>host</code> and <code>port</code>. 1101 * @exception NullPointerException if the <code>host</code> argument is 1102 * <code>null</code>. 1103 * @see java.lang.SecurityManager#getSecurityContext() 1104 * @see java.security.AccessControlContext#checkPermission(java.security.Permission) 1105 */ 1106 public void checkConnect(String host, int port, Object context) { 1107 if (host == null) { 1108 throw new NullPointerException("host can't be null"); 1109 } 1110 if (!host.startsWith("[") && host.indexOf(':') != -1) { 1111 host = "[" + host + "]"; 1112 } 1113 if (port == -1) 1114 checkPermission(new SocketPermission(host, 1115 SecurityConstants.SOCKET_RESOLVE_ACTION), 1116 context); 1117 else 1118 checkPermission(new SocketPermission(host+":"+port, 1119 SecurityConstants.SOCKET_CONNECT_ACTION), 1120 context); 1121 } 1122 1123 /** 1124 * Throws a <code>SecurityException</code> if the 1125 * calling thread is not allowed to wait for a connection request on 1126 * the specified local port number. 1127 * <p> 1128 * This method calls <code>checkPermission</code> with the 1129 * <code>SocketPermission("localhost:"+port,"listen")</code>. 1130 * <p> 1131 * If you override this method, then you should make a call to 1132 * <code>super.checkListen</code> 1133 * at the point the overridden method would normally throw an 1134 * exception. 1135 * 1136 * @param port the local port. 1137 * @exception SecurityException if the calling thread does not have 1138 * permission to listen on the specified port. 1139 * @see #checkPermission(java.security.Permission) checkPermission 1140 */ 1141 public void checkListen(int port) { 1142 checkPermission(new SocketPermission("localhost:"+port, 1143 SecurityConstants.SOCKET_LISTEN_ACTION)); 1144 } 1145 1146 /** 1147 * Throws a <code>SecurityException</code> if the 1148 * calling thread is not permitted to accept a socket connection from 1149 * the specified host and port number. 1150 * <p> 1151 * This method is invoked for the current security manager by the 1152 * <code>accept</code> method of class <code>ServerSocket</code>. 1153 * <p> 1154 * This method calls <code>checkPermission</code> with the 1155 * <code>SocketPermission(host+":"+port,"accept")</code> permission. 1156 * <p> 1157 * If you override this method, then you should make a call to 1158 * <code>super.checkAccept</code> 1159 * at the point the overridden method would normally throw an 1160 * exception. 1161 * 1162 * @param host the host name of the socket connection. 1163 * @param port the port number of the socket connection. 1164 * @exception SecurityException if the calling thread does not have 1165 * permission to accept the connection. 1166 * @exception NullPointerException if the <code>host</code> argument is 1167 * <code>null</code>. 1168 * @see java.net.ServerSocket#accept() 1169 * @see #checkPermission(java.security.Permission) checkPermission 1170 */ 1171 public void checkAccept(String host, int port) { 1172 if (host == null) { 1173 throw new NullPointerException("host can't be null"); 1174 } 1175 if (!host.startsWith("[") && host.indexOf(':') != -1) { 1176 host = "[" + host + "]"; 1177 } 1178 checkPermission(new SocketPermission(host+":"+port, 1179 SecurityConstants.SOCKET_ACCEPT_ACTION)); 1180 } 1181 1182 /** 1183 * Throws a <code>SecurityException</code> if the 1184 * calling thread is not allowed to use 1185 * (join/leave/send/receive) IP multicast. 1186 * <p> 1187 * This method calls <code>checkPermission</code> with the 1188 * <code>java.net.SocketPermission(maddr.getHostAddress(), 1189 * "accept,connect")</code> permission. 1190 * <p> 1191 * If you override this method, then you should make a call to 1192 * <code>super.checkMulticast</code> 1193 * at the point the overridden method would normally throw an 1194 * exception. 1195 * 1196 * @param maddr Internet group address to be used. 1197 * @exception SecurityException if the calling thread is not allowed to 1198 * use (join/leave/send/receive) IP multicast. 1199 * @exception NullPointerException if the address argument is 1200 * <code>null</code>. 1201 * @since 1.1 1202 * @see #checkPermission(java.security.Permission) checkPermission 1203 */ 1204 public void checkMulticast(InetAddress maddr) { 1205 String host = maddr.getHostAddress(); 1206 if (!host.startsWith("[") && host.indexOf(':') != -1) { 1207 host = "[" + host + "]"; 1208 } 1209 checkPermission(new SocketPermission(host, 1210 SecurityConstants.SOCKET_CONNECT_ACCEPT_ACTION)); 1211 } 1212 1213 /** 1214 * Throws a <code>SecurityException</code> if the 1215 * calling thread is not allowed to use 1216 * (join/leave/send/receive) IP multicast. 1217 * <p> 1218 * This method calls <code>checkPermission</code> with the 1219 * <code>java.net.SocketPermission(maddr.getHostAddress(), 1220 * "accept,connect")</code> permission. 1221 * <p> 1222 * If you override this method, then you should make a call to 1223 * <code>super.checkMulticast</code> 1224 * at the point the overridden method would normally throw an 1225 * exception. 1226 * 1227 * @param maddr Internet group address to be used. 1228 * @param ttl value in use, if it is multicast send. 1229 * Note: this particular implementation does not use the ttl 1230 * parameter. 1231 * @exception SecurityException if the calling thread is not allowed to 1232 * use (join/leave/send/receive) IP multicast. 1233 * @exception NullPointerException if the address argument is 1234 * <code>null</code>. 1235 * @since 1.1 1236 * @deprecated Use #checkPermission(java.security.Permission) instead 1237 * @see #checkPermission(java.security.Permission) checkPermission 1238 */ 1239 @Deprecated(since="1.4") 1240 public void checkMulticast(InetAddress maddr, byte ttl) { 1241 String host = maddr.getHostAddress(); 1242 if (!host.startsWith("[") && host.indexOf(':') != -1) { 1243 host = "[" + host + "]"; 1244 } 1245 checkPermission(new SocketPermission(host, 1246 SecurityConstants.SOCKET_CONNECT_ACCEPT_ACTION)); 1247 } 1248 1249 /** 1250 * Throws a <code>SecurityException</code> if the 1251 * calling thread is not allowed to access or modify the system 1252 * properties. 1253 * <p> 1254 * This method is used by the <code>getProperties</code> and 1255 * <code>setProperties</code> methods of class <code>System</code>. 1256 * <p> 1257 * This method calls <code>checkPermission</code> with the 1258 * <code>PropertyPermission("*", "read,write")</code> permission. 1259 * <p> 1260 * If you override this method, then you should make a call to 1261 * <code>super.checkPropertiesAccess</code> 1262 * at the point the overridden method would normally throw an 1263 * exception. 1264 * 1265 * @exception SecurityException if the calling thread does not have 1266 * permission to access or modify the system properties. 1267 * @see java.lang.System#getProperties() 1268 * @see java.lang.System#setProperties(java.util.Properties) 1269 * @see #checkPermission(java.security.Permission) checkPermission 1270 */ 1271 public void checkPropertiesAccess() { 1272 checkPermission(new PropertyPermission("*", 1273 SecurityConstants.PROPERTY_RW_ACTION)); 1274 } 1275 1276 /** 1277 * Throws a <code>SecurityException</code> if the 1278 * calling thread is not allowed to access the system property with 1279 * the specified <code>key</code> name. 1280 * <p> 1281 * This method is used by the <code>getProperty</code> method of 1282 * class <code>System</code>. 1283 * <p> 1284 * This method calls <code>checkPermission</code> with the 1285 * <code>PropertyPermission(key, "read")</code> permission. 1286 * <p> 1287 * If you override this method, then you should make a call to 1288 * <code>super.checkPropertyAccess</code> 1289 * at the point the overridden method would normally throw an 1290 * exception. 1291 * 1292 * @param key a system property key. 1293 * 1294 * @exception SecurityException if the calling thread does not have 1295 * permission to access the specified system property. 1296 * @exception NullPointerException if the <code>key</code> argument is 1297 * <code>null</code>. 1298 * @exception IllegalArgumentException if <code>key</code> is empty. 1299 * 1300 * @see java.lang.System#getProperty(java.lang.String) 1301 * @see #checkPermission(java.security.Permission) checkPermission 1302 */ 1303 public void checkPropertyAccess(String key) { 1304 checkPermission(new PropertyPermission(key, 1305 SecurityConstants.PROPERTY_READ_ACTION)); 1306 } 1307 1308 /** 1309 * Returns {@code true} if the calling thread has {@code AllPermission}. 1310 * 1311 * @param window not used except to check if it is {@code null}. 1312 * @return {@code true} if the calling thread has {@code AllPermission}. 1313 * @exception NullPointerException if the {@code window} argument is 1314 * {@code null}. 1315 * @deprecated This method was originally used to check if the calling thread 1316 * was trusted to bring up a top-level window. The method has been 1317 * obsoleted and code should instead use {@link #checkPermission} 1318 * to check {@code AWTPermission("showWindowWithoutWarningBanner")}. 1319 * This method is subject to removal in a future version of Java SE. 1320 * @see #checkPermission(java.security.Permission) checkPermission 1321 */ 1322 @Deprecated(since="1.8", forRemoval=true) 1323 public boolean checkTopLevelWindow(Object window) { 1324 if (window == null) { 1325 throw new NullPointerException("window can't be null"); 1326 } 1327 return hasAllPermission(); 1328 } 1329 1330 /** 1331 * Throws a <code>SecurityException</code> if the 1332 * calling thread is not allowed to initiate a print job request. 1333 * <p> 1334 * This method calls 1335 * <code>checkPermission</code> with the 1336 * <code>RuntimePermission("queuePrintJob")</code> permission. 1337 * <p> 1338 * If you override this method, then you should make a call to 1339 * <code>super.checkPrintJobAccess</code> 1340 * at the point the overridden method would normally throw an 1341 * exception. 1342 * 1343 * @exception SecurityException if the calling thread does not have 1344 * permission to initiate a print job request. 1345 * @since 1.1 1346 * @see #checkPermission(java.security.Permission) checkPermission 1347 */ 1348 public void checkPrintJobAccess() { 1349 checkPermission(new RuntimePermission("queuePrintJob")); 1350 } 1351 1352 /** 1353 * Throws {@code SecurityException} if the calling thread does 1354 * not have {@code AllPermission}. 1355 * 1356 * @since 1.1 1357 * @exception SecurityException if the calling thread does not have 1358 * {@code AllPermission} 1359 * @deprecated This method was originally used to check if the calling 1360 * thread could access the system clipboard. The method has been 1361 * obsoleted and code should instead use {@link #checkPermission} 1362 * to check {@code AWTPermission("accessClipboard")}. 1363 * This method is subject to removal in a future version of Java SE. 1364 * @see #checkPermission(java.security.Permission) checkPermission 1365 */ 1366 @Deprecated(since="1.8", forRemoval=true) 1367 public void checkSystemClipboardAccess() { 1368 checkPermission(SecurityConstants.ALL_PERMISSION); 1369 } 1370 1371 /** 1372 * Throws {@code SecurityException} if the calling thread does 1373 * not have {@code AllPermission}. 1374 * 1375 * @since 1.1 1376 * @exception SecurityException if the calling thread does not have 1377 * {@code AllPermission} 1378 * @deprecated This method was originally used to check if the calling 1379 * thread could access the AWT event queue. The method has been 1380 * obsoleted and code should instead use {@link #checkPermission} 1381 * to check {@code AWTPermission("accessEventQueue")}. 1382 * This method is subject to removal in a future version of Java SE. 1383 * @see #checkPermission(java.security.Permission) checkPermission 1384 */ 1385 @Deprecated(since="1.8", forRemoval=true) 1386 public void checkAwtEventQueueAccess() { 1387 checkPermission(SecurityConstants.ALL_PERMISSION); 1388 } 1389 1390 /* 1391 * We have an initial invalid bit (initially false) for the class 1392 * variables which tell if the cache is valid. If the underlying 1393 * java.security.Security property changes via setProperty(), the 1394 * Security class uses reflection to change the variable and thus 1395 * invalidate the cache. 1396 * 1397 * Locking is handled by synchronization to the 1398 * packageAccessLock/packageDefinitionLock objects. They are only 1399 * used in this class. 1400 * 1401 * Note that cache invalidation as a result of the property change 1402 * happens without using these locks, so there may be a delay between 1403 * when a thread updates the property and when other threads updates 1404 * the cache. 1405 */ 1406 private static boolean packageAccessValid = false; 1407 private static String[] packageAccess; 1408 private static final Object packageAccessLock = new Object(); 1409 1410 private static boolean packageDefinitionValid = false; 1411 private static String[] packageDefinition; 1412 private static final Object packageDefinitionLock = new Object(); 1413 1414 private static String[] getPackages(String p) { 1415 String packages[] = null; 1416 if (p != null && !p.equals("")) { 1417 java.util.StringTokenizer tok = 1418 new java.util.StringTokenizer(p, ","); 1419 int n = tok.countTokens(); 1420 if (n > 0) { 1421 packages = new String[n]; 1422 int i = 0; 1423 while (tok.hasMoreElements()) { 1424 String s = tok.nextToken().trim(); 1425 packages[i++] = s; 1426 } 1427 } 1428 } 1429 1430 if (packages == null) { 1431 packages = new String[0]; 1432 } 1433 return packages; 1434 } 1435 1436 // The non-exported packages of the modules in the boot layer that are 1437 // loaded by the platform class loader or its ancestors. A non-exported 1438 // package is a package that either is not exported at all by its containing 1439 // module or is exported in a qualified fashion by its containing module. 1440 private static final Set<String> nonExportedPkgs; 1441 1442 static { 1443 // Get the modules in the boot layer 1444 Stream<Module> bootLayerModules = Layer.boot().modules().stream(); 1445 1446 // Filter out the modules loaded by the boot or platform loader 1447 PrivilegedAction<Set<Module>> pa = () -> 1448 bootLayerModules.filter(SecurityManager::isBootOrPlatformModule) 1449 .collect(Collectors.toSet()); 1450 Set<Module> modules = AccessController.doPrivileged(pa); 1451 1452 // Filter out the non-exported packages 1453 nonExportedPkgs = modules.stream() 1454 .map(Module::getDescriptor) 1455 .map(SecurityManager::nonExportedPkgs) 1456 .flatMap(Set::stream) 1457 .collect(Collectors.toSet()); 1458 } 1459 1460 /** 1461 * Called by java.security.Security 1462 */ 1463 static void invalidatePackageAccessCache() { 1464 synchronized (packageAccessLock) { 1465 packageAccessValid = false; 1466 } 1467 synchronized (packageDefinitionLock) { 1468 packageDefinitionValid = false; 1469 } 1470 } 1471 1472 /** 1473 * Returns true if the module's loader is the boot or platform loader. 1474 */ 1475 private static boolean isBootOrPlatformModule(Module m) { 1476 return m.getClassLoader() == null || 1477 m.getClassLoader() == ClassLoader.getPlatformClassLoader(); 1478 } 1479 1480 /** 1481 * Returns the non-exported packages of the specified module. 1482 */ 1483 private static Set<String> nonExportedPkgs(ModuleDescriptor md) { 1484 // start with all packages in the module 1485 Set<String> pkgs = new HashSet<>(md.packages()); 1486 1487 // remove the non-qualified exported packages 1488 md.exports().stream() 1489 .filter(p -> !p.isQualified()) 1490 .map(Exports::source) 1491 .forEach(pkgs::remove); 1492 1493 // remove the non-qualified open packages 1494 md.opens().stream() 1495 .filter(p -> !p.isQualified()) 1496 .map(Opens::source) 1497 .forEach(pkgs::remove); 1498 1499 return pkgs; 1500 } 1501 1502 /** 1503 * Throws a {@code SecurityException} if the calling thread is not allowed 1504 * to access the specified package. 1505 * <p> 1506 * This method is called by the {@code loadClass} method of class loaders. 1507 * <p> 1508 * This method checks if the specified package starts with or equals 1509 * any of the packages in the {@code package.access} Security Property. 1510 * An implementation may also check the package against an additional 1511 * list of restricted packages as noted below. If the package is restricted, 1512 * {@link #checkPermission(Permission)} is called with a 1513 * {@code RuntimePermission("accessClassInPackage."+pkg)} permission. 1514 * <p> 1515 * If this method is overridden, then {@code super.checkPackageAccess} 1516 * should be called as the first line in the overridden method. 1517 * 1518 * @implNote 1519 * This implementation also restricts all non-exported packages of modules 1520 * loaded by {@linkplain ClassLoader#getPlatformClassLoader 1521 * the platform class loader} or its ancestors. A "non-exported package" 1522 * refers to a package that is not exported to all modules. Specifically, 1523 * it refers to a package that either is not exported at all by its 1524 * containing module or is exported in a qualified fashion by its 1525 * containing module. 1526 * 1527 * @param pkg the package name. 1528 * @throws SecurityException if the calling thread does not have 1529 * permission to access the specified package. 1530 * @throws NullPointerException if the package name argument is 1531 * {@code null}. 1532 * @see java.lang.ClassLoader#loadClass(String, boolean) loadClass 1533 * @see java.security.Security#getProperty getProperty 1534 * @see #checkPermission(Permission) checkPermission 1535 */ 1536 public void checkPackageAccess(String pkg) { 1537 Objects.requireNonNull(pkg, "package name can't be null"); 1538 1539 // check if pkg is not exported to all modules 1540 if (nonExportedPkgs.contains(pkg)) { 1541 checkPermission( 1542 new RuntimePermission("accessClassInPackage." + pkg)); 1543 return; 1544 } 1545 1546 String[] restrictedPkgs; 1547 synchronized (packageAccessLock) { 1548 /* 1549 * Do we need to update our property array? 1550 */ 1551 if (!packageAccessValid) { 1552 String tmpPropertyStr = 1553 AccessController.doPrivileged( 1554 new PrivilegedAction<>() { 1555 public String run() { 1556 return Security.getProperty("package.access"); 1557 } 1558 } 1559 ); 1560 packageAccess = getPackages(tmpPropertyStr); 1561 packageAccessValid = true; 1562 } 1563 1564 // Using a snapshot of packageAccess -- don't care if static field 1565 // changes afterwards; array contents won't change. 1566 restrictedPkgs = packageAccess; 1567 } 1568 1569 /* 1570 * Traverse the list of packages, check for any matches. 1571 */ 1572 final int plen = pkg.length(); 1573 for (String restrictedPkg : restrictedPkgs) { 1574 final int rlast = restrictedPkg.length() - 1; 1575 1576 // Optimizations: 1577 // 1578 // If rlast >= plen then restrictedPkg is longer than pkg by at 1579 // least one char. This means pkg cannot start with restrictedPkg, 1580 // since restrictedPkg will be longer than pkg. 1581 // 1582 // Similarly if rlast != plen, then pkg + "." cannot be the same 1583 // as restrictedPkg, since pkg + "." will have a different length 1584 // than restrictedPkg. 1585 // 1586 if (rlast < plen && pkg.startsWith(restrictedPkg) || 1587 // The following test is equivalent to 1588 // restrictedPkg.equals(pkg + ".") but is noticeably more 1589 // efficient: 1590 rlast == plen && restrictedPkg.startsWith(pkg) && 1591 restrictedPkg.charAt(rlast) == '.') 1592 { 1593 checkPermission( 1594 new RuntimePermission("accessClassInPackage." + pkg)); 1595 break; // No need to continue; only need to check this once 1596 } 1597 } 1598 } 1599 1600 /** 1601 * Throws a {@code SecurityException} if the calling thread is not 1602 * allowed to define classes in the specified package. 1603 * <p> 1604 * This method is called by the {@code loadClass} method of some 1605 * class loaders. 1606 * <p> 1607 * This method checks if the specified package starts with or equals 1608 * any of the packages in the {@code package.definition} Security 1609 * Property. An implementation may also check the package against an 1610 * additional list of restricted packages as noted below. If the package 1611 * is restricted, {@link #checkPermission(Permission)} is called with a 1612 * {@code RuntimePermission("defineClassInPackage."+pkg)} permission. 1613 * <p> 1614 * If this method is overridden, then {@code super.checkPackageDefinition} 1615 * should be called as the first line in the overridden method. 1616 * 1617 * @implNote 1618 * This implementation also restricts all non-exported packages of modules 1619 * loaded by {@linkplain ClassLoader#getPlatformClassLoader 1620 * the platform class loader} or its ancestors. A "non-exported package" 1621 * refers to a package that is not exported to all modules. Specifically, 1622 * it refers to a package that either is not exported at all by its 1623 * containing module or is exported in a qualified fashion by its 1624 * containing module. 1625 * 1626 * @param pkg the package name. 1627 * @throws SecurityException if the calling thread does not have 1628 * permission to define classes in the specified package. 1629 * @throws NullPointerException if the package name argument is 1630 * {@code null}. 1631 * @see java.lang.ClassLoader#loadClass(String, boolean) 1632 * @see java.security.Security#getProperty getProperty 1633 * @see #checkPermission(Permission) checkPermission 1634 */ 1635 public void checkPackageDefinition(String pkg) { 1636 Objects.requireNonNull(pkg, "package name can't be null"); 1637 1638 // check if pkg is not exported to all modules 1639 if (nonExportedPkgs.contains(pkg)) { 1640 checkPermission( 1641 new RuntimePermission("defineClassInPackage." + pkg)); 1642 return; 1643 } 1644 1645 String[] pkgs; 1646 synchronized (packageDefinitionLock) { 1647 /* 1648 * Do we need to update our property array? 1649 */ 1650 if (!packageDefinitionValid) { 1651 String tmpPropertyStr = 1652 AccessController.doPrivileged( 1653 new PrivilegedAction<>() { 1654 public String run() { 1655 return java.security.Security.getProperty( 1656 "package.definition"); 1657 } 1658 } 1659 ); 1660 packageDefinition = getPackages(tmpPropertyStr); 1661 packageDefinitionValid = true; 1662 } 1663 // Using a snapshot of packageDefinition -- don't care if static 1664 // field changes afterwards; array contents won't change. 1665 pkgs = packageDefinition; 1666 } 1667 1668 /* 1669 * Traverse the list of packages, check for any matches. 1670 */ 1671 for (String restrictedPkg : pkgs) { 1672 if (pkg.startsWith(restrictedPkg) || restrictedPkg.equals(pkg + ".")) { 1673 checkPermission( 1674 new RuntimePermission("defineClassInPackage." + pkg)); 1675 break; // No need to continue; only need to check this once 1676 } 1677 } 1678 } 1679 1680 /** 1681 * Throws a <code>SecurityException</code> if the 1682 * calling thread is not allowed to set the socket factory used by 1683 * <code>ServerSocket</code> or <code>Socket</code>, or the stream 1684 * handler factory used by <code>URL</code>. 1685 * <p> 1686 * This method calls <code>checkPermission</code> with the 1687 * <code>RuntimePermission("setFactory")</code> permission. 1688 * <p> 1689 * If you override this method, then you should make a call to 1690 * <code>super.checkSetFactory</code> 1691 * at the point the overridden method would normally throw an 1692 * exception. 1693 * 1694 * @exception SecurityException if the calling thread does not have 1695 * permission to specify a socket factory or a stream 1696 * handler factory. 1697 * 1698 * @see java.net.ServerSocket#setSocketFactory(java.net.SocketImplFactory) setSocketFactory 1699 * @see java.net.Socket#setSocketImplFactory(java.net.SocketImplFactory) setSocketImplFactory 1700 * @see java.net.URL#setURLStreamHandlerFactory(java.net.URLStreamHandlerFactory) setURLStreamHandlerFactory 1701 * @see #checkPermission(java.security.Permission) checkPermission 1702 */ 1703 public void checkSetFactory() { 1704 checkPermission(new RuntimePermission("setFactory")); 1705 } 1706 1707 /** 1708 * Throws a <code>SecurityException</code> if the 1709 * calling thread is not allowed to access members. 1710 * <p> 1711 * The default policy is to allow access to PUBLIC members, as well 1712 * as access to classes that have the same class loader as the caller. 1713 * In all other cases, this method calls <code>checkPermission</code> 1714 * with the <code>RuntimePermission("accessDeclaredMembers") 1715 * </code> permission. 1716 * <p> 1717 * If this method is overridden, then a call to 1718 * <code>super.checkMemberAccess</code> cannot be made, 1719 * as the default implementation of <code>checkMemberAccess</code> 1720 * relies on the code being checked being at a stack depth of 1721 * 4. 1722 * 1723 * @param clazz the class that reflection is to be performed on. 1724 * 1725 * @param which type of access, PUBLIC or DECLARED. 1726 * 1727 * @exception SecurityException if the caller does not have 1728 * permission to access members. 1729 * @exception NullPointerException if the <code>clazz</code> argument is 1730 * <code>null</code>. 1731 * 1732 * @deprecated This method relies on the caller being at a stack depth 1733 * of 4 which is error-prone and cannot be enforced by the runtime. 1734 * Users of this method should instead invoke {@link #checkPermission} 1735 * directly. 1736 * This method is subject to removal in a future version of Java SE. 1737 * 1738 * @see java.lang.reflect.Member 1739 * @since 1.1 1740 * @see #checkPermission(java.security.Permission) checkPermission 1741 */ 1742 @Deprecated(since="1.8", forRemoval=true) 1743 @CallerSensitive 1744 public void checkMemberAccess(Class<?> clazz, int which) { 1745 if (clazz == null) { 1746 throw new NullPointerException("class can't be null"); 1747 } 1748 if (which != Member.PUBLIC) { 1749 Class<?> stack[] = getClassContext(); 1750 /* 1751 * stack depth of 4 should be the caller of one of the 1752 * methods in java.lang.Class that invoke checkMember 1753 * access. The stack should look like: 1754 * 1755 * someCaller [3] 1756 * java.lang.Class.someReflectionAPI [2] 1757 * java.lang.Class.checkMemberAccess [1] 1758 * SecurityManager.checkMemberAccess [0] 1759 * 1760 */ 1761 if ((stack.length<4) || 1762 (stack[3].getClassLoader() != clazz.getClassLoader())) { 1763 checkPermission(SecurityConstants.CHECK_MEMBER_ACCESS_PERMISSION); 1764 } 1765 } 1766 } 1767 1768 /** 1769 * Determines whether the permission with the specified permission target 1770 * name should be granted or denied. 1771 * 1772 * <p> If the requested permission is allowed, this method returns 1773 * quietly. If denied, a SecurityException is raised. 1774 * 1775 * <p> This method creates a <code>SecurityPermission</code> object for 1776 * the given permission target name and calls <code>checkPermission</code> 1777 * with it. 1778 * 1779 * <p> See the documentation for 1780 * <code>{@link java.security.SecurityPermission}</code> for 1781 * a list of possible permission target names. 1782 * 1783 * <p> If you override this method, then you should make a call to 1784 * <code>super.checkSecurityAccess</code> 1785 * at the point the overridden method would normally throw an 1786 * exception. 1787 * 1788 * @param target the target name of the <code>SecurityPermission</code>. 1789 * 1790 * @exception SecurityException if the calling thread does not have 1791 * permission for the requested access. 1792 * @exception NullPointerException if <code>target</code> is null. 1793 * @exception IllegalArgumentException if <code>target</code> is empty. 1794 * 1795 * @since 1.1 1796 * @see #checkPermission(java.security.Permission) checkPermission 1797 */ 1798 public void checkSecurityAccess(String target) { 1799 checkPermission(new SecurityPermission(target)); 1800 } 1801 1802 private native Class<?> currentLoadedClass0(); 1803 1804 /** 1805 * Returns the thread group into which to instantiate any new 1806 * thread being created at the time this is being called. 1807 * By default, it returns the thread group of the current 1808 * thread. This should be overridden by a specific security 1809 * manager to return the appropriate thread group. 1810 * 1811 * @return ThreadGroup that new threads are instantiated into 1812 * @since 1.1 1813 * @see java.lang.ThreadGroup 1814 */ 1815 public ThreadGroup getThreadGroup() { 1816 return Thread.currentThread().getThreadGroup(); 1817 } 1818 1819 }