1 /*
2 * Copyright (c) 1995, 2017, Oracle and/or its affiliates. All rights reserved.
3 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
4 *
5 * This code is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License version 2 only, as
7 * published by the Free Software Foundation. Oracle designates this
8 * particular file as subject to the "Classpath" exception as provided
9 * by Oracle in the LICENSE file that accompanied this code.
10 *
11 * This code is distributed in the hope that it will be useful, but WITHOUT
12 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
13 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
14 * version 2 for more details (a copy is included in the LICENSE file that
15 * accompanied this code).
16 *
17 * You should have received a copy of the GNU General Public License version
18 * 2 along with this work; if not, write to the Free Software Foundation,
19 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
20 *
21 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
22 * or visit www.oracle.com if you need additional information or have any
23 * questions.
24 */
25
26 package java.lang;
27
28 import java.lang.RuntimePermission;
29 import java.lang.module.ModuleDescriptor;
30 import java.lang.module.ModuleDescriptor.Exports;
31 import java.lang.module.ModuleDescriptor.Opens;
32 import java.lang.reflect.Layer;
33 import java.lang.reflect.Member;
34 import java.lang.reflect.Module;
35 import java.io.FileDescriptor;
36 import java.io.File;
37 import java.io.FilePermission;
38 import java.net.InetAddress;
39 import java.net.SocketPermission;
40 import java.security.AccessControlContext;
41 import java.security.AccessController;
42 import java.security.Permission;
43 import java.security.PrivilegedAction;
44 import java.security.Security;
45 import java.security.SecurityPermission;
46 import java.util.HashSet;
47 import java.util.Objects;
48 import java.util.PropertyPermission;
49 import java.util.Set;
50 import java.util.stream.Collectors;
51 import java.util.stream.Stream;
52
53 import jdk.internal.reflect.CallerSensitive;
54 import sun.security.util.SecurityConstants;
55
56 /**
57 * The security manager is a class that allows
58 * applications to implement a security policy. It allows an
59 * application to determine, before performing a possibly unsafe or
60 * sensitive operation, what the operation is and whether
61 * it is being attempted in a security context that allows the
62 * operation to be performed. The
63 * application can allow or disallow the operation.
64 * <p>
65 * The <code>SecurityManager</code> class contains many methods with
66 * names that begin with the word <code>check</code>. These methods
67 * are called by various methods in the Java libraries before those
68 * methods perform certain potentially sensitive operations. The
69 * invocation of such a <code>check</code> method typically looks like this:
70 * <blockquote><pre>
71 * SecurityManager security = System.getSecurityManager();
72 * if (security != null) {
73 * security.check<i>XXX</i>(argument, . . . );
74 * }
75 * </pre></blockquote>
76 * <p>
77 * The security manager is thereby given an opportunity to prevent
78 * completion of the operation by throwing an exception. A security
79 * manager routine simply returns if the operation is permitted, but
80 * throws a <code>SecurityException</code> if the operation is not
81 * permitted.
82 * <p>
83 * The current security manager is set by the
84 * <code>setSecurityManager</code> method in class
85 * <code>System</code>. The current security manager is obtained
86 * by the <code>getSecurityManager</code> method.
87 * <p>
88 * The special method
89 * {@link SecurityManager#checkPermission(java.security.Permission)}
90 * determines whether an access request indicated by a specified
91 * permission should be granted or denied. The
92 * default implementation calls
93 *
94 * <pre>
95 * AccessController.checkPermission(perm);
96 * </pre>
97 *
98 * <p>
99 * If a requested access is allowed,
100 * <code>checkPermission</code> returns quietly. If denied, a
101 * <code>SecurityException</code> is thrown.
102 * <p>
103 * As of Java 2 SDK v1.2, the default implementation of each of the other
104 * <code>check</code> methods in <code>SecurityManager</code> is to
105 * call the <code>SecurityManager checkPermission</code> method
106 * to determine if the calling thread has permission to perform the requested
107 * operation.
108 * <p>
109 * Note that the <code>checkPermission</code> method with
110 * just a single permission argument always performs security checks
111 * within the context of the currently executing thread.
112 * Sometimes a security check that should be made within a given context
113 * will actually need to be done from within a
114 * <i>different</i> context (for example, from within a worker thread).
115 * The {@link SecurityManager#getSecurityContext getSecurityContext} method
116 * and the {@link SecurityManager#checkPermission(java.security.Permission,
117 * java.lang.Object) checkPermission}
118 * method that includes a context argument are provided
119 * for this situation. The
120 * <code>getSecurityContext</code> method returns a "snapshot"
121 * of the current calling context. (The default implementation
122 * returns an AccessControlContext object.) A sample call is
123 * the following:
124 *
125 * <pre>
126 * Object context = null;
127 * SecurityManager sm = System.getSecurityManager();
128 * if (sm != null) context = sm.getSecurityContext();
129 * </pre>
130 *
131 * <p>
132 * The <code>checkPermission</code> method
133 * that takes a context object in addition to a permission
134 * makes access decisions based on that context,
135 * rather than on that of the current execution thread.
136 * Code within a different context can thus call that method,
137 * passing the permission and the
138 * previously-saved context object. A sample call, using the
139 * SecurityManager <code>sm</code> obtained as in the previous example,
140 * is the following:
141 *
142 * <pre>
143 * if (sm != null) sm.checkPermission(permission, context);
144 * </pre>
145 *
146 * <p>Permissions fall into these categories: File, Socket, Net,
147 * Security, Runtime, Property, AWT, Reflect, and Serializable.
148 * The classes managing these various
149 * permission categories are <code>java.io.FilePermission</code>,
150 * <code>java.net.SocketPermission</code>,
151 * <code>java.net.NetPermission</code>,
152 * <code>java.security.SecurityPermission</code>,
153 * <code>java.lang.RuntimePermission</code>,
154 * <code>java.util.PropertyPermission</code>,
155 * <code>java.awt.AWTPermission</code>,
156 * <code>java.lang.reflect.ReflectPermission</code>, and
157 * <code>java.io.SerializablePermission</code>.
158 *
159 * <p>All but the first two (FilePermission and SocketPermission) are
160 * subclasses of <code>java.security.BasicPermission</code>, which itself
161 * is an abstract subclass of the
162 * top-level class for permissions, which is
163 * <code>java.security.Permission</code>. BasicPermission defines the
164 * functionality needed for all permissions that contain a name
165 * that follows the hierarchical property naming convention
166 * (for example, "exitVM", "setFactory", "queuePrintJob", etc).
167 * An asterisk
168 * may appear at the end of the name, following a ".", or by itself, to
169 * signify a wildcard match. For example: "a.*" or "*" is valid,
170 * "*a" or "a*b" is not valid.
171 *
172 * <p>FilePermission and SocketPermission are subclasses of the
173 * top-level class for permissions
174 * (<code>java.security.Permission</code>). Classes like these
175 * that have a more complicated name syntax than that used by
176 * BasicPermission subclass directly from Permission rather than from
177 * BasicPermission. For example,
178 * for a <code>java.io.FilePermission</code> object, the permission name is
179 * the path name of a file (or directory).
180 *
181 * <p>Some of the permission classes have an "actions" list that tells
182 * the actions that are permitted for the object. For example,
183 * for a <code>java.io.FilePermission</code> object, the actions list
184 * (such as "read, write") specifies which actions are granted for the
185 * specified file (or for files in the specified directory).
186 *
187 * <p>Other permission classes are for "named" permissions -
188 * ones that contain a name but no actions list; you either have the
189 * named permission or you don't.
190 *
191 * <p>Note: There is also a <code>java.security.AllPermission</code>
192 * permission that implies all permissions. It exists to simplify the work
193 * of system administrators who might need to perform multiple
194 * tasks that require all (or numerous) permissions.
195 * <p>
196 * See <a href ="../../../technotes/guides/security/permissions.html">
197 * Permissions in the JDK</a> for permission-related information.
198 * This document includes, for example, a table listing the various SecurityManager
199 * <code>check</code> methods and the permission(s) the default
200 * implementation of each such method requires.
201 * It also contains a table of all the version 1.2 methods
202 * that require permissions, and for each such method tells
203 * which permission it requires.
204 * <p>
205 * For more information about <code>SecurityManager</code> changes made in
206 * the JDK and advice regarding porting of 1.1-style security managers,
207 * see the <a href="../../../technotes/guides/security/index.html">security documentation</a>.
208 *
209 * @author Arthur van Hoff
210 * @author Roland Schemers
211 *
212 * @see java.lang.ClassLoader
213 * @see java.lang.SecurityException
214 * @see java.lang.System#getSecurityManager() getSecurityManager
215 * @see java.lang.System#setSecurityManager(java.lang.SecurityManager)
216 * setSecurityManager
217 * @see java.security.AccessController AccessController
218 * @see java.security.AccessControlContext AccessControlContext
219 * @see java.security.AccessControlException AccessControlException
220 * @see java.security.Permission
221 * @see java.security.BasicPermission
222 * @see java.io.FilePermission
223 * @see java.net.SocketPermission
224 * @see java.util.PropertyPermission
225 * @see java.lang.RuntimePermission
226 * @see java.awt.AWTPermission
227 * @see java.security.Policy Policy
228 * @see java.security.SecurityPermission SecurityPermission
229 * @see java.security.ProtectionDomain
230 *
231 * @since 1.0
232 */
233 public
234 class SecurityManager {
235
236 /**
237 * This field is <code>true</code> if there is a security check in
238 * progress; <code>false</code> otherwise.
239 *
240 * @deprecated This type of security checking is not recommended.
241 * It is recommended that the <code>checkPermission</code>
242 * call be used instead. This field is subject to removal in a
243 * future version of Java SE.
244 */
245 @Deprecated(since="1.2", forRemoval=true)
246 protected boolean inCheck;
247
248 /*
249 * Have we been initialized. Effective against finalizer attacks.
250 */
251 private boolean initialized = false;
252
253
254 /**
255 * returns true if the current context has been granted AllPermission
256 */
257 private boolean hasAllPermission() {
258 try {
259 checkPermission(SecurityConstants.ALL_PERMISSION);
260 return true;
261 } catch (SecurityException se) {
262 return false;
263 }
264 }
265
266 /**
267 * Tests if there is a security check in progress.
268 *
269 * @return the value of the <code>inCheck</code> field. This field
270 * should contain <code>true</code> if a security check is
271 * in progress,
272 * <code>false</code> otherwise.
273 * @see java.lang.SecurityManager#inCheck
274 * @deprecated This type of security checking is not recommended.
275 * It is recommended that the <code>checkPermission</code>
276 * call be used instead. This method is subject to removal in a
277 * future version of Java SE.
278 */
279 @Deprecated(since="1.2", forRemoval=true)
280 public boolean getInCheck() {
281 return inCheck;
282 }
283
284 /**
285 * Constructs a new <code>SecurityManager</code>.
286 *
287 * <p> If there is a security manager already installed, this method first
288 * calls the security manager's <code>checkPermission</code> method
289 * with the <code>RuntimePermission("createSecurityManager")</code>
290 * permission to ensure the calling thread has permission to create a new
291 * security manager.
292 * This may result in throwing a <code>SecurityException</code>.
293 *
294 * @exception java.lang.SecurityException if a security manager already
295 * exists and its <code>checkPermission</code> method
296 * doesn't allow creation of a new security manager.
297 * @see java.lang.System#getSecurityManager()
298 * @see #checkPermission(java.security.Permission) checkPermission
299 * @see java.lang.RuntimePermission
300 */
301 public SecurityManager() {
302 synchronized(SecurityManager.class) {
303 SecurityManager sm = System.getSecurityManager();
304 if (sm != null) {
305 // ask the currently installed security manager if we
306 // can create a new one.
307 sm.checkPermission(new RuntimePermission
308 ("createSecurityManager"));
309 }
310 initialized = true;
311 }
312 }
313
314 /**
315 * Returns the current execution stack as an array of classes.
316 * <p>
317 * The length of the array is the number of methods on the execution
318 * stack. The element at index <code>0</code> is the class of the
319 * currently executing method, the element at index <code>1</code> is
320 * the class of that method's caller, and so on.
321 *
322 * @return the execution stack.
323 */
324 protected native Class<?>[] getClassContext();
325
326 /**
327 * Returns the class loader of the most recently executing method from
328 * a class defined using a non-system class loader. A non-system
329 * class loader is defined as being a class loader that is not equal to
330 * the system class loader (as returned
331 * by {@link ClassLoader#getSystemClassLoader}) or one of its ancestors.
332 * <p>
333 * This method will return
334 * <code>null</code> in the following three cases:
335 * <ol>
336 * <li>All methods on the execution stack are from classes
337 * defined using the system class loader or one of its ancestors.
338 *
339 * <li>All methods on the execution stack up to the first
340 * "privileged" caller
341 * (see {@link java.security.AccessController#doPrivileged})
342 * are from classes
343 * defined using the system class loader or one of its ancestors.
344 *
345 * <li> A call to <code>checkPermission</code> with
346 * <code>java.security.AllPermission</code> does not
347 * result in a SecurityException.
348 *
349 * </ol>
350 *
351 * @return the class loader of the most recent occurrence on the stack
352 * of a method from a class defined using a non-system class
353 * loader.
354 *
355 * @deprecated This type of security checking is not recommended.
356 * It is recommended that the <code>checkPermission</code>
357 * call be used instead. This method is subject to removal in a
358 * future version of Java SE.
359 *
360 * @see java.lang.ClassLoader#getSystemClassLoader() getSystemClassLoader
361 * @see #checkPermission(java.security.Permission) checkPermission
362 */
363 @Deprecated(since="1.2", forRemoval=true)
364 protected ClassLoader currentClassLoader() {
365 ClassLoader cl = currentClassLoader0();
366 if ((cl != null) && hasAllPermission())
367 cl = null;
368 return cl;
369 }
370
371 private native ClassLoader currentClassLoader0();
372
373 /**
374 * Returns the class of the most recently executing method from
375 * a class defined using a non-system class loader. A non-system
376 * class loader is defined as being a class loader that is not equal to
377 * the system class loader (as returned
378 * by {@link ClassLoader#getSystemClassLoader}) or one of its ancestors.
379 * <p>
380 * This method will return
381 * <code>null</code> in the following three cases:
382 * <ol>
383 * <li>All methods on the execution stack are from classes
384 * defined using the system class loader or one of its ancestors.
385 *
386 * <li>All methods on the execution stack up to the first
387 * "privileged" caller
388 * (see {@link java.security.AccessController#doPrivileged})
389 * are from classes
390 * defined using the system class loader or one of its ancestors.
391 *
392 * <li> A call to <code>checkPermission</code> with
393 * <code>java.security.AllPermission</code> does not
394 * result in a SecurityException.
395 *
396 * </ol>
397 *
398 * @return the class of the most recent occurrence on the stack
399 * of a method from a class defined using a non-system class
400 * loader.
401 *
402 * @deprecated This type of security checking is not recommended.
403 * It is recommended that the <code>checkPermission</code>
404 * call be used instead. This method is subject to removal in a
405 * future version of Java SE.
406 *
407 * @see java.lang.ClassLoader#getSystemClassLoader() getSystemClassLoader
408 * @see #checkPermission(java.security.Permission) checkPermission
409 */
410 @Deprecated(since="1.2", forRemoval=true)
411 protected Class<?> currentLoadedClass() {
412 Class<?> c = currentLoadedClass0();
413 if ((c != null) && hasAllPermission())
414 c = null;
415 return c;
416 }
417
418 /**
419 * Returns the stack depth of the specified class.
420 *
421 * @param name the fully qualified name of the class to search for.
422 * @return the depth on the stack frame of the first occurrence of a
423 * method from a class with the specified name;
424 * <code>-1</code> if such a frame cannot be found.
425 * @deprecated This type of security checking is not recommended.
426 * It is recommended that the <code>checkPermission</code>
427 * call be used instead. This method is subject to removal in a
428 * future version of Java SE.
429 */
430 @Deprecated(since="1.2", forRemoval=true)
431 protected native int classDepth(String name);
432
433 /**
434 * Returns the stack depth of the most recently executing method
435 * from a class defined using a non-system class loader. A non-system
436 * class loader is defined as being a class loader that is not equal to
437 * the system class loader (as returned
438 * by {@link ClassLoader#getSystemClassLoader}) or one of its ancestors.
439 * <p>
440 * This method will return
441 * -1 in the following three cases:
442 * <ol>
443 * <li>All methods on the execution stack are from classes
444 * defined using the system class loader or one of its ancestors.
445 *
446 * <li>All methods on the execution stack up to the first
447 * "privileged" caller
448 * (see {@link java.security.AccessController#doPrivileged})
449 * are from classes
450 * defined using the system class loader or one of its ancestors.
451 *
452 * <li> A call to <code>checkPermission</code> with
453 * <code>java.security.AllPermission</code> does not
454 * result in a SecurityException.
455 *
456 * </ol>
457 *
458 * @return the depth on the stack frame of the most recent occurrence of
459 * a method from a class defined using a non-system class loader.
460 *
461 * @deprecated This type of security checking is not recommended.
462 * It is recommended that the <code>checkPermission</code>
463 * call be used instead. This method is subject to removal in a
464 * future version of Java SE.
465 *
466 * @see java.lang.ClassLoader#getSystemClassLoader() getSystemClassLoader
467 * @see #checkPermission(java.security.Permission) checkPermission
468 */
469 @Deprecated(since="1.2", forRemoval=true)
470 protected int classLoaderDepth() {
471 int depth = classLoaderDepth0();
472 if (depth != -1) {
473 if (hasAllPermission())
474 depth = -1;
475 else
476 depth--; // make sure we don't include ourself
477 }
478 return depth;
479 }
480
481 private native int classLoaderDepth0();
482
483 /**
484 * Tests if a method from a class with the specified
485 * name is on the execution stack.
486 *
487 * @param name the fully qualified name of the class.
488 * @return <code>true</code> if a method from a class with the specified
489 * name is on the execution stack; <code>false</code> otherwise.
490 * @deprecated This type of security checking is not recommended.
491 * It is recommended that the <code>checkPermission</code>
492 * call be used instead. This method is subject to removal in a
493 * future version of Java SE.
494 */
495 @Deprecated(since="1.2", forRemoval=true)
496 protected boolean inClass(String name) {
497 return classDepth(name) >= 0;
498 }
499
500 /**
501 * Basically, tests if a method from a class defined using a
502 * class loader is on the execution stack.
503 *
504 * @return <code>true</code> if a call to <code>currentClassLoader</code>
505 * has a non-null return value.
506 *
507 * @deprecated This type of security checking is not recommended.
508 * It is recommended that the <code>checkPermission</code>
509 * call be used instead. This method is subject to removal in a
510 * future version of Java SE.
511 * @see #currentClassLoader() currentClassLoader
512 */
513 @Deprecated(since="1.2", forRemoval=true)
514 protected boolean inClassLoader() {
515 return currentClassLoader() != null;
516 }
517
518 /**
519 * Creates an object that encapsulates the current execution
520 * environment. The result of this method is used, for example, by the
521 * three-argument <code>checkConnect</code> method and by the
522 * two-argument <code>checkRead</code> method.
523 * These methods are needed because a trusted method may be called
524 * on to read a file or open a socket on behalf of another method.
525 * The trusted method needs to determine if the other (possibly
526 * untrusted) method would be allowed to perform the operation on its
527 * own.
528 * <p> The default implementation of this method is to return
529 * an <code>AccessControlContext</code> object.
530 *
531 * @return an implementation-dependent object that encapsulates
532 * sufficient information about the current execution environment
533 * to perform some security checks later.
534 * @see java.lang.SecurityManager#checkConnect(java.lang.String, int,
535 * java.lang.Object) checkConnect
536 * @see java.lang.SecurityManager#checkRead(java.lang.String,
537 * java.lang.Object) checkRead
538 * @see java.security.AccessControlContext AccessControlContext
539 */
540 public Object getSecurityContext() {
541 return AccessController.getContext();
542 }
543
544 /**
545 * Throws a <code>SecurityException</code> if the requested
546 * access, specified by the given permission, is not permitted based
547 * on the security policy currently in effect.
548 * <p>
549 * This method calls <code>AccessController.checkPermission</code>
550 * with the given permission.
551 *
552 * @param perm the requested permission.
553 * @exception SecurityException if access is not permitted based on
554 * the current security policy.
555 * @exception NullPointerException if the permission argument is
556 * <code>null</code>.
557 * @since 1.2
558 */
559 public void checkPermission(Permission perm) {
560 java.security.AccessController.checkPermission(perm);
561 }
562
563 /**
564 * Throws a <code>SecurityException</code> if the
565 * specified security context is denied access to the resource
566 * specified by the given permission.
567 * The context must be a security
568 * context returned by a previous call to
569 * <code>getSecurityContext</code> and the access control
570 * decision is based upon the configured security policy for
571 * that security context.
572 * <p>
573 * If <code>context</code> is an instance of
574 * <code>AccessControlContext</code> then the
575 * <code>AccessControlContext.checkPermission</code> method is
576 * invoked with the specified permission.
577 * <p>
578 * If <code>context</code> is not an instance of
579 * <code>AccessControlContext</code> then a
580 * <code>SecurityException</code> is thrown.
581 *
582 * @param perm the specified permission
583 * @param context a system-dependent security context.
584 * @exception SecurityException if the specified security context
585 * is not an instance of <code>AccessControlContext</code>
586 * (e.g., is <code>null</code>), or is denied access to the
587 * resource specified by the given permission.
588 * @exception NullPointerException if the permission argument is
589 * <code>null</code>.
590 * @see java.lang.SecurityManager#getSecurityContext()
591 * @see java.security.AccessControlContext#checkPermission(java.security.Permission)
592 * @since 1.2
593 */
594 public void checkPermission(Permission perm, Object context) {
595 if (context instanceof AccessControlContext) {
596 ((AccessControlContext)context).checkPermission(perm);
597 } else {
598 throw new SecurityException();
599 }
600 }
601
602 /**
603 * Throws a <code>SecurityException</code> if the
604 * calling thread is not allowed to create a new class loader.
605 * <p>
606 * This method calls <code>checkPermission</code> with the
607 * <code>RuntimePermission("createClassLoader")</code>
608 * permission.
609 * <p>
610 * If you override this method, then you should make a call to
611 * <code>super.checkCreateClassLoader</code>
612 * at the point the overridden method would normally throw an
613 * exception.
614 *
615 * @exception SecurityException if the calling thread does not
616 * have permission
617 * to create a new class loader.
618 * @see java.lang.ClassLoader#ClassLoader()
619 * @see #checkPermission(java.security.Permission) checkPermission
620 */
621 public void checkCreateClassLoader() {
622 checkPermission(SecurityConstants.CREATE_CLASSLOADER_PERMISSION);
623 }
624
625 /**
626 * reference to the root thread group, used for the checkAccess
627 * methods.
628 */
629
630 private static ThreadGroup rootGroup = getRootGroup();
631
632 private static ThreadGroup getRootGroup() {
633 ThreadGroup root = Thread.currentThread().getThreadGroup();
634 while (root.getParent() != null) {
635 root = root.getParent();
636 }
637 return root;
638 }
639
640 /**
641 * Throws a <code>SecurityException</code> if the
642 * calling thread is not allowed to modify the thread argument.
643 * <p>
644 * This method is invoked for the current security manager by the
645 * <code>stop</code>, <code>suspend</code>, <code>resume</code>,
646 * <code>setPriority</code>, <code>setName</code>, and
647 * <code>setDaemon</code> methods of class <code>Thread</code>.
648 * <p>
649 * If the thread argument is a system thread (belongs to
650 * the thread group with a <code>null</code> parent) then
651 * this method calls <code>checkPermission</code> with the
652 * <code>RuntimePermission("modifyThread")</code> permission.
653 * If the thread argument is <i>not</i> a system thread,
654 * this method just returns silently.
655 * <p>
656 * Applications that want a stricter policy should override this
657 * method. If this method is overridden, the method that overrides
658 * it should additionally check to see if the calling thread has the
659 * <code>RuntimePermission("modifyThread")</code> permission, and
660 * if so, return silently. This is to ensure that code granted
661 * that permission (such as the JDK itself) is allowed to
662 * manipulate any thread.
663 * <p>
664 * If this method is overridden, then
665 * <code>super.checkAccess</code> should
666 * be called by the first statement in the overridden method, or the
667 * equivalent security check should be placed in the overridden method.
668 *
669 * @param t the thread to be checked.
670 * @exception SecurityException if the calling thread does not have
671 * permission to modify the thread.
672 * @exception NullPointerException if the thread argument is
673 * <code>null</code>.
674 * @see java.lang.Thread#resume() resume
675 * @see java.lang.Thread#setDaemon(boolean) setDaemon
676 * @see java.lang.Thread#setName(java.lang.String) setName
677 * @see java.lang.Thread#setPriority(int) setPriority
678 * @see java.lang.Thread#stop() stop
679 * @see java.lang.Thread#suspend() suspend
680 * @see #checkPermission(java.security.Permission) checkPermission
681 */
682 public void checkAccess(Thread t) {
683 if (t == null) {
684 throw new NullPointerException("thread can't be null");
685 }
686 if (t.getThreadGroup() == rootGroup) {
687 checkPermission(SecurityConstants.MODIFY_THREAD_PERMISSION);
688 } else {
689 // just return
690 }
691 }
692 /**
693 * Throws a <code>SecurityException</code> if the
694 * calling thread is not allowed to modify the thread group argument.
695 * <p>
696 * This method is invoked for the current security manager when a
697 * new child thread or child thread group is created, and by the
698 * <code>setDaemon</code>, <code>setMaxPriority</code>,
699 * <code>stop</code>, <code>suspend</code>, <code>resume</code>, and
700 * <code>destroy</code> methods of class <code>ThreadGroup</code>.
701 * <p>
702 * If the thread group argument is the system thread group (
703 * has a <code>null</code> parent) then
704 * this method calls <code>checkPermission</code> with the
705 * <code>RuntimePermission("modifyThreadGroup")</code> permission.
706 * If the thread group argument is <i>not</i> the system thread group,
707 * this method just returns silently.
708 * <p>
709 * Applications that want a stricter policy should override this
710 * method. If this method is overridden, the method that overrides
711 * it should additionally check to see if the calling thread has the
712 * <code>RuntimePermission("modifyThreadGroup")</code> permission, and
713 * if so, return silently. This is to ensure that code granted
714 * that permission (such as the JDK itself) is allowed to
715 * manipulate any thread.
716 * <p>
717 * If this method is overridden, then
718 * <code>super.checkAccess</code> should
719 * be called by the first statement in the overridden method, or the
720 * equivalent security check should be placed in the overridden method.
721 *
722 * @param g the thread group to be checked.
723 * @exception SecurityException if the calling thread does not have
724 * permission to modify the thread group.
725 * @exception NullPointerException if the thread group argument is
726 * <code>null</code>.
727 * @see java.lang.ThreadGroup#destroy() destroy
728 * @see java.lang.ThreadGroup#resume() resume
729 * @see java.lang.ThreadGroup#setDaemon(boolean) setDaemon
730 * @see java.lang.ThreadGroup#setMaxPriority(int) setMaxPriority
731 * @see java.lang.ThreadGroup#stop() stop
732 * @see java.lang.ThreadGroup#suspend() suspend
733 * @see #checkPermission(java.security.Permission) checkPermission
734 */
735 public void checkAccess(ThreadGroup g) {
736 if (g == null) {
737 throw new NullPointerException("thread group can't be null");
738 }
739 if (g == rootGroup) {
740 checkPermission(SecurityConstants.MODIFY_THREADGROUP_PERMISSION);
741 } else {
742 // just return
743 }
744 }
745
746 /**
747 * Throws a <code>SecurityException</code> if the
748 * calling thread is not allowed to cause the Java Virtual Machine to
749 * halt with the specified status code.
750 * <p>
751 * This method is invoked for the current security manager by the
752 * <code>exit</code> method of class <code>Runtime</code>. A status
753 * of <code>0</code> indicates success; other values indicate various
754 * errors.
755 * <p>
756 * This method calls <code>checkPermission</code> with the
757 * <code>RuntimePermission("exitVM."+status)</code> permission.
758 * <p>
759 * If you override this method, then you should make a call to
760 * <code>super.checkExit</code>
761 * at the point the overridden method would normally throw an
762 * exception.
763 *
764 * @param status the exit status.
765 * @exception SecurityException if the calling thread does not have
766 * permission to halt the Java Virtual Machine with
767 * the specified status.
768 * @see java.lang.Runtime#exit(int) exit
769 * @see #checkPermission(java.security.Permission) checkPermission
770 */
771 public void checkExit(int status) {
772 checkPermission(new RuntimePermission("exitVM."+status));
773 }
774
775 /**
776 * Throws a <code>SecurityException</code> if the
777 * calling thread is not allowed to create a subprocess.
778 * <p>
779 * This method is invoked for the current security manager by the
780 * <code>exec</code> methods of class <code>Runtime</code>.
781 * <p>
782 * This method calls <code>checkPermission</code> with the
783 * <code>FilePermission(cmd,"execute")</code> permission
784 * if cmd is an absolute path, otherwise it calls
785 * <code>checkPermission</code> with
786 * <code>FilePermission("<<ALL FILES>>","execute")</code>.
787 * <p>
788 * If you override this method, then you should make a call to
789 * <code>super.checkExec</code>
790 * at the point the overridden method would normally throw an
791 * exception.
792 *
793 * @param cmd the specified system command.
794 * @exception SecurityException if the calling thread does not have
795 * permission to create a subprocess.
796 * @exception NullPointerException if the <code>cmd</code> argument is
797 * <code>null</code>.
798 * @see java.lang.Runtime#exec(java.lang.String)
799 * @see java.lang.Runtime#exec(java.lang.String, java.lang.String[])
800 * @see java.lang.Runtime#exec(java.lang.String[])
801 * @see java.lang.Runtime#exec(java.lang.String[], java.lang.String[])
802 * @see #checkPermission(java.security.Permission) checkPermission
803 */
804 public void checkExec(String cmd) {
805 File f = new File(cmd);
806 if (f.isAbsolute()) {
807 checkPermission(new FilePermission(cmd,
808 SecurityConstants.FILE_EXECUTE_ACTION));
809 } else {
810 checkPermission(new FilePermission("<<ALL FILES>>",
811 SecurityConstants.FILE_EXECUTE_ACTION));
812 }
813 }
814
815 /**
816 * Throws a <code>SecurityException</code> if the
817 * calling thread is not allowed to dynamic link the library code
818 * specified by the string argument file. The argument is either a
819 * simple library name or a complete filename.
820 * <p>
821 * This method is invoked for the current security manager by
822 * methods <code>load</code> and <code>loadLibrary</code> of class
823 * <code>Runtime</code>.
824 * <p>
825 * This method calls <code>checkPermission</code> with the
826 * <code>RuntimePermission("loadLibrary."+lib)</code> permission.
827 * <p>
828 * If you override this method, then you should make a call to
829 * <code>super.checkLink</code>
830 * at the point the overridden method would normally throw an
831 * exception.
832 *
833 * @param lib the name of the library.
834 * @exception SecurityException if the calling thread does not have
835 * permission to dynamically link the library.
836 * @exception NullPointerException if the <code>lib</code> argument is
837 * <code>null</code>.
838 * @see java.lang.Runtime#load(java.lang.String)
839 * @see java.lang.Runtime#loadLibrary(java.lang.String)
840 * @see #checkPermission(java.security.Permission) checkPermission
841 */
842 public void checkLink(String lib) {
843 if (lib == null) {
844 throw new NullPointerException("library can't be null");
845 }
846 checkPermission(new RuntimePermission("loadLibrary."+lib));
847 }
848
849 /**
850 * Throws a <code>SecurityException</code> if the
851 * calling thread is not allowed to read from the specified file
852 * descriptor.
853 * <p>
854 * This method calls <code>checkPermission</code> with the
855 * <code>RuntimePermission("readFileDescriptor")</code>
856 * permission.
857 * <p>
858 * If you override this method, then you should make a call to
859 * <code>super.checkRead</code>
860 * at the point the overridden method would normally throw an
861 * exception.
862 *
863 * @param fd the system-dependent file descriptor.
864 * @exception SecurityException if the calling thread does not have
865 * permission to access the specified file descriptor.
866 * @exception NullPointerException if the file descriptor argument is
867 * <code>null</code>.
868 * @see java.io.FileDescriptor
869 * @see #checkPermission(java.security.Permission) checkPermission
870 */
871 public void checkRead(FileDescriptor fd) {
872 if (fd == null) {
873 throw new NullPointerException("file descriptor can't be null");
874 }
875 checkPermission(new RuntimePermission("readFileDescriptor"));
876 }
877
878 /**
879 * Throws a <code>SecurityException</code> if the
880 * calling thread is not allowed to read the file specified by the
881 * string argument.
882 * <p>
883 * This method calls <code>checkPermission</code> with the
884 * <code>FilePermission(file,"read")</code> permission.
885 * <p>
886 * If you override this method, then you should make a call to
887 * <code>super.checkRead</code>
888 * at the point the overridden method would normally throw an
889 * exception.
890 *
891 * @param file the system-dependent file name.
892 * @exception SecurityException if the calling thread does not have
893 * permission to access the specified file.
894 * @exception NullPointerException if the <code>file</code> argument is
895 * <code>null</code>.
896 * @see #checkPermission(java.security.Permission) checkPermission
897 */
898 public void checkRead(String file) {
899 checkPermission(new FilePermission(file,
900 SecurityConstants.FILE_READ_ACTION));
901 }
902
903 /**
904 * Throws a <code>SecurityException</code> if the
905 * specified security context is not allowed to read the file
906 * specified by the string argument. The context must be a security
907 * context returned by a previous call to
908 * <code>getSecurityContext</code>.
909 * <p> If <code>context</code> is an instance of
910 * <code>AccessControlContext</code> then the
911 * <code>AccessControlContext.checkPermission</code> method will
912 * be invoked with the <code>FilePermission(file,"read")</code> permission.
913 * <p> If <code>context</code> is not an instance of
914 * <code>AccessControlContext</code> then a
915 * <code>SecurityException</code> is thrown.
916 * <p>
917 * If you override this method, then you should make a call to
918 * <code>super.checkRead</code>
919 * at the point the overridden method would normally throw an
920 * exception.
921 *
922 * @param file the system-dependent filename.
923 * @param context a system-dependent security context.
924 * @exception SecurityException if the specified security context
925 * is not an instance of <code>AccessControlContext</code>
926 * (e.g., is <code>null</code>), or does not have permission
927 * to read the specified file.
928 * @exception NullPointerException if the <code>file</code> argument is
929 * <code>null</code>.
930 * @see java.lang.SecurityManager#getSecurityContext()
931 * @see java.security.AccessControlContext#checkPermission(java.security.Permission)
932 */
933 public void checkRead(String file, Object context) {
934 checkPermission(
935 new FilePermission(file, SecurityConstants.FILE_READ_ACTION),
936 context);
937 }
938
939 /**
940 * Throws a <code>SecurityException</code> if the
941 * calling thread is not allowed to write to the specified file
942 * descriptor.
943 * <p>
944 * This method calls <code>checkPermission</code> with the
945 * <code>RuntimePermission("writeFileDescriptor")</code>
946 * permission.
947 * <p>
948 * If you override this method, then you should make a call to
949 * <code>super.checkWrite</code>
950 * at the point the overridden method would normally throw an
951 * exception.
952 *
953 * @param fd the system-dependent file descriptor.
954 * @exception SecurityException if the calling thread does not have
955 * permission to access the specified file descriptor.
956 * @exception NullPointerException if the file descriptor argument is
957 * <code>null</code>.
958 * @see java.io.FileDescriptor
959 * @see #checkPermission(java.security.Permission) checkPermission
960 */
961 public void checkWrite(FileDescriptor fd) {
962 if (fd == null) {
963 throw new NullPointerException("file descriptor can't be null");
964 }
965 checkPermission(new RuntimePermission("writeFileDescriptor"));
966
967 }
968
969 /**
970 * Throws a <code>SecurityException</code> if the
971 * calling thread is not allowed to write to the file specified by
972 * the string argument.
973 * <p>
974 * This method calls <code>checkPermission</code> with the
975 * <code>FilePermission(file,"write")</code> permission.
976 * <p>
977 * If you override this method, then you should make a call to
978 * <code>super.checkWrite</code>
979 * at the point the overridden method would normally throw an
980 * exception.
981 *
982 * @param file the system-dependent filename.
983 * @exception SecurityException if the calling thread does not
984 * have permission to access the specified file.
985 * @exception NullPointerException if the <code>file</code> argument is
986 * <code>null</code>.
987 * @see #checkPermission(java.security.Permission) checkPermission
988 */
989 public void checkWrite(String file) {
990 checkPermission(new FilePermission(file,
991 SecurityConstants.FILE_WRITE_ACTION));
992 }
993
994 /**
995 * Throws a <code>SecurityException</code> if the
996 * calling thread is not allowed to delete the specified file.
997 * <p>
998 * This method is invoked for the current security manager by the
999 * <code>delete</code> method of class <code>File</code>.
1000 * <p>
1001 * This method calls <code>checkPermission</code> with the
1002 * <code>FilePermission(file,"delete")</code> permission.
1003 * <p>
1004 * If you override this method, then you should make a call to
1005 * <code>super.checkDelete</code>
1006 * at the point the overridden method would normally throw an
1007 * exception.
1008 *
1009 * @param file the system-dependent filename.
1010 * @exception SecurityException if the calling thread does not
1011 * have permission to delete the file.
1012 * @exception NullPointerException if the <code>file</code> argument is
1013 * <code>null</code>.
1014 * @see java.io.File#delete()
1015 * @see #checkPermission(java.security.Permission) checkPermission
1016 */
1017 public void checkDelete(String file) {
1018 checkPermission(new FilePermission(file,
1019 SecurityConstants.FILE_DELETE_ACTION));
1020 }
1021
1022 /**
1023 * Throws a <code>SecurityException</code> if the
1024 * calling thread is not allowed to open a socket connection to the
1025 * specified host and port number.
1026 * <p>
1027 * A port number of <code>-1</code> indicates that the calling
1028 * method is attempting to determine the IP address of the specified
1029 * host name.
1030 * <p>
1031 * This method calls <code>checkPermission</code> with the
1032 * <code>SocketPermission(host+":"+port,"connect")</code> permission if
1033 * the port is not equal to -1. If the port is equal to -1, then
1034 * it calls <code>checkPermission</code> with the
1035 * <code>SocketPermission(host,"resolve")</code> permission.
1036 * <p>
1037 * If you override this method, then you should make a call to
1038 * <code>super.checkConnect</code>
1039 * at the point the overridden method would normally throw an
1040 * exception.
1041 *
1042 * @param host the host name port to connect to.
1043 * @param port the protocol port to connect to.
1044 * @exception SecurityException if the calling thread does not have
1045 * permission to open a socket connection to the specified
1046 * <code>host</code> and <code>port</code>.
1047 * @exception NullPointerException if the <code>host</code> argument is
1048 * <code>null</code>.
1049 * @see #checkPermission(java.security.Permission) checkPermission
1050 */
1051 public void checkConnect(String host, int port) {
1052 if (host == null) {
1053 throw new NullPointerException("host can't be null");
1054 }
1055 if (!host.startsWith("[") && host.indexOf(':') != -1) {
1056 host = "[" + host + "]";
1057 }
1058 if (port == -1) {
1059 checkPermission(new SocketPermission(host,
1060 SecurityConstants.SOCKET_RESOLVE_ACTION));
1061 } else {
1062 checkPermission(new SocketPermission(host+":"+port,
1063 SecurityConstants.SOCKET_CONNECT_ACTION));
1064 }
1065 }
1066
1067 /**
1068 * Throws a <code>SecurityException</code> if the
1069 * specified security context is not allowed to open a socket
1070 * connection to the specified host and port number.
1071 * <p>
1072 * A port number of <code>-1</code> indicates that the calling
1073 * method is attempting to determine the IP address of the specified
1074 * host name.
1075 * <p> If <code>context</code> is not an instance of
1076 * <code>AccessControlContext</code> then a
1077 * <code>SecurityException</code> is thrown.
1078 * <p>
1079 * Otherwise, the port number is checked. If it is not equal
1080 * to -1, the <code>context</code>'s <code>checkPermission</code>
1081 * method is called with a
1082 * <code>SocketPermission(host+":"+port,"connect")</code> permission.
1083 * If the port is equal to -1, then
1084 * the <code>context</code>'s <code>checkPermission</code> method
1085 * is called with a
1086 * <code>SocketPermission(host,"resolve")</code> permission.
1087 * <p>
1088 * If you override this method, then you should make a call to
1089 * <code>super.checkConnect</code>
1090 * at the point the overridden method would normally throw an
1091 * exception.
1092 *
1093 * @param host the host name port to connect to.
1094 * @param port the protocol port to connect to.
1095 * @param context a system-dependent security context.
1096 * @exception SecurityException if the specified security context
1097 * is not an instance of <code>AccessControlContext</code>
1098 * (e.g., is <code>null</code>), or does not have permission
1099 * to open a socket connection to the specified
1100 * <code>host</code> and <code>port</code>.
1101 * @exception NullPointerException if the <code>host</code> argument is
1102 * <code>null</code>.
1103 * @see java.lang.SecurityManager#getSecurityContext()
1104 * @see java.security.AccessControlContext#checkPermission(java.security.Permission)
1105 */
1106 public void checkConnect(String host, int port, Object context) {
1107 if (host == null) {
1108 throw new NullPointerException("host can't be null");
1109 }
1110 if (!host.startsWith("[") && host.indexOf(':') != -1) {
1111 host = "[" + host + "]";
1112 }
1113 if (port == -1)
1114 checkPermission(new SocketPermission(host,
1115 SecurityConstants.SOCKET_RESOLVE_ACTION),
1116 context);
1117 else
1118 checkPermission(new SocketPermission(host+":"+port,
1119 SecurityConstants.SOCKET_CONNECT_ACTION),
1120 context);
1121 }
1122
1123 /**
1124 * Throws a <code>SecurityException</code> if the
1125 * calling thread is not allowed to wait for a connection request on
1126 * the specified local port number.
1127 * <p>
1128 * This method calls <code>checkPermission</code> with the
1129 * <code>SocketPermission("localhost:"+port,"listen")</code>.
1130 * <p>
1131 * If you override this method, then you should make a call to
1132 * <code>super.checkListen</code>
1133 * at the point the overridden method would normally throw an
1134 * exception.
1135 *
1136 * @param port the local port.
1137 * @exception SecurityException if the calling thread does not have
1138 * permission to listen on the specified port.
1139 * @see #checkPermission(java.security.Permission) checkPermission
1140 */
1141 public void checkListen(int port) {
1142 checkPermission(new SocketPermission("localhost:"+port,
1143 SecurityConstants.SOCKET_LISTEN_ACTION));
1144 }
1145
1146 /**
1147 * Throws a <code>SecurityException</code> if the
1148 * calling thread is not permitted to accept a socket connection from
1149 * the specified host and port number.
1150 * <p>
1151 * This method is invoked for the current security manager by the
1152 * <code>accept</code> method of class <code>ServerSocket</code>.
1153 * <p>
1154 * This method calls <code>checkPermission</code> with the
1155 * <code>SocketPermission(host+":"+port,"accept")</code> permission.
1156 * <p>
1157 * If you override this method, then you should make a call to
1158 * <code>super.checkAccept</code>
1159 * at the point the overridden method would normally throw an
1160 * exception.
1161 *
1162 * @param host the host name of the socket connection.
1163 * @param port the port number of the socket connection.
1164 * @exception SecurityException if the calling thread does not have
1165 * permission to accept the connection.
1166 * @exception NullPointerException if the <code>host</code> argument is
1167 * <code>null</code>.
1168 * @see java.net.ServerSocket#accept()
1169 * @see #checkPermission(java.security.Permission) checkPermission
1170 */
1171 public void checkAccept(String host, int port) {
1172 if (host == null) {
1173 throw new NullPointerException("host can't be null");
1174 }
1175 if (!host.startsWith("[") && host.indexOf(':') != -1) {
1176 host = "[" + host + "]";
1177 }
1178 checkPermission(new SocketPermission(host+":"+port,
1179 SecurityConstants.SOCKET_ACCEPT_ACTION));
1180 }
1181
1182 /**
1183 * Throws a <code>SecurityException</code> if the
1184 * calling thread is not allowed to use
1185 * (join/leave/send/receive) IP multicast.
1186 * <p>
1187 * This method calls <code>checkPermission</code> with the
1188 * <code>java.net.SocketPermission(maddr.getHostAddress(),
1189 * "accept,connect")</code> permission.
1190 * <p>
1191 * If you override this method, then you should make a call to
1192 * <code>super.checkMulticast</code>
1193 * at the point the overridden method would normally throw an
1194 * exception.
1195 *
1196 * @param maddr Internet group address to be used.
1197 * @exception SecurityException if the calling thread is not allowed to
1198 * use (join/leave/send/receive) IP multicast.
1199 * @exception NullPointerException if the address argument is
1200 * <code>null</code>.
1201 * @since 1.1
1202 * @see #checkPermission(java.security.Permission) checkPermission
1203 */
1204 public void checkMulticast(InetAddress maddr) {
1205 String host = maddr.getHostAddress();
1206 if (!host.startsWith("[") && host.indexOf(':') != -1) {
1207 host = "[" + host + "]";
1208 }
1209 checkPermission(new SocketPermission(host,
1210 SecurityConstants.SOCKET_CONNECT_ACCEPT_ACTION));
1211 }
1212
1213 /**
1214 * Throws a <code>SecurityException</code> if the
1215 * calling thread is not allowed to use
1216 * (join/leave/send/receive) IP multicast.
1217 * <p>
1218 * This method calls <code>checkPermission</code> with the
1219 * <code>java.net.SocketPermission(maddr.getHostAddress(),
1220 * "accept,connect")</code> permission.
1221 * <p>
1222 * If you override this method, then you should make a call to
1223 * <code>super.checkMulticast</code>
1224 * at the point the overridden method would normally throw an
1225 * exception.
1226 *
1227 * @param maddr Internet group address to be used.
1228 * @param ttl value in use, if it is multicast send.
1229 * Note: this particular implementation does not use the ttl
1230 * parameter.
1231 * @exception SecurityException if the calling thread is not allowed to
1232 * use (join/leave/send/receive) IP multicast.
1233 * @exception NullPointerException if the address argument is
1234 * <code>null</code>.
1235 * @since 1.1
1236 * @deprecated Use #checkPermission(java.security.Permission) instead
1237 * @see #checkPermission(java.security.Permission) checkPermission
1238 */
1239 @Deprecated(since="1.4")
1240 public void checkMulticast(InetAddress maddr, byte ttl) {
1241 String host = maddr.getHostAddress();
1242 if (!host.startsWith("[") && host.indexOf(':') != -1) {
1243 host = "[" + host + "]";
1244 }
1245 checkPermission(new SocketPermission(host,
1246 SecurityConstants.SOCKET_CONNECT_ACCEPT_ACTION));
1247 }
1248
1249 /**
1250 * Throws a <code>SecurityException</code> if the
1251 * calling thread is not allowed to access or modify the system
1252 * properties.
1253 * <p>
1254 * This method is used by the <code>getProperties</code> and
1255 * <code>setProperties</code> methods of class <code>System</code>.
1256 * <p>
1257 * This method calls <code>checkPermission</code> with the
1258 * <code>PropertyPermission("*", "read,write")</code> permission.
1259 * <p>
1260 * If you override this method, then you should make a call to
1261 * <code>super.checkPropertiesAccess</code>
1262 * at the point the overridden method would normally throw an
1263 * exception.
1264 *
1265 * @exception SecurityException if the calling thread does not have
1266 * permission to access or modify the system properties.
1267 * @see java.lang.System#getProperties()
1268 * @see java.lang.System#setProperties(java.util.Properties)
1269 * @see #checkPermission(java.security.Permission) checkPermission
1270 */
1271 public void checkPropertiesAccess() {
1272 checkPermission(new PropertyPermission("*",
1273 SecurityConstants.PROPERTY_RW_ACTION));
1274 }
1275
1276 /**
1277 * Throws a <code>SecurityException</code> if the
1278 * calling thread is not allowed to access the system property with
1279 * the specified <code>key</code> name.
1280 * <p>
1281 * This method is used by the <code>getProperty</code> method of
1282 * class <code>System</code>.
1283 * <p>
1284 * This method calls <code>checkPermission</code> with the
1285 * <code>PropertyPermission(key, "read")</code> permission.
1286 * <p>
1287 * If you override this method, then you should make a call to
1288 * <code>super.checkPropertyAccess</code>
1289 * at the point the overridden method would normally throw an
1290 * exception.
1291 *
1292 * @param key a system property key.
1293 *
1294 * @exception SecurityException if the calling thread does not have
1295 * permission to access the specified system property.
1296 * @exception NullPointerException if the <code>key</code> argument is
1297 * <code>null</code>.
1298 * @exception IllegalArgumentException if <code>key</code> is empty.
1299 *
1300 * @see java.lang.System#getProperty(java.lang.String)
1301 * @see #checkPermission(java.security.Permission) checkPermission
1302 */
1303 public void checkPropertyAccess(String key) {
1304 checkPermission(new PropertyPermission(key,
1305 SecurityConstants.PROPERTY_READ_ACTION));
1306 }
1307
1308 /**
1309 * Returns {@code true} if the calling thread has {@code AllPermission}.
1310 *
1311 * @param window not used except to check if it is {@code null}.
1312 * @return {@code true} if the calling thread has {@code AllPermission}.
1313 * @exception NullPointerException if the {@code window} argument is
1314 * {@code null}.
1315 * @deprecated This method was originally used to check if the calling thread
1316 * was trusted to bring up a top-level window. The method has been
1317 * obsoleted and code should instead use {@link #checkPermission}
1318 * to check {@code AWTPermission("showWindowWithoutWarningBanner")}.
1319 * This method is subject to removal in a future version of Java SE.
1320 * @see #checkPermission(java.security.Permission) checkPermission
1321 */
1322 @Deprecated(since="1.8", forRemoval=true)
1323 public boolean checkTopLevelWindow(Object window) {
1324 if (window == null) {
1325 throw new NullPointerException("window can't be null");
1326 }
1327 return hasAllPermission();
1328 }
1329
1330 /**
1331 * Throws a <code>SecurityException</code> if the
1332 * calling thread is not allowed to initiate a print job request.
1333 * <p>
1334 * This method calls
1335 * <code>checkPermission</code> with the
1336 * <code>RuntimePermission("queuePrintJob")</code> permission.
1337 * <p>
1338 * If you override this method, then you should make a call to
1339 * <code>super.checkPrintJobAccess</code>
1340 * at the point the overridden method would normally throw an
1341 * exception.
1342 *
1343 * @exception SecurityException if the calling thread does not have
1344 * permission to initiate a print job request.
1345 * @since 1.1
1346 * @see #checkPermission(java.security.Permission) checkPermission
1347 */
1348 public void checkPrintJobAccess() {
1349 checkPermission(new RuntimePermission("queuePrintJob"));
1350 }
1351
1352 /**
1353 * Throws {@code SecurityException} if the calling thread does
1354 * not have {@code AllPermission}.
1355 *
1356 * @since 1.1
1357 * @exception SecurityException if the calling thread does not have
1358 * {@code AllPermission}
1359 * @deprecated This method was originally used to check if the calling
1360 * thread could access the system clipboard. The method has been
1361 * obsoleted and code should instead use {@link #checkPermission}
1362 * to check {@code AWTPermission("accessClipboard")}.
1363 * This method is subject to removal in a future version of Java SE.
1364 * @see #checkPermission(java.security.Permission) checkPermission
1365 */
1366 @Deprecated(since="1.8", forRemoval=true)
1367 public void checkSystemClipboardAccess() {
1368 checkPermission(SecurityConstants.ALL_PERMISSION);
1369 }
1370
1371 /**
1372 * Throws {@code SecurityException} if the calling thread does
1373 * not have {@code AllPermission}.
1374 *
1375 * @since 1.1
1376 * @exception SecurityException if the calling thread does not have
1377 * {@code AllPermission}
1378 * @deprecated This method was originally used to check if the calling
1379 * thread could access the AWT event queue. The method has been
1380 * obsoleted and code should instead use {@link #checkPermission}
1381 * to check {@code AWTPermission("accessEventQueue")}.
1382 * This method is subject to removal in a future version of Java SE.
1383 * @see #checkPermission(java.security.Permission) checkPermission
1384 */
1385 @Deprecated(since="1.8", forRemoval=true)
1386 public void checkAwtEventQueueAccess() {
1387 checkPermission(SecurityConstants.ALL_PERMISSION);
1388 }
1389
1390 /*
1391 * We have an initial invalid bit (initially false) for the class
1392 * variables which tell if the cache is valid. If the underlying
1393 * java.security.Security property changes via setProperty(), the
1394 * Security class uses reflection to change the variable and thus
1395 * invalidate the cache.
1396 *
1397 * Locking is handled by synchronization to the
1398 * packageAccessLock/packageDefinitionLock objects. They are only
1399 * used in this class.
1400 *
1401 * Note that cache invalidation as a result of the property change
1402 * happens without using these locks, so there may be a delay between
1403 * when a thread updates the property and when other threads updates
1404 * the cache.
1405 */
1406 private static boolean packageAccessValid = false;
1407 private static String[] packageAccess;
1408 private static final Object packageAccessLock = new Object();
1409
1410 private static boolean packageDefinitionValid = false;
1411 private static String[] packageDefinition;
1412 private static final Object packageDefinitionLock = new Object();
1413
1414 private static String[] getPackages(String p) {
1415 String packages[] = null;
1416 if (p != null && !p.equals("")) {
1417 java.util.StringTokenizer tok =
1418 new java.util.StringTokenizer(p, ",");
1419 int n = tok.countTokens();
1420 if (n > 0) {
1421 packages = new String[n];
1422 int i = 0;
1423 while (tok.hasMoreElements()) {
1424 String s = tok.nextToken().trim();
1425 packages[i++] = s;
1426 }
1427 }
1428 }
1429
1430 if (packages == null) {
1431 packages = new String[0];
1432 }
1433 return packages;
1434 }
1435
1436 // The non-exported packages of the modules in the boot layer that are
1437 // loaded by the platform class loader or its ancestors. A non-exported
1438 // package is a package that either is not exported at all by its containing
1439 // module or is exported in a qualified fashion by its containing module.
1440 private static final Set<String> nonExportedPkgs;
1441
1442 static {
1443 // Get the modules in the boot layer
1444 Stream<Module> bootLayerModules = Layer.boot().modules().stream();
1445
1446 // Filter out the modules loaded by the boot or platform loader
1447 PrivilegedAction<Set<Module>> pa = () ->
1448 bootLayerModules.filter(SecurityManager::isBootOrPlatformModule)
1449 .collect(Collectors.toSet());
1450 Set<Module> modules = AccessController.doPrivileged(pa);
1451
1452 // Filter out the non-exported packages
1453 nonExportedPkgs = modules.stream()
1454 .map(Module::getDescriptor)
1455 .map(SecurityManager::nonExportedPkgs)
1456 .flatMap(Set::stream)
1457 .collect(Collectors.toSet());
1458 }
1459
1460 /**
1461 * Called by java.security.Security
1462 */
1463 static void invalidatePackageAccessCache() {
1464 synchronized (packageAccessLock) {
1465 packageAccessValid = false;
1466 }
1467 synchronized (packageDefinitionLock) {
1468 packageDefinitionValid = false;
1469 }
1470 }
1471
1472 /**
1473 * Returns true if the module's loader is the boot or platform loader.
1474 */
1475 private static boolean isBootOrPlatformModule(Module m) {
1476 return m.getClassLoader() == null ||
1477 m.getClassLoader() == ClassLoader.getPlatformClassLoader();
1478 }
1479
1480 /**
1481 * Returns the non-exported packages of the specified module.
1482 */
1483 private static Set<String> nonExportedPkgs(ModuleDescriptor md) {
1484 // start with all packages in the module
1485 Set<String> pkgs = new HashSet<>(md.packages());
1486
1487 // remove the non-qualified exported packages
1488 md.exports().stream()
1489 .filter(p -> !p.isQualified())
1490 .map(Exports::source)
1491 .forEach(pkgs::remove);
1492
1493 // remove the non-qualified open packages
1494 md.opens().stream()
1495 .filter(p -> !p.isQualified())
1496 .map(Opens::source)
1497 .forEach(pkgs::remove);
1498
1499 return pkgs;
1500 }
1501
1502 /**
1503 * Throws a {@code SecurityException} if the calling thread is not allowed
1504 * to access the specified package.
1505 * <p>
1506 * This method is called by the {@code loadClass} method of class loaders.
1507 * <p>
1508 * This method checks if the specified package starts with or equals
1509 * any of the packages in the {@code package.access} Security Property.
1510 * An implementation may also check the package against an additional
1511 * list of restricted packages as noted below. If the package is restricted,
1512 * {@link #checkPermission(Permission)} is called with a
1513 * {@code RuntimePermission("accessClassInPackage."+pkg)} permission.
1514 * <p>
1515 * If this method is overridden, then {@code super.checkPackageAccess}
1516 * should be called as the first line in the overridden method.
1517 *
1518 * @implNote
1519 * This implementation also restricts all non-exported packages of modules
1520 * loaded by {@linkplain ClassLoader#getPlatformClassLoader
1521 * the platform class loader} or its ancestors. A "non-exported package"
1522 * refers to a package that is not exported to all modules. Specifically,
1523 * it refers to a package that either is not exported at all by its
1524 * containing module or is exported in a qualified fashion by its
1525 * containing module.
1526 *
1527 * @param pkg the package name.
1528 * @throws SecurityException if the calling thread does not have
1529 * permission to access the specified package.
1530 * @throws NullPointerException if the package name argument is
1531 * {@code null}.
1532 * @see java.lang.ClassLoader#loadClass(String, boolean) loadClass
1533 * @see java.security.Security#getProperty getProperty
1534 * @see #checkPermission(Permission) checkPermission
1535 */
1536 public void checkPackageAccess(String pkg) {
1537 Objects.requireNonNull(pkg, "package name can't be null");
1538
1539 // check if pkg is not exported to all modules
1540 if (nonExportedPkgs.contains(pkg)) {
1541 checkPermission(
1542 new RuntimePermission("accessClassInPackage." + pkg));
1543 return;
1544 }
1545
1546 String[] restrictedPkgs;
1547 synchronized (packageAccessLock) {
1548 /*
1549 * Do we need to update our property array?
1550 */
1551 if (!packageAccessValid) {
1552 String tmpPropertyStr =
1553 AccessController.doPrivileged(
1554 new PrivilegedAction<>() {
1555 public String run() {
1556 return Security.getProperty("package.access");
1557 }
1558 }
1559 );
1560 packageAccess = getPackages(tmpPropertyStr);
1561 packageAccessValid = true;
1562 }
1563
1564 // Using a snapshot of packageAccess -- don't care if static field
1565 // changes afterwards; array contents won't change.
1566 restrictedPkgs = packageAccess;
1567 }
1568
1569 /*
1570 * Traverse the list of packages, check for any matches.
1571 */
1572 final int plen = pkg.length();
1573 for (String restrictedPkg : restrictedPkgs) {
1574 final int rlast = restrictedPkg.length() - 1;
1575
1576 // Optimizations:
1577 //
1578 // If rlast >= plen then restrictedPkg is longer than pkg by at
1579 // least one char. This means pkg cannot start with restrictedPkg,
1580 // since restrictedPkg will be longer than pkg.
1581 //
1582 // Similarly if rlast != plen, then pkg + "." cannot be the same
1583 // as restrictedPkg, since pkg + "." will have a different length
1584 // than restrictedPkg.
1585 //
1586 if (rlast < plen && pkg.startsWith(restrictedPkg) ||
1587 // The following test is equivalent to
1588 // restrictedPkg.equals(pkg + ".") but is noticeably more
1589 // efficient:
1590 rlast == plen && restrictedPkg.startsWith(pkg) &&
1591 restrictedPkg.charAt(rlast) == '.')
1592 {
1593 checkPermission(
1594 new RuntimePermission("accessClassInPackage." + pkg));
1595 break; // No need to continue; only need to check this once
1596 }
1597 }
1598 }
1599
1600 /**
1601 * Throws a {@code SecurityException} if the calling thread is not
1602 * allowed to define classes in the specified package.
1603 * <p>
1604 * This method is called by the {@code loadClass} method of some
1605 * class loaders.
1606 * <p>
1607 * This method checks if the specified package starts with or equals
1608 * any of the packages in the {@code package.definition} Security
1609 * Property. An implementation may also check the package against an
1610 * additional list of restricted packages as noted below. If the package
1611 * is restricted, {@link #checkPermission(Permission)} is called with a
1612 * {@code RuntimePermission("defineClassInPackage."+pkg)} permission.
1613 * <p>
1614 * If this method is overridden, then {@code super.checkPackageDefinition}
1615 * should be called as the first line in the overridden method.
1616 *
1617 * @implNote
1618 * This implementation also restricts all non-exported packages of modules
1619 * loaded by {@linkplain ClassLoader#getPlatformClassLoader
1620 * the platform class loader} or its ancestors. A "non-exported package"
1621 * refers to a package that is not exported to all modules. Specifically,
1622 * it refers to a package that either is not exported at all by its
1623 * containing module or is exported in a qualified fashion by its
1624 * containing module.
1625 *
1626 * @param pkg the package name.
1627 * @throws SecurityException if the calling thread does not have
1628 * permission to define classes in the specified package.
1629 * @throws NullPointerException if the package name argument is
1630 * {@code null}.
1631 * @see java.lang.ClassLoader#loadClass(String, boolean)
1632 * @see java.security.Security#getProperty getProperty
1633 * @see #checkPermission(Permission) checkPermission
1634 */
1635 public void checkPackageDefinition(String pkg) {
1636 Objects.requireNonNull(pkg, "package name can't be null");
1637
1638 // check if pkg is not exported to all modules
1639 if (nonExportedPkgs.contains(pkg)) {
1640 checkPermission(
1641 new RuntimePermission("defineClassInPackage." + pkg));
1642 return;
1643 }
1644
1645 String[] pkgs;
1646 synchronized (packageDefinitionLock) {
1647 /*
1648 * Do we need to update our property array?
1649 */
1650 if (!packageDefinitionValid) {
1651 String tmpPropertyStr =
1652 AccessController.doPrivileged(
1653 new PrivilegedAction<>() {
1654 public String run() {
1655 return java.security.Security.getProperty(
1656 "package.definition");
1657 }
1658 }
1659 );
1660 packageDefinition = getPackages(tmpPropertyStr);
1661 packageDefinitionValid = true;
1662 }
1663 // Using a snapshot of packageDefinition -- don't care if static
1664 // field changes afterwards; array contents won't change.
1665 pkgs = packageDefinition;
1666 }
1667
1668 /*
1669 * Traverse the list of packages, check for any matches.
1670 */
1671 for (String restrictedPkg : pkgs) {
1672 if (pkg.startsWith(restrictedPkg) || restrictedPkg.equals(pkg + ".")) {
1673 checkPermission(
1674 new RuntimePermission("defineClassInPackage." + pkg));
1675 break; // No need to continue; only need to check this once
1676 }
1677 }
1678 }
1679
1680 /**
1681 * Throws a <code>SecurityException</code> if the
1682 * calling thread is not allowed to set the socket factory used by
1683 * <code>ServerSocket</code> or <code>Socket</code>, or the stream
1684 * handler factory used by <code>URL</code>.
1685 * <p>
1686 * This method calls <code>checkPermission</code> with the
1687 * <code>RuntimePermission("setFactory")</code> permission.
1688 * <p>
1689 * If you override this method, then you should make a call to
1690 * <code>super.checkSetFactory</code>
1691 * at the point the overridden method would normally throw an
1692 * exception.
1693 *
1694 * @exception SecurityException if the calling thread does not have
1695 * permission to specify a socket factory or a stream
1696 * handler factory.
1697 *
1698 * @see java.net.ServerSocket#setSocketFactory(java.net.SocketImplFactory) setSocketFactory
1699 * @see java.net.Socket#setSocketImplFactory(java.net.SocketImplFactory) setSocketImplFactory
1700 * @see java.net.URL#setURLStreamHandlerFactory(java.net.URLStreamHandlerFactory) setURLStreamHandlerFactory
1701 * @see #checkPermission(java.security.Permission) checkPermission
1702 */
1703 public void checkSetFactory() {
1704 checkPermission(new RuntimePermission("setFactory"));
1705 }
1706
1707 /**
1708 * Throws a <code>SecurityException</code> if the
1709 * calling thread is not allowed to access members.
1710 * <p>
1711 * The default policy is to allow access to PUBLIC members, as well
1712 * as access to classes that have the same class loader as the caller.
1713 * In all other cases, this method calls <code>checkPermission</code>
1714 * with the <code>RuntimePermission("accessDeclaredMembers")
1715 * </code> permission.
1716 * <p>
1717 * If this method is overridden, then a call to
1718 * <code>super.checkMemberAccess</code> cannot be made,
1719 * as the default implementation of <code>checkMemberAccess</code>
1720 * relies on the code being checked being at a stack depth of
1721 * 4.
1722 *
1723 * @param clazz the class that reflection is to be performed on.
1724 *
1725 * @param which type of access, PUBLIC or DECLARED.
1726 *
1727 * @exception SecurityException if the caller does not have
1728 * permission to access members.
1729 * @exception NullPointerException if the <code>clazz</code> argument is
1730 * <code>null</code>.
1731 *
1732 * @deprecated This method relies on the caller being at a stack depth
1733 * of 4 which is error-prone and cannot be enforced by the runtime.
1734 * Users of this method should instead invoke {@link #checkPermission}
1735 * directly.
1736 * This method is subject to removal in a future version of Java SE.
1737 *
1738 * @see java.lang.reflect.Member
1739 * @since 1.1
1740 * @see #checkPermission(java.security.Permission) checkPermission
1741 */
1742 @Deprecated(since="1.8", forRemoval=true)
1743 @CallerSensitive
1744 public void checkMemberAccess(Class<?> clazz, int which) {
1745 if (clazz == null) {
1746 throw new NullPointerException("class can't be null");
1747 }
1748 if (which != Member.PUBLIC) {
1749 Class<?> stack[] = getClassContext();
1750 /*
1751 * stack depth of 4 should be the caller of one of the
1752 * methods in java.lang.Class that invoke checkMember
1753 * access. The stack should look like:
1754 *
1755 * someCaller [3]
1756 * java.lang.Class.someReflectionAPI [2]
1757 * java.lang.Class.checkMemberAccess [1]
1758 * SecurityManager.checkMemberAccess [0]
1759 *
1760 */
1761 if ((stack.length<4) ||
1762 (stack[3].getClassLoader() != clazz.getClassLoader())) {
1763 checkPermission(SecurityConstants.CHECK_MEMBER_ACCESS_PERMISSION);
1764 }
1765 }
1766 }
1767
1768 /**
1769 * Determines whether the permission with the specified permission target
1770 * name should be granted or denied.
1771 *
1772 * <p> If the requested permission is allowed, this method returns
1773 * quietly. If denied, a SecurityException is raised.
1774 *
1775 * <p> This method creates a <code>SecurityPermission</code> object for
1776 * the given permission target name and calls <code>checkPermission</code>
1777 * with it.
1778 *
1779 * <p> See the documentation for
1780 * <code>{@link java.security.SecurityPermission}</code> for
1781 * a list of possible permission target names.
1782 *
1783 * <p> If you override this method, then you should make a call to
1784 * <code>super.checkSecurityAccess</code>
1785 * at the point the overridden method would normally throw an
1786 * exception.
1787 *
1788 * @param target the target name of the <code>SecurityPermission</code>.
1789 *
1790 * @exception SecurityException if the calling thread does not have
1791 * permission for the requested access.
1792 * @exception NullPointerException if <code>target</code> is null.
1793 * @exception IllegalArgumentException if <code>target</code> is empty.
1794 *
1795 * @since 1.1
1796 * @see #checkPermission(java.security.Permission) checkPermission
1797 */
1798 public void checkSecurityAccess(String target) {
1799 checkPermission(new SecurityPermission(target));
1800 }
1801
1802 private native Class<?> currentLoadedClass0();
1803
1804 /**
1805 * Returns the thread group into which to instantiate any new
1806 * thread being created at the time this is being called.
1807 * By default, it returns the thread group of the current
1808 * thread. This should be overridden by a specific security
1809 * manager to return the appropriate thread group.
1810 *
1811 * @return ThreadGroup that new threads are instantiated into
1812 * @since 1.1
1813 * @see java.lang.ThreadGroup
1814 */
1815 public ThreadGroup getThreadGroup() {
1816 return Thread.currentThread().getThreadGroup();
1817 }
1818
1819 }