134 * The second example specifies one request method and two headers. The third
135 * example specifies two request methods, and two headers.
136 * <p>
137 * The colon separator need not be present if the request headers list is empty.
138 * No white-space is permitted in the actions string. The action strings supplied to
139 * the URLPermission constructors are case-insensitive and are normalized by converting
140 * method names to upper-case and header names to the form defines in RFC2616 (lower case
141 * with initial letter of each word capitalized). Either list can contain a wild-card '*'
142 * character which signifies all request methods or headers respectively.
143 * <p>
144 * Note. Depending on the context of use, some request methods and headers may be permitted
145 * at all times, and others may not be permitted at any time. For example, the
146 * HTTP protocol handler might disallow certain headers such as Content-Length
147 * from being set by application code, regardless of whether the security policy
148 * in force, permits it.
149 *
150 * @since 1.8
151 */
152 public final class URLPermission extends Permission {
153
154 private static final long serialVersionUID = -2702463814894478682L;
155
156 private transient String scheme;
157 private transient String ssp; // scheme specific part
158 private transient String path;
159 private transient List<String> methods;
160 private transient List<String> requestHeaders;
161 private transient Authority authority;
162
163 // serialized field
164 private String actions;
165
166 /**
167 * Creates a new URLPermission from a url string and which permits the given
168 * request methods and user-settable request headers.
169 * The name of the permission is the url string it was created with. Only the scheme,
170 * authority and path components of the url are used internally. Any fragment or query
171 * components are ignored. The permissions action string is as specified above.
172 *
173 * @param url the url string
488 if (delim == -1) {
489 this.path = "";
490 auth = authpath;
491 } else {
492 auth = authpath.substring(0, delim);
493 this.path = authpath.substring(delim);
494 }
495 this.authority = new Authority(scheme, auth.toLowerCase());
496 }
497
498 private String actions() {
499 // The colon separator is optional when the request headers list is
500 // empty.This implementation chooses to include it even when the request
501 // headers list is empty.
502 return String.join(",", methods) + ":" + String.join(",", requestHeaders);
503 }
504
505 /**
506 * restore the state of this object from stream
507 */
508 private void readObject(ObjectInputStream s)
509 throws IOException, ClassNotFoundException {
510 ObjectInputStream.GetField fields = s.readFields();
511 String actions = (String)fields.get("actions", null);
512
513 init(actions);
514 }
515
516 static class Authority {
517 HostPortrange p;
518
519 Authority(String scheme, String authority) {
520 int at = authority.indexOf('@');
521 if (at == -1) {
522 p = new HostPortrange(scheme, authority);
523 } else {
524 p = new HostPortrange(scheme, authority.substring(at+1));
525 }
526 }
527
|
134 * The second example specifies one request method and two headers. The third
135 * example specifies two request methods, and two headers.
136 * <p>
137 * The colon separator need not be present if the request headers list is empty.
138 * No white-space is permitted in the actions string. The action strings supplied to
139 * the URLPermission constructors are case-insensitive and are normalized by converting
140 * method names to upper-case and header names to the form defines in RFC2616 (lower case
141 * with initial letter of each word capitalized). Either list can contain a wild-card '*'
142 * character which signifies all request methods or headers respectively.
143 * <p>
144 * Note. Depending on the context of use, some request methods and headers may be permitted
145 * at all times, and others may not be permitted at any time. For example, the
146 * HTTP protocol handler might disallow certain headers such as Content-Length
147 * from being set by application code, regardless of whether the security policy
148 * in force, permits it.
149 *
150 * @since 1.8
151 */
152 public final class URLPermission extends Permission {
153
154 @java.io.Serial
155 private static final long serialVersionUID = -2702463814894478682L;
156
157 private transient String scheme;
158 private transient String ssp; // scheme specific part
159 private transient String path;
160 private transient List<String> methods;
161 private transient List<String> requestHeaders;
162 private transient Authority authority;
163
164 // serialized field
165 private String actions;
166
167 /**
168 * Creates a new URLPermission from a url string and which permits the given
169 * request methods and user-settable request headers.
170 * The name of the permission is the url string it was created with. Only the scheme,
171 * authority and path components of the url are used internally. Any fragment or query
172 * components are ignored. The permissions action string is as specified above.
173 *
174 * @param url the url string
489 if (delim == -1) {
490 this.path = "";
491 auth = authpath;
492 } else {
493 auth = authpath.substring(0, delim);
494 this.path = authpath.substring(delim);
495 }
496 this.authority = new Authority(scheme, auth.toLowerCase());
497 }
498
499 private String actions() {
500 // The colon separator is optional when the request headers list is
501 // empty.This implementation chooses to include it even when the request
502 // headers list is empty.
503 return String.join(",", methods) + ":" + String.join(",", requestHeaders);
504 }
505
506 /**
507 * restore the state of this object from stream
508 */
509 @java.io.Serial
510 private void readObject(ObjectInputStream s)
511 throws IOException, ClassNotFoundException {
512 ObjectInputStream.GetField fields = s.readFields();
513 String actions = (String)fields.get("actions", null);
514
515 init(actions);
516 }
517
518 static class Authority {
519 HostPortrange p;
520
521 Authority(String scheme, String authority) {
522 int at = authority.indexOf('@');
523 if (at == -1) {
524 p = new HostPortrange(scheme, authority);
525 } else {
526 p = new HostPortrange(scheme, authority.substring(at+1));
527 }
528 }
529
|
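Review bot: In the new-side `readObject` (new lines 509-516), `fields.get("actions", null)` returns `null` when the stream omits the field, and that value is passed straight to `init(actions)` with no check in the visible lines. The serialized form is untrusted input wherever this permission is deserialized, so a missing or malformed `actions` should be rejected with a serialization error rather than whatever `init` happens to throw, e.g. `if (actions == null) throw new java.io.InvalidObjectException("actions is null");` placed before the `init` call. `init` is outside the visible lines, so it may already validate; if it signals bad input with `IllegalArgumentException`, it is worth catching that here and rethrowing as `InvalidObjectException` with the cause attached. It would also help to extend the one-line Javadoc to say that all transient fields are rebuilt from `actions` (and, presumably, the permission name; confirm against `init`), since only `actions` is serialized.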