
src/java.base/share/classes/java/net/URLPermission.java





 134  * The second example specifies one request method and two headers. The third
 135  * example specifies two request methods, and two headers.
 136  * <p>
 137  * The colon separator need not be present if the request headers list is empty.
 138  * No white-space is permitted in the actions string. The action strings supplied to
 139  * the URLPermission constructors are case-insensitive and are normalized by converting
 140  * method names to upper-case and header names to the form defines in RFC2616 (lower case
 141  * with initial letter of each word capitalized). Either list can contain a wild-card '*'
 142  * character which signifies all request methods or headers respectively.
 143  * <p>
 144  * Note. Depending on the context of use, some request methods and headers may be permitted
 145  * at all times, and others may not be permitted at any time. For example, the
 146  * HTTP protocol handler might disallow certain headers such as Content-Length
 147  * from being set by application code, regardless of whether the security policy
 148  * in force, permits it.
 149  *
 150  * @since 1.8
 151  */
 152 public final class URLPermission extends Permission {
 153 

 154     private static final long serialVersionUID = -2702463814894478682L;
 155 
 156     private transient String scheme;
 157     private transient String ssp;                 // scheme specific part
 158     private transient String path;
 159     private transient List<String> methods;
 160     private transient List<String> requestHeaders;
 161     private transient Authority authority;
 162 
 163     // serialized field
 164     private String actions;
 165 
 166     /**
 167      * Creates a new URLPermission from a url string and which permits the given
 168      * request methods and user-settable request headers.
 169      * The name of the permission is the url string it was created with. Only the scheme,
 170      * authority and path components of the url are used internally. Any fragment or query
 171      * components are ignored. The permissions action string is as specified above.
 172      *
 173      * @param url the url string


 488         if (delim == -1) {
 489             this.path = "";
 490             auth = authpath;
 491         } else {
 492             auth = authpath.substring(0, delim);
 493             this.path = authpath.substring(delim);
 494         }
 495         this.authority = new Authority(scheme, auth.toLowerCase());
 496     }
 497 
 498     private String actions() {
 499         // The colon separator is optional when the request headers list is
 500         // empty.This implementation chooses to include it even when the request
 501         // headers list is empty.
 502         return String.join(",", methods) + ":" + String.join(",", requestHeaders);
 503     }
 504 
 505     /**
 506      * restore the state of this object from stream
 507      */

 508     private void readObject(ObjectInputStream s)
 509         throws IOException, ClassNotFoundException {
 510         ObjectInputStream.GetField fields = s.readFields();
 511         String actions = (String)fields.get("actions", null);
 512 
 513         init(actions);
 514     }
 515 
 516     static class Authority {
 517         HostPortrange p;
 518 
 519         Authority(String scheme, String authority) {
 520             int at = authority.indexOf('@');
 521             if (at == -1) {
 522                     p = new HostPortrange(scheme, authority);
 523             } else {
 524                     p = new HostPortrange(scheme, authority.substring(at+1));
 525             }
 526         }
 527 




 134  * The second example specifies one request method and two headers. The third
 135  * example specifies two request methods, and two headers.
 136  * <p>
 137  * The colon separator need not be present if the request headers list is empty.
 138  * No white-space is permitted in the actions string. The action strings supplied to
 139  * the URLPermission constructors are case-insensitive and are normalized by converting
 140  * method names to upper-case and header names to the form defines in RFC2616 (lower case
 141  * with initial letter of each word capitalized). Either list can contain a wild-card '*'
 142  * character which signifies all request methods or headers respectively.
 143  * <p>
 144  * Note. Depending on the context of use, some request methods and headers may be permitted
 145  * at all times, and others may not be permitted at any time. For example, the
 146  * HTTP protocol handler might disallow certain headers such as Content-Length
 147  * from being set by application code, regardless of whether the security policy
 148  * in force, permits it.
 149  *
 150  * @since 1.8
 151  */
 152 public final class URLPermission extends Permission {
 153 
 154     @java.io.Serial
 155     private static final long serialVersionUID = -2702463814894478682L;
 156 
 157     private transient String scheme;
 158     private transient String ssp;                 // scheme specific part
 159     private transient String path;
 160     private transient List<String> methods;
 161     private transient List<String> requestHeaders;
 162     private transient Authority authority;
 163 
 164     // serialized field
 165     private String actions;
 166 
 167     /**
 168      * Creates a new URLPermission from a url string and which permits the given
 169      * request methods and user-settable request headers.
 170      * The name of the permission is the url string it was created with. Only the scheme,
 171      * authority and path components of the url are used internally. Any fragment or query
 172      * components are ignored. The permissions action string is as specified above.
 173      *
 174      * @param url the url string


 489         if (delim == -1) {
 490             this.path = "";
 491             auth = authpath;
 492         } else {
 493             auth = authpath.substring(0, delim);
 494             this.path = authpath.substring(delim);
 495         }
 496         this.authority = new Authority(scheme, auth.toLowerCase());
 497     }
 498 
 499     private String actions() {
 500         // The colon separator is optional when the request headers list is
 501         // empty.This implementation chooses to include it even when the request
 502         // headers list is empty.
 503         return String.join(",", methods) + ":" + String.join(",", requestHeaders);
 504     }
 505 
 506     /**
 507      * restore the state of this object from stream
 508      */
 509     @java.io.Serial
 510     private void readObject(ObjectInputStream s)
 511         throws IOException, ClassNotFoundException {
 512         ObjectInputStream.GetField fields = s.readFields();
 513         String actions = (String)fields.get("actions", null);
 514 
 515         init(actions);
 516     }
 517 
 518     static class Authority {
 519         HostPortrange p;
 520 
 521         Authority(String scheme, String authority) {
 522             int at = authority.indexOf('@');
 523             if (at == -1) {
 524                     p = new HostPortrange(scheme, authority);
 525             } else {
 526                     p = new HostPortrange(scheme, authority.substring(at+1));
 527             }
 528         }
 529 
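Review bot: `readObject` (new lines 510-516) passes the stream-supplied `actions` field straight to `init`, with a `null` default and no validation, and the `@java.io.Serial` annotation added above it only marks the method for compile-time checking. `init` is outside the visible lines, so this is an inference: if it dereferences `actions` or rejects a malformed string with `IllegalArgumentException`, a truncated or hand-crafted stream would surface as an unchecked exception rather than a deserialization failure. I would add `if (actions == null) throw new InvalidObjectException("actions is null");` before the `init(actions)` call, which needs `java.io.InvalidObjectException` imported. I would also rethrow any `IllegalArgumentException` from `init` as `InvalidObjectException`, so callers handling untrusted streams see a single checked failure type. A one-line comment on `readObject` noting that the transient fields are rebuilt by re-parsing the permission name and `actions` would also help the next reader.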

