1 /* 2 * Copyright (c) 1997, 2019, Oracle and/or its affiliates. All rights reserved. 3 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. 4 * 5 * This code is free software; you can redistribute it and/or modify it 6 * under the terms of the GNU General Public License version 2 only, as 7 * published by the Free Software Foundation. Oracle designates this 8 * particular file as subject to the "Classpath" exception as provided 9 * by Oracle in the LICENSE file that accompanied this code. 10 * 11 * This code is distributed in the hope that it will be useful, but WITHOUT 12 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or 13 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License 14 * version 2 for more details (a copy is included in the LICENSE file that 15 * accompanied this code). 16 * 17 * You should have received a copy of the GNU General Public License version 18 * 2 along with this work; if not, write to the Free Software Foundation, 19 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. 20 * 21 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA 22 * or visit www.oracle.com if you need additional information or have any 23 * questions. 24 */ 25 26 package java.security; 27 28 import java.io.IOException; 29 import java.io.ObjectInputStream; 30 import java.io.ObjectOutputStream; 31 import java.io.ObjectStreamField; 32 import java.util.Enumeration; 33 import java.util.Hashtable; 34 import java.util.concurrent.ConcurrentHashMap; 35 36 /** 37 * The BasicPermission class extends the Permission class, and 38 * can be used as the base class for permissions that want to 39 * follow the same naming convention as BasicPermission. 40 * <P> 41 * The name for a BasicPermission is the name of the given permission 42 * (for example, "exit", 43 * "setFactory", "print.queueJob", etc). The naming 44 * convention follows the hierarchical property naming convention. 45 * An asterisk may appear by itself, or if immediately preceded by a "." 46 * may appear at the end of the name, to signify a wildcard match. 47 * For example, "*" and "java.*" signify a wildcard match, while "*java", "a*b", 48 * and "java*" do not. 49 * <P> 50 * The action string (inherited from Permission) is unused. 51 * Thus, BasicPermission is commonly used as the base class for 52 * "named" permissions 53 * (ones that contain a name but no actions list; you either have the 54 * named permission or you don't.) 55 * Subclasses may implement actions on top of BasicPermission, 56 * if desired. 57 * 58 * @see java.security.Permission 59 * @see java.security.Permissions 60 * @see java.security.PermissionCollection 61 * @see java.lang.SecurityManager 62 * 63 * @author Marianne Mueller 64 * @author Roland Schemers 65 * @since 1.2 66 */ 67 68 public abstract class BasicPermission extends Permission 69 implements java.io.Serializable 70 { 71 72 @java.io.Serial 73 private static final long serialVersionUID = 6279438298436773498L; 74 75 // does this permission have a wildcard at the end? 76 private transient boolean wildcard; 77 78 // the name without the wildcard on the end 79 private transient String path; 80 81 // is this permission the old-style exitVM permission (pre JDK 1.6)? 82 private transient boolean exitVM; 83 84 /** 85 * initialize a BasicPermission object. Common to all constructors. 86 */ 87 private void init(String name) { 88 if (name == null) 89 throw new NullPointerException("name can't be null"); 90 91 int len = name.length(); 92 93 if (len == 0) { 94 throw new IllegalArgumentException("name can't be empty"); 95 } 96 97 char last = name.charAt(len - 1); 98 99 // Is wildcard or ends with ".*"? 100 if (last == '*' && (len == 1 || name.charAt(len - 2) == '.')) { 101 wildcard = true; 102 if (len == 1) { 103 path = ""; 104 } else { 105 path = name.substring(0, len - 1); 106 } 107 } else { 108 if (name.equals("exitVM")) { 109 wildcard = true; 110 path = "exitVM."; 111 exitVM = true; 112 } else { 113 path = name; 114 } 115 } 116 } 117 118 /** 119 * Creates a new BasicPermission with the specified name. 120 * Name is the symbolic name of the permission, such as 121 * "setFactory", 122 * "print.queueJob", or "topLevelWindow", etc. 123 * 124 * @param name the name of the BasicPermission. 125 * 126 * @throws NullPointerException if {@code name} is {@code null}. 127 * @throws IllegalArgumentException if {@code name} is empty. 128 */ 129 public BasicPermission(String name) { 130 super(name); 131 init(name); 132 } 133 134 135 /** 136 * Creates a new BasicPermission object with the specified name. 137 * The name is the symbolic name of the BasicPermission, and the 138 * actions String is currently unused. 139 * 140 * @param name the name of the BasicPermission. 141 * @param actions ignored. 142 * 143 * @throws NullPointerException if {@code name} is {@code null}. 144 * @throws IllegalArgumentException if {@code name} is empty. 145 */ 146 public BasicPermission(String name, String actions) { 147 super(name); 148 init(name); 149 } 150 151 /** 152 * Checks if the specified permission is "implied" by 153 * this object. 154 * <P> 155 * More specifically, this method returns true if: 156 * <ul> 157 * <li> {@code p}'s class is the same as this object's class, and 158 * <li> {@code p}'s name equals or (in the case of wildcards) 159 * is implied by this object's 160 * name. For example, "a.b.*" implies "a.b.c". 161 * </ul> 162 * 163 * @param p the permission to check against. 164 * 165 * @return true if the passed permission is equal to or 166 * implied by this permission, false otherwise. 167 */ 168 @Override 169 public boolean implies(Permission p) { 170 if ((p == null) || (p.getClass() != getClass())) 171 return false; 172 173 BasicPermission that = (BasicPermission) p; 174 175 if (this.wildcard) { 176 if (that.wildcard) { 177 // one wildcard can imply another 178 return that.path.startsWith(path); 179 } else { 180 // make sure ap.path is longer so a.b.* doesn't imply a.b 181 return (that.path.length() > this.path.length()) && 182 that.path.startsWith(this.path); 183 } 184 } else { 185 if (that.wildcard) { 186 // a non-wildcard can't imply a wildcard 187 return false; 188 } 189 else { 190 return this.path.equals(that.path); 191 } 192 } 193 } 194 195 /** 196 * Checks two BasicPermission objects for equality. 197 * Checks that {@code obj}'s class is the same as this object's class 198 * and has the same name as this object. 199 * 200 * @param obj the object we are testing for equality with this object. 201 * @return true if {@code obj}'s class is the same as this object's class 202 * and has the same name as this BasicPermission object, false otherwise. 203 */ 204 @Override 205 public boolean equals(Object obj) { 206 if (obj == this) 207 return true; 208 209 if ((obj == null) || (obj.getClass() != getClass())) 210 return false; 211 212 BasicPermission bp = (BasicPermission) obj; 213 214 return getName().equals(bp.getName()); 215 } 216 217 218 /** 219 * Returns the hash code value for this object. 220 * The hash code used is the hash code of the name, that is, 221 * {@code getName().hashCode()}, where {@code getName} is 222 * from the Permission superclass. 223 * 224 * @return a hash code value for this object. 225 */ 226 @Override 227 public int hashCode() { 228 return this.getName().hashCode(); 229 } 230 231 /** 232 * Returns the canonical string representation of the actions, 233 * which currently is the empty string "", since there are no actions for 234 * a BasicPermission. 235 * 236 * @return the empty string "". 237 */ 238 @Override 239 public String getActions() { 240 return ""; 241 } 242 243 /** 244 * Returns a new PermissionCollection object for storing BasicPermission 245 * objects. 246 * 247 * <p>BasicPermission objects must be stored in a manner that allows them 248 * to be inserted in any order, but that also enables the 249 * PermissionCollection {@code implies} method 250 * to be implemented in an efficient (and consistent) manner. 251 * 252 * @return a new PermissionCollection object suitable for 253 * storing BasicPermissions. 254 */ 255 @Override 256 public PermissionCollection newPermissionCollection() { 257 return new BasicPermissionCollection(this.getClass()); 258 } 259 260 /** 261 * readObject is called to restore the state of the BasicPermission from 262 * a stream. 263 */ 264 @java.io.Serial 265 private void readObject(ObjectInputStream s) 266 throws IOException, ClassNotFoundException 267 { 268 s.defaultReadObject(); 269 // init is called to initialize the rest of the values. 270 init(getName()); 271 } 272 273 /** 274 * Returns the canonical name of this BasicPermission. 275 * All internal invocations of getName should invoke this method, so 276 * that the pre-JDK 1.6 "exitVM" and current "exitVM.*" permission are 277 * equivalent in equals/hashCode methods. 278 * 279 * @return the canonical name of this BasicPermission. 280 */ 281 final String getCanonicalName() { 282 return exitVM ? "exitVM.*" : getName(); 283 } 284 } 285 286 /** 287 * A BasicPermissionCollection stores a collection 288 * of BasicPermission permissions. BasicPermission objects 289 * must be stored in a manner that allows them to be inserted in any 290 * order, but enable the implies function to evaluate the implies 291 * method in an efficient (and consistent) manner. 292 * 293 * A BasicPermissionCollection handles comparing a permission like "a.b.c.d.e" 294 * with a Permission such as "a.b.*", or "*". 295 * 296 * @see java.security.Permission 297 * @see java.security.Permissions 298 * 299 * 300 * @author Roland Schemers 301 * 302 * @serial include 303 */ 304 305 final class BasicPermissionCollection 306 extends PermissionCollection 307 implements java.io.Serializable 308 { 309 310 @java.io.Serial 311 private static final long serialVersionUID = 739301742472979399L; 312 313 /** 314 * Key is name, value is permission. All permission objects in 315 * collection must be of the same type. 316 * Not serialized; see serialization section at end of class. 317 */ 318 private transient ConcurrentHashMap<String, Permission> perms; 319 320 /** 321 * This is set to {@code true} if this BasicPermissionCollection 322 * contains a BasicPermission with '*' as its permission name. 323 * 324 * @see #serialPersistentFields 325 */ 326 private boolean all_allowed; 327 328 /** 329 * The class to which all BasicPermissions in this 330 * BasicPermissionCollection belong. 331 * 332 * @see #serialPersistentFields 333 */ 334 private Class<?> permClass; 335 336 /** 337 * Create an empty BasicPermissionCollection object. 338 * 339 */ 340 public BasicPermissionCollection(Class<?> clazz) { 341 perms = new ConcurrentHashMap<>(11); 342 all_allowed = false; 343 permClass = clazz; 344 } 345 346 /** 347 * Adds a permission to the BasicPermissions. The key for the hash is 348 * permission.path. 349 * 350 * @param permission the Permission object to add. 351 * 352 * @exception IllegalArgumentException - if the permission is not a 353 * BasicPermission, or if 354 * the permission is not of the 355 * same Class as the other 356 * permissions in this collection. 357 * 358 * @exception SecurityException - if this BasicPermissionCollection object 359 * has been marked readonly 360 */ 361 @Override 362 public void add(Permission permission) { 363 if (! (permission instanceof BasicPermission)) 364 throw new IllegalArgumentException("invalid permission: "+ 365 permission); 366 if (isReadOnly()) 367 throw new SecurityException("attempt to add a Permission to a readonly PermissionCollection"); 368 369 BasicPermission bp = (BasicPermission) permission; 370 371 // make sure we only add new BasicPermissions of the same class 372 // Also check null for compatibility with deserialized form from 373 // previous versions. 374 if (permClass == null) { 375 // adding first permission 376 permClass = bp.getClass(); 377 } else { 378 if (bp.getClass() != permClass) 379 throw new IllegalArgumentException("invalid permission: " + 380 permission); 381 } 382 383 String canonName = bp.getCanonicalName(); 384 perms.put(canonName, permission); 385 386 // No sync on all_allowed; staleness OK 387 if (!all_allowed) { 388 if (canonName.equals("*")) 389 all_allowed = true; 390 } 391 } 392 393 /** 394 * Check and see if this set of permissions implies the permissions 395 * expressed in "permission". 396 * 397 * @param permission the Permission object to compare 398 * 399 * @return true if "permission" is a proper subset of a permission in 400 * the set, false if not. 401 */ 402 @Override 403 public boolean implies(Permission permission) { 404 if (! (permission instanceof BasicPermission)) 405 return false; 406 407 BasicPermission bp = (BasicPermission) permission; 408 409 // random subclasses of BasicPermission do not imply each other 410 if (bp.getClass() != permClass) 411 return false; 412 413 // short circuit if the "*" Permission was added 414 if (all_allowed) 415 return true; 416 417 // strategy: 418 // Check for full match first. Then work our way up the 419 // path looking for matches on a.b..* 420 421 String path = bp.getCanonicalName(); 422 //System.out.println("check "+path); 423 424 Permission x = perms.get(path); 425 426 if (x != null) { 427 // we have a direct hit! 428 return x.implies(permission); 429 } 430 431 // work our way up the tree... 432 int last, offset; 433 434 offset = path.length()-1; 435 436 while ((last = path.lastIndexOf('.', offset)) != -1) { 437 438 path = path.substring(0, last+1) + "*"; 439 //System.out.println("check "+path); 440 441 x = perms.get(path); 442 443 if (x != null) { 444 return x.implies(permission); 445 } 446 offset = last -1; 447 } 448 449 // we don't have to check for "*" as it was already checked 450 // at the top (all_allowed), so we just return false 451 return false; 452 } 453 454 /** 455 * Returns an enumeration of all the BasicPermission objects in the 456 * container. 457 * 458 * @return an enumeration of all the BasicPermission objects. 459 */ 460 @Override 461 public Enumeration<Permission> elements() { 462 return perms.elements(); 463 } 464 465 // Need to maintain serialization interoperability with earlier releases, 466 // which had the serializable field: 467 // 468 // @serial the Hashtable is indexed by the BasicPermission name 469 // 470 // private Hashtable permissions; 471 /** 472 * @serialField permissions java.util.Hashtable 473 * The BasicPermissions in this BasicPermissionCollection. 474 * All BasicPermissions in the collection must belong to the same class. 475 * The Hashtable is indexed by the BasicPermission name; the value 476 * of the Hashtable entry is the permission. 477 * @serialField all_allowed boolean 478 * This is set to {@code true} if this BasicPermissionCollection 479 * contains a BasicPermission with '*' as its permission name. 480 * @serialField permClass java.lang.Class 481 * The class to which all BasicPermissions in this 482 * BasicPermissionCollection belongs. 483 */ 484 @java.io.Serial 485 private static final ObjectStreamField[] serialPersistentFields = { 486 new ObjectStreamField("permissions", Hashtable.class), 487 new ObjectStreamField("all_allowed", Boolean.TYPE), 488 new ObjectStreamField("permClass", Class.class), 489 }; 490 491 /** 492 * @serialData Default fields. 493 */ 494 /* 495 * Writes the contents of the perms field out as a Hashtable for 496 * serialization compatibility with earlier releases. all_allowed 497 * and permClass unchanged. 498 */ 499 @java.io.Serial 500 private void writeObject(ObjectOutputStream out) throws IOException { 501 // Don't call out.defaultWriteObject() 502 503 // Copy perms into a Hashtable 504 Hashtable<String, Permission> permissions = 505 new Hashtable<>(perms.size()*2); 506 507 permissions.putAll(perms); 508 509 // Write out serializable fields 510 ObjectOutputStream.PutField pfields = out.putFields(); 511 pfields.put("all_allowed", all_allowed); 512 pfields.put("permissions", permissions); 513 pfields.put("permClass", permClass); 514 out.writeFields(); 515 } 516 517 /** 518 * readObject is called to restore the state of the 519 * BasicPermissionCollection from a stream. 520 */ 521 @java.io.Serial 522 private void readObject(java.io.ObjectInputStream in) 523 throws IOException, ClassNotFoundException 524 { 525 // Don't call defaultReadObject() 526 527 // Read in serialized fields 528 ObjectInputStream.GetField gfields = in.readFields(); 529 530 // Get permissions 531 // writeObject writes a Hashtable<String, Permission> for the 532 // permissions key, so this cast is safe, unless the data is corrupt. 533 @SuppressWarnings("unchecked") 534 Hashtable<String, Permission> permissions = 535 (Hashtable<String, Permission>)gfields.get("permissions", null); 536 perms = new ConcurrentHashMap<>(permissions.size()*2); 537 perms.putAll(permissions); 538 539 // Get all_allowed 540 all_allowed = gfields.get("all_allowed", false); 541 542 // Get permClass 543 permClass = (Class<?>) gfields.get("permClass", null); 544 545 if (permClass == null) { 546 // set permClass 547 Enumeration<Permission> e = permissions.elements(); 548 if (e.hasMoreElements()) { 549 Permission p = e.nextElement(); 550 permClass = p.getClass(); 551 } 552 } 553 } 554 }