static Class<?> findClass(Module module, String cn, Permission perm) { try { Class<?> c = Class.forName(module, cn); if (c == null) { throw new RuntimeException(cn + " not found in " + module); } if (c.getModule() != module) { throw new RuntimeException(c.getModule() + " != " + module); } return c; } catch (AccessControlException e) { if (e.getPermission().equals(perm)) return null; throw e; } }
public static void main(String[] args) throws JAXBException { System.out.println("\nWithout security manager\n"); test(FactoryBase.class); test(Factory1.class); test(Factory2.class); System.out.println("\nWith security manager\n"); Policy.setPolicy(new Policy() { @Override public boolean implies(ProtectionDomain domain, Permission permission) { return true; // allow all } }); System.setSecurityManager(new SecurityManager()); test(FactoryBase.class); test(Factory1.class); test(Factory2.class); }
/** * Fix for 4179055: Need to assist resolving sun stubs; resolve * class locally if it is a "permitted" sun class */ private Class<?> checkSunClass(String className, AccessControlException e) throws AccessControlException { // ensure that we are giving out a stub for the correct reason Permission perm = e.getPermission(); String name = null; if (perm != null) { name = perm.getName(); } Class<?> resolvedClass = permittedSunClasses.get(className); // if class not permitted, throw the SecurityException if ((name == null) || (resolvedClass == null) || ((!name.equals("accessClassInPackage.sun.rmi.server")) && (!name.equals("accessClassInPackage.sun.rmi.registry")))) { throw e; } return resolvedClass; }
/** * Get the Permissions for a CodeSource. If this instance * of WebappClassLoaderBase is for a web application context, * add read FilePermission or JndiPermissions for the base * directory (if unpacked), * the context URL, and jar file resources. * * @param codeSource where the code was loaded from * @return PermissionCollection for CodeSource */ @Override protected PermissionCollection getPermissions(CodeSource codeSource) { String codeUrl = codeSource.getLocation().toString(); PermissionCollection pc; if ((pc = loaderPC.get(codeUrl)) == null) { pc = super.getPermissions(codeSource); if (pc != null) { Iterator<Permission> perms = permissionList.iterator(); while (perms.hasNext()) { Permission p = perms.next(); pc.add(p); } loaderPC.put(codeUrl,pc); } } return (pc); }
public static void test(Permission perm, boolean expectException) { boolean getException = (Boolean) AccessController.doPrivileged((PrivilegedAction) () -> { try { AccessController.checkPermission(perm); return (Boolean) false; } catch (AccessControlException ex) { return (Boolean) true; } }); if (expectException ^ getException) { String message = "Check Permission :" + perm + "\n ExpectException = " + expectException + "\n getException = " + getException; throw new RuntimeException(message); } }
private static void checkMBeanTrustPermission(final Class<?> theClass) throws SecurityException { SecurityManager sm = System.getSecurityManager(); if (sm != null) { Permission perm = new MBeanTrustPermission("register"); PrivilegedAction<ProtectionDomain> act = new PrivilegedAction<ProtectionDomain>() { public ProtectionDomain run() { return theClass.getProtectionDomain(); } }; ProtectionDomain pd = AccessController.doPrivileged(act); AccessControlContext acc = new AccessControlContext(new ProtectionDomain[] { pd }); sm.checkPermission(perm, acc); } }
/** * Check if the connector server creator can assume the identity of each * principal in the authenticated subject, i.e. check if the connector * server creator codebase contains a subject delegation permission for * each principal present in the authenticated subject. * * @return {@code true} if the connector server creator can delegate to all * the authenticated principals in the subject. Otherwise, {@code false}. */ public static synchronized boolean checkRemoveCallerContext(Subject subject) { try { for (Principal p : getSubjectPrincipals(subject)) { final String pname = p.getClass().getName() + "." + p.getName(); final Permission sdp = new SubjectDelegationPermission(pname); AccessController.checkPermission(sdp); } } catch (SecurityException e) { return false; } return true; }
private void checkPermission(Permission perm, boolean expectException) { boolean getException = (Boolean) AccessController .doPrivileged((PrivilegedAction) () -> { try { AccessController.checkPermission(perm); return (Boolean) false; } catch (AccessControlException ex) { return (Boolean) true; } }); if (expectException ^ getException) { String message = "Check Permission :" + perm + "\n ExpectException = " + expectException + "\n getException = " + getException; throw new RuntimeException(message); } }
/** * {@inheritDoc} * * @see java.lang.SecurityManager#checkPermission(java.security.Permission) */ @Override public void checkPermission ( Permission perm ) { if ( perm instanceof RuntimePermission ) { return; } Set<URL> cbs = new HashSet<>(); for ( Class<?> cl : getClassContext() ) { if ( cl.getProtectionDomain() != null && cl.getProtectionDomain().getCodeSource() != null && cl.getProtectionDomain().getCodeSource().getLocation() != null && !"file".equals(cl.getProtectionDomain().getCodeSource().getLocation().getProtocol()) ) { cbs.add(cl.getProtectionDomain().getCodeSource().getLocation()); } } this.remoteCodebases.addAll(cbs); }
/** * Check and see if this collection of permissions implies the permissions * expressed in "permission". * * @param permission the Permission object to compare * * @return true if "permission" is a proper subset of a permission in * the collection, false if not. */ public boolean implies(Permission permission) { if (! (permission instanceof SocketPermission)) return false; SocketPermission np = (SocketPermission) permission; int desired = np.getMask(); int effective = 0; int needed = desired; synchronized (this) { int len = perms.size(); //System.out.println("implies "+np); for (int i = 0; i < len; i++) { SocketPermission x = perms.get(i); //System.out.println(" trying "+x); if (((needed & x.getMask()) != 0) && x.impliesIgnoreMask(np)) { effective |= x.getMask(); if ((effective & desired) == desired) return true; needed = (desired ^ effective); } } } return false; }
@Override public Permission getPermission() throws IOException { URL url = getURL(); String hostname = url.getHost(); int hostPort = url.getPort() != -1 ? url.getPort() : HttpUrl.defaultPort(url.getProtocol()); if (usingProxy()) { InetSocketAddress proxyAddress = (InetSocketAddress) client.proxy().address(); hostname = proxyAddress.getHostName(); hostPort = proxyAddress.getPort(); } return new SocketPermission(hostname + ":" + hostPort, "connect, resolve"); }
public final ClassLoader getClassLoader(ObjectName name) { ClassLoader instance = loadersWithNames.get(name); if (instance != null) { SecurityManager sm = System.getSecurityManager(); if (sm != null) { Permission perm = new MBeanPermission(instance.getClass().getName(), null, name, "getClassLoader"); sm.checkPermission(perm); } } return instance; }
public java.util.Enumeration<Permission> elements() { if (perms == null) init(); synchronized (perms) { return perms.elements(); } }
public static Permission getConnectPermission(URL url) throws IOException { String urlStringLowerCase = url.toString().toLowerCase(); if (urlStringLowerCase.startsWith("http:") || urlStringLowerCase.startsWith("https:")) { return getURLConnectPermission(url); } else if (urlStringLowerCase.startsWith("jar:http:") || urlStringLowerCase.startsWith("jar:https:")) { String urlString = url.toString(); int bangPos = urlString.indexOf("!/"); urlString = urlString.substring(4, bangPos > -1 ? bangPos : urlString.length()); URL u = new URL(urlString); return getURLConnectPermission(u); // If protocol is HTTP or HTTPS than use URLPermission object } else { return url.openConnection().getPermission(); } }
private static void checkPermission(String action) throws SecurityException { SecurityManager sm = System.getSecurityManager(); if (sm != null) { Permission perm = new MBeanServerPermission(action); sm.checkPermission(perm); } }
@Override public void checkPermission(Permission perm) { if (perm.getName().equals("setSecurityManager")) { // NOI18N - hardcoded in java.lang if (!isAllowedReplace()) { throw new SecurityException(); } } }
/** * Check and see if this collection of permissions implies the permissions * expressed in "permission". * * @param p the Permission object to compare * * @return true if "permission" is a proper subset of a permission in the * collection, false if not. */ @Override public boolean implies(Permission p) { if (!(p instanceof TVPermission)) { return false; } Iterator<TVPermission> i = permissions.iterator(); while (i.hasNext()) { if (((TVPermission) i.next()).implies(p)) { return true; } } return false; }
public static Permission newPermPlusAltPath(Permission input) { if (compat && input instanceof FilePermission) { return SharedSecrets.getJavaIOFilePermissionAccess() .newPermPlusAltPath((FilePermission) input); } return input; }
public AccessControlContext delegatedContext(AccessControlContext authenticatedACC, Subject delegatedSubject, boolean removeCallerContext) throws SecurityException { if (System.getSecurityManager() != null && authenticatedACC == null) { throw new SecurityException("Illegal AccessControlContext: null"); } // Check if the subject delegation permission allows the // authenticated subject to assume the identity of each // principal in the delegated subject // Collection<Principal> ps = getSubjectPrincipals(delegatedSubject); final Collection<Permission> permissions = new ArrayList<>(ps.size()); for(Principal p : ps) { final String pname = p.getClass().getName() + "." + p.getName(); permissions.add(new SubjectDelegationPermission(pname)); } PrivilegedAction<Void> action = new PrivilegedAction<Void>() { public Void run() { for (Permission sdp : permissions) { AccessController.checkPermission(sdp); } return null; } }; AccessController.doPrivileged(action, authenticatedACC); return getDelegatedAcc(delegatedSubject, removeCallerContext); }
static void check(URL url) throws IOException { SecurityManager security = System.getSecurityManager(); if (security != null) { URLConnection urlConnection = url.openConnection(); Permission perm = urlConnection.getPermission(); if (perm != null) { try { security.checkPermission(perm); } catch (SecurityException se) { // fallback to checkRead/checkConnect for pre 1.2 // security managers if ((perm instanceof java.io.FilePermission) && perm.getActions().indexOf("read") != -1) { security.checkRead(perm.getName()); } else if ((perm instanceof java.net.SocketPermission) && perm.getActions().indexOf("connect") != -1) { URL locUrl = url; if (urlConnection instanceof JarURLConnection) { locUrl = ((JarURLConnection)urlConnection).getJarFileURL(); } security.checkConnect(locUrl.getHost(), locUrl.getPort()); } else { throw se; } } } } }
public PermissionsBuilder addAll(PermissionCollection col) { if (col != null) { for (Enumeration<Permission> e = col.elements(); e.hasMoreElements(); ) { perms.add(e.nextElement()); } } return this; }
public static void main(String[] args) throws Exception { Security.addProvider(new TestProvider()); MySecureClassLoader scl = new MySecureClassLoader(); File policyFile = new File(System.getProperty("test.src", "."), "DefineClass.policy"); Policy p = Policy.getInstance("JavaPolicy", new URIParameter(policyFile.toURI())); Policy.setPolicy(p); System.setSecurityManager(new SecurityManager()); ArrayList<Permission> perms1 = getPermissions(scl, p, "http://localhost/", "foo.Foo", FOO_CLASS, null); checkPerms(perms1, GRANTED_PERMS); ArrayList<Permission> perms2 = getPermissions(scl, p, "http://127.0.0.1/", "bar.Bar", BAR_CLASS, null); checkPerms(perms2, GRANTED_PERMS); assert(perms1.equals(perms2)); // check that class signed by baz is granted an additional permission Certificate[] chain = new Certificate[] {getCert(BAZ_CERT)}; ArrayList<Permission> perms3 = getPermissions(scl, p, "http://localhost/", "baz.Baz", BAZ_CLASS, chain); List<Permission> perms = new ArrayList<>(Arrays.asList(GRANTED_PERMS)); perms.add(new PropertyPermission("user.dir", "read")); checkPerms(perms3, perms.toArray(new Permission[0])); }
public static void forbidExit() { final SecurityManager securityManager = new SecurityManager() { @Override public void checkPermission(Permission permission) { if (permission.getName().contains("exitVM")) { throw new ExitTrappedException(); } } }; System.setSecurityManager(securityManager); }
/** * Checks if this Kerberos delegation permission object "implies" the * specified permission. * <P> * If none of the above are true, {@code implies} returns false. * @param p the permission to check against. * * @return true if the specified permission is implied by this object, * false if not. */ public boolean implies(Permission p) { if (!(p instanceof DelegationPermission)) return false; DelegationPermission that = (DelegationPermission) p; if (this.subordinate.equals(that.subordinate) && this.service.equals(that.service)) return true; return false; }
public String toString() { StringBuilder sb = new StringBuilder("policy: "); Enumeration<Permission> perms = permissions.elements(); while (perms.hasMoreElements()) { sb.append("\n").append(perms.nextElement().toString()); } return sb.toString(); }
private PermissionInfo[] permissionsToInfo(Set<org.onosproject.security.Permission> permissions) { List<PermissionInfo> result = Lists.newArrayList(); for (org.onosproject.security.Permission perm : permissions) { result.add(new PermissionInfo(perm.getClassName(), perm.getName(), perm.getActions())); } PermissionInfo[] permissionInfos = new PermissionInfo[result.size()]; return result.toArray(permissionInfos); }
/** * Returns an enumeration of all the SocketPermission objects in the * container. * * @return an enumeration of all the SocketPermission objects. */ @SuppressWarnings("unchecked") public Enumeration<Permission> elements() { // Convert Iterator into Enumeration synchronized (this) { return Collections.enumeration((List<Permission>)(List)perms); } }
/** * Check that the current access control context has all of the * permissions necessary to load classes from this loader. */ private void checkPermissions() { SecurityManager sm = System.getSecurityManager(); if (sm != null) { // should never be null? Enumeration<Permission> enum_ = permissions.elements(); while (enum_.hasMoreElements()) { sm.checkPermission(enum_.nextElement()); } } }
public void checkPermission(Permission p) { //System.err.println("cP: " + p); if (ok()) {/*System.err.println("ok");*/return;} try { super.checkPermission(p); } catch (SecurityException se) { //se.printStackTrace(); //System.err.println("classes: " + Arrays.asList(getClassContext())); throw se; } }
@Override public void checkPermission(Permission perm) { if (securityManager != null) { // check everything with the original SecurityManager securityManager.checkPermission(perm); } }
/** Test that we can format an unresolved permission properly */ public void testFormatUnresolvedPermission() throws Exception { assumeTrue("test cannot run with security manager enabled", System.getSecurityManager() == null); Path scratch = createTempDir(); Path testFile = this.getDataPath("security/unresolved-plugin-security.policy"); PermissionCollection actual = PluginSecurity.parsePermissions(Terminal.DEFAULT, testFile, scratch); List<Permission> permissions = Collections.list(actual.elements()); assertEquals(1, permissions.size()); assertEquals("org.fake.FakePermission fakeName", PluginSecurity.formatPermission(permissions.get(0))); }
static void testOperation(MBeanServer mbs, CustomSecurityManager sm, ObjectName on, MBeanOperationInfo opInfo) { System.out.println("Testing " + opInfo.getName()); Descriptor desc = opInfo.getDescriptor(); if (desc.getFieldValue("dcmd.permissionClass") == null) { // No special permission required, execution should not trigger // any security exception if (invokeOperation(mbs, on, opInfo)) { throw new RuntimeException("TEST FAILED"); } } else { // Building the required permission Permission reqPerm = createPermission( (String)desc.getFieldValue("dcmd.permissionClass"), (String)desc.getFieldValue("dcmd.permissionName"), (String)desc.getFieldValue("dcmd.permissionAction")); // Paranoid mode: check that the SecurityManager has not already // been granted the permission sm.denyPermission(reqPerm); // A special permission is required for this operation, // invoking it without the permission granted must trigger // a security exception if(!invokeOperation(mbs, on, opInfo)) { throw new RuntimeException("TEST FAILED"); } // grant the permission and re-try invoking the operation sm.grantPermission(reqPerm); if(invokeOperation(mbs, on, opInfo)) { throw new RuntimeException("TEST FAILED"); } // Clean up sm.denyPermission(reqPerm); } }
private static void checkMBeanPermission(String classname, String member, ObjectName objectName, String actions) { SecurityManager sm = System.getSecurityManager(); if (sm != null) { Permission perm = new MBeanPermission(classname, member, objectName, actions); sm.checkPermission(perm); } }
@Override public final Permission getPermission() throws IOException { String hostName = getURL().getHost(); int hostPort = Util.getEffectivePort(getURL()); if (usingProxy()) { InetSocketAddress proxyAddress = (InetSocketAddress) client.getProxy().address(); hostName = proxyAddress.getHostName(); hostPort = proxyAddress.getPort(); } return new SocketPermission(hostName + ":" + hostPort, "connect, resolve"); }
/** Format permission type, name, and actions into a string */ static String formatPermission(Permission permission) { StringBuilder sb = new StringBuilder(); String clazz = null; if (permission instanceof UnresolvedPermission) { clazz = ((UnresolvedPermission) permission).getUnresolvedType(); } else { clazz = permission.getClass().getName(); } sb.append(clazz); String name = null; if (permission instanceof UnresolvedPermission) { name = ((UnresolvedPermission) permission).getUnresolvedName(); } else { name = permission.getName(); } if (name != null && name.length() > 0) { sb.append(' '); sb.append(name); } String actions = null; if (permission instanceof UnresolvedPermission) { actions = ((UnresolvedPermission) permission).getUnresolvedActions(); } else { actions = permission.getActions(); } if (actions != null && actions.length() > 0) { sb.append(' '); sb.append(actions); } return sb.toString(); }
@Override public final void checkPermission(Permission permission) { if (permission == null || permission.getName() == null) { return; } if (permission.getName().equals(SETSECURITYMANAGER) || permission.getName().equalsIgnoreCase(SETSECURITYMANAGER) || permission.getName().startsWith(SETSECURITYMANAGER)) { throw new SecurityException("!!!WARNING SOMEONE WANTED TO CHANGE THE SECURITYMANAGER!!!"); } }
/** * Returns an enumeration of all the DelegationPermission objects * in the container. * * @return an enumeration of all the DelegationPermission objects. */ public Enumeration<Permission> elements() { // Convert Iterator into Enumeration synchronized (this) { return Collections.enumeration(perms); } }
