/**
 * Returns the permissions for code loaded from the given {@link CodeSource}.
 * <p>
 * The collection produced by {@code super.getPermissions(codeSource)} is extended
 * with every entry of {@code permissionList} and then cached in {@code loaderPC},
 * keyed by the string form of the code source location. Later calls for the same
 * location return the cached collection without consulting the superclass again.
 * Per the original description, {@code permissionList} carries the read
 * FilePermission or JndiPermission entries for the base directory (if unpacked),
 * the context URL and jar file resources; it is populated elsewhere.
 * <p>
 * NOTE(review): the cached collection is returned by reference, so every caller
 * asking for the same location receives the same instance. The location is
 * dereferenced without a null check, so a CodeSource with a null location
 * fails with a NullPointerException here.
 *
 * @param codeSource where the code was loaded from
 * @return PermissionCollection for CodeSource, or {@code null} when the
 *         superclass returns {@code null}
 */
@Override
protected PermissionCollection getPermissions(CodeSource codeSource) {
    final String locationKey = codeSource.getLocation().toString();

    PermissionCollection cached = loaderPC.get(locationKey);
    if (cached != null) {
        return cached;
    }

    PermissionCollection granted = super.getPermissions(codeSource);
    if (granted == null) {
        // Nothing to extend and nothing to cache.
        return null;
    }

    for (Permission extra : permissionList) {
        granted.add(extra);
    }
    loaderPC.put(locationKey, granted);
    return granted;
}
/**
 * Asserts that {@code actual} grants exactly the actions named by {@code expected}
 * for its path: every action listed must be implied, and every known action that
 * is not listed must be denied.
 * <p>
 * The known actions are read, readlink, write, delete and execute. Any other
 * action string in {@code expected} fails the assertion before the collection is
 * queried, so a new action name cannot slip through unchecked.
 *
 * @param expected the path and the exact set of actions that should be granted
 * @param actual   the permission collection under test
 */
static void assertExactPermissions(FilePermission expected, PermissionCollection actual) {
    String path = expected.getName();
    // getActions() returns a comma-separated list (see the FilePermission javadocs).
    Set<String> remaining = asSet(expected.getActions().split(","));

    String[] knownActions = {"read", "readlink", "write", "delete", "execute"};
    boolean[] shouldBeGranted = new boolean[knownActions.length];
    for (int i = 0; i < knownActions.length; i++) {
        shouldBeGranted[i] = remaining.remove(knownActions[i]);
    }

    assertTrue("unrecognized permission: " + remaining, remaining.isEmpty());

    // Check both directions: granted actions are implied, all others are not.
    for (int i = 0; i < knownActions.length; i++) {
        assertEquals(shouldBeGranted[i], actual.implies(new FilePermission(path, knownActions[i])));
    }
}
/**
 * Looks up, and on first use builds, the permission collection for a code source.
 * <p>
 * On a cache miss the superclass result is extended with all entries of
 * {@code permissionList} and stored in {@code loaderPC} under the location URL
 * string. Per the original description, those entries are the read FilePermission
 * or JndiPermissions for the base directory (if unpacked), the context URL and
 * jar file resources of a web application context.
 * <p>
 * NOTE(review): the stored collection itself is returned, not a copy, and
 * {@code codeSource.getLocation()} is used without a null check.
 *
 * @param codeSource where the code was loaded from
 * @return PermissionCollection for CodeSource; {@code null} if the superclass
 *         returns {@code null}
 */
@Override
protected PermissionCollection getPermissions(CodeSource codeSource) {
    String key = codeSource.getLocation().toString();
    PermissionCollection result = loaderPC.get(key);
    if (result == null) {
        result = super.getPermissions(codeSource);
        if (result != null) {
            for (Iterator<Permission> it = permissionList.iterator(); it.hasNext();) {
                result.add(it.next());
            }
            // Cache only a fully populated collection.
            loaderPC.put(key, result);
        }
    }
    return result;
}
/**
 * Returns the permissions the current policy grants to a code source that has
 * neither a location nor certificates, i.e. the permissions granted to all code.
 * <p>
 * The approach is taken from the similar method getLoaderAccessControlContext()
 * in the class sun.rmi.server.LoaderHandler. The policy is read inside a
 * privileged action; when no policy is installed an empty {@link Permissions}
 * object is returned.
 *
 * @return the globally granted permissions, or an empty collection without a policy
 */
private static PermissionCollection getExecPermissions() {
    PrivilegedAction<PermissionCollection> readGlobalGrants =
        new PrivilegedAction<PermissionCollection>() {
            public PermissionCollection run() {
                // Null location and null certificates: matches grants made to all code.
                CodeSource anyCode = new CodeSource(null, (Certificate[]) null);
                Policy installed = Policy.getPolicy();
                return (installed == null)
                    ? new Permissions()
                    : installed.getPermissions(anyCode);
            }
        };
    return AccessController.doPrivileged(readGlobalGrants);
}
/**
 * Get the Permissions for a CodeSource.
 * <p>
 * The first call refreshes the installed security policy and records that in
 * {@code policy_refresh}. After that, the superclass result for the code source
 * is extended with every entry of {@code permissionList} and cached in
 * {@code loaderPC} under the location URL string. Per the original description,
 * those entries are read FilePermissions for the base directory (if unpacked),
 * the context URL and jar file resources of a web application context.
 * <p>
 * NOTE(review): the refresh flag is read and written without synchronization in
 * this method, the cached collection is returned by reference, and neither
 * {@code Policy.getPolicy()} nor {@code codeSource.getLocation()} is
 * null-checked.
 *
 * @param codeSource where the code was loaded from
 * @return PermissionCollection for CodeSource, or {@code null} when the
 *         superclass returns {@code null}
 */
protected final PermissionCollection getPermissions(CodeSource codeSource) {
    if (!policy_refresh) {
        // Refresh the security policies once, before the first lookup.
        Policy.getPolicy().refresh();
        policy_refresh = true;
    }

    String locationKey = codeSource.getLocation().toString();
    PermissionCollection known = (PermissionCollection) loaderPC.get(locationKey);
    if (known != null) {
        return known;
    }

    PermissionCollection built = super.getPermissions(codeSource);
    if (built != null) {
        for (Iterator it = permissionList.iterator(); it.hasNext();) {
            built.add((Permission) it.next());
        }
        loaderPC.put(locationKey, built);
    }
    return built;
}
/**
 * Get the Permissions for a CodeSource.
 * <p>
 * On a cache miss the superclass result is extended with every entry of
 * {@code permissionList} and stored in {@code loaderPC} under the location URL
 * string. Per the original description, those entries are the read FilePermission
 * or JndiPermissions for the base directory (if unpacked), the context URL and
 * jar file resources of a web application context.
 * <p>
 * NOTE(review): the same cached instance is returned to every caller for a
 * location, and {@code codeSource.getLocation()} is not null-checked.
 *
 * @param codeSource where the code was loaded from
 * @return PermissionCollection for CodeSource, or {@code null} when the
 *         superclass returns {@code null}
 */
protected PermissionCollection getPermissions(CodeSource codeSource) {
    final String url = codeSource.getLocation().toString();

    PermissionCollection collection = (PermissionCollection) loaderPC.get(url);
    if (collection != null) {
        return collection;
    }

    collection = super.getPermissions(codeSource);
    if (collection == null) {
        return collection;
    }

    Iterator extras = permissionList.iterator();
    while (extras.hasNext()) {
        collection.add((Permission) extras.next());
    }
    loaderPC.put(url, collection);
    return collection;
}
/**
 * Reports whether the installed policy grants {@code permission} to the code
 * base of this loader's root resource.
 * <p>
 * When {@code Globals.IS_SECURITY_ENABLED} is false the check is skipped and
 * every permission is reported as granted. Otherwise the method fails closed:
 * a missing policy or a missing root resource entry yields {@code false}.
 *
 * @param permission the permission to test
 * @return {@code true} if security is disabled or the policy implies the
 *         permission for the root code base; {@code false} otherwise
 */
@Override
public boolean check(Permission permission) {
    if (!Globals.IS_SECURITY_ENABLED) {
        return true;
    }

    Policy installed = Policy.getPolicy();
    if (installed == null) {
        return false;
    }

    ResourceEntry root = findResourceInternal("/", "/", false);
    if (root == null) {
        return false;
    }

    // No certificates are attached, so only location-based grants can match.
    CodeSource rootSource =
        new CodeSource(root.codeBase, (java.security.cert.Certificate[]) null);
    PermissionCollection granted = installed.getPermissions(rootSource);
    return granted.implies(permission);
}
/**
 * Prints a warning message if the installed Policy is the default Policy
 * implementation and the globally granted permissions include neither
 * AllPermission nor any ExecPermission/ExecOptionPermission.
 * <p>
 * A policy that is not a {@code PolicyFile} is not inspected at all. The warning
 * text comes from the resource key {@code rmid.exec.perms.inadequate} and is
 * written to standard error.
 */
static void checkConfiguration() {
    Policy installed =
        AccessController.doPrivileged(new PrivilegedAction<Policy>() {
            public Policy run() {
                return Policy.getPolicy();
            }
        });

    if (installed instanceof PolicyFile) {
        Enumeration<Permission> granted = getExecPermissions().elements();
        while (granted.hasMoreElements()) {
            Permission candidate = granted.nextElement();
            boolean adequate = candidate instanceof AllPermission
                || candidate instanceof ExecPermission
                || candidate instanceof ExecOptionPermission;
            if (adequate) {
                // One matching grant is enough; no warning needed.
                return;
            }
        }
        System.err.println(getTextResource("rmid.exec.perms.inadequate"));
    }
}
/**
 * Adds every permission of {@code col} to this builder.
 * <p>
 * The elements are copied one by one into {@code perms}; the source collection
 * is only enumerated. A {@code null} collection is ignored.
 *
 * @param col the permissions to copy, may be {@code null}
 * @return this builder, for chaining
 */
public PermissionsBuilder addAll(PermissionCollection col) {
    if (col == null) {
        return this;
    }
    Enumeration<Permission> source = col.elements();
    while (source.hasMoreElements()) {
        perms.add(source.nextElement());
    }
    return this;
}
/**
 * Builds the permission collection that matches the current switches.
 * <p>
 * When {@code allowAll} is set, only the {@code all} set is used. Otherwise the
 * {@code basic} set is always included and the {@code control} set is added
 * when {@code allowControl} is set. Both switches are read on every call, and
 * a fresh collection is built each time.
 *
 * @return a newly built permission collection
 */
public PermissionCollection permissions() {
    PermissionsBuilder result = new PermissionsBuilder();
    boolean everything = allowAll.get().get();
    if (!everything) {
        result.addAll(basic);
        if (allowControl.get().get()) {
            result.addAll(control);
        }
    } else {
        result.addAll(all);
    }
    return result.toPermissions();
}
/**
 * Grants {@link AllPermission} to any code source.
 * <p>
 * The {@code codesource} argument is not examined: every caller receives a new
 * read-only collection holding a single AllPermission, so code from any
 * location or signer is treated as fully trusted by this method.
 *
 * @param codesource ignored
 * @return a read-only collection containing AllPermission
 */
protected PermissionCollection getPermissions(CodeSource codesource) {
    final Permissions everything = new Permissions();
    everything.add(new AllPermission());
    // Freeze the collection so later add() calls are rejected.
    everything.setReadOnly();
    return everything;
}
/**
 * Returns a collection that grants {@link AllPermission}, whatever the code source.
 * <p>
 * The argument is never read. Each call creates a fresh {@link Permissions}
 * object, adds AllPermission and marks it read-only before returning it.
 *
 * @param codeSource ignored
 * @return a read-only collection containing AllPermission
 */
@Override
protected PermissionCollection getPermissions(CodeSource codeSource) {
    final Permissions unrestricted = new Permissions();
    unrestricted.add(new AllPermission());
    // Read-only, so the grant cannot be altered by the caller.
    unrestricted.setReadOnly();
    return unrestricted;
}
/**
 * Tests the policy against a protection domain whose code source has a null
 * location: with an empty permission set, a file read must not be implied.
 * <p>
 * It is unclear when/if this happens, see
 * https://bugs.openjdk.java.net/browse/JDK-8129972
 */
public void testNullLocation() throws Exception {
    assumeTrue("test cannot run with security manager", System.getSecurityManager() == null);

    PermissionCollection noPermissions = new Permissions();
    ESPolicy policy = new ESPolicy(noPermissions, Collections.emptyMap(), true);

    CodeSource nowhere = new CodeSource(null, (Certificate[]) null);
    ProtectionDomain domain = new ProtectionDomain(nowhere, noPermissions);
    FilePermission probe = new FilePermission("foo", "read");

    assertFalse(policy.implies(domain, probe));
}
/**
 * Returns the permissions for a code source, with a special case for one caller.
 * <p>
 * Code should not rely on this method, or at least use it correctly:
 * https://bugs.openjdk.java.net/browse/JDK-8014008
 * <p>
 * If the current stack contains a frame for
 * {@code sun.rmi.server.LoaderHandler.loadClass}, a new empty {@link Permissions}
 * object is returned so that jvisualvm etc work. The caller is recognised only
 * by class and method name strings in the stack trace. Every other caller gets
 * the superclass result.
 *
 * @param codesource passed through to the superclass
 * @return an empty collection for the RMI loader, otherwise the superclass result
 */
@Override
public PermissionCollection getPermissions(CodeSource codesource) {
    StackTraceElement[] frames = Thread.currentThread().getStackTrace();
    for (int i = 0; i < frames.length; i++) {
        StackTraceElement frame = frames[i];
        boolean calledByRmiLoader =
            "sun.rmi.server.LoaderHandler".equals(frame.getClassName())
                && "loadClass".equals(frame.getMethodName());
        if (calledByRmiLoader) {
            // Empty, so nothing is granted through this path.
            return new Permissions();
        }
    }
    // return UNSUPPORTED_EMPTY_COLLECTION since it is safe.
    return super.getPermissions(codesource);
}
/**
 * Generates an AccessControlContext with minimal permissions.
 * The approach used here is taken from the similar method
 * getAccessControlContext() in the sun.applet.AppletPanel class.
 * <p>
 * The context holds a single protection domain. Its permissions are those the
 * current policy grants to all code, plus: connect/accept to any host,
 * listen/accept on {@code localhost:port}, access to the
 * {@code sun.jvmstat.*} and {@code sun.jvm.hotspot.*} packages, and read
 * access to all files.
 * <p>
 * NOTE(review): "minimal" is relative. The wildcard socket grant and the
 * {@code <<ALL FILES>>} read grant are broad, so any change to this list
 * deserves a careful look.
 *
 * @param port the local port granted listen/accept
 * @return a context restricted to the permissions described above
 */
private static AccessControlContext getAccessControlContext(int port) {
    // begin with permissions granted to all code in current policy
    java.security.PrivilegedAction<PermissionCollection> readGlobalGrants =
        new java.security.PrivilegedAction<PermissionCollection>() {
            public PermissionCollection run() {
                CodeSource anyCode =
                    new CodeSource(null, (java.security.cert.Certificate[]) null);
                Policy installed = java.security.Policy.getPolicy();
                return (installed == null)
                    ? new Permissions()
                    : installed.getPermissions(anyCode);
            }
        };
    PermissionCollection granted = AccessController.doPrivileged(readGlobalGrants);

    /*
     * Anyone can connect to the registry and the registry can connect
     * to and possibly download stubs from anywhere. Downloaded stubs and
     * related classes themselves are more tightly limited by RMI.
     */
    java.security.Permission[] additions = {
        new SocketPermission("*", "connect,accept"),
        new SocketPermission("localhost:"+port, "listen,accept"),
        new RuntimePermission("accessClassInPackage.sun.jvmstat.*"),
        new RuntimePermission("accessClassInPackage.sun.jvm.hotspot.*"),
        new FilePermission("<<ALL FILES>>", "read"),
    };
    for (java.security.Permission addition : additions) {
        granted.add(addition);
    }

    /*
     * Create an AccessControlContext that consists of a single
     * protection domain with only the permissions calculated above.
     */
    CodeSource unlocated = new CodeSource(null, (java.security.cert.Certificate[]) null);
    ProtectionDomain onlyDomain = new ProtectionDomain(unlocated, granted);
    return new AccessControlContext(new ProtectionDomain[] { onlyDomain });
}
/**
 * Verifies wildcard matching in the collection created by ClassPermission:
 * a {@code java.lang.*} grant implies a class inside that package and does not
 * imply a class in an unrelated package.
 */
public void testPermissionCollectionWildcards() {
    ClassPermission javaLang = new ClassPermission("java.lang.*");
    PermissionCollection granted = javaLang.newPermissionCollection();
    granted.add(javaLang);

    boolean coversMath = granted.implies(new ClassPermission("java.lang.Math"));
    assertTrue(coversMath);

    // The negative case matters most: the wildcard must not widen the grant.
    boolean coversOtherPackage = granted.implies(new ClassPermission("pkg.MyClass"));
    assertFalse(coversOtherPackage);
}
/**
 * Tests that restricting privileges to no permissions actually works.
 * <p>
 * The test first confirms that {@code user.home} is readable under the normal
 * policy, then reads it again inside {@code doPrivileged} with a context whose
 * only protection domain has an empty permission set. The second read must be
 * rejected with a {@link SecurityException}.
 */
public void testRestrictPrivileges() {
    assumeTrue("test requires security manager", System.getSecurityManager() != null);

    // Baseline: without it, a denial below would prove nothing.
    try {
        System.getProperty("user.home");
    } catch (SecurityException e) {
        fail("this test needs to be fixed: user.home not available by policy");
    }

    PermissionCollection noPermissions = new Permissions();
    ProtectionDomain emptyDomain = new ProtectionDomain(null, noPermissions);
    AccessControlContext noPermissionsAcc =
        new AccessControlContext(new ProtectionDomain[] { emptyDomain });

    PrivilegedAction<Void> readUserHome = new PrivilegedAction<Void>() {
        public Void run() {
            System.getProperty("user.home");
            fail("access should have been denied");
            return null;
        }
    };

    try {
        AccessController.doPrivileged(readUserHome, noPermissionsAcc);
    } catch (SecurityException expected) {
        // expected exception
    }
}
/**
 * Return the permissions to be granted to code loaded from the
 * given code source.
 * <p>
 * Nothing is added or removed here: the result is exactly what the superclass
 * grants (per the original comment, the same permissions that URLClassLoader
 * would grant).
 *
 * @param codesource the code source to look up
 * @return the superclass permission collection, unchanged
 */
protected PermissionCollection getPermissions(CodeSource codesource) {
    // Deliberate pass-through; kept as an explicit override.
    return super.getPermissions(codesource);
}
/**
 * Checks that the installed policy grants AllPermission to {@code foo.jar} in
 * the current working directory, addressed through a {@code jar:file:} URL.
 *
 * @param args unused
 * @throws Exception if the policy does not grant AllPermission to that code source
 */
public static void main(String[] args) throws Exception {
    String workingDir = System.getProperty("user.dir");
    URL codeSourceURL = new URL("jar:file:" + workingDir + File.separator + "foo.jar!/");

    // An empty certificate array: the code source is unsigned.
    CodeSource cs = new CodeSource(codeSourceURL, new Certificate[0]);
    PermissionCollection granted = Policy.getPolicy().getPermissions(cs);

    boolean hasAll = granted.implies(new AllPermission());
    if (hasAll) {
        return;
    }
    throw new Exception("FAILED: " + codeSourceURL + " not granted AllPermission");
}
/**
 * Throws unless {@code perms} implies {@code p}.
 *
 * @param perms the granted permissions
 * @param p     the permission being requested
 * @throws AccessControlException if {@code p} is not implied; the message names
 *         the denied permission
 */
private static void checkPermission(PermissionCollection perms, Permission p)
        throws AccessControlException {
    if (perms.implies(p)) {
        return;
    }
    String message = "access denied " + p.toString();
    throw new AccessControlException(message);
}
/**
 * Returns a fresh copy of the current permissions.
 * <p>
 * The {@code domain} argument is not consulted, so every protection domain
 * receives the same set. A new collection is built on each call rather than
 * handing out whatever {@code permissions()} returned.
 *
 * @param domain ignored
 * @return a newly built collection with the elements of {@code permissions()}
 */
@Override
public PermissionCollection getPermissions(ProtectionDomain domain) {
    PermissionsBuilder copy = new PermissionsBuilder();
    return copy.addAll(permissions()).toPermissions();
}
/**
 * Returns {@code perms} for any protection domain.
 * <p>
 * The {@code pd} argument is not consulted, and the same {@code perms}
 * reference is returned on every call rather than a copy.
 * NOTE(review): whether callers can modify the shared collection depends on
 * how {@code perms} was built (e.g. read-only or not), which is not visible
 * here. Confirm at the declaration.
 *
 * @param pd ignored
 * @return the shared {@code perms} collection
 */
@Override
public PermissionCollection getPermissions(ProtectionDomain pd) {
    return perms;
}
/**
 * Creates a loader over the given URLs.
 * <p>
 * The permission collection is stored by reference, without a defensive copy.
 * The security manager is read once, at construction time, and kept in a field.
 *
 * @param urls                 the URLs passed to the superclass constructor
 * @param parent               the parent class loader, also kept in a field
 * @param permissionCollection the permissions kept for this loader
 */
public JasperLoader(URL[] urls, ClassLoader parent,
        PermissionCollection permissionCollection) {
    super(urls, parent);
    this.parent = parent;
    this.permissionCollection = permissionCollection;
    // Captured now; later changes to the installed manager are not seen.
    this.securityManager = System.getSecurityManager();
}
/**
 * Returns a fresh copy of the permissions reported by {@code getPermissions()}.
 * <p>
 * The {@code domain} argument is not consulted. A new collection is built on
 * every call, so the collection returned here is not the one held internally.
 *
 * @param domain ignored
 * @return a newly built collection with the elements of {@code getPermissions()}
 */
@Override
public PermissionCollection getPermissions(ProtectionDomain domain) {
    PermissionsBuilder snapshot = new PermissionsBuilder();
    return snapshot.addAll(getPermissions()).toPermissions();
}
/**
 * Exercises the PermissionCollection created by TestPermission: rejection of
 * foreign permission classes, exact-name and wildcard matching, the refusal of
 * a malformed wildcard, and the element count.
 * <p>
 * Failures are counted rather than thrown immediately, so all eight checks run
 * and a single exception reports the total at the end.
 *
 * @param args unused
 * @throws Exception if at least one check failed
 */
public static void main(String[] args) throws Exception {
    int failures = 0;

    TestPermission seed = new TestPermission("foo");
    PermissionCollection perms = seed.newPermissionCollection();

    // test 1
    System.out.println("test 1: add throws IllegalArgumentExc");
    try {
        perms.add(new SecurityPermission("createAccessControlContext"));
        System.err.println("Expected IllegalArgumentException");
        failures++;
    } catch (IllegalArgumentException ignored) {
        // expected: a permission of another class must be rejected
    }

    // test 2
    System.out.println("test 2: implies returns false for wrong class");
    boolean impliesForeign = perms.implies(new SecurityPermission("getPolicy"));
    if (impliesForeign) {
        System.err.println("Expected false, returned true");
        failures++;
    }

    // test 3
    System.out.println("test 3: implies returns true for match on name");
    perms.add(new TestPermission("foo"));
    boolean impliesExact = perms.implies(new TestPermission("foo"));
    if (!impliesExact) {
        System.err.println("Expected true, returned false");
        failures++;
    }

    // test 4
    System.out.println("test 4: implies returns true for wildcard match");
    perms.add(new TestPermission("bar.*"));
    boolean impliesWildcard = perms.implies(new TestPermission("bar.foo"));
    if (!impliesWildcard) {
        System.err.println("Expected true, returned false");
        failures++;
    }

    // test 5: "baz*" is not a valid wildcard form, so it must not match
    System.out.println("test 5: implies returns false for invalid wildcard");
    perms.add(new TestPermission("baz*"));
    boolean impliesBadWildcard = perms.implies(new TestPermission("baz.foo"));
    if (impliesBadWildcard) {
        System.err.println("Expected false, returned true");
        failures++;
    }

    // test 6
    System.out.println("test 6: implies returns true for deep wildcard match");
    boolean impliesDeep = perms.implies(new TestPermission("bar.foo.baz"));
    if (!impliesDeep) {
        System.err.println("Expected true, returned false");
        failures++;
    }

    // test 7
    System.out.println("test 7: implies returns true for all wildcard match");
    perms.add(new TestPermission("*"));
    boolean impliesAny = perms.implies(new TestPermission("yes"));
    if (!impliesAny) {
        System.err.println("Expected true, returned false");
        failures++;
    }

    // test 8
    System.out.println("test 8: elements returns correct number of perms");
    int count = 0;
    for (Enumeration<Permission> all = perms.elements(); all.hasMoreElements();) {
        count++;
        System.out.println(all.nextElement());
    }
    if (count != 4) {
        System.err.println("Expected 4, got " + count);
        failures++;
    }

    if (failures > 0) {
        throw new Exception(failures + " test(s) failed");
    }
}
/**
 * Returns a fresh copy of the permission set selected by the {@code allowAll}
 * switch: {@code allPermissions} when it is set, {@code permissions} otherwise.
 * <p>
 * The {@code codesource} argument is not consulted, so the same set applies to
 * code from any location. The switch is read on every call.
 *
 * @param codesource ignored
 * @return a newly built collection with the selected permissions
 */
@Override
public PermissionCollection getPermissions(CodeSource codesource) {
    PermissionsBuilder copy = new PermissionsBuilder();
    if (allowAll.get().get()) {
        return copy.addAll(allPermissions).toPermissions();
    }
    return copy.addAll(permissions).toPermissions();
}
/**
 * Creates a new PermissionCollection for the given CodeSource and InputOutput.
 * <p>
 * The permissions the installed policy grants to {@code cs} are wrapped in an
 * {@code IOPermissionCollection} together with {@code io} and the current
 * thread's group. The group is passed on only if it is a
 * {@code TaskThreadGroup}; otherwise {@code null} is passed.
 *
 * @param cs a CodeSource
 * @param io an InputOutput
 * @return PermissionCollection for given CodeSource and InputOutput
 */
protected final PermissionCollection createPermissions(CodeSource cs, InputOutput io) {
    PermissionCollection policyGranted = Policy.getPolicy().getPermissions(cs);

    ThreadGroup current = Thread.currentThread().getThreadGroup();
    TaskThreadGroup taskGroup = null;
    if (current instanceof TaskThreadGroup) {
        taskGroup = (TaskThreadGroup) current;
    }

    return new IOPermissionCollection(io, policyGranted, taskGroup);
}
/**
 * Returns {@code allPermission} for any code source.
 * <p>
 * The {@code codesource} argument is not consulted, and the same reference is
 * returned on every call.
 * NOTE(review): the field name suggests a collection granting AllPermission,
 * which would make all code loaded here fully trusted. Confirm at the
 * declaration, and confirm the collection is read-only since it is shared.
 *
 * @param codesource ignored
 * @return the shared {@code allPermission} collection
 */
@Override
@NonNull
protected PermissionCollection getPermissions(final CodeSource codesource) {
    return allPermission;
}