Frames | No Frames |
1: /* SecurityManager.java -- security checks for privileged actions 2: Copyright (C) 1998, 1999, 2001, 2002, 2004, 2005 Free Software Foundation, Inc. 3: 4: This file is part of GNU Classpath. 5: 6: GNU Classpath is free software; you can redistribute it and/or modify 7: it under the terms of the GNU General Public License as published by 8: the Free Software Foundation; either version 2, or (at your option) 9: any later version. 10: 11: GNU Classpath is distributed in the hope that it will be useful, but 12: WITHOUT ANY WARRANTY; without even the implied warranty of 13: MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU 14: General Public License for more details. 15: 16: You should have received a copy of the GNU General Public License 17: along with GNU Classpath; see the file COPYING. If not, write to the 18: Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 19: 02110-1301 USA. 20: 21: Linking this library statically or dynamically with other modules is 22: making a combined work based on this library. Thus, the terms and 23: conditions of the GNU General Public License cover the whole 24: combination. 25: 26: As a special exception, the copyright holders of this library give you 27: permission to link this library with independent modules to produce an 28: executable, regardless of the license terms of these independent 29: modules, and to copy and distribute the resulting executable under 30: terms of your choice, provided that you also meet, for each linked 31: independent module, the terms and conditions of the license of that 32: module. An independent module is a module which is not derived from 33: or based on this library. If you modify this library, you may extend 34: this exception to your version of the library, but you are not 35: obligated to do so. If you do not wish to do so, delete this 36: exception statement from your version. */ 37: 38: 39: package java.lang; 40: 41: import gnu.classpath.VMStackWalker; 42: 43: import java.awt.AWTPermission; 44: import java.io.File; 45: import java.io.FileDescriptor; 46: import java.io.FileInputStream; 47: import java.io.FileOutputStream; 48: import java.io.FilePermission; 49: import java.io.RandomAccessFile; 50: import java.lang.reflect.Member; 51: import java.net.InetAddress; 52: import java.net.ServerSocket; 53: import java.net.Socket; 54: import java.net.SocketImplFactory; 55: import java.net.SocketPermission; 56: import java.net.URL; 57: import java.net.URLStreamHandlerFactory; 58: import java.security.AccessControlContext; 59: import java.security.AccessControlException; 60: import java.security.AccessController; 61: import java.security.AllPermission; 62: import java.security.BasicPermission; 63: import java.security.Permission; 64: import java.security.Policy; 65: import java.security.PrivilegedAction; 66: import java.security.ProtectionDomain; 67: import java.security.Security; 68: import java.security.SecurityPermission; 69: import java.util.Properties; 70: import java.util.PropertyPermission; 71: import java.util.StringTokenizer; 72: 73: /** 74: * SecurityManager is a class you can extend to create your own Java 75: * security policy. By default, there is no SecurityManager installed in 76: * 1.1, which means that all things are permitted to all people. The security 77: * manager, if set, is consulted before doing anything with potentially 78: * dangerous results, and throws a <code>SecurityException</code> if the 79: * action is forbidden. 80: * 81: * <p>A typical check is as follows, just before the dangerous operation:<br> 82: * <pre> 83: * SecurityManager sm = System.getSecurityManager(); 84: * if (sm != null) 85: * sm.checkABC(<em>argument</em>, ...); 86: * </pre> 87: * Note that this is thread-safe, by caching the security manager in a local 88: * variable rather than risking a NullPointerException if the mangager is 89: * changed between the check for null and before the permission check. 90: * 91: * <p>The special method <code>checkPermission</code> is a catchall, and 92: * the default implementation calls 93: * <code>AccessController.checkPermission</code>. In fact, all the other 94: * methods default to calling checkPermission. 95: * 96: * <p>Sometimes, the security check needs to happen from a different context, 97: * such as when called from a worker thread. In such cases, use 98: * <code>getSecurityContext</code> to take a snapshot that can be passed 99: * to the worker thread:<br> 100: * <pre> 101: * Object context = null; 102: * SecurityManager sm = System.getSecurityManager(); 103: * if (sm != null) 104: * context = sm.getSecurityContext(); // defaults to an AccessControlContext 105: * // now, in worker thread 106: * if (sm != null) 107: * sm.checkPermission(permission, context); 108: * </pre> 109: * 110: * <p>Permissions fall into these categories: File, Socket, Net, Security, 111: * Runtime, Property, AWT, Reflect, and Serializable. Each of these 112: * permissions have a property naming convention, that follows a hierarchical 113: * naming convention, to make it easy to grant or deny several permissions 114: * at once. Some permissions also take a list of permitted actions, such 115: * as "read" or "write", to fine-tune control even more. The permission 116: * <code>java.security.AllPermission</code> grants all permissions. 117: * 118: * <p>The default methods in this class deny all things to all people. You 119: * must explicitly grant permission for anything you want to be legal when 120: * subclassing this class. 121: * 122: * @author John Keiser 123: * @author Eric Blake (ebb9@email.byu.edu) 124: * @see ClassLoader 125: * @see SecurityException 126: * @see #checkTopLevelWindow(Object) 127: * @see System#getSecurityManager() 128: * @see System#setSecurityManager(SecurityManager) 129: * @see AccessController 130: * @see AccessControlContext 131: * @see AccessControlException 132: * @see Permission 133: * @see BasicPermission 134: * @see java.io.FilePermission 135: * @see java.net.SocketPermission 136: * @see java.util.PropertyPermission 137: * @see RuntimePermission 138: * @see java.awt.AWTPermission 139: * @see Policy 140: * @see SecurityPermission 141: * @see ProtectionDomain 142: * @since 1.0 143: * @status still missing 1.4 functionality 144: */ 145: public class SecurityManager 146: { 147: /** 148: * The current security manager. This is located here instead of in 149: * System, to avoid security problems, as well as bootstrap issues. 150: * Make sure to access it in a thread-safe manner; it is package visible 151: * to avoid overhead in java.lang. 152: */ 153: static volatile SecurityManager current; 154: 155: /** 156: * Tells whether or not the SecurityManager is currently performing a 157: * security check. 158: * @deprecated Use {@link #checkPermission(Permission)} instead. 159: */ 160: protected boolean inCheck; 161: 162: /** 163: * Construct a new security manager. There may be a security check, of 164: * <code>RuntimePermission("createSecurityManager")</code>. 165: * 166: * @throws SecurityException if permission is denied 167: */ 168: public SecurityManager() 169: { 170: /* "When there is security manager installed, the security manager 171: need to check the package access. However, if the security 172: manager itself uses any unloaded class, it will trigger the 173: classloading, which causes infinite loop. There is no easy 174: legal solution. The workaround will be that security manager 175: can not depend on any unloaded class. In the constructor of 176: security manager, it must transitively load all classes it 177: refers to." Sun bug #4242924. */ 178: 179: // Load and initialize java.security.Security 180: java.security.Security.getProvider((String)null); 181: 182: SecurityManager sm = System.getSecurityManager(); 183: if (sm != null) 184: sm.checkPermission(new RuntimePermission("createSecurityManager")); 185: } 186: 187: /** 188: * Tells whether or not the SecurityManager is currently performing a 189: * security check. 190: * 191: * @return true if the SecurityManager is in a security check 192: * @see #inCheck 193: * @deprecated use {@link #checkPermission(Permission)} instead 194: */ 195: public boolean getInCheck() 196: { 197: return inCheck; 198: } 199: 200: /** 201: * Get a list of all the classes currently executing methods on the Java 202: * stack. getClassContext()[0] is the currently executing method (ie. the 203: * class that CALLED getClassContext, not SecurityManager). 204: * 205: * @return an array of classes on the Java execution stack 206: */ 207: protected Class[] getClassContext() 208: { 209: Class[] stack1 = VMStackWalker.getClassContext(); 210: Class[] stack2 = new Class[stack1.length - 1]; 211: System.arraycopy(stack1, 1, stack2, 0, stack1.length - 1); 212: return stack2; 213: } 214: 215: /** 216: * Find the ClassLoader of the first non-system class on the execution 217: * stack. A non-system class is one whose ClassLoader is not equal to 218: * {@link ClassLoader#getSystemClassLoader()} or its ancestors. This 219: * will return null in three cases: 220: * 221: * <ul> 222: * <li>All methods on the stack are from system classes</li> 223: * <li>All methods on the stack up to the first "privileged" caller, as 224: * created by {@link AccessController#doPrivileged(PrivilegedAction)}, 225: * are from system classes</li> 226: * <li>A check of <code>java.security.AllPermission</code> succeeds.</li> 227: * </ul> 228: * 229: * @return the most recent non-system ClassLoader on the execution stack 230: * @deprecated use {@link #checkPermission(Permission)} instead 231: */ 232: protected ClassLoader currentClassLoader() 233: { 234: Class cl = currentLoadedClass(); 235: return cl != null ? cl.getClassLoader() : null; 236: } 237: 238: /** 239: * Find the first non-system class on the execution stack. A non-system 240: * class is one whose ClassLoader is not equal to 241: * {@link ClassLoader#getSystemClassLoader()} or its ancestors. This 242: * will return null in three cases: 243: * 244: * <ul> 245: * <li>All methods on the stack are from system classes</li> 246: * <li>All methods on the stack up to the first "privileged" caller, as 247: * created by {@link AccessController#doPrivileged(PrivilegedAction)}, 248: * are from system classes</li> 249: * <li>A check of <code>java.security.AllPermission</code> succeeds.</li> 250: * </ul> 251: * 252: * @return the most recent non-system Class on the execution stack 253: * @deprecated use {@link #checkPermission(Permission)} instead 254: */ 255: protected Class<?> currentLoadedClass() 256: { 257: int i = classLoaderDepth(); 258: return i >= 0 ? getClassContext()[i] : null; 259: } 260: 261: /** 262: * Get the depth of a particular class on the execution stack. 263: * 264: * @param className the fully-qualified name to search for 265: * @return the index of the class on the stack, or -1 266: * @deprecated use {@link #checkPermission(Permission)} instead 267: */ 268: protected int classDepth(String className) 269: { 270: Class[] c = getClassContext(); 271: for (int i = 0; i < c.length; i++) 272: if (className.equals(c[i].getName())) 273: return i; 274: return -1; 275: } 276: 277: /** 278: * Get the depth on the execution stack of the most recent non-system class. 279: * A non-system class is one whose ClassLoader is not equal to 280: * {@link ClassLoader#getSystemClassLoader()} or its ancestors. This 281: * will return -1 in three cases: 282: * 283: * <ul> 284: * <li>All methods on the stack are from system classes</li> 285: * <li>All methods on the stack up to the first "privileged" caller, as 286: * created by {@link AccessController#doPrivileged(PrivilegedAction)}, 287: * are from system classes</li> 288: * <li>A check of <code>java.security.AllPermission</code> succeeds.</li> 289: * </ul> 290: * 291: * @return the index of the most recent non-system Class on the stack 292: * @deprecated use {@link #checkPermission(Permission)} instead 293: */ 294: protected int classLoaderDepth() 295: { 296: try 297: { 298: checkPermission(new AllPermission()); 299: } 300: catch (SecurityException e) 301: { 302: Class[] c = getClassContext(); 303: for (int i = 0; i < c.length; i++) 304: if (c[i].getClassLoader() != null) 305: // XXX Check if c[i] is AccessController, or a system class. 306: return i; 307: } 308: return -1; 309: } 310: 311: /** 312: * Tell whether the specified class is on the execution stack. 313: * 314: * @param className the fully-qualified name of the class to find 315: * @return whether the specified class is on the execution stack 316: * @deprecated use {@link #checkPermission(Permission)} instead 317: */ 318: protected boolean inClass(String className) 319: { 320: return classDepth(className) != -1; 321: } 322: 323: /** 324: * Tell whether there is a class loaded with an explicit ClassLoader on 325: * the stack. 326: * 327: * @return whether a class with an explicit ClassLoader is on the stack 328: * @deprecated use {@link #checkPermission(Permission)} instead 329: */ 330: protected boolean inClassLoader() 331: { 332: return classLoaderDepth() != -1; 333: } 334: 335: /** 336: * Get an implementation-dependent Object that contains enough information 337: * about the current environment to be able to perform standard security 338: * checks later. This is used by trusted methods that need to verify that 339: * their callers have sufficient access to perform certain operations. 340: * 341: * <p>Currently the only methods that use this are checkRead() and 342: * checkConnect(). The default implementation returns an 343: * <code>AccessControlContext</code>. 344: * 345: * @return a security context 346: * @see #checkConnect(String, int, Object) 347: * @see #checkRead(String, Object) 348: * @see AccessControlContext 349: * @see AccessController#getContext() 350: */ 351: public Object getSecurityContext() 352: { 353: return AccessController.getContext(); 354: } 355: 356: /** 357: * Check if the current thread is allowed to perform an operation that 358: * requires the specified <code>Permission</code>. This defaults to 359: * <code>AccessController.checkPermission</code>. 360: * 361: * @param perm the <code>Permission</code> required 362: * @throws SecurityException if permission is denied 363: * @throws NullPointerException if perm is null 364: * @since 1.2 365: */ 366: public void checkPermission(Permission perm) 367: { 368: AccessController.checkPermission(perm); 369: } 370: 371: /** 372: * Check if the current thread is allowed to perform an operation that 373: * requires the specified <code>Permission</code>. This is done in a 374: * context previously returned by <code>getSecurityContext()</code>. The 375: * default implementation expects context to be an AccessControlContext, 376: * and it calls <code>AccessControlContext.checkPermission(perm)</code>. 377: * 378: * @param perm the <code>Permission</code> required 379: * @param context a security context 380: * @throws SecurityException if permission is denied, or if context is 381: * not an AccessControlContext 382: * @throws NullPointerException if perm is null 383: * @see #getSecurityContext() 384: * @see AccessControlContext#checkPermission(Permission) 385: * @since 1.2 386: */ 387: public void checkPermission(Permission perm, Object context) 388: { 389: if (! (context instanceof AccessControlContext)) 390: throw new SecurityException("Missing context"); 391: ((AccessControlContext) context).checkPermission(perm); 392: } 393: 394: /** 395: * Check if the current thread is allowed to create a ClassLoader. This 396: * method is called from ClassLoader.ClassLoader(), and checks 397: * <code>RuntimePermission("createClassLoader")</code>. If you override 398: * this, you should call <code>super.checkCreateClassLoader()</code> rather 399: * than throwing an exception. 400: * 401: * @throws SecurityException if permission is denied 402: * @see ClassLoader#ClassLoader() 403: */ 404: public void checkCreateClassLoader() 405: { 406: checkPermission(new RuntimePermission("createClassLoader")); 407: } 408: 409: /** 410: * Check if the current thread is allowed to modify another Thread. This is 411: * called by Thread.stop(), suspend(), resume(), interrupt(), destroy(), 412: * setPriority(), setName(), and setDaemon(). The default implementation 413: * checks <code>RuntimePermission("modifyThread")</code> on system threads 414: * (ie. threads in ThreadGroup with a null parent), and returns silently on 415: * other threads. 416: * 417: * <p>If you override this, you must do two things. First, call 418: * <code>super.checkAccess(t)</code>, to make sure you are not relaxing 419: * requirements. Second, if the calling thread has 420: * <code>RuntimePermission("modifyThread")</code>, return silently, so that 421: * core classes (the Classpath library!) can modify any thread. 422: * 423: * @param thread the other Thread to check 424: * @throws SecurityException if permission is denied 425: * @throws NullPointerException if thread is null 426: * @see Thread#stop() 427: * @see Thread#suspend() 428: * @see Thread#resume() 429: * @see Thread#setPriority(int) 430: * @see Thread#setName(String) 431: * @see Thread#setDaemon(boolean) 432: */ 433: public void checkAccess(Thread thread) 434: { 435: if (thread.getThreadGroup() != null 436: && thread.getThreadGroup().parent == null) 437: checkPermission(new RuntimePermission("modifyThread")); 438: } 439: 440: /** 441: * Check if the current thread is allowed to modify a ThreadGroup. This is 442: * called by Thread.Thread() (to add a thread to the ThreadGroup), 443: * ThreadGroup.ThreadGroup() (to add this ThreadGroup to a parent), 444: * ThreadGroup.stop(), suspend(), resume(), interrupt(), destroy(), 445: * setDaemon(), and setMaxPriority(). The default implementation 446: * checks <code>RuntimePermission("modifyThread")</code> on the system group 447: * (ie. the one with a null parent), and returns silently on other groups. 448: * 449: * <p>If you override this, you must do two things. First, call 450: * <code>super.checkAccess(t)</code>, to make sure you are not relaxing 451: * requirements. Second, if the calling thread has 452: * <code>RuntimePermission("modifyThreadGroup")</code>, return silently, 453: * so that core classes (the Classpath library!) can modify any thread. 454: * 455: * @param g the ThreadGroup to check 456: * @throws SecurityException if permission is denied 457: * @throws NullPointerException if g is null 458: * @see Thread#Thread() 459: * @see ThreadGroup#ThreadGroup(String) 460: * @see ThreadGroup#stop() 461: * @see ThreadGroup#suspend() 462: * @see ThreadGroup#resume() 463: * @see ThreadGroup#interrupt() 464: * @see ThreadGroup#setDaemon(boolean) 465: * @see ThreadGroup#setMaxPriority(int) 466: */ 467: public void checkAccess(ThreadGroup g) 468: { 469: if (g.parent == null) 470: checkPermission(new RuntimePermission("modifyThreadGroup")); 471: } 472: 473: /** 474: * Check if the current thread is allowed to exit the JVM with the given 475: * status. This method is called from Runtime.exit() and Runtime.halt(). 476: * The default implementation checks 477: * <code>RuntimePermission("exitVM")</code>. If you override this, call 478: * <code>super.checkExit</code> rather than throwing an exception. 479: * 480: * @param status the status to exit with 481: * @throws SecurityException if permission is denied 482: * @see Runtime#exit(int) 483: * @see Runtime#halt(int) 484: */ 485: public void checkExit(int status) 486: { 487: checkPermission(new RuntimePermission("exitVM")); 488: } 489: 490: /** 491: * Check if the current thread is allowed to execute the given program. This 492: * method is called from Runtime.exec(). If the name is an absolute path, 493: * the default implementation checks 494: * <code>FilePermission(program, "execute")</code>, otherwise it checks 495: * <code>FilePermission("<<ALL FILES>>", "execute")</code>. If 496: * you override this, call <code>super.checkExec</code> rather than 497: * throwing an exception. 498: * 499: * @param program the name of the program to exec 500: * @throws SecurityException if permission is denied 501: * @throws NullPointerException if program is null 502: * @see Runtime#exec(String[], String[], File) 503: */ 504: public void checkExec(String program) 505: { 506: if (! program.equals(new File(program).getAbsolutePath())) 507: program = "<<ALL FILES>>"; 508: checkPermission(new FilePermission(program, "execute")); 509: } 510: 511: /** 512: * Check if the current thread is allowed to link in the given native 513: * library. This method is called from Runtime.load() (and hence, by 514: * loadLibrary() as well). The default implementation checks 515: * <code>RuntimePermission("loadLibrary." + filename)</code>. If you 516: * override this, call <code>super.checkLink</code> rather than throwing 517: * an exception. 518: * 519: * @param filename the full name of the library to load 520: * @throws SecurityException if permission is denied 521: * @throws NullPointerException if filename is null 522: * @see Runtime#load(String) 523: */ 524: public void checkLink(String filename) 525: { 526: // Use the toString() hack to do the null check. 527: checkPermission(new RuntimePermission("loadLibrary." 528: + filename.toString())); 529: } 530: 531: /** 532: * Check if the current thread is allowed to read the given file using the 533: * FileDescriptor. This method is called from 534: * FileInputStream.FileInputStream(). The default implementation checks 535: * <code>RuntimePermission("readFileDescriptor")</code>. If you override 536: * this, call <code>super.checkRead</code> rather than throwing an 537: * exception. 538: * 539: * @param desc the FileDescriptor representing the file to access 540: * @throws SecurityException if permission is denied 541: * @throws NullPointerException if desc is null 542: * @see FileInputStream#FileInputStream(FileDescriptor) 543: */ 544: public void checkRead(FileDescriptor desc) 545: { 546: if (desc == null) 547: throw new NullPointerException(); 548: checkPermission(new RuntimePermission("readFileDescriptor")); 549: } 550: 551: /** 552: * Check if the current thread is allowed to read the given file. This 553: * method is called from FileInputStream.FileInputStream(), 554: * RandomAccessFile.RandomAccessFile(), File.exists(), canRead(), isFile(), 555: * isDirectory(), lastModified(), length() and list(). The default 556: * implementation checks <code>FilePermission(filename, "read")</code>. If 557: * you override this, call <code>super.checkRead</code> rather than 558: * throwing an exception. 559: * 560: * @param filename the full name of the file to access 561: * @throws SecurityException if permission is denied 562: * @throws NullPointerException if filename is null 563: * @see File 564: * @see FileInputStream#FileInputStream(String) 565: * @see RandomAccessFile#RandomAccessFile(String, String) 566: */ 567: public void checkRead(String filename) 568: { 569: checkPermission(new FilePermission(filename, "read")); 570: } 571: 572: /** 573: * Check if the current thread is allowed to read the given file. using the 574: * given security context. The context must be a result of a previous call 575: * to <code>getSecurityContext()</code>. The default implementation checks 576: * <code>AccessControlContext.checkPermission(new FilePermission(filename, 577: * "read"))</code>. If you override this, call <code>super.checkRead</code> 578: * rather than throwing an exception. 579: * 580: * @param filename the full name of the file to access 581: * @param context the context to determine access for 582: * @throws SecurityException if permission is denied, or if context is 583: * not an AccessControlContext 584: * @throws NullPointerException if filename is null 585: * @see #getSecurityContext() 586: * @see AccessControlContext#checkPermission(Permission) 587: */ 588: public void checkRead(String filename, Object context) 589: { 590: if (! (context instanceof AccessControlContext)) 591: throw new SecurityException("Missing context"); 592: AccessControlContext ac = (AccessControlContext) context; 593: ac.checkPermission(new FilePermission(filename, "read")); 594: } 595: 596: /** 597: * Check if the current thread is allowed to write the given file using the 598: * FileDescriptor. This method is called from 599: * FileOutputStream.FileOutputStream(). The default implementation checks 600: * <code>RuntimePermission("writeFileDescriptor")</code>. If you override 601: * this, call <code>super.checkWrite</code> rather than throwing an 602: * exception. 603: * 604: * @param desc the FileDescriptor representing the file to access 605: * @throws SecurityException if permission is denied 606: * @throws NullPointerException if desc is null 607: * @see FileOutputStream#FileOutputStream(FileDescriptor) 608: */ 609: public void checkWrite(FileDescriptor desc) 610: { 611: if (desc == null) 612: throw new NullPointerException(); 613: checkPermission(new RuntimePermission("writeFileDescriptor")); 614: } 615: 616: /** 617: * Check if the current thread is allowed to write the given file. This 618: * method is called from FileOutputStream.FileOutputStream(), 619: * RandomAccessFile.RandomAccessFile(), File.canWrite(), mkdir(), and 620: * renameTo(). The default implementation checks 621: * <code>FilePermission(filename, "write")</code>. If you override this, 622: * call <code>super.checkWrite</code> rather than throwing an exception. 623: * 624: * @param filename the full name of the file to access 625: * @throws SecurityException if permission is denied 626: * @throws NullPointerException if filename is null 627: * @see File 628: * @see File#canWrite() 629: * @see File#mkdir() 630: * @see File#renameTo(File) 631: * @see FileOutputStream#FileOutputStream(String) 632: * @see RandomAccessFile#RandomAccessFile(String, String) 633: */ 634: public void checkWrite(String filename) 635: { 636: checkPermission(new FilePermission(filename, "write")); 637: } 638: 639: /** 640: * Check if the current thread is allowed to delete the given file. This 641: * method is called from File.delete(). The default implementation checks 642: * <code>FilePermission(filename, "delete")</code>. If you override this, 643: * call <code>super.checkDelete</code> rather than throwing an exception. 644: * 645: * @param filename the full name of the file to delete 646: * @throws SecurityException if permission is denied 647: * @throws NullPointerException if filename is null 648: * @see File#delete() 649: */ 650: public void checkDelete(String filename) 651: { 652: checkPermission(new FilePermission(filename, "delete")); 653: } 654: 655: /** 656: * Check if the current thread is allowed to connect to a given host on a 657: * given port. This method is called from Socket.Socket(). A port number 658: * of -1 indicates the caller is attempting to determine an IP address, so 659: * the default implementation checks 660: * <code>SocketPermission(host, "resolve")</code>. Otherwise, the default 661: * implementation checks 662: * <code>SocketPermission(host + ":" + port, "connect")</code>. If you 663: * override this, call <code>super.checkConnect</code> rather than throwing 664: * an exception. 665: * 666: * @param host the host to connect to 667: * @param port the port to connect on 668: * @throws SecurityException if permission is denied 669: * @throws NullPointerException if host is null 670: * @see Socket#Socket() 671: */ 672: public void checkConnect(String host, int port) 673: { 674: if (port == -1) 675: checkPermission(new SocketPermission(host, "resolve")); 676: else 677: // Use the toString() hack to do the null check. 678: checkPermission(new SocketPermission(host.toString() + ":" + port, 679: "connect")); 680: } 681: 682: /** 683: * Check if the current thread is allowed to connect to a given host on a 684: * given port, using the given security context. The context must be a 685: * result of a previous call to <code>getSecurityContext</code>. A port 686: * number of -1 indicates the caller is attempting to determine an IP 687: * address, so the default implementation checks 688: * <code>AccessControlContext.checkPermission(new SocketPermission(host, 689: * "resolve"))</code>. Otherwise, the default implementation checks 690: * <code>AccessControlContext.checkPermission(new SocketPermission(host 691: * + ":" + port, "connect"))</code>. If you override this, call 692: * <code>super.checkConnect</code> rather than throwing an exception. 693: * 694: * @param host the host to connect to 695: * @param port the port to connect on 696: * @param context the context to determine access for 697: * 698: * @throws SecurityException if permission is denied, or if context is 699: * not an AccessControlContext 700: * @throws NullPointerException if host is null 701: * 702: * @see #getSecurityContext() 703: * @see AccessControlContext#checkPermission(Permission) 704: */ 705: public void checkConnect(String host, int port, Object context) 706: { 707: if (! (context instanceof AccessControlContext)) 708: throw new SecurityException("Missing context"); 709: AccessControlContext ac = (AccessControlContext) context; 710: if (port == -1) 711: ac.checkPermission(new SocketPermission(host, "resolve")); 712: else 713: // Use the toString() hack to do the null check. 714: ac.checkPermission(new SocketPermission(host.toString() + ":" + port, 715: "connect")); 716: } 717: 718: /** 719: * Check if the current thread is allowed to listen to a specific port for 720: * data. This method is called by ServerSocket.ServerSocket(). The default 721: * implementation checks 722: * <code>SocketPermission("localhost:" + (port == 0 ? "1024-" : "" + port), 723: * "listen")</code>. If you override this, call 724: * <code>super.checkListen</code> rather than throwing an exception. 725: * 726: * @param port the port to listen on 727: * @throws SecurityException if permission is denied 728: * @see ServerSocket#ServerSocket(int) 729: */ 730: public void checkListen(int port) 731: { 732: checkPermission(new SocketPermission("localhost:" 733: + (port == 0 ? "1024-" : "" +port), 734: "listen")); 735: } 736: 737: /** 738: * Check if the current thread is allowed to accept a connection from a 739: * particular host on a particular port. This method is called by 740: * ServerSocket.implAccept(). The default implementation checks 741: * <code>SocketPermission(host + ":" + port, "accept")</code>. If you 742: * override this, call <code>super.checkAccept</code> rather than throwing 743: * an exception. 744: * 745: * @param host the host which wishes to connect 746: * @param port the port the connection will be on 747: * @throws SecurityException if permission is denied 748: * @throws NullPointerException if host is null 749: * @see ServerSocket#accept() 750: */ 751: public void checkAccept(String host, int port) 752: { 753: // Use the toString() hack to do the null check. 754: checkPermission(new SocketPermission(host.toString() + ":" + port, 755: "accept")); 756: } 757: 758: /** 759: * Check if the current thread is allowed to read and write multicast to 760: * a particular address. The default implementation checks 761: * <code>SocketPermission(addr.getHostAddress(), "accept,connect")</code>. 762: * If you override this, call <code>super.checkMulticast</code> rather than 763: * throwing an exception. 764: * 765: * @param addr the address to multicast to 766: * @throws SecurityException if permission is denied 767: * @throws NullPointerException if host is null 768: * @since 1.1 769: */ 770: public void checkMulticast(InetAddress addr) 771: { 772: checkPermission(new SocketPermission(addr.getHostAddress(), 773: "accept,connect")); 774: } 775: 776: /** 777: *Check if the current thread is allowed to read and write multicast to 778: * a particular address with a particular ttl (time-to-live) value. The 779: * default implementation ignores ttl, and checks 780: * <code>SocketPermission(addr.getHostAddress(), "accept,connect")</code>. 781: * If you override this, call <code>super.checkMulticast</code> rather than 782: * throwing an exception. 783: * 784: * @param addr the address to multicast to 785: * @param ttl value in use for multicast send 786: * @throws SecurityException if permission is denied 787: * @throws NullPointerException if host is null 788: * @since 1.1 789: * @deprecated use {@link #checkPermission(Permission)} instead 790: */ 791: public void checkMulticast(InetAddress addr, byte ttl) 792: { 793: checkPermission(new SocketPermission(addr.getHostAddress(), 794: "accept,connect")); 795: } 796: 797: /** 798: * Check if the current thread is allowed to read or write all the system 799: * properties at once. This method is called by System.getProperties() 800: * and setProperties(). The default implementation checks 801: * <code>PropertyPermission("*", "read,write")</code>. If you override 802: * this, call <code>super.checkPropertiesAccess</code> rather than 803: * throwing an exception. 804: * 805: * @throws SecurityException if permission is denied 806: * @see System#getProperties() 807: * @see System#setProperties(Properties) 808: */ 809: public void checkPropertiesAccess() 810: { 811: checkPermission(new PropertyPermission("*", "read,write")); 812: } 813: 814: /** 815: * Check if the current thread is allowed to read a particular system 816: * property (writes are checked directly via checkPermission). This method 817: * is called by System.getProperty() and setProperty(). The default 818: * implementation checks <code>PropertyPermission(key, "read")</code>. If 819: * you override this, call <code>super.checkPropertyAccess</code> rather 820: * than throwing an exception. 821: * 822: * @param key the key of the property to check 823: * 824: * @throws SecurityException if permission is denied 825: * @throws NullPointerException if key is null 826: * @throws IllegalArgumentException if key is "" 827: * 828: * @see System#getProperty(String) 829: */ 830: public void checkPropertyAccess(String key) 831: { 832: checkPermission(new PropertyPermission(key, "read")); 833: } 834: 835: /** 836: * Check if the current thread is allowed to create a top-level window. If 837: * it is not, the operation should still go through, but some sort of 838: * nonremovable warning should be placed on the window to show that it 839: * is untrusted. This method is called by Window.Window(). The default 840: * implementation checks 841: * <code>AWTPermission("showWindowWithoutWarningBanner")</code>, and returns 842: * true if no exception was thrown. If you override this, use 843: * <code>return super.checkTopLevelWindow</code> rather than returning 844: * false. 845: * 846: * @param window the window to create 847: * @return true if there is permission to show the window without warning 848: * @throws NullPointerException if window is null 849: * @see java.awt.Window#Window(java.awt.Frame) 850: */ 851: public boolean checkTopLevelWindow(Object window) 852: { 853: if (window == null) 854: throw new NullPointerException(); 855: try 856: { 857: checkPermission(new AWTPermission("showWindowWithoutWarningBanner")); 858: return true; 859: } 860: catch (SecurityException e) 861: { 862: return false; 863: } 864: } 865: 866: /** 867: * Check if the current thread is allowed to create a print job. This 868: * method is called by Toolkit.getPrintJob(). The default implementation 869: * checks <code>RuntimePermission("queuePrintJob")</code>. If you override 870: * this, call <code>super.checkPrintJobAccess</code> rather than throwing 871: * an exception. 872: * 873: * @throws SecurityException if permission is denied 874: * @see java.awt.Toolkit#getPrintJob(java.awt.Frame, String, Properties) 875: * @since 1.1 876: */ 877: public void checkPrintJobAccess() 878: { 879: checkPermission(new RuntimePermission("queuePrintJob")); 880: } 881: 882: /** 883: * Check if the current thread is allowed to use the system clipboard. This 884: * method is called by Toolkit.getSystemClipboard(). The default 885: * implementation checks <code>AWTPermission("accessClipboard")</code>. If 886: * you override this, call <code>super.checkSystemClipboardAccess</code> 887: * rather than throwing an exception. 888: * 889: * @throws SecurityException if permission is denied 890: * @see java.awt.Toolkit#getSystemClipboard() 891: * @since 1.1 892: */ 893: public void checkSystemClipboardAccess() 894: { 895: checkPermission(new AWTPermission("accessClipboard")); 896: } 897: 898: /** 899: * Check if the current thread is allowed to use the AWT event queue. This 900: * method is called by Toolkit.getSystemEventQueue(). The default 901: * implementation checks <code>AWTPermission("accessEventQueue")</code>. 902: * you override this, call <code>super.checkAwtEventQueueAccess</code> 903: * rather than throwing an exception. 904: * 905: * @throws SecurityException if permission is denied 906: * @see java.awt.Toolkit#getSystemEventQueue() 907: * @since 1.1 908: */ 909: public void checkAwtEventQueueAccess() 910: { 911: checkPermission(new AWTPermission("accessEventQueue")); 912: } 913: 914: /** 915: * Check if the current thread is allowed to access the specified package 916: * at all. This method is called by ClassLoader.loadClass() in user-created 917: * ClassLoaders. The default implementation gets a list of all restricted 918: * packages, via <code>Security.getProperty("package.access")</code>. Then, 919: * if packageName starts with or equals any restricted package, it checks 920: * <code>RuntimePermission("accessClassInPackage." + packageName)</code>. 921: * If you override this, you should call 922: * <code>super.checkPackageAccess</code> before doing anything else. 923: * 924: * @param packageName the package name to check access to 925: * @throws SecurityException if permission is denied 926: * @throws NullPointerException if packageName is null 927: * @see ClassLoader#loadClass(String, boolean) 928: * @see Security#getProperty(String) 929: */ 930: public void checkPackageAccess(String packageName) 931: { 932: checkPackageList(packageName, "package.access", "accessClassInPackage."); 933: } 934: 935: /** 936: * Check if the current thread is allowed to define a class into the 937: * specified package. This method is called by ClassLoader.loadClass() in 938: * user-created ClassLoaders. The default implementation gets a list of all 939: * restricted packages, via 940: * <code>Security.getProperty("package.definition")</code>. Then, if 941: * packageName starts with or equals any restricted package, it checks 942: * <code>RuntimePermission("defineClassInPackage." + packageName)</code>. 943: * If you override this, you should call 944: * <code>super.checkPackageDefinition</code> before doing anything else. 945: * 946: * @param packageName the package name to check access to 947: * @throws SecurityException if permission is denied 948: * @throws NullPointerException if packageName is null 949: * @see ClassLoader#loadClass(String, boolean) 950: * @see Security#getProperty(String) 951: */ 952: public void checkPackageDefinition(String packageName) 953: { 954: checkPackageList(packageName, "package.definition", "defineClassInPackage."); 955: } 956: 957: /** 958: * Check if the current thread is allowed to set the current socket factory. 959: * This method is called by Socket.setSocketImplFactory(), 960: * ServerSocket.setSocketFactory(), and URL.setURLStreamHandlerFactory(). 961: * The default implementation checks 962: * <code>RuntimePermission("setFactory")</code>. If you override this, call 963: * <code>super.checkSetFactory</code> rather than throwing an exception. 964: * 965: * @throws SecurityException if permission is denied 966: * @see Socket#setSocketImplFactory(SocketImplFactory) 967: * @see ServerSocket#setSocketFactory(SocketImplFactory) 968: * @see URL#setURLStreamHandlerFactory(URLStreamHandlerFactory) 969: */ 970: public void checkSetFactory() 971: { 972: checkPermission(new RuntimePermission("setFactory")); 973: } 974: 975: /** 976: * Check if the current thread is allowed to get certain types of Methods, 977: * Fields and Constructors from a Class object. This method is called by 978: * Class.getMethod[s](), Class.getField[s](), Class.getConstructor[s], 979: * Class.getDeclaredMethod[s](), Class.getDeclaredField[s](), and 980: * Class.getDeclaredConstructor[s](). The default implementation allows 981: * PUBLIC access, and access to classes defined by the same classloader as 982: * the code performing the reflection. Otherwise, it checks 983: * <code>RuntimePermission("accessDeclaredMembers")</code>. If you override 984: * this, do not call <code>super.checkMemberAccess</code>, as this would 985: * mess up the stack depth check that determines the ClassLoader requesting 986: * the access. 987: * 988: * @param c the Class to check 989: * @param memberType either DECLARED or PUBLIC 990: * @throws SecurityException if permission is denied, including when 991: * memberType is not DECLARED or PUBLIC 992: * @throws NullPointerException if c is null 993: * @see Class 994: * @see Member#DECLARED 995: * @see Member#PUBLIC 996: * @since 1.1 997: */ 998: public void checkMemberAccess(Class<?> c, int memberType) 999: { 1000: if (c == null) 1001: throw new NullPointerException(); 1002: if (memberType == Member.PUBLIC) 1003: return; 1004: // XXX Allow access to classes created by same classloader before next 1005: // check. 1006: checkPermission(new RuntimePermission("accessDeclaredMembers")); 1007: } 1008: 1009: /** 1010: * Test whether a particular security action may be taken. The default 1011: * implementation checks <code>SecurityPermission(action)</code>. If you 1012: * override this, call <code>super.checkSecurityAccess</code> rather than 1013: * throwing an exception. 1014: * 1015: * @param action the desired action to take 1016: * @throws SecurityException if permission is denied 1017: * @throws NullPointerException if action is null 1018: * @throws IllegalArgumentException if action is "" 1019: * @since 1.1 1020: */ 1021: public void checkSecurityAccess(String action) 1022: { 1023: checkPermission(new SecurityPermission(action)); 1024: } 1025: 1026: /** 1027: * Get the ThreadGroup that a new Thread should belong to by default. Called 1028: * by Thread.Thread(). The default implementation returns the current 1029: * ThreadGroup of the current Thread. <STRONG>Spec Note:</STRONG> it is not 1030: * clear whether the new Thread is guaranteed to pass the 1031: * checkAccessThreadGroup() test when using this ThreadGroup, but I presume 1032: * so. 1033: * 1034: * @return the ThreadGroup to put the new Thread into 1035: * @since 1.1 1036: */ 1037: public ThreadGroup getThreadGroup() 1038: { 1039: return Thread.currentThread().getThreadGroup(); 1040: } 1041: 1042: /** 1043: * Helper that checks a comma-separated list of restricted packages, from 1044: * <code>Security.getProperty("package.definition")</code>, for the given 1045: * package access permission. If packageName starts with or equals any 1046: * restricted package, it checks 1047: * <code>RuntimePermission(permission + packageName)</code>. 1048: * 1049: * @param packageName the package name to check access to 1050: * @param restriction "package.access" or "package.definition" 1051: * @param permission the base permission, including the '.' 1052: * @throws SecurityException if permission is denied 1053: * @throws NullPointerException if packageName is null 1054: * @see #checkPackageAccess(String) 1055: * @see #checkPackageDefinition(String) 1056: */ 1057: void checkPackageList(String packageName, final String restriction, 1058: String permission) 1059: { 1060: if (packageName == null) 1061: throw new NullPointerException(); 1062: 1063: String list = (String)AccessController.doPrivileged(new PrivilegedAction() 1064: { 1065: public Object run() 1066: { 1067: return Security.getProperty(restriction); 1068: } 1069: }); 1070: 1071: if (list == null || list.equals("")) 1072: return; 1073: 1074: String packageNamePlusDot = packageName + "."; 1075: 1076: StringTokenizer st = new StringTokenizer(list, ","); 1077: while (st.hasMoreTokens()) 1078: { 1079: if (packageNamePlusDot.startsWith(st.nextToken())) 1080: { 1081: Permission p = new RuntimePermission(permission + packageName); 1082: checkPermission(p); 1083: return; 1084: } 1085: } 1086: } 1087: }