Path: blob/aarch64-shenandoah-jdk8u272-b10/jdk/src/share/classes/javax/security/auth/Policy.java
38918 views
/*1* Copyright (c) 1998, 2013, Oracle and/or its affiliates. All rights reserved.2* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.3*4* This code is free software; you can redistribute it and/or modify it5* under the terms of the GNU General Public License version 2 only, as6* published by the Free Software Foundation. Oracle designates this7* particular file as subject to the "Classpath" exception as provided8* by Oracle in the LICENSE file that accompanied this code.9*10* This code is distributed in the hope that it will be useful, but WITHOUT11* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or12* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License13* version 2 for more details (a copy is included in the LICENSE file that14* accompanied this code).15*16* You should have received a copy of the GNU General Public License version17* 2 along with this work; if not, write to the Free Software Foundation,18* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.19*20* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA21* or visit www.oracle.com if you need additional information or have any22* questions.23*/2425package javax.security.auth;2627import java.security.Security;28import java.security.AccessController;29import java.security.PrivilegedAction;30import java.security.PrivilegedExceptionAction;31import java.util.Objects;32import sun.security.util.Debug;3334/**35* <p> This is an abstract class for representing the system policy for36* Subject-based authorization. A subclass implementation37* of this class provides a means to specify a Subject-based38* access control {@code Policy}.39*40* <p> A {@code Policy} object can be queried for the set of41* Permissions granted to code running as a42* {@code Principal} in the following manner:43*44* <pre>45* policy = Policy.getPolicy();46* PermissionCollection perms = policy.getPermissions(subject,47* codeSource);48* </pre>49*50* The {@code Policy} object consults the local policy and returns51* and appropriate {@code Permissions} object with the52* Permissions granted to the Principals associated with the53* provided <i>subject</i>, and granted to the code specified54* by the provided <i>codeSource</i>.55*56* <p> A {@code Policy} contains the following information.57* Note that this example only represents the syntax for the default58* {@code Policy} implementation. Subclass implementations of this class59* may implement alternative syntaxes and may retrieve the60* {@code Policy} from any source such as files, databases,61* or servers.62*63* <p> Each entry in the {@code Policy} is represented as64* a <b><i>grant</i></b> entry. Each <b><i>grant</i></b> entry65* specifies a codebase, code signers, and Principals triplet,66* as well as the Permissions granted to that triplet.67*68* <pre>69* grant CodeBase ["URL"], Signedby ["signers"],70* Principal [Principal_Class] "Principal_Name" {71* Permission Permission_Class ["Target_Name"]72* [, "Permission_Actions"]73* [, signedBy "SignerName"];74* };75* </pre>76*77* The CodeBase and Signedby components of the triplet name/value pairs78* are optional. If they are not present, then any any codebase will match,79* and any signer (including unsigned code) will match.80* For Example,81*82* <pre>83* grant CodeBase "foo.com", Signedby "foo",84* Principal com.sun.security.auth.SolarisPrincipal "duke" {85* permission java.io.FilePermission "/home/duke", "read, write";86* };87* </pre>88*89* This <b><i>grant</i></b> entry specifies that code from "foo.com",90* signed by "foo', and running as a {@code SolarisPrincipal} with the91* name, duke, has one {@code Permission}. This {@code Permission}92* permits the executing code to read and write files in the directory,93* "/home/duke".94*95* <p> To "run" as a particular {@code Principal},96* code invokes the {@code Subject.doAs(subject, ...)} method.97* After invoking that method, the code runs as all the Principals98* associated with the specified {@code Subject}.99* Note that this {@code Policy} (and the Permissions100* granted in this {@code Policy}) only become effective101* after the call to {@code Subject.doAs} has occurred.102*103* <p> Multiple Principals may be listed within one <b><i>grant</i></b> entry.104* All the Principals in the grant entry must be associated with105* the {@code Subject} provided to {@code Subject.doAs}106* for that {@code Subject} to be granted the specified Permissions.107*108* <pre>109* grant Principal com.sun.security.auth.SolarisPrincipal "duke",110* Principal com.sun.security.auth.SolarisNumericUserPrincipal "0" {111* permission java.io.FilePermission "/home/duke", "read, write";112* permission java.net.SocketPermission "duke.com", "connect";113* };114* </pre>115*116* This entry grants any code running as both "duke" and "0"117* permission to read and write files in duke's home directory,118* as well as permission to make socket connections to "duke.com".119*120* <p> Note that non Principal-based grant entries are not permitted121* in this {@code Policy}. Therefore, grant entries such as:122*123* <pre>124* grant CodeBase "foo.com", Signedby "foo" {125* permission java.io.FilePermission "/tmp/scratch", "read, write";126* };127* </pre>128*129* are rejected. Such permission must be listed in the130* {@code java.security.Policy}.131*132* <p> The default {@code Policy} implementation can be changed by133* setting the value of the {@code auth.policy.provider} security property to134* the fully qualified name of the desired {@code Policy} implementation class.135*136* @deprecated as of JDK version 1.4 -- Replaced by java.security.Policy.137* java.security.Policy has a method:138* <pre>139* public PermissionCollection getPermissions140* (java.security.ProtectionDomain pd)141*142* </pre>143* and ProtectionDomain has a constructor:144* <pre>145* public ProtectionDomain146* (CodeSource cs,147* PermissionCollection permissions,148* ClassLoader loader,149* Principal[] principals)150* </pre>151*152* These two APIs provide callers the means to query the153* Policy for Principal-based Permission entries.154*155* @see java.security.Security security properties156*/157@Deprecated158public abstract class Policy {159160private static Policy policy;161private final static String AUTH_POLICY =162"sun.security.provider.AuthPolicyFile";163164private final java.security.AccessControlContext acc =165java.security.AccessController.getContext();166167// true if a custom (not AUTH_POLICY) system-wide policy object is set168private static boolean isCustomPolicy;169170/**171* Sole constructor. (For invocation by subclass constructors, typically172* implicit.)173*/174protected Policy() { }175176/**177* Returns the installed Policy object.178* This method first calls179* {@code SecurityManager.checkPermission} with the180* {@code AuthPermission("getPolicy")} permission181* to ensure the caller has permission to get the Policy object.182*183* <p>184*185* @return the installed Policy. The return value cannot be186* {@code null}.187*188* @exception java.lang.SecurityException if the current thread does not189* have permission to get the Policy object.190*191* @see #setPolicy192*/193public static Policy getPolicy() {194java.lang.SecurityManager sm = System.getSecurityManager();195if (sm != null) sm.checkPermission(new AuthPermission("getPolicy"));196return getPolicyNoCheck();197}198199/**200* Returns the installed Policy object, skipping the security check.201*202* @return the installed Policy.203*204*/205static Policy getPolicyNoCheck() {206if (policy == null) {207208synchronized(Policy.class) {209210if (policy == null) {211String policy_class = null;212policy_class = AccessController.doPrivileged213(new PrivilegedAction<String>() {214public String run() {215return java.security.Security.getProperty216("auth.policy.provider");217}218});219if (policy_class == null) {220policy_class = AUTH_POLICY;221}222223try {224final String finalClass = policy_class;225226Policy untrustedImpl = AccessController.doPrivileged(227new PrivilegedExceptionAction<Policy>() {228public Policy run() throws ClassNotFoundException,229InstantiationException,230IllegalAccessException {231Class<? extends Policy> implClass = Class.forName(232finalClass, false,233Thread.currentThread().getContextClassLoader()234).asSubclass(Policy.class);235return implClass.newInstance();236}237});238AccessController.doPrivileged(239new PrivilegedExceptionAction<Void>() {240public Void run() {241setPolicy(untrustedImpl);242isCustomPolicy = !finalClass.equals(AUTH_POLICY);243return null;244}245}, Objects.requireNonNull(untrustedImpl.acc)246);247} catch (Exception e) {248throw new SecurityException249(sun.security.util.ResourcesMgr.getString250("unable.to.instantiate.Subject.based.policy"));251}252}253}254}255return policy;256}257258259/**260* Sets the system-wide Policy object. This method first calls261* {@code SecurityManager.checkPermission} with the262* {@code AuthPermission("setPolicy")}263* permission to ensure the caller has permission to set the Policy.264*265* <p>266*267* @param policy the new system Policy object.268*269* @exception java.lang.SecurityException if the current thread does not270* have permission to set the Policy.271*272* @see #getPolicy273*/274public static void setPolicy(Policy policy) {275java.lang.SecurityManager sm = System.getSecurityManager();276if (sm != null) sm.checkPermission(new AuthPermission("setPolicy"));277Policy.policy = policy;278// all non-null policy objects are assumed to be custom279isCustomPolicy = policy != null ? true : false;280}281282/**283* Returns true if a custom (not AUTH_POLICY) system-wide policy object284* has been set or installed. This method is called by285* SubjectDomainCombiner to provide backwards compatibility for286* developers that provide their own javax.security.auth.Policy287* implementations.288*289* @return true if a custom (not AUTH_POLICY) system-wide policy object290* has been set; false otherwise291*/292static boolean isCustomPolicySet(Debug debug) {293if (policy != null) {294if (debug != null && isCustomPolicy) {295debug.println("Providing backwards compatibility for " +296"javax.security.auth.policy implementation: " +297policy.toString());298}299return isCustomPolicy;300}301// check if custom policy has been set using auth.policy.provider prop302String policyClass = java.security.AccessController.doPrivileged303(new java.security.PrivilegedAction<String>() {304public String run() {305return Security.getProperty("auth.policy.provider");306}307});308if (policyClass != null && !policyClass.equals(AUTH_POLICY)) {309if (debug != null) {310debug.println("Providing backwards compatibility for " +311"javax.security.auth.policy implementation: " +312policyClass);313}314return true;315}316return false;317}318319/**320* Retrieve the Permissions granted to the Principals associated with321* the specified {@code CodeSource}.322*323* <p>324*325* @param subject the {@code Subject}326* whose associated Principals,327* in conjunction with the provided328* {@code CodeSource}, determines the Permissions329* returned by this method. This parameter330* may be {@code null}. <p>331*332* @param cs the code specified by its {@code CodeSource}333* that determines, in conjunction with the provided334* {@code Subject}, the Permissions335* returned by this method. This parameter may be336* {@code null}.337*338* @return the Collection of Permissions granted to all the339* {@code Subject} and code specified in340* the provided <i>subject</i> and <i>cs</i>341* parameters.342*/343public abstract java.security.PermissionCollection getPermissions344(Subject subject,345java.security.CodeSource cs);346347/**348* Refresh and reload the Policy.349*350* <p>This method causes this object to refresh/reload its current351* Policy. This is implementation-dependent.352* For example, if the Policy object is stored in353* a file, calling {@code refresh} will cause the file to be re-read.354*355* <p>356*357* @exception SecurityException if the caller does not have permission358* to refresh the Policy.359*/360public abstract void refresh();361}362363364