/*
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
 *
 * Copyright (c) 2005 Sun Microsystems Inc. All Rights Reserved
 *
 * The contents of this file are subject to the terms
 * of the Common Development and Distribution License
 * (the License). You may not use this file except in
 * compliance with the License.
 *
 * You can obtain a copy of the License at
 * https://opensso.dev.java.net/public/CDDLv1.0.html or
 * opensso/legal/CDDLv1.0.txt
 * See the License for the specific language governing
 * permission and limitations under the License.
 *
 * When distributing Covered Code, include this CDDL
 * Header Notice in each file and include the License file
 * at opensso/legal/CDDLv1.0.txt.
 * If applicable, add the following below the CDDL Header,
 * with the fields enclosed by brackets [] replaced by
 * your own identifying information:
 * "Portions Copyrighted [year] [name of copyright owner]"
 *
 * $Id: ISSecurityPermission.java,v 1.4 2008/08/19 19:14:56 veiming Exp $
 *
 * Portions Copyrighted 2015 ForgeRock AS.
 */
5c099afa7c9361afc2f4477fec0e3018588d7840Allan Foster
5c099afa7c9361afc2f4477fec0e3018588d7840Allan Fosterpackage com.sun.identity.security;
5c099afa7c9361afc2f4477fec0e3018588d7840Allan Foster
import java.security.Permission;
import java.util.Collections;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Objects;
import java.util.Random;
import java.util.Set;
import java.util.StringTokenizer;
import java.util.TreeSet;
5c099afa7c9361afc2f4477fec0e3018588d7840Allan Foster
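/**
 * This class <code>ISSecurityPermission</code> is used to protect the OpenAM
 * resources which should be accessed only by trusted application code. The
 * resources this Permission is used to protect are: the OpenAM administrator
 * DN and password, and access to the encryption and decryption methods used
 * to encrypt all passwords in OpenAM services.
 *
 * <p>The supported permission name is <code>"access"</code> and the
 * supported actions are <code>"adminpassword"</code> and
 * <code>"crypt"</code>. Holding <code>"adminpassword"</code> implies
 * <code>"crypt"</code>; the reverse is not true. In the Java security policy
 * file, granting this permission to a code base is done as below:
 *
 * <pre>
 * grant codeBase "file:{directory where jars are located}/-" {
 *     permission com.sun.identity.security.ISSecurityPermission "access",
 *         "adminpassword,crypt";
 * };
 * </pre>
 *
 * <p>Whitespace around action names is ignored, and {@link #getActions()}
 * always returns the actions in a canonical (sorted) order so that two
 * permissions built from <code>"crypt,adminpassword"</code> and
 * <code>"adminpassword,crypt"</code> compare equal.
 *
 * <p>Note: The property <code>com.sun.identity.security.checkcaller</code>
 * should be set to true in <code>AMConfig.properties</code> file to enable the
 * Java security permissions check.
 *
 * <p>Instances are immutable and therefore safe to share between threads.
 *
 * @supported.all.api
 */
public class ISSecurityPermission extends Permission {

    private static final long serialVersionUID = 1L;

    /** Action granting access to the administrator DN and password; also implies {@link #CRYPT}. */
    private static final String ADMIN_PASSWORD = "adminpassword";

    /** Action granting access to the password encryption and decryption methods. */
    private static final String CRYPT = "crypt";

    /**
     * Unmodifiable, sorted set of the action names this permission carries.
     * Unknown action names are kept verbatim but never grant anything in
     * {@link #implies(Permission)}.
     */
    private final Set<String> actions;

    /**
     * Constructs <code>ISSecurityPermission</code> object.
     *
     * @param access
     *            Has to be string "access"
     * @param action
     *            Comma-separated list of actions; supported values are
     *            <code>adminpassword</code> and <code>crypt</code>. A
     *            <code>null</code> or empty string yields a permission with
     *            no actions, which implies nothing.
     */
    public ISSecurityPermission(String access, String action) {
        super(access);
        actions = parseActions(action);
    }

    /**
     * Constructs <code>ISSecurityPermission</code> object. This constructor
     * sets the action to <code>"adminpassword"</code> by default.
     *
     * @param access
     *            Has to be string "access"
     */
    public ISSecurityPermission(String access) {
        this(access, ADMIN_PASSWORD);
    }

    /**
     * This method checks to see if this instance of
     * <code>ISSecurityPermission</code> implies the Permission being passed
     * as the argument. For more information on this, see the Javadocs of
     * <code>java.security.Permission</code>.
     *
     * <p>The argument is implied only when it is an
     * <code>ISSecurityPermission</code> with the same name, it requests at
     * least one action, and every requested action is granted by this
     * instance (<code>"adminpassword"</code> grants itself and
     * <code>"crypt"</code>; <code>"crypt"</code> grants only itself).
     *
     * @param p
     *            Instance of
     *            <code>com.sun.identity.security.ISSecurityPermission</code>
     * @return true if this instance of <code>ISSecurityPermission</code>
     *         implies all the actions of the argument p. False otherwise.
     */
    @Override
    public boolean implies(Permission p) {
        if (!(p instanceof ISSecurityPermission)) {
            return false;
        }
        ISSecurityPermission that = (ISSecurityPermission) p;
        // A permission granted under one name must not satisfy a check made
        // under another; the documented name is "access".
        if (!Objects.equals(getName(), that.getName())) {
            return false;
        }
        // A permission that asks for nothing is never implied (deny by default).
        if (that.actions.isEmpty()) {
            return false;
        }
        // Every requested action must be individually granted, so that a
        // "crypt"-only holder does not satisfy a request for "adminpassword,crypt".
        for (String requested : that.actions) {
            if (!grants(requested)) {
                return false;
            }
        }
        return true;
    }

    /**
     * Tells whether this permission grants a single requested action.
     *
     * @param requested the action name being checked
     * @return true if the action is one of the known actions and is covered
     *         by this permission's actions; false for unknown actions
     */
    private boolean grants(String requested) {
        if (ADMIN_PASSWORD.equals(requested)) {
            return actions.contains(ADMIN_PASSWORD);
        }
        if (CRYPT.equals(requested)) {
            // Action "crypt" is implied by the action "adminpassword"
            return actions.contains(ADMIN_PASSWORD) || actions.contains(CRYPT);
        }
        return false;
    }

    /**
     * Returns hash code for this object, derived from the permission name
     * and the action set so that it is consistent with {@link #equals(Object)}
     * (a requirement for permission collections keyed by this class).
     *
     * @see java.security.Permission#hashCode()
     * @return hash code representing this object
     */
    @Override
    public int hashCode() {
        return 31 * Objects.hashCode(getName()) + actions.hashCode();
    }

    /**
     * Returns true if this object is equal to <code>o</code>: the same class,
     * the same permission name, and the same set of actions.
     *
     * @param o
     *            object for comparison.
     * @return true if both objects represent the same permission.
     */
    @Override
    public boolean equals(Object o) {
        if (this == o) {
            return true;
        }
        if (o == null || getClass() != o.getClass()) {
            return false;
        }
        ISSecurityPermission that = (ISSecurityPermission) o;
        return Objects.equals(getName(), that.getName())
                && actions.equals(that.actions);
    }

    /**
     * @see java.security.Permission#getActions()
     * @return canonical (sorted, comma-separated, no whitespace) String
     *         representation of the actions held by this
     *         <code>ISSecurityPermission</code>; empty if there are none
     */
    @Override
    public String getActions() {
        StringBuilder sb = new StringBuilder();
        for (String a : actions) {
            if (sb.length() > 0) {
                sb.append(',');
            }
            sb.append(a);
        }
        return sb.toString();
    }

    /**
     * Splits a comma-separated action string into an unmodifiable sorted set.
     * Tokens are trimmed and empty tokens dropped; a <code>null</code> input
     * yields an empty set instead of a <code>NullPointerException</code>.
     *
     * @param ac the raw action string, possibly <code>null</code>
     * @return the parsed actions, never <code>null</code>
     */
    private static Set<String> parseActions(String ac) {
        Set<String> res = new TreeSet<String>();
        if (ac != null) {
            StringTokenizer tzer = new StringTokenizer(ac, ",");
            while (tzer.hasMoreTokens()) {
                String token = tzer.nextToken().trim();
                if (token.length() > 0) {
                    res.add(token);
                }
            }
        }
        return Collections.unmodifiableSet(res);
    }
}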