PolicyFile.java revision 0
 * Copyright 1999-2006 Sun Microsystems, Inc. All Rights Reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
 * under the terms of the GNU General Public License version 2 only, as
 * published by the Free Software Foundation. Sun designates this
 * particular file as subject to the "Classpath" exception as provided
 * by Sun in the LICENSE file that accompanied this code.
 *
 * This code is distributed in the hope that it will be useful, but WITHOUT
 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
 * version 2 for more details (a copy is included in the LICENSE file that
 * accompanied this code).
 *
 * You should have received a copy of the GNU General Public License version
 * 2 along with this work; if not, write to the Free Software Foundation,
 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
 *
 * Please contact Sun Microsystems, Inc., 4150 Network Circle, Santa Clara,
 * CA 95054 USA or visit www.sun.com if you need additional information or
 * have any questions.

 * This class represents a default implementation for
 * <code>javax.security.auth.Policy</code>.
 *
 * <p> This object stores the policy for the entire Java runtime,
 * and is the amalgamation of multiple static policy
 * configurations that reside in files.
 * The algorithm for locating the policy file(s) and reading their
 * information into this <code>Policy</code> object is:
 *
 * Loop through the <code>java.security.Security</code> properties,
 * <i>auth.policy.url.1</i>, <i>auth.policy.url.2</i>, ...,
 * <i>auth.policy.url.X</i>. These properties are set
 * in the Java security properties file, which is located in the file named
 * <JAVA_HOME> refers to the value of the java.home system property,
 * and specifies the directory where the JRE is installed.
 * Each property value specifies a <code>URL</code> pointing to a
 * policy file to be loaded. Read in and load each policy.
 *
 * The <code>java.lang.System</code> property <i>java.security.auth.policy</i>
 * may also be set to a <code>URL</code> pointing to another policy file
 * (which is the case when a user uses the -D switch at runtime).
 * If this property is defined, and its use is allowed by the
 * security property file (the Security property,
 * <i>policy.allowSystemProperty</i> is set to <i>true</i>),
 * also load that policy.
 *
 * If the <i>java.security.auth.policy</i> property is defined using
 * "==" (rather than "="), then ignore all other specified
 * policies and only load this policy.
 *
 * Each policy file consists of one or more grant entries, each of
 * which consists of a number of permission entries.
 *
 *   grant signedBy "<b>alias</b>", codeBase "<b>URL</b>",
 *         principal <b>principalClass</b> "<b>principalName</b>",
 *         principal <b>principalClass</b> "<b>principalName</b>",
 *         ... {
 *
 *     permission <b>Type</b> "<b>name</b>", "<b>action</b>",
 *         signedBy "<b>alias</b>";
 *     permission <b>Type</b> "<b>name</b>", "<b>action</b>",
 *         signedBy "<b>alias</b>";
 *     ...
 *   };
 *
 * All non-bold items above must appear as is (although case
 * doesn't matter and some are optional, as noted below).
 * Italicized items represent variable values.
 *
 * <p> A grant entry must begin with the word <code>grant</code>.
 * The <code>signedBy</code> and <code>codeBase</code>
 * If they are not present, then any signer (including unsigned code)
 * will match, and any codeBase will match. Note that the
 *
 * This <code>Policy</code> implementation only permits
 * Principal-based grant entries. Note that the <i>principalClass</i>
 * may be set to the wildcard value, *, which allows it to match
 * any <code>Principal</code> class. In addition, the <i>principalName</i>
 * may also be set to the wildcard value, *, allowing it to match
 * any <code>Principal</code> name. When setting the <i>principalName</i>
 * to the *, do not surround the * with quotes.
 *
 * <p> A permission entry must begin with the word <code>permission</code>.
 * The word <code><i>Type</i></code> in the template above is
 * a specific permission type, such as <code>java.io.FilePermission</code>
 * or <code>java.lang.RuntimePermission</code>.
 *
 * <p> The "<i>action</i>" is required for
 * many permission types, such as <code>java.io.FilePermission</code>
 * (where it specifies what type of file access is permitted).
 * It is not required for categories such as
 * <code>java.lang.RuntimePermission</code>
 * where it is not necessary - you either have the
 * permission specified by the <code>"<i>name</i>"</code>
 * value following the type name or you don't.
 *
 * <p> The <code>signedBy</code> name/value pair for a permission entry
 * is optional. If present, it indicates a signed permission. That is,
 * the permission class itself must be signed by the given alias in
 * order for it to be granted. For example,
 * suppose you have the following grant entry:
 *
 *   grant principal foo.com.Principal "Duke" {
 *     permission Foo "foobar", signedBy "FooSoft";
 *   };
 *
 * <p> Then this permission of type <i>Foo</i> is granted if the
 * <code>Foo.class</code> permission has been signed by the
 * "FooSoft" alias, or if <code>Foo.class</code> is a
 * system class (i.e., is found on the CLASSPATH).
 *
 * <p> Items that appear in an entry must appear in the specified order
 * (<code>permission</code>, <i>Type</i>, "<i>name</i>", and
 * "<i>action</i>"). An entry is terminated with a semicolon.
 *
 * <p> Case is unimportant for the identifiers (<code>permission</code>,
 * <code>signedBy</code>, <code>codeBase</code>, etc.) but is
 * significant for the <i>Type</i>
 * or for any string that is passed in as a value.
 *
 * <p> An example of two entries in a policy configuration file is
 *
 *   // if the code comes from "foo.com" and is running as "Duke",
 *   grant codeBase "foo.com", principal foo.com.Principal "Duke" {
 *     permission java.io.FilePermission "/tmp/*", "read,write";
 *   };
 *
 *   // grant any code running as "Duke" permission to read
 *   // the "java.vendor" Property.
 *   grant principal foo.com.Principal "Duke" {
 *     permission java.util.PropertyPermission "java.vendor";
 *   };
 *
 * <p> This <code>Policy</code> implementation supports
 * special handling for PrivateCredentialPermissions.
 * If a grant entry is configured with a
 * <code>PrivateCredentialPermission</code>,
 * <code>PrivateCredentialPermission</code> is "self",
 * then the entry grants the specified <code>Subject</code> permission to
 * access its own private Credential. For example,
 * the following grants the <code>Subject</code> "Duke"
 * access to its own a.b.Credential.
 *
 *   grant principal foo.com.Principal "Duke" {
 *     permission javax.security.auth.PrivateCredentialPermission
 *       "a.b.Credential self",
 *
 * The following grants the <code>Subject</code> "Duke"
 * access to all of its own private Credentials:
 *
 *   grant principal foo.com.Principal "Duke" {
 *     permission javax.security.auth.PrivateCredentialPermission
 *
 * The following grants all Subjects authenticated as a
 * <code>SolarisPrincipal</code> (regardless of their respective names)
 * permission to access their own private Credentials:
 *
 *   grant principal com.sun.security.auth.SolarisPrincipal * {
 *     permission javax.security.auth.PrivateCredentialPermission
 *
 * The following grants all Subjects permission to access their own
 * private Credentials:
 *
 *   grant principal * * {
 *     permission javax.security.auth.PrivateCredentialPermission
 *
 * @deprecated As of JDK 1.4, replaced by
 *   <code>sun.security.provider.PolicyFile</code>.
 *   This class is entirely deprecated.
 *
 * @see java.security.CodeSource
 * @see java.security.Permissions
 * @see java.security.ProtectionDomain

(
"sun.security.util.AuthResources"));

 // needs to be package private
 // for use with the reflection API

 * Initializes the Policy object and reads the default policy
 * configuration file(s) into the Policy object.

 // initialize Policy if either the AUTH_POLICY or
 // SECURITY_MANAGER properties are set

 * Refreshes the policy object by re-reading all the policy files.
 *
 * @exception SecurityException if the caller doesn't have permission
 *   to refresh the <code>Policy</code>.

 // 1) if code instantiates PolicyFile directly, then it will need
 //    all the permissions required for the PolicyFile initialization
 // 2) if code calls Policy.getPolicy, then it simply needs
 //    AuthPermission(getPolicy), and the javax.security.auth.Policy
 //    implementation instantiates PolicyFile in a doPrivileged block
 // 3) if after instantiating a Policy (either via #1 or #2),
 //    code calls refresh, it simply needs
 //    AuthPermission(refreshPolicy). Then PolicyFile wraps
 //    the refresh in a doPrivileged block.

 * location of keystore is specified as absolute URL in policy
 * file, or is relative to URL of policy file

 // ignore, treat it like we have no keystore
 // ignore that policy
 // do not load a static policy

 /** the scope to check */

 * Checks public key. If it is marked as trusted in
 * the identity database, add it to the policy
 * with the AllPermission.

 // XXX JAAS has no way to access the SUN package.
 // we'll add this back in when JAAS goes into core.

 * Reads a policy configuration into the Policy object using a
 *
 * @param policyFile the policy Reader object.

 * Fast path reading from file URLs in order to avoid calling
 * FileURLConnection.connect() which can be quite slow the first time
 * it is called. We really should clean up FileURLConnection so that
 * this is not a problem but in the meantime this fix helps reduce
 * start up time noticeably for the new launcher. -- DAC

 * Given a PermissionEntry, create a codeSource.
 *
 * @return null if signedBy alias is not recognized

 // we don't have a key for this alias,

 * Add one policy entry to the vector.

 // skip if signedBy alias was unknown...
 // XXX special case PrivateCredentialPermission-SELF
(
"javax.security.auth.PrivateCredentialPermission") &&

 // only add if we had no signer or we had
 // a signer and found the keys for it.

 * Returns a new Permission object of the given Type. The Permission is
 * created by getting the
 * Class object using the <code>Class.forName</code> method, and using
 * the reflection API to invoke the (String name, String actions)
 * constructor on the
 *
 * @param type the type of Permission being created.
 * @param name the name of the Permission being created.
 * @param actions the actions of the Permission being created.
 *
 * @exception ClassNotFoundException if the particular Permission
 *   class could not be found.
 * @exception IllegalAccessException if the class or initializer is
 * @exception InstantiationException if getInstance tries to
 *   instantiate an abstract class or an interface, or if the
 *   instantiation fails for some other reason.
 * @exception NoSuchMethodException if the (String, String) constructor
 * @exception InvocationTargetException if the underlying Permission
 *   constructor throws an exception.

 //XXX we might want to keep a hash of created factories...

 * Fetch all certs associated with this alias.

 //See if this alias's cert has already been cached
 // never happens, because keystore has already been loaded
 // when we call this
 // make sure n == vcerts.size, since we are doing a logical *and*

 * Enumerate all the entries in the global policy object.
 * This method is used by policy admin tools. The tools
 * should use the Enumeration methods on the returned object
 * to fetch the elements sequentially.

 * Examines this <code>Policy</code> and returns the Permissions granted
 * to the specified <code>Subject</code> and <code>CodeSource</code>.
 *
 * <p> Permissions for a particular <i>grant</i> entry are returned
 * if the <code>CodeSource</code> constructed using the codebase and
 * signedby values specified in the entry <code>implies</code>
 * the <code>CodeSource</code> provided to this method, and if the
 * <code>Subject</code> provided to this method contains all of the
 * Principals specified in the entry.
 *
 * <p> The <code>Subject</code> provided to this method contains all
 * of the Principals specified in the entry if, for each
 * <code>Principal</code>, "P1", specified in the <i>grant</i> entry
 * one of the following two conditions is met:
 *
 * <li> the <code>Subject</code> has a
 *   <code>Principal</code>, "P2", where
 *   <code>P2.getClass().getName()</code> equals the
 *   P1's class name, and where
 *   <code>P2.getName()</code> equals the P1's name.
 *
 * <li> P1 implements
 *   <code>com.sun.security.auth.PrincipalComparator</code>,
 *   and <code>P1.implies</code> the provided <code>Subject</code>.
 *
 * <p> Note that this <code>Policy</code> implementation has
 * special handling for PrivateCredentialPermissions.
 * When this method encounters a <code>PrivateCredentialPermission</code>
 * which specifies "self" as the <code>Principal</code> class and name,
 * it does not add that <code>Permission</code> to the returned
 * <code>PermissionCollection</code>. Instead, it builds
 * a new <code>PrivateCredentialPermission</code>
 * for each <code>Principal</code> associated with the provided
 * <code>Subject</code>. Each new <code>PrivateCredentialPermission</code>
 * contains the same Credential class as specified in the
 * originally granted permission, as well as the Class and name
 * for the respective <code>Principal</code>.
 *
 * @param subject the Permissions granted to this <code>Subject</code>
 *   and the additionally provided <code>CodeSource</code>
 * @param codesource the Permissions granted to this <code>CodeSource</code>
 *   and the additionally provided <code>Subject</code>
 *
 * @return the Permissions granted to the provided <code>Subject</code>
 *   <code>CodeSource</code>.

 // XXX when JAAS goes into the JDK core,
 // we can remove this method and simply
 // rely on the getPermissions variant that takes a codesource,
 // which no one can use at this point in time.
 // at that time, we can also make SubjectCodeSource a public

 // 1) if code instantiates PolicyFile directly, then it will need
 //    all the permissions required for the PolicyFile initialization
 // 2) if code calls Policy.getPolicy, then it simply needs
 //    AuthPermission(getPolicy), and the javax.security.auth.Policy
 //    implementation instantiates PolicyFile in a doPrivileged block
 // 3) if after instantiating a Policy (either via #1 or #2),
 //    code calls getPermissions, PolicyFile wraps the call
 //    in a doPrivileged block.

 * Examines the global policy for the specified CodeSource, and
 * creates a PermissionCollection object with
 * the set of permissions for that principal's protection domain.
 *
 * @param codesource the codesource associated with the caller.
 *   This encapsulates the original location of the code (where the code
 *   came from) and the public key(s) of its signer.
 *
 * @return the set of permissions according to the policy.

 * Examines the global policy for the specified CodeSource, and
 * creates a PermissionCollection object with
 * the set of permissions for that principal's protection domain.
 *
 * @param permissions the permissions to populate
 * @param codesource the codesource associated with the caller.
 *   This encapsulates the original location of the code (where the code
 *   came from) and the public key(s) of its signer.
 *
 * @return the set of permissions according to the policy.

 // codesource.implies calls URL.equals which does an
 // InetAddress lookup
 // we could check for duplicates
 // before adding new permissions,
 // but the SubjectDomainCombiner
 // already checks for duplicates later
 // now see if any of the keys are trusted ids.
 // checkForTrustedIdentity added it
 // to the policy for us. next time
 // around we'll find it. This time
 // around we need to add it.

 * Returns true if 'Self' permissions were added to the provided
 * 'perms', and false otherwise.
 *
 * @param p check to see if this Permission is a "SELF"
 *   PrivateCredentialPermission.
 * @param entryCs the codesource for the Policy entry.
 * @param accCs the codesource from the current AccessControlContext.
 * @param perms the PermissionCollection where the individual
 *   PrivateCredentialPermissions will be added.

 // see if it is a SELF permission
 // regular PrivateCredentialPermission
 // granted a SELF permission - create a
 // PrivateCredentialPermission for each
 // of the Policy entry's CodeSource Principals
 // XXX SubjectCodeSource has no Subject???
 // if the Policy entry's Principal does not contain a
 // WILDCARD for the Principal name, then a
 // new PrivateCredentialPermission is created
 // for the Principal listed in the Policy entry.
 // if the Policy entry's Principal contains a WILDCARD
 // for the Principal name, then a new
 // PrivateCredentialPermission is created
 // for each Principal associated with the Subject
 // in the current ACC.
 // here's the new PrivateCredentialPermission

 * array[x][y]: x corresponds to the array length.
 * if (y == 0), it's the principal class.
 * if (y == 1), it's the principal name.

 // there are 3 possibilities:
 // 1) the entry's Principal class and name are not wildcarded
 // 2) the entry's Principal name is wildcarded only
 // 3) the entry's Principal class and name are wildcarded
 // build a PrivateCredentialPermission for the principal
 // from the Policy entry
 // build a PrivateCredentialPermission for all
 // the Subject's principals that are instances of principalClass
 // the accCs is guaranteed to be a SubjectCodeSource
 // because the earlier CodeSource.implies succeeded
"when expanding SELF permission: " +
 // build a PrivateCredentialPermission for every
 // one of the current Subject's principals
 // the accCs is guaranteed to be a SubjectCodeSource
 // because the earlier CodeSource.implies succeeded

 * Returns the signer certificates from the list of certificates associated
 * with the given code source.
 *
 * The signer certificates are those certificates that were used to verify
 * signed code originating from the codesource location.
 *
 * This method assumes that in the given code source, each signer
 * certificate is followed by its supporting certificate chain
 * (which may be empty), and that the signer certificate and its
 * supporting certificate chain are ordered bottom-to-top (i.e., with the
 * signer certificate first and the (root) certificate authority last).

 // Do we have to do anything?
 // remove trailing '*' because it causes canonicalization
 // reappend '*' to canonicalized filename (note that
 // canonicalization may have removed trailing file
 // separator, so we have to check for that, too)
 // leave codesource as it is, unless we have to extract its
 // signer certificates

 * Each entry in the policy configuration file is represented by a
 * PolicyEntry object. <p>
 *
 * A PolicyEntry is a (CodeSource,Permission) pair. The
 * CodeSource contains the (URL, PublicKey) that together identify
 * where the Java bytecodes come from and who (if anyone) signed
 * them. The URL could refer to localhost. The URL could also be
 * null, meaning that this policy entry is given to all comers, as
 * long as they match the signer field. The signer could be null,
 * meaning the code is not signed. <p>
 *
 * The Permission contains the (Type, Name, Action) triplet. <p>
 *
 * For now, the Policy object retrieves the public key from the
 * X.509 certificate on disk that corresponds to the signedBy
 * alias specified in the Policy config file. For reasons of
 * efficiency, the Policy object keeps a hashtable of certs already
 * read in. This could be replaced by a secure internal key
 *
 * For example, the entry
 *
 *   permission java.io.FilePermission "/tmp", "read,write",
 *
 * is represented internally
 *
 *   FilePermission f = new FilePermission("/tmp", "read,write");
 *   PublicKey p = publickeys.get("Duke");
 *   URL u = InetAddress.getLocalHost();
 *   CodeBase c = new CodeBase( p, u );
 *   pe = new PolicyEntry(f, c);
 *
 * @author Marianne Mueller
 * @author Roland Schemers
 * @see java.security.CodeSource
 * @see java.security.Policy
 * @see java.security.Permissions
 * @see java.security.ProtectionDomain

 * Given a Permission and a CodeSource, create a policy entry.
 *
 * XXX Decide if/how to add validity fields and "purpose" fields to
 * XXX policy entries
 *
 * @param cs the CodeSource, which encapsulates the URL and the public
 *   attributes from the policy config file. Validity checks are
 *   performed on the public key before PolicyEntry is called.

 * add a Permission object to this entry.

 * Return the CodeSource for this policy entry

private boolean notInit; // have we pulled in the policy permissions yet?
(
"attempt to add a Permission to a readonly PermissionCollection"));
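As an added illustration (not the JDK's own code), the following Python models the principal-matching rule from the getPermissions javadoc above together with the three-case "self" PrivateCredentialPermission expansion from the expandSelf comments; it assumes the codeBase/signedBy half of the match already holds and omits the PrincipalComparator branch. The sample policy is constructed to mirror the javadoc's own grant entries.

```python
from dataclasses import dataclass
WILDCARD = "*"
PCP_TYPE = "javax.security.auth.PrivateCredentialPermission"

@dataclass(frozen=True)
class Principal:
    cls: str   # fully qualified Principal class name, or "*"
    name: str  # Principal name, or "*"

@dataclass(frozen=True)
class Permission:
    ptype: str
    name: str
    actions: str = ""

@dataclass
class GrantEntry:
    principals: list   # the entry's principal Class "Name" pairs
    permissions: list

def subject_satisfies(entry, subject):
    """Each entry principal must match a Subject principal; '*' matches any class/name."""
    return all(any((p1.cls == WILDCARD or p1.cls == p2.cls) and
                   (p1.name == WILDCARD or p1.name == p2.name)
                   for p2 in subject)
               for p1 in entry.principals)

def expand_self(perm, entry, subject):
    """Replace a '<CredClass> self' permission by concrete ones, following the
    three cases in the source: fixed class+name, wildcard name, wildcard both."""
    cred = perm.name.split()[0]
    out = []
    for p in entry.principals:
        if p.cls != WILDCARD and p.name != WILDCARD:
            targets = [p]                                     # case 1
        elif p.cls != WILDCARD:
            targets = [s for s in subject if s.cls == p.cls]  # case 2
        else:
            targets = list(subject)                           # case 3
        for t in sorted(targets, key=lambda s: (s.cls, s.name)):
            out.append(Permission(PCP_TYPE, f'{cred} {t.cls} "{t.name}"'))
    return out

def get_permissions(policy, subject):
    """Permissions granted to `subject`; the codeBase/signedBy half is assumed to hold."""
    granted = []
    for entry in policy:
        if not subject_satisfies(entry, subject):
            continue
        for perm in entry.permissions:
            if perm.ptype == PCP_TYPE and perm.name.split()[1:] == ["self"]:
                granted += expand_self(perm, entry, subject)
            else:
                granted.append(perm)
    return granted

# Constructed sample policy mirroring the javadoc's own entries.
POLICY = [
    GrantEntry([Principal("foo.com.Principal", "Duke")],
               [Permission("java.util.PropertyPermission", "java.vendor")]),
    GrantEntry([Principal("com.sun.security.auth.SolarisPrincipal", WILDCARD)],
               [Permission(PCP_TYPE, "a.b.Credential self")]),
    GrantEntry([Principal(WILDCARD, WILDCARD)],
               [Permission(PCP_TYPE, "c.d.Credential self")]),
]
DUKE = {Principal("foo.com.Principal", "Duke"),
        Principal("com.sun.security.auth.SolarisPrincipal", "duke")}
```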