ServicePermission.java revision 3909
3909N/A * Copyright (c) 2000, 2011, Oracle and/or its affiliates. All rights reserved. 0N/A * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. 0N/A * This code is free software; you can redistribute it and/or modify it 0N/A * under the terms of the GNU General Public License version 2 only, as 2362N/A * published by the Free Software Foundation. Oracle designates this 0N/A * particular file as subject to the "Classpath" exception as provided 2362N/A * by Oracle in the LICENSE file that accompanied this code. 0N/A * This code is distributed in the hope that it will be useful, but WITHOUT 0N/A * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or 0N/A * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License 0N/A * version 2 for more details (a copy is included in the LICENSE file that 0N/A * accompanied this code). 0N/A * You should have received a copy of the GNU General Public License version 0N/A * 2 along with this work; if not, write to the Free Software Foundation, 0N/A * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. 2362N/A * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA 2362N/A * or visit www.oracle.com if you need additional information or have any 0N/A * This class is used to protect Kerberos services and the 0N/A * credentials necessary to access those services. There is a one to 0N/A * one mapping of a service principal and the credentials necessary 0N/A * to access the service. Therefore granting access to a service 0N/A * principal implicitly grants access to the credential necessary to 0N/A * establish a security context with the service principal. This 0N/A * applies regardless of whether the credentials are in a cache 0N/A * or acquired via an exchange with the KDC. The credential can 0N/A * be either a ticket granting ticket, a service ticket or a secret 0N/A * key from a key table. 0N/A * A ServicePermission contains a service principal name and 0N/A * a list of actions which specify the context the credential can be 0N/A * The service principal name is the canonical name of the 0N/A * <code>KereberosPrincipal</code> supplying the service, that is 0N/A * the KerberosPrincipal represents a Kerberos service 0N/A * principal. This name is treated in a case sensitive manner. 0N/A * An asterisk may appear by itself, to signify any service principal. 0N/A * Granting this permission implies that the caller can use a cached 0N/A * credential (TGT, service ticket or secret key) within the context 0N/A * designated by the action. In the case of the TGT, granting this 0N/A * permission also implies that the TGT can be obtained by an 0N/A * Authentication Service exchange. 0N/A * The possible actions are: 0N/A * initiate - allow the caller to use the credential to 0N/A * initiate a security context with a service 0N/A * accept - allow the caller to use the credential to 0N/A * accept security context as a particular 0N/A * For example, to specify the permission to access to the TGT to 0N/A * initiate a security context the permission is constructed as follows: 0N/A * To obtain a service ticket to initiate a context with the "host" 0N/A * service the permission is constructed as follows: 0N/A * For a Kerberized server the action is "accept". For example, the permission 0N/A * necessary to access and use the secret key of the Kerberized "host" 0N/A * service (telnet and the likes) would be constructed as follows: 0N/A * Initiate a security context to the specified service 0N/A * Accept a security context 0N/A private final static int NONE =
0x0;
0N/A * the actions string. 0N/A // created and re-used in the getAction function. 0N/A * Create a new <code>ServicePermission</code> 0N/A * with the specified <code>servicePrincipal</code> 0N/A * and <code>action</code>. 0N/A * @param servicePrincipal the name of the service principal. 0N/A * An asterisk may appear by itself, to signify any service principal. 0N/A * @param action the action string 0N/A * Initialize the ServicePermission object. 0N/A * Checks if this Kerberos service permission object "implies" the 0N/A * specified permission. 0N/A * If none of the above are true, <code>implies</code> returns false. 0N/A * @param p the permission to check against. 0N/A * @return true if the specified permission is implied by this object, 0N/A * Checks two ServicePermission objects for equality. 0N/A * @param obj the object to test for equality with this object. 0N/A * @return true if <i>obj</i> is a ServicePermission, and has the 0N/A * same service principal, and actions as this 0N/A * ServicePermission object. 0N/A * Returns the hash code value for this object. 0N/A * @return a hash code value for this object. 0N/A * Returns the "canonical string representation" of the actions in the 0N/A * Always returns present actions in the following order: 0N/A * @param mask a specific integer action mask to translate into a string 0N/A * @return the canonical string representation of the actions 0N/A * Returns the canonical string representation of the actions. 0N/A * Always returns present actions in the following order: 0N/A * Returns a PermissionCollection object for storing 0N/A * ServicePermission objects. 0N/A * ServicePermission objects must be stored in a manner that 0N/A * allows them to be inserted into the collection in any order, but 0N/A * that also enables the PermissionCollection implies method to 0N/A * be implemented in an efficient (and consistent) manner. 0N/A * @return a new PermissionCollection object suitable for storing 0N/A * ServicePermissions. 0N/A * Return the current action mask. 0N/A * @return the actions mask. 0N/A * Convert an action string to an integer actions mask. 0N/A * @param action the action string 0N/A * @return the action mask 0N/A while ((i!=-
1) && ((c = a[i]) ==
' ' ||
0N/A // check for the known strings 0N/A if (i >=
7 && (a[i-
7] ==
'i' || a[i-
7] ==
'I') &&
0N/A (a[i-
6] ==
'n' || a[i-
6] ==
'N') &&
0N/A (a[i-
5] ==
'i' || a[i-
5] ==
'I') &&
0N/A (a[i-
4] ==
't' || a[i-
4] ==
'T') &&
0N/A (a[i-
3] ==
'i' || a[i-
3] ==
'I') &&
0N/A (a[i-
2] ==
'a' || a[i-
2] ==
'A') &&
0N/A (a[i-
1] ==
't' || a[i-
1] ==
'T') &&
0N/A (a[i] ==
'e' || a[i] ==
'E'))
0N/A }
else if (i >=
5 && (a[i-
5] ==
'a' || a[i-
5] ==
'A') &&
0N/A (a[i-
4] ==
'c' || a[i-
4] ==
'C') &&
0N/A (a[i-
3] ==
'c' || a[i-
3] ==
'C') &&
0N/A (a[i-
2] ==
'e' || a[i-
2] ==
'E') &&
0N/A (a[i-
1] ==
'p' || a[i-
1] ==
'P') &&
0N/A (a[i] ==
't' || a[i] ==
'T'))
0N/A // make sure we didn't just match the tail of a word 0N/A // like "ackbarfaccept". Also, skip to the comma. 0N/A case ' ':
case '\r':
case '\n':
0N/A case '\f':
case '\t':
0N/A // point i at the location of the comma minus one (or -1). 0N/A * WriteObject is called to save the state of the ServicePermission 0N/A * to a stream. The actions are serialized, and the superclass 0N/A * takes care of the name. 0N/A // Write out the actions. The superclass takes care of the name 0N/A // call getActions to make sure actions field is initialized 0N/A * readObject is called to restore the state of the 0N/A * ServicePermission from a stream. 0N/A // Read in the action, then initialize the rest 0N/A public static void main(String args[]) throws Exception { 0N/A ServicePermission this_ = 0N/A new ServicePermission(args[0], "accept"); 0N/A ServicePermission that_ = 0N/A new ServicePermission(args[1], "accept,initiate"); 0N/A System.out.println("-----\n"); 0N/A System.out.println("this.implies(that) = " + this_.implies(that_)); 0N/A System.out.println("-----\n"); 0N/A System.out.println("this = "+this_); 0N/A System.out.println("-----\n"); 0N/A System.out.println("that = "+that_); 0N/A System.out.println("-----\n"); 0N/A KrbServicePermissionCollection nps = 0N/A new KrbServicePermissionCollection(); 0N/A System.out.println("nps.implies(that) = " + nps.implies(that_)); 0N/A System.out.println("-----\n"); 0N/A Enumeration e = nps.elements(); 0N/A while (e.hasMoreElements()) { 0N/A ServicePermission x = 0N/A (ServicePermission) e.nextElement(); 0N/A System.out.println("nps.e = " + x); 0N/A // Not serialized; see serialization section at end of class 0N/A * Check and see if this collection of permissions implies the permissions 0N/A * expressed in "permission". 0N/A * @param p the Permission object to compare 0N/A * @return true if "permission" is a proper subset of a permission in 0N/A * the collection, false if not. 0N/A synchronized (
this) {
0N/A // need to deal with the case where the needed permission has 0N/A // more than one action and the collection has individual permissions 0N/A // that sum up to the needed. 0N/A for (
int i =
0; i <
len; i++) {
0N/A //System.out.println(" trying "+x); 0N/A * Adds a permission to the ServicePermissions. The key for 0N/A * the hash is the name. 0N/A * @param permission the Permission object to add. 0N/A * @exception IllegalArgumentException - if the permission is not a 0N/A * @exception SecurityException - if this PermissionCollection object 0N/A * has been marked readonly 0N/A synchronized (
this) {
0N/A * Returns an enumeration of all the ServicePermission objects 0N/A * @return an enumeration of all the ServicePermission objects. 0N/A // Convert Iterator into Enumeration 0N/A synchronized (
this) {
0N/A // Need to maintain serialization interoperability with earlier releases, 0N/A // which had the serializable field: 0N/A // private Vector permissions; 0N/A * @serialField permissions java.util.Vector 0N/A * A list of ServicePermission objects. 0N/A * @serialData "permissions" field (a Vector containing the ServicePermissions). 0N/A * Writes the contents of the perms field out as a Vector for 0N/A * serialization compatibility with earlier releases. 0N/A // Don't call out.defaultWriteObject() 0N/A synchronized (
this) {
0N/A * Reads in a Vector of ServicePermissions and saves them in the perms field. 0N/A // Don't call defaultReadObject() 0N/A // Read in serialized fields 0N/A // Get the one we want