1.1 --- /dev/null Thu Jan 01 00:00:00 1970 +0000
1.2 +++ b/rt/emul/compact/src/main/java/java/security/AccessController.java Thu Oct 03 15:40:35 2013 +0200
1.3 @@ -0,0 +1,557 @@
1.4 +/*
1.5 + * Copyright (c) 1997, 2007, Oracle and/or its affiliates. All rights reserved.
1.6 + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
1.7 + *
1.8 + * This code is free software; you can redistribute it and/or modify it
1.9 + * under the terms of the GNU General Public License version 2 only, as
1.10 + * published by the Free Software Foundation. Oracle designates this
1.11 + * particular file as subject to the "Classpath" exception as provided
1.12 + * by Oracle in the LICENSE file that accompanied this code.
1.13 + *
1.14 + * This code is distributed in the hope that it will be useful, but WITHOUT
1.15 + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
1.16 + * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
1.17 + * version 2 for more details (a copy is included in the LICENSE file that
1.18 + * accompanied this code).
1.19 + *
1.20 + * You should have received a copy of the GNU General Public License version
1.21 + * 2 along with this work; if not, write to the Free Software Foundation,
1.22 + * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
1.23 + *
1.24 + * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
1.25 + * or visit www.oracle.com if you need additional information or have any
1.26 + * questions.
1.27 + */
1.28 +
1.29 +package java.security;
1.30 +
1.31 +import sun.security.util.Debug;
1.32 +
1.33 +/**
1.34 + * <p> The AccessController class is used for access control operations
1.35 + * and decisions.
1.36 + *
1.37 + * <p> More specifically, the AccessController class is used for
1.38 + * three purposes:
1.39 + *
1.40 + * <ul>
1.41 + * <li> to decide whether an access to a critical system
1.42 + * resource is to be allowed or denied, based on the security policy
1.43 + * currently in effect,<p>
1.44 + * <li>to mark code as being "privileged", thus affecting subsequent
1.45 + * access determinations, and<p>
1.46 + * <li>to obtain a "snapshot" of the current calling context so
1.47 + * access-control decisions from a different context can be made with
1.48 + * respect to the saved context. </ul>
1.49 + *
1.50 + * <p> The {@link #checkPermission(Permission) checkPermission} method
1.51 + * determines whether the access request indicated by a specified
1.52 + * permission should be granted or denied. A sample call appears
1.53 + * below. In this example, <code>checkPermission</code> will determine
1.54 + * whether or not to grant "read" access to the file named "testFile" in
1.55 + * the "/temp" directory.
1.56 + *
1.57 + * <pre>
1.58 + *
1.59 + * FilePermission perm = new FilePermission("/temp/testFile", "read");
1.60 + * AccessController.checkPermission(perm);
1.61 + *
1.62 + * </pre>
1.63 + *
1.64 + * <p> If a requested access is allowed,
1.65 + * <code>checkPermission</code> returns quietly. If denied, an
1.66 + * AccessControlException is
1.67 + * thrown. AccessControlException can also be thrown if the requested
1.68 + * permission is of an incorrect type or contains an invalid value.
1.69 + * Such information is given whenever possible.
1.70 + *
1.71 + * Suppose the current thread traversed m callers, in the order of caller 1
1.72 + * to caller 2 to caller m. Then caller m invoked the
1.73 + * <code>checkPermission</code> method.
1.74 + * The <code>checkPermission </code>method determines whether access
1.75 + * is granted or denied based on the following algorithm:
1.76 + *
1.77 + * <pre> {@code
1.78 + * for (int i = m; i > 0; i--) {
1.79 + *
1.80 + * if (caller i's domain does not have the permission)
1.81 + * throw AccessControlException
1.82 + *
1.83 + * else if (caller i is marked as privileged) {
1.84 + * if (a context was specified in the call to doPrivileged)
1.85 + * context.checkPermission(permission)
1.86 + * return;
1.87 + * }
1.88 + * };
1.89 + *
1.90 + * // Next, check the context inherited when the thread was created.
1.91 + * // Whenever a new thread is created, the AccessControlContext at
1.92 + * // that time is stored and associated with the new thread, as the
1.93 + * // "inherited" context.
1.94 + *
1.95 + * inheritedContext.checkPermission(permission);
1.96 + * }</pre>
1.97 + *
1.98 + * <p> A caller can be marked as being "privileged"
1.99 + * (see {@link #doPrivileged(PrivilegedAction) doPrivileged} and below).
1.100 + * When making access control decisions, the <code>checkPermission</code>
1.101 + * method stops checking if it reaches a caller that
1.102 + * was marked as "privileged" via a <code>doPrivileged</code>
1.103 + * call without a context argument (see below for information about a
1.104 + * context argument). If that caller's domain has the
1.105 + * specified permission, no further checking is done and
1.106 + * <code>checkPermission</code>
1.107 + * returns quietly, indicating that the requested access is allowed.
1.108 + * If that domain does not have the specified permission, an exception
1.109 + * is thrown, as usual.
1.110 + *
1.111 + * <p> The normal use of the "privileged" feature is as follows. If you
1.112 + * don't need to return a value from within the "privileged" block, do
1.113 + * the following:
1.114 + *
1.115 + * <pre> {@code
1.116 + * somemethod() {
1.117 + * ...normal code here...
1.118 + * AccessController.doPrivileged(new PrivilegedAction<Void>() {
1.119 + * public Void run() {
1.120 + * // privileged code goes here, for example:
1.121 + * System.loadLibrary("awt");
1.122 + * return null; // nothing to return
1.123 + * }
1.124 + * });
1.125 + * ...normal code here...
1.126 + * }}</pre>
1.127 + *
1.128 + * <p>
1.129 + * PrivilegedAction is an interface with a single method, named
1.130 + * <code>run</code>.
1.131 + * The above example shows creation of an implementation
1.132 + * of that interface; a concrete implementation of the
1.133 + * <code>run</code> method is supplied.
1.134 + * When the call to <code>doPrivileged</code> is made, an
1.135 + * instance of the PrivilegedAction implementation is passed
1.136 + * to it. The <code>doPrivileged</code> method calls the
1.137 + * <code>run</code> method from the PrivilegedAction
1.138 + * implementation after enabling privileges, and returns the
1.139 + * <code>run</code> method's return value as the
1.140 + * <code>doPrivileged</code> return value (which is
1.141 + * ignored in this example).
1.142 + *
1.143 + * <p> If you need to return a value, you can do something like the following:
1.144 + *
1.145 + * <pre> {@code
1.146 + * somemethod() {
1.147 + * ...normal code here...
1.148 + * String user = AccessController.doPrivileged(
1.149 + * new PrivilegedAction<String>() {
1.150 + * public String run() {
1.151 + * return System.getProperty("user.name");
1.152 + * }
1.153 + * });
1.154 + * ...normal code here...
1.155 + * }}</pre>
1.156 + *
1.157 + * <p>If the action performed in your <code>run</code> method could
1.158 + * throw a "checked" exception (those listed in the <code>throws</code> clause
1.159 + * of a method), then you need to use the
1.160 + * <code>PrivilegedExceptionAction</code> interface instead of the
1.161 + * <code>PrivilegedAction</code> interface:
1.162 + *
1.163 + * <pre> {@code
1.164 + * somemethod() throws FileNotFoundException {
1.165 + * ...normal code here...
1.166 + * try {
1.167 + * FileInputStream fis = AccessController.doPrivileged(
1.168 + * new PrivilegedExceptionAction<FileInputStream>() {
1.169 + * public FileInputStream run() throws FileNotFoundException {
1.170 + * return new FileInputStream("someFile");
1.171 + * }
1.172 + * });
1.173 + * } catch (PrivilegedActionException e) {
1.174 + * // e.getException() should be an instance of FileNotFoundException,
1.175 + * // as only "checked" exceptions will be "wrapped" in a
1.176 + * // PrivilegedActionException.
1.177 + * throw (FileNotFoundException) e.getException();
1.178 + * }
1.179 + * ...normal code here...
1.180 + * }}</pre>
1.181 + *
1.182 + * <p> Be *very* careful in your use of the "privileged" construct, and
1.183 + * always remember to make the privileged code section as small as possible.
1.184 + *
1.185 + * <p> Note that <code>checkPermission</code> always performs security checks
1.186 + * within the context of the currently executing thread.
1.187 + * Sometimes a security check that should be made within a given context
1.188 + * will actually need to be done from within a
1.189 + * <i>different</i> context (for example, from within a worker thread).
1.190 + * The {@link #getContext() getContext} method and
1.191 + * AccessControlContext class are provided
1.192 + * for this situation. The <code>getContext</code> method takes a "snapshot"
1.193 + * of the current calling context, and places
1.194 + * it in an AccessControlContext object, which it returns. A sample call is
1.195 + * the following:
1.196 + *
1.197 + * <pre>
1.198 + *
1.199 + * AccessControlContext acc = AccessController.getContext()
1.200 + *
1.201 + * </pre>
1.202 + *
1.203 + * <p>
1.204 + * AccessControlContext itself has a <code>checkPermission</code> method
1.205 + * that makes access decisions based on the context <i>it</i> encapsulates,
1.206 + * rather than that of the current execution thread.
1.207 + * Code within a different context can thus call that method on the
1.208 + * previously-saved AccessControlContext object. A sample call is the
1.209 + * following:
1.210 + *
1.211 + * <pre>
1.212 + *
1.213 + * acc.checkPermission(permission)
1.214 + *
1.215 + * </pre>
1.216 + *
1.217 + * <p> There are also times where you don't know a priori which permissions
1.218 + * to check the context against. In these cases you can use the
1.219 + * doPrivileged method that takes a context:
1.220 + *
1.221 + * <pre> {@code
1.222 + * somemethod() {
1.223 + * AccessController.doPrivileged(new PrivilegedAction<Object>() {
1.224 + * public Object run() {
1.225 + * // Code goes here. Any permission checks within this
1.226 + * // run method will require that the intersection of the
1.227 + * // callers protection domain and the snapshot's
1.228 + * // context have the desired permission.
1.229 + * }
1.230 + * }, acc);
1.231 + * ...normal code here...
1.232 + * }}</pre>
1.233 + *
1.234 + * @see AccessControlContext
1.235 + *
1.236 + * @author Li Gong
1.237 + * @author Roland Schemers
1.238 + */
1.239 +
1.240 +public final class AccessController {
1.241 +
1.242 + /**
1.243 + * Don't allow anyone to instantiate an AccessController
1.244 + */
1.245 + private AccessController() { }
1.246 +
1.247 + /**
1.248 + * Performs the specified <code>PrivilegedAction</code> with privileges
1.249 + * enabled. The action is performed with <i>all</i> of the permissions
1.250 + * possessed by the caller's protection domain.
1.251 + *
1.252 + * <p> If the action's <code>run</code> method throws an (unchecked)
1.253 + * exception, it will propagate through this method.
1.254 + *
1.255 + * <p> Note that any DomainCombiner associated with the current
1.256 + * AccessControlContext will be ignored while the action is performed.
1.257 + *
1.258 + * @param action the action to be performed.
1.259 + *
1.260 + * @return the value returned by the action's <code>run</code> method.
1.261 + *
1.262 + * @exception NullPointerException if the action is <code>null</code>
1.263 + *
1.264 + * @see #doPrivileged(PrivilegedAction,AccessControlContext)
1.265 + * @see #doPrivileged(PrivilegedExceptionAction)
1.266 + * @see #doPrivilegedWithCombiner(PrivilegedAction)
1.267 + * @see java.security.DomainCombiner
1.268 + */
1.269 +
1.270 + public static native <T> T doPrivileged(PrivilegedAction<T> action);
1.271 +
1.272 + /**
1.273 + * Performs the specified <code>PrivilegedAction</code> with privileges
1.274 + * enabled. The action is performed with <i>all</i> of the permissions
1.275 + * possessed by the caller's protection domain.
1.276 + *
1.277 + * <p> If the action's <code>run</code> method throws an (unchecked)
1.278 + * exception, it will propagate through this method.
1.279 + *
1.280 + * <p> This method preserves the current AccessControlContext's
1.281 + * DomainCombiner (which may be null) while the action is performed.
1.282 + *
1.283 + * @param action the action to be performed.
1.284 + *
1.285 + * @return the value returned by the action's <code>run</code> method.
1.286 + *
1.287 + * @exception NullPointerException if the action is <code>null</code>
1.288 + *
1.289 + * @see #doPrivileged(PrivilegedAction)
1.290 + * @see java.security.DomainCombiner
1.291 + *
1.292 + * @since 1.6
1.293 + */
1.294 + public static <T> T doPrivilegedWithCombiner(PrivilegedAction<T> action) {
1.295 +
1.296 + DomainCombiner dc = null;
1.297 + AccessControlContext acc = getStackAccessControlContext();
1.298 + if (acc == null || (dc = acc.getAssignedCombiner()) == null) {
1.299 + return AccessController.doPrivileged(action);
1.300 + }
1.301 + return AccessController.doPrivileged(action, preserveCombiner(dc));
1.302 + }
1.303 +
1.304 +
1.305 + /**
1.306 + * Performs the specified <code>PrivilegedAction</code> with privileges
1.307 + * enabled and restricted by the specified
1.308 + * <code>AccessControlContext</code>.
1.309 + * The action is performed with the intersection of the permissions
1.310 + * possessed by the caller's protection domain, and those possessed
1.311 + * by the domains represented by the specified
1.312 + * <code>AccessControlContext</code>.
1.313 + * <p>
1.314 + * If the action's <code>run</code> method throws an (unchecked) exception,
1.315 + * it will propagate through this method.
1.316 + *
1.317 + * @param action the action to be performed.
1.318 + * @param context an <i>access control context</i>
1.319 + * representing the restriction to be applied to the
1.320 + * caller's domain's privileges before performing
1.321 + * the specified action. If the context is
1.322 + * <code>null</code>,
1.323 + * then no additional restriction is applied.
1.324 + *
1.325 + * @return the value returned by the action's <code>run</code> method.
1.326 + *
1.327 + * @exception NullPointerException if the action is <code>null</code>
1.328 + *
1.329 + * @see #doPrivileged(PrivilegedAction)
1.330 + * @see #doPrivileged(PrivilegedExceptionAction,AccessControlContext)
1.331 + */
1.332 + public static native <T> T doPrivileged(PrivilegedAction<T> action,
1.333 + AccessControlContext context);
1.334 +
1.335 + /**
1.336 + * Performs the specified <code>PrivilegedExceptionAction</code> with
1.337 + * privileges enabled. The action is performed with <i>all</i> of the
1.338 + * permissions possessed by the caller's protection domain.
1.339 + *
1.340 + * <p> If the action's <code>run</code> method throws an <i>unchecked</i>
1.341 + * exception, it will propagate through this method.
1.342 + *
1.343 + * <p> Note that any DomainCombiner associated with the current
1.344 + * AccessControlContext will be ignored while the action is performed.
1.345 + *
1.346 + * @param action the action to be performed
1.347 + *
1.348 + * @return the value returned by the action's <code>run</code> method
1.349 + *
1.350 + * @exception PrivilegedActionException if the specified action's
1.351 + * <code>run</code> method threw a <i>checked</i> exception
1.352 + * @exception NullPointerException if the action is <code>null</code>
1.353 + *
1.354 + * @see #doPrivileged(PrivilegedAction)
1.355 + * @see #doPrivileged(PrivilegedExceptionAction,AccessControlContext)
1.356 + * @see #doPrivilegedWithCombiner(PrivilegedExceptionAction)
1.357 + * @see java.security.DomainCombiner
1.358 + */
1.359 + public static native <T> T
1.360 + doPrivileged(PrivilegedExceptionAction<T> action)
1.361 + throws PrivilegedActionException;
1.362 +
1.363 +
1.364 + /**
1.365 + * Performs the specified <code>PrivilegedExceptionAction</code> with
1.366 + * privileges enabled. The action is performed with <i>all</i> of the
1.367 + * permissions possessed by the caller's protection domain.
1.368 + *
1.369 + * <p> If the action's <code>run</code> method throws an <i>unchecked</i>
1.370 + * exception, it will propagate through this method.
1.371 + *
1.372 + * <p> This method preserves the current AccessControlContext's
1.373 + * DomainCombiner (which may be null) while the action is performed.
1.374 + *
1.375 + * @param action the action to be performed.
1.376 + *
1.377 + * @return the value returned by the action's <code>run</code> method
1.378 + *
1.379 + * @exception PrivilegedActionException if the specified action's
1.380 + * <code>run</code> method threw a <i>checked</i> exception
1.381 + * @exception NullPointerException if the action is <code>null</code>
1.382 + *
1.383 + * @see #doPrivileged(PrivilegedAction)
1.384 + * @see #doPrivileged(PrivilegedExceptionAction,AccessControlContext)
1.385 + * @see java.security.DomainCombiner
1.386 + *
1.387 + * @since 1.6
1.388 + */
1.389 + public static <T> T doPrivilegedWithCombiner
1.390 + (PrivilegedExceptionAction<T> action) throws PrivilegedActionException {
1.391 +
1.392 + DomainCombiner dc = null;
1.393 + AccessControlContext acc = getStackAccessControlContext();
1.394 + if (acc == null || (dc = acc.getAssignedCombiner()) == null) {
1.395 + return AccessController.doPrivileged(action);
1.396 + }
1.397 + return AccessController.doPrivileged(action, preserveCombiner(dc));
1.398 + }
1.399 +
1.400 + /**
1.401 + * preserve the combiner across the doPrivileged call
1.402 + */
1.403 + private static AccessControlContext preserveCombiner
1.404 + (DomainCombiner combiner) {
1.405 +
1.406 + /**
1.407 + * callerClass[0] = Reflection.getCallerClass
1.408 + * callerClass[1] = AccessController.preserveCombiner
1.409 + * callerClass[2] = AccessController.doPrivileged
1.410 + * callerClass[3] = caller
1.411 + */
1.412 + final Class callerClass = sun.reflect.Reflection.getCallerClass(3);
1.413 + ProtectionDomain callerPd = doPrivileged
1.414 + (new PrivilegedAction<ProtectionDomain>() {
1.415 + public ProtectionDomain run() {
1.416 + return callerClass.getProtectionDomain();
1.417 + }
1.418 + });
1.419 +
1.420 + // perform 'combine' on the caller of doPrivileged,
1.421 + // even if the caller is from the bootclasspath
1.422 + ProtectionDomain[] pds = new ProtectionDomain[] {callerPd};
1.423 + return new AccessControlContext(combiner.combine(pds, null), combiner);
1.424 + }
1.425 +
1.426 +
1.427 + /**
1.428 + * Performs the specified <code>PrivilegedExceptionAction</code> with
1.429 + * privileges enabled and restricted by the specified
1.430 + * <code>AccessControlContext</code>. The action is performed with the
1.431 + * intersection of the permissions possessed by the caller's
1.432 + * protection domain, and those possessed by the domains represented by the
1.433 + * specified <code>AccessControlContext</code>.
1.434 + * <p>
1.435 + * If the action's <code>run</code> method throws an <i>unchecked</i>
1.436 + * exception, it will propagate through this method.
1.437 + *
1.438 + * @param action the action to be performed
1.439 + * @param context an <i>access control context</i>
1.440 + * representing the restriction to be applied to the
1.441 + * caller's domain's privileges before performing
1.442 + * the specified action. If the context is
1.443 + * <code>null</code>,
1.444 + * then no additional restriction is applied.
1.445 + *
1.446 + * @return the value returned by the action's <code>run</code> method
1.447 + *
1.448 + * @exception PrivilegedActionException if the specified action's
1.449 + * <code>run</code> method
1.450 + * threw a <i>checked</i> exception
1.451 + * @exception NullPointerException if the action is <code>null</code>
1.452 + *
1.453 + * @see #doPrivileged(PrivilegedAction)
1.454 + * @see #doPrivileged(PrivilegedExceptionAction,AccessControlContext)
1.455 + */
1.456 + public static native <T> T
1.457 + doPrivileged(PrivilegedExceptionAction<T> action,
1.458 + AccessControlContext context)
1.459 + throws PrivilegedActionException;
1.460 +
1.461 + /**
1.462 + * Returns the AccessControl context. i.e., it gets
1.463 + * the protection domains of all the callers on the stack,
1.464 + * starting at the first class with a non-null
1.465 + * ProtectionDomain.
1.466 + *
1.467 + * @return the access control context based on the current stack or
1.468 + * null if there was only privileged system code.
1.469 + */
1.470 +
1.471 + private static native AccessControlContext getStackAccessControlContext();
1.472 +
1.473 + /**
1.474 + * Returns the "inherited" AccessControl context. This is the context
1.475 + * that existed when the thread was created. Package private so
1.476 + * AccessControlContext can use it.
1.477 + */
1.478 +
1.479 + static native AccessControlContext getInheritedAccessControlContext();
1.480 +
1.481 + /**
1.482 + * This method takes a "snapshot" of the current calling context, which
1.483 + * includes the current Thread's inherited AccessControlContext,
1.484 + * and places it in an AccessControlContext object. This context may then
1.485 + * be checked at a later point, possibly in another thread.
1.486 + *
1.487 + * @see AccessControlContext
1.488 + *
1.489 + * @return the AccessControlContext based on the current context.
1.490 + */
1.491 +
1.492 + public static AccessControlContext getContext()
1.493 + {
1.494 + AccessControlContext acc = getStackAccessControlContext();
1.495 + if (acc == null) {
1.496 + // all we had was privileged system code. We don't want
1.497 + // to return null though, so we construct a real ACC.
1.498 + return new AccessControlContext(null, true);
1.499 + } else {
1.500 + return acc.optimize();
1.501 + }
1.502 + }
1.503 +
1.504 + /**
1.505 + * Determines whether the access request indicated by the
1.506 + * specified permission should be allowed or denied, based on
1.507 + * the current AccessControlContext and security policy.
1.508 + * This method quietly returns if the access request
1.509 + * is permitted, or throws an AccessControlException otherwise. The
1.510 + * getPermission method of the AccessControlException returns the
1.511 + * <code>perm</code> Permission object instance.
1.512 + *
1.513 + * @param perm the requested permission.
1.514 + *
1.515 + * @exception AccessControlException if the specified permission
1.516 + * is not permitted, based on the current security policy.
1.517 + * @exception NullPointerException if the specified permission
1.518 + * is <code>null</code> and is checked based on the
1.519 + * security policy currently in effect.
1.520 + */
1.521 +
1.522 + public static void checkPermission(Permission perm)
1.523 + throws AccessControlException
1.524 + {
1.525 + //System.err.println("checkPermission "+perm);
1.526 + //Thread.currentThread().dumpStack();
1.527 +
1.528 + if (perm == null) {
1.529 + throw new NullPointerException("permission can't be null");
1.530 + }
1.531 +
1.532 + AccessControlContext stack = getStackAccessControlContext();
1.533 + // if context is null, we had privileged system code on the stack.
1.534 + if (stack == null) {
1.535 + Debug debug = AccessControlContext.getDebug();
1.536 + boolean dumpDebug = false;
1.537 + if (debug != null) {
1.538 + dumpDebug = !Debug.isOn("codebase=");
1.539 + dumpDebug &= !Debug.isOn("permission=") ||
1.540 + Debug.isOn("permission=" + perm.getClass().getCanonicalName());
1.541 + }
1.542 +
1.543 + if (dumpDebug && Debug.isOn("stack")) {
1.544 + Thread.currentThread().dumpStack();
1.545 + }
1.546 +
1.547 + if (dumpDebug && Debug.isOn("domain")) {
1.548 + debug.println("domain (context is null)");
1.549 + }
1.550 +
1.551 + if (dumpDebug) {
1.552 + debug.println("access allowed "+perm);
1.553 + }
1.554 + return;
1.555 + }
1.556 +
1.557 + AccessControlContext acc = stack.optimize();
1.558 + acc.checkPermission(perm);
1.559 + }
1.560 +}