jtulach@1334: /* jtulach@1334: * Copyright (c) 1997, 2007, Oracle and/or its affiliates. All rights reserved. jtulach@1334: * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. jtulach@1334: * jtulach@1334: * This code is free software; you can redistribute it and/or modify it jtulach@1334: * under the terms of the GNU General Public License version 2 only, as jtulach@1334: * published by the Free Software Foundation. Oracle designates this jtulach@1334: * particular file as subject to the "Classpath" exception as provided jtulach@1334: * by Oracle in the LICENSE file that accompanied this code. jtulach@1334: * jtulach@1334: * This code is distributed in the hope that it will be useful, but WITHOUT jtulach@1334: * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or jtulach@1334: * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License jtulach@1334: * version 2 for more details (a copy is included in the LICENSE file that jtulach@1334: * accompanied this code). jtulach@1334: * jtulach@1334: * You should have received a copy of the GNU General Public License version jtulach@1334: * 2 along with this work; if not, write to the Free Software Foundation, jtulach@1334: * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. jtulach@1334: * jtulach@1334: * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA jtulach@1334: * or visit www.oracle.com if you need additional information or have any jtulach@1334: * questions. jtulach@1334: */ jtulach@1334: jtulach@1334: package java.security; jtulach@1334: jtulach@1334: /** jtulach@1334: *

The AccessController class is used for access control operations jtulach@1334: * and decisions. jtulach@1334: * jtulach@1334: *

More specifically, the AccessController class is used for jtulach@1334: * three purposes: jtulach@1334: * jtulach@1334: *

jtulach@1334: * jtulach@1334: *

The {@link #checkPermission(Permission) checkPermission} method jtulach@1334: * determines whether the access request indicated by a specified jtulach@1334: * permission should be granted or denied. A sample call appears jtulach@1334: * below. In this example, checkPermission will determine jtulach@1334: * whether or not to grant "read" access to the file named "testFile" in jtulach@1334: * the "/temp" directory. jtulach@1334: * jtulach@1334: * 

jtulach@1334:  *
jtulach@1334:  * FilePermission perm = new FilePermission("/temp/testFile", "read");
jtulach@1334:  * AccessController.checkPermission(perm);
jtulach@1334:  *
jtulach@1334:  *
jtulach@1334: * jtulach@1334: *

If a requested access is allowed, jtulach@1334: * checkPermission returns quietly. If denied, an jtulach@1334: * AccessControlException is jtulach@1334: * thrown. AccessControlException can also be thrown if the requested jtulach@1334: * permission is of an incorrect type or contains an invalid value. jtulach@1334: * Such information is given whenever possible. jtulach@1334: * jtulach@1334: * Suppose the current thread traversed m callers, in the order of caller 1 jtulach@1334: * to caller 2 to caller m. Then caller m invoked the jtulach@1334: * checkPermission method. jtulach@1334: * The checkPermission method determines whether access jtulach@1334: * is granted or denied based on the following algorithm: jtulach@1334: * jtulach@1334: * 

 {@code
jtulach@1334:  * for (int i = m; i > 0; i--) {
jtulach@1334:  *
jtulach@1334:  *     if (caller i's domain does not have the permission)
jtulach@1334:  *         throw AccessControlException
jtulach@1334:  *
jtulach@1334:  *     else if (caller i is marked as privileged) {
jtulach@1334:  *         if (a context was specified in the call to doPrivileged)
jtulach@1334:  *             context.checkPermission(permission)
jtulach@1334:  *         return;
jtulach@1334:  *     }
jtulach@1334:  * };
jtulach@1334:  *
jtulach@1334:  * // Next, check the context inherited when the thread was created.
jtulach@1334:  * // Whenever a new thread is created, the AccessControlContext at
jtulach@1334:  * // that time is stored and associated with the new thread, as the
jtulach@1334:  * // "inherited" context.
jtulach@1334:  *
jtulach@1334:  * inheritedContext.checkPermission(permission);
jtulach@1334:  * }
jtulach@1334: * jtulach@1334: *

A caller can be marked as being "privileged" jtulach@1334: * (see {@link #doPrivileged(PrivilegedAction) doPrivileged} and below). jtulach@1334: * When making access control decisions, the checkPermission jtulach@1334: * method stops checking if it reaches a caller that jtulach@1334: * was marked as "privileged" via a doPrivileged jtulach@1334: * call without a context argument (see below for information about a jtulach@1334: * context argument). If that caller's domain has the jtulach@1334: * specified permission, no further checking is done and jtulach@1334: * checkPermission jtulach@1334: * returns quietly, indicating that the requested access is allowed. jtulach@1334: * If that domain does not have the specified permission, an exception jtulach@1334: * is thrown, as usual. jtulach@1334: * jtulach@1334: *

The normal use of the "privileged" feature is as follows. If you jtulach@1334: * don't need to return a value from within the "privileged" block, do jtulach@1334: * the following: jtulach@1334: * jtulach@1334: * 

 {@code
jtulach@1334:  * somemethod() {
jtulach@1334:  *     ...normal code here...
jtulach@1334:  *     AccessController.doPrivileged(new PrivilegedAction() {
jtulach@1334:  *         public Void run() {
jtulach@1334:  *             // privileged code goes here, for example:
jtulach@1334:  *             System.loadLibrary("awt");
jtulach@1334:  *             return null; // nothing to return
jtulach@1334:  *         }
jtulach@1334:  *     });
jtulach@1334:  *     ...normal code here...
jtulach@1334:  * }}
jtulach@1334: * jtulach@1334: *

jtulach@1334: * PrivilegedAction is an interface with a single method, named jtulach@1334: * run. jtulach@1334: * The above example shows creation of an implementation jtulach@1334: * of that interface; a concrete implementation of the jtulach@1334: * run method is supplied. jtulach@1334: * When the call to doPrivileged is made, an jtulach@1334: * instance of the PrivilegedAction implementation is passed jtulach@1334: * to it. The doPrivileged method calls the jtulach@1334: * run method from the PrivilegedAction jtulach@1334: * implementation after enabling privileges, and returns the jtulach@1334: * run method's return value as the jtulach@1334: * doPrivileged return value (which is jtulach@1334: * ignored in this example). jtulach@1334: * jtulach@1334: *

If you need to return a value, you can do something like the following: jtulach@1334: * jtulach@1334: * 

 {@code
jtulach@1334:  * somemethod() {
jtulach@1334:  *     ...normal code here...
jtulach@1334:  *     String user = AccessController.doPrivileged(
jtulach@1334:  *         new PrivilegedAction() {
jtulach@1334:  *         public String run() {
jtulach@1334:  *             return System.getProperty("user.name");
jtulach@1334:  *             }
jtulach@1334:  *         });
jtulach@1334:  *     ...normal code here...
jtulach@1334:  * }}
jtulach@1334: * jtulach@1334: *

If the action performed in your run method could jtulach@1334: * throw a "checked" exception (those listed in the throws clause jtulach@1334: * of a method), then you need to use the jtulach@1334: * PrivilegedExceptionAction interface instead of the jtulach@1334: * PrivilegedAction interface: jtulach@1334: * jtulach@1334: * 

 {@code
jtulach@1334:  * somemethod() throws FileNotFoundException {
jtulach@1334:  *     ...normal code here...
jtulach@1334:  *     try {
jtulach@1334:  *         FileInputStream fis = AccessController.doPrivileged(
jtulach@1334:  *         new PrivilegedExceptionAction() {
jtulach@1334:  *             public FileInputStream run() throws FileNotFoundException {
jtulach@1334:  *                 return new FileInputStream("someFile");
jtulach@1334:  *             }
jtulach@1334:  *         });
jtulach@1334:  *     } catch (PrivilegedActionException e) {
jtulach@1334:  *         // e.getException() should be an instance of FileNotFoundException,
jtulach@1334:  *         // as only "checked" exceptions will be "wrapped" in a
jtulach@1334:  *         // PrivilegedActionException.
jtulach@1334:  *         throw (FileNotFoundException) e.getException();
jtulach@1334:  *     }
jtulach@1334:  *     ...normal code here...
jtulach@1334:  *  }}
jtulach@1334: * jtulach@1334: *

Be *very* careful in your use of the "privileged" construct, and jtulach@1334: * always remember to make the privileged code section as small as possible. jtulach@1334: * jtulach@1334: *

Note that checkPermission always performs security checks jtulach@1334: * within the context of the currently executing thread. jtulach@1334: * Sometimes a security check that should be made within a given context jtulach@1334: * will actually need to be done from within a jtulach@1334: * different context (for example, from within a worker thread). jtulach@1334: * The {@link #getContext() getContext} method and jtulach@1334: * AccessControlContext class are provided jtulach@1334: * for this situation. The getContext method takes a "snapshot" jtulach@1334: * of the current calling context, and places jtulach@1334: * it in an AccessControlContext object, which it returns. A sample call is jtulach@1334: * the following: jtulach@1334: * jtulach@1334: * 

jtulach@1334:  *
jtulach@1334:  * AccessControlContext acc = AccessController.getContext()
jtulach@1334:  *
jtulach@1334:  *
jtulach@1334: * jtulach@1334: *

jtulach@1334: * AccessControlContext itself has a checkPermission method jtulach@1334: * that makes access decisions based on the context it encapsulates, jtulach@1334: * rather than that of the current execution thread. jtulach@1334: * Code within a different context can thus call that method on the jtulach@1334: * previously-saved AccessControlContext object. A sample call is the jtulach@1334: * following: jtulach@1334: * jtulach@1334: * 

jtulach@1334:  *
jtulach@1334:  * acc.checkPermission(permission)
jtulach@1334:  *
jtulach@1334:  *
jtulach@1334: * jtulach@1334: *

There are also times where you don't know a priori which permissions jtulach@1334: * to check the context against. In these cases you can use the jtulach@1334: * doPrivileged method that takes a context: jtulach@1334: * jtulach@1334: * 

 {@code
jtulach@1334:  * somemethod() {
jtulach@1334:  *     AccessController.doPrivileged(new PrivilegedAction() {
jtulach@1334:  *         public Object run() {
jtulach@1334:  *             // Code goes here. Any permission checks within this
jtulach@1334:  *             // run method will require that the intersection of the
jtulach@1334:  *             // callers protection domain and the snapshot's
jtulach@1334:  *             // context have the desired permission.
jtulach@1334:  *         }
jtulach@1334:  *     }, acc);
jtulach@1334:  *     ...normal code here...
jtulach@1334:  * }}
jtulach@1334:  *
jtulach@1334:  * @see AccessControlContext
jtulach@1334:  *
jtulach@1334:  * @author Li Gong
jtulach@1334:  * @author Roland Schemers
jtulach@1334:  */
jtulach@1334: 
jtulach@1334: public final class AccessController {
jtulach@1334: 
jtulach@1334:     /**
jtulach@1334:      * Don't allow anyone to instantiate an AccessController
jtulach@1334:      */
jtulach@1334:     private AccessController() { }
jtulach@1334: 
jtulach@1334:     /**
jtulach@1334:      * Performs the specified PrivilegedAction with privileges
jtulach@1334:      * enabled. The action is performed with all of the permissions
jtulach@1334:      * possessed by the caller's protection domain.
jtulach@1334:      *
jtulach@1334:      * 
 If the action's run method throws an (unchecked)
jtulach@1334:      * exception, it will propagate through this method.
jtulach@1334:      *
jtulach@1334:      * 
 Note that any DomainCombiner associated with the current
jtulach@1334:      * AccessControlContext will be ignored while the action is performed.
jtulach@1334:      *
jtulach@1334:      * @param action the action to be performed.
jtulach@1334:      *
jtulach@1334:      * @return the value returned by the action's run method.
jtulach@1334:      *
jtulach@1334:      * @exception NullPointerException if the action is null
jtulach@1334:      *
jtulach@1334:      * @see #doPrivileged(PrivilegedAction,AccessControlContext)
jtulach@1334:      * @see #doPrivileged(PrivilegedExceptionAction)
jtulach@1334:      * @see #doPrivilegedWithCombiner(PrivilegedAction)
jtulach@1334:      * @see java.security.DomainCombiner
jtulach@1334:      */
jtulach@1334: 
jaroslav@1341:     public static  T doPrivileged(PrivilegedAction action) {
jaroslav@1341:         return action.run();
jaroslav@1341:     }
jtulach@1334: 
jtulach@1334:     /**
jtulach@1334:      * Performs the specified PrivilegedAction with privileges
jtulach@1334:      * enabled. The action is performed with all of the permissions
jtulach@1334:      * possessed by the caller's protection domain.
jtulach@1334:      *
jtulach@1334:      * 
 If the action's run method throws an (unchecked)
jtulach@1334:      * exception, it will propagate through this method.
jtulach@1334:      *
jtulach@1334:      * 
 This method preserves the current AccessControlContext's
jtulach@1334:      * DomainCombiner (which may be null) while the action is performed.
jtulach@1334:      *
jtulach@1334:      * @param action the action to be performed.
jtulach@1334:      *
jtulach@1334:      * @return the value returned by the action's run method.
jtulach@1334:      *
jtulach@1334:      * @exception NullPointerException if the action is null
jtulach@1334:      *
jtulach@1334:      * @see #doPrivileged(PrivilegedAction)
jtulach@1334:      * @see java.security.DomainCombiner
jtulach@1334:      *
jtulach@1334:      * @since 1.6
jtulach@1334:      */
jtulach@1334:     public static  T doPrivilegedWithCombiner(PrivilegedAction action) {
jaroslav@1341:         return action.run();
jtulach@1334:     }
jtulach@1334: 
jtulach@1334: 
jtulach@1334:     /**
jtulach@1334:      * Performs the specified PrivilegedAction with privileges
jtulach@1334:      * enabled and restricted by the specified
jtulach@1334:      * AccessControlContext.
jtulach@1334:      * The action is performed with the intersection of the permissions
jtulach@1334:      * possessed by the caller's protection domain, and those possessed
jtulach@1334:      * by the domains represented by the specified
jtulach@1334:      * AccessControlContext.
jtulach@1334:      * 

jtulach@1334:      * If the action's run method throws an (unchecked) exception,
jtulach@1334:      * it will propagate through this method.
jtulach@1334:      *
jtulach@1334:      * @param action the action to be performed.
jtulach@1334:      * @param context an access control context
jtulach@1334:      *                representing the restriction to be applied to the
jtulach@1334:      *                caller's domain's privileges before performing
jtulach@1334:      *                the specified action.  If the context is
jtulach@1334:      *                null,
jtulach@1334:      *                then no additional restriction is applied.
jtulach@1334:      *
jtulach@1334:      * @return the value returned by the action's run method.
jtulach@1334:      *
jtulach@1334:      * @exception NullPointerException if the action is null
jtulach@1334:      *
jtulach@1334:      * @see #doPrivileged(PrivilegedAction)
jtulach@1334:      * @see #doPrivileged(PrivilegedExceptionAction,AccessControlContext)
jtulach@1334:      */
jaroslav@1341: //    public static native  T doPrivileged(PrivilegedAction action,
jaroslav@1341: //                                            AccessControlContext context);
jtulach@1334: 
jtulach@1334:     /**
jtulach@1334:      * Performs the specified PrivilegedExceptionAction with
jtulach@1334:      * privileges enabled.  The action is performed with all of the
jtulach@1334:      * permissions possessed by the caller's protection domain.
jtulach@1334:      *
jtulach@1334:      * 
 If the action's run method throws an unchecked
jtulach@1334:      * exception, it will propagate through this method.
jtulach@1334:      *
jtulach@1334:      * 
 Note that any DomainCombiner associated with the current
jtulach@1334:      * AccessControlContext will be ignored while the action is performed.
jtulach@1334:      *
jtulach@1334:      * @param action the action to be performed
jtulach@1334:      *
jtulach@1334:      * @return the value returned by the action's run method
jtulach@1334:      *
jtulach@1334:      * @exception PrivilegedActionException if the specified action's
jtulach@1334:      *         run method threw a checked exception
jtulach@1334:      * @exception NullPointerException if the action is null
jtulach@1334:      *
jtulach@1334:      * @see #doPrivileged(PrivilegedAction)
jtulach@1334:      * @see #doPrivileged(PrivilegedExceptionAction,AccessControlContext)
jtulach@1334:      * @see #doPrivilegedWithCombiner(PrivilegedExceptionAction)
jtulach@1334:      * @see java.security.DomainCombiner
jtulach@1334:      */
jaroslav@1341:     public static  T
jtulach@1334:         doPrivileged(PrivilegedExceptionAction action)
jaroslav@1341:         throws PrivilegedActionException {
jaroslav@1341:         try {
jaroslav@1341:             return action.run();
jaroslav@1341:         } catch (Exception ex) {
jaroslav@1341:             throw new PrivilegedActionException(ex);
jaroslav@1341:         }
jaroslav@1341:     }
jtulach@1334: 
jtulach@1334: 
jtulach@1334:     /**
jtulach@1334:      * Performs the specified PrivilegedExceptionAction with
jtulach@1334:      * privileges enabled.  The action is performed with all of the
jtulach@1334:      * permissions possessed by the caller's protection domain.
jtulach@1334:      *
jtulach@1334:      * 
 If the action's run method throws an unchecked
jtulach@1334:      * exception, it will propagate through this method.
jtulach@1334:      *
jtulach@1334:      * 
 This method preserves the current AccessControlContext's
jtulach@1334:      * DomainCombiner (which may be null) while the action is performed.
jtulach@1334:      *
jtulach@1334:      * @param action the action to be performed.
jtulach@1334:      *
jtulach@1334:      * @return the value returned by the action's run method
jtulach@1334:      *
jtulach@1334:      * @exception PrivilegedActionException if the specified action's
jtulach@1334:      *         run method threw a checked exception
jtulach@1334:      * @exception NullPointerException if the action is null
jtulach@1334:      *
jtulach@1334:      * @see #doPrivileged(PrivilegedAction)
jtulach@1334:      * @see #doPrivileged(PrivilegedExceptionAction,AccessControlContext)
jtulach@1334:      * @see java.security.DomainCombiner
jtulach@1334:      *
jtulach@1334:      * @since 1.6
jtulach@1334:      */
jtulach@1334:     public static  T doPrivilegedWithCombiner
jtulach@1334:         (PrivilegedExceptionAction action) throws PrivilegedActionException {
jaroslav@1341:         return doPrivileged(action);
jtulach@1334:     }
jtulach@1334: 
jtulach@1334:     /**
jtulach@1334:      * Performs the specified PrivilegedExceptionAction with
jtulach@1334:      * privileges enabled and restricted by the specified
jtulach@1334:      * AccessControlContext.  The action is performed with the
jtulach@1334:      * intersection of the permissions possessed by the caller's
jtulach@1334:      * protection domain, and those possessed by the domains represented by the
jtulach@1334:      * specified AccessControlContext.
jtulach@1334:      * 

jtulach@1334:      * If the action's run method throws an unchecked
jtulach@1334:      * exception, it will propagate through this method.
jtulach@1334:      *
jtulach@1334:      * @param action the action to be performed
jtulach@1334:      * @param context an access control context
jtulach@1334:      *                representing the restriction to be applied to the
jtulach@1334:      *                caller's domain's privileges before performing
jtulach@1334:      *                the specified action.  If the context is
jtulach@1334:      *                null,
jtulach@1334:      *                then no additional restriction is applied.
jtulach@1334:      *
jtulach@1334:      * @return the value returned by the action's run method
jtulach@1334:      *
jtulach@1334:      * @exception PrivilegedActionException if the specified action's
jtulach@1334:      *         run method
jtulach@1334:      *         threw a checked exception
jtulach@1334:      * @exception NullPointerException if the action is null
jtulach@1334:      *
jtulach@1334:      * @see #doPrivileged(PrivilegedAction)
jtulach@1334:      * @see #doPrivileged(PrivilegedExceptionAction,AccessControlContext)
jtulach@1334:      */
jaroslav@1341: //    public static native  T
jaroslav@1341: //        doPrivileged(PrivilegedExceptionAction action,
jaroslav@1341: //                     AccessControlContext context)
jaroslav@1341: //        throws PrivilegedActionException;
jtulach@1334: 
jtulach@1334:     /**
jtulach@1334:      * This method takes a "snapshot" of the current calling context, which
jtulach@1334:      * includes the current Thread's inherited AccessControlContext,
jtulach@1334:      * and places it in an AccessControlContext object. This context may then
jtulach@1334:      * be checked at a later point, possibly in another thread.
jtulach@1334:      *
jtulach@1334:      * @see AccessControlContext
jtulach@1334:      *
jtulach@1334:      * @return the AccessControlContext based on the current context.
jtulach@1334:      */
jtulach@1334: 
jaroslav@1341: //    public static AccessControlContext getContext()
jaroslav@1341: //    {
jaroslav@1341: //        AccessControlContext acc = getStackAccessControlContext();
jaroslav@1341: //        if (acc == null) {
jaroslav@1341: //            // all we had was privileged system code. We don't want
jaroslav@1341: //            // to return null though, so we construct a real ACC.
jaroslav@1341: //            return new AccessControlContext(null, true);
jaroslav@1341: //        } else {
jaroslav@1341: //            return acc.optimize();
jaroslav@1341: //        }
jaroslav@1341: //    }
jtulach@1334: 
jtulach@1334:     /**
jtulach@1334:      * Determines whether the access request indicated by the
jtulach@1334:      * specified permission should be allowed or denied, based on
jtulach@1334:      * the current AccessControlContext and security policy.
jtulach@1334:      * This method quietly returns if the access request
jtulach@1334:      * is permitted, or throws an AccessControlException otherwise. The
jtulach@1334:      * getPermission method of the AccessControlException returns the
jtulach@1334:      * perm Permission object instance.
jtulach@1334:      *
jtulach@1334:      * @param perm the requested permission.
jtulach@1334:      *
jtulach@1334:      * @exception AccessControlException if the specified permission
jtulach@1334:      *            is not permitted, based on the current security policy.
jtulach@1334:      * @exception NullPointerException if the specified permission
jtulach@1334:      *            is null and is checked based on the
jtulach@1334:      *            security policy currently in effect.
jtulach@1334:      */
jtulach@1334: 
jaroslav@1341: //    public static void checkPermission(Permission perm)
jaroslav@1341: //                 throws AccessControlException
jaroslav@1341: //    {
jaroslav@1341: //        //System.err.println("checkPermission "+perm);
jaroslav@1341: //        //Thread.currentThread().dumpStack();
jaroslav@1341: //
jaroslav@1341: //        if (perm == null) {
jaroslav@1341: //            throw new NullPointerException("permission can't be null");
jaroslav@1341: //        }
jaroslav@1341: //
jaroslav@1341: //        AccessControlContext stack = getStackAccessControlContext();
jaroslav@1341: //        // if context is null, we had privileged system code on the stack.
jaroslav@1341: //        if (stack == null) {
jaroslav@1341: //            Debug debug = AccessControlContext.getDebug();
jaroslav@1341: //            boolean dumpDebug = false;
jaroslav@1341: //            if (debug != null) {
jaroslav@1341: //                dumpDebug = !Debug.isOn("codebase=");
jaroslav@1341: //                dumpDebug &= !Debug.isOn("permission=") ||
jaroslav@1341: //                    Debug.isOn("permission=" + perm.getClass().getCanonicalName());
jaroslav@1341: //            }
jaroslav@1341: //
jaroslav@1341: //            if (dumpDebug && Debug.isOn("stack")) {
jaroslav@1341: //                Thread.currentThread().dumpStack();
jaroslav@1341: //            }
jaroslav@1341: //
jaroslav@1341: //            if (dumpDebug && Debug.isOn("domain")) {
jaroslav@1341: //                debug.println("domain (context is null)");
jaroslav@1341: //            }
jaroslav@1341: //
jaroslav@1341: //            if (dumpDebug) {
jaroslav@1341: //                debug.println("access allowed "+perm);
jaroslav@1341: //            }
jaroslav@1341: //            return;
jaroslav@1341: //        }
jaroslav@1341: //
jaroslav@1341: //        AccessControlContext acc = stack.optimize();
jaroslav@1341: //        acc.checkPermission(perm);
jaroslav@1341: //    }
jtulach@1334: }