jtulach@1334: /* jtulach@1334: * Copyright (c) 1997, 2007, Oracle and/or its affiliates. All rights reserved. jtulach@1334: * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. jtulach@1334: * jtulach@1334: * This code is free software; you can redistribute it and/or modify it jtulach@1334: * under the terms of the GNU General Public License version 2 only, as jtulach@1334: * published by the Free Software Foundation. Oracle designates this jtulach@1334: * particular file as subject to the "Classpath" exception as provided jtulach@1334: * by Oracle in the LICENSE file that accompanied this code. jtulach@1334: * jtulach@1334: * This code is distributed in the hope that it will be useful, but WITHOUT jtulach@1334: * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or jtulach@1334: * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License jtulach@1334: * version 2 for more details (a copy is included in the LICENSE file that jtulach@1334: * accompanied this code). jtulach@1334: * jtulach@1334: * You should have received a copy of the GNU General Public License version jtulach@1334: * 2 along with this work; if not, write to the Free Software Foundation, jtulach@1334: * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. jtulach@1334: * jtulach@1334: * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA jtulach@1334: * or visit www.oracle.com if you need additional information or have any jtulach@1334: * questions. jtulach@1334: */ jtulach@1334: jtulach@1334: package java.security; jtulach@1334: jtulach@1334: /** jtulach@1334: *
The AccessController class is used for access control operations jtulach@1334: * and decisions. jtulach@1334: * jtulach@1334: *
More specifically, the AccessController class is used for jtulach@1334: * three purposes: jtulach@1334: * jtulach@1334: *
jtulach@1334: *
jtulach@1334: *
The {@link #checkPermission(Permission) checkPermission} method
jtulach@1334: * determines whether the access request indicated by a specified
jtulach@1334: * permission should be granted or denied. A sample call appears
jtulach@1334: * below. In this example, checkPermission
will determine
jtulach@1334: * whether or not to grant "read" access to the file named "testFile" in
jtulach@1334: * the "/temp" directory.
jtulach@1334: *
jtulach@1334: *
jtulach@1334: * jtulach@1334: * FilePermission perm = new FilePermission("/temp/testFile", "read"); jtulach@1334: * AccessController.checkPermission(perm); jtulach@1334: * jtulach@1334: *jtulach@1334: * jtulach@1334: *
If a requested access is allowed,
jtulach@1334: * checkPermission
returns quietly. If denied, an
jtulach@1334: * AccessControlException is
jtulach@1334: * thrown. AccessControlException can also be thrown if the requested
jtulach@1334: * permission is of an incorrect type or contains an invalid value.
jtulach@1334: * Such information is given whenever possible.
jtulach@1334: *
jtulach@1334: * Suppose the current thread traversed m callers, in the order of caller 1
jtulach@1334: * to caller 2 to caller m. Then caller m invoked the
jtulach@1334: * checkPermission
method.
jtulach@1334: * The checkPermission
method determines whether access
jtulach@1334: * is granted or denied based on the following algorithm:
jtulach@1334: *
jtulach@1334: *
{@code jtulach@1334: * for (int i = m; i > 0; i--) { jtulach@1334: * jtulach@1334: * if (caller i's domain does not have the permission) jtulach@1334: * throw AccessControlException jtulach@1334: * jtulach@1334: * else if (caller i is marked as privileged) { jtulach@1334: * if (a context was specified in the call to doPrivileged) jtulach@1334: * context.checkPermission(permission) jtulach@1334: * return; jtulach@1334: * } jtulach@1334: * }; jtulach@1334: * jtulach@1334: * // Next, check the context inherited when the thread was created. jtulach@1334: * // Whenever a new thread is created, the AccessControlContext at jtulach@1334: * // that time is stored and associated with the new thread, as the jtulach@1334: * // "inherited" context. jtulach@1334: * jtulach@1334: * inheritedContext.checkPermission(permission); jtulach@1334: * }jtulach@1334: * jtulach@1334: *
A caller can be marked as being "privileged"
jtulach@1334: * (see {@link #doPrivileged(PrivilegedAction) doPrivileged} and below).
jtulach@1334: * When making access control decisions, the checkPermission
jtulach@1334: * method stops checking if it reaches a caller that
jtulach@1334: * was marked as "privileged" via a doPrivileged
jtulach@1334: * call without a context argument (see below for information about a
jtulach@1334: * context argument). If that caller's domain has the
jtulach@1334: * specified permission, no further checking is done and
jtulach@1334: * checkPermission
jtulach@1334: * returns quietly, indicating that the requested access is allowed.
jtulach@1334: * If that domain does not have the specified permission, an exception
jtulach@1334: * is thrown, as usual.
jtulach@1334: *
jtulach@1334: *
The normal use of the "privileged" feature is as follows. If you jtulach@1334: * don't need to return a value from within the "privileged" block, do jtulach@1334: * the following: jtulach@1334: * jtulach@1334: *
{@code jtulach@1334: * somemethod() { jtulach@1334: * ...normal code here... jtulach@1334: * AccessController.doPrivileged(new PrivilegedActionjtulach@1334: * jtulach@1334: *() { jtulach@1334: * public Void run() { jtulach@1334: * // privileged code goes here, for example: jtulach@1334: * System.loadLibrary("awt"); jtulach@1334: * return null; // nothing to return jtulach@1334: * } jtulach@1334: * }); jtulach@1334: * ...normal code here... jtulach@1334: * }}
jtulach@1334: * PrivilegedAction is an interface with a single method, named
jtulach@1334: * run
.
jtulach@1334: * The above example shows creation of an implementation
jtulach@1334: * of that interface; a concrete implementation of the
jtulach@1334: * run
method is supplied.
jtulach@1334: * When the call to doPrivileged
is made, an
jtulach@1334: * instance of the PrivilegedAction implementation is passed
jtulach@1334: * to it. The doPrivileged
method calls the
jtulach@1334: * run
method from the PrivilegedAction
jtulach@1334: * implementation after enabling privileges, and returns the
jtulach@1334: * run
method's return value as the
jtulach@1334: * doPrivileged
return value (which is
jtulach@1334: * ignored in this example).
jtulach@1334: *
jtulach@1334: *
If you need to return a value, you can do something like the following: jtulach@1334: * jtulach@1334: *
{@code jtulach@1334: * somemethod() { jtulach@1334: * ...normal code here... jtulach@1334: * String user = AccessController.doPrivileged( jtulach@1334: * new PrivilegedActionjtulach@1334: * jtulach@1334: *() { jtulach@1334: * public String run() { jtulach@1334: * return System.getProperty("user.name"); jtulach@1334: * } jtulach@1334: * }); jtulach@1334: * ...normal code here... jtulach@1334: * }}
If the action performed in your run
method could
jtulach@1334: * throw a "checked" exception (those listed in the throws
clause
jtulach@1334: * of a method), then you need to use the
jtulach@1334: * PrivilegedExceptionAction
interface instead of the
jtulach@1334: * PrivilegedAction
interface:
jtulach@1334: *
jtulach@1334: *
{@code jtulach@1334: * somemethod() throws FileNotFoundException { jtulach@1334: * ...normal code here... jtulach@1334: * try { jtulach@1334: * FileInputStream fis = AccessController.doPrivileged( jtulach@1334: * new PrivilegedExceptionActionjtulach@1334: * jtulach@1334: *() { jtulach@1334: * public FileInputStream run() throws FileNotFoundException { jtulach@1334: * return new FileInputStream("someFile"); jtulach@1334: * } jtulach@1334: * }); jtulach@1334: * } catch (PrivilegedActionException e) { jtulach@1334: * // e.getException() should be an instance of FileNotFoundException, jtulach@1334: * // as only "checked" exceptions will be "wrapped" in a jtulach@1334: * // PrivilegedActionException. jtulach@1334: * throw (FileNotFoundException) e.getException(); jtulach@1334: * } jtulach@1334: * ...normal code here... jtulach@1334: * }}
Be *very* careful in your use of the "privileged" construct, and jtulach@1334: * always remember to make the privileged code section as small as possible. jtulach@1334: * jtulach@1334: *
Note that checkPermission
always performs security checks
jtulach@1334: * within the context of the currently executing thread.
jtulach@1334: * Sometimes a security check that should be made within a given context
jtulach@1334: * will actually need to be done from within a
jtulach@1334: * different context (for example, from within a worker thread).
jtulach@1334: * The {@link #getContext() getContext} method and
jtulach@1334: * AccessControlContext class are provided
jtulach@1334: * for this situation. The getContext
method takes a "snapshot"
jtulach@1334: * of the current calling context, and places
jtulach@1334: * it in an AccessControlContext object, which it returns. A sample call is
jtulach@1334: * the following:
jtulach@1334: *
jtulach@1334: *
jtulach@1334: * jtulach@1334: * AccessControlContext acc = AccessController.getContext() jtulach@1334: * jtulach@1334: *jtulach@1334: * jtulach@1334: *
jtulach@1334: * AccessControlContext itself has a checkPermission
method
jtulach@1334: * that makes access decisions based on the context it encapsulates,
jtulach@1334: * rather than that of the current execution thread.
jtulach@1334: * Code within a different context can thus call that method on the
jtulach@1334: * previously-saved AccessControlContext object. A sample call is the
jtulach@1334: * following:
jtulach@1334: *
jtulach@1334: *
jtulach@1334: * jtulach@1334: * acc.checkPermission(permission) jtulach@1334: * jtulach@1334: *jtulach@1334: * jtulach@1334: *
There are also times where you don't know a priori which permissions jtulach@1334: * to check the context against. In these cases you can use the jtulach@1334: * doPrivileged method that takes a context: jtulach@1334: * jtulach@1334: *
{@code jtulach@1334: * somemethod() { jtulach@1334: * AccessController.doPrivileged(new PrivilegedActionjtulach@1334: * jtulach@1334: * @see AccessControlContext jtulach@1334: * jtulach@1334: * @author Li Gong jtulach@1334: * @author Roland Schemers jtulach@1334: */ jtulach@1334: jtulach@1334: public final class AccessController { jtulach@1334: jtulach@1334: /** jtulach@1334: * Don't allow anyone to instantiate an AccessController jtulach@1334: */ jtulach@1334: private AccessController() { } jtulach@1334: jtulach@1334: /** jtulach@1334: * Performs the specified
PrivilegedAction
with privileges
jtulach@1334: * enabled. The action is performed with all of the permissions
jtulach@1334: * possessed by the caller's protection domain.
jtulach@1334: *
jtulach@1334: * If the action's run
method throws an (unchecked)
jtulach@1334: * exception, it will propagate through this method.
jtulach@1334: *
jtulach@1334: *
Note that any DomainCombiner associated with the current
jtulach@1334: * AccessControlContext will be ignored while the action is performed.
jtulach@1334: *
jtulach@1334: * @param action the action to be performed.
jtulach@1334: *
jtulach@1334: * @return the value returned by the action's If the action's This method preserves the current AccessControlContext's
jtulach@1334: * DomainCombiner (which may be null) while the action is performed.
jtulach@1334: *
jtulach@1334: * @param action the action to be performed.
jtulach@1334: *
jtulach@1334: * @return the value returned by the action's
jtulach@1334: * If the action's If the action's Note that any DomainCombiner associated with the current
jtulach@1334: * AccessControlContext will be ignored while the action is performed.
jtulach@1334: *
jtulach@1334: * @param action the action to be performed
jtulach@1334: *
jtulach@1334: * @return the value returned by the action's If the action's This method preserves the current AccessControlContext's
jtulach@1334: * DomainCombiner (which may be null) while the action is performed.
jtulach@1334: *
jtulach@1334: * @param action the action to be performed.
jtulach@1334: *
jtulach@1334: * @return the value returned by the action's
jtulach@1334: * If the action's run
method.
jtulach@1334: *
jtulach@1334: * @exception NullPointerException if the action is null
jtulach@1334: *
jtulach@1334: * @see #doPrivileged(PrivilegedAction,AccessControlContext)
jtulach@1334: * @see #doPrivileged(PrivilegedExceptionAction)
jtulach@1334: * @see #doPrivilegedWithCombiner(PrivilegedAction)
jtulach@1334: * @see java.security.DomainCombiner
jtulach@1334: */
jtulach@1334:
jaroslav@1341: public static PrivilegedAction
with privileges
jtulach@1334: * enabled. The action is performed with all of the permissions
jtulach@1334: * possessed by the caller's protection domain.
jtulach@1334: *
jtulach@1334: * run
method throws an (unchecked)
jtulach@1334: * exception, it will propagate through this method.
jtulach@1334: *
jtulach@1334: * run
method.
jtulach@1334: *
jtulach@1334: * @exception NullPointerException if the action is null
jtulach@1334: *
jtulach@1334: * @see #doPrivileged(PrivilegedAction)
jtulach@1334: * @see java.security.DomainCombiner
jtulach@1334: *
jtulach@1334: * @since 1.6
jtulach@1334: */
jtulach@1334: public static PrivilegedAction
with privileges
jtulach@1334: * enabled and restricted by the specified
jtulach@1334: * AccessControlContext
.
jtulach@1334: * The action is performed with the intersection of the permissions
jtulach@1334: * possessed by the caller's protection domain, and those possessed
jtulach@1334: * by the domains represented by the specified
jtulach@1334: * AccessControlContext
.
jtulach@1334: * run
method throws an (unchecked) exception,
jtulach@1334: * it will propagate through this method.
jtulach@1334: *
jtulach@1334: * @param action the action to be performed.
jtulach@1334: * @param context an access control context
jtulach@1334: * representing the restriction to be applied to the
jtulach@1334: * caller's domain's privileges before performing
jtulach@1334: * the specified action. If the context is
jtulach@1334: * null
,
jtulach@1334: * then no additional restriction is applied.
jtulach@1334: *
jtulach@1334: * @return the value returned by the action's run
method.
jtulach@1334: *
jtulach@1334: * @exception NullPointerException if the action is null
jtulach@1334: *
jtulach@1334: * @see #doPrivileged(PrivilegedAction)
jtulach@1334: * @see #doPrivileged(PrivilegedExceptionAction,AccessControlContext)
jtulach@1334: */
jaroslav@1341: // public static native PrivilegedExceptionAction
with
jtulach@1334: * privileges enabled. The action is performed with all of the
jtulach@1334: * permissions possessed by the caller's protection domain.
jtulach@1334: *
jtulach@1334: * run
method throws an unchecked
jtulach@1334: * exception, it will propagate through this method.
jtulach@1334: *
jtulach@1334: * run
method
jtulach@1334: *
jtulach@1334: * @exception PrivilegedActionException if the specified action's
jtulach@1334: * run
method threw a checked exception
jtulach@1334: * @exception NullPointerException if the action is null
jtulach@1334: *
jtulach@1334: * @see #doPrivileged(PrivilegedAction)
jtulach@1334: * @see #doPrivileged(PrivilegedExceptionAction,AccessControlContext)
jtulach@1334: * @see #doPrivilegedWithCombiner(PrivilegedExceptionAction)
jtulach@1334: * @see java.security.DomainCombiner
jtulach@1334: */
jaroslav@1341: public static PrivilegedExceptionAction
with
jtulach@1334: * privileges enabled. The action is performed with all of the
jtulach@1334: * permissions possessed by the caller's protection domain.
jtulach@1334: *
jtulach@1334: * run
method throws an unchecked
jtulach@1334: * exception, it will propagate through this method.
jtulach@1334: *
jtulach@1334: * run
method
jtulach@1334: *
jtulach@1334: * @exception PrivilegedActionException if the specified action's
jtulach@1334: * run
method threw a checked exception
jtulach@1334: * @exception NullPointerException if the action is null
jtulach@1334: *
jtulach@1334: * @see #doPrivileged(PrivilegedAction)
jtulach@1334: * @see #doPrivileged(PrivilegedExceptionAction,AccessControlContext)
jtulach@1334: * @see java.security.DomainCombiner
jtulach@1334: *
jtulach@1334: * @since 1.6
jtulach@1334: */
jtulach@1334: public static PrivilegedExceptionAction
with
jtulach@1334: * privileges enabled and restricted by the specified
jtulach@1334: * AccessControlContext
. The action is performed with the
jtulach@1334: * intersection of the permissions possessed by the caller's
jtulach@1334: * protection domain, and those possessed by the domains represented by the
jtulach@1334: * specified AccessControlContext
.
jtulach@1334: * run
method throws an unchecked
jtulach@1334: * exception, it will propagate through this method.
jtulach@1334: *
jtulach@1334: * @param action the action to be performed
jtulach@1334: * @param context an access control context
jtulach@1334: * representing the restriction to be applied to the
jtulach@1334: * caller's domain's privileges before performing
jtulach@1334: * the specified action. If the context is
jtulach@1334: * null
,
jtulach@1334: * then no additional restriction is applied.
jtulach@1334: *
jtulach@1334: * @return the value returned by the action's run
method
jtulach@1334: *
jtulach@1334: * @exception PrivilegedActionException if the specified action's
jtulach@1334: * run
method
jtulach@1334: * threw a checked exception
jtulach@1334: * @exception NullPointerException if the action is null
jtulach@1334: *
jtulach@1334: * @see #doPrivileged(PrivilegedAction)
jtulach@1334: * @see #doPrivileged(PrivilegedExceptionAction,AccessControlContext)
jtulach@1334: */
jaroslav@1341: // public static native perm
Permission object instance.
jtulach@1334: *
jtulach@1334: * @param perm the requested permission.
jtulach@1334: *
jtulach@1334: * @exception AccessControlException if the specified permission
jtulach@1334: * is not permitted, based on the current security policy.
jtulach@1334: * @exception NullPointerException if the specified permission
jtulach@1334: * is null
and is checked based on the
jtulach@1334: * security policy currently in effect.
jtulach@1334: */
jtulach@1334:
jaroslav@1341: // public static void checkPermission(Permission perm)
jaroslav@1341: // throws AccessControlException
jaroslav@1341: // {
jaroslav@1341: // //System.err.println("checkPermission "+perm);
jaroslav@1341: // //Thread.currentThread().dumpStack();
jaroslav@1341: //
jaroslav@1341: // if (perm == null) {
jaroslav@1341: // throw new NullPointerException("permission can't be null");
jaroslav@1341: // }
jaroslav@1341: //
jaroslav@1341: // AccessControlContext stack = getStackAccessControlContext();
jaroslav@1341: // // if context is null, we had privileged system code on the stack.
jaroslav@1341: // if (stack == null) {
jaroslav@1341: // Debug debug = AccessControlContext.getDebug();
jaroslav@1341: // boolean dumpDebug = false;
jaroslav@1341: // if (debug != null) {
jaroslav@1341: // dumpDebug = !Debug.isOn("codebase=");
jaroslav@1341: // dumpDebug &= !Debug.isOn("permission=") ||
jaroslav@1341: // Debug.isOn("permission=" + perm.getClass().getCanonicalName());
jaroslav@1341: // }
jaroslav@1341: //
jaroslav@1341: // if (dumpDebug && Debug.isOn("stack")) {
jaroslav@1341: // Thread.currentThread().dumpStack();
jaroslav@1341: // }
jaroslav@1341: //
jaroslav@1341: // if (dumpDebug && Debug.isOn("domain")) {
jaroslav@1341: // debug.println("domain (context is null)");
jaroslav@1341: // }
jaroslav@1341: //
jaroslav@1341: // if (dumpDebug) {
jaroslav@1341: // debug.println("access allowed "+perm);
jaroslav@1341: // }
jaroslav@1341: // return;
jaroslav@1341: // }
jaroslav@1341: //
jaroslav@1341: // AccessControlContext acc = stack.optimize();
jaroslav@1341: // acc.checkPermission(perm);
jaroslav@1341: // }
jtulach@1334: }