1 /* SecurityManager.java -- security checks for privileged actions 2 Copyright (C) 1998, 1999, 2001, 2002, 2004, 2005 Free Software Foundation, Inc. 3 4 This file is part of GNU Classpath. 5 6 GNU Classpath is free software; you can redistribute it and/or modify 7 it under the terms of the GNU General Public License as published by 8 the Free Software Foundation; either version 2, or (at your option) 9 any later version. 10 11 GNU Classpath is distributed in the hope that it will be useful, but 12 WITHOUT ANY WARRANTY; without even the implied warranty of 13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU 14 General Public License for more details. 15 16 You should have received a copy of the GNU General Public License 17 along with GNU Classpath; see the file COPYING. If not, write to the 18 Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 19 02110-1301 USA. 20 21 Linking this library statically or dynamically with other modules is 22 making a combined work based on this library. Thus, the terms and 23 conditions of the GNU General Public License cover the whole 24 combination. 25 26 As a special exception, the copyright holders of this library give you 27 permission to link this library with independent modules to produce an 28 executable, regardless of the license terms of these independent 29 modules, and to copy and distribute the resulting executable under 30 terms of your choice, provided that you also meet, for each linked 31 independent module, the terms and conditions of the license of that 32 module. An independent module is a module which is not derived from 33 or based on this library. If you modify this library, you may extend 34 this exception to your version of the library, but you are not 35 obligated to do so. If you do not wish to do so, delete this 36 exception statement from your version. */ 37 38 39 package java.lang; 40 41 import gnu.classpath.VMStackWalker; 42 43 import java.awt.AWTPermission; 44 import java.io.File; 45 import java.io.FileDescriptor; 46 import java.io.FileInputStream; 47 import java.io.FileOutputStream; 48 import java.io.FilePermission; 49 import java.io.RandomAccessFile; 50 import java.lang.reflect.Member; 51 import java.net.InetAddress; 52 import java.net.ServerSocket; 53 import java.net.Socket; 54 import java.net.SocketImplFactory; 55 import java.net.SocketPermission; 56 import java.net.URL; 57 import java.net.URLStreamHandlerFactory; 58 import java.security.AccessControlContext; 59 import java.security.AccessControlException; 60 import java.security.AccessController; 61 import java.security.AllPermission; 62 import java.security.BasicPermission; 63 import java.security.Permission; 64 import java.security.Policy; 65 import java.security.PrivilegedAction; 66 import java.security.ProtectionDomain; 67 import java.security.Security; 68 import java.security.SecurityPermission; 69 import java.util.Properties; 70 import java.util.PropertyPermission; 71 import java.util.StringTokenizer; 72 73 /** 74 * SecurityManager is a class you can extend to create your own Java 75 * security policy. By default, there is no SecurityManager installed in 76 * 1.1, which means that all things are permitted to all people. The security 77 * manager, if set, is consulted before doing anything with potentially 78 * dangerous results, and throws a <code>SecurityException</code> if the 79 * action is forbidden. 80 * 81 * <p>A typical check is as follows, just before the dangerous operation:<br> 82 * <pre> 83 * SecurityManager sm = System.getSecurityManager(); 84 * if (sm != null) 85 * sm.checkABC(<em>argument</em>, ...); 86 * </pre> 87 * Note that this is thread-safe, by caching the security manager in a local 88 * variable rather than risking a NullPointerException if the mangager is 89 * changed between the check for null and before the permission check. 90 * 91 * <p>The special method <code>checkPermission</code> is a catchall, and 92 * the default implementation calls 93 * <code>AccessController.checkPermission</code>. In fact, all the other 94 * methods default to calling checkPermission. 95 * 96 * <p>Sometimes, the security check needs to happen from a different context, 97 * such as when called from a worker thread. In such cases, use 98 * <code>getSecurityContext</code> to take a snapshot that can be passed 99 * to the worker thread:<br> 100 * <pre> 101 * Object context = null; 102 * SecurityManager sm = System.getSecurityManager(); 103 * if (sm != null) 104 * context = sm.getSecurityContext(); // defaults to an AccessControlContext 105 * // now, in worker thread 106 * if (sm != null) 107 * sm.checkPermission(permission, context); 108 * </pre> 109 * 110 * <p>Permissions fall into these categories: File, Socket, Net, Security, 111 * Runtime, Property, AWT, Reflect, and Serializable. Each of these 112 * permissions have a property naming convention, that follows a hierarchical 113 * naming convention, to make it easy to grant or deny several permissions 114 * at once. Some permissions also take a list of permitted actions, such 115 * as "read" or "write", to fine-tune control even more. The permission 116 * <code>java.security.AllPermission</code> grants all permissions. 117 * 118 * <p>The default methods in this class deny all things to all people. You 119 * must explicitly grant permission for anything you want to be legal when 120 * subclassing this class. 121 * 122 * @author John Keiser 123 * @author Eric Blake (ebb9@email.byu.edu) 124 * @see ClassLoader 125 * @see SecurityException 126 * @see #checkTopLevelWindow(Object) 127 * @see System#getSecurityManager() 128 * @see System#setSecurityManager(SecurityManager) 129 * @see AccessController 130 * @see AccessControlContext 131 * @see AccessControlException 132 * @see Permission 133 * @see BasicPermission 134 * @see java.io.FilePermission 135 * @see java.net.SocketPermission 136 * @see java.util.PropertyPermission 137 * @see RuntimePermission 138 * @see java.awt.AWTPermission 139 * @see Policy 140 * @see SecurityPermission 141 * @see ProtectionDomain 142 * @since 1.0 143 * @status still missing 1.4 functionality 144 */ 145 public class SecurityManager 146 { 147 /** 148 * The current security manager. This is located here instead of in 149 * System, to avoid security problems, as well as bootstrap issues. 150 * Make sure to access it in a thread-safe manner; it is package visible 151 * to avoid overhead in java.lang. 152 */ 153 static volatile SecurityManager current; 154 155 /** 156 * Tells whether or not the SecurityManager is currently performing a 157 * security check. 158 * @deprecated Use {@link #checkPermission(Permission)} instead. 159 */ 160 protected boolean inCheck; 161 162 /** 163 * Construct a new security manager. There may be a security check, of 164 * <code>RuntimePermission("createSecurityManager")</code>. 165 * 166 * @throws SecurityException if permission is denied 167 */ SecurityManager()168 public SecurityManager() 169 { 170 /* "When there is security manager installed, the security manager 171 need to check the package access. However, if the security 172 manager itself uses any unloaded class, it will trigger the 173 classloading, which causes infinite loop. There is no easy 174 legal solution. The workaround will be that security manager 175 can not depend on any unloaded class. In the constructor of 176 security manager, it must transitively load all classes it 177 refers to." Sun bug #4242924. */ 178 179 // Load and initialize java.security.Security 180 java.security.Security.getProvider((String)null); 181 182 SecurityManager sm = System.getSecurityManager(); 183 if (sm != null) 184 sm.checkPermission(new RuntimePermission("createSecurityManager")); 185 } 186 187 /** 188 * Tells whether or not the SecurityManager is currently performing a 189 * security check. 190 * 191 * @return true if the SecurityManager is in a security check 192 * @see #inCheck 193 * @deprecated use {@link #checkPermission(Permission)} instead 194 */ getInCheck()195 public boolean getInCheck() 196 { 197 return inCheck; 198 } 199 200 /** 201 * Get a list of all the classes currently executing methods on the Java 202 * stack. getClassContext()[0] is the currently executing method (ie. the 203 * class that CALLED getClassContext, not SecurityManager). 204 * 205 * @return an array of classes on the Java execution stack 206 */ getClassContext()207 protected Class[] getClassContext() 208 { 209 Class[] stack1 = VMStackWalker.getClassContext(); 210 Class[] stack2 = new Class[stack1.length - 1]; 211 System.arraycopy(stack1, 1, stack2, 0, stack1.length - 1); 212 return stack2; 213 } 214 215 /** 216 * Find the ClassLoader of the first non-system class on the execution 217 * stack. A non-system class is one whose ClassLoader is not equal to 218 * {@link ClassLoader#getSystemClassLoader()} or its ancestors. This 219 * will return null in three cases: 220 * 221 * <ul> 222 * <li>All methods on the stack are from system classes</li> 223 * <li>All methods on the stack up to the first "privileged" caller, as 224 * created by {@link AccessController#doPrivileged(PrivilegedAction)}, 225 * are from system classes</li> 226 * <li>A check of <code>java.security.AllPermission</code> succeeds.</li> 227 * </ul> 228 * 229 * @return the most recent non-system ClassLoader on the execution stack 230 * @deprecated use {@link #checkPermission(Permission)} instead 231 */ currentClassLoader()232 protected ClassLoader currentClassLoader() 233 { 234 Class cl = currentLoadedClass(); 235 return cl != null ? cl.getClassLoader() : null; 236 } 237 238 /** 239 * Find the first non-system class on the execution stack. A non-system 240 * class is one whose ClassLoader is not equal to 241 * {@link ClassLoader#getSystemClassLoader()} or its ancestors. This 242 * will return null in three cases: 243 * 244 * <ul> 245 * <li>All methods on the stack are from system classes</li> 246 * <li>All methods on the stack up to the first "privileged" caller, as 247 * created by {@link AccessController#doPrivileged(PrivilegedAction)}, 248 * are from system classes</li> 249 * <li>A check of <code>java.security.AllPermission</code> succeeds.</li> 250 * </ul> 251 * 252 * @return the most recent non-system Class on the execution stack 253 * @deprecated use {@link #checkPermission(Permission)} instead 254 */ currentLoadedClass()255 protected Class<?> currentLoadedClass() 256 { 257 int i = classLoaderDepth(); 258 return i >= 0 ? getClassContext()[i] : null; 259 } 260 261 /** 262 * Get the depth of a particular class on the execution stack. 263 * 264 * @param className the fully-qualified name to search for 265 * @return the index of the class on the stack, or -1 266 * @deprecated use {@link #checkPermission(Permission)} instead 267 */ classDepth(String className)268 protected int classDepth(String className) 269 { 270 Class[] c = getClassContext(); 271 for (int i = 0; i < c.length; i++) 272 if (className.equals(c[i].getName())) 273 return i; 274 return -1; 275 } 276 277 /** 278 * Get the depth on the execution stack of the most recent non-system class. 279 * A non-system class is one whose ClassLoader is not equal to 280 * {@link ClassLoader#getSystemClassLoader()} or its ancestors. This 281 * will return -1 in three cases: 282 * 283 * <ul> 284 * <li>All methods on the stack are from system classes</li> 285 * <li>All methods on the stack up to the first "privileged" caller, as 286 * created by {@link AccessController#doPrivileged(PrivilegedAction)}, 287 * are from system classes</li> 288 * <li>A check of <code>java.security.AllPermission</code> succeeds.</li> 289 * </ul> 290 * 291 * @return the index of the most recent non-system Class on the stack 292 * @deprecated use {@link #checkPermission(Permission)} instead 293 */ classLoaderDepth()294 protected int classLoaderDepth() 295 { 296 try 297 { 298 checkPermission(new AllPermission()); 299 } 300 catch (SecurityException e) 301 { 302 Class[] c = getClassContext(); 303 for (int i = 0; i < c.length; i++) 304 if (c[i].getClassLoader() != null) 305 // XXX Check if c[i] is AccessController, or a system class. 306 return i; 307 } 308 return -1; 309 } 310 311 /** 312 * Tell whether the specified class is on the execution stack. 313 * 314 * @param className the fully-qualified name of the class to find 315 * @return whether the specified class is on the execution stack 316 * @deprecated use {@link #checkPermission(Permission)} instead 317 */ inClass(String className)318 protected boolean inClass(String className) 319 { 320 return classDepth(className) != -1; 321 } 322 323 /** 324 * Tell whether there is a class loaded with an explicit ClassLoader on 325 * the stack. 326 * 327 * @return whether a class with an explicit ClassLoader is on the stack 328 * @deprecated use {@link #checkPermission(Permission)} instead 329 */ inClassLoader()330 protected boolean inClassLoader() 331 { 332 return classLoaderDepth() != -1; 333 } 334 335 /** 336 * Get an implementation-dependent Object that contains enough information 337 * about the current environment to be able to perform standard security 338 * checks later. This is used by trusted methods that need to verify that 339 * their callers have sufficient access to perform certain operations. 340 * 341 * <p>Currently the only methods that use this are checkRead() and 342 * checkConnect(). The default implementation returns an 343 * <code>AccessControlContext</code>. 344 * 345 * @return a security context 346 * @see #checkConnect(String, int, Object) 347 * @see #checkRead(String, Object) 348 * @see AccessControlContext 349 * @see AccessController#getContext() 350 */ getSecurityContext()351 public Object getSecurityContext() 352 { 353 return AccessController.getContext(); 354 } 355 356 /** 357 * Check if the current thread is allowed to perform an operation that 358 * requires the specified <code>Permission</code>. This defaults to 359 * <code>AccessController.checkPermission</code>. 360 * 361 * @param perm the <code>Permission</code> required 362 * @throws SecurityException if permission is denied 363 * @throws NullPointerException if perm is null 364 * @since 1.2 365 */ checkPermission(Permission perm)366 public void checkPermission(Permission perm) 367 { 368 AccessController.checkPermission(perm); 369 } 370 371 /** 372 * Check if the current thread is allowed to perform an operation that 373 * requires the specified <code>Permission</code>. This is done in a 374 * context previously returned by <code>getSecurityContext()</code>. The 375 * default implementation expects context to be an AccessControlContext, 376 * and it calls <code>AccessControlContext.checkPermission(perm)</code>. 377 * 378 * @param perm the <code>Permission</code> required 379 * @param context a security context 380 * @throws SecurityException if permission is denied, or if context is 381 * not an AccessControlContext 382 * @throws NullPointerException if perm is null 383 * @see #getSecurityContext() 384 * @see AccessControlContext#checkPermission(Permission) 385 * @since 1.2 386 */ checkPermission(Permission perm, Object context)387 public void checkPermission(Permission perm, Object context) 388 { 389 if (! (context instanceof AccessControlContext)) 390 throw new SecurityException("Missing context"); 391 ((AccessControlContext) context).checkPermission(perm); 392 } 393 394 /** 395 * Check if the current thread is allowed to create a ClassLoader. This 396 * method is called from ClassLoader.ClassLoader(), and checks 397 * <code>RuntimePermission("createClassLoader")</code>. If you override 398 * this, you should call <code>super.checkCreateClassLoader()</code> rather 399 * than throwing an exception. 400 * 401 * @throws SecurityException if permission is denied 402 * @see ClassLoader#ClassLoader() 403 */ checkCreateClassLoader()404 public void checkCreateClassLoader() 405 { 406 checkPermission(new RuntimePermission("createClassLoader")); 407 } 408 409 /** 410 * Check if the current thread is allowed to modify another Thread. This is 411 * called by Thread.stop(), suspend(), resume(), interrupt(), destroy(), 412 * setPriority(), setName(), and setDaemon(). The default implementation 413 * checks <code>RuntimePermission("modifyThread")</code> on system threads 414 * (ie. threads in ThreadGroup with a null parent), and returns silently on 415 * other threads. 416 * 417 * <p>If you override this, you must do two things. First, call 418 * <code>super.checkAccess(t)</code>, to make sure you are not relaxing 419 * requirements. Second, if the calling thread has 420 * <code>RuntimePermission("modifyThread")</code>, return silently, so that 421 * core classes (the Classpath library!) can modify any thread. 422 * 423 * @param thread the other Thread to check 424 * @throws SecurityException if permission is denied 425 * @throws NullPointerException if thread is null 426 * @see Thread#stop() 427 * @see Thread#suspend() 428 * @see Thread#resume() 429 * @see Thread#setPriority(int) 430 * @see Thread#setName(String) 431 * @see Thread#setDaemon(boolean) 432 */ checkAccess(Thread thread)433 public void checkAccess(Thread thread) 434 { 435 if (thread.getThreadGroup() != null 436 && thread.getThreadGroup().parent == null) 437 checkPermission(new RuntimePermission("modifyThread")); 438 } 439 440 /** 441 * Check if the current thread is allowed to modify a ThreadGroup. This is 442 * called by Thread.Thread() (to add a thread to the ThreadGroup), 443 * ThreadGroup.ThreadGroup() (to add this ThreadGroup to a parent), 444 * ThreadGroup.stop(), suspend(), resume(), interrupt(), destroy(), 445 * setDaemon(), and setMaxPriority(). The default implementation 446 * checks <code>RuntimePermission("modifyThread")</code> on the system group 447 * (ie. the one with a null parent), and returns silently on other groups. 448 * 449 * <p>If you override this, you must do two things. First, call 450 * <code>super.checkAccess(t)</code>, to make sure you are not relaxing 451 * requirements. Second, if the calling thread has 452 * <code>RuntimePermission("modifyThreadGroup")</code>, return silently, 453 * so that core classes (the Classpath library!) can modify any thread. 454 * 455 * @param g the ThreadGroup to check 456 * @throws SecurityException if permission is denied 457 * @throws NullPointerException if g is null 458 * @see Thread#Thread() 459 * @see ThreadGroup#ThreadGroup(String) 460 * @see ThreadGroup#stop() 461 * @see ThreadGroup#suspend() 462 * @see ThreadGroup#resume() 463 * @see ThreadGroup#interrupt() 464 * @see ThreadGroup#setDaemon(boolean) 465 * @see ThreadGroup#setMaxPriority(int) 466 */ checkAccess(ThreadGroup g)467 public void checkAccess(ThreadGroup g) 468 { 469 if (g.parent == null) 470 checkPermission(new RuntimePermission("modifyThreadGroup")); 471 } 472 473 /** 474 * Check if the current thread is allowed to exit the JVM with the given 475 * status. This method is called from Runtime.exit() and Runtime.halt(). 476 * The default implementation checks 477 * <code>RuntimePermission("exitVM")</code>. If you override this, call 478 * <code>super.checkExit</code> rather than throwing an exception. 479 * 480 * @param status the status to exit with 481 * @throws SecurityException if permission is denied 482 * @see Runtime#exit(int) 483 * @see Runtime#halt(int) 484 */ checkExit(int status)485 public void checkExit(int status) 486 { 487 checkPermission(new RuntimePermission("exitVM")); 488 } 489 490 /** 491 * Check if the current thread is allowed to execute the given program. This 492 * method is called from Runtime.exec(). If the name is an absolute path, 493 * the default implementation checks 494 * <code>FilePermission(program, "execute")</code>, otherwise it checks 495 * <code>FilePermission("<<ALL FILES>>", "execute")</code>. If 496 * you override this, call <code>super.checkExec</code> rather than 497 * throwing an exception. 498 * 499 * @param program the name of the program to exec 500 * @throws SecurityException if permission is denied 501 * @throws NullPointerException if program is null 502 * @see Runtime#exec(String[], String[], File) 503 */ checkExec(String program)504 public void checkExec(String program) 505 { 506 if (! program.equals(new File(program).getAbsolutePath())) 507 program = "<<ALL FILES>>"; 508 checkPermission(new FilePermission(program, "execute")); 509 } 510 511 /** 512 * Check if the current thread is allowed to link in the given native 513 * library. This method is called from Runtime.load() (and hence, by 514 * loadLibrary() as well). The default implementation checks 515 * <code>RuntimePermission("loadLibrary." + filename)</code>. If you 516 * override this, call <code>super.checkLink</code> rather than throwing 517 * an exception. 518 * 519 * @param filename the full name of the library to load 520 * @throws SecurityException if permission is denied 521 * @throws NullPointerException if filename is null 522 * @see Runtime#load(String) 523 */ checkLink(String filename)524 public void checkLink(String filename) 525 { 526 // Use the toString() hack to do the null check. 527 checkPermission(new RuntimePermission("loadLibrary." 528 + filename.toString())); 529 } 530 531 /** 532 * Check if the current thread is allowed to read the given file using the 533 * FileDescriptor. This method is called from 534 * FileInputStream.FileInputStream(). The default implementation checks 535 * <code>RuntimePermission("readFileDescriptor")</code>. If you override 536 * this, call <code>super.checkRead</code> rather than throwing an 537 * exception. 538 * 539 * @param desc the FileDescriptor representing the file to access 540 * @throws SecurityException if permission is denied 541 * @throws NullPointerException if desc is null 542 * @see FileInputStream#FileInputStream(FileDescriptor) 543 */ checkRead(FileDescriptor desc)544 public void checkRead(FileDescriptor desc) 545 { 546 if (desc == null) 547 throw new NullPointerException(); 548 checkPermission(new RuntimePermission("readFileDescriptor")); 549 } 550 551 /** 552 * Check if the current thread is allowed to read the given file. This 553 * method is called from FileInputStream.FileInputStream(), 554 * RandomAccessFile.RandomAccessFile(), File.exists(), canRead(), isFile(), 555 * isDirectory(), lastModified(), length() and list(). The default 556 * implementation checks <code>FilePermission(filename, "read")</code>. If 557 * you override this, call <code>super.checkRead</code> rather than 558 * throwing an exception. 559 * 560 * @param filename the full name of the file to access 561 * @throws SecurityException if permission is denied 562 * @throws NullPointerException if filename is null 563 * @see File 564 * @see FileInputStream#FileInputStream(String) 565 * @see RandomAccessFile#RandomAccessFile(String, String) 566 */ checkRead(String filename)567 public void checkRead(String filename) 568 { 569 checkPermission(new FilePermission(filename, "read")); 570 } 571 572 /** 573 * Check if the current thread is allowed to read the given file. using the 574 * given security context. The context must be a result of a previous call 575 * to <code>getSecurityContext()</code>. The default implementation checks 576 * <code>AccessControlContext.checkPermission(new FilePermission(filename, 577 * "read"))</code>. If you override this, call <code>super.checkRead</code> 578 * rather than throwing an exception. 579 * 580 * @param filename the full name of the file to access 581 * @param context the context to determine access for 582 * @throws SecurityException if permission is denied, or if context is 583 * not an AccessControlContext 584 * @throws NullPointerException if filename is null 585 * @see #getSecurityContext() 586 * @see AccessControlContext#checkPermission(Permission) 587 */ checkRead(String filename, Object context)588 public void checkRead(String filename, Object context) 589 { 590 if (! (context instanceof AccessControlContext)) 591 throw new SecurityException("Missing context"); 592 AccessControlContext ac = (AccessControlContext) context; 593 ac.checkPermission(new FilePermission(filename, "read")); 594 } 595 596 /** 597 * Check if the current thread is allowed to write the given file using the 598 * FileDescriptor. This method is called from 599 * FileOutputStream.FileOutputStream(). The default implementation checks 600 * <code>RuntimePermission("writeFileDescriptor")</code>. If you override 601 * this, call <code>super.checkWrite</code> rather than throwing an 602 * exception. 603 * 604 * @param desc the FileDescriptor representing the file to access 605 * @throws SecurityException if permission is denied 606 * @throws NullPointerException if desc is null 607 * @see FileOutputStream#FileOutputStream(FileDescriptor) 608 */ checkWrite(FileDescriptor desc)609 public void checkWrite(FileDescriptor desc) 610 { 611 if (desc == null) 612 throw new NullPointerException(); 613 checkPermission(new RuntimePermission("writeFileDescriptor")); 614 } 615 616 /** 617 * Check if the current thread is allowed to write the given file. This 618 * method is called from FileOutputStream.FileOutputStream(), 619 * RandomAccessFile.RandomAccessFile(), File.canWrite(), mkdir(), and 620 * renameTo(). The default implementation checks 621 * <code>FilePermission(filename, "write")</code>. If you override this, 622 * call <code>super.checkWrite</code> rather than throwing an exception. 623 * 624 * @param filename the full name of the file to access 625 * @throws SecurityException if permission is denied 626 * @throws NullPointerException if filename is null 627 * @see File 628 * @see File#canWrite() 629 * @see File#mkdir() 630 * @see File#renameTo(File) 631 * @see FileOutputStream#FileOutputStream(String) 632 * @see RandomAccessFile#RandomAccessFile(String, String) 633 */ checkWrite(String filename)634 public void checkWrite(String filename) 635 { 636 checkPermission(new FilePermission(filename, "write")); 637 } 638 639 /** 640 * Check if the current thread is allowed to delete the given file. This 641 * method is called from File.delete(). The default implementation checks 642 * <code>FilePermission(filename, "delete")</code>. If you override this, 643 * call <code>super.checkDelete</code> rather than throwing an exception. 644 * 645 * @param filename the full name of the file to delete 646 * @throws SecurityException if permission is denied 647 * @throws NullPointerException if filename is null 648 * @see File#delete() 649 */ checkDelete(String filename)650 public void checkDelete(String filename) 651 { 652 checkPermission(new FilePermission(filename, "delete")); 653 } 654 655 /** 656 * Check if the current thread is allowed to connect to a given host on a 657 * given port. This method is called from Socket.Socket(). A port number 658 * of -1 indicates the caller is attempting to determine an IP address, so 659 * the default implementation checks 660 * <code>SocketPermission(host, "resolve")</code>. Otherwise, the default 661 * implementation checks 662 * <code>SocketPermission(host + ":" + port, "connect")</code>. If you 663 * override this, call <code>super.checkConnect</code> rather than throwing 664 * an exception. 665 * 666 * @param host the host to connect to 667 * @param port the port to connect on 668 * @throws SecurityException if permission is denied 669 * @throws NullPointerException if host is null 670 * @see Socket#Socket() 671 */ checkConnect(String host, int port)672 public void checkConnect(String host, int port) 673 { 674 if (port == -1) 675 checkPermission(new SocketPermission(host, "resolve")); 676 else 677 // Use the toString() hack to do the null check. 678 checkPermission(new SocketPermission(host.toString() + ":" + port, 679 "connect")); 680 } 681 682 /** 683 * Check if the current thread is allowed to connect to a given host on a 684 * given port, using the given security context. The context must be a 685 * result of a previous call to <code>getSecurityContext</code>. A port 686 * number of -1 indicates the caller is attempting to determine an IP 687 * address, so the default implementation checks 688 * <code>AccessControlContext.checkPermission(new SocketPermission(host, 689 * "resolve"))</code>. Otherwise, the default implementation checks 690 * <code>AccessControlContext.checkPermission(new SocketPermission(host 691 * + ":" + port, "connect"))</code>. If you override this, call 692 * <code>super.checkConnect</code> rather than throwing an exception. 693 * 694 * @param host the host to connect to 695 * @param port the port to connect on 696 * @param context the context to determine access for 697 * 698 * @throws SecurityException if permission is denied, or if context is 699 * not an AccessControlContext 700 * @throws NullPointerException if host is null 701 * 702 * @see #getSecurityContext() 703 * @see AccessControlContext#checkPermission(Permission) 704 */ checkConnect(String host, int port, Object context)705 public void checkConnect(String host, int port, Object context) 706 { 707 if (! (context instanceof AccessControlContext)) 708 throw new SecurityException("Missing context"); 709 AccessControlContext ac = (AccessControlContext) context; 710 if (port == -1) 711 ac.checkPermission(new SocketPermission(host, "resolve")); 712 else 713 // Use the toString() hack to do the null check. 714 ac.checkPermission(new SocketPermission(host.toString() + ":" + port, 715 "connect")); 716 } 717 718 /** 719 * Check if the current thread is allowed to listen to a specific port for 720 * data. This method is called by ServerSocket.ServerSocket(). The default 721 * implementation checks 722 * <code>SocketPermission("localhost:" + (port == 0 ? "1024-" : "" + port), 723 * "listen")</code>. If you override this, call 724 * <code>super.checkListen</code> rather than throwing an exception. 725 * 726 * @param port the port to listen on 727 * @throws SecurityException if permission is denied 728 * @see ServerSocket#ServerSocket(int) 729 */ checkListen(int port)730 public void checkListen(int port) 731 { 732 checkPermission(new SocketPermission("localhost:" 733 + (port == 0 ? "1024-" : "" +port), 734 "listen")); 735 } 736 737 /** 738 * Check if the current thread is allowed to accept a connection from a 739 * particular host on a particular port. This method is called by 740 * ServerSocket.implAccept(). The default implementation checks 741 * <code>SocketPermission(host + ":" + port, "accept")</code>. If you 742 * override this, call <code>super.checkAccept</code> rather than throwing 743 * an exception. 744 * 745 * @param host the host which wishes to connect 746 * @param port the port the connection will be on 747 * @throws SecurityException if permission is denied 748 * @throws NullPointerException if host is null 749 * @see ServerSocket#accept() 750 */ checkAccept(String host, int port)751 public void checkAccept(String host, int port) 752 { 753 // Use the toString() hack to do the null check. 754 checkPermission(new SocketPermission(host.toString() + ":" + port, 755 "accept")); 756 } 757 758 /** 759 * Check if the current thread is allowed to read and write multicast to 760 * a particular address. The default implementation checks 761 * <code>SocketPermission(addr.getHostAddress(), "accept,connect")</code>. 762 * If you override this, call <code>super.checkMulticast</code> rather than 763 * throwing an exception. 764 * 765 * @param addr the address to multicast to 766 * @throws SecurityException if permission is denied 767 * @throws NullPointerException if host is null 768 * @since 1.1 769 */ checkMulticast(InetAddress addr)770 public void checkMulticast(InetAddress addr) 771 { 772 checkPermission(new SocketPermission(addr.getHostAddress(), 773 "accept,connect")); 774 } 775 776 /** 777 *Check if the current thread is allowed to read and write multicast to 778 * a particular address with a particular ttl (time-to-live) value. The 779 * default implementation ignores ttl, and checks 780 * <code>SocketPermission(addr.getHostAddress(), "accept,connect")</code>. 781 * If you override this, call <code>super.checkMulticast</code> rather than 782 * throwing an exception. 783 * 784 * @param addr the address to multicast to 785 * @param ttl value in use for multicast send 786 * @throws SecurityException if permission is denied 787 * @throws NullPointerException if host is null 788 * @since 1.1 789 * @deprecated use {@link #checkPermission(Permission)} instead 790 */ checkMulticast(InetAddress addr, byte ttl)791 public void checkMulticast(InetAddress addr, byte ttl) 792 { 793 checkPermission(new SocketPermission(addr.getHostAddress(), 794 "accept,connect")); 795 } 796 797 /** 798 * Check if the current thread is allowed to read or write all the system 799 * properties at once. This method is called by System.getProperties() 800 * and setProperties(). The default implementation checks 801 * <code>PropertyPermission("*", "read,write")</code>. If you override 802 * this, call <code>super.checkPropertiesAccess</code> rather than 803 * throwing an exception. 804 * 805 * @throws SecurityException if permission is denied 806 * @see System#getProperties() 807 * @see System#setProperties(Properties) 808 */ checkPropertiesAccess()809 public void checkPropertiesAccess() 810 { 811 checkPermission(new PropertyPermission("*", "read,write")); 812 } 813 814 /** 815 * Check if the current thread is allowed to read a particular system 816 * property (writes are checked directly via checkPermission). This method 817 * is called by System.getProperty() and setProperty(). The default 818 * implementation checks <code>PropertyPermission(key, "read")</code>. If 819 * you override this, call <code>super.checkPropertyAccess</code> rather 820 * than throwing an exception. 821 * 822 * @param key the key of the property to check 823 * 824 * @throws SecurityException if permission is denied 825 * @throws NullPointerException if key is null 826 * @throws IllegalArgumentException if key is "" 827 * 828 * @see System#getProperty(String) 829 */ checkPropertyAccess(String key)830 public void checkPropertyAccess(String key) 831 { 832 checkPermission(new PropertyPermission(key, "read")); 833 } 834 835 /** 836 * Check if the current thread is allowed to create a top-level window. If 837 * it is not, the operation should still go through, but some sort of 838 * nonremovable warning should be placed on the window to show that it 839 * is untrusted. This method is called by Window.Window(). The default 840 * implementation checks 841 * <code>AWTPermission("showWindowWithoutWarningBanner")</code>, and returns 842 * true if no exception was thrown. If you override this, use 843 * <code>return super.checkTopLevelWindow</code> rather than returning 844 * false. 845 * 846 * @param window the window to create 847 * @return true if there is permission to show the window without warning 848 * @throws NullPointerException if window is null 849 * @see java.awt.Window#Window(java.awt.Frame) 850 */ checkTopLevelWindow(Object window)851 public boolean checkTopLevelWindow(Object window) 852 { 853 if (window == null) 854 throw new NullPointerException(); 855 try 856 { 857 checkPermission(new AWTPermission("showWindowWithoutWarningBanner")); 858 return true; 859 } 860 catch (SecurityException e) 861 { 862 return false; 863 } 864 } 865 866 /** 867 * Check if the current thread is allowed to create a print job. This 868 * method is called by Toolkit.getPrintJob(). The default implementation 869 * checks <code>RuntimePermission("queuePrintJob")</code>. If you override 870 * this, call <code>super.checkPrintJobAccess</code> rather than throwing 871 * an exception. 872 * 873 * @throws SecurityException if permission is denied 874 * @see java.awt.Toolkit#getPrintJob(java.awt.Frame, String, Properties) 875 * @since 1.1 876 */ checkPrintJobAccess()877 public void checkPrintJobAccess() 878 { 879 checkPermission(new RuntimePermission("queuePrintJob")); 880 } 881 882 /** 883 * Check if the current thread is allowed to use the system clipboard. This 884 * method is called by Toolkit.getSystemClipboard(). The default 885 * implementation checks <code>AWTPermission("accessClipboard")</code>. If 886 * you override this, call <code>super.checkSystemClipboardAccess</code> 887 * rather than throwing an exception. 888 * 889 * @throws SecurityException if permission is denied 890 * @see java.awt.Toolkit#getSystemClipboard() 891 * @since 1.1 892 */ checkSystemClipboardAccess()893 public void checkSystemClipboardAccess() 894 { 895 checkPermission(new AWTPermission("accessClipboard")); 896 } 897 898 /** 899 * Check if the current thread is allowed to use the AWT event queue. This 900 * method is called by Toolkit.getSystemEventQueue(). The default 901 * implementation checks <code>AWTPermission("accessEventQueue")</code>. 902 * you override this, call <code>super.checkAwtEventQueueAccess</code> 903 * rather than throwing an exception. 904 * 905 * @throws SecurityException if permission is denied 906 * @see java.awt.Toolkit#getSystemEventQueue() 907 * @since 1.1 908 */ checkAwtEventQueueAccess()909 public void checkAwtEventQueueAccess() 910 { 911 checkPermission(new AWTPermission("accessEventQueue")); 912 } 913 914 /** 915 * Check if the current thread is allowed to access the specified package 916 * at all. This method is called by ClassLoader.loadClass() in user-created 917 * ClassLoaders. The default implementation gets a list of all restricted 918 * packages, via <code>Security.getProperty("package.access")</code>. Then, 919 * if packageName starts with or equals any restricted package, it checks 920 * <code>RuntimePermission("accessClassInPackage." + packageName)</code>. 921 * If you override this, you should call 922 * <code>super.checkPackageAccess</code> before doing anything else. 923 * 924 * @param packageName the package name to check access to 925 * @throws SecurityException if permission is denied 926 * @throws NullPointerException if packageName is null 927 * @see ClassLoader#loadClass(String, boolean) 928 * @see Security#getProperty(String) 929 */ checkPackageAccess(String packageName)930 public void checkPackageAccess(String packageName) 931 { 932 checkPackageList(packageName, "package.access", "accessClassInPackage."); 933 } 934 935 /** 936 * Check if the current thread is allowed to define a class into the 937 * specified package. This method is called by ClassLoader.loadClass() in 938 * user-created ClassLoaders. The default implementation gets a list of all 939 * restricted packages, via 940 * <code>Security.getProperty("package.definition")</code>. Then, if 941 * packageName starts with or equals any restricted package, it checks 942 * <code>RuntimePermission("defineClassInPackage." + packageName)</code>. 943 * If you override this, you should call 944 * <code>super.checkPackageDefinition</code> before doing anything else. 945 * 946 * @param packageName the package name to check access to 947 * @throws SecurityException if permission is denied 948 * @throws NullPointerException if packageName is null 949 * @see ClassLoader#loadClass(String, boolean) 950 * @see Security#getProperty(String) 951 */ checkPackageDefinition(String packageName)952 public void checkPackageDefinition(String packageName) 953 { 954 checkPackageList(packageName, "package.definition", "defineClassInPackage."); 955 } 956 957 /** 958 * Check if the current thread is allowed to set the current socket factory. 959 * This method is called by Socket.setSocketImplFactory(), 960 * ServerSocket.setSocketFactory(), and URL.setURLStreamHandlerFactory(). 961 * The default implementation checks 962 * <code>RuntimePermission("setFactory")</code>. If you override this, call 963 * <code>super.checkSetFactory</code> rather than throwing an exception. 964 * 965 * @throws SecurityException if permission is denied 966 * @see Socket#setSocketImplFactory(SocketImplFactory) 967 * @see ServerSocket#setSocketFactory(SocketImplFactory) 968 * @see URL#setURLStreamHandlerFactory(URLStreamHandlerFactory) 969 */ checkSetFactory()970 public void checkSetFactory() 971 { 972 checkPermission(new RuntimePermission("setFactory")); 973 } 974 975 /** 976 * Check if the current thread is allowed to get certain types of Methods, 977 * Fields and Constructors from a Class object. This method is called by 978 * Class.getMethod[s](), Class.getField[s](), Class.getConstructor[s], 979 * Class.getDeclaredMethod[s](), Class.getDeclaredField[s](), and 980 * Class.getDeclaredConstructor[s](). The default implementation allows 981 * PUBLIC access, and access to classes defined by the same classloader as 982 * the code performing the reflection. Otherwise, it checks 983 * <code>RuntimePermission("accessDeclaredMembers")</code>. If you override 984 * this, do not call <code>super.checkMemberAccess</code>, as this would 985 * mess up the stack depth check that determines the ClassLoader requesting 986 * the access. 987 * 988 * @param c the Class to check 989 * @param memberType either DECLARED or PUBLIC 990 * @throws SecurityException if permission is denied, including when 991 * memberType is not DECLARED or PUBLIC 992 * @throws NullPointerException if c is null 993 * @see Class 994 * @see Member#DECLARED 995 * @see Member#PUBLIC 996 * @since 1.1 997 */ checkMemberAccess(Class<?> c, int memberType)998 public void checkMemberAccess(Class<?> c, int memberType) 999 { 1000 if (c == null) 1001 throw new NullPointerException(); 1002 if (memberType == Member.PUBLIC) 1003 return; 1004 // XXX Allow access to classes created by same classloader before next 1005 // check. 1006 checkPermission(new RuntimePermission("accessDeclaredMembers")); 1007 } 1008 1009 /** 1010 * Test whether a particular security action may be taken. The default 1011 * implementation checks <code>SecurityPermission(action)</code>. If you 1012 * override this, call <code>super.checkSecurityAccess</code> rather than 1013 * throwing an exception. 1014 * 1015 * @param action the desired action to take 1016 * @throws SecurityException if permission is denied 1017 * @throws NullPointerException if action is null 1018 * @throws IllegalArgumentException if action is "" 1019 * @since 1.1 1020 */ checkSecurityAccess(String action)1021 public void checkSecurityAccess(String action) 1022 { 1023 checkPermission(new SecurityPermission(action)); 1024 } 1025 1026 /** 1027 * Get the ThreadGroup that a new Thread should belong to by default. Called 1028 * by Thread.Thread(). The default implementation returns the current 1029 * ThreadGroup of the current Thread. <STRONG>Spec Note:</STRONG> it is not 1030 * clear whether the new Thread is guaranteed to pass the 1031 * checkAccessThreadGroup() test when using this ThreadGroup, but I presume 1032 * so. 1033 * 1034 * @return the ThreadGroup to put the new Thread into 1035 * @since 1.1 1036 */ getThreadGroup()1037 public ThreadGroup getThreadGroup() 1038 { 1039 return Thread.currentThread().getThreadGroup(); 1040 } 1041 1042 /** 1043 * Helper that checks a comma-separated list of restricted packages, from 1044 * <code>Security.getProperty("package.definition")</code>, for the given 1045 * package access permission. If packageName starts with or equals any 1046 * restricted package, it checks 1047 * <code>RuntimePermission(permission + packageName)</code>. 1048 * 1049 * @param packageName the package name to check access to 1050 * @param restriction "package.access" or "package.definition" 1051 * @param permission the base permission, including the '.' 1052 * @throws SecurityException if permission is denied 1053 * @throws NullPointerException if packageName is null 1054 * @see #checkPackageAccess(String) 1055 * @see #checkPackageDefinition(String) 1056 */ checkPackageList(String packageName, final String restriction, String permission)1057 void checkPackageList(String packageName, final String restriction, 1058 String permission) 1059 { 1060 if (packageName == null) 1061 throw new NullPointerException(); 1062 1063 String list = (String)AccessController.doPrivileged(new PrivilegedAction() 1064 { 1065 public Object run() 1066 { 1067 return Security.getProperty(restriction); 1068 } 1069 }); 1070 1071 if (list == null || list.equals("")) 1072 return; 1073 1074 String packageNamePlusDot = packageName + "."; 1075 1076 StringTokenizer st = new StringTokenizer(list, ","); 1077 while (st.hasMoreTokens()) 1078 { 1079 if (packageNamePlusDot.startsWith(st.nextToken())) 1080 { 1081 Permission p = new RuntimePermission(permission + packageName); 1082 checkPermission(p); 1083 return; 1084 } 1085 } 1086 } 1087 } 1088