1 /* 2 * Copyright (c) 1997, 2020, Oracle and/or its affiliates. All rights reserved. 3 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. 4 * 5 * This code is free software; you can redistribute it and/or modify it 6 * under the terms of the GNU General Public License version 2 only, as 7 * published by the Free Software Foundation. Oracle designates this 8 * particular file as subject to the "Classpath" exception as provided 9 * by Oracle in the LICENSE file that accompanied this code. 10 * 11 * This code is distributed in the hope that it will be useful, but WITHOUT 12 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or 13 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License 14 * version 2 for more details (a copy is included in the LICENSE file that 15 * accompanied this code). 16 * 17 * You should have received a copy of the GNU General Public License version 18 * 2 along with this work; if not, write to the Free Software Foundation, 19 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. 20 * 21 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA 22 * or visit www.oracle.com if you need additional information or have any 23 * questions. 24 */ 25 26 package java.security; 27 28 import java.security.*; 29 import java.util.Enumeration; 30 import java.util.Hashtable; 31 import java.util.StringTokenizer; 32 33 /** 34 * This class is for security permissions. A {@code SecurityPermission} 35 * contains a name (also referred to as a "target name") but no actions list; 36 * you either have the named permission or you don't. 37 * <p> 38 * The target name is the name of a security configuration parameter 39 * (see below). Currently the {@code SecurityPermission} object is used to 40 * guard access to the {@link AccessControlContext}, {@link Policy}, 41 * {@link Provider}, {@link Security}, {@link Signer}, and {@link Identity} 42 * objects. 43 * <p> 44 * The following table lists the standard {@code SecurityPermission} 45 * target names, and for each provides a description of what the permission 46 * allows and a discussion of the risks of granting code the permission. 47 * 48 * <table class="striped"> 49 * <caption style="display:none">target name, what the permission allows, and associated risks</caption> 50 * <thead> 51 * <tr> 52 * <th scope="col">Permission Target Name</th> 53 * <th scope="col">What the Permission Allows</th> 54 * <th scope="col">Risks of Allowing this Permission</th> 55 * </tr> 56 * </thead> 57 * <tbody> 58 * 59 * <tr> 60 * <th scope="row">authProvider.{provider name}</th> 61 * <td>Allow the named provider to be an AuthProvider for login and 62 * logout operations. </td> 63 * <td>This allows the named provider to perform login and logout 64 * operations. The named provider must extend {@code AuthProvider} 65 * and care must be taken to grant to a trusted provider since 66 * login operations involve sensitive authentication information 67 * such as PINs and passwords. </td> 68 * </tr> 69 * 70 * <tr> 71 * <th scope="row">createAccessControlContext</th> 72 * <td>Creation of an AccessControlContext</td> 73 * <td>This allows someone to instantiate an AccessControlContext 74 * with a {@code DomainCombiner}. Extreme care must be taken when 75 * granting this permission. Malicious code could create a DomainCombiner 76 * that augments the set of permissions granted to code, and even grant the 77 * code {@link java.security.AllPermission}.</td> 78 * </tr> 79 * 80 * <tr> 81 * <th scope="row">getDomainCombiner</th> 82 * <td>Retrieval of an AccessControlContext's DomainCombiner</td> 83 * <td>This allows someone to retrieve an AccessControlContext's 84 * {@code DomainCombiner}. Since DomainCombiners may contain 85 * sensitive information, this could potentially lead to a privacy leak.</td> 86 * </tr> 87 * 88 * <tr> 89 * <th scope="row">getPolicy</th> 90 * <td>Retrieval of the system-wide security policy (specifically, of the 91 * currently-installed Policy object)</td> 92 * <td>This allows someone to query the policy via the 93 * {@code getPermissions} call, 94 * which discloses which permissions would be granted to a given CodeSource. 95 * While revealing the policy does not compromise the security of 96 * the system, it does provide malicious code with additional information 97 * which it may use to better aim an attack. It is wise 98 * not to divulge more information than necessary.</td> 99 * </tr> 100 * 101 * <tr> 102 * <th scope="row">setPolicy</th> 103 * <td>Setting of the system-wide security policy (specifically, 104 * the Policy object)</td> 105 * <td>Granting this permission is extremely dangerous, as malicious 106 * code may grant itself all the necessary permissions it needs 107 * to successfully mount an attack on the system.</td> 108 * </tr> 109 * 110 * <tr> 111 * <th scope="row">createPolicy.{policy type}</th> 112 * <td>Getting an instance of a Policy implementation from a provider</td> 113 * <td>Granting this permission enables code to obtain a Policy object. 114 * Malicious code may query the Policy object to determine what permissions 115 * have been granted to code other than itself.</td> 116 * </tr> 117 * 118 * <tr> 119 * <th scope="row">getProperty.{key}</th> 120 * <td>Retrieval of the security property with the specified key</td> 121 * <td>Depending on the particular key for which access has 122 * been granted, the code may have access to the list of security 123 * providers, as well as the location of the system-wide and user 124 * security policies. while revealing this information does not 125 * compromise the security of the system, it does provide malicious 126 * code with additional information which it may use to better aim 127 * an attack.</td> 128 * </tr> 129 * 130 * <tr> 131 * <th scope="row">setProperty.{key}</th> 132 * <td>Setting of the security property with the specified key</td> 133 * <td>This could include setting a security provider or defining 134 * the location of the system-wide security policy. Malicious 135 * code that has permission to set a new security provider may 136 * set a rogue provider that steals confidential information such 137 * as cryptographic private keys. In addition, malicious code with 138 * permission to set the location of the system-wide security policy 139 * may point it to a security policy that grants the attacker 140 * all the necessary permissions it requires to successfully mount 141 * an attack on the system.</td> 142 * </tr> 143 * 144 * <tr> 145 * <th scope="row">insertProvider</th> 146 * <td>Addition of a new provider</td> 147 * <td>This would allow somebody to introduce a possibly 148 * malicious provider (e.g., one that discloses the private keys passed 149 * to it) as the highest-priority provider. This would be possible 150 * because the Security object (which manages the installed providers) 151 * currently does not check the integrity or authenticity of a provider 152 * before attaching it. The "insertProvider" permission subsumes the 153 * "insertProvider.{provider name}" permission (see the section below for 154 * more information).</td> 155 * </tr> 156 * 157 * <tr> 158 * <th scope="row">removeProvider.{provider name}</th> 159 * <td>Removal of the specified provider</td> 160 * <td>This may change the behavior or disable execution of other 161 * parts of the program. If a provider subsequently requested by the 162 * program has been removed, execution may fail. Also, if the removed 163 * provider is not explicitly requested by the rest of the program, but 164 * it would normally be the provider chosen when a cryptography service 165 * is requested (due to its previous order in the list of providers), 166 * a different provider will be chosen instead, or no suitable provider 167 * will be found, thereby resulting in program failure.</td> 168 * </tr> 169 * 170 * <tr> 171 * <th scope="row">clearProviderProperties.{provider name}</th> 172 * <td>"Clearing" of a Provider so that it no longer contains the properties 173 * used to look up services implemented by the provider</td> 174 * <td>This disables the lookup of services implemented by the provider. 175 * This may thus change the behavior or disable execution of other 176 * parts of the program that would normally utilize the Provider, as 177 * described under the "removeProvider.{provider name}" permission.</td> 178 * </tr> 179 * 180 * <tr> 181 * <th scope="row">putProviderProperty.{provider name}</th> 182 * <td>Setting of properties for the specified Provider</td> 183 * <td>The provider properties each specify the name and location 184 * of a particular service implemented by the provider. By granting 185 * this permission, you let code replace the service specification 186 * with another one, thereby specifying a different implementation.</td> 187 * </tr> 188 * 189 * <tr> 190 * <th scope="row">removeProviderProperty.{provider name}</th> 191 * <td>Removal of properties from the specified Provider</td> 192 * <td>This disables the lookup of services implemented by the 193 * provider. They are no longer accessible due to removal of the properties 194 * specifying their names and locations. This 195 * may change the behavior or disable execution of other 196 * parts of the program that would normally utilize the Provider, as 197 * described under the "removeProvider.{provider name}" permission.</td> 198 * </tr> 199 * 200 * </tbody> 201 * </table> 202 * 203 * <P> 204 * The following permissions have been superseded by newer permissions or are 205 * associated with classes that have been deprecated: {@link Identity}, 206 * {@link IdentityScope}, {@link Signer}. Use of them is discouraged. See the 207 * applicable classes for more information. 208 * 209 * <table class="striped"> 210 * <caption style="display:none">target name, what the permission allows, and associated risks</caption> 211 * <thead> 212 * <tr> 213 * <th scope="col">Permission Target Name</th> 214 * <th scope="col">What the Permission Allows</th> 215 * <th scope="col">Risks of Allowing this Permission</th> 216 * </tr> 217 * </thead> 218 * 219 * <tbody> 220 * <tr> 221 * <th scope="row">insertProvider.{provider name}</th> 222 * <td>Addition of a new provider, with the specified name</td> 223 * <td>Use of this permission is discouraged from further use because it is 224 * possible to circumvent the name restrictions by overriding the 225 * {@link java.security.Provider#getName} method. Also, there is an equivalent 226 * level of risk associated with granting code permission to insert a provider 227 * with a specific name, or any name it chooses. Users should use the 228 * "insertProvider" permission instead. 229 * <p>This would allow somebody to introduce a possibly 230 * malicious provider (e.g., one that discloses the private keys passed 231 * to it) as the highest-priority provider. This would be possible 232 * because the Security object (which manages the installed providers) 233 * currently does not check the integrity or authenticity of a provider 234 * before attaching it.</td> 235 * </tr> 236 * 237 * <tr> 238 * <th scope="row">setSystemScope</th> 239 * <td>Setting of the system identity scope</td> 240 * <td>This would allow an attacker to configure the system identity scope with 241 * certificates that should not be trusted, thereby granting applet or 242 * application code signed with those certificates privileges that 243 * would have been denied by the system's original identity scope.</td> 244 * </tr> 245 * 246 * <tr> 247 * <th scope="row">setIdentityPublicKey</th> 248 * <td>Setting of the public key for an Identity</td> 249 * <td>If the identity is marked as "trusted", this allows an attacker to 250 * introduce a different public key (e.g., its own) that is not trusted 251 * by the system's identity scope, thereby granting applet or 252 * application code signed with that public key privileges that 253 * would have been denied otherwise.</td> 254 * </tr> 255 * 256 * <tr> 257 * <th scope="row">setIdentityInfo</th> 258 * <td>Setting of a general information string for an Identity</td> 259 * <td>This allows attackers to set the general description for 260 * an identity. This may trick applications into using a different 261 * identity than intended or may prevent applications from finding a 262 * particular identity.</td> 263 * </tr> 264 * 265 * <tr> 266 * <th scope="row">addIdentityCertificate</th> 267 * <td>Addition of a certificate for an Identity</td> 268 * <td>This allows attackers to set a certificate for 269 * an identity's public key. This is dangerous because it affects 270 * the trust relationship across the system. This public key suddenly 271 * becomes trusted to a wider audience than it otherwise would be.</td> 272 * </tr> 273 * 274 * <tr> 275 * <th scope="row">removeIdentityCertificate</th> 276 * <td>Removal of a certificate for an Identity</td> 277 * <td>This allows attackers to remove a certificate for 278 * an identity's public key. This is dangerous because it affects 279 * the trust relationship across the system. This public key suddenly 280 * becomes considered less trustworthy than it otherwise would be.</td> 281 * </tr> 282 * 283 * <tr> 284 * <th scope="row">printIdentity</th> 285 * <td>Viewing the name of a principal 286 * and optionally the scope in which it is used, and whether 287 * or not it is considered "trusted" in that scope</td> 288 * <td>The scope that is printed out may be a filename, in which case 289 * it may convey local system information. For example, here's a sample 290 * printout of an identity named "carol", who is 291 * marked not trusted in the user's identity database:<br> 292 * carol[/home/luehe/identitydb.obj][not trusted]</td> 293 *</tr> 294 * 295 * <tr> 296 * <th scope="row">getSignerPrivateKey</th> 297 * <td>Retrieval of a Signer's private key</td> 298 * <td>It is very dangerous to allow access to a private key; private 299 * keys are supposed to be kept secret. Otherwise, code can use the 300 * private key to sign various files and claim the signature came from 301 * the Signer.</td> 302 * </tr> 303 * 304 * <tr> 305 * <th scope="row">setSignerKeyPair</th> 306 * <td>Setting of the key pair (public key and private key) for a Signer</td> 307 * <td>This would allow an attacker to replace somebody else's (the "target's") 308 * keypair with a possibly weaker keypair (e.g., a keypair of a smaller 309 * keysize). This also would allow the attacker to listen in on encrypted 310 * communication between the target and its peers. The target's peers 311 * might wrap an encryption session key under the target's "new" public 312 * key, which would allow the attacker (who possesses the corresponding 313 * private key) to unwrap the session key and decipher the communication 314 * data encrypted under that session key.</td> 315 * </tr> 316 * 317 * </tbody> 318 * </table> 319 * 320 * @implNote 321 * Implementations may define additional target names, but should use naming 322 * conventions such as reverse domain name notation to avoid name clashes. 323 * 324 * @see java.security.BasicPermission 325 * @see java.security.Permission 326 * @see java.security.Permissions 327 * @see java.security.PermissionCollection 328 * @see java.lang.SecurityManager 329 * 330 * 331 * @author Marianne Mueller 332 * @author Roland Schemers 333 * @since 1.2 334 */ 335 336 public final class SecurityPermission extends BasicPermission { 337 338 @java.io.Serial 339 private static final long serialVersionUID = 5236109936224050470L; 340 341 /** 342 * Creates a new SecurityPermission with the specified name. 343 * The name is the symbolic name of the SecurityPermission. An asterisk 344 * may appear at the end of the name, following a ".", or by itself, to 345 * signify a wildcard match. 346 * 347 * @param name the name of the SecurityPermission 348 * 349 * @throws NullPointerException if {@code name} is {@code null}. 350 * @throws IllegalArgumentException if {@code name} is empty. 351 */ SecurityPermission(String name)352 public SecurityPermission(String name) 353 { 354 super(name); 355 } 356 357 /** 358 * Creates a new SecurityPermission object with the specified name. 359 * The name is the symbolic name of the SecurityPermission, and the 360 * actions String is currently unused and should be null. 361 * 362 * @param name the name of the SecurityPermission 363 * @param actions should be null. 364 * 365 * @throws NullPointerException if {@code name} is {@code null}. 366 * @throws IllegalArgumentException if {@code name} is empty. 367 */ SecurityPermission(String name, String actions)368 public SecurityPermission(String name, String actions) 369 { 370 super(name, actions); 371 } 372 } 373