001 /*
002 * Copyright 1997-2006 Sun Microsystems, Inc. All Rights Reserved.
003 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
004 *
005 * This code is free software; you can redistribute it and/or modify it
006 * under the terms of the GNU General Public License version 2 only, as
007 * published by the Free Software Foundation. Sun designates this
008 * particular file as subject to the "Classpath" exception as provided
009 * by Sun in the LICENSE file that accompanied this code.
010 *
011 * This code is distributed in the hope that it will be useful, but WITHOUT
012 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
013 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
014 * version 2 for more details (a copy is included in the LICENSE file that
015 * accompanied this code).
016 *
017 * You should have received a copy of the GNU General Public License version
018 * 2 along with this work; if not, write to the Free Software Foundation,
019 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
020 *
021 * Please contact Sun Microsystems, Inc., 4150 Network Circle, Santa Clara,
022 * CA 95054 USA or visit www.sun.com if you need additional information or
023 * have any questions.
024 */
025
026 package java.security;
027
028 import java.security.*;
029 import java.util.Enumeration;
030 import java.util.Hashtable;
031 import java.util.StringTokenizer;
032
033 /**
034 * This class is for security permissions.
035 * A SecurityPermission contains a name (also referred to as a "target name")
036 * but no actions list; you either have the named permission
037 * or you don't.
038 * <P>
039 * The target name is the name of a security configuration parameter (see below).
040 * Currently the SecurityPermission object is used to guard access
041 * to the Policy, Security, Provider, Signer, and Identity
042 * objects.
043 * <P>
044 * The following table lists all the possible SecurityPermission target names,
045 * and for each provides a description of what the permission allows
046 * and a discussion of the risks of granting code the permission.
047 * <P>
048 *
049 * <table border=1 cellpadding=5 summary="target name,what the permission allows, and associated risks">
050 * <tr>
051 * <th>Permission Target Name</th>
052 * <th>What the Permission Allows</th>
053 * <th>Risks of Allowing this Permission</th>
054 * </tr>
055 *
056 * <tr>
057 * <td>createAccessControlContext</td>
058 * <td>Creation of an AccessControlContext</td>
059 * <td>This allows someone to instantiate an AccessControlContext
060 * with a <code>DomainCombiner</code>. Extreme care must be taken when
061 * granting this permission. Malicious code could create a DomainCombiner
062 * that augments the set of permissions granted to code, and even grant the
063 * code {@link java.security.AllPermission}.</td>
064 * </tr>
065 *
066 * <tr>
067 * <td>getDomainCombiner</td>
068 * <td>Retrieval of an AccessControlContext's DomainCombiner</td>
069 * <td>This allows someone to retrieve an AccessControlContext's
070 * <code>DomainCombiner</code>. Since DomainCombiners may contain
071 * sensitive information, this could potentially lead to a privacy leak.</td>
072 * </tr>
073 *
074 * <tr>
075 * <td>getPolicy</td>
076 * <td>Retrieval of the system-wide security policy (specifically, of the
077 * currently-installed Policy object)</td>
078 * <td>This allows someone to query the policy via the
079 * <code>getPermissions</code> call,
080 * which discloses which permissions would be granted to a given CodeSource.
081 * While revealing the policy does not compromise the security of
082 * the system, it does provide malicious code with additional information
083 * which it may use to better aim an attack. It is wise
084 * not to divulge more information than necessary.</td>
085 * </tr>
086 *
087 * <tr>
088 * <td>setPolicy</td>
089 * <td>Setting of the system-wide security policy (specifically,
090 * the Policy object)</td>
091 * <td>Granting this permission is extremely dangerous, as malicious
092 * code may grant itself all the necessary permissions it needs
093 * to successfully mount an attack on the system.</td>
094 * </tr>
095 *
096 * <tr>
097 * <td>createPolicy.{policy type}</td>
098 * <td>Getting an instance of a Policy implementation from a provider</td>
099 * <td>Granting this permission enables code to obtain a Policy object.
100 * Malicious code may query the Policy object to determine what permissions
101 * have been granted to code other than itself. </td>
102 * </tr>
103 *
104 * <tr>
105 * <td>getProperty.{key}</td>
106 * <td>Retrieval of the security property with the specified key</td>
107 * <td>Depending on the particular key for which access has
108 * been granted, the code may have access to the list of security
109 * providers, as well as the location of the system-wide and user
110 * security policies. while revealing this information does not
111 * compromise the security of the system, it does provide malicious
112 * code with additional information which it may use to better aim
113 * an attack.
114 </td>
115 * </tr>
116 *
117 * <tr>
118 * <td>setProperty.{key}</td>
119 * <td>Setting of the security property with the specified key</td>
120 * <td>This could include setting a security provider or defining
121 * the location of the the system-wide security policy. Malicious
122 * code that has permission to set a new security provider may
123 * set a rogue provider that steals confidential information such
124 * as cryptographic private keys. In addition, malicious code with
125 * permission to set the location of the system-wide security policy
126 * may point it to a security policy that grants the attacker
127 * all the necessary permissions it requires to successfully mount
128 * an attack on the system.
129 </td>
130 * </tr>
131 *
132 * <tr>
133 * <td>insertProvider.{provider name}</td>
134 * <td>Addition of a new provider, with the specified name</td>
135 * <td>This would allow somebody to introduce a possibly
136 * malicious provider (e.g., one that discloses the private keys passed
137 * to it) as the highest-priority provider. This would be possible
138 * because the Security object (which manages the installed providers)
139 * currently does not check the integrity or authenticity of a provider
140 * before attaching it.</td>
141 * </tr>
142 *
143 * <tr>
144 * <td>removeProvider.{provider name}</td>
145 * <td>Removal of the specified provider</td>
146 * <td>This may change the behavior or disable execution of other
147 * parts of the program. If a provider subsequently requested by the
148 * program has been removed, execution may fail. Also, if the removed
149 * provider is not explicitly requested by the rest of the program, but
150 * it would normally be the provider chosen when a cryptography service
151 * is requested (due to its previous order in the list of providers),
152 * a different provider will be chosen instead, or no suitable provider
153 * will be found, thereby resulting in program failure.</td>
154 * </tr>
155 *
156 * <tr>
157 * <td>clearProviderProperties.{provider name}</td>
158 * <td>"Clearing" of a Provider so that it no longer contains the properties
159 * used to look up services implemented by the provider</td>
160 * <td>This disables the lookup of services implemented by the provider.
161 * This may thus change the behavior or disable execution of other
162 * parts of the program that would normally utilize the Provider, as
163 * described under the "removeProvider.{provider name}" permission.</td>
164 * </tr>
165 *
166 * <tr>
167 * <td>putProviderProperty.{provider name}</td>
168 * <td>Setting of properties for the specified Provider</td>
169 * <td>The provider properties each specify the name and location
170 * of a particular service implemented by the provider. By granting
171 * this permission, you let code replace the service specification
172 * with another one, thereby specifying a different implementation.</td>
173 * </tr>
174 *
175 * <tr>
176 * <td>removeProviderProperty.{provider name}</td>
177 * <td>Removal of properties from the specified Provider</td>
178 * <td>This disables the lookup of services implemented by the
179 * provider. They are no longer accessible due to removal of the properties
180 * specifying their names and locations. This
181 * may change the behavior or disable execution of other
182 * parts of the program that would normally utilize the Provider, as
183 * described under the "removeProvider.{provider name}" permission.</td>
184 * </tr>
185 *
186 * </table>
187 *
188 * <P>
189 * The following permissions are associated with classes that have been
190 * deprecated: {@link Identity}, {@link IdentityScope}, {@link Signer}. Use of
191 * them is discouraged. See the applicable classes for more information.
192 * <P>
193 *
194 * <table border=1 cellpadding=5 summary="target name,what the permission allows, and associated risks">
195 * <tr>
196 * <th>Permission Target Name</th>
197 * <th>What the Permission Allows</th>
198 * <th>Risks of Allowing this Permission</th>
199 * </tr>
200 *
201 * <tr>
202 * <td>setSystemScope</td>
203 * <td>Setting of the system identity scope</td>
204 * <td>This would allow an attacker to configure the system identity scope with
205 * certificates that should not be trusted, thereby granting applet or
206 * application code signed with those certificates privileges that
207 * would have been denied by the system's original identity scope.</td>
208 * </tr>
209 *
210 * <tr>
211 * <td>setIdentityPublicKey</td>
212 * <td>Setting of the public key for an Identity</td>
213 * <td>If the identity is marked as "trusted", this allows an attacker to
214 * introduce a different public key (e.g., its own) that is not trusted
215 * by the system's identity scope, thereby granting applet or
216 * application code signed with that public key privileges that
217 * would have been denied otherwise.</td>
218 * </tr>
219 *
220 * <tr>
221 * <td>setIdentityInfo</td>
222 * <td>Setting of a general information string for an Identity</td>
223 * <td>This allows attackers to set the general description for
224 * an identity. This may trick applications into using a different
225 * identity than intended or may prevent applications from finding a
226 * particular identity.</td>
227 * </tr>
228 *
229 * <tr>
230 * <td>addIdentityCertificate</td>
231 * <td>Addition of a certificate for an Identity</td>
232 * <td>This allows attackers to set a certificate for
233 * an identity's public key. This is dangerous because it affects
234 * the trust relationship across the system. This public key suddenly
235 * becomes trusted to a wider audience than it otherwise would be.</td>
236 * </tr>
237 *
238 * <tr>
239 * <td>removeIdentityCertificate</td>
240 * <td>Removal of a certificate for an Identity</td>
241 * <td>This allows attackers to remove a certificate for
242 * an identity's public key. This is dangerous because it affects
243 * the trust relationship across the system. This public key suddenly
244 * becomes considered less trustworthy than it otherwise would be.</td>
245 * </tr>
246 *
247 * <tr>
248 * <td>printIdentity</td>
249 * <td>Viewing the name of a principal
250 * and optionally the scope in which it is used, and whether
251 * or not it is considered "trusted" in that scope</td>
252 * <td>The scope that is printed out may be a filename, in which case
253 * it may convey local system information. For example, here's a sample
254 * printout of an identity named "carol", who is
255 * marked not trusted in the user's identity database:<br>
256 * carol[/home/luehe/identitydb.obj][not trusted]</td>
257 *</tr>
258 *
259 * <tr>
260 * <td>getSignerPrivateKey</td>
261 * <td>Retrieval of a Signer's private key</td>
262 * <td>It is very dangerous to allow access to a private key; private
263 * keys are supposed to be kept secret. Otherwise, code can use the
264 * private key to sign various files and claim the signature came from
265 * the Signer.</td>
266 * </tr>
267 *
268 * <tr>
269 * <td>setSignerKeyPair</td>
270 * <td>Setting of the key pair (public key and private key) for a Signer</td>
271 * <td>This would allow an attacker to replace somebody else's (the "target's")
272 * keypair with a possibly weaker keypair (e.g., a keypair of a smaller
273 * keysize). This also would allow the attacker to listen in on encrypted
274 * communication between the target and its peers. The target's peers
275 * might wrap an encryption session key under the target's "new" public
276 * key, which would allow the attacker (who possesses the corresponding
277 * private key) to unwrap the session key and decipher the communication
278 * data encrypted under that session key.</td>
279 * </tr>
280 *
281 * </table>
282 *
283 * @see java.security.BasicPermission
284 * @see java.security.Permission
285 * @see java.security.Permissions
286 * @see java.security.PermissionCollection
287 * @see java.lang.SecurityManager
288 *
289 * @version 1.38 07/05/05
290 *
291 * @author Marianne Mueller
292 * @author Roland Schemers
293 */
294
295 public final class SecurityPermission extends BasicPermission {
296
297 private static final long serialVersionUID = 5236109936224050470L;
298
299 /**
300 * Creates a new SecurityPermission with the specified name.
301 * The name is the symbolic name of the SecurityPermission. An asterisk
302 * may appear at the end of the name, following a ".", or by itself, to
303 * signify a wildcard match.
304 *
305 * @param name the name of the SecurityPermission
306 *
307 * @throws NullPointerException if <code>name</code> is <code>null</code>.
308 * @throws IllegalArgumentException if <code>name</code> is empty.
309 */
310
311 public SecurityPermission(String name) {
312 super (name);
313 }
314
315 /**
316 * Creates a new SecurityPermission object with the specified name.
317 * The name is the symbolic name of the SecurityPermission, and the
318 * actions String is currently unused and should be null.
319 *
320 * @param name the name of the SecurityPermission
321 * @param actions should be null.
322 *
323 * @throws NullPointerException if <code>name</code> is <code>null</code>.
324 * @throws IllegalArgumentException if <code>name</code> is empty.
325 */
326
327 public SecurityPermission(String name, String actions) {
328 super(name, actions);
329 }
330 }
|