Source Code Cross Referenced for UnresolvedPermission.java (6.0 JDK Core » security » java.security)

/*
 * Copyright 1997-2006 Sun Microsystems, Inc.  All Rights Reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
 * under the terms of the GNU General Public License version 2 only, as
 * published by the Free Software Foundation.  Sun designates this
 * particular file as subject to the "Classpath" exception as provided
 * by Sun in the LICENSE file that accompanied this code.
 *
 * This code is distributed in the hope that it will be useful, but WITHOUT
 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
 * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
 * version 2 for more details (a copy is included in the LICENSE file that
 * accompanied this code).
 *
 * You should have received a copy of the GNU General Public License version
 * 2 along with this work; if not, write to the Free Software Foundation,
 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
 *
 * Please contact Sun Microsystems, Inc., 4150 Network Circle, Santa Clara,
 * CA 95054 USA or visit www.sun.com if you need additional information or
 * have any questions.
 */

package java.security;

import java.io.IOException;
import java.io.ByteArrayInputStream;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.Hashtable;
import java.util.Vector;
import java.lang.reflect.*;
import java.security.cert.*;

/**
 * The UnresolvedPermission class is used to hold Permissions that
 * were "unresolved" when the Policy was initialized.
 * An unresolved permission is one whose actual Permission class
 * does not yet exist at the time the Policy is initialized (see below).
 *
 * <p>The policy for a Java runtime (specifying
 * which permissions are available for code from various principals)
 * is represented by a Policy object.
 * Whenever a Policy is initialized or refreshed, Permission objects of
 * appropriate classes are created for all permissions
 * allowed by the Policy.
 *
 * <p>Many permission class types
 * referenced by the policy configuration are ones that exist
 * locally (i.e., ones that can be found on CLASSPATH).
 * Objects for such permissions can be instantiated during
 * Policy initialization. For example, it is always possible
 * to instantiate a java.io.FilePermission, since the
 * FilePermission class is found on the CLASSPATH.
 *
 * <p>Other permission classes may not yet exist during Policy
 * initialization. For example, a referenced permission class may
 * be in a JAR file that will later be loaded.
 * For each such class, an UnresolvedPermission is instantiated.
 * Thus, an UnresolvedPermission is essentially a "placeholder"
 * containing information about the permission.
 *
 * <p>Later, when code calls AccessController.checkPermission
 * on a permission of a type that was previously unresolved,
 * but whose class has since been loaded, previously-unresolved
 * permissions of that type are "resolved". That is,
 * for each such UnresolvedPermission, a new object of
 * the appropriate class type is instantiated, based on the
 * information in the UnresolvedPermission.
 *
 * <p> To instantiate the new class, UnresolvedPermission assumes
 * the class provides a zero, one, and/or two-argument constructor.
 * The zero-argument constructor would be used to instantiate
 * a permission without a name and without actions.
 * A one-arg constructor is assumed to take a <code>String</code>
 * name as input, and a two-arg constructor is assumed to take a
 * <code>String</code> name and <code>String</code> actions
 * as input.  UnresolvedPermission may invoke a
 * constructor with a <code>null</code> name and/or actions.
 * If an appropriate permission constructor is not available,
 * the UnresolvedPermission is ignored and the relevant permission
 * will not be granted to executing code.
 *
 * <p> The newly created permission object replaces the
 * UnresolvedPermission, which is removed.
 *
 * <p> Note that the <code>getName</code> method for an
 * <code>UnresolvedPermission</code> returns the
 * <code>type</code> (class name) for the underlying permission
 * that has not been resolved.
 *
 * @see java.security.Permission
 * @see java.security.Permissions
 * @see java.security.PermissionCollection
 * @see java.security.Policy
 *
 * @version 1.38 07/05/05
 *
 * @author Roland Schemers
 */

public final class UnresolvedPermission extends Permission implements
        java.io.Serializable {

    private static final long serialVersionUID = -4821973115467008846L;

    private static final sun.security.util.Debug debug = sun.security.util.Debug
            .getInstance("policy,access", "UnresolvedPermission");

    /**
     * The class name of the Permission class that will be
     * created when this unresolved permission is resolved.
     *
     * @serial
     */
    private String type;

    /**
     * The permission name.
     *
     * @serial
     */
    private String name;

    /**
     * The actions of the permission.
     *
     * @serial
     */
    private String actions;

    private transient java.security.cert.Certificate certs[];

    /**
     * Creates a new UnresolvedPermission containing the permission
     * information needed later to actually create a Permission of the
     * specified class, when the permission is resolved.
     *
     * @param type the class name of the Permission class that will be
     * created when this unresolved permission is resolved.
     * @param name the name of the permission.
     * @param actions the actions of the permission.
     * @param certs the certificates the permission's class was signed with.
     * This is a list of certificate chains, where each chain is composed of a
     * signer certificate and optionally its supporting certificate chain.
     * Each chain is ordered bottom-to-top (i.e., with the signer certificate
     * first and the (root) certificate authority last). The signer
     * certificates are copied from the array. Subsequent changes to
     * the array will not affect this UnresolvedPermission.
     */
    public UnresolvedPermission(String type, String name,
            String actions, java.security.cert.Certificate certs[]) {
        super(type);

        if (type == null)
            throw new NullPointerException("type can't be null");

        this.type = type;
        this.name = name;
        this.actions = actions;
        if (certs != null) {
            // Extract the signer certs from the list of certificates.
            for (int i = 0; i < certs.length; i++) {
                if (!(certs[i] instanceof X509Certificate)) {
                    // there is no concept of signer certs, so we store the
                    // entire cert array
                    this.certs = (java.security.cert.Certificate[]) certs
                            .clone();
                    break;
                }
            }

            if (this.certs == null) {
                // Go through the list of certs and see if all the certs are
                // signer certs.
                int i = 0;
                int count = 0;
                while (i < certs.length) {
                    count++;
                    while (((i + 1) < certs.length)
                            && ((X509Certificate) certs[i])
                                    .getIssuerDN()
                                    .equals(
                                            ((X509Certificate) certs[i + 1])
                                                    .getSubjectDN())) {
                        i++;
                    }
                    i++;
                }
                if (count == certs.length) {
                    // All the certs are signer certs, so we store the entire
                    // array
                    this.certs = (java.security.cert.Certificate[]) certs
                            .clone();
                }

                if (this.certs == null) {
                    // extract the signer certs
                    ArrayList<java.security.cert.Certificate> signerCerts = new ArrayList<java.security.cert.Certificate>();
                    i = 0;
                    while (i < certs.length) {
                        signerCerts.add(certs[i]);
                        while (((i + 1) < certs.length)
                                && ((X509Certificate) certs[i])
                                        .getIssuerDN()
                                        .equals(
                                                ((X509Certificate) certs[i + 1])
                                                        .getSubjectDN())) {
                            i++;
                        }
                        i++;
                    }
                    this.certs = new java.security.cert.Certificate[signerCerts
                            .size()];
                    signerCerts.toArray(this.certs);
                }
            }
        }
    }

    private static final Class[] PARAMS0 = {};
    private static final Class[] PARAMS1 = { String.class };
    private static final Class[] PARAMS2 = { String.class, String.class };

    /**
     * try and resolve this permission using the class loader of the permission
     * that was passed in.
     */
    Permission resolve(Permission p,
            java.security.cert.Certificate certs[]) {
        if (this.certs != null) {
            // if p wasn't signed, we don't have a match
            if (certs == null) {
                return null;
            }

            // all certs in this.certs must be present in certs
            boolean match;
            for (int i = 0; i < this.certs.length; i++) {
                match = false;
                for (int j = 0; j < certs.length; j++) {
                    if (this.certs[i].equals(certs[j])) {
                        match = true;
                        break;
                    }
                }
                if (!match)
                    return null;
            }
        }
        try {
            Class pc = p.getClass();

            if (name == null && actions == null) {
                try {
                    Constructor c = pc.getConstructor(PARAMS0);
                    return (Permission) c.newInstance(new Object[] {});
                } catch (NoSuchMethodException ne) {
                    try {
                        Constructor c = pc.getConstructor(PARAMS1);
                        return (Permission) c
                                .newInstance(new Object[] { name });
                    } catch (NoSuchMethodException ne1) {
                        Constructor c = pc.getConstructor(PARAMS2);
                        return (Permission) c.newInstance(new Object[] {
                                name, actions });
                    }
                }
            } else {
                if (name != null && actions == null) {
                    try {
                        Constructor c = pc.getConstructor(PARAMS1);
                        return (Permission) c
                                .newInstance(new Object[] { name });
                    } catch (NoSuchMethodException ne) {
                        Constructor c = pc.getConstructor(PARAMS2);
                        return (Permission) c.newInstance(new Object[] {
                                name, actions });
                    }
                } else {
                    Constructor c = pc.getConstructor(PARAMS2);
                    return (Permission) c.newInstance(new Object[] {
                            name, actions });
                }
            }
        } catch (NoSuchMethodException nsme) {
            if (debug != null) {
                debug
                        .println("NoSuchMethodException:\n  could not find "
                                + "proper constructor for " + type);
                nsme.printStackTrace();
            }
            return null;
        } catch (Exception e) {
            if (debug != null) {
                debug.println("unable to instantiate " + name);
                e.printStackTrace();
            }
            return null;
        }
    }

    /**
     * This method always returns false for unresolved permissions.
     * That is, an UnresolvedPermission is never considered to
     * imply another permission.
     *
     * @param p the permission to check against.
     *
     * @return false.
     */
    public boolean implies(Permission p) {
        return false;
    }

    /**
     * Checks two UnresolvedPermission objects for equality.
     * Checks that <i>obj</i> is an UnresolvedPermission, and has
     * the same type (class) name, permission name, actions, and
     * certificates as this object.
     *
     * <p> To determine certificate equality, this method only compares
     * actual signer certificates.  Supporting certificate chains
     * are not taken into consideration by this method.
     *
     * @param obj the object we are testing for equality with this object.
     *
     * @return true if obj is an UnresolvedPermission, and has the same
     * type (class) name, permission name, actions, and
     * certificates as this object.
     */
    public boolean equals(Object obj) {
        if (obj == this)
            return true;

        if (!(obj instanceof UnresolvedPermission))
            return false;
        UnresolvedPermission that = (UnresolvedPermission) obj;

        // check type
        if (!this.type.equals(that.type)) {
            return false;
        }

        // check name
        if (this.name == null) {
            if (that.name != null) {
                return false;
            }
        } else if (!this.name.equals(that.name)) {
            return false;
        }

        // check actions
        if (this.actions == null) {
            if (that.actions != null) {
                return false;
            }
        } else {
            if (!this.actions.equals(that.actions)) {
                return false;
            }
        }

        // check certs
        if ((this.certs == null && that.certs != null)
                || (this.certs != null && that.certs == null)
                || (this.certs != null && that.certs != null && this.certs.length != that.certs.length)) {
            return false;
        }

        int i, j;
        boolean match;

        for (i = 0; this.certs != null && i < this.certs.length; i++) {
            match = false;
            for (j = 0; j < that.certs.length; j++) {
                if (this.certs[i].equals(that.certs[j])) {
                    match = true;
                    break;
                }
            }
            if (!match)
                return false;
        }

        for (i = 0; that.certs != null && i < that.certs.length; i++) {
            match = false;
            for (j = 0; j < this.certs.length; j++) {
                if (that.certs[i].equals(this.certs[j])) {
                    match = true;
                    break;
                }
            }
            if (!match)
                return false;
        }
        return true;
    }

    /**
     * Returns the hash code value for this object.
     *
     * @return a hash code value for this object.
     */

    public int hashCode() {
        int hash = type.hashCode();
        if (name != null)
            hash ^= name.hashCode();
        if (actions != null)
            hash ^= actions.hashCode();
        return hash;
    }

    /**
     * Returns the canonical string representation of the actions,
     * which currently is the empty string "", since there are no actions for
     * an UnresolvedPermission. That is, the actions for the
     * permission that will be created when this UnresolvedPermission
     * is resolved may be non-null, but an UnresolvedPermission
     * itself is never considered to have any actions.
     *
     * @return the empty string "".
     */
    public String getActions() {
        return "";
    }

    /**
     * Get the type (class name) of the underlying permission that
     * has not been resolved.
     *
     * @return the type (class name) of the underlying permission that
     *         has not been resolved
     *
     * @since 1.5
     */
    public String getUnresolvedType() {
        return type;
    }

    /**
     * Get the target name of the underlying permission that
     * has not been resolved.
     *
     * @return the target name of the underlying permission that
     *         has not been resolved, or <code>null</code>,
     *         if there is no target name
     *
     * @since 1.5
     */
    public String getUnresolvedName() {
        return name;
    }

    /**
     * Get the actions for the underlying permission that
     * has not been resolved.
     *
     * @return the actions for the underlying permission that
     *         has not been resolved, or <code>null</code>
     *         if there are no actions
     *
     * @since 1.5
     */
    public String getUnresolvedActions() {
        return actions;
    }

    /**
     * Get the signer certificates (without any supporting chain)
     * for the underlying permission that has not been resolved.
     *
     * @return the signer certificates for the underlying permission that
     * has not been resolved, or null, if there are no signer certificates.
     * Returns a new array each time this method is called.
     *
     * @since 1.5
     */
    public java.security.cert.Certificate[] getUnresolvedCerts() {
        return (certs == null) ? null
                : (java.security.cert.Certificate[]) certs.clone();
    }

    /**
     * Returns a string describing this UnresolvedPermission.  The convention
     * is to specify the class name, the permission name, and the actions, in
     * the following format: '(unresolved "ClassName" "name" "actions")'.
     *
     * @return information about this UnresolvedPermission.
     */
    public String toString() {
        return "(unresolved " + type + " " + name + " " + actions + ")";
    }

    /**
     * Returns a new PermissionCollection object for storing
     * UnresolvedPermission  objects.
     * <p>
     * @return a new PermissionCollection object suitable for
     * storing UnresolvedPermissions.
     */

    public PermissionCollection newPermissionCollection() {
        return new UnresolvedPermissionCollection();
    }

    /**
     * Writes this object out to a stream (i.e., serializes it).
     *
     * @serialData An initial <code>String</code> denoting the
     * <code>type</code> is followed by a <code>String</code> denoting the
     * <code>name</code> is followed by a <code>String</code> denoting the
     * <code>actions</code> is followed by an <code>int</code> indicating the
     * number of certificates to follow
     * (a value of "zero" denotes that there are no certificates associated
     * with this object).
     * Each certificate is written out starting with a <code>String</code>
     * denoting the certificate type, followed by an
     * <code>int</code> specifying the length of the certificate encoding,
     * followed by the certificate encoding itself which is written out as an
     * array of bytes.
     */
    private void writeObject(java.io.ObjectOutputStream oos)
            throws IOException {
        oos.defaultWriteObject();

        if (certs == null || certs.length == 0) {
            oos.writeInt(0);
        } else {
            // write out the total number of certs
            oos.writeInt(certs.length);
            // write out each cert, including its type
            for (int i = 0; i < certs.length; i++) {
                java.security.cert.Certificate cert = certs[i];
                try {
                    oos.writeUTF(cert.getType());
                    byte[] encoded = cert.getEncoded();
                    oos.writeInt(encoded.length);
                    oos.write(encoded);
                } catch (CertificateEncodingException cee) {
                    throw new IOException(cee.getMessage());
                }
            }
        }
    }

    /**
     * Restores this object from a stream (i.e., deserializes it).
     */
    private void readObject(java.io.ObjectInputStream ois)
            throws IOException, ClassNotFoundException {
        CertificateFactory cf;
        Hashtable<String, CertificateFactory> cfs = null;

        ois.defaultReadObject();

        if (type == null)
            throw new NullPointerException("type can't be null");

        // process any new-style certs in the stream (if present)
        int size = ois.readInt();
        if (size > 0) {
            // we know of 3 different cert types: X.509, PGP, SDSI, which
            // could all be present in the stream at the same time
            cfs = new Hashtable<String, CertificateFactory>(3);
            this.certs = new java.security.cert.Certificate[size];
        }

        for (int i = 0; i < size; i++) {
            // read the certificate type, and instantiate a certificate
            // factory of that type (reuse existing factory if possible)
            String certType = ois.readUTF();
            if (cfs.containsKey(certType)) {
                // reuse certificate factory
                cf = cfs.get(certType);
            } else {
                // create new certificate factory
                try {
                    cf = CertificateFactory.getInstance(certType);
                } catch (CertificateException ce) {
                    throw new ClassNotFoundException(
                            "Certificate factory for " + certType
                                    + " not found");
                }
                // store the certificate factory so we can reuse it later
                cfs.put(certType, cf);
            }
            // parse the certificate
            byte[] encoded = null;
            try {
                encoded = new byte[ois.readInt()];
            } catch (OutOfMemoryError oome) {
                throw new IOException("Certificate too big");
            }
            ois.readFully(encoded);
            ByteArrayInputStream bais = new ByteArrayInputStream(
                    encoded);
            try {
                this.certs[i] = cf.generateCertificate(bais);
            } catch (CertificateException ce) {
                throw new IOException(ce.getMessage());
            }
            bais.close();
        }
    }
}
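
The placeholder and resolution behaviour described in the class comment, as an added example that is not part of the JDK source above. `UnresolvedPermissionDemo`, `PluginPermission` and `OddPermission` are hypothetical names; the example assumes the standard `java.security.Permissions` collection, which resolves stored placeholders the first time a permission of the matching class is checked.

```java
import java.security.BasicPermission;
import java.security.Permission;
import java.security.Permissions;
import java.security.UnresolvedPermission;

public class UnresolvedPermissionDemo {

    /** Hypothetical permission type offering the (String, String) constructor. */
    public static final class PluginPermission extends BasicPermission {
        private static final long serialVersionUID = 1L;

        public PluginPermission(String name, String actions) {
            super(name, actions);
        }
    }

    /** Hypothetical permission type with none of the constructors resolve() tries. */
    public static final class OddPermission extends BasicPermission {
        private static final long serialVersionUID = 1L;

        public OddPermission(String name, int level) {
            super(name);
        }
    }

    /** Prints the observed value and fails loudly if it differs from the documented one. */
    static void check(String what, Object actual, Object expected) {
        System.out.println(what + " -> " + actual);
        if (!expected.equals(actual)) {
            throw new AssertionError(what + ": expected " + expected);
        }
    }

    public static void main(String[] args) {
        String pluginType = PluginPermission.class.getName();

        // What a policy provider stores when the permission class cannot be
        // loaded yet: type, target name, actions and (here absent) signer certs.
        UnresolvedPermission placeholder =
                new UnresolvedPermission(pluginType, "plugin.load", null, null);

        // getName() reports the class name of the pending permission, not its
        // target; the target name and actions have their own accessors.
        check("getName()", placeholder.getName(), pluginType);
        check("getUnresolvedName()", placeholder.getUnresolvedName(), "plugin.load");
        check("getActions()", placeholder.getActions(), "");

        // On its own the placeholder grants nothing, even for an exact match.
        Permission wanted = new PluginPermission("plugin.load", null);
        check("placeholder.implies(wanted)", placeholder.implies(wanted), false);

        Permissions granted = new Permissions();
        granted.add(placeholder);
        granted.add(new UnresolvedPermission(
                OddPermission.class.getName(), "odd.target", null, null));

        // Checking a PluginPermission makes the collection resolve the stored
        // placeholder. The name is set and the actions are null, so the
        // one-String constructor is tried first; PluginPermission lacks it and
        // the two-String constructor is invoked with null actions.
        check("granted.implies(plugin.load)", granted.implies(wanted), true);

        // Resolution grants only what the placeholder recorded.
        check("granted.implies(plugin.unload)",
                granted.implies(new PluginPermission("plugin.unload", null)), false);

        // No usable constructor: the placeholder is ignored and the permission
        // is not granted, so a policy entry for this type has no effect.
        check("granted.implies(odd.target)",
                granted.implies(new OddPermission("odd.target", 1)), false);
    }
}
```

A permission class shipped in a later-loaded JAR needs a public zero-, one- or two-`String` constructor, otherwise its policy grants never take effect, as the last check shows.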