/* * Copyright (c) 1997, 2015, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License version 2 only, as * published by the Free Software Foundation. Oracle designates this * particular file as subject to the "Classpath" exception as provided * by Oracle in the LICENSE file that accompanied this code. * * This code is distributed in the hope that it will be useful, but WITHOUT * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License * version 2 for more details (a copy is included in the LICENSE file that * accompanied this code). * * You should have received a copy of the GNU General Public License version * 2 along with this work; if not, write to the Free Software Foundation, * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. * * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA * or visit www.oracle.com if you need additional information or have any * questions. */ package java.security; import java.util.ArrayList; import java.util.List; import sun.security.util.Debug; import sun.security.util.SecurityConstants; /** * An AccessControlContext is used to make system resource access decisions * based on the context it encapsulates. * *
More specifically, it encapsulates a context and * has a single method, {@code checkPermission}, * that is equivalent to the {@code checkPermission} method * in the AccessController class, with one difference: The AccessControlContext * {@code checkPermission} method makes access decisions based on the * context it encapsulates, * rather than that of the current execution thread. * *
Thus, the purpose of AccessControlContext is for those situations where * a security check that should be made within a given context * actually needs to be done from within a * different context (for example, from within a worker thread). * *
An AccessControlContext is created by calling the * {@code AccessController.getContext} method. * The {@code getContext} method takes a "snapshot" * of the current calling context, and places * it in an AccessControlContext object, which it returns. A sample call is * the following: * *
* AccessControlContext acc = AccessController.getContext() ** *
* Code within a different context can subsequently call the * {@code checkPermission} method on the * previously-saved AccessControlContext object. A sample call is the * following: * *
* acc.checkPermission(permission) ** * @see AccessController * * @author Roland Schemers */ public final class AccessControlContext { private ProtectionDomain context[]; // isPrivileged and isAuthorized are referenced by the VM - do not remove // or change their names private boolean isPrivileged; private boolean isAuthorized = false; // Note: This field is directly used by the virtual machine // native codes. Don't touch it. private AccessControlContext privilegedContext; private DomainCombiner combiner = null; // limited privilege scope private Permission permissions[]; private AccessControlContext parent; private boolean isWrapped; // is constrained by limited privilege scope? private boolean isLimited; private ProtectionDomain limitedContext[]; private static boolean debugInit = false; private static Debug debug = null; static Debug getDebug() { if (debugInit) return debug; else { if (Policy.isSet()) { debug = Debug.getInstance("access"); debugInit = true; } return debug; } } /** * Create an AccessControlContext with the given array of ProtectionDomains. * Context must not be null. Duplicate domains will be removed from the * context. * * @param context the ProtectionDomains associated with this context. * The non-duplicate domains are copied from the array. Subsequent * changes to the array will not affect this AccessControlContext. * @throws NullPointerException if {@code context} is {@code null} */ public AccessControlContext(ProtectionDomain context[]) { if (context.length == 0) { this.context = null; } else if (context.length == 1) { if (context[0] != null) { this.context = context.clone(); } else { this.context = null; } } else { List
* * @param acc the {@code AccessControlContext} associated * with the provided {@code DomainCombiner}. * * @param combiner the {@code DomainCombiner} to be associated * with the provided {@code AccessControlContext}. * * @exception NullPointerException if the provided * {@code context} is {@code null}. * * @exception SecurityException if a security manager is installed and the * caller does not have the "createAccessControlContext" * {@link SecurityPermission} * @since 1.3 */ public AccessControlContext(AccessControlContext acc, DomainCombiner combiner) { this(acc, combiner, false); } /** * package private to allow calls from ProtectionDomain without performing * the security check for {@linkplain SecurityConstants.CREATE_ACC_PERMISSION} * permission */ AccessControlContext(AccessControlContext acc, DomainCombiner combiner, boolean preauthorized) { if (!preauthorized) { SecurityManager sm = System.getSecurityManager(); if (sm != null) { sm.checkPermission(SecurityConstants.CREATE_ACC_PERMISSION); this.isAuthorized = true; } } else { this.isAuthorized = true; } this.context = acc.context; // we do not need to run the combine method on the // provided ACC. it was already "combined" when the // context was originally retrieved. // // at this point in time, we simply throw away the old // combiner and use the newly provided one. this.combiner = combiner; } /** * package private for AccessController * * This "argument wrapper" context will be passed as the actual context * parameter on an internal doPrivileged() call used in the implementation. */ AccessControlContext(ProtectionDomain caller, DomainCombiner combiner, AccessControlContext parent, AccessControlContext context, Permission[] perms) { /* * Combine the domains from the doPrivileged() context into our * wrapper context, if necessary. */ ProtectionDomain[] callerPDs = null; if (caller != null) { callerPDs = new ProtectionDomain[] { caller }; } if (context != null) { if (combiner != null) { this.context = combiner.combine(callerPDs, context.context); } else { this.context = combine(callerPDs, context.context); } } else { /* * Call combiner even if there is seemingly nothing to combine. */ if (combiner != null) { this.context = combiner.combine(callerPDs, null); } else { this.context = combine(callerPDs, null); } } this.combiner = combiner; Permission[] tmp = null; if (perms != null) { tmp = new Permission[perms.length]; for (int i=0; i < perms.length; i++) { if (perms[i] == null) { throw new NullPointerException("permission can't be null"); } /* * An AllPermission argument is equivalent to calling * doPrivileged() without any limit permissions. */ if (perms[i].getClass() == AllPermission.class) { parent = null; } tmp[i] = perms[i]; } } /* * For a doPrivileged() with limited privilege scope, initialize * the relevant fields. * * The limitedContext field contains the union of all domains which * are enclosed by this limited privilege scope. In other words, * it contains all of the domains which could potentially be checked * if none of the limiting permissions implied a requested permission. */ if (parent != null) { this.limitedContext = combine(parent.context, parent.limitedContext); this.isLimited = true; this.isWrapped = true; this.permissions = tmp; this.parent = parent; this.privilegedContext = context; // used in checkPermission2() } this.isAuthorized = true; } /** * package private constructor for AccessController.getContext() */ AccessControlContext(ProtectionDomain context[], boolean isPrivileged) { this.context = context; this.isPrivileged = isPrivileged; this.isAuthorized = true; } /** * Constructor for JavaSecurityAccess.doIntersectionPrivilege() */ AccessControlContext(ProtectionDomain[] context, AccessControlContext privilegedContext) { this.context = context; this.privilegedContext = privilegedContext; this.isPrivileged = true; } /** * Returns this context's context. */ ProtectionDomain[] getContext() { return context; } /** * Returns true if this context is privileged. */ boolean isPrivileged() { return isPrivileged; } /** * get the assigned combiner from the privileged or inherited context */ DomainCombiner getAssignedCombiner() { AccessControlContext acc; if (isPrivileged) { acc = privilegedContext; } else { acc = AccessController.getInheritedAccessControlContext(); } if (acc != null) { return acc.combiner; } return null; } /** * Get the {@code DomainCombiner} associated with this * {@code AccessControlContext}. * *
* * @return the {@code DomainCombiner} associated with this * {@code AccessControlContext}, or {@code null} * if there is none. * * @exception SecurityException if a security manager is installed and * the caller does not have the "getDomainCombiner" * {@link SecurityPermission} * @since 1.3 */ public DomainCombiner getDomainCombiner() { SecurityManager sm = System.getSecurityManager(); if (sm != null) { sm.checkPermission(SecurityConstants.GET_COMBINER_PERMISSION); } return getCombiner(); } /** * package private for AccessController */ DomainCombiner getCombiner() { return combiner; } boolean isAuthorized() { return isAuthorized; } /** * Determines whether the access request indicated by the * specified permission should be allowed or denied, based on * the security policy currently in effect, and the context in * this object. The request is allowed only if every ProtectionDomain * in the context implies the permission. Otherwise the request is * denied. * *
* This method quietly returns if the access request
* is permitted, or throws a suitable AccessControlException otherwise.
*
* @param perm the requested permission.
*
* @exception AccessControlException if the specified permission
* is not permitted, based on the current security policy and the
* context encapsulated by this object.
* @exception NullPointerException if the permission to check for is null.
*/
public void checkPermission(Permission perm)
throws AccessControlException
{
boolean dumpDebug = false;
if (perm == null) {
throw new NullPointerException("permission can't be null");
}
if (getDebug() != null) {
// If "codebase" is not specified, we dump the info by default.
dumpDebug = !Debug.isOn("codebase=");
if (!dumpDebug) {
// If "codebase" is specified, only dump if the specified code
// value is in the stack.
for (int i = 0; context != null && i < context.length; i++) {
if (context[i].getCodeSource() != null &&
context[i].getCodeSource().getLocation() != null &&
Debug.isOn("codebase=" + context[i].getCodeSource().getLocation().toString())) {
dumpDebug = true;
break;
}
}
}
dumpDebug &= !Debug.isOn("permission=") ||
Debug.isOn("permission=" + perm.getClass().getCanonicalName());
if (dumpDebug && Debug.isOn("stack")) {
Thread.dumpStack();
}
if (dumpDebug && Debug.isOn("domain")) {
if (context == null) {
debug.println("domain (context is null)");
} else {
for (int i=0; i< context.length; i++) {
debug.println("domain "+i+" "+context[i]);
}
}
}
}
/*
* iterate through the ProtectionDomains in the context.
* Stop at the first one that doesn't allow the
* requested permission (throwing an exception).
*
*/
/* if ctxt is null, all we had on the stack were system domains,
or the first domain was a Privileged system domain. This
is to make the common case for system code very fast */
if (context == null) {
checkPermission2(perm);
return;
}
for (int i=0; i< context.length; i++) {
if (context[i] != null && !context[i].implies(perm)) {
if (dumpDebug) {
debug.println("access denied " + perm);
}
if (Debug.isOn("failure") && debug != null) {
// Want to make sure this is always displayed for failure,
// but do not want to display again if already displayed
// above.
if (!dumpDebug) {
debug.println("access denied " + perm);
}
Thread.dumpStack();
final ProtectionDomain pd = context[i];
final Debug db = debug;
AccessController.doPrivileged (new PrivilegedAction
* @param obj the object we are testing for equality with this object.
* @return true if obj is an AccessControlContext, and has the
* same set of ProtectionDomains as this context, false otherwise.
*/
public boolean equals(Object obj) {
if (obj == this)
return true;
if (! (obj instanceof AccessControlContext))
return false;
AccessControlContext that = (AccessControlContext) obj;
if (!equalContext(that))
return false;
if (!equalLimitedContext(that))
return false;
return true;
}
/*
* Compare for equality based on state that is free of limited
* privilege complications.
*/
private boolean equalContext(AccessControlContext that) {
if (!equalPDs(this.context, that.context))
return false;
if (this.combiner == null && that.combiner != null)
return false;
if (this.combiner != null && !this.combiner.equals(that.combiner))
return false;
return true;
}
private boolean equalPDs(ProtectionDomain[] a, ProtectionDomain[] b) {
if (a == null) {
return (b == null);
}
if (b == null)
return false;
if (!(containsAllPDs(a, b) && containsAllPDs(b, a)))
return false;
return true;
}
/*
* Compare for equality based on state that is captured during a
* call to AccessController.getContext() when a limited privilege
* scope is in effect.
*/
private boolean equalLimitedContext(AccessControlContext that) {
if (that == null)
return false;
/*
* If neither instance has limited privilege scope then we're done.
*/
if (!this.isLimited && !that.isLimited)
return true;
/*
* If only one instance has limited privilege scope then we're done.
*/
if (!(this.isLimited && that.isLimited))
return false;
/*
* Wrapped instances should never escape outside the implementation
* this class and AccessController so this will probably never happen
* but it only makes any sense to compare if they both have the same
* isWrapped state.
*/
if ((this.isWrapped && !that.isWrapped) ||
(!this.isWrapped && that.isWrapped)) {
return false;
}
if (this.permissions == null && that.permissions != null)
return false;
if (this.permissions != null && that.permissions == null)
return false;
if (!(this.containsAllLimits(that) && that.containsAllLimits(this)))
return false;
/*
* Skip through any wrapped contexts.
*/
AccessControlContext thisNextPC = getNextPC(this);
AccessControlContext thatNextPC = getNextPC(that);
/*
* The protection domains and combiner of a privilegedContext are
* not relevant because they have already been included in the context
* of this instance by optimize() so we only care about any limited
* privilege state they may have.
*/
if (thisNextPC == null && thatNextPC != null && thatNextPC.isLimited)
return false;
if (thisNextPC != null && !thisNextPC.equalLimitedContext(thatNextPC))
return false;
if (this.parent == null && that.parent != null)
return false;
if (this.parent != null && !this.parent.equals(that.parent))
return false;
return true;
}
/*
* Follow the privilegedContext link making our best effort to skip
* through any wrapper contexts.
*/
private static AccessControlContext getNextPC(AccessControlContext acc) {
while (acc != null && acc.privilegedContext != null) {
acc = acc.privilegedContext;
if (!acc.isWrapped)
return acc;
}
return null;
}
private static boolean containsAllPDs(ProtectionDomain[] thisContext,
ProtectionDomain[] thatContext) {
boolean match = false;
//
// ProtectionDomains within an ACC currently cannot be null
// and this is enforced by the constructor and the various
// optimize methods. However, historically this logic made attempts
// to support the notion of a null PD and therefore this logic continues
// to support that notion.
ProtectionDomain thisPd;
for (int i = 0; i < thisContext.length; i++) {
match = false;
if ((thisPd = thisContext[i]) == null) {
for (int j = 0; (j < thatContext.length) && !match; j++) {
match = (thatContext[j] == null);
}
} else {
Class> thisPdClass = thisPd.getClass();
ProtectionDomain thatPd;
for (int j = 0; (j < thatContext.length) && !match; j++) {
thatPd = thatContext[j];
// Class check required to avoid PD exposure (4285406)
match = (thatPd != null &&
thisPdClass == thatPd.getClass() && thisPd.equals(thatPd));
}
}
if (!match) return false;
}
return match;
}
private boolean containsAllLimits(AccessControlContext that) {
boolean match = false;
Permission thisPerm;
if (this.permissions == null && that.permissions == null)
return true;
for (int i = 0; i < this.permissions.length; i++) {
Permission limit = this.permissions[i];
Class > limitClass = limit.getClass();
match = false;
for (int j = 0; (j < that.permissions.length) && !match; j++) {
Permission perm = that.permissions[j];
match = (limitClass.equals(perm.getClass()) &&
limit.equals(perm));
}
if (!match) return false;
}
return match;
}
/**
* Returns the hash code value for this context. The hash code
* is computed by exclusive or-ing the hash code of all the protection
* domains in the context together.
*
* @return a hash code value for this context.
*/
public int hashCode() {
int hashCode = 0;
if (context == null)
return hashCode;
for (int i =0; i < context.length; i++) {
if (context[i] != null)
hashCode ^= context[i].hashCode();
}
return hashCode;
}
}