001: /*
002: * Copyright 1997-2005 Sun Microsystems, Inc. All Rights Reserved.
003: * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
004: *
005: * This code is free software; you can redistribute it and/or modify it
006: * under the terms of the GNU General Public License version 2 only, as
007: * published by the Free Software Foundation. Sun designates this
008: * particular file as subject to the "Classpath" exception as provided
009: * by Sun in the LICENSE file that accompanied this code.
010: *
011: * This code is distributed in the hope that it will be useful, but WITHOUT
012: * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
013: * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
014: * version 2 for more details (a copy is included in the LICENSE file that
015: * accompanied this code).
016: *
017: * You should have received a copy of the GNU General Public License version
018: * 2 along with this work; if not, write to the Free Software Foundation,
019: * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
020: *
021: * Please contact Sun Microsystems, Inc., 4150 Network Circle, Santa Clara,
022: * CA 95054 USA or visit www.sun.com if you need additional information or
023: * have any questions.
024: */
025:
026: package java.awt;
027:
028: import java.security.BasicPermission;
029:
030: /**
031: * This class is for AWT permissions.
032: * An <code>AWTPermission</code> contains a target name but
033: * no actions list; you either have the named permission
034: * or you don't.
035: *
036: * <P>
037: * The target name is the name of the AWT permission (see below). The naming
038: * convention follows the hierarchical property naming convention.
039: * An asterisk may also be used to represent all AWT permissions; granting it grants every target listed below, including createRobot and listenToAllAWTEvents.
040: *
041: * <P>
042: * The following table lists all the possible <code>AWTPermission</code>
043: * target names, and for each provides a description of what the
044: * permission allows and a discussion of the risks of granting code
045: * the permission.
046: * <P>
047: *
048: * <table border=1 cellpadding=5 summary="AWTPermission target names, descriptions, and associated risks.">
049: * <tr>
050: * <th>Permission Target Name</th>
051: * <th>What the Permission Allows</th>
052: * <th>Risks of Allowing this Permission</th>
053: * </tr>
054: *
055: * <tr>
056: * <td>accessClipboard</td>
057: * <td>Posting and retrieval of information to and from the AWT clipboard</td>
058: * <td>This would allow malfeasant code to share
059: * potentially sensitive or confidential information.</td>
060: * </tr>
061: *
062: * <tr>
063: * <td>accessEventQueue</td>
064: * <td>Access to the AWT event queue</td>
065: * <td>After retrieving the AWT event queue,
066: * malicious code may peek at and even remove existing events
067: * from its event queue, as well as post bogus events which may purposefully
068: * cause the application or applet to misbehave in an insecure manner.</td>
069: * </tr>
070: *
071: * <tr>
072: * <td>accessSystemTray</td>
073: * <td>Access to the AWT SystemTray instance</td>
074: * <td>This would allow malicious code to add tray icons to the system tray.
075: * First, such an icon may look like the icon of some known application
076: * (such as a firewall or anti-virus) and order a user to do something unsafe
077: * (with help of balloon messages). Second, the system tray may be glutted with
078: * tray icons so that no one could add a tray icon anymore.</td>
079: * </tr>
080: *
081: * <tr>
082: * <td>createRobot</td>
083: * <td>Create java.awt.Robot objects</td>
084: * <td>The java.awt.Robot object allows code to generate native-level
085: * mouse and keyboard events as well as read the screen. It could allow
086: * malicious code to control the system, run other programs, read the
087: * display, and deny mouse and keyboard access to the user.</td>
088: * </tr>
089: *
090: * <tr>
091: * <td>fullScreenExclusive</td>
092: * <td>Enter full-screen exclusive mode</td>
093: * <td>Entering full-screen exclusive mode allows direct access to
094: * low-level graphics card memory. This could be used to spoof the
095: * system, since the program is in direct control of rendering.</td>
096: * </tr>
097: *
098: * <tr>
099: * <td>listenToAllAWTEvents</td>
100: * <td>Listen to all AWT events, system-wide</td>
101: * <td>After adding an AWT event listener,
102: * malicious code may scan all AWT events dispatched in the system,
103: * allowing it to read all user input (such as passwords). Each
104: * AWT event listener is called from within the context of that
105: * event queue's EventDispatchThread, so if the accessEventQueue
106: * permission is also enabled, malicious code could modify the
107: * contents of AWT event queues system-wide, causing the application
108: * or applet to misbehave in an insecure manner.</td>
109: * </tr>
110: *
111: * <tr>
112: * <td>readDisplayPixels</td>
113: * <td>Readback of pixels from the display screen</td>
114: * <td>Interfaces such as the java.awt.Composite interface or the
115: * java.awt.Robot class allow arbitrary code to examine pixels on the
116: * display, enabling malicious code to snoop on the activities of the user.</td>
117: * </tr>
118: *
119: * <tr>
120: * <td>replaceKeyboardFocusManager</td>
121: * <td>Sets the <code>KeyboardFocusManager</code> for
122: * a particular thread.</td>
123: * <td>When a <code>SecurityManager</code> is installed, the invoking
124: * thread must be granted this permission in order to replace
125: * the current <code>KeyboardFocusManager</code>. If permission
126: * is not granted, a <code>SecurityException</code> will be thrown. A replacement focus manager takes part in focus and key event dispatch, so this permission should go only to code trusted with user keystrokes.</td>
127: * </tr>
128: *
129: * <tr>
130: * <td>setAppletStub</td>
131: * <td>Setting the stub which implements Applet container services</td>
132: * <td>Malicious code could set an applet's stub and result in unexpected
133: * behavior or denial of service to an applet.</td>
134: * </tr>
135: *
136: * <tr>
137: * <td>setWindowAlwaysOnTop</td>
138: * <td>Setting always-on-top property of the window: {@link Window#setAlwaysOnTop}</td>
139: * <td>A malicious window might make itself look and behave like a real full desktop, so that
140: * information entered by the unsuspecting user is captured and subsequently misused.</td>
141: * </tr>
142: *
143: * <tr>
144: * <td>showWindowWithoutWarningBanner</td>
145: * <td>Display of a window without also displaying a banner warning
146: * that the window was created by an applet</td>
147: * <td>Without this warning,
148: * an applet may pop up windows without the user knowing that they
149: * belong to an applet. Since users may make security-sensitive
150: * decisions based on whether or not the window belongs to an applet
151: * (entering a username and password into a dialog box, for example),
152: * disabling this warning banner may allow applets to trick the user
153: * into entering such information.</td>
154: * </tr>
155: *
156: * <tr>
157: * <td>toolkitModality</td>
158: * <td>Creating {@link Dialog.ModalityType#TOOLKIT_MODAL TOOLKIT_MODAL} dialogs
159: * and setting the {@link Dialog.ModalExclusionType#TOOLKIT_EXCLUDE
160: * TOOLKIT_EXCLUDE} window property.</td>
161: * <td>When a toolkit-modal dialog is shown from an applet, it blocks all other
162: * applets in the browser. When applications are launched from Java Web Start,
163: * Java Web Start's own windows (such as the security dialog) may also be blocked by
164: * toolkit-modal dialogs shown from these applications.</td>
165: * </tr>
166: *
167: * <tr>
168: * <td>watchMousePointer</td>
169: * <td>Getting the information about the mouse pointer position at any
170: * time</td>
171: * <td>By constantly watching the mouse pointer,
172: * an applet can make guesses about what the user is doing, e.g. moving
173: * the mouse to the lower left corner of the screen most likely means that
174: * the user is about to launch an application. If a virtual keypad is used
175: * so that the keyboard is emulated using the mouse, an applet may guess what
176: * is being typed.</td>
177: * </tr>
178: * </table>
179: *
180: * @see java.security.BasicPermission
181: * @see java.security.Permission
182: * @see java.security.Permissions
183: * @see java.security.PermissionCollection
184: * @see java.lang.SecurityManager
185: *
186: * @version 1.38, 05/05/07
187: *
188: * @author Marianne Mueller
189: * @author Roland Schemers
190: */
191:
public final class AWTPermission extends BasicPermission {

    /**
     * Serialization version, pinned to the value used by the Java 2 platform
     * so that serialized instances remain interoperable.
     */
    private static final long serialVersionUID = 8890392402588814465L;

    /**
     * Constructs an {@code AWTPermission} for the given target name.
     *
     * <p>The name is the symbolic target name of the permission, for example
     * {@code "accessClipboard"} or {@code "createRobot"} (the full list is in
     * the class-level table). A single asterisk stands for all AWT
     * permissions, so a grant of {@code "*"} covers every target in that
     * table and belongs only in policy for fully trusted code.
     *
     * <p>The name is handed to the {@link BasicPermission} constructor
     * unchanged; no AWT-specific validation of the target name happens here.
     *
     * @param name the target name of the {@code AWTPermission}
     *
     * @throws NullPointerException if {@code name} is {@code null}.
     * @throws IllegalArgumentException if {@code name} is empty.
     */
    public AWTPermission(String name) {
        super(name);
    }

    /**
     * Constructs an {@code AWTPermission} for the given target name, accepting
     * an actions string for signature compatibility with other permissions.
     *
     * <p>An {@code AWTPermission} has no actions list: the actions string is
     * currently unused and should be {@code null}. Both arguments are handed
     * to the {@link BasicPermission} constructor unchanged.
     *
     * @param name the target name of the {@code AWTPermission}
     * @param actions should be {@code null}
     *
     * @throws NullPointerException if {@code name} is {@code null}.
     * @throws IllegalArgumentException if {@code name} is empty.
     */
    public AWTPermission(String name, String actions) {
        super(name, actions);
    }
}