Source Code Cross Referenced for UnresolvedPermission.java in JDK-Core » security » java » security



/*
 * Copyright 1997-2006 Sun Microsystems, Inc.  All Rights Reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
 * under the terms of the GNU General Public License version 2 only, as
 * published by the Free Software Foundation.  Sun designates this
 * particular file as subject to the "Classpath" exception as provided
 * by Sun in the LICENSE file that accompanied this code.
 *
 * This code is distributed in the hope that it will be useful, but WITHOUT
 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
 * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
 * version 2 for more details (a copy is included in the LICENSE file that
 * accompanied this code).
 *
 * You should have received a copy of the GNU General Public License version
 * 2 along with this work; if not, write to the Free Software Foundation,
 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
 *
 * Please contact Sun Microsystems, Inc., 4150 Network Circle, Santa Clara,
 * CA 95054 USA or visit www.sun.com if you need additional information or
 * have any questions.
 */

package java.security;

import java.io.IOException;
import java.io.ByteArrayInputStream;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.Hashtable;
import java.util.Vector;
import java.lang.reflect.*;
import java.security.cert.*;

/**
 * The UnresolvedPermission class is used to hold Permissions that
 * were "unresolved" when the Policy was initialized.
 * An unresolved permission is one whose actual Permission class
 * does not yet exist at the time the Policy is initialized (see below).
 *
 * <p>The policy for a Java runtime (specifying
 * which permissions are available for code from various principals)
 * is represented by a Policy object.
 * Whenever a Policy is initialized or refreshed, Permission objects of
 * appropriate classes are created for all permissions
 * allowed by the Policy.
 *
 * <p>Many permission class types
 * referenced by the policy configuration are ones that exist
 * locally (i.e., ones that can be found on CLASSPATH).
 * Objects for such permissions can be instantiated during
 * Policy initialization. For example, it is always possible
 * to instantiate a java.io.FilePermission, since the
 * FilePermission class is found on the CLASSPATH.
 *
 * <p>Other permission classes may not yet exist during Policy
 * initialization. For example, a referenced permission class may
 * be in a JAR file that will later be loaded.
 * For each such class, an UnresolvedPermission is instantiated.
 * Thus, an UnresolvedPermission is essentially a "placeholder"
 * containing information about the permission.
 *
 * <p>Later, when code calls AccessController.checkPermission
 * on a permission of a type that was previously unresolved,
 * but whose class has since been loaded, previously-unresolved
 * permissions of that type are "resolved". That is,
 * for each such UnresolvedPermission, a new object of
 * the appropriate class type is instantiated, based on the
 * information in the UnresolvedPermission.
 *
 * <p> To instantiate the new class, UnresolvedPermission assumes
 * the class provides a zero, one, and/or two-argument constructor.
 * The zero-argument constructor would be used to instantiate
 * a permission without a name and without actions.
 * A one-arg constructor is assumed to take a <code>String</code>
 * name as input, and a two-arg constructor is assumed to take a
 * <code>String</code> name and <code>String</code> actions
 * as input.  UnresolvedPermission may invoke a
 * constructor with a <code>null</code> name and/or actions.
 * If an appropriate permission constructor is not available,
 * the UnresolvedPermission is ignored and the relevant permission
 * will not be granted to executing code.
 *
 * <p> The newly created permission object replaces the
 * UnresolvedPermission, which is removed.
 *
 * <p> Note that the <code>getName</code> method for an
 * <code>UnresolvedPermission</code> returns the
 * <code>type</code> (class name) for the underlying permission
 * that has not been resolved.
 *
 * @see java.security.Permission
 * @see java.security.Permissions
 * @see java.security.PermissionCollection
 * @see java.security.Policy
 *
 * @version 1.38 07/05/05
 *
 * @author Roland Schemers
 */

public final class UnresolvedPermission extends Permission implements
        java.io.Serializable {

    private static final long serialVersionUID = -4821973115467008846L;

    private static final sun.security.util.Debug debug = sun.security.util.Debug
            .getInstance("policy,access", "UnresolvedPermission");

    /**
     * The class name of the Permission class that will be
     * created when this unresolved permission is resolved.
     *
     * @serial
     */
    private String type;

    /**
     * The permission name.
     *
     * @serial
     */
    private String name;

    /**
     * The actions of the permission.
     *
     * @serial
     */
    private String actions;

    private transient java.security.cert.Certificate certs[];

    /**
     * Creates a new UnresolvedPermission containing the permission
     * information needed later to actually create a Permission of the
     * specified class, when the permission is resolved.
     *
     * @param type the class name of the Permission class that will be
     * created when this unresolved permission is resolved.
     * @param name the name of the permission.
     * @param actions the actions of the permission.
     * @param certs the certificates the permission's class was signed with.
     * This is a list of certificate chains, where each chain is composed of a
     * signer certificate and optionally its supporting certificate chain.
     * Each chain is ordered bottom-to-top (i.e., with the signer certificate
     * first and the (root) certificate authority last). The signer
     * certificates are copied from the array. Subsequent changes to
     * the array will not affect this UnresolvedPermission.
     */
    public UnresolvedPermission(String type, String name,
            String actions, java.security.cert.Certificate certs[]) {
        super(type);

        if (type == null)
            throw new NullPointerException("type can't be null");

        this.type = type;
        this.name = name;
        this.actions = actions;
        if (certs != null) {
            // Extract the signer certs from the list of certificates.
            for (int i = 0; i < certs.length; i++) {
                if (!(certs[i] instanceof X509Certificate)) {
                    // there is no concept of signer certs, so we store the
                    // entire cert array
                    this.certs = (java.security.cert.Certificate[]) certs
                            .clone();
                    break;
                }
            }

            if (this.certs == null) {
                // Go through the list of certs and see if all the certs are
                // signer certs.
                int i = 0;
                int count = 0;
                while (i < certs.length) {
                    count++;
                    while (((i + 1) < certs.length)
                            && ((X509Certificate) certs[i])
                                    .getIssuerDN()
                                    .equals(
                                            ((X509Certificate) certs[i + 1])
                                                    .getSubjectDN())) {
                        i++;
                    }
                    i++;
                }
                if (count == certs.length) {
                    // All the certs are signer certs, so we store the entire
                    // array
                    this.certs = (java.security.cert.Certificate[]) certs
                            .clone();
                }

                if (this.certs == null) {
                    // extract the signer certs
                    ArrayList<java.security.cert.Certificate> signerCerts = new ArrayList<java.security.cert.Certificate>();
                    i = 0;
                    while (i < certs.length) {
                        signerCerts.add(certs[i]);
                        while (((i + 1) < certs.length)
                                && ((X509Certificate) certs[i])
                                        .getIssuerDN()
                                        .equals(
                                                ((X509Certificate) certs[i + 1])
                                                        .getSubjectDN())) {
                            i++;
                        }
                        i++;
                    }
                    this.certs = new java.security.cert.Certificate[signerCerts
                            .size()];
                    signerCerts.toArray(this.certs);
                }
            }
        }
    }

    private static final Class[] PARAMS0 = {};
    private static final Class[] PARAMS1 = { String.class };
    private static final Class[] PARAMS2 = { String.class, String.class };

    /**
     * try and resolve this permission using the class loader of the permission
     * that was passed in.
     */
    Permission resolve(Permission p,
            java.security.cert.Certificate certs[]) {
        if (this.certs != null) {
            // if p wasn't signed, we don't have a match
            if (certs == null) {
                return null;
            }

            // all certs in this.certs must be present in certs
            boolean match;
            for (int i = 0; i < this.certs.length; i++) {
                match = false;
                for (int j = 0; j < certs.length; j++) {
                    if (this.certs[i].equals(certs[j])) {
                        match = true;
                        break;
                    }
                }
                if (!match)
                    return null;
            }
        }
        try {
            Class pc = p.getClass();

            if (name == null && actions == null) {
                try {
                    Constructor c = pc.getConstructor(PARAMS0);
                    return (Permission) c.newInstance(new Object[] {});
                } catch (NoSuchMethodException ne) {
                    try {
                        Constructor c = pc.getConstructor(PARAMS1);
                        return (Permission) c
                                .newInstance(new Object[] { name });
                    } catch (NoSuchMethodException ne1) {
                        Constructor c = pc.getConstructor(PARAMS2);
                        return (Permission) c.newInstance(new Object[] {
                                name, actions });
                    }
                }
            } else {
                if (name != null && actions == null) {
                    try {
                        Constructor c = pc.getConstructor(PARAMS1);
                        return (Permission) c
                                .newInstance(new Object[] { name });
                    } catch (NoSuchMethodException ne) {
                        Constructor c = pc.getConstructor(PARAMS2);
                        return (Permission) c.newInstance(new Object[] {
                                name, actions });
                    }
                } else {
                    Constructor c = pc.getConstructor(PARAMS2);
                    return (Permission) c.newInstance(new Object[] {
                            name, actions });
                }
            }
        } catch (NoSuchMethodException nsme) {
            if (debug != null) {
                debug.println("NoSuchMethodException:\n  could not find "
                        + "proper constructor for " + type);
                nsme.printStackTrace();
            }
            return null;
        } catch (Exception e) {
            if (debug != null) {
                debug.println("unable to instantiate " + name);
                e.printStackTrace();
            }
            return null;
        }
    }

    /**
     * This method always returns false for unresolved permissions.
     * That is, an UnresolvedPermission is never considered to
     * imply another permission.
     *
     * @param p the permission to check against.
     *
     * @return false.
     */
    public boolean implies(Permission p) {
        return false;
    }

    /**
     * Checks two UnresolvedPermission objects for equality.
     * Checks that <i>obj</i> is an UnresolvedPermission, and has
     * the same type (class) name, permission name, actions, and
     * certificates as this object.
     *
     * <p> To determine certificate equality, this method only compares
     * actual signer certificates.  Supporting certificate chains
     * are not taken into consideration by this method.
     *
     * @param obj the object we are testing for equality with this object.
     *
     * @return true if obj is an UnresolvedPermission, and has the same
     * type (class) name, permission name, actions, and
     * certificates as this object.
     */
    public boolean equals(Object obj) {
        if (obj == this)
            return true;

        if (!(obj instanceof UnresolvedPermission))
            return false;
        UnresolvedPermission that = (UnresolvedPermission) obj;

        // check type
        if (!this.type.equals(that.type)) {
            return false;
        }

        // check name
        if (this.name == null) {
            if (that.name != null) {
                return false;
            }
        } else if (!this.name.equals(that.name)) {
            return false;
        }

        // check actions
        if (this.actions == null) {
            if (that.actions != null) {
                return false;
            }
        } else {
            if (!this.actions.equals(that.actions)) {
                return false;
            }
        }

        // check certs
        if ((this.certs == null && that.certs != null)
                || (this.certs != null && that.certs == null)
                || (this.certs != null && that.certs != null && this.certs.length != that.certs.length)) {
            return false;
        }

        int i, j;
        boolean match;

        for (i = 0; this.certs != null && i < this.certs.length; i++) {
            match = false;
            for (j = 0; j < that.certs.length; j++) {
                if (this.certs[i].equals(that.certs[j])) {
                    match = true;
                    break;
                }
            }
            if (!match)
                return false;
        }

        for (i = 0; that.certs != null && i < that.certs.length; i++) {
            match = false;
            for (j = 0; j < this.certs.length; j++) {
                if (that.certs[i].equals(this.certs[j])) {
                    match = true;
                    break;
                }
            }
            if (!match)
                return false;
        }
        return true;
    }

    /**
     * Returns the hash code value for this object.
     *
     * @return a hash code value for this object.
     */

    public int hashCode() {
        int hash = type.hashCode();
        if (name != null)
            hash ^= name.hashCode();
        if (actions != null)
            hash ^= actions.hashCode();
        return hash;
    }

    /**
     * Returns the canonical string representation of the actions,
     * which currently is the empty string "", since there are no actions for
     * an UnresolvedPermission. That is, the actions for the
     * permission that will be created when this UnresolvedPermission
     * is resolved may be non-null, but an UnresolvedPermission
     * itself is never considered to have any actions.
     *
     * @return the empty string "".
     */
    public String getActions() {
        return "";
    }

    /**
     * Get the type (class name) of the underlying permission that
     * has not been resolved.
     *
     * @return the type (class name) of the underlying permission that
     *  has not been resolved
     *
     * @since 1.5
     */
    public String getUnresolvedType() {
        return type;
    }

    /**
     * Get the target name of the underlying permission that
     * has not been resolved.
     *
     * @return the target name of the underlying permission that
     *          has not been resolved, or <code>null</code>,
     *          if there is no target name
     *
     * @since 1.5
     */
    public String getUnresolvedName() {
        return name;
    }

    /**
     * Get the actions for the underlying permission that
     * has not been resolved.
     *
     * @return the actions for the underlying permission that
     *          has not been resolved, or <code>null</code>
     *          if there are no actions
     *
     * @since 1.5
     */
    public String getUnresolvedActions() {
        return actions;
    }

    /**
     * Get the signer certificates (without any supporting chain)
     * for the underlying permission that has not been resolved.
     *
     * @return the signer certificates for the underlying permission that
     * has not been resolved, or null, if there are no signer certificates.
     * Returns a new array each time this method is called.
     *
     * @since 1.5
     */
    public java.security.cert.Certificate[] getUnresolvedCerts() {
        return (certs == null) ? null
                : (java.security.cert.Certificate[]) certs.clone();
    }

    /**
     * Returns a string describing this UnresolvedPermission.  The convention
     * is to specify the class name, the permission name, and the actions, in
     * the following format: '(unresolved "ClassName" "name" "actions")'.
     *
     * @return information about this UnresolvedPermission.
     */
    public String toString() {
        return "(unresolved " + type + " " + name + " " + actions + ")";
    }

    /**
     * Returns a new PermissionCollection object for storing
     * UnresolvedPermission  objects.
     * <p>
     * @return a new PermissionCollection object suitable for
     * storing UnresolvedPermissions.
     */

    public PermissionCollection newPermissionCollection() {
        return new UnresolvedPermissionCollection();
    }

    /**
     * Writes this object out to a stream (i.e., serializes it).
     *
     * @serialData An initial <code>String</code> denoting the
     * <code>type</code> is followed by a <code>String</code> denoting the
     * <code>name</code> is followed by a <code>String</code> denoting the
     * <code>actions</code> is followed by an <code>int</code> indicating the
     * number of certificates to follow
     * (a value of "zero" denotes that there are no certificates associated
     * with this object).
     * Each certificate is written out starting with a <code>String</code>
     * denoting the certificate type, followed by an
     * <code>int</code> specifying the length of the certificate encoding,
     * followed by the certificate encoding itself which is written out as an
     * array of bytes.
     */
    private void writeObject(java.io.ObjectOutputStream oos)
            throws IOException {
        oos.defaultWriteObject();

        if (certs == null || certs.length == 0) {
            oos.writeInt(0);
        } else {
            // write out the total number of certs
            oos.writeInt(certs.length);
            // write out each cert, including its type
            for (int i = 0; i < certs.length; i++) {
                java.security.cert.Certificate cert = certs[i];
                try {
                    oos.writeUTF(cert.getType());
                    byte[] encoded = cert.getEncoded();
                    oos.writeInt(encoded.length);
                    oos.write(encoded);
                } catch (CertificateEncodingException cee) {
                    throw new IOException(cee.getMessage());
                }
            }
        }
    }

    /**
     * Restores this object from a stream (i.e., deserializes it).
     */
    private void readObject(java.io.ObjectInputStream ois)
            throws IOException, ClassNotFoundException {
        CertificateFactory cf;
        Hashtable<String, CertificateFactory> cfs = null;

        ois.defaultReadObject();

        if (type == null)
            throw new NullPointerException("type can't be null");

        // process any new-style certs in the stream (if present)
        int size = ois.readInt();
        if (size > 0) {
            // we know of 3 different cert types: X.509, PGP, SDSI, which
            // could all be present in the stream at the same time
            cfs = new Hashtable<String, CertificateFactory>(3);
            this.certs = new java.security.cert.Certificate[size];
        }

        for (int i = 0; i < size; i++) {
            // read the certificate type, and instantiate a certificate
            // factory of that type (reuse existing factory if possible)
            String certType = ois.readUTF();
            if (cfs.containsKey(certType)) {
                // reuse certificate factory
                cf = cfs.get(certType);
            } else {
                // create new certificate factory
                try {
                    cf = CertificateFactory.getInstance(certType);
                } catch (CertificateException ce) {
                    throw new ClassNotFoundException(
                            "Certificate factory for " + certType
                                    + " not found");
                }
                // store the certificate factory so we can reuse it later
                cfs.put(certType, cf);
            }
            // parse the certificate
            byte[] encoded = null;
            try {
                encoded = new byte[ois.readInt()];
            } catch (OutOfMemoryError oome) {
                throw new IOException("Certificate too big");
            }
            ois.readFully(encoded);
            ByteArrayInputStream bais = new ByteArrayInputStream(
                    encoded);
            try {
                this.certs[i] = cf.generateCertificate(bais);
            } catch (CertificateException ce) {
                throw new IOException(ce.getMessage());
            }
            bais.close();
        }
    }
}
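
Added example (not part of the JDK source above): a small program that exercises the resolution rules from the class Javadoc and resolve() through the public java.security.Permissions API. WidgetPermission, OddPermission and constructedSigner() are hypothetical names made up for the demonstration, and the program assumes it is run from unsigned class files.

```java
import java.security.BasicPermission;
import java.security.Permission;
import java.security.Permissions;
import java.security.PublicKey;
import java.security.UnresolvedPermission;
import java.security.cert.Certificate;

public class UnresolvedPermissionDemo {

    /** Hypothetical permission type with the public (String) constructor resolve() looks for. */
    public static final class WidgetPermission extends BasicPermission {
        private static final long serialVersionUID = 1L;
        public WidgetPermission(String name) { super(name); }
    }

    /** Hypothetical permission type with no (), (String) or (String, String) constructor. */
    public static final class OddPermission extends BasicPermission {
        private static final long serialVersionUID = 1L;
        public OddPermission(String name, int level) { super(name); }
    }

    /** Constructed, non-X.509 certificate standing in for the signer named by a signed grant. */
    static Certificate constructedSigner() {
        return new Certificate("constructed") {
            @Override public byte[] getEncoded() { return new byte[] { 1, 2, 3 }; }
            @Override public void verify(PublicKey key) { }
            @Override public void verify(PublicKey key, String sigProvider) { }
            @Override public String toString() { return "constructed signer"; }
            @Override public PublicKey getPublicKey() { return null; }
        };
    }

    /**
     * Stores one placeholder in a Permissions collection and asks whether
     * 'requested' is implied. Permissions.implies() first resolves every
     * placeholder whose type equals requested.getClass().getName().
     */
    static boolean grantedViaPlaceholder(String type, String name,
            Certificate[] signers, Permission requested) {
        Permissions granted = new Permissions();
        granted.add(new UnresolvedPermission(type, name, null, signers));
        return granted.implies(requested);
    }

    /** Fails loudly if the observed behaviour differs from the documented one. */
    static void expect(String label, boolean actual, boolean expected) {
        if (actual != expected)
            throw new IllegalStateException(label + ": got " + actual);
        System.out.println(label + " = " + actual);
    }

    public static void main(String[] args) {
        String widgetType = WidgetPermission.class.getName();
        String oddType = OddPermission.class.getName();
        Permission wanted = new WidgetPermission("widget.read");

        // The placeholder itself never implies anything, reports the
        // unresolved type as its name, and has no actions of its own.
        UnresolvedPermission placeholder =
                new UnresolvedPermission(widgetType, "widget.*", null, null);
        expect("placeholder implies", placeholder.implies(wanted), false);
        expect("getName is the type", placeholder.getName().equals(widgetType), true);
        expect("actions are empty", placeholder.getActions().isEmpty(), true);

        // Unsigned grant, class loaded, usable constructor: the placeholder
        // is replaced by WidgetPermission("widget.*"), which implies the request.
        expect("resolved grant applies",
                grantedViaPlaceholder(widgetType, "widget.*", null, wanted), true);

        // No zero-, one- or two-String constructor: resolve() returns null,
        // so the grant is silently dropped rather than raising an error.
        expect("grant without usable constructor applies",
                grantedViaPlaceholder(oddType, "widget.*", null,
                        new OddPermission("widget.read", 1)), false);

        // Grant tied to a signer, permission class unsigned: resolve() sees
        // certs == null and refuses, so the grant does not apply.
        expect("signed grant applies to unsigned class",
                grantedViaPlaceholder(widgetType, "widget.*",
                        new Certificate[] { constructedSigner() }, wanted), false);
    }
}
```

Both refusal cases fail closed and raise no error, so a grant that never resolves is visible only as a denied check or through the "policy,access" debug output that resolve() writes.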