/*
 * @(#)ServicePermission.java 1.16 06/04/07
 *
 * Copyright 2006 Sun Microsystems, Inc. All rights reserved.
 * SUN PROPRIETARY/CONFIDENTIAL. Use is subject to license terms.
 */

package javax.security.auth.kerberos;

import java.util.*;
import java.security.Permission;
import java.security.PermissionCollection;
import java.io.ObjectStreamField;
import java.io.ObjectOutputStream;
import java.io.ObjectInputStream;
import java.io.IOException;

/**
 * This class is used to protect Kerberos services and the
 * credentials necessary to access those services. There is a one to
 * one mapping of a service principal and the credentials necessary
 * to access the service. Therefore granting access to a service
 * principal implicitly grants access to the credential necessary to
 * establish a security context with the service principal. This
 * applies regardless of whether the credentials are in a cache
 * or acquired via an exchange with the KDC. The credential can
 * be either a ticket granting ticket, a service ticket or a secret
 * key from a key table.
 * <p>
 * A ServicePermission contains a service principal name and
 * a list of actions which specify the context the credential can be
 * used within.
 * <p>
 * The service principal name is the canonical name of the
 * <code>KerberosPrincipal</code> supplying the service, that is
 * the KerberosPrincipal represents a Kerberos service
 * principal. This name is treated in a case-sensitive manner.
 * An asterisk may appear by itself, to signify any service principal.
 * <p>
 * Granting this permission implies that the caller can use a cached
 * credential (TGT, service ticket or secret key) within the context
 * designated by the action. In the case of the TGT, granting this
 * permission also implies that the TGT can be obtained by an
 * Authentication Service exchange.
 * <p>
 * The possible actions are:
 * <p>
 * <pre>
 *    initiate -              allow the caller to use the credential to
 *                            initiate a security context with a service
 *                            principal.
 *
 *    accept -                allow the caller to use the credential to
 *                            accept security context as a particular
 *                            principal.
 * </pre>
 *
 * For example, to specify the permission to access to the TGT to
 * initiate a security context the permission is constructed as follows:
 * <p>
 * <pre>
 *     ServicePermission("krbtgt/EXAMPLE.COM@EXAMPLE.COM", "initiate");
 * </pre>
 * <p>
 * To obtain a service ticket to initiate a context with the "host"
 * service the permission is constructed as follows:
 * <pre>
 *     ServicePermission("host/foo.example.com@EXAMPLE.COM", "initiate");
 * </pre>
 * <p>
 * For a Kerberized server the action is "accept". For example, the permission
 * necessary to access and use the secret key of the Kerberized "host"
 * service (telnet and the likes) would be constructed as follows:
 * <p>
 * <pre>
 *     ServicePermission("host/foo.example.com@EXAMPLE.COM", "accept");
 * </pre>
 *
 * @since 1.4
 */
public final class ServicePermission extends Permission
    implements java.io.Serializable {

    private static final long serialVersionUID = -1227585031618624935L;

    /**
     * Initiate a security context to the specified service
     * (bit 0 of the actions mask).
     */
    private final static int INITIATE = 0x1;

    /**
     * Accept a security context (bit 1 of the actions mask).
     */
    private final static int ACCEPT = 0x2;

    /**
     * All actions: the union of INITIATE and ACCEPT. Any mask bit
     * outside this value is rejected when a permission is constructed.
     */
    private final static int ALL = INITIATE|ACCEPT;

    /**
     * No actions.
     * NOTE(review): not referenced by the methods visible here.
     */
    private final static int NONE = 0x0;

    // the actions mask; transient, so it is not part of the serialized
    // form -- NOTE(review): presumably rebuilt from the serialized
    // actions string on deserialization (readObject is not shown here);
    // confirm.
    private transient int mask;

    /**
     * the actions string.
     *
     * @serial
     */
    private String actions; // Left null as long as possible, then
                            // created and re-used in getActions().

    /**
     * Create a new <code>ServicePermission</code>
     * with the specified <code>servicePrincipal</code>
     * and <code>action</code>.
     *
     * @param servicePrincipal the name of the service principal.
     * An asterisk may appear by itself, to signify any service principal.
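 * <p>
 * @param action the action string
 * @throws NullPointerException if <code>servicePrincipal</code> or
 *         <code>action</code> is null
 * @throws IllegalArgumentException if the actions mask derived from
 *         <code>action</code> contains bits other than initiate/accept
 */
    public ServicePermission(String servicePrincipal, String action) {
        super(servicePrincipal);
        // getMask(String) parses the action string; init() validates
        // both the principal and the resulting mask.
        init(servicePrincipal, getMask(action));
    }

    /**
     * Initialize the ServicePermission object.
     *
     * @param servicePrincipal the service principal name
     * @param mask the actions mask; must be a subset of the bits in ALL
     * @throws NullPointerException if <code>servicePrincipal</code> is null
     * @throws IllegalArgumentException if <code>mask</code> has bits
     *         outside ALL
     */
    private void init(String servicePrincipal, int mask) {
        if (servicePrincipal == null)
            throw new NullPointerException("service principal can't be null");
        // Reject any bit that is neither INITIATE nor ACCEPT.
        if ((mask & ALL) != mask)
            throw new IllegalArgumentException("invalid actions mask");
        this.mask = mask;
    }

    /**
     * Checks if this Kerberos service permission object "implies" the
     * specified permission.
     * <P>
     * More specifically, this method returns true if:<p>
     * <ul>
     * <li> <i>p</i> is an instanceof ServicePermission,<p>
     * <li> <i>p</i>'s actions are a subset of (or equal to) this
     * object's actions, and<p>
     * <li> <i>p</i>'s service principal is equal to this object's
     * service principal, or this object's service principal is "*".<p>
     * </ul>
     *
     * If none of the above are true, <code>implies</code> returns false.
     * @param p the permission to check against.
     *
     * @return true if the specified permission is implied by this object,
     * false if not.
     */
    @Override
    public boolean implies(Permission p) {
        if (!(p instanceof ServicePermission))
            return false;

        ServicePermission that = (ServicePermission) p;

        // Every action requested by p must be granted by this permission,
        // and the principal must match (or this one must be the "*"
        // wildcard).
        return ((this.mask & that.mask) == that.mask) &&
            impliesIgnoreMask(that);
    }

    /**
     * Principal-only part of {@link #implies}: true if this permission
     * names any principal ("*") or exactly the same principal as
     * <code>p</code>. Names are compared case-sensitively.
     *
     * @param p the permission whose principal is checked
     * @return true if this permission's principal covers <code>p</code>'s
     */
    boolean impliesIgnoreMask(ServicePermission p) {
        return ((this.getName().equals("*")) ||
                this.getName().equals(p.getName()));
    }

    /**
     * Checks two ServicePermission objects for equality.
     * <P>
     * @param obj the object to test for equality with this object.
     *
     * @return true if <i>obj</i> is a ServicePermission, and has the
     * same service principal, and actions as this
     * ServicePermission object.
     */
    @Override
    public boolean equals(Object obj) {
        if (obj == this)
            return true;

        if (! (obj instanceof ServicePermission))
            return false;

        ServicePermission that = (ServicePermission) obj;

        // Require exactly the same actions. The earlier superset test
        // ((this.mask & that.mask) == that.mask) made equals asymmetric
        // (an "initiate,accept" permission equalled an "initiate" one but
        // not the reverse) and inconsistent with hashCode, which mixes in
        // the whole mask; it also contradicted the documented contract.
        return this.mask == that.mask &&
            this.getName().equals(that.getName());
    }

    /**
     * Returns the hash code value for this object.
     * Consistent with equals: derived from the principal name and the
     * exact actions mask.
     *
     * @return a hash code value for this object.
     */
    @Override
    public int hashCode() {
        return (getName().hashCode() ^ mask);
    }

    /**
     * Returns the "canonical string representation" of the actions in the
     * specified mask.
     * Always returns present actions in the following order:
     * initiate, accept.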
 *
 * @param mask a specific integer action mask to translate into a string
 * @return the canonical string representation of the actions
 */
    private static String getActions(int mask) {
        StringBuilder out = new StringBuilder();
        // Fixed order: "initiate" first, then "accept", comma-separated;
        // a mask with neither bit yields the empty string.
        if ((mask & INITIATE) != 0) {
            out.append("initiate");
        }
        if ((mask & ACCEPT) != 0) {
            if (out.length() > 0) {
                out.append(',');
            }
            out.append("accept");
        }
        return out.toString();
    }

    /**
     * Returns the canonical string representation of the actions.
     * Always returns present actions in the following order:
     * initiate, accept.
     *
     * @return "initiate", "accept", "initiate,accept" or "" according to
     *         the actions mask
     */
    @Override
    public String getActions() {
        // Computed on first use and cached in the actions field. The
        // cache holds an immutable String derived only from the mask, so
        // a repeated computation always yields the same value.
        String cached = actions;
        if (cached == null) {
            cached = getActions(this.mask);
            actions = cached;
        }
        return cached;
    }

    /**
     * Returns a PermissionCollection object for storing
     * ServicePermission objects.
     * <br>
     * ServicePermission objects must be stored in a manner that
     * allows them to be inserted into the collection in any order, but
     * that also enables the PermissionCollection implies method to
     * be implemented in an efficient (and consistent) manner.
     *
     * @return a new PermissionCollection object suitable for storing
     * ServicePermissions.
     */
    @Override
    public PermissionCollection newPermissionCollection() {
        return new KrbServicePermissionCollection();
    }

    /**
     * Return the current action mask.
     *
     * @return the actions mask.
     */
    int getMask() {
        return mask;
    }

    /**
     * Convert an action string to an integer actions mask.
     *
     * @param action the action string
     * @return the action mask
     */
    private static int getMask(String action) {
        if (action == null) {
            throw new NullPointerException("action can't be null");
        }