policyfile.java
来自「JAVA 所有包」· Java 代码 · 共 1,455 行 · 第 1/3 页
JAVA
1,455 行
if (debug != null) pe.printStackTrace(); } catch (Exception e) { if (debug != null) { debug.println("error parsing "+policy); debug.println(e.toString()); e.printStackTrace(); } } } /* * Fast path reading from file urls in order to avoid calling * FileURLConnection.connect() which can be quite slow the first time * it is called. We really should clean up FileURLConnection so that * this is not a problem but in the meantime this fix helps reduce * start up time noticeably for the new launcher. -- DAC */ private InputStream getInputStream(URL url) throws IOException { if ("file".equals(url.getProtocol())) { String path = url.getFile().replace('/', File.separatorChar); return new FileInputStream(path); } else { return url.openStream(); } } /** * Given a PermissionEntry, create a codeSource. * * @return null if signedBy alias is not recognized */ CodeSource getCodeSource(PolicyParser.GrantEntry ge, KeyStore keyStore) throws java.net.MalformedURLException { Certificate[] certs = null; if (ge.signedBy != null) { certs = getCertificates(keyStore, ge.signedBy); if (certs == null) { // we don't have a key for this alias, // just return if (debug != null) { debug.println(" no certs for alias " + ge.signedBy + ", ignoring."); } return null; } } URL location; if (ge.codeBase != null) location = new URL(ge.codeBase); else location = null; if (ge.principals == null || ge.principals.size() == 0) { return (canonicalizeCodebase (new CodeSource(location, certs), false)); } else { return (canonicalizeCodebase (new SubjectCodeSource(null, ge.principals, location, certs), false)); } } /** * Add one policy entry to the vector. */ private void addGrantEntry(PolicyParser.GrantEntry ge, KeyStore keyStore) { if (debug != null) { debug.println("Adding policy entry: "); debug.println(" signedBy " + ge.signedBy); debug.println(" codeBase " + ge.codeBase); if (ge.principals != null && ge.principals.size() > 0) { ListIterator li = ge.principals.listIterator(); while (li.hasNext()) { PolicyParser.PrincipalEntry pppe = (PolicyParser.PrincipalEntry)li.next(); debug.println(" " + pppe.principalClass + " " + pppe.principalName); } } debug.println(); } try { CodeSource codesource = getCodeSource(ge, keyStore); // skip if signedBy alias was unknown... if (codesource == null) return; PolicyEntry entry = new PolicyEntry(codesource); Enumeration enum_ = ge.permissionElements(); while (enum_.hasMoreElements()) { PolicyParser.PermissionEntry pe = (PolicyParser.PermissionEntry) enum_.nextElement(); try { // XXX special case PrivateCredentialPermission-SELF Permission perm; if (pe.permission.equals ("javax.security.auth.PrivateCredentialPermission") && pe.name.endsWith(" self")) { perm = getInstance(pe.permission, pe.name + " \"self\"", pe.action); } else { perm = getInstance(pe.permission, pe.name, pe.action); } entry.add(perm); if (debug != null) { debug.println(" "+perm); } } catch (ClassNotFoundException cnfe) { Certificate certs[]; if (pe.signedBy != null) certs = getCertificates(keyStore, pe.signedBy); else certs = null; // only add if we had no signer or we had a // a signer and found the keys for it. if (certs != null || pe.signedBy == null) { Permission perm = new UnresolvedPermission( pe.permission, pe.name, pe.action, certs); entry.add(perm); if (debug != null) { debug.println(" "+perm); } } } catch (java.lang.reflect.InvocationTargetException ite) { System.err.println (AUTH_POLICY + rb.getString(": error adding Permission ") + pe.permission + rb.getString(" ") + ite.getTargetException()); } catch (Exception e) { System.err.println (AUTH_POLICY + rb.getString(": error adding Permission ") + pe.permission + rb.getString(" ") + e); } } policyEntries.addElement(entry); } catch (Exception e) { System.err.println (AUTH_POLICY + rb.getString(": error adding Entry ") + ge + rb.getString(" ") + e); } if (debug != null) debug.println(); } /** * Returns a new Permission object of the given Type. The Permission is * created by getting the * Class object using the <code>Class.forName</code> method, and using * the reflection API to invoke the (String name, String actions) * constructor on the * object. * * @param type the type of Permission being created. * @param name the name of the Permission being created. * @param actions the actions of the Permission being created. * * @exception ClassNotFoundException if the particular Permission * class could not be found. * * @exception IllegalAccessException if the class or initializer is * not accessible. * * @exception InstantiationException if getInstance tries to * instantiate an abstract class or an interface, or if the * instantiation fails for some other reason. * * @exception NoSuchMethodException if the (String, String) constructor * is not found. * * @exception InvocationTargetException if the underlying Permission * constructor throws an exception. * */ private static final Permission getInstance(String type, String name, String actions) throws ClassNotFoundException, InstantiationException, IllegalAccessException, NoSuchMethodException, InvocationTargetException { //XXX we might want to keep a hash of created factories... Class pc = Class.forName(type); Constructor c = pc.getConstructor(PARAMS); return (Permission) c.newInstance(new Object[] { name, actions }); } /** * Fetch all certs associated with this alias. */ Certificate[] getCertificates( KeyStore keyStore, String aliases) { Vector vcerts = null; StringTokenizer st = new StringTokenizer(aliases, ","); int n = 0; while (st.hasMoreTokens()) { String alias = st.nextToken().trim(); n++; Certificate cert = null; //See if this alias's cert has already been cached cert = (Certificate) aliasMapping.get(alias); if (cert == null && keyStore != null) { try { cert = keyStore.getCertificate(alias); } catch (KeyStoreException kse) { // never happens, because keystore has already been loaded // when we call this } if (cert != null) { aliasMapping.put(alias, cert); aliasMapping.put(cert, alias); } } if (cert != null) { if (vcerts == null) vcerts = new Vector(); vcerts.addElement(cert); } } // make sure n == vcerts.size, since we are doing a logical *and* if (vcerts != null && n == vcerts.size()) { Certificate[] certs = new Certificate[vcerts.size()]; vcerts.copyInto(certs); return certs; } else { return null; } } /** * Enumerate all the entries in the global policy object. * This method is used by policy admin tools. The tools * should use the Enumeration methods on the returned object * to fetch the elements sequentially. */ private final synchronized Enumeration elements(){ return policyEntries.elements(); } /** * Examines this <code>Policy</code> and returns the Permissions granted * to the specified <code>Subject</code> and <code>CodeSource</code>. * * <p> Permissions for a particular <i>grant</i> entry are returned * if the <code>CodeSource</code> constructed using the codebase and * signedby values specified in the entry <code>implies</code> * the <code>CodeSource</code> provided to this method, and if the * <code>Subject</code> provided to this method contains all of the * Principals specified in the entry. * * <p> The <code>Subject</code> provided to this method contains all * of the Principals specified in the entry if, for each * <code>Principal</code>, "P1", specified in the <i>grant</i> entry * one of the following two conditions is met: * * <p> * <ol> * <li> the <code>Subject</code> has a * <code>Principal</code>, "P2", where * <code>P2.getClass().getName()</code> equals the * P1's class name, and where * <code>P2.getName()</code> equals the P1's name. * * <li> P1 implements * <code>com.sun.security.auth.PrincipalComparator</code>, * and <code>P1.implies</code> the provided <code>Subject</code>. * </ol> * * <p> Note that this <code>Policy</code> implementation has * special handling for PrivateCredentialPermissions. * When this method encounters a <code>PrivateCredentialPermission</code> * which specifies "self" as the <code>Principal</code> class and name, * it does not add that <code>Permission</code> to the returned * <code>PermissionCollection</code>. Instead, it builds * a new <code>PrivateCredentialPermission</code> * for each <code>Principal</code> associated with the provided * <code>Subject</code>. Each new <code>PrivateCredentialPermission</code> * contains the same Credential class as specified in the * originally granted permission, as well as the Class and name * for the respective <code>Principal</code>. * * <p> * * @param subject the Permissions granted to this <code>Subject</code> * and the additionally provided <code>CodeSource</code> * are returned. <p> * * @param codesource the Permissions granted to this <code>CodeSource</code> * and the additionally provided <code>Subject</code> * are returned. * * @return the Permissions granted to the provided <code>Subject</code> * <code>CodeSource</code>. */ public PermissionCollection getPermissions(final Subject subject, final CodeSource codesource) { // XXX when JAAS goes into the JDK core, // we can remove this method and simply // rely on the getPermissions variant that takes a codesource, // which no one can use at this point in time. // at that time, we can also make SubjectCodeSource a public // class. // XXX // // 1) if code instantiates PolicyFile directly, then it will need // all the permissions required for the PolicyFile initialization // 2) if code calls Policy.getPolicy, then it simply needs // AuthPermission(getPolicy), and the javax.security.auth.Policy // implementation instantiates PolicyFile in a doPrivileged block // 3) if after instantiating a Policy (either via #1 or #2), // code calls getPermissions, PolicyFile wraps the call // in a doPrivileged block. return (PermissionCollection)java.security.AccessController.doPrivileged (new java.security.PrivilegedAction() { public Object run() { SubjectCodeSource scs = new SubjectCodeSource (subject, null, codesource == null ? null : codesource.getLocation(), codesource == null ? null : codesource.getCertificates()); if (initialized) return getPermissions(new Permissions(), scs); else return new PolicyPermissions(PolicyFile.this, scs); } }); } /** * Examines the global policy for the specified CodeSource, and * creates a PermissionCollection object with * the set of permissions for that principal's protection domain. * * @param CodeSource the codesource associated with the caller. * This encapsulates the original location of the code (where the code * came from) and the public key(s) of its signer. * * @return the set of permissions according to the policy. */ PermissionCollection getPermissions(CodeSource codesource) { if (initialized) return getPermissions(new Permissions(), codesource); else return new PolicyPermissions(this, codesource); } /** * Examines the global policy for the specified CodeSource, and * creates a PermissionCollection object with * the set of permissions for that principal's protection domain. * * @param permissions the permissions to populate * @param codesource the codesource associated with the caller. * This encapsulates the original location of the code (where the code * came from) and the public key(s) of its signer. * * @return the set of permissions according to the policy. */ Permissions getPermissions(final Permissions perms, final CodeSource cs) { if (!initialized) { init(); } final CodeSource codesource[] = {null}; codesource[0] = canonicalizeCodebase(cs, true); if (debug != null) { debug.println("evaluate("+codesource[0]+")\n"); } // needs to be in a begin/endPrivileged block because // codesource.implies calls URL.equals which does an // InetAddress lookup for (int i = 0; i < policyEntries.size(); i++) { PolicyEntry entry = (PolicyEntry)policyEntries.elementAt(i); if (debug != null) { debug.println("PolicyFile CodeSource implies: " + entry.codesource.toString() + "\n\n" + "\t" + codesource[0].toString() + "\n\n"); } if (entry.codesource.implies(codesource[0])) { for (int j = 0; j < entry.permissions.size(); j++) { Permission p = (Permission) entry.permissions.elementAt(j); if (debug != null) { debug.println(" granting " + p); } if (!addSelfPermissions(p, entry.codesource, codesource[0], perms)) { // we could check for duplicates // before adding new permissions, // but the SubjectDomainCombiner // already checks for duplicates later perms.add(p); } } } } // now see if any of the keys are trusted ids. if (!ignoreIdentityScope) { Certificate certs[] = codesource[0].getCertificates(); if (certs != null) { for (int k=0; k < certs.length; k++) { if ((aliasMapping.get(certs[k]) == null) && checkForTrustedIdentity(certs[k])) { // checkForTrustedIdentity added it // to the policy for us. next time // around we'll find it. This time // around we need to add it. perms.add(new java.security.AllPermission()); } } } } return perms; } /** * Returns true if 'Self' permissions were added to the provided * 'perms', and false otherwise. * * <p> * * @param p check to see if this Permission is a "SELF" * PrivateCredentialPermission. <p> * * @param entryCs the codesource for the Policy entry. * * @param accCs the codesource for from the current AccessControlContext. * * @param perms the PermissionCollection where the individual * PrivateCredentialPermissions will be added. */ private boolean addSelfPermissions(final Permission p, CodeSource entryCs, CodeSource accCs, Permissions perms) { if (!(p instanceof PrivateCredentialPermission)) return false;⌨️ 快捷键说明
复制代码Ctrl + C
搜索代码Ctrl + F
全屏模式F11
增大字号Ctrl + =
减小字号Ctrl + -
显示快捷键?