policyfile.java
来自「JAVA 所有包」· Java 代码 · 共 1,455 行 · 第 1/3 页
JAVA
1,455 行
if (!(entryCs instanceof SubjectCodeSource)) return false; PrivateCredentialPermission pcp = (PrivateCredentialPermission)p; SubjectCodeSource scs = (SubjectCodeSource)entryCs; // see if it is a SELF permission String[][] pPrincipals = pcp.getPrincipals(); if (pPrincipals.length <= 0 || !pPrincipals[0][0].equalsIgnoreCase("self") || !pPrincipals[0][1].equalsIgnoreCase("self")) { // regular PrivateCredentialPermission return false; } else { // granted a SELF permission - create a // PrivateCredentialPermission for each // of the Policy entry's CodeSource Principals if (scs.getPrincipals() == null) { // XXX SubjectCodeSource has no Subject??? return true; } ListIterator pli = scs.getPrincipals().listIterator(); while (pli.hasNext()) { PolicyParser.PrincipalEntry principal = (PolicyParser.PrincipalEntry)pli.next(); // XXX // if the Policy entry's Principal does not contain a // WILDCARD for the Principal name, then a // new PrivateCredentialPermission is created // for the Principal listed in the Policy entry. // if the Policy entry's Principal contains a WILDCARD // for the Principal name, then a new // PrivateCredentialPermission is created // for each Principal associated with the Subject // in the current ACC. String[][] principalInfo = getPrincipalInfo (principal, accCs); for (int i = 0; i < principalInfo.length; i++) { // here's the new PrivateCredentialPermission PrivateCredentialPermission newPcp = new PrivateCredentialPermission (pcp.getCredentialClass() + " " + principalInfo[i][0] + " " + "\"" + principalInfo[i][1] + "\"", "read"); if (debug != null) { debug.println("adding SELF permission: " + newPcp.toString()); } perms.add(newPcp); } } } return true; } /** * return the principal class/name pair in the 2D array. * array[x][y]: x corresponds to the array length. * if (y == 0), it's the principal class. * if (y == 1), it's the principal name. */ private String[][] getPrincipalInfo (PolicyParser.PrincipalEntry principal, final CodeSource accCs) { // there are 3 possibilities: // 1) the entry's Principal class and name are not wildcarded // 2) the entry's Principal name is wildcarded only // 3) the entry's Principal class and name are wildcarded if (!principal.principalClass.equals (PolicyParser.PrincipalEntry.WILDCARD_CLASS) && !principal.principalName.equals (PolicyParser.PrincipalEntry.WILDCARD_NAME)) { // build a PrivateCredentialPermission for the principal // from the Policy entry String[][] info = new String[1][2]; info[0][0] = principal.principalClass; info[0][1] = principal.principalName; return info; } else if (!principal.principalClass.equals (PolicyParser.PrincipalEntry.WILDCARD_CLASS) && principal.principalName.equals (PolicyParser.PrincipalEntry.WILDCARD_NAME)) { // build a PrivateCredentialPermission for all // the Subject's principals that are instances of principalClass // the accCs is guaranteed to be a SubjectCodeSource // because the earlier CodeSource.implies succeeded SubjectCodeSource scs = (SubjectCodeSource)accCs; Set principalSet = null; try { Class pClass = Class.forName(principal.principalClass, false, ClassLoader.getSystemClassLoader()); principalSet = scs.getSubject().getPrincipals(pClass); } catch (Exception e) { if (debug != null) { debug.println("problem finding Principal Class " + "when expanding SELF permission: " + e.toString()); } } if (principalSet == null) { // error return new String[0][0]; } String[][] info = new String[principalSet.size()][2]; java.util.Iterator pIterator = principalSet.iterator(); int i = 0; while (pIterator.hasNext()) { Principal p = (Principal)pIterator.next(); info[i][0] = p.getClass().getName(); info[i][1] = p.getName(); i++; } return info; } else { // build a PrivateCredentialPermission for every // one of the current Subject's principals // the accCs is guaranteed to be a SubjectCodeSource // because the earlier CodeSource.implies succeeded SubjectCodeSource scs = (SubjectCodeSource)accCs; Set principalSet = scs.getSubject().getPrincipals(); String[][] info = new String[principalSet.size()][2]; java.util.Iterator pIterator = principalSet.iterator(); int i = 0; while (pIterator.hasNext()) { Principal p = (Principal)pIterator.next(); info[i][0] = p.getClass().getName(); info[i][1] = p.getName(); i++; } return info; } } /* * Returns the signer certificates from the list of certificates associated * with the given code source. * * The signer certificates are those certificates that were used to verify * signed code originating from the codesource location. * * This method assumes that in the given code source, each signer * certificate is followed by its supporting certificate chain * (which may be empty), and that the signer certificate and its * supporting certificate chain are ordered bottom-to-top (i.e., with the * signer certificate first and the (root) certificate authority last). */ Certificate[] getSignerCertificates(CodeSource cs) { Certificate[] certs = null; if ((certs = cs.getCertificates()) == null) return null; for (int i=0; i<certs.length; i++) { if (!(certs[i] instanceof X509Certificate)) return cs.getCertificates(); } // Do we have to do anything? int i = 0; int count = 0; while (i < certs.length) { count++; while (((i+1) < certs.length) && ((X509Certificate)certs[i]).getIssuerDN().equals( ((X509Certificate)certs[i+1]).getSubjectDN())) { i++; } i++; } if (count == certs.length) // Done return certs; ArrayList userCertList = new ArrayList(); i = 0; while (i < certs.length) { userCertList.add(certs[i]); while (((i+1) < certs.length) && ((X509Certificate)certs[i]).getIssuerDN().equals( ((X509Certificate)certs[i+1]).getSubjectDN())) { i++; } i++; } Certificate[] userCerts = new Certificate[userCertList.size()]; userCertList.toArray(userCerts); return userCerts; } private CodeSource canonicalizeCodebase(CodeSource cs, boolean extractSignerCerts) { CodeSource canonCs = cs; if (cs.getLocation() != null && cs.getLocation().getProtocol().equalsIgnoreCase("file")) { try { String path = cs.getLocation().getFile().replace ('/', File.separatorChar); URL csUrl = null; if (path.endsWith("*")) { // remove trailing '*' because it causes canonicalization // to fail on win32 path = path.substring(0, path.length()-1); boolean appendFileSep = false; if (path.endsWith(File.separator)) appendFileSep = true; if (path.equals("")) { path = System.getProperty("user.dir"); } File f = new File(path); path = f.getCanonicalPath(); StringBuffer sb = new StringBuffer(path); // reappend '*' to canonicalized filename (note that // canonicalization may have removed trailing file // separator, so we have to check for that, too) if (!path.endsWith(File.separator) && (appendFileSep || f.isDirectory())) sb.append(File.separatorChar); sb.append('*'); path = sb.toString(); } else { path = new File(path).getCanonicalPath(); } csUrl = new File(path).toURL(); if (cs instanceof SubjectCodeSource) { SubjectCodeSource scs = (SubjectCodeSource)cs; if (extractSignerCerts) { canonCs = new SubjectCodeSource (scs.getSubject(), scs.getPrincipals(), csUrl, getSignerCertificates(scs)); } else { canonCs = new SubjectCodeSource (scs.getSubject(), scs.getPrincipals(), csUrl, scs.getCertificates()); } } else { if (extractSignerCerts) { canonCs = new CodeSource(csUrl, getSignerCertificates(cs)); } else { canonCs = new CodeSource(csUrl, cs.getCertificates()); } } } catch (IOException ioe) { // leave codesource as it is, unless we have to extract its // signer certificates if (extractSignerCerts) { if (!(cs instanceof SubjectCodeSource)) { canonCs = new CodeSource(cs.getLocation(), getSignerCertificates(cs)); } else { SubjectCodeSource scs = (SubjectCodeSource)cs; canonCs = new SubjectCodeSource(scs.getSubject(), scs.getPrincipals(), scs.getLocation(), getSignerCertificates(scs)); } } } } else { if (extractSignerCerts) { if (!(cs instanceof SubjectCodeSource)) { canonCs = new CodeSource(cs.getLocation(), getSignerCertificates(cs)); } else { SubjectCodeSource scs = (SubjectCodeSource)cs; canonCs = new SubjectCodeSource(scs.getSubject(), scs.getPrincipals(), scs.getLocation(), getSignerCertificates(scs)); } } } return canonCs; } /** * Each entry in the policy configuration file is represented by a * PolicyEntry object. <p> * * A PolicyEntry is a (CodeSource,Permission) pair. The * CodeSource contains the (URL, PublicKey) that together identify * where the Java bytecodes come from and who (if anyone) signed * them. The URL could refer to localhost. The URL could also be * null, meaning that this policy entry is given to all comers, as * long as they match the signer field. The signer could be null, * meaning the code is not signed. <p> * * The Permission contains the (Type, Name, Action) triplet. <p> * * For now, the Policy object retrieves the public key from the * X.509 certificate on disk that corresponds to the signedBy * alias specified in the Policy config file. For reasons of * efficiency, the Policy object keeps a hashtable of certs already * read in. This could be replaced by a secure internal key * store. * * <p> * For example, the entry * <pre> * permission java.io.File "/tmp", "read,write", * signedBy "Duke"; * </pre> * is represented internally * <pre> * * FilePermission f = new FilePermission("/tmp", "read,write"); * PublicKey p = publickeys.get("Duke"); * URL u = InetAddress.getLocalHost(); * CodeBase c = new CodeBase( p, u ); * pe = new PolicyEntry(f, c); * </pre> * * @author Marianne Mueller * @author Roland Schemers * @version 1.6, 03/04/97 * @see java.security.CodeSource * @see java.security.Policy * @see java.security.Permissions * @see java.security.ProtectionDomain */ private static class PolicyEntry { CodeSource codesource; Vector permissions; /** * Given a Permission and a CodeSource, create a policy entry. * * XXX Decide if/how to add validity fields and "purpose" fields to * XXX policy entries * * @param cs the CodeSource, which encapsulates the URL and the public * key * attributes from the policy config file. Validity checks are * performed on the public key before PolicyEntry is called. * */ PolicyEntry(CodeSource cs) { this.codesource = cs; this.permissions = new Vector(); } /** * add a Permission object to this entry. */ void add(Permission p) { permissions.addElement(p); } /** * Return the CodeSource for this policy entry */ CodeSource getCodeSource() { return this.codesource; } public String toString(){ StringBuffer sb = new StringBuffer(); sb.append(rb.getString("(")); sb.append(getCodeSource()); sb.append("\n"); for (int j = 0; j < permissions.size(); j++) { Permission p = (Permission) permissions.elementAt(j); sb.append(rb.getString(" ")); sb.append(rb.getString(" ")); sb.append(p); sb.append(rb.getString("\n")); } sb.append(rb.getString(")")); sb.append(rb.getString("\n")); return sb.toString(); } }}class PolicyPermissions extends PermissionCollection { private static final long serialVersionUID = -1954188373270545523L; private CodeSource codesource; private Permissions perms; private PolicyFile policy; private boolean notInit; // have we pulled in the policy permissions yet? private Vector additionalPerms; PolicyPermissions(PolicyFile policy, CodeSource codesource) { this.codesource = codesource; this.policy = policy; this.perms = null; this.notInit = true; this.additionalPerms = null; } public void add(Permission permission) { if (isReadOnly()) throw new SecurityException (PolicyFile.rb.getString ("attempt to add a Permission to a readonly PermissionCollection")); if (perms == null) { if (additionalPerms == null) additionalPerms = new Vector(); additionalPerms.add(permission); } else { perms.add(permission); } } private synchronized void init() { if (notInit) { if (perms == null) perms = new Permissions(); if (additionalPerms != null) { Enumeration e = additionalPerms.elements(); while (e.hasMoreElements()) { perms.add((Permission)e.nextElement()); } additionalPerms = null; } policy.getPermissions(perms,codesource); notInit=false; } } public boolean implies(Permission permission) { if (notInit) init(); return perms.implies(permission); } public Enumeration elements() { if (notInit) init(); return perms.elements(); } public String toString() { if (notInit) init(); return perms.toString(); }}⌨️ 快捷键说明
复制代码Ctrl + C
搜索代码Ctrl + F
全屏模式F11
增大字号Ctrl + =
减小字号Ctrl + -
显示快捷键?