001: /*
002: * @(#)UnresolvedPermission.java 1.24 06/10/10
003: *
004: * Copyright 1990-2006 Sun Microsystems, Inc. All Rights Reserved.
005: * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER
006: *
007: * This program is free software; you can redistribute it and/or
008: * modify it under the terms of the GNU General Public License version
009: * 2 only, as published by the Free Software Foundation.
010: *
011: * This program is distributed in the hope that it will be useful, but
012: * WITHOUT ANY WARRANTY; without even the implied warranty of
013: * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
014: * General Public License version 2 for more details (a copy is
015: * included at /legal/license.txt).
016: *
017: * You should have received a copy of the GNU General Public License
018: * version 2 along with this work; if not, write to the Free Software
019: * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
020: * 02110-1301 USA
021: *
022: * Please contact Sun Microsystems, Inc., 4150 Network Circle, Santa
023: * Clara, CA 95054 or visit www.sun.com if you need additional
024: * information or have any questions.
025: *
026: */
027:
028: package java.security;
029:
030: import java.io.IOException;
031: import java.io.ByteArrayInputStream;
032: import java.util.ArrayList;
033: import java.util.Enumeration;
034: import java.util.Hashtable;
035: import java.util.Vector;
036: import java.lang.reflect.*;
037: import java.security.cert.*;
038:
039: /**
040: * The UnresolvedPermission class is used to hold Permissions that
041: * were "unresolved" when the Policy was initialized.
042: * An unresolved permission is one whose actual Permission class
043: * does not yet exist at the time the Policy is initialized (see below).
044: *
045: * <p>The policy for a Java runtime (specifying
046: * which permissions are available for code from various principals)
047: * is represented by a Policy object.
048: * Whenever a Policy is initialized or refreshed, Permission objects of
049: * appropriate classes are created for all permissions
050: * allowed by the Policy.
051: *
052: * <p>Many permission class types
053: * referenced by the policy configuration are ones that exist
054: * locally (i.e., ones that can be found on CLASSPATH).
055: * Objects for such permissions can be instantiated during
056: * Policy initialization. For example, it is always possible
057: * to instantiate a java.io.FilePermission, since the
058: * FilePermission class is found on the CLASSPATH.
059: *
060: * <p>Other permission classes may not yet exist during Policy
061: * initialization. For example, a referenced permission class may
062: * be in a JAR file that will later be loaded.
063: * For each such class, an UnresolvedPermission is instantiated.
064: * Thus, an UnresolvedPermission is essentially a "placeholder"
065: * containing information about the permission.
066: *
067: * <p>Later, when code calls AccessController.checkPermission
068: * on a permission of a type that was previously unresolved,
069: * but whose class has since been loaded, previously-unresolved
070: * permissions of that type are "resolved". That is,
071: * for each such UnresolvedPermission, a new object of
072: * the appropriate class type is instantiated, based on the
073: * information in the UnresolvedPermission.
074: *
075: * <p> To instantiate the new class, UnresolvedPermission assumes
076: * the class provides a zero, one, and/or two-argument constructor.
077: * The zero-argument constructor would be used to instantiate
078: * a permission without a name and without actions.
079: * A one-arg constructor is assumed to take a <code>String</code>
080: * name as input, and a two-arg constructor is assumed to take a
081: * <code>String</code> name and <code>String</code> actions
082: * as input. UnresolvedPermission may invoke a
083: * constructor with a <code>null</code> name and/or actions.
084: * If an appropriate permission constructor is not available,
085: * the UnresolvedPermission is ignored and the relevant permission
086: * will not be granted to executing code.
087: *
088: * <p> The newly created permission object replaces the
089: * UnresolvedPermission, which is removed.
090: *
091: * @see java.security.Permission
092: * @see java.security.Permissions
093: * @see java.security.PermissionCollection
094: * @see java.security.Policy
095: *
096: * @version 1.17 00/02/02
097: *
098: * @author Roland Schemers
099: */
100:
101: public final class UnresolvedPermission extends Permission implements
102: java.io.Serializable {
103: private static final sun.security.util.Debug debug = sun.security.util.Debug
104: .getInstance("policy,access", "UnresolvedPermission");
105:
106: /**
107: * The class name of the Permission class that will be
108: * created when this unresolved permission is resolved.
109: *
110: * @serial
111: */
112: private String type;
113:
114: /**
115: * The permission name.
116: *
117: * @serial
118: */
119: private String name;
120:
121: /**
122: * The actions of the permission.
123: *
124: * @serial
125: */
126: private String actions;
127:
128: private transient java.security.cert.Certificate certs[];
129:
130: /**
131: * Creates a new UnresolvedPermission containing the permission
132: * information needed later to actually create a Permission of the
133: * specified class, when the permission is resolved.
134: *
135: * @param type the class name of the Permission class that will be
136: * created when this unresolved permission is resolved.
137: * @param name the name of the permission.
138: * @param actions the actions of the permission.
139: * @param certs the certificates the permission's class was signed with.
140: * This is a list of certificate chains, where each chain is composed of a
141: * signer certificate and optionally its supporting certificate chain.
142: * Each chain is ordered bottom-to-top (i.e., with the signer certificate
143: * first and the (root) certificate authority last).
144: */
145: public UnresolvedPermission(String type, String name,
146: String actions, java.security.cert.Certificate certs[]) {
147: super (type);
148:
149: if (type == null)
150: throw new NullPointerException("type can't be null");
151:
152: this .type = type;
153: this .name = name;
154: this .actions = actions;
155: if (certs != null) {
156: // Extract the signer certs from the list of certificates.
157: for (int i = 0; i < certs.length; i++) {
158: if (!(certs[i] instanceof X509Certificate)) {
159: // there is no concept of signer certs, so we store the
160: // entire cert array
161: this .certs = (java.security.cert.Certificate[]) certs
162: .clone();
163: break;
164: }
165: }
166:
167: if (this .certs == null) {
168: // Go through the list of certs and see if all the certs are
169: // signer certs.
170: int i = 0;
171: int count = 0;
172: while (i < certs.length) {
173: count++;
174: while (((i + 1) < certs.length)
175: && ((X509Certificate) certs[i])
176: .getIssuerDN()
177: .equals(
178: ((X509Certificate) certs[i + 1])
179: .getSubjectDN())) {
180: i++;
181: }
182: i++;
183: }
184: if (count == certs.length) {
185: // All the certs are signer certs, so we store the entire
186: // array
187: this .certs = (java.security.cert.Certificate[]) certs
188: .clone();
189: }
190:
191: if (this .certs == null) {
192: // extract the signer certs
193: ArrayList signerCerts = new ArrayList();
194: i = 0;
195: while (i < certs.length) {
196: signerCerts.add(certs[i]);
197: while (((i + 1) < certs.length)
198: && ((X509Certificate) certs[i])
199: .getIssuerDN()
200: .equals(
201: ((X509Certificate) certs[i + 1])
202: .getSubjectDN())) {
203: i++;
204: }
205: i++;
206: }
207: this .certs = new java.security.cert.Certificate[signerCerts
208: .size()];
209: signerCerts.toArray(this .certs);
210: }
211: }
212: }
213: }
214:
215: private static final Class[] PARAMS0 = {};
216: private static final Class[] PARAMS1 = { String.class };
217: private static final Class[] PARAMS2 = { String.class, String.class };
218:
219: /**
220: * try and resolve this permission using the class loader of the permission
221: * that was passed in.
222: */
223: Permission resolve(Permission p,
224: java.security.cert.Certificate certs[]) {
225: if (this .certs != null) {
226: // if p wasn't signed, we don't have a match
227: if (certs == null) {
228: return null;
229: }
230:
231: // all certs in this.certs must be present in certs
232: boolean match;
233: for (int i = 0; i < this .certs.length; i++) {
234: match = false;
235: for (int j = 0; j < certs.length; j++) {
236: if (this .certs[i].equals(certs[j])) {
237: match = true;
238: break;
239: }
240: }
241: if (!match)
242: return null;
243: }
244: }
245: try {
246: Class pc = p.getClass();
247:
248: if (name == null && actions == null) {
249: try {
250: Constructor c = pc.getConstructor(PARAMS0);
251: return (Permission) c.newInstance(new Object[] {});
252: } catch (NoSuchMethodException ne) {
253: try {
254: Constructor c = pc.getConstructor(PARAMS1);
255: return (Permission) c
256: .newInstance(new Object[] { name });
257: } catch (NoSuchMethodException ne1) {
258: Constructor c = pc.getConstructor(PARAMS2);
259: return (Permission) c.newInstance(new Object[] {
260: name, actions });
261: }
262: }
263: } else {
264: if (name != null && actions == null) {
265: try {
266: Constructor c = pc.getConstructor(PARAMS1);
267: return (Permission) c
268: .newInstance(new Object[] { name });
269: } catch (NoSuchMethodException ne) {
270: Constructor c = pc.getConstructor(PARAMS2);
271: return (Permission) c.newInstance(new Object[] {
272: name, actions });
273: }
274: } else {
275: Constructor c = pc.getConstructor(PARAMS2);
276: return (Permission) c.newInstance(new Object[] {
277: name, actions });
278: }
279: }
280: } catch (NoSuchMethodException nsme) {
281: if (debug != null) {
282: debug
283: .println("NoSuchMethodException:\n could not find "
284: + "proper constructor for " + type);
285: nsme.printStackTrace();
286: }
287: return null;
288: } catch (Exception e) {
289: if (debug != null) {
290: debug.println("unable to instantiate " + name);
291: e.printStackTrace();
292: }
293: return null;
294: }
295: }
296:
297: /**
298: * This method always returns false for unresolved permissions.
299: * That is, an UnresolvedPermission is never considered to
300: * imply another permission.
301: *
302: * @param p the permission to check against.
303: *
304: * @return false.
305: */
306: public boolean implies(Permission p) {
307: return false;
308: }
309:
310: /**
311: * Checks two UnresolvedPermission objects for equality.
312: * Checks that <i>obj</i> is an UnresolvedPermission, and has
313: * the same type (class) name, permission name, actions, and
314: * certificates as this object.
315: *
316: * @param obj the object we are testing for equality with this object.
317: *
318: * @return true if obj is an UnresolvedPermission, and has the same
319: * type (class) name, permission name, actions, and
320: * certificates as this object.
321: */
322: public boolean equals(Object obj) {
323: if (obj == this )
324: return true;
325:
326: if (!(obj instanceof UnresolvedPermission))
327: return false;
328: UnresolvedPermission that = (UnresolvedPermission) obj;
329:
330: // check type
331: if (!this .type.equals(that.type)) {
332: return false;
333: }
334:
335: // check name
336: if (this .name == null) {
337: if (that.name != null) {
338: return false;
339: }
340: } else if (!this .name.equals(that.name)) {
341: return false;
342: }
343:
344: // check actions
345: if (this .actions == null) {
346: if (that.actions != null) {
347: return false;
348: }
349: } else {
350: if (!this .actions.equals(that.actions)) {
351: return false;
352: }
353: }
354:
355: // check certs
356: if ((this .certs == null && that.certs != null)
357: || (this .certs != null && that.certs == null)
358: || (this .certs != null && that.certs != null && this .certs.length != that.certs.length)) {
359: return false;
360: }
361:
362: int i, j;
363: boolean match;
364:
365: for (i = 0; this .certs != null && i < this .certs.length; i++) {
366: match = false;
367: for (j = 0; j < that.certs.length; j++) {
368: if (this .certs[i].equals(that.certs[j])) {
369: match = true;
370: break;
371: }
372: }
373: if (!match)
374: return false;
375: }
376:
377: for (i = 0; that.certs != null && i < that.certs.length; i++) {
378: match = false;
379: for (j = 0; j < this .certs.length; j++) {
380: if (that.certs[i].equals(this .certs[j])) {
381: match = true;
382: break;
383: }
384: }
385: if (!match)
386: return false;
387: }
388: return true;
389: }
390:
391: /**
392: * Returns the hash code value for this object.
393: *
394: * @return a hash code value for this object.
395: */
396:
397: public int hashCode() {
398: int hash = type.hashCode();
399: if (name != null)
400: hash ^= name.hashCode();
401: if (actions != null)
402: hash ^= actions.hashCode();
403: return hash;
404: }
405:
406: /**
407: * Returns the canonical string representation of the actions,
408: * which currently is the empty string "", since there are no actions for
409: * an UnresolvedPermission. That is, the actions for the
410: * permission that will be created when this UnresolvedPermission
411: * is resolved may be non-null, but an UnresolvedPermission
412: * itself is never considered to have any actions.
413: *
414: * @return the empty string "".
415: */
416: public String getActions() {
417: return "";
418: }
419:
420: /**
421: * Returns a string describing this UnresolvedPermission. The convention
422: * is to specify the class name, the permission name, and the actions, in
423: * the following format: '(unresolved "ClassName" "name" "actions")'.
424: *
425: * @return information about this UnresolvedPermission.
426: */
427: public String toString() {
428: return "(unresolved " + type + " " + name + " " + actions + ")";
429: }
430:
431: /**
432: * Returns a new PermissionCollection object for storing
433: * UnresolvedPermission objects.
434: * <p>
435: * @return a new PermissionCollection object suitable for
436: * storing UnresolvedPermissions.
437: */
438:
439: public PermissionCollection newPermissionCollection() {
440: return new UnresolvedPermissionCollection();
441: }
442:
443: /**
444: * Writes this object out to a stream (i.e., serializes it).
445: *
446: * @serialData An initial <code>String</code> denoting the
447: * <code>type</code> is followed by a <code>String</code> denoting the
448: * <code>name</code> is followed by a <code>String</code> denoting the
449: * <code>actions</code> is followed by an <code>int</code> indicating the
450: * number of certificates to follow
451: * (a value of "zero" denotes that there are no certificates associated
452: * with this object).
453: * Each certificate is written out starting with a <code>String</code>
454: * denoting the certificate type, followed by an
455: * <code>int</code> specifying the length of the certificate encoding,
456: * followed by the certificate encoding itself which is written out as an
457: * array of bytes.
458: */
459: private synchronized void writeObject(java.io.ObjectOutputStream oos)
460: throws IOException {
461: oos.defaultWriteObject();
462:
463: if (certs == null || certs.length == 0) {
464: oos.writeInt(0);
465: } else {
466: // write out the total number of certs
467: oos.writeInt(certs.length);
468: // write out each cert, including its type
469: for (int i = 0; i < certs.length; i++) {
470: java.security.cert.Certificate cert = certs[i];
471: try {
472: oos.writeUTF(cert.getType());
473: byte[] encoded = cert.getEncoded();
474: oos.writeInt(encoded.length);
475: oos.write(encoded);
476: } catch (CertificateEncodingException cee) {
477: throw new IOException(cee.getMessage());
478: }
479: }
480: }
481: }
482:
483: /**
484: * Restores this object from a stream (i.e., deserializes it).
485: */
486: private synchronized void readObject(java.io.ObjectInputStream ois)
487: throws IOException, ClassNotFoundException {
488: CertificateFactory cf;
489: Hashtable cfs = null;
490:
491: ois.defaultReadObject();
492:
493: if (type == null)
494: throw new NullPointerException("type can't be null");
495:
496: // process any new-style certs in the stream (if present)
497: int size = ois.readInt();
498: if (size > 0) {
499: // we know of 3 different cert types: X.509, PGP, SDSI, which
500: // could all be present in the stream at the same time
501: cfs = new Hashtable(3);
502: this .certs = new java.security.cert.Certificate[size];
503: }
504:
505: for (int i = 0; i < size; i++) {
506: // read the certificate type, and instantiate a certificate
507: // factory of that type (reuse existing factory if possible)
508: String certType = ois.readUTF();
509: if (cfs.containsKey(certType)) {
510: // reuse certificate factory
511: cf = (CertificateFactory) cfs.get(certType);
512: } else {
513: // create new certificate factory
514: try {
515: cf = CertificateFactory.getInstance(certType);
516: } catch (CertificateException ce) {
517: throw new ClassNotFoundException(
518: "Certificate factory for " + certType
519: + " not found");
520: }
521: // store the certificate factory so we can reuse it later
522: cfs.put(certType, cf);
523: }
524: // parse the certificate
525: byte[] encoded = null;
526: try {
527: encoded = new byte[ois.readInt()];
528: } catch (OutOfMemoryError oome) {
529: throw new IOException("Certificate too big");
530: }
531: ois.readFully(encoded);
532: ByteArrayInputStream bais = new ByteArrayInputStream(
533: encoded);
534: try {
535: this .certs[i] = cf.generateCertificate(bais);
536: } catch (CertificateException ce) {
537: throw new IOException(ce.getMessage());
538: }
539: bais.close();
540: }
541: }
542: }
|