1. /*

  2.  * Copyright 2002 Sun Microsystems, Inc. All rights reserved.

  3.  * SUN PROPRIETARY/CONFIDENTIAL. Use is subject to license terms.

  4.  */

  5.  

  6. package javax.security.auth;

  7. 

  8. /**

  9.  * <p> This is an abstract class for representing the system policy for

  10.  * Subject-based authorization.  A subclass implementation

  11.  * of this class provides a means to specify a Subject-based

  12.  * access control <code>Policy</code>.

  13.  *

  14.  * <p> A <code>Policy</code> object can be queried for the set of

  15.  * Permissions granted to code running as a 

  16.  * <code>Principal</code> in the following manner:

  17.  *

  18.  * <pre>

  19.  *	policy = Policy.getPolicy();

  20.  *	PermissionCollection perms = policy.getPermissions(subject,

  21.  *							codeSource);

  22.  * </pre>

  23.  *

  24.  * The <code>Policy</code> object consults the local policy and returns

  25.  * and appropriate <code>Permissions</code> object with the

  26.  * Permissions granted to the Principals associated with the

  27.  * provided <i>subject</i>, and granted to the code specified

  28.  * by the provided <i>codeSource</i>.

  29.  *

  30.  * <p> A <code>Policy</code> contains the following information.

  31.  * Note that this example only represents the syntax for the default

  32.  * <code>Policy</code> implementation.  Subclass implementations of this class

  33.  * may implement alternative syntaxes and may retrieve the

  34.  * <code>Policy</code> from any source such as files, databases,

  35.  * or servers.

  36.  *

  37.  * <p> Each entry in the <code>Policy</code> is represented as

  38.  * a <b><i>grant</i></b> entry.  Each <b><i>grant</i></b> entry

  39.  * specifies a codebase, code signers, and Principals triplet,

  40.  * as well as the Permissions granted to that triplet.

  41.  *

  42.  * <pre>

  43.  *	grant CodeBase ["URL"], Signedby ["signers"],

  44.  *	      Principal [Principal_Class] "Principal_Name" {

  45.  *	    Permission Permission_Class ["Target_Name"]

  46.  *					[, "Permission_Actions"]

  47.  *					[, signedBy "SignerName"];

  48.  *	};

  49.  * </pre>

  50.  *

  51.  * The CodeBase and Signedby components of the triplet name/value pairs

  52.  * are optional.  If they are not present, then any any codebase will match,

  53.  * and any signer (including unsigned code) will match.

  54.  * For Example,

  55.  *

  56.  * <pre>

  57.  *	grant CodeBase "foo.com", Signedby "foo",

  58.  *	      Principal com.sun.security.auth.SolarisPrincipal "duke" {

  59.  *	    permission java.io.FilePermission "/home/duke", "read, write";

  60.  *	};

  61.  * </pre>

  62.  *

  63.  * This <b><i>grant</i></b> entry specifies that code from "foo.com",

  64.  * signed by "foo', and running as a <code>SolarisPrincipal</code> with the

  65.  * name, duke, has one <code>Permission</code>.  This <code>Permission</code>

  66.  * permits the executing code to read and write files in the directory,

  67.  * "/home/duke".

  68.  *

  69.  * <p> To "run" as a particular <code>Principal</code>,

  70.  * code invokes the <code>Subject.doAs(subject, ...)</code> method.

  71.  * After invoking that method, the code runs as all the Principals

  72.  * associated with the specified <code>Subject</code>.

  73.  * Note that this <code>Policy</code> (and the Permissions

  74.  * granted in this <code>Policy</code>) only become effective

  75.  * after the call to <code>Subject.doAs</code> has occurred.

  76.  *

  77.  * <p> Multiple Principals may be listed within one <b><i>grant</i></b> entry.

  78.  * All the Principals in the grant entry must be associated with

  79.  * the <code>Subject</code> provided to <code>Subject.doAs</code>

  80.  * for that <code>Subject</code> to be granted the specified Permissions.

  81.  *

  82.  * <pre>

  83.  *	grant Principal com.sun.security.auth.SolarisPrincipal "duke",

  84.  *	      Principal com.sun.security.auth.SolarisNumericUserPrincipal "0" {

  85.  *	    permission java.io.FilePermission "/home/duke", "read, write";

  86.  *	    permission java.net.SocketPermission "duke.com", "connect";

  87.  *	};

  88.  * </pre>

  89.  *

  90.  * This entry grants any code running as both "duke" and "0"

  91.  * permission to read and write files in duke's home directory,

  92.  * as well as permission to make socket connections to "duke.com".

  93.  * 

  94.  * <p> Note that non Principal-based grant entries are not permitted

  95.  * in this <code>Policy</code>.  Therefore, grant entries such as:

  96.  *

  97.  * <pre>

  98.  *	grant CodeBase "foo.com", Signedby "foo" {

  99.  *	    permission java.io.FilePermission "/tmp/scratch", "read, write";

  100.  *	};

  101.  * </pre>

  102.  *

  103.  * are rejected.  Such permission must be listed in the

  104.  * <code>java.security.Policy</code>.

  105.  *

  106.  * <p> The default <code>Policy</code> implementation can be changed by

  107.  * setting the value of the "auth.policy.provider" security property

  108.  * (in the Java security properties file) to the fully qualified name of

  109.  * the desired <code>Policy</code> implementation class.

  110.  * The Java security properties file is located in the file named

  111.  * <JAVA_HOME>/lib/security/java.security, where <JAVA_HOME>

  112.  * refers to the directory where the JDK was installed.

  113.  *

  114.  * @version 1.39, 01/25/00

  115.  */

  116. public abstract class Policy {

  117. 

  118.     // XXX

  119.     //	there are two approaches for the JAAS policy implementation:

  120.     //

  121.     //	1) make this a subclass implementation of java.security.Policy,

  122.     //	   where getPermissions takes a SubjectCodeSource,

  123.     //	   and SubjectCodeSource is a public class

  124.     //

  125.     //		this would work, but it would require people to

  126.     //		reconfigure the standard policy.provider to be

  127.     //		javax.security.auth.Policy.

  128.     //		

  129.     //		it also requires SubjectCodeSource to be a public class.

  130.     //		because of the way getPermissions is implemented in

  131.     //		the JDK, there's some ugliness in SubjectCodeSource.

  132.     //		it represents a runtime Subject as a Subject object,

  133.     //		but it must represent Subject from the policy as

  134.     //		a linked list of Principals (because it can't reliably

  135.     //		instantiate a Principal from the information contained

  136.     //		in the Policy).  either exposing this ugliness or

  137.     //		finding a workaround is not palatable.

  138.     //

  139.     //		finally, because of bug 4202504, policy implementations

  140.     //		in standard extensions can't even be specified in

  141.     //		the policy.provider property.

  142.     //

  143.     //  2) have an abstract javax.security.auth.Policy,

  144.     //	   where getPermissions takes a Subject and a CodeSource

  145.     //

  146.     //		the upside of this is that no one has to fiddle with

  147.     //		policy.provider, we can keep the SubjectCodeSource

  148.     //		package private, and we can ignore bug 4202504.

  149.     //

  150.     //		the downside is that until JAAS goes into core,

  151.     //		developers that want to provide their own Policy

  152.     //		implementation will need to provide two subclass

  153.     //		implementations (one for java.security.Policy,

  154.     //		and one for javax.security.auth.Policy).

  155. 

  156.     private static final java.util.ResourceBundle rb =

  157. 	java.util.ResourceBundle.getBundle("com.sun.security.auth.Resources");

  158. 

  159.     private static Policy policy;

  160.     private static ClassLoader sysClassLoader;

  161. 

  162.     static {

  163. 	sysClassLoader =

  164. 		(ClassLoader)java.security.AccessController.doPrivileged

  165.                 (new java.security.PrivilegedAction() {

  166.                 public Object run() {

  167.                     return ClassLoader.getSystemClassLoader();

  168.                 }

  169.         });

  170.     };

  171. 

  172.     /**

  173.      * Sole constructor.  (For invocation by subclass constructors, typically

  174.      * implicit.)

  175.      */

  176.     protected Policy() { }

  177. 

  178.     /**

  179.      * Returns the installed Policy object.

  180.      * This method first calls

  181.      * <code>SecurityManager.checkPermission</code> with the

  182.      * <code>AuthPermission("getPolicy")</code> permission

  183.      * to ensure the caller has permission to get the Policy object.

  184.      *

  185.      * <p>

  186.      *

  187.      * @return the installed Policy.  The return value can not be

  188.      *		<code>null</code>.

  189.      *

  190.      * @exception java.lang.SecurityException if the current thread does not

  191.      *	    have permission to get the Policy object.

  192.      */

  193.     public static Policy getPolicy() {

  194. 	java.lang.SecurityManager sm = System.getSecurityManager();

  195. 	if (sm != null) sm.checkPermission(new AuthPermission("getPolicy"));

  196. 	return getPolicyNoCheck();

  197.     }

  198. 

  199.     /**

  200.      * Returns the installed Policy object, skipping the security check.

  201.      *

  202.      * @return the installed Policy.

  203.      *

  204.      */

  205.     static Policy getPolicyNoCheck() {

  206. 	if (policy == null) {

  207.  

  208. 	    synchronized(Policy.class) {

  209.  

  210. 		if (policy == null) {

  211. 		    String policy_class = null;

  212. 		    policy_class = (String)

  213. 			java.security.AccessController.doPrivileged

  214. 			(new java.security.PrivilegedAction() {

  215. 			public Object run() {

  216. 			    return java.security.Security.getProperty

  217. 				("auth.policy.provider");

  218. 			}

  219. 		    });

  220. 		    if (policy_class == null) {

  221. 			policy_class = "com.sun.security.auth.PolicyFile";

  222. 		    }

  223.  

  224. 		    try {

  225. 			final String finalClass = policy_class;

  226. 			policy = (Policy)

  227. 			    java.security.AccessController.doPrivileged

  228. 			    (new java.security.PrivilegedExceptionAction() {

  229. 			    public Object run() throws ClassNotFoundException,

  230. 						InstantiationException,

  231. 						IllegalAccessException {

  232. 				return Class.forName

  233. 					(finalClass,

  234. 					true,

  235. 					sysClassLoader).newInstance();

  236. 			    }

  237. 			});

  238. 		    } catch (Exception e) {

  239. 			throw new SecurityException

  240. 				(rb.getString

  241. 				("unable to instantiate Subject-based policy"));

  242. 		    }

  243. 		}

  244. 	    }

  245. 	}

  246. 	return policy;

  247.     }

  248. 

  249. 

  250.     /**

  251.      * Sets the system-wide Policy object. This method first calls

  252.      * <code>SecurityManager.checkPermission</code> with the

  253.      * <code>AuthPermission("setPolicy")</code>

  254.      * permission to ensure the caller has permission to set the Policy.

  255.      *

  256.      * <p>

  257.      *

  258.      * @param policy the new system Policy object.

  259.      *

  260.      * @exception java.lang.SecurityException if the current thread does not

  261.      *		have permission to set the Policy.

  262.      */

  263.     public static void setPolicy(Policy policy) {

  264. 	java.lang.SecurityManager sm = System.getSecurityManager();

  265. 	if (sm != null) sm.checkPermission(new AuthPermission("setPolicy"));

  266. 	Policy.policy = policy;

  267.     }

  268. 

  269.     /**

  270.      * Retrieve the Permissions granted to the Principals associated with

  271.      * the specified <code>CodeSource</code>.

  272.      *

  273.      * <p>

  274.      *

  275.      * @param subject the <code>Subject</code>

  276.      *			whose associated Principals,

  277.      *			in conjunction with the provided

  278.      *			<code>CodeSource</code>, determines the Permissions

  279.      *			returned by this method.  This parameter

  280.      *			may be <code>null</code>. <p>

  281.      *

  282.      * @param cs the code specified by its <code>CodeSource</code>

  283.      *			that determines, in conjunction with the provided

  284.      *			<code>Subject</code>, the Permissions

  285.      *			returned by this method.  This parameter may be

  286.      *			<code>null</code>.

  287.      *

  288.      * @return the Collection of Permissions granted to all the

  289.      *			<code>Subject</code> and code specified in

  290.      *			the provided <i>subject</i> and <i>cs</i>

  291.      *			parameters.

  292.      */

  293.     public abstract java.security.PermissionCollection getPermissions

  294. 					(Subject subject,

  295. 					java.security.CodeSource cs);

  296. 

  297.     /**

  298.      * Refresh and reload the Policy.

  299.      *

  300.      * <p>This method causes this object to refresh/reload its current

  301.      * Policy. This is implementation-dependent.

  302.      * For example, if the Policy object is stored in

  303.      * a file, calling <code>refresh</code> will cause the file to be re-read.

  304.      *

  305.      * <p>

  306.      *

  307.      * @exception SecurityException if the caller does not have permission

  308.      *				to refresh the Policy.

  309.      */

  310.     public abstract void refresh();

  311. }