1. /*

  2.  * @(#)SecurityPermission.java	1.21 00/02/02

  3.  *

  4.  * Copyright 1997-2000 Sun Microsystems, Inc. All Rights Reserved.

  5.  * 

  6.  * This software is the proprietary information of Sun Microsystems, Inc.  

  7.  * Use is subject to license terms.

  8.  * 

  9.  */

  10. 

  11. package java.security;

  12. 

  13. import java.security.*;

  14. import java.util.Enumeration;

  15. import java.util.Hashtable;

  16. import java.util.StringTokenizer;

  17. 

  18. /**

  19.  * This class is for security permissions.

  20.  * A SecurityPermission contains a name (also referred to as a "target name")

  21.  * but no actions list; you either have the named permission

  22.  * or you don't.

  23.  * <P>

  24.  * The target name is the name of a security configuration parameter (see below).

  25.  * Currently the SecurityPermission object is used to guard access

  26.  * to the Policy, Security, Provider, Signer, and Identity

  27.  * objects.

  28.  * <P>

  29.  * The following table lists all the possible SecurityPermission target names,

  30.  * and for each provides a description of what the permission allows

  31.  * and a discussion of the risks of granting code the permission.

  32.  * <P>

  33.  *

  34.  * <table border=1 cellpadding=5>

  35.  * <tr>

  36.  * <th>Permission Target Name</th>

  37.  * <th>What the Permission Allows</th>

  38.  * <th>Risks of Allowing this Permission</th>

  39.  * </tr>

  40.  *

  41.  * <tr>

  42.  *   <td>createAccessControlContext</td>

  43.  *   <td>Creation of an AccessControlContext</td>

  44.  *   <td>This allows someone to instantiate an AccessControlContext

  45.  * with a <code>DomainCombiner</code>.  Since DomainCombiners are given

  46.  * a reference to the ProtectionDomains currently on the stack,

  47.  * this could potentially lead to a privacy leak if the DomainCombiner

  48.  * is malicious.</td>

  49.  * </tr>

  50.  *

  51.  * <tr>

  52.  *   <td>getDomainCombiner</td>

  53.  *   <td>Retrieval of an AccessControlContext's DomainCombiner</td>

  54.  *   <td>This allows someone to retrieve an AccessControlContext's

  55.  * <code>DomainCombiner</code>.  Since DomainCombiners may contain

  56.  * sensitive information, this could potentially lead to a privacy leak.</td>

  57.  * </tr>

  58.  *

  59.  * <tr>

  60.  *   <td>getPolicy</td>

  61.  *   <td>Retrieval of the system-wide security policy (specifically, of the

  62.  * currently-installed Policy object)</td>

  63.  *   <td>This allows someone to query the policy via the

  64.  * <code>getPermissions</code> call,

  65.  * which discloses which permissions would be granted to a given CodeSource.

  66.  * While revealing the policy does not compromise the security of

  67.  * the system, it does provide malicious code with additional information

  68.  * which it may use to better aim an attack. It is wise

  69.  * not to divulge more information than necessary.</td>

  70.  * </tr>

  71.  *

  72.  * <tr>

  73.  *   <td>setPolicy</td>

  74.  *   <td>Setting of the system-wide security policy (specifically,

  75.  * the Policy object)</td>

  76.  *   <td>Granting this permission is extremely dangerous, as malicious

  77.  * code may grant itself all the necessary permissions it needs

  78.  * to successfully mount an attack on the system.</td>

  79.  * </tr>

  80.  *

  81.  * <tr>

  82.  *   <td>getProperty.{key}</td>

  83.  *   <td>Retrieval of the security property with the specified key</td>

  84.  *   <td>Depending on the particular key for which access has

  85.  * been granted, the code may have access to the list of security

  86.  * providers, as well as the location of the system-wide and user

  87.  * security policies.  while revealing this information does not

  88.  * compromise the security of the system, it does provide malicious

  89.  * code with additional information which it may use to better aim

  90.  * an attack.

  91. </td>

  92.  * </tr>

  93.  *

  94.  * <tr>

  95.  *   <td>setProperty.{key}</td>

  96.  *   <td>Setting of the security property with the specified key</td>

  97.  *   <td>This could include setting a security provider or defining

  98.  * the location of the the system-wide security policy.  Malicious

  99.  * code that has permission to set a new security provider may

  100.  * set a rogue provider that steals confidential information such

  101.  * as cryptographic private keys. In addition, malicious code with

  102.  * permission to set the location of the system-wide security policy

  103.  * may point it to a security policy that grants the attacker

  104.  * all the necessary permissions it requires to successfully mount

  105.  * an attack on the system.

  106. </td>

  107.  * </tr>

  108.  *

  109.  * <tr>

  110.  *   <td>insertProvider.{provider name}</td>

  111.  *   <td>Addition of a new provider, with the specified name</td>

  112.  *   <td>This would allow somebody to introduce a possibly

  113.  * malicious provider (e.g., one that discloses the private keys passed

  114.  * to it) as the highest-priority provider. This would be possible

  115.  * because the Security object (which manages the installed providers)

  116.  * currently does not check the integrity or authenticity of a provider

  117.  * before attaching it.</td>

  118.  * </tr>

  119.  *

  120.  * <tr>

  121.  *   <td>removeProvider.{provider name}</td>

  122.  *   <td>Removal of the specified provider</td>

  123.  *   <td>This may change the behavior or disable execution of other

  124.  * parts of the program. If a provider subsequently requested by the

  125.  * program has been removed, execution may fail. Also, if the removed

  126.  * provider is not explicitly requested by the rest of the program, but

  127.  * it would normally be the provider chosen when a cryptography service

  128.  * is requested (due to its previous order in the list of providers),

  129.  * a different provider will be chosen instead, or no suitable provider

  130.  * will be found, thereby resulting in program failure.</td>

  131.  * </tr>

  132.  *

  133.  * <tr>

  134.  *   <td>setSystemScope</td>

  135.  *   <td>Setting of the system identity scope</td>

  136.  *   <td>This would allow an attacker to configure the system identity scope with

  137.  * certificates that should not be trusted, thereby granting applet or

  138.  * application code signed with those certificates privileges that

  139.  * would have been denied by the system's original identity scope</td>

  140.  * </tr>

  141.  *

  142.  * <tr>

  143.  *   <td>setIdentityPublicKey</td>

  144.  *   <td>Setting of the public key for an Identity</td>

  145.  *   <td>If the identity is marked as "trusted", this allows an attacker to

  146.  * introduce a different public key (e.g., its own) that is not trusted

  147.  * by the system's identity scope, thereby granting applet or

  148.  * application code signed with that public key privileges that

  149.  * would have been denied otherwise.</td>

  150.  * </tr>

  151.  *

  152.  * <tr>

  153.  *   <td>setIdentityInfo</td>

  154.  *   <td>Setting of a general information string for an Identity</td>

  155.  *   <td>This allows attackers to set the general description for

  156.  * an identity.  This may trick applications into using a different

  157.  * identity than intended or may prevent applications from finding a

  158.  * particular identity.</td>

  159.  * </tr>

  160.  *

  161.  * <tr>

  162.  *   <td>addIdentityCertificate</td>

  163.  *   <td>Addition of a certificate for an Identity</td>

  164.  *   <td>This allows attackers to set a certificate for

  165.  * an identity's public key.  This is dangerous because it affects

  166.  * the trust relationship across the system. This public key suddenly

  167.  * becomes trusted to a wider audience than it otherwise would be.</td>

  168.  * </tr>

  169.  *

  170.  * <tr>

  171.  *   <td>removeIdentityCertificate</td>

  172.  *   <td>Removal of a certificate for an Identity</td>

  173.  *   <td>This allows attackers to remove a certificate for

  174.  * an identity's public key. This is dangerous because it affects

  175.  * the trust relationship across the system. This public key suddenly

  176.  * becomes considered less trustworthy than it otherwise would be.</td>

  177.  * </tr>

  178.  *

  179.  * <tr>

  180.  *  <td>printIdentity</td>

  181.  *  <td>Viewing the name of a principal

  182.  * and optionally the scope in which it is used, and whether

  183.  * or not it is considered "trusted" in that scope</td>

  184.  *  <td>The scope that is printed out may be a filename, in which case

  185.  * it may convey local system information. For example, here's a sample

  186.  * printout of an identity named "carol", who is

  187.  * marked not trusted in the user's identity database:<br>

  188.  *   carol[/home/luehe/identitydb.obj][not trusted]</td>

  189.  *</tr>

  190.  * 

  191.  * <tr>

  192.  *   <td>clearProviderProperties.{provider name}</td>

  193.  *   <td>"Clearing" of a Provider so that it no longer contains the properties

  194.  * used to look up services implemented by the provider</td>

  195.  *   <td>This disables the lookup of services implemented by the provider.

  196.  * This may thus change the behavior or disable execution of other

  197.  * parts of the program that would normally utilize the Provider, as

  198.  * described under the "removeProvider.{provider name}" permission.</td>

  199.  * </tr>

  200.  *

  201.  * <tr>

  202.  *   <td>putProviderProperty.{provider name}</td>

  203.  *   <td>Setting of properties for the specified Provider</td>

  204.  *   <td>The provider properties each specify the name and location

  205.  * of a particular service implemented by the provider. By granting

  206.  * this permission, you let code replace the service specification

  207.  * with another one, thereby specifying a different implementation.</td>

  208.  * </tr>

  209.  *

  210.  * <tr>

  211.  *   <td>removeProviderProperty.{provider name}</td>

  212.  *   <td>Removal of properties from the specified Provider</td>

  213.  *   <td>This disables the lookup of services implemented by the

  214.  * provider. They are no longer accessible due to removal of the properties

  215.  * specifying their names and locations. This

  216.  * may change the behavior or disable execution of other

  217.  * parts of the program that would normally utilize the Provider, as

  218.  * described under the "removeProvider.{provider name}" permission.</td>

  219.  * </tr>

  220.  *

  221.  * <tr>

  222.  *   <td>getSignerPrivateKey</td>

  223.  *   <td>Retrieval of a Signer's private key</td>

  224.  *   <td>It is very dangerous to allow access to a private key; private

  225.  * keys are supposed to be kept secret. Otherwise, code can use the

  226.  * private key to sign various files and claim the signature came from

  227.  * the Signer.</td>

  228.  * </tr>

  229.  *

  230.  * <tr>

  231.  *   <td>setSignerKeyPair</td>

  232.  *   <td>Setting of the key pair (public key and private key) for a Signer</td>

  233.  *   <td>This would allow an attacker to replace somebody else's (the "target's")

  234.  * keypair with a possibly weaker keypair (e.g., a keypair of a smaller

  235.  * keysize).  This also would allow the attacker to listen in on encrypted

  236.  * communication between the target and its peers. The target's peers

  237.  * might wrap an encryption session key under the target's "new" public

  238.  * key, which would allow the attacker (who possesses the corresponding

  239.  * private key) to unwrap the session key and decipher the communication

  240.  * data encrypted under that session key.</td>

  241.  * </tr>

  242.  *

  243.  * </table>

  244.  *

  245.  * @see java.security.BasicPermission

  246.  * @see java.security.Permission

  247.  * @see java.security.Permissions

  248.  * @see java.security.PermissionCollection

  249.  * @see java.lang.SecurityManager

  250.  *

  251.  * @version 1.21 00/02/02

  252.  *

  253.  * @author Marianne Mueller

  254.  * @author Roland Schemers

  255.  */

  256. 

  257. public final class SecurityPermission extends BasicPermission {

  258. 

  259.     /**

  260.      * Creates a new SecurityPermission with the specified name.

  261.      * The name is the symbolic name of the SecurityPermission. An asterisk

  262.      * may appear at the end of the name, following a ".", or by itself, to

  263.      * signify a wildcard match.

  264.      *

  265.      * @param name the name of the SecurityPermission

  266.      */

  267. 

  268.     public SecurityPermission(String name)

  269.     {

  270. 	super(name);

  271.     }

  272. 

  273.     /**

  274.      * Creates a new SecurityPermission object with the specified name.

  275.      * The name is the symbolic name of the SecurityPermission, and the

  276.      * actions String is currently unused and should be null.  This

  277.      * constructor exists for use by the <code>Policy</code> object

  278.      * to instantiate new Permission objects.

  279.      *

  280.      * @param name the name of the SecurityPermission

  281.      * @param actions should be null.

  282.      */

  283. 

  284.     public SecurityPermission(String name, String actions)

  285.     {

  286. 	super(name, actions);

  287.     }

  288. }