1. /*

  2.  * @(#)Policy.java	1.89 03/01/23

  3.  *

  4.  * Copyright 2003 Sun Microsystems, Inc. All rights reserved.

  5.  * SUN PROPRIETARY/CONFIDENTIAL. Use is subject to license terms.

  6.  */

  7. 

  8. 

  9. package java.security;

  10. 

  11. import java.io.*;

  12. import java.lang.RuntimePermission;

  13. import java.net.MalformedURLException;

  14. import java.net.URL;

  15. import java.util.Enumeration;

  16. import java.util.Hashtable;

  17. import java.util.Vector;

  18. import java.util.StringTokenizer;

  19. import java.util.PropertyPermission;

  20. 

  21. import java.lang.reflect.*;

  22. 

  23. import java.util.WeakHashMap;

  24. import sun.security.util.Debug;

  25. import sun.security.util.SecurityConstants;

  26. 

  27. 

  28. /**

  29.  * This is an abstract class for representing the system security

  30.  * policy for a Java application environment (specifying

  31.  * which permissions are available for code from various sources).

  32.  * That is, the security policy is represented by a Policy subclass

  33.  * providing an implementation of the abstract methods

  34.  * in this Policy class.

  35.  *

  36.  * <p>There is only one Policy object in effect at any given time.

  37.  *

  38.  * <p>The source location for the policy information utilized by the

  39.  * Policy object is up to the Policy implementation.

  40.  * The policy configuration may be stored, for example, as a

  41.  * flat ASCII file, as a serialized binary file of

  42.  * the Policy class, or as a database.

  43.  *

  44.  * <p>The currently-installed Policy object can be obtained by

  45.  * calling the <code>getPolicy</code> method, and it can be

  46.  * changed by a call to the <code>setPolicy</code> method (by

  47.  * code with permission to reset the Policy).

  48.  *

  49.  * <p>The <code>refresh</code> method causes the policy

  50.  * object to refresh/reload its current configuration.

  51.  *

  52.  * <p>This is implementation-dependent. For example, if the policy

  53.  * object stores its policy in configuration files, calling

  54.  * <code>refresh</code> will cause it to re-read the configuration 

  55.  * policy files. The refreshed policy may not have an effect on classes

  56.  * in a particular ProtectionDomain. This is dependent on the Policy

  57.  * provider's implementation of the 

  58.  * {@link #implies(ProtectionDomain,Permission) implies}

  59.  * method and the PermissionCollection caching strategy.

  60.  *

  61.  * <p>The default Policy implementation can be changed by setting the

  62.  * value of the "policy.provider" security property (in the Java

  63.  * security properties file) to the fully qualified name of

  64.  * the desired Policy implementation class.

  65.  * The Java security properties file is located in the file named

  66.  * <JAVA_HOME>/lib/security/java.security, where <JAVA_HOME>

  67.  * refers to the directory where the SDK was installed.

  68.  *

  69.  * @author Roland Schemers

  70.  * @author Gary Ellison

  71.  * @version 1.89, 01/23/03

  72.  * @see java.security.CodeSource

  73.  * @see java.security.PermissionCollection

  74.  * @see java.security.SecureClassLoader

  75.  */

  76. 

  77. public abstract class Policy {

  78. 

  79.     /** the system-wide policy. */

  80.     private static Policy policy; // package private for AccessControlContext

  81.     private static final Debug debug = Debug.getInstance("policy");

  82. 

  83.     // Cache mapping  ProtectionDomain to PermissionCollection

  84.     private WeakHashMap pdMapping;

  85. 

  86.     /** package private for AccessControlContext */

  87.     static boolean isSet()

  88.     {

  89. 	return policy != null;

  90.     }

  91. 

  92.     /**

  93.      * Returns the installed Policy object. This value should not be cached,

  94.      * as it may be changed by a call to <code>setPolicy</code>.

  95.      * This method first calls

  96.      * <code>SecurityManager.checkPermission</code> with a

  97.      * <code>SecurityPermission("getPolicy")</code> permission

  98.      * to ensure it's ok to get the Policy object..

  99.      *

  100.      * @return the installed Policy.

  101.      *

  102.      * @throws SecurityException

  103.      *        if a security manager exists and its

  104.      *        <code>checkPermission</code> method doesn't allow

  105.      *        getting the Policy object.

  106.      *

  107.      * @see SecurityManager#checkPermission(Permission)

  108.      * @see #setPolicy(java.security.Policy)

  109.      */

  110.     public static Policy getPolicy()

  111.     {

  112.         SecurityManager sm = System.getSecurityManager();

  113.         if (sm != null)

  114. 	    sm.checkPermission(SecurityConstants.GET_POLICY_PERMISSION);

  115. 	return getPolicyNoCheck();

  116.     }

  117. 

  118.     /**

  119.      * Returns the installed Policy object, skipping the security check.

  120.      * Used by SecureClassLoader and getPolicy.

  121.      *

  122.      * @return the installed Policy.

  123.      *

  124.      */

  125.     static synchronized Policy getPolicyNoCheck()

  126.     {

  127. 	if (policy == null) {

  128. 	    String policy_class = null;

  129. 	    policy_class = (String)AccessController.doPrivileged(

  130.                 new PrivilegedAction() {

  131. 		    public Object run() {

  132. 			return Security.getProperty("policy.provider");

  133. 		    }

  134. 		});

  135. 	    if (policy_class == null) {

  136. 		policy_class = "sun.security.provider.PolicyFile";

  137. 	    }

  138. 

  139. 	    try {

  140. 		policy = (Policy)

  141. 		    Class.forName(policy_class).newInstance();

  142. 	    } catch (Exception e) {

  143. 		/*

  144. 		 * The policy_class seems to be an extension

  145. 		 * so we have to bootstrap loading it via a policy

  146. 		 * provider that is on the bootclasspath

  147. 		 * If it loads then shift gears to using the configured

  148. 		 * provider. 

  149. 		 */

  150. 

  151. 		// install the bootstrap provider to avoid recursion

  152. 		policy = new sun.security.provider.PolicyFile();

  153. 			

  154. 		final String pc = policy_class;

  155. 		Policy p = (Policy)

  156. 		    AccessController.doPrivileged(new PrivilegedAction() {

  157. 			public Object run() {

  158. 			    try {

  159. 				ClassLoader cl =

  160. 					ClassLoader.getSystemClassLoader();

  161. 				// we want the extension loader 

  162. 				ClassLoader extcl = null;

  163. 				while (cl != null) {

  164. 				    extcl = cl;

  165. 				    cl = cl.getParent();

  166. 				} 

  167. 				return (extcl != null? Class.forName

  168. 					(pc, true, extcl).newInstance():

  169. 					null);

  170. 			    } catch (Exception e) {

  171. 				return null;

  172. 			    }

  173. 			}

  174. 		    });

  175. 		/*

  176. 		 * if it loaded install it as the policy provider. Otherwise

  177. 		 * continue to use the system default implementation

  178. 		 */

  179. 		if (p != null) 

  180. 		    policy = p;

  181. 			

  182. 		if (p == null && debug != null) {

  183. 		    debug.println("policy provider " + 

  184. 				  policy_class + " not available;using " +

  185. 				  "sun.security.provider.PolicyFile");

  186. 		    e.printStackTrace();

  187. 		}

  188. 	    }

  189. 	}

  190. 	return policy;

  191.     }

  192. 

  193.     /**

  194.      * Sets the system-wide Policy object. This method first calls

  195.      * <code>SecurityManager.checkPermission</code> with a

  196.      * <code>SecurityPermission("setPolicy")</code>

  197.      * permission to ensure it's ok to set the Policy.

  198.      *

  199.      * @param policy the new system Policy object.

  200.      *

  201.      * @throws SecurityException

  202.      *        if a security manager exists and its

  203.      *        <code>checkPermission</code> method doesn't allow

  204.      *        setting the Policy.

  205.      *

  206.      * @see SecurityManager#checkPermission(Permission)

  207.      * @see #getPolicy()

  208.      *

  209.      */

  210.     public static void setPolicy(Policy policy)

  211.     {

  212. 	SecurityManager sm = System.getSecurityManager();

  213. 	if (sm != null) sm.checkPermission(

  214. 				 new SecurityPermission("setPolicy"));

  215. 	if (policy != null) {

  216. 	    initPolicy(policy);

  217. 	}

  218. 	Policy.policy = policy;

  219.     }

  220. 

  221.     /**

  222.      * Initialize superclass state such that a legacy provider can

  223.      * handle queries for itself.

  224.      *

  225.      * @since 1.4

  226.      */

  227.     private static void initPolicy (final Policy p) {

  228. 	/*

  229. 	 * A policy provider not on the bootclasspath could trigger

  230. 	 * security checks fulfilling a call to either Policy.implies

  231. 	 * or Policy.getPermissions. If this does occur the provider

  232. 	 * must be able to answer for it's own ProtectionDomain

  233. 	 * without triggering additional security checks, otherwise

  234. 	 * the policy implementation will end up in an infinite

  235. 	 * recursion.

  236. 	 * 

  237. 	 * To mitigate this, the provider can collect it's own

  238. 	 * ProtectionDomain and associate a PermissionCollection while

  239. 	 * it is being installed. The currently installed policy

  240. 	 * provider (if there is one) will handle calls to

  241. 	 * Policy.implies or Policy.getPermissions during this

  242. 	 * process.

  243. 	 * 

  244. 	 * This Policy superclass caches away the ProtectionDomain and

  245. 	 * statically binds permissions so that legacy Policy 

  246. 	 * implementations will continue to function.

  247. 	 */

  248. 

  249. 	ProtectionDomain policyDomain = (ProtectionDomain)

  250. 		AccessController.doPrivileged(new PrivilegedAction() {

  251. 		    public Object run() {

  252. 			return p.getClass().getProtectionDomain();

  253. 		    }

  254. 		});

  255. 

  256. 	/*

  257. 	 * Collect the permissions granted to this protection domain

  258. 	 * so that the provider can be security checked while processing

  259. 	 * calls to Policy.implies or Policy.getPermissions.

  260. 	 */

  261. 	PermissionCollection policyPerms = null;

  262. 	synchronized (p) {

  263. 	   if (p.pdMapping == null) {

  264. 		    p.pdMapping = new WeakHashMap();

  265. 	   }

  266. 	}

  267. 

  268. 	if (policyDomain.getCodeSource() != null) {

  269. 	    if (Policy.isSet()) {

  270. 		    policyPerms = policy.getPermissions(policyDomain);

  271. 	    }

  272. 

  273. 	    if (policyPerms == null) { // assume it has all

  274. 		policyPerms = new Permissions();

  275. 		policyPerms.add(SecurityConstants.ALL_PERMISSION);

  276. 	    }

  277. 

  278. 	    synchronized (p) {

  279. 		    // cache of pd to permissions

  280. 		    p.pdMapping.put(policyDomain, policyPerms);

  281. 	    }

  282. 	}

  283. 	return;

  284.     }

  285.     

  286.     /**

  287.      * Evaluates the global policy and returns a

  288.      * PermissionCollection object specifying the set of

  289.      * permissions allowed for code from the specified

  290.      * code source.

  291.      *

  292.      * @param codesource the CodeSource associated with the caller.

  293.      * This encapsulates the original location of the code (where the code

  294.      * came from) and the public key(s) of its signer.

  295.      *

  296.      * @return the set of permissions allowed for code from <i>codesource</i>

  297.      * according to the policy.The returned set of permissions must be 

  298.      * a new mutable instance and it must support heterogeneous 

  299.      * Permission types.

  300.      *

  301.      */

  302.     public abstract PermissionCollection getPermissions(CodeSource codesource);

  303. 

  304.     /**

  305.      * Evaluates the global policy and returns a

  306.      * PermissionCollection object specifying the set of

  307.      * permissions allowed given the characteristics of the 

  308.      * protection domain.

  309.      *

  310.      * @param domain the ProtectionDomain associated with the caller.

  311.      *

  312.      * @return the set of permissions allowed for the <i>domain</i>

  313.      * according to the policy.The returned set of permissions must be 

  314.      * a new mutable instance and it must support heterogeneous 

  315.      * Permission types.

  316.      *

  317.      * @see java.security.ProtectionDomain

  318.      * @see java.security.SecureClassLoader

  319.      * @since 1.4

  320.      */

  321.     public PermissionCollection getPermissions(ProtectionDomain domain) {

  322. 	PermissionCollection pc = null;

  323. 

  324. 	if (domain == null)

  325. 	    return new Permissions();

  326. 

  327. 	if (pdMapping == null) {

  328. 	    initPolicy(this);

  329. 	}

  330. 

  331. 	synchronized (pdMapping) {

  332. 	    pc = (PermissionCollection)pdMapping.get(domain);

  333. 	}

  334. 

  335. 	if (pc != null) {

  336. 	    Permissions perms = new Permissions();

  337. 	    for (Enumeration e = pc.elements() ; e.hasMoreElements() ;) {

  338. 		perms.add((Permission)e.nextElement());

  339. 	    }

  340. 	    return perms;

  341. 	}

  342. 

  343. 	pc = getPermissions(domain.getCodeSource());

  344. 	if (pc == null) {

  345. 	    pc = new Permissions();

  346. 	}

  347. 

  348. 	addStaticPerms(pc, domain.getPermissions());

  349. 	return pc;

  350.     }

  351. 

  352.     /**

  353.      * add static permissions to provided permission collection

  354.      */

  355.     private void addStaticPerms(PermissionCollection perms,

  356. 				PermissionCollection statics) {

  357. 	if (statics != null) {

  358. 	    Enumeration e = statics.elements();

  359. 	    while (e.hasMoreElements()) {

  360. 		perms.add((Permission)e.nextElement());

  361. 	    }

  362. 	}

  363.     }

  364. 

  365.     /**

  366.      * Evaluates the global policy for the permissions granted to

  367.      * the ProtectionDomain and tests whether the permission is 

  368.      * granted.

  369.      *

  370.      * @param domain the ProtectionDomain to test

  371.      * @param permission the Permission object to be tested for implication.

  372.      *

  373.      * @return true if "permission" is a proper subset of a permission

  374.      * granted to this ProtectionDomain.

  375.      *

  376.      * @see java.security.ProtectionDomain

  377.      * @since 1.4

  378.      */

  379.     public boolean implies(ProtectionDomain domain, Permission permission) {

  380. 	PermissionCollection pc;

  381. 	WeakHashMap policyCache;

  382. 

  383. 	if (pdMapping == null) {

  384. 	    initPolicy(this);

  385. 	}

  386. 

  387. 	policyCache = pdMapping;

  388. 

  389. 	synchronized (policyCache) {

  390. 	    pc = (PermissionCollection)policyCache.get(domain);

  391. 	}

  392. 

  393. 	if (pc != null) {

  394. 	    return pc.implies(permission);

  395. 	} 

  396. 	

  397. 	pc = getPermissions(domain);

  398. 	if (pc == null) {

  399. 	    return false;

  400. 	}

  401. 

  402. 	synchronized (policyCache) {

  403. 	    // cache it 

  404. 	    policyCache.put(domain, pc);

  405. 	}

  406. 	

  407. 	return pc.implies(permission);

  408.     }

  409. 

  410.     /**

  411.      * Refreshes/reloads the policy configuration. The behavior of this method

  412.      * depends on the implementation. For example, calling <code>refresh</code>

  413.      * on a file-based policy will cause the file to be re-read.

  414.      *

  415.      */

  416.     public abstract void refresh();

  417. }