1. /*

  2.  * @(#)SerializablePermission.java	1.19 04/01/12

  3.  *

  4.  * Copyright 2004 Sun Microsystems, Inc. All rights reserved.

  5.  * SUN PROPRIETARY/CONFIDENTIAL. Use is subject to license terms.

  6.  */

  7. 

  8. package java.io;

  9. 

  10. import java.security.*;

  11. import java.util.Enumeration;

  12. import java.util.Hashtable;

  13. import java.util.StringTokenizer;

  14. 

  15. /**

  16.  * This class is for Serializable permissions. A SerializablePermission

  17.  * contains a name (also referred to as a "target name") but

  18.  * no actions list; you either have the named permission

  19.  * or you don't.

  20.  *

  21.  * <P>

  22.  * The target name is the name of the Serializable permission (see below).

  23.  *

  24.  * <P>

  25.  * The following table lists all the possible SerializablePermission target names,

  26.  * and for each provides a description of what the permission allows

  27.  * and a discussion of the risks of granting code the permission.

  28.  * <P>

  29.  *

  30.  * <table border=1 cellpadding=5 summary="Permission target name, what the permission allows, and associated risks">

  31.  * <tr>

  32.  * <th>Permission Target Name</th>

  33.  * <th>What the Permission Allows</th>

  34.  * <th>Risks of Allowing this Permission</th>

  35.  * </tr>

  36.  *

  37.  * <tr>

  38.  *   <td>enableSubclassImplementation</td>

  39.  *   <td>Subclass implementation of ObjectOutputStream or ObjectInputStream

  40.  * to override the default serialization or deserialization, respectively,

  41.  * of objects</td>

  42.  *   <td>Code can use this to serialize or

  43.  * deserialize classes in a purposefully malfeasant manner. For example,

  44.  * during serialization, malicious code can use this to

  45.  * purposefully store confidential private field data in a way easily accessible

  46.  * to attackers. Or, during deserialization it could, for example, deserialize

  47.  * a class with all its private fields zeroed out.</td>

  48.  * </tr>

  49.  *

  50.  * <tr>

  51.  *   <td>enableSubstitution</td>

  52.  *   <td>Substitution of one object for another during

  53.  * serialization or deserialization</td>

  54.  *   <td>This is dangerous because malicious code

  55.  * can replace the actual object with one which has incorrect or

  56.  * malignant data.</td>

  57.  * </tr>

  58.  *

  59.  * </table>

  60.  *

  61.  * @see java.security.BasicPermission

  62.  * @see java.security.Permission

  63.  * @see java.security.Permissions

  64.  * @see java.security.PermissionCollection

  65.  * @see java.lang.SecurityManager

  66.  *

  67.  * @version 1.19, 01/12/04

  68.  *

  69.  * @author Joe Fialli

  70.  * @since 1.2

  71.  */

  72. 

  73. /* code was borrowed originally from java.lang.RuntimePermission. */

  74. 

  75. public final class SerializablePermission extends BasicPermission {

  76. 

  77.     /**

  78.      * @serial

  79.      */

  80.     private String actions;

  81. 

  82.     /**

  83.      * Creates a new SerializablePermission with the specified name.

  84.      * The name is the symbolic name of the SerializablePermission, such as

  85.      * "enableSubstitution", etc.

  86.      *

  87.      * @param name the name of the SerializablePermission.

  88.      */

  89. 

  90. 

  91.     public SerializablePermission(String name)

  92.     {

  93. 	super(name);

  94.     }

  95. 

  96.     /**

  97.      * Creates a new SerializablePermission object with the specified name.

  98.      * The name is the symbolic name of the SerializablePermission, and the

  99.      * actions String is currently unused and should be null.

  100.      *

  101.      * @param name the name of the SerializablePermission.

  102.      * @param actions currently unused and must be set to null

  103.      */

  104. 

  105.     public SerializablePermission(String name, String actions)

  106.     {

  107. 	super(name, actions);

  108.     }

  109. }