1 /*
2 * Copyright (c) 1997, 2018, Oracle and/or its affiliates. All rights reserved.
3 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
4 *
5 * This code is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License version 2 only, as
7 * published by the Free Software Foundation. Oracle designates this
8 * particular file as subject to the "Classpath" exception as provided
9 * by Oracle in the LICENSE file that accompanied this code.
10 *
11 * This code is distributed in the hope that it will be useful, but WITHOUT
12 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
13 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
14 * version 2 for more details (a copy is included in the LICENSE file that
15 * accompanied this code).
16 *
17 * You should have received a copy of the GNU General Public License version
18 * 2 along with this work; if not, write to the Free Software Foundation,
19 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
20 *
21 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
22 * or visit www.oracle.com if you need additional information or have any
23 * questions.
24 */
25
26 package java.security;
27
28 import java.util.ArrayList;
29 import java.util.Collections;
30 import java.util.Enumeration;
31 import java.util.List;
32 import java.util.Map;
33 import java.util.Objects;
34 import java.util.WeakHashMap;
35 import jdk.internal.misc.JavaSecurityAccess;
36 import jdk.internal.misc.SharedSecrets;
37 import sun.security.action.GetPropertyAction;
38 import sun.security.provider.PolicyFile;
39 import sun.security.util.Debug;
40 import sun.security.util.FilePermCompat;
41 import sun.security.util.SecurityConstants;
42
43 /**
44 * The ProtectionDomain class encapsulates the characteristics of a domain,
45 * which encloses a set of classes whose instances are granted a set
46 * of permissions when being executed on behalf of a given set of Principals.
47 * <p>
48 * A static set of permissions can be bound to a ProtectionDomain when it is
49 * constructed; such permissions are granted to the domain regardless of the
50 * Policy in force. However, to support dynamic security policies, a
51 * ProtectionDomain can also be constructed such that it is dynamically
52 * mapped to a set of permissions by the current Policy whenever a permission
53 * is checked.
54 *
55 * @author Li Gong
56 * @author Roland Schemers
57 * @author Gary Ellison
58 * @since 1.2
59 */
60
61 public class ProtectionDomain {
62
63 /**
64 * If true, {@link #impliesWithAltFilePerm} will try to be compatible on
65 * FilePermission checking even if a 3rd-party Policy implementation is set.
66 */
67 private static final boolean filePermCompatInPD =
68 "true".equals(GetPropertyAction.privilegedGetProperty(
69 "jdk.security.filePermCompat"));
70
71 private static class JavaSecurityAccessImpl implements JavaSecurityAccess {
72
73 private JavaSecurityAccessImpl() {
74 }
75
76 @Override
77 public <T> T doIntersectionPrivilege(
78 PrivilegedAction<T> action,
79 final AccessControlContext stack,
80 final AccessControlContext context) {
81 if (action == null) {
82 throw new NullPointerException();
83 }
84
85 return AccessController.doPrivileged(
86 action,
87 getCombinedACC(context, stack)
88 );
89 }
90
91 @Override
92 public <T> T doIntersectionPrivilege(
93 PrivilegedAction<T> action,
94 AccessControlContext context) {
95 return doIntersectionPrivilege(action,
96 AccessController.getContext(), context);
97 }
98
99 @Override
100 public ProtectionDomain[] getProtectDomains(AccessControlContext context) {
101 return context.getContext();
102 }
103
104 private static AccessControlContext getCombinedACC(
105 AccessControlContext context, AccessControlContext stack) {
106 AccessControlContext acc =
107 new AccessControlContext(context, stack.getCombiner(), true);
108
109 return new AccessControlContext(stack.getContext(), acc).optimize();
110 }
111
112 @Override
113 public ProtectionDomainCache getProtectionDomainCache() {
114 return new ProtectionDomainCache() {
115 private final Map<Key, PermissionCollection> map =
116 Collections.synchronizedMap(new WeakHashMap<>());
117 public void put(ProtectionDomain pd,
118 PermissionCollection pc) {
119 map.put((pd == null ? null : pd.key), pc);
120 }
121 public PermissionCollection get(ProtectionDomain pd) {
122 return pd == null ? map.get(null) : map.get(pd.key);
123 }
124 };
125 }
126 }
127
128 static {
129 // Set up JavaSecurityAccess in SharedSecrets
130 SharedSecrets.setJavaSecurityAccess(new JavaSecurityAccessImpl());
131 }
132
133 /* CodeSource */
134 private CodeSource codesource ;
135
136 /* ClassLoader the protection domain was consed from */
137 private ClassLoader classloader;
138
139 /* Principals running-as within this protection domain */
140 private Principal[] principals;
141
142 /* the rights this protection domain is granted */
143 private PermissionCollection permissions;
144
145 /* if the permissions object has AllPermission */
146 private boolean hasAllPerm = false;
147
148 /* the PermissionCollection is static (pre 1.4 constructor)
149 or dynamic (via a policy refresh) */
150 private final boolean staticPermissions;
151
152 /*
153 * An object used as a key when the ProtectionDomain is stored in a Map.
154 */
155 final Key key = new Key();
156
157 /**
158 * Creates a new ProtectionDomain with the given CodeSource and
159 * Permissions. If the permissions object is not null, then
160 * {@code setReadOnly()} will be called on the passed in
161 * Permissions object.
162 * <p>
163 * The permissions granted to this domain are static, i.e.
164 * invoking the {@link #staticPermissionsOnly()} method returns true.
165 * They contain only the ones passed to this constructor and
166 * the current Policy will not be consulted.
167 *
168 * @param codesource the codesource associated with this domain
169 * @param permissions the permissions granted to this domain
170 */
171 public ProtectionDomain(CodeSource codesource,
172 PermissionCollection permissions) {
173 this.codesource = codesource;
174 if (permissions != null) {
175 this.permissions = permissions;
176 this.permissions.setReadOnly();
177 if (permissions instanceof Permissions &&
178 ((Permissions)permissions).allPermission != null) {
179 hasAllPerm = true;
180 }
181 }
182 this.classloader = null;
183 this.principals = new Principal[0];
184 staticPermissions = true;
185 }
186
187 /**
188 * Creates a new ProtectionDomain qualified by the given CodeSource,
189 * Permissions, ClassLoader and array of Principals. If the
190 * permissions object is not null, then {@code setReadOnly()}
191 * will be called on the passed in Permissions object.
192 * <p>
193 * The permissions granted to this domain are dynamic, i.e.
194 * invoking the {@link #staticPermissionsOnly()} method returns false.
195 * They include both the static permissions passed to this constructor,
196 * and any permissions granted to this domain by the current Policy at the
197 * time a permission is checked.
198 * <p>
199 * This constructor is typically used by
200 * {@link SecureClassLoader ClassLoaders}
201 * and {@link DomainCombiner DomainCombiners} which delegate to
202 * {@code Policy} to actively associate the permissions granted to
203 * this domain. This constructor affords the
204 * Policy provider the opportunity to augment the supplied
205 * PermissionCollection to reflect policy changes.
206 *
207 * @param codesource the CodeSource associated with this domain
208 * @param permissions the permissions granted to this domain
209 * @param classloader the ClassLoader associated with this domain
210 * @param principals the array of Principals associated with this
211 * domain. The contents of the array are copied to protect against
212 * subsequent modification.
213 * @see Policy#refresh
214 * @see Policy#getPermissions(ProtectionDomain)
215 * @since 1.4
216 */
217 public ProtectionDomain(CodeSource codesource,
218 PermissionCollection permissions,
219 ClassLoader classloader,
220 Principal[] principals) {
221 this.codesource = codesource;
222 if (permissions != null) {
223 this.permissions = permissions;
224 this.permissions.setReadOnly();
225 if (permissions instanceof Permissions &&
226 ((Permissions)permissions).allPermission != null) {
227 hasAllPerm = true;
228 }
229 }
230 this.classloader = classloader;
231 this.principals = (principals != null ? principals.clone():
232 new Principal[0]);
233 staticPermissions = false;
234 }
235
236 /**
237 * Returns the CodeSource of this domain.
238 * @return the CodeSource of this domain which may be null.
239 * @since 1.2
240 */
241 public final CodeSource getCodeSource() {
242 return this.codesource;
243 }
244
245
246 /**
247 * Returns the ClassLoader of this domain.
248 * @return the ClassLoader of this domain which may be null.
249 *
250 * @since 1.4
251 */
252 public final ClassLoader getClassLoader() {
253 return this.classloader;
254 }
255
256
257 /**
258 * Returns an array of principals for this domain.
259 * @return a non-null array of principals for this domain.
260 * Returns a new array each time this method is called.
261 *
262 * @since 1.4
263 */
264 public final Principal[] getPrincipals() {
265 return this.principals.clone();
266 }
267
268 /**
269 * Returns the static permissions granted to this domain.
270 *
271 * @return the static set of permissions for this domain which may be null.
272 * @see Policy#refresh
273 * @see Policy#getPermissions(ProtectionDomain)
274 */
275 public final PermissionCollection getPermissions() {
276 return permissions;
277 }
278
279 /**
280 * Returns true if this domain contains only static permissions
281 * and does not check the current {@code Policy} at the time of
282 * permission checking.
283 *
284 * @return true if this domain contains only static permissions.
285 *
286 * @since 9
287 */
288 public final boolean staticPermissionsOnly() {
289 return this.staticPermissions;
290 }
291
292 /**
293 * Check and see if this ProtectionDomain implies the permissions
294 * expressed in the Permission object.
295 * <p>
296 * The set of permissions evaluated is a function of whether the
297 * ProtectionDomain was constructed with a static set of permissions
298 * or it was bound to a dynamically mapped set of permissions.
299 * <p>
300 * If the {@link #staticPermissionsOnly()} method returns
301 * true, then the permission will only be checked against the
302 * PermissionCollection supplied at construction.
303 * <p>
304 * Otherwise, the permission will be checked against the combination
305 * of the PermissionCollection supplied at construction and
306 * the current Policy binding.
307 *
308 * @param perm the Permission object to check.
309 *
310 * @return true if {@code perm} is implied by this ProtectionDomain.
311 */
312 public boolean implies(Permission perm) {
313
314 if (hasAllPerm) {
315 // internal permission collection already has AllPermission -
316 // no need to go to policy
317 return true;
318 }
319
320 if (!staticPermissions &&
321 Policy.getPolicyNoCheck().implies(this, perm)) {
322 return true;
323 }
324 if (permissions != null) {
325 return permissions.implies(perm);
326 }
327
328 return false;
329 }
330
331 /**
332 * This method has almost the same logic flow as {@link #implies} but
333 * it ensures some level of FilePermission compatibility after JDK-8164705.
334 *
335 * This method is called by {@link AccessControlContext#checkPermission}
336 * and not intended to be called by an application.
337 */
338 boolean impliesWithAltFilePerm(Permission perm) {
339
340 // If FilePermCompat.compat is set (default value), FilePermission
341 // checking compatibility should be considered.
342
343 // If filePermCompatInPD is set, this method checks for alternative
344 // FilePermission to keep compatibility for any Policy implementation.
345 // When set to false (default value), implies() is called since
346 // the PolicyFile implementation already supports compatibility.
347
348 // If this is a subclass of ProtectionDomain, call implies()
349 // because most likely user has overridden it.
350
351 if (!filePermCompatInPD || !FilePermCompat.compat ||
352 getClass() != ProtectionDomain.class) {
353 return implies(perm);
354 }
355
356 if (hasAllPerm) {
357 // internal permission collection already has AllPermission -
358 // no need to go to policy
359 return true;
360 }
361
362 Permission p2 = null;
363 boolean p2Calculated = false;
364
365 if (!staticPermissions) {
366 Policy policy = Policy.getPolicyNoCheck();
367 if (policy instanceof PolicyFile) {
368 // The PolicyFile implementation supports compatibility
369 // inside and it also covers the static permissions.
370 return policy.implies(this, perm);
371 } else {
372 if (policy.implies(this, perm)) {
373 return true;
374 }
375 p2 = FilePermCompat.newPermUsingAltPath(perm);
376 p2Calculated = true;
377 if (p2 != null && policy.implies(this, p2)) {
378 return true;
379 }
380 }
381 }
382 if (permissions != null) {
383 if (permissions.implies(perm)) {
384 return true;
385 } else {
386 if (!p2Calculated) {
387 p2 = FilePermCompat.newPermUsingAltPath(perm);
388 }
389 if (p2 != null) {
390 return permissions.implies(p2);
391 }
392 }
393 }
394 return false;
395 }
396
397 // called by the VM -- do not remove
398 boolean impliesCreateAccessControlContext() {
399 return implies(SecurityConstants.CREATE_ACC_PERMISSION);
400 }
401
402 /**
403 * Convert a ProtectionDomain to a String.
404 */
405 @Override public String toString() {
406 String pals = "<no principals>";
407 if (principals != null && principals.length > 0) {
408 StringBuilder palBuf = new StringBuilder("(principals ");
409
410 for (int i = 0; i < principals.length; i++) {
411 palBuf.append(principals[i].getClass().getName() +
412 " \"" + principals[i].getName() +
413 "\"");
414 if (i < principals.length-1)
415 palBuf.append(",\n");
416 else
417 palBuf.append(")\n");
418 }
419 pals = palBuf.toString();
420 }
421
422 // Check if policy is set; we don't want to load
423 // the policy prematurely here
424 PermissionCollection pc = Policy.isSet() && seeAllp() ?
425 mergePermissions():
426 getPermissions();
427
428 return "ProtectionDomain "+
429 " "+codesource+"\n"+
430 " "+classloader+"\n"+
431 " "+pals+"\n"+
432 " "+pc+"\n";
433 }
434
435 /*
436 * holder class for the static field "debug" to delay its initialization
437 */
438 private static class DebugHolder {
439 private static final Debug debug = Debug.getInstance("domain");
440 }
441
442 /**
443 * Return true (merge policy permissions) in the following cases:
444 *
445 * . SecurityManager is null
446 *
447 * . SecurityManager is not null,
448 * debug is not null,
449 * SecurityManager impelmentation is in bootclasspath,
450 * Policy implementation is in bootclasspath
451 * (the bootclasspath restrictions avoid recursion)
452 *
453 * . SecurityManager is not null,
454 * debug is null,
455 * caller has Policy.getPolicy permission
456 */
457 private static boolean seeAllp() {
458 SecurityManager sm = System.getSecurityManager();
459
460 if (sm == null) {
461 return true;
462 } else {
463 if (DebugHolder.debug != null) {
464 if (sm.getClass().getClassLoader() == null &&
465 Policy.getPolicyNoCheck().getClass().getClassLoader()
466 == null) {
467 return true;
468 }
469 } else {
470 try {
471 sm.checkPermission(SecurityConstants.GET_POLICY_PERMISSION);
472 return true;
473 } catch (SecurityException se) {
474 // fall thru and return false
475 }
476 }
477 }
478
479 return false;
480 }
481
482 private PermissionCollection mergePermissions() {
483 if (staticPermissions)
484 return permissions;
485
486 PermissionCollection perms =
487 java.security.AccessController.doPrivileged
488 (new java.security.PrivilegedAction<>() {
489 public PermissionCollection run() {
490 Policy p = Policy.getPolicyNoCheck();
491 return p.getPermissions(ProtectionDomain.this);
492 }
493 });
494
495 Permissions mergedPerms = new Permissions();
496 int swag = 32;
497 int vcap = 8;
498 Enumeration<Permission> e;
499 List<Permission> pdVector = new ArrayList<>(vcap);
500 List<Permission> plVector = new ArrayList<>(swag);
501
502 //
503 // Build a vector of domain permissions for subsequent merge
504 if (permissions != null) {
505 synchronized (permissions) {
506 e = permissions.elements();
507 while (e.hasMoreElements()) {
508 pdVector.add(e.nextElement());
509 }
510 }
511 }
512
513 //
514 // Build a vector of Policy permissions for subsequent merge
515 if (perms != null) {
516 synchronized (perms) {
517 e = perms.elements();
518 while (e.hasMoreElements()) {
519 plVector.add(e.nextElement());
520 vcap++;
521 }
522 }
523 }
524
525 if (perms != null && permissions != null) {
526 //
527 // Weed out the duplicates from the policy. Unless a refresh
528 // has occurred since the pd was consed this should result in
529 // an empty vector.
530 synchronized (permissions) {
531 e = permissions.elements(); // domain vs policy
532 while (e.hasMoreElements()) {
533 Permission pdp = e.nextElement();
534 Class<?> pdpClass = pdp.getClass();
535 String pdpActions = pdp.getActions();
536 String pdpName = pdp.getName();
537 for (int i = 0; i < plVector.size(); i++) {
538 Permission pp = plVector.get(i);
539 if (pdpClass.isInstance(pp)) {
540 // The equals() method on some permissions
541 // have some side effects so this manual
542 // comparison is sufficient.
543 if (pdpName.equals(pp.getName()) &&
544 Objects.equals(pdpActions, pp.getActions())) {
545 plVector.remove(i);
546 break;
547 }
548 }
549 }
550 }
551 }
552 }
553
554 if (perms !=null) {
555 // the order of adding to merged perms and permissions
556 // needs to preserve the bugfix 4301064
557
558 for (int i = plVector.size()-1; i >= 0; i--) {
559 mergedPerms.add(plVector.get(i));
560 }
561 }
562 if (permissions != null) {
563 for (int i = pdVector.size()-1; i >= 0; i--) {
564 mergedPerms.add(pdVector.get(i));
565 }
566 }
567
568 return mergedPerms;
569 }
570
571 /**
572 * Used for storing ProtectionDomains as keys in a Map.
573 */
574 final class Key {}
575
576 }
577