use of java.io.FilePermission in project jdk8u_jdk by JetBrains.
the class RegistryImpl method getAccessControlContext.
/**
* Generates an AccessControlContext with minimal permissions.
* The approach used here is taken from the similar method
* getAccessControlContext() in the sun.applet.AppletPanel class.
*/
private static AccessControlContext getAccessControlContext(int port) {
// begin with permissions granted to all code in current policy
PermissionCollection perms = AccessController.doPrivileged(new java.security.PrivilegedAction<PermissionCollection>() {
public PermissionCollection run() {
CodeSource codesource = new CodeSource(null, (java.security.cert.Certificate[]) null);
Policy p = java.security.Policy.getPolicy();
if (p != null) {
return p.getPermissions(codesource);
} else {
return new Permissions();
}
}
});
/*
* Anyone can connect to the registry and the registry can connect
* to and possibly download stubs from anywhere. Downloaded stubs and
* related classes themselves are more tightly limited by RMI.
*/
perms.add(new SocketPermission("*", "connect,accept"));
perms.add(new SocketPermission("localhost:" + port, "listen,accept"));
perms.add(new RuntimePermission("accessClassInPackage.sun.jvmstat.*"));
perms.add(new RuntimePermission("accessClassInPackage.sun.jvm.hotspot.*"));
perms.add(new FilePermission("<<ALL FILES>>", "read"));
/*
* Create an AccessControlContext that consists of a single
* protection domain with only the permissions calculated above.
*/
ProtectionDomain pd = new ProtectionDomain(new CodeSource(null, (java.security.cert.Certificate[]) null), perms);
return new AccessControlContext(new ProtectionDomain[] { pd });
}
use of java.io.FilePermission in project jdk8u_jdk by JetBrains.
the class TestPolicy method setMinimalPermissions.
/*
* Defines the minimal permissions required by testNG when running these
* tests
*/
private void setMinimalPermissions() {
permissions.add(new SecurityPermission("getPolicy"));
permissions.add(new SecurityPermission("setPolicy"));
permissions.add(new RuntimePermission("getClassLoader"));
permissions.add(new RuntimePermission("setSecurityManager"));
permissions.add(new RuntimePermission("createSecurityManager"));
permissions.add(new PropertyPermission("testng.show.stack.frames", "read"));
permissions.add(new PropertyPermission("line.separator", "read"));
permissions.add(new PropertyPermission("fileStringBuffer", "read"));
permissions.add(new PropertyPermission("dataproviderthreadcount", "read"));
permissions.add(new PropertyPermission("java.io.tmpdir", "read"));
permissions.add(new FilePermission("<<ALL FILES>>", "read, write, delete"));
}
use of java.io.FilePermission in project jdk8u_jdk by JetBrains.
the class PathPermissions method init.
private synchronized void init() {
if (perms != null)
return;
perms = new Permissions();
// this is needed to be able to create the classloader itself!
perms.add(SecurityConstants.CREATE_CLASSLOADER_PERMISSION);
// add permission to read any "java.*" property
perms.add(new java.util.PropertyPermission("java.*", SecurityConstants.PROPERTY_READ_ACTION));
AccessController.doPrivileged(new PrivilegedAction<Void>() {
public Void run() {
for (int i = 0; i < path.length; i++) {
File f = path[i];
String path;
try {
path = f.getCanonicalPath();
} catch (IOException ioe) {
path = f.getAbsolutePath();
}
if (i == 0) {
codeBase = Launcher.getFileURL(new File(path));
}
if (f.isDirectory()) {
if (path.endsWith(File.separator)) {
perms.add(new FilePermission(path + "-", SecurityConstants.FILE_READ_ACTION));
} else {
perms.add(new FilePermission(path + File.separator + "-", SecurityConstants.FILE_READ_ACTION));
}
} else {
int endIndex = path.lastIndexOf(File.separatorChar);
if (endIndex != -1) {
path = path.substring(0, endIndex + 1) + "-";
perms.add(new FilePermission(path, SecurityConstants.FILE_READ_ACTION));
} else {
// XXX?
}
}
}
return null;
}
});
}
use of java.io.FilePermission in project jdk8u_jdk by JetBrains.
the class FactoryURLClassLoader method getPermissions.
/**
* Returns the permissions for the given codesource object.
* The implementation of this method first calls super.getPermissions
* and then adds permissions based on the URL of the codesource.
* <p>
* If the protocol of this URL is "jar", then the permission granted
* is based on the permission that is required by the URL of the Jar
* file.
* <p>
* If the protocol is "file" and there is an authority component, then
* permission to connect to and accept connections from that authority
* may be granted. If the protocol is "file"
* and the path specifies a file, then permission to read that
* file is granted. If protocol is "file" and the path is
* a directory, permission is granted to read all files
* and (recursively) all files and subdirectories contained in
* that directory.
* <p>
* If the protocol is not "file", then permission
* to connect to and accept connections from the URL's host is granted.
* @param codesource the codesource
* @exception NullPointerException if {@code codesource} is {@code null}.
* @return the permissions granted to the codesource
*/
protected PermissionCollection getPermissions(CodeSource codesource) {
PermissionCollection perms = super.getPermissions(codesource);
URL url = codesource.getLocation();
Permission p;
URLConnection urlConnection;
try {
urlConnection = url.openConnection();
p = urlConnection.getPermission();
} catch (java.io.IOException ioe) {
p = null;
urlConnection = null;
}
if (p instanceof FilePermission) {
// if the permission has a separator char on the end,
// it means the codebase is a directory, and we need
// to add an additional permission to read recursively
String path = p.getName();
if (path.endsWith(File.separator)) {
path += "-";
p = new FilePermission(path, SecurityConstants.FILE_READ_ACTION);
}
} else if ((p == null) && (url.getProtocol().equals("file"))) {
String path = url.getFile().replace('/', File.separatorChar);
path = ParseUtil.decode(path);
if (path.endsWith(File.separator))
path += "-";
p = new FilePermission(path, SecurityConstants.FILE_READ_ACTION);
} else {
/**
* Not loading from a 'file:' URL so we want to give the class
* permission to connect to and accept from the remote host
* after we've made sure the host is the correct one and is valid.
*/
URL locUrl = url;
if (urlConnection instanceof JarURLConnection) {
locUrl = ((JarURLConnection) urlConnection).getJarFileURL();
}
String host = locUrl.getHost();
if (host != null && (host.length() > 0))
p = new SocketPermission(host, SecurityConstants.SOCKET_CONNECT_ACCEPT_ACTION);
}
if (p != null) {
final SecurityManager sm = System.getSecurityManager();
if (sm != null) {
final Permission fp = p;
AccessController.doPrivileged(new PrivilegedAction<Void>() {
public Void run() throws SecurityException {
sm.checkPermission(fp);
return null;
}
}, acc);
}
perms.add(p);
}
return perms;
}
use of java.io.FilePermission in project sling by apache.
the class JspRuntimeContext method initSecurity.
// -------------------------------------------------------- Private Methods
/**
* Method used to initialize SecurityManager data.
*/
private void initSecurity() {
// Setup the PermissionCollection for this web app context
// based on the permissions configured for the root of the
// web app context directory, then add a file read permission
// for that directory.
Policy policy = Policy.getPolicy();
if (policy != null) {
try {
// Get the permissions for the web app context
String docBase = context.getRealPath("/");
if (docBase == null) {
docBase = options.getScratchDir().toString();
}
String codeBase = docBase;
if (!codeBase.endsWith(File.separator)) {
codeBase = codeBase + File.separator;
}
File contextDir = new File(codeBase);
URL url = contextDir.getCanonicalFile().toURL();
final CodeSource codeSource = new CodeSource(url, (Certificate[]) null);
permissionCollection = policy.getPermissions(codeSource);
// Create a file read permission for web app context directory
if (!docBase.endsWith(File.separator)) {
permissionCollection.add(new FilePermission(docBase, "read"));
docBase = docBase + File.separator;
} else {
permissionCollection.add(new FilePermission(docBase.substring(0, docBase.length() - 1), "read"));
}
docBase = docBase + "-";
permissionCollection.add(new FilePermission(docBase, "read"));
// Create a file read permission for web app tempdir (work)
// directory
String workDir = options.getScratchDir().toString();
if (!workDir.endsWith(File.separator)) {
permissionCollection.add(new FilePermission(workDir, "read"));
workDir = workDir + File.separator;
}
workDir = workDir + "-";
permissionCollection.add(new FilePermission(workDir, "read"));
// Allow the JSP to access org.apache.sling.scripting.jsp.jasper.runtime.HttpJspBase
permissionCollection.add(new RuntimePermission("accessClassInPackage.org.apache.jasper.runtime"));
} catch (final Exception e) {
context.log("Security Init for context failed", e);
}
}
}
Aggregations