Examples with CodeSource - java.security.CodeSource

Example 56 with CodeSource

use of java.security.CodeSource in project Payara by payara.

the class ASURLClassLoader method findClassData.

/**
 * This method is responsible for locating the url from the class bytes
 * have to be read and reading the bytes. It does not actually define
 * the Class object.
 * <p>
 * To preclude a race condition on checking 'doneCalled', as well as transient errors
 * if done() is called while running, this method is 'synchronized'.
 *
 * @param name class name in java.lang.Object format
 * @return class bytes as well protection domain information
 * @throws ClassNotFoundException
 */
protected synchronized ClassData findClassData(String name) throws ClassNotFoundException {
    if (doneCalled) {
        _logger.log(Level.WARNING, CULoggerInfo.getString(CULoggerInfo.findClassAfterDone, name, this.toString()), new Throwable());
        throw new ClassNotFoundException(name);
    }
    String nf = (String) notFoundClasses.get(name);
    if (nf != null && nf.equals(name)) {
        throw new ClassNotFoundException(name);
    }
    // search thru the JARs for a file of the form java/lang/Object.class
    String entryName = name.replace('.', '/') + ".class";
    int i = 0;
    for (URLEntry u : this.urlSet) {
        if (!u.hasItem(entryName)) {
            i++;
            continue;
        }
        byte[] result = loadClassData0(u, entryName);
        if (result != null) {
            if (System.getSecurityManager() == null)
                return new ClassData(result, u.pd);
            else {
                // recreate the pd to include the declared permissions
                CodeSource cs = u.pd.getCodeSource();
                PermissionCollection pc = this.getPermissions(cs);
                ProtectionDomain pdWithPemissions = new ProtectionDomain(u.pd.getCodeSource(), pc, u.pd.getClassLoader(), u.pd.getPrincipals());
                return new ClassData(result, pdWithPemissions);
            }
        }
        i++;
    }
    // add to the not found classes list
    notFoundClasses.put(name, name);
    throw new ClassNotFoundException(name);
}

Also used : PermissionCollection(java.security.PermissionCollection) ProtectionDomain(java.security.ProtectionDomain) CodeSource(java.security.CodeSource)

Example 57 with CodeSource

use of java.security.CodeSource in project dubbo by alibaba.

the class ReflectUtils method getCodeBase.

public static String getCodeBase(Class<?> cls) {
    if (cls == null)
        return null;
    ProtectionDomain domain = cls.getProtectionDomain();
    if (domain == null)
        return null;
    CodeSource source = domain.getCodeSource();
    if (source == null)
        return null;
    URL location = source.getLocation();
    if (location == null)
        return null;
    return location.getFile();
}

Also used : ProtectionDomain(java.security.ProtectionDomain) CodeSource(java.security.CodeSource) URL(java.net.URL)

Example 58 with CodeSource

use of java.security.CodeSource in project tomcat by apache.

the class WebappClassLoaderBase method check.

@Override
public boolean check(Permission permission) {
    if (!Globals.IS_SECURITY_ENABLED) {
        return true;
    }
    Policy currentPolicy = Policy.getPolicy();
    if (currentPolicy != null) {
        URL contextRootUrl = resources.getResource("/").getCodeBase();
        CodeSource cs = new CodeSource(contextRootUrl, (Certificate[]) null);
        PermissionCollection pc = currentPolicy.getPermissions(cs);
        if (pc.implies(permission)) {
            return true;
        }
    }
    return false;
}

Also used : Policy(java.security.Policy) PermissionCollection(java.security.PermissionCollection) CodeSource(java.security.CodeSource) URL(java.net.URL) Certificate(java.security.cert.Certificate)

Example 59 with CodeSource

use of java.security.CodeSource in project elasticsearch by elastic.

the class ESPolicy method implies.

@Override
@SuppressForbidden(reason = "fast equals check is desired")
public boolean implies(ProtectionDomain domain, Permission permission) {
    CodeSource codeSource = domain.getCodeSource();
    // codesource can be null when reducing privileges via doPrivileged()
    if (codeSource == null) {
        return false;
    }
    URL location = codeSource.getLocation();
    // https://bugs.openjdk.java.net/browse/JDK-8129972
    if (location != null) {
        // run scripts with limited permissions
        if (BootstrapInfo.UNTRUSTED_CODEBASE.equals(location.getFile())) {
            return untrusted.implies(domain, permission);
        }
        // check for an additional plugin permission: plugin policy is
        // only consulted for its codesources.
        Policy plugin = plugins.get(location.getFile());
        if (plugin != null && plugin.implies(domain, permission)) {
            return true;
        }
    }
    // yeah right, REMOVE THIS when hadoop is fixed
    if (permission instanceof FilePermission && "<<ALL FILES>>".equals(permission.getName())) {
        for (StackTraceElement element : Thread.currentThread().getStackTrace()) {
            if ("org.apache.hadoop.util.Shell".equals(element.getClassName()) && "runCommand".equals(element.getMethodName())) {
                // we found the horrible method: the hack begins!
                // force the hadoop code to back down, by throwing an exception that it catches.
                rethrow(new IOException("no hadoop, you cannot do this."));
            }
        }
    }
    // otherwise defer to template + dynamic file permissions
    return template.implies(domain, permission) || dynamic.implies(permission) || system.implies(domain, permission);
}

Also used : Policy(java.security.Policy) IOException(java.io.IOException) CodeSource(java.security.CodeSource) FilePermission(java.io.FilePermission) URL(java.net.URL) SuppressForbidden(org.elasticsearch.common.SuppressForbidden)

Example 60 with CodeSource

use of java.security.CodeSource in project flyway by flyway.

the class ClassUtils method getLocationOnDisk.

/**
     * Retrieves the physical location on disk of this class.
     *
     * @param aClass The class to get the location for.
     * @return The absolute path of the .class file.
     */
public static String getLocationOnDisk(Class<?> aClass) {
    try {
        ProtectionDomain protectionDomain = aClass.getProtectionDomain();
        if (protectionDomain == null) {
            //Android
            return null;
        }
        CodeSource codeSource = protectionDomain.getCodeSource();
        if (codeSource == null) {
            //Custom classloader with for example classes defined using URLClassLoader#defineClass(String name, byte[] b, int off, int len)
            return null;
        }
        String url = codeSource.getLocation().getPath();
        return URLDecoder.decode(url, "UTF-8");
    } catch (UnsupportedEncodingException e) {
        //Can never happen.
        return null;
    }
}

Also used : ProtectionDomain(java.security.ProtectionDomain) UnsupportedEncodingException(java.io.UnsupportedEncodingException) CodeSource(java.security.CodeSource)

Aggregations

CodeSource (java.security.CodeSource)104 URL (java.net.URL)49 ProtectionDomain (java.security.ProtectionDomain)39 File (java.io.File)30 IOException (java.io.IOException)20 Certificate (java.security.cert.Certificate)17 JarFile (java.util.jar.JarFile)13 PermissionCollection (java.security.PermissionCollection)12 URI (java.net.URI)11 URISyntaxException (java.net.URISyntaxException)11 Permissions (java.security.Permissions)11 Policy (java.security.Policy)10 FilePermission (java.io.FilePermission)7 InputStream (java.io.InputStream)6 AccessControlContext (java.security.AccessControlContext)6 MalformedURLException (java.net.MalformedURLException)5 Permission (java.security.Permission)4 JarEntry (java.util.jar.JarEntry)4 GroovyClassLoader (groovy.lang.GroovyClassLoader)3 URLClassLoader (java.net.URLClassLoader)3