Search in sources :

Example 71 with Permission

use of java.security.Permission in project tomcat70 by apache.

the class WebappClassLoaderBase method getPermissions.

/**
 * Get the Permissions for a CodeSource.  If this instance
 * of WebappClassLoaderBase is for a web application context,
 * add read FilePermission or JndiPermissions for the base
 * directory (if unpacked),
 * the context URL, and jar file resources.
 *
 * @param codeSource where the code was loaded from
 * @return PermissionCollection for CodeSource
 */
@Override
protected PermissionCollection getPermissions(CodeSource codeSource) {
    String codeUrl = codeSource.getLocation().toString();
    PermissionCollection pc;
    if ((pc = loaderPC.get(codeUrl)) == null) {
        pc = super.getPermissions(codeSource);
        if (pc != null) {
            Iterator<Permission> perms = permissionList.iterator();
            while (perms.hasNext()) {
                Permission p = perms.next();
                pc.add(p);
            }
            loaderPC.put(codeUrl, pc);
        }
    }
    return (pc);
}
Also used : PermissionCollection(java.security.PermissionCollection) JndiPermission(org.apache.naming.JndiPermission) FilePermission(java.io.FilePermission) Permission(java.security.Permission)

Example 72 with Permission

use of java.security.Permission in project tomcat70 by apache.

the class HostConfig method isDeployThisXML.

private boolean isDeployThisXML(File docBase, ContextName cn) {
    boolean deployThisXML = isDeployXML();
    if (Globals.IS_SECURITY_ENABLED && !deployThisXML) {
        // When running under a SecurityManager, deployXML may be overridden
        // on a per Context basis by the granting of a specific permission
        Policy currentPolicy = Policy.getPolicy();
        if (currentPolicy != null) {
            URL contextRootUrl;
            try {
                contextRootUrl = docBase.toURI().toURL();
                CodeSource cs = new CodeSource(contextRootUrl, (Certificate[]) null);
                PermissionCollection pc = currentPolicy.getPermissions(cs);
                Permission p = new DeployXmlPermission(cn.getBaseName());
                if (pc.implies(p)) {
                    deployThisXML = true;
                }
            } catch (MalformedURLException e) {
                // Should never happen
                log.warn("hostConfig.docBaseUrlInvalid", e);
            }
        }
    }
    return deployThisXML;
}
Also used : Policy(java.security.Policy) PermissionCollection(java.security.PermissionCollection) MalformedURLException(java.net.MalformedURLException) Permission(java.security.Permission) DeployXmlPermission(org.apache.catalina.security.DeployXmlPermission) CodeSource(java.security.CodeSource) DeployXmlPermission(org.apache.catalina.security.DeployXmlPermission) URL(java.net.URL) Certificate(java.security.cert.Certificate)

Example 73 with Permission

use of java.security.Permission in project tomcat70 by apache.

the class ClassLoaderLogManager method readConfiguration.

/**
 * Read configuration for the specified classloader.
 *
 * @param classLoader
 * @throws IOException Error
 */
protected synchronized void readConfiguration(ClassLoader classLoader) throws IOException {
    InputStream is = null;
    // only look in the local repositories to avoid redefining loggers 20 times
    try {
        if (classLoader instanceof URLClassLoader) {
            URL logConfig = ((URLClassLoader) classLoader).findResource("logging.properties");
            if (null != logConfig) {
                if (Boolean.getBoolean(DEBUG_PROPERTY))
                    System.err.println(getClass().getName() + ".readConfiguration(): " + "Found logging.properties at " + logConfig);
                is = classLoader.getResourceAsStream("logging.properties");
            } else {
                if (Boolean.getBoolean(DEBUG_PROPERTY))
                    System.err.println(getClass().getName() + ".readConfiguration(): " + "Found no logging.properties");
            }
        }
    } catch (AccessControlException ace) {
        // No permission to configure logging in context
        // Log and carry on
        ClassLoaderLogInfo info = classLoaderLoggers.get(ClassLoader.getSystemClassLoader());
        if (info != null) {
            Logger log = info.loggers.get("");
            if (log != null) {
                Permission perm = ace.getPermission();
                if (perm instanceof FilePermission && perm.getActions().equals("read")) {
                    log.warning("Reading " + perm.getName() + " is not permitted. See \"per context logging\" in the default catalina.policy file.");
                } else {
                    log.warning("Reading logging.properties is not permitted in some context. See \"per context logging\" in the default catalina.policy file.");
                    log.warning("Original error was: " + ace.getMessage());
                }
            }
        }
    }
    if ((is == null) && (classLoader == ClassLoader.getSystemClassLoader())) {
        String configFileStr = System.getProperty("java.util.logging.config.file");
        if (configFileStr != null) {
            try {
                is = new FileInputStream(replace(configFileStr));
            } catch (IOException e) {
                System.err.println("Configuration error");
                e.printStackTrace();
            }
        }
        // Try the default JVM configuration
        if (is == null) {
            File defaultFile = new File(new File(System.getProperty("java.home"), isJava9 ? "conf" : "lib"), "logging.properties");
            try {
                is = new FileInputStream(defaultFile);
            } catch (IOException e) {
                System.err.println("Configuration error");
                e.printStackTrace();
            }
        }
    }
    Logger localRootLogger = new RootLogger();
    if (is == null) {
        // Retrieve the root logger of the parent classloader instead
        ClassLoader current = classLoader.getParent();
        ClassLoaderLogInfo info = null;
        while (current != null && info == null) {
            info = getClassLoaderInfo(current);
            current = current.getParent();
        }
        if (info != null) {
            localRootLogger.setParent(info.rootNode.logger);
        }
    }
    ClassLoaderLogInfo info = new ClassLoaderLogInfo(new LogNode(null, localRootLogger));
    classLoaderLoggers.put(classLoader, info);
    if (is != null) {
        readConfiguration(is, classLoader);
    }
    try {
        // Use a ThreadLocal to work around
        // https://bugs.openjdk.java.net/browse/JDK-8195096
        addingLocalRootLogger.set(Boolean.TRUE);
        addLogger(localRootLogger);
    } finally {
        addingLocalRootLogger.set(Boolean.FALSE);
    }
}
Also used : FileInputStream(java.io.FileInputStream) InputStream(java.io.InputStream) AccessControlException(java.security.AccessControlException) IOException(java.io.IOException) Logger(java.util.logging.Logger) FilePermission(java.io.FilePermission) URL(java.net.URL) FileInputStream(java.io.FileInputStream) URLClassLoader(java.net.URLClassLoader) Permission(java.security.Permission) FilePermission(java.io.FilePermission) URLClassLoader(java.net.URLClassLoader) File(java.io.File)

Example 74 with Permission

use of java.security.Permission in project logging-log4j2 by apache.

the class ThrowableProxyTest method testLogStackTraceWithClassLoaderThatWithCauseSecurityException.

@Test
public void testLogStackTraceWithClassLoaderThatWithCauseSecurityException() throws Exception {
    final SecurityManager sm = System.getSecurityManager();
    try {
        System.setSecurityManager(new SecurityManager() {

            @Override
            public void checkPermission(final Permission perm) {
                if (perm instanceof RuntimePermission) {
                    // deny access to the classloader to trigger the security exception
                    if ("getClassLoader".equals(perm.getName())) {
                        throw new SecurityException(perm.toString());
                    }
                }
            }
        });
        final String algorithm = "AES/CBC/PKCS5Padding";
        final Cipher ec = Cipher.getInstance(algorithm);
        // initialization vector
        final byte[] bytes = new byte[16];
        final SecureRandom secureRandom = new SecureRandom();
        secureRandom.nextBytes(bytes);
        final KeyGenerator generator = KeyGenerator.getInstance("AES");
        generator.init(128);
        final IvParameterSpec algorithmParameterSpec = new IvParameterSpec(bytes);
        ec.init(Cipher.ENCRYPT_MODE, generator.generateKey(), algorithmParameterSpec, secureRandom);
        final byte[] raw = new byte[0];
        final byte[] encrypted = ec.doFinal(raw);
        final Cipher dc = Cipher.getInstance(algorithm);
        dc.init(Cipher.DECRYPT_MODE, generator.generateKey(), algorithmParameterSpec, secureRandom);
        final BadPaddingException e = assertThrows(BadPaddingException.class, () -> dc.doFinal(encrypted));
        assertDoesNotThrow(() -> new ThrowableProxy(e));
    } finally {
        // restore the existing security manager
        System.setSecurityManager(sm);
    }
}
Also used : SecureRandom(java.security.SecureRandom) BadPaddingException(javax.crypto.BadPaddingException) Permission(java.security.Permission) IvParameterSpec(javax.crypto.spec.IvParameterSpec) Cipher(javax.crypto.Cipher) KeyGenerator(javax.crypto.KeyGenerator) Test(org.junit.jupiter.api.Test)

Example 75 with Permission

use of java.security.Permission in project symja_android_library by axkr.

the class L4MLogger method initialize.

/**
 * Default initialization, checking for applet in sandbox.
 */
protected void initialize() {
    String loggerName = getName();
    boolean runningSandbox = false;
    // check if we are running in an applet sandbox
    SecurityManager sm = System.getSecurityManager();
    if (null != sm) {
        try {
            Permission perm = new java.util.logging.LoggingPermission("control", "");
            sm.checkPermission(perm);
        } catch (SecurityException e) {
            System.out.println("L4M Logger runs in sandbox");
            runningSandbox = true;
        }
    }
    if (!runningSandbox) {
        // do not use parent handlers but our own
        setUseParentHandlers(false);
        // and add the Lab4inf handler to our logger
        addHandler(new Lab4InfHandler());
    // register with the LogManager
    }
    LogManager manager = LogManager.getLogManager();
    Logger aLogger = manager.getLogger(loggerName);
    if (manager.getLogger(loggerName) == null) {
        if (!LogManager.getLogManager().addLogger(this)) {
            System.err.println("failed to add " + this);
            throw new RuntimeException("addding L4MLogger failed");
        }
    } else {
        String msg;
        msg = format("allready registered %s by %s", loggerName, aLogger);
        aLogger.warning(msg);
        msg = format("could not register me: %s", this);
        aLogger.warning(msg);
    }
    setLevel(Level.WARNING);
}
Also used : Permission(java.security.Permission) Logger(java.util.logging.Logger) LogManager(java.util.logging.LogManager)

Aggregations

Permission (java.security.Permission)236 Test (org.junit.Test)55 PermissionCollection (java.security.PermissionCollection)39 FilePermission (java.io.FilePermission)38 Permissions (java.security.Permissions)31 ProtectionDomain (java.security.ProtectionDomain)27 IOException (java.io.IOException)20 AllPermission (java.security.AllPermission)20 QuickTest (com.hazelcast.test.annotation.QuickTest)17 File (java.io.File)17 URL (java.net.URL)16 AccessControlException (java.security.AccessControlException)14 Principal (java.security.Principal)14 PropertyPermission (java.util.PropertyPermission)14 Policy (java.security.Policy)13 MBeanPermission (javax.management.MBeanPermission)13 AccessControlContext (java.security.AccessControlContext)12 CodeSource (java.security.CodeSource)11 SecurityPermission (java.security.SecurityPermission)11 ArrayList (java.util.ArrayList)10