javax.management
public class: MBeanPermission
java.lang.Object
java.security.Permission
javax.management.MBeanPermission
All Implemented Interfaces:
Guard, Serializable
Permission controlling access to MBeanServer operations. If a
security manager has been set using System#setSecurityManager, most operations on the MBean Server
require that the caller's permissions imply an MBeanPermission
appropriate for the operation. This is described in detail in the
documentation for the MBeanServer interface.
As with other Permission objects, an MBeanPermission can
represent either a permission that you have or a
permission that you need. When a sensitive operation is
being checked for permission, an MBeanPermission is constructed
representing the permission you need. The operation is only
allowed if the permissions you have imply the
permission you need.
An MBeanPermission contains four items of information:
- The action. For a permission you need, this is one of the
  actions in the list below. For a permission you have, this is
  a comma-separated list of those actions, or *, representing
  all actions. The action is returned by #getActions().
- The class name.
  For a permission you need, this is the class name of an MBean
  you are accessing, as returned by
  MBeanServer.getMBeanInfo(name).getClassName(). Certain operations
  do not reference a class name, in which case the class name is null.
  For a permission you have, this is either empty or a class
  name pattern. A class name pattern is a string following the
  Java conventions for dot-separated class names. It may end with
  ".*" meaning that the permission grants access to any
  class that begins with the string preceding ".*". For
  instance, "javax.management.*" grants access to
  javax.management.MBeanServerDelegate and
  javax.management.timer.Timer, among other classes.
  A class name pattern can also be empty or the single character
  "*", both of which grant access to any class.
- The member.
  For a permission you need, this is the name of the attribute or
  operation you are accessing. For operations that do not reference
  an attribute or operation, the member is null.
  For a permission you have, this is either the name of an attribute
  or operation you can access, or it is empty or the single character
  "*", both of which grant access to any member.
- The object name.
  For a permission you need, this is the ObjectName of the
  MBean you are accessing. For operations that do not reference a
  single MBean, it is null. It is never an object name pattern.
  For a permission you have, this is the ObjectName of the
  MBean or MBeans you can access. It may be an object name pattern
  to grant access to all MBeans whose names match the pattern. It
  may also be empty, which grants access to all MBeans whatever their
  name.
If you have an MBeanPermission, it allows operations only if all
four of the items match.
The class name, member, and object name can be written together
as a single string, which is the name of this permission.
The name of the permission is the string returned by getName(). The format of the string is:
    className#member[objectName]
The object name is written using the usual syntax for ObjectName. It may contain any legal characters, including
]. It is terminated by a ] character
that is the last character in the string.
One or more of the className, member,
or objectName may be omitted. If the
member is omitted, the # may be too (but
does not have to be). If the objectName is omitted,
the [] may be too (but does not have to be). It is
not legal to omit all three items, that is to have a name
that is the empty string.
One or more of the className, member,
or objectName may be the character "-",
which is equivalent to a null value. A null value is implied by
any value (including another null value) but does not imply any
other value.
The possible actions are these:
- addNotificationListener
- getAttribute
- getClassLoader
- getClassLoaderFor
- getClassLoaderRepository
- getDomains
- getMBeanInfo
- getObjectInstance
- instantiate
- invoke
- isInstanceOf
- queryMBeans
- queryNames
- registerMBean
- removeNotificationListener
- setAttribute
- unregisterMBean
In a comma-separated list of actions, spaces are allowed before
and after each action.
Constructor:
public MBeanPermission(String name,
                       String actions) {
    super(name);
    parseName();
    this.actions = actions;
    parseActions();
}
Create a new MBeanPermission object with the specified target name
and actions.
The target name is of the form
"className#member[objectName]" where each part is
optional. It must not be empty or null.
The actions parameter contains a comma-separated list of the
desired actions granted on the target name. It must not be
empty or null.
Parameters:
name - the triplet "className#member[objectName]".
actions - the action string.
Throws:
IllegalArgumentException - if the name or
actions is invalid.
public MBeanPermission(String className,
                       String member,
                       ObjectName objectName,
                       String actions) {
    super(makeName(className, member, objectName));
    initName(className, member, objectName);
    this.actions = actions;
    parseActions();
}
Create a new MBeanPermission object with the specified target name
(class name, member, object name) and actions.
The class name, member and object name parameters define a
target name of the form
"className#member[objectName]" where each part is
optional. This will be the result of #getName() on the
resultant MBeanPermission.
The actions parameter contains a comma-separated list of the
desired actions granted on the target name. It must not be
empty or null.
Parameters:
className - the class name to which this permission applies.
May be null or "-", which represents a class name
that is implied by any class name but does not imply any other
class name.
member - the member to which this permission applies. May
be null or "-", which represents a member that is
implied by any member but does not imply any other member.
objectName - the object name to which this permission
applies. May be null, which represents an object name that is
implied by any object name but does not imply any other object
name.
actions - the action string.
Methods from java.lang.Object:
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
Method from javax.management.MBeanPermission Detail:
public boolean equals(Object obj) {
    if (obj == this)
        return true;
    if (! (obj instanceof MBeanPermission))
        return false;
    MBeanPermission that = (MBeanPermission) obj;
    return (this.mask == that.mask) &&
        (this.getName().equals(that.getName()));
}
Checks two MBeanPermission objects for equality. Checks
that obj is an MBeanPermission, and has the same
name and actions as this object.
public String getActions() {
    if (actions == null)
        actions = getActions(this.mask);
    return actions;
}
Returns the "canonical string representation" of the actions. That is,
this method always returns present actions in alphabetical order.
public int hashCode() {
    return this.getName().hashCode() + this.getActions().hashCode();
}
Returns the hash code value for this object.
public boolean implies(Permission p) {
    if (!(p instanceof MBeanPermission))
        return false;
    MBeanPermission that = (MBeanPermission) p;
    // Actions
    //
    // The actions in 'this' permission must be a
    // superset of the actions in 'that' permission
    //
    /* "queryMBeans" implies "queryNames" */
    if ((this.mask & QueryMBeans) == QueryMBeans) {
        if (((this.mask | QueryNames) & that.mask) != that.mask) {
            //System.out.println("action [with QueryNames] does not imply");
            return false;
        }
    } else {
        if ((this.mask & that.mask) != that.mask) {
            //System.out.println("action does not imply");
            return false;
        }
    }
    // Target name
    //
    // The 'className' check is true iff:
    // 1) the className in 'this' permission is omitted or "*", or
    // 2) the className in 'that' permission is omitted or "*", or
    // 3) the className in 'this' permission does pattern
    //    matching with the className in 'that' permission.
    //
    // The 'member' check is true iff:
    // 1) the member in 'this' permission is omitted or "*", or
    // 2) the member in 'that' permission is omitted or "*", or
    // 3) the member in 'this' permission equals the member in
    //    'that' permission.
    //
    // The 'object name' check is true iff:
    // 1) the object name in 'this' permission is omitted or "*:*", or
    // 2) the object name in 'that' permission is omitted or "*:*", or
    // 3) the object name in 'this' permission does pattern
    //    matching with the object name in 'that' permission.
    //
    /* Check if this.className implies that.className.
       If that.classNamePrefix is empty that means the className is
       irrelevant for this permission check. Otherwise, we do not
       expect that "that" contains a wildcard, since it is a
       needed permission. So we assume that.classNameExactMatch. */
    if (that.classNamePrefix == null) {
        // bottom is implied
    } else if (this.classNamePrefix == null) {
        // bottom implies nothing but itself
        return false;
    } else if (this.classNameExactMatch) {
        if (!that.classNameExactMatch)
            return false; // exact never implies wildcard
        if (!that.classNamePrefix.equals(this.classNamePrefix))
            return false; // exact match fails
    } else {
        // prefix match, works even if "that" is also a wildcard
        // e.g. a.* implies a.* and a.b.*
        if (!that.classNamePrefix.startsWith(this.classNamePrefix))
            return false;
    }
    /* Check if this.member implies that.member */
    if (that.member == null) {
        // bottom is implied
    } else if (this.member == null) {
        // bottom implies nothing but itself
        return false;
    } else if (this.member.equals("*")) {
        // wildcard implies everything (including itself)
    } else if (!this.member.equals(that.member)) {
        return false;
    }
    /* Check if this.objectName implies that.objectName */
    if (that.objectName == null) {
        // bottom is implied
    } else if (this.objectName == null) {
        // bottom implies nothing but itself
        return false;
    } else if (!this.objectName.apply(that.objectName)) {
        /* ObjectName.apply returns false if that.objectName is a
           wildcard so we also allow equals for that case. This
           never happens during real permission checks, but means
           the implies relation is reflexive. */
        if (!this.objectName.equals(that.objectName))
            return false;
    }
    return true;
}
Checks if this MBeanPermission object "implies" the
specified permission.
More specifically, this method returns true if:
- p is an instance of MBeanPermission; and
- p has a null className or p's className
matches this object's className; and
- p has a null member or p's member matches this
object's member; and
- p has a null object name or p's
object name matches this object's object name; and
- p's actions are a subset of this object's actions.
If this object's className is "*", p's
className always matches it. If it is "a.*", p's
className matches it if it begins with "a.".
If this object's member is "*", p's
member always matches it.
If this object's objectName n1 is an object name pattern,
p's objectName n2 matches it if
n1.equals(n2) or if
n1.apply(n2).
A permission that includes the queryMBeans action
is considered to include queryNames as well.
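The matching rules above, exercised against one held permission, as an added example that is not part of the JDK source or the original page. The class name MBeanPermissionDemo and all com.example / org.other names are constructed for illustration.

```java
import javax.management.MBeanPermission;
import javax.management.ObjectName;

public class MBeanPermissionDemo {   // hypothetical class name
    // Fails loudly if held.implies(needed) differs from what the rules predict.
    static void check(String what, boolean expected,
                      MBeanPermission held, MBeanPermission needed) {
        boolean actual = held.implies(needed);
        if (actual != expected)
            throw new AssertionError(what + ": got " + actual);
        System.out.println((actual ? "ALLOW " : "DENY  ") + what);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample names; nothing here comes from a real deployment.
        ObjectName cache = new ObjectName("com.example:type=Cache,name=sessions");
        ObjectName other = new ObjectName("org.other:type=Cache,name=sessions");

        // A permission you HAVE: patterns are allowed in every part of the name.
        MBeanPermission held = new MBeanPermission(
            "com.example.*#*[com.example:*]", "getAttribute, queryMBeans");

        // Permissions you NEED: exact values and a single action.
        check("getAttribute on matching MBean", true, held,
            new MBeanPermission("com.example.Cache", "Size", cache, "getAttribute"));
        check("setAttribute was never granted", false, held,
            new MBeanPermission("com.example.Cache", "Size", cache, "setAttribute"));
        check("class outside com.example.*", false, held,
            new MBeanPermission("org.other.Cache", "Size", cache, "getAttribute"));
        check("object name outside com.example:*", false, held,
            new MBeanPermission("com.example.Cache", "Size", other, "getAttribute"));
        // queryMBeans includes queryNames; null parts are implied by any value.
        check("queryNames via queryMBeans", true, held,
            new MBeanPermission(null, null, null, "queryNames"));

        // "-" in a grant is a null value, not a wildcard: it implies only null.
        MBeanPermission dash = new MBeanPermission(
            "com.example.*#-[com.example:*]", "getAttribute");
        check("'-' member does not grant Size", false, dash,
            new MBeanPermission("com.example.Cache", "Size", cache, "getAttribute"));
    }
}
```

The last case is the one to watch when reviewing policy files: a "-" written where "*" was intended produces a grant that matches no attribute or operation by name.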