1 /*
2 * Copyright 1995-2006 Sun Microsystems, Inc. All Rights Reserved.
3 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
4 *
5 * This code is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License version 2 only, as
7 * published by the Free Software Foundation. Sun designates this
8 * particular file as subject to the "Classpath" exception as provided
9 * by Sun in the LICENSE file that accompanied this code.
10 *
11 * This code is distributed in the hope that it will be useful, but WITHOUT
12 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
13 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
14 * version 2 for more details (a copy is included in the LICENSE file that
15 * accompanied this code).
16 *
17 * You should have received a copy of the GNU General Public License version
18 * 2 along with this work; if not, write to the Free Software Foundation,
19 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
20 *
21 * Please contact Sun Microsystems, Inc., 4150 Network Circle, Santa Clara,
22 * CA 95054 USA or visit www.sun.com if you need additional information or
23 * have any questions.
24 */
25
26 package java.lang;
27
28 import java.security;
29 import java.io.FileDescriptor;
30 import java.io.File;
31 import java.io.FilePermission;
32 import java.awt.AWTPermission;
33 import java.util.PropertyPermission;
34 import java.lang.RuntimePermission;
35 import java.net.SocketPermission;
36 import java.net.NetPermission;
37 import java.util.Hashtable;
38 import java.net.InetAddress;
39 import java.lang.reflect.Member;
40 import java.lang.reflect;
41 import java.net.URL;
42
43 import sun.security.util.SecurityConstants;
44
45 /**
46 * The security manager is a class that allows
47 * applications to implement a security policy. It allows an
48 * application to determine, before performing a possibly unsafe or
49 * sensitive operation, what the operation is and whether
50 * it is being attempted in a security context that allows the
51 * operation to be performed. The
52 * application can allow or disallow the operation.
53 * <p>
54 * The <code>SecurityManager</code> class contains many methods with
55 * names that begin with the word <code>check</code>. These methods
56 * are called by various methods in the Java libraries before those
57 * methods perform certain potentially sensitive operations. The
58 * invocation of such a <code>check</code> method typically looks like this:
59 * <p><blockquote><pre>
60 * SecurityManager security = System.getSecurityManager();
61 * if (security != null) {
62 * security.check<i>XXX</i>(argument, . . . );
63 * }
64 * </pre></blockquote>
65 * <p>
66 * The security manager is thereby given an opportunity to prevent
67 * completion of the operation by throwing an exception. A security
68 * manager routine simply returns if the operation is permitted, but
69 * throws a <code>SecurityException</code> if the operation is not
70 * permitted. The only exception to this convention is
71 * <code>checkTopLevelWindow</code>, which returns a
72 * <code>boolean</code> value.
73 * <p>
74 * The current security manager is set by the
75 * <code>setSecurityManager</code> method in class
76 * <code>System</code>. The current security manager is obtained
77 * by the <code>getSecurityManager</code> method.
78 * <p>
79 * The special method
80 * {@link SecurityManager#checkPermission(java.security.Permission)}
81 * determines whether an access request indicated by a specified
82 * permission should be granted or denied. The
83 * default implementation calls
84 *
85 * <pre>
86 * AccessController.checkPermission(perm);
87 * </pre>
88 *
89 * <p>
90 * If a requested access is allowed,
91 * <code>checkPermission</code> returns quietly. If denied, a
92 * <code>SecurityException</code> is thrown.
93 * <p>
94 * As of Java 2 SDK v1.2, the default implementation of each of the other
95 * <code>check</code> methods in <code>SecurityManager</code> is to
96 * call the <code>SecurityManager checkPermission</code> method
97 * to determine if the calling thread has permission to perform the requested
98 * operation.
99 * <p>
100 * Note that the <code>checkPermission</code> method with
101 * just a single permission argument always performs security checks
102 * within the context of the currently executing thread.
103 * Sometimes a security check that should be made within a given context
104 * will actually need to be done from within a
105 * <i>different</i> context (for example, from within a worker thread).
106 * The {@link SecurityManager#getSecurityContext getSecurityContext} method
107 * and the {@link SecurityManager#checkPermission(java.security.Permission,
108 * java.lang.Object) checkPermission}
109 * method that includes a context argument are provided
110 * for this situation. The
111 * <code>getSecurityContext</code> method returns a "snapshot"
112 * of the current calling context. (The default implementation
113 * returns an AccessControlContext object.) A sample call is
114 * the following:
115 *
116 * <pre>
117 * Object context = null;
118 * SecurityManager sm = System.getSecurityManager();
119 * if (sm != null) context = sm.getSecurityContext();
120 * </pre>
121 *
122 * <p>
123 * The <code>checkPermission</code> method
124 * that takes a context object in addition to a permission
125 * makes access decisions based on that context,
126 * rather than on that of the current execution thread.
127 * Code within a different context can thus call that method,
128 * passing the permission and the
129 * previously-saved context object. A sample call, using the
130 * SecurityManager <code>sm</code> obtained as in the previous example,
131 * is the following:
132 *
133 * <pre>
134 * if (sm != null) sm.checkPermission(permission, context);
135 * </pre>
136 *
137 * <p>Permissions fall into these categories: File, Socket, Net,
138 * Security, Runtime, Property, AWT, Reflect, and Serializable.
139 * The classes managing these various
140 * permission categories are <code>java.io.FilePermission</code>,
141 * <code>java.net.SocketPermission</code>,
142 * <code>java.net.NetPermission</code>,
143 * <code>java.security.SecurityPermission</code>,
144 * <code>java.lang.RuntimePermission</code>,
145 * <code>java.util.PropertyPermission</code>,
146 * <code>java.awt.AWTPermission</code>,
147 * <code>java.lang.reflect.ReflectPermission</code>, and
148 * <code>java.io.SerializablePermission</code>.
149 *
150 * <p>All but the first two (FilePermission and SocketPermission) are
151 * subclasses of <code>java.security.BasicPermission</code>, which itself
152 * is an abstract subclass of the
153 * top-level class for permissions, which is
154 * <code>java.security.Permission</code>. BasicPermission defines the
155 * functionality needed for all permissions that contain a name
156 * that follows the hierarchical property naming convention
157 * (for example, "exitVM", "setFactory", "queuePrintJob", etc).
158 * An asterisk
159 * may appear at the end of the name, following a ".", or by itself, to
160 * signify a wildcard match. For example: "a.*" or "*" is valid,
161 * "*a" or "a*b" is not valid.
162 *
163 * <p>FilePermission and SocketPermission are subclasses of the
164 * top-level class for permissions
165 * (<code>java.security.Permission</code>). Classes like these
166 * that have a more complicated name syntax than that used by
167 * BasicPermission subclass directly from Permission rather than from
168 * BasicPermission. For example,
169 * for a <code>java.io.FilePermission</code> object, the permission name is
170 * the path name of a file (or directory).
171 *
172 * <p>Some of the permission classes have an "actions" list that tells
173 * the actions that are permitted for the object. For example,
174 * for a <code>java.io.FilePermission</code> object, the actions list
175 * (such as "read, write") specifies which actions are granted for the
176 * specified file (or for files in the specified directory).
177 *
178 * <p>Other permission classes are for "named" permissions -
179 * ones that contain a name but no actions list; you either have the
180 * named permission or you don't.
181 *
182 * <p>Note: There is also a <code>java.security.AllPermission</code>
183 * permission that implies all permissions. It exists to simplify the work
184 * of system administrators who might need to perform multiple
185 * tasks that require all (or numerous) permissions.
186 * <p>
187 * See <a href ="../../../technotes/guides/security/permissions.html">
188 * Permissions in the JDK</a> for permission-related information.
189 * This document includes, for example, a table listing the various SecurityManager
190 * <code>check</code> methods and the permission(s) the default
191 * implementation of each such method requires.
192 * It also contains a table of all the version 1.2 methods
193 * that require permissions, and for each such method tells
194 * which permission it requires.
195 * <p>
196 * For more information about <code>SecurityManager</code> changes made in
197 * the JDK and advice regarding porting of 1.1-style security managers,
198 * see the <a href="../../../technotes/guides/security/index.html">security documentation</a>.
199 *
200 * @author Arthur van Hoff
201 * @author Roland Schemers
202 *
203 * @see java.lang.ClassLoader
204 * @see java.lang.SecurityException
205 * @see java.lang.SecurityManager#checkTopLevelWindow(java.lang.Object)
206 * checkTopLevelWindow
207 * @see java.lang.System#getSecurityManager() getSecurityManager
208 * @see java.lang.System#setSecurityManager(java.lang.SecurityManager)
209 * setSecurityManager
210 * @see java.security.AccessController AccessController
211 * @see java.security.AccessControlContext AccessControlContext
212 * @see java.security.AccessControlException AccessControlException
213 * @see java.security.Permission
214 * @see java.security.BasicPermission
215 * @see java.io.FilePermission
216 * @see java.net.SocketPermission
217 * @see java.util.PropertyPermission
218 * @see java.lang.RuntimePermission
219 * @see java.awt.AWTPermission
220 * @see java.security.Policy Policy
221 * @see java.security.SecurityPermission SecurityPermission
222 * @see java.security.ProtectionDomain
223 *
224 * @since JDK1.0
225 */
226 public
227 class SecurityManager {
228
229 /**
230 * This field is <code>true</code> if there is a security check in
231 * progress; <code>false</code> otherwise.
232 *
233 * @deprecated This type of security checking is not recommended.
234 * It is recommended that the <code>checkPermission</code>
235 * call be used instead.
236 */
237 @Deprecated
238 protected boolean inCheck;
239
240 /*
241 * Have we been initialized. Effective against finalizer attacks.
242 */
243 private boolean initialized = false;
244
245
246 /**
247 * returns true if the current context has been granted AllPermission
248 */
249 private boolean hasAllPermission()
250 {
251 try {
252 checkPermission(SecurityConstants.ALL_PERMISSION);
253 return true;
254 } catch (SecurityException se) {
255 return false;
256 }
257 }
258
259 /**
260 * Tests if there is a security check in progress.
261 *
262 * @return the value of the <code>inCheck</code> field. This field
263 * should contain <code>true</code> if a security check is
264 * in progress,
265 * <code>false</code> otherwise.
266 * @see java.lang.SecurityManager#inCheck
267 * @deprecated This type of security checking is not recommended.
268 * It is recommended that the <code>checkPermission</code>
269 * call be used instead.
270 */
271 @Deprecated
272 public boolean getInCheck() {
273 return inCheck;
274 }
275
276 /**
277 * Constructs a new <code>SecurityManager</code>.
278 *
279 * <p> If there is a security manager already installed, this method first
280 * calls the security manager's <code>checkPermission</code> method
281 * with the <code>RuntimePermission("createSecurityManager")</code>
282 * permission to ensure the calling thread has permission to create a new
283 * security manager.
284 * This may result in throwing a <code>SecurityException</code>.
285 *
286 * @exception java.lang.SecurityException if a security manager already
287 * exists and its <code>checkPermission</code> method
288 * doesn't allow creation of a new security manager.
289 * @see java.lang.System#getSecurityManager()
290 * @see #checkPermission(java.security.Permission) checkPermission
291 * @see java.lang.RuntimePermission
292 */
293 public SecurityManager() {
294 synchronized(SecurityManager.class) {
295 SecurityManager sm = System.getSecurityManager();
296 if (sm != null) {
297 // ask the currently installed security manager if we
298 // can create a new one.
299 sm.checkPermission(new RuntimePermission
300 ("createSecurityManager"));
301 }
302 initialized = true;
303 }
304 }
305
306 /**
307 * Returns the current execution stack as an array of classes.
308 * <p>
309 * The length of the array is the number of methods on the execution
310 * stack. The element at index <code>0</code> is the class of the
311 * currently executing method, the element at index <code>1</code> is
312 * the class of that method's caller, and so on.
313 *
314 * @return the execution stack.
315 */
316 protected native Class[] getClassContext();
317
318 /**
319 * Returns the class loader of the most recently executing method from
320 * a class defined using a non-system class loader. A non-system
321 * class loader is defined as being a class loader that is not equal to
322 * the system class loader (as returned
323 * by {@link ClassLoader#getSystemClassLoader}) or one of its ancestors.
324 * <p>
325 * This method will return
326 * <code>null</code> in the following three cases:<p>
327 * <ol>
328 * <li>All methods on the execution stack are from classes
329 * defined using the system class loader or one of its ancestors.
330 *
331 * <li>All methods on the execution stack up to the first
332 * "privileged" caller
333 * (see {@link java.security.AccessController#doPrivileged})
334 * are from classes
335 * defined using the system class loader or one of its ancestors.
336 *
337 * <li> A call to <code>checkPermission</code> with
338 * <code>java.security.AllPermission</code> does not
339 * result in a SecurityException.
340 *
341 * </ol>
342 *
343 * @return the class loader of the most recent occurrence on the stack
344 * of a method from a class defined using a non-system class
345 * loader.
346 *
347 * @deprecated This type of security checking is not recommended.
348 * It is recommended that the <code>checkPermission</code>
349 * call be used instead.
350 *
351 * @see java.lang.ClassLoader#getSystemClassLoader() getSystemClassLoader
352 * @see #checkPermission(java.security.Permission) checkPermission
353 */
354 @Deprecated
355 protected ClassLoader currentClassLoader()
356 {
357 ClassLoader cl = currentClassLoader0();
358 if ((cl != null) && hasAllPermission())
359 cl = null;
360 return cl;
361 }
362
363 private native ClassLoader currentClassLoader0();
364
365 /**
366 * Returns the class of the most recently executing method from
367 * a class defined using a non-system class loader. A non-system
368 * class loader is defined as being a class loader that is not equal to
369 * the system class loader (as returned
370 * by {@link ClassLoader#getSystemClassLoader}) or one of its ancestors.
371 * <p>
372 * This method will return
373 * <code>null</code> in the following three cases:<p>
374 * <ol>
375 * <li>All methods on the execution stack are from classes
376 * defined using the system class loader or one of its ancestors.
377 *
378 * <li>All methods on the execution stack up to the first
379 * "privileged" caller
380 * (see {@link java.security.AccessController#doPrivileged})
381 * are from classes
382 * defined using the system class loader or one of its ancestors.
383 *
384 * <li> A call to <code>checkPermission</code> with
385 * <code>java.security.AllPermission</code> does not
386 * result in a SecurityException.
387 *
388 * </ol>
389 *
390 * @return the class of the most recent occurrence on the stack
391 * of a method from a class defined using a non-system class
392 * loader.
393 *
394 * @deprecated This type of security checking is not recommended.
395 * It is recommended that the <code>checkPermission</code>
396 * call be used instead.
397 *
398 * @see java.lang.ClassLoader#getSystemClassLoader() getSystemClassLoader
399 * @see #checkPermission(java.security.Permission) checkPermission
400 */
401 @Deprecated
402 protected Class<?> currentLoadedClass() {
403 Class c = currentLoadedClass0();
404 if ((c != null) && hasAllPermission())
405 c = null;
406 return c;
407 }
408
409 /**
410 * Returns the stack depth of the specified class.
411 *
412 * @param name the fully qualified name of the class to search for.
413 * @return the depth on the stack frame of the first occurrence of a
414 * method from a class with the specified name;
415 * <code>-1</code> if such a frame cannot be found.
416 * @deprecated This type of security checking is not recommended.
417 * It is recommended that the <code>checkPermission</code>
418 * call be used instead.
419 *
420 */
421 @Deprecated
422 protected native int classDepth(String name);
423
424 /**
425 * Returns the stack depth of the most recently executing method
426 * from a class defined using a non-system class loader. A non-system
427 * class loader is defined as being a class loader that is not equal to
428 * the system class loader (as returned
429 * by {@link ClassLoader#getSystemClassLoader}) or one of its ancestors.
430 * <p>
431 * This method will return
432 * -1 in the following three cases:<p>
433 * <ol>
434 * <li>All methods on the execution stack are from classes
435 * defined using the system class loader or one of its ancestors.
436 *
437 * <li>All methods on the execution stack up to the first
438 * "privileged" caller
439 * (see {@link java.security.AccessController#doPrivileged})
440 * are from classes
441 * defined using the system class loader or one of its ancestors.
442 *
443 * <li> A call to <code>checkPermission</code> with
444 * <code>java.security.AllPermission</code> does not
445 * result in a SecurityException.
446 *
447 * </ol>
448 *
449 * @return the depth on the stack frame of the most recent occurrence of
450 * a method from a class defined using a non-system class loader.
451 *
452 * @deprecated This type of security checking is not recommended.
453 * It is recommended that the <code>checkPermission</code>
454 * call be used instead.
455 *
456 * @see java.lang.ClassLoader#getSystemClassLoader() getSystemClassLoader
457 * @see #checkPermission(java.security.Permission) checkPermission
458 */
459 @Deprecated
460 protected int classLoaderDepth()
461 {
462 int depth = classLoaderDepth0();
463 if (depth != -1) {
464 if (hasAllPermission())
465 depth = -1;
466 else
467 depth--; // make sure we don't include ourself
468 }
469 return depth;
470 }
471
472 private native int classLoaderDepth0();
473
474 /**
475 * Tests if a method from a class with the specified
476 * name is on the execution stack.
477 *
478 * @param name the fully qualified name of the class.
479 * @return <code>true</code> if a method from a class with the specified
480 * name is on the execution stack; <code>false</code> otherwise.
481 * @deprecated This type of security checking is not recommended.
482 * It is recommended that the <code>checkPermission</code>
483 * call be used instead.
484 */
485 @Deprecated
486 protected boolean inClass(String name) {
487 return classDepth(name) >= 0;
488 }
489
490 /**
491 * Basically, tests if a method from a class defined using a
492 * class loader is on the execution stack.
493 *
494 * @return <code>true</code> if a call to <code>currentClassLoader</code>
495 * has a non-null return value.
496 *
497 * @deprecated This type of security checking is not recommended.
498 * It is recommended that the <code>checkPermission</code>
499 * call be used instead.
500 * @see #currentClassLoader() currentClassLoader
501 */
502 @Deprecated
503 protected boolean inClassLoader() {
504 return currentClassLoader() != null;
505 }
506
507 /**
508 * Creates an object that encapsulates the current execution
509 * environment. The result of this method is used, for example, by the
510 * three-argument <code>checkConnect</code> method and by the
511 * two-argument <code>checkRead</code> method.
512 * These methods are needed because a trusted method may be called
513 * on to read a file or open a socket on behalf of another method.
514 * The trusted method needs to determine if the other (possibly
515 * untrusted) method would be allowed to perform the operation on its
516 * own.
517 * <p> The default implementation of this method is to return
518 * an <code>AccessControlContext</code> object.
519 *
520 * @return an implementation-dependent object that encapsulates
521 * sufficient information about the current execution environment
522 * to perform some security checks later.
523 * @see java.lang.SecurityManager#checkConnect(java.lang.String, int,
524 * java.lang.Object) checkConnect
525 * @see java.lang.SecurityManager#checkRead(java.lang.String,
526 * java.lang.Object) checkRead
527 * @see java.security.AccessControlContext AccessControlContext
528 */
529 public Object getSecurityContext() {
530 return AccessController.getContext();
531 }
532
533 /**
534 * Throws a <code>SecurityException</code> if the requested
535 * access, specified by the given permission, is not permitted based
536 * on the security policy currently in effect.
537 * <p>
538 * This method calls <code>AccessController.checkPermission</code>
539 * with the given permission.
540 *
541 * @param perm the requested permission.
542 * @exception SecurityException if access is not permitted based on
543 * the current security policy.
544 * @exception NullPointerException if the permission argument is
545 * <code>null</code>.
546 * @since 1.2
547 */
548 public void checkPermission(Permission perm) {
549 java.security.AccessController.checkPermission(perm);
550 }
551
552 /**
553 * Throws a <code>SecurityException</code> if the
554 * specified security context is denied access to the resource
555 * specified by the given permission.
556 * The context must be a security
557 * context returned by a previous call to
558 * <code>getSecurityContext</code> and the access control
559 * decision is based upon the configured security policy for
560 * that security context.
561 * <p>
562 * If <code>context</code> is an instance of
563 * <code>AccessControlContext</code> then the
564 * <code>AccessControlContext.checkPermission</code> method is
565 * invoked with the specified permission.
566 * <p>
567 * If <code>context</code> is not an instance of
568 * <code>AccessControlContext</code> then a
569 * <code>SecurityException</code> is thrown.
570 *
571 * @param perm the specified permission
572 * @param context a system-dependent security context.
573 * @exception SecurityException if the specified security context
574 * is not an instance of <code>AccessControlContext</code>
575 * (e.g., is <code>null</code>), or is denied access to the
576 * resource specified by the given permission.
577 * @exception NullPointerException if the permission argument is
578 * <code>null</code>.
579 * @see java.lang.SecurityManager#getSecurityContext()
580 * @see java.security.AccessControlContext#checkPermission(java.security.Permission)
581 * @since 1.2
582 */
583 public void checkPermission(Permission perm, Object context) {
584 if (context instanceof AccessControlContext) {
585 ((AccessControlContext)context).checkPermission(perm);
586 } else {
587 throw new SecurityException();
588 }
589 }
590
591 /**
592 * Throws a <code>SecurityException</code> if the
593 * calling thread is not allowed to create a new class loader.
594 * <p>
595 * This method calls <code>checkPermission</code> with the
596 * <code>RuntimePermission("createClassLoader")</code>
597 * permission.
598 * <p>
599 * If you override this method, then you should make a call to
600 * <code>super.checkCreateClassLoader</code>
601 * at the point the overridden method would normally throw an
602 * exception.
603 *
604 * @exception SecurityException if the calling thread does not
605 * have permission
606 * to create a new class loader.
607 * @see java.lang.ClassLoader#ClassLoader()
608 * @see #checkPermission(java.security.Permission) checkPermission
609 */
610 public void checkCreateClassLoader() {
611 checkPermission(SecurityConstants.CREATE_CLASSLOADER_PERMISSION);
612 }
613
614 /**
615 * reference to the root thread group, used for the checkAccess
616 * methods.
617 */
618
619 private static ThreadGroup rootGroup = getRootGroup();
620
621 private static ThreadGroup getRootGroup() {
622 ThreadGroup root = Thread.currentThread().getThreadGroup();
623 while (root.getParent() != null) {
624 root = root.getParent();
625 }
626 return root;
627 }
628
629 /**
630 * Throws a <code>SecurityException</code> if the
631 * calling thread is not allowed to modify the thread argument.
632 * <p>
633 * This method is invoked for the current security manager by the
634 * <code>stop</code>, <code>suspend</code>, <code>resume</code>,
635 * <code>setPriority</code>, <code>setName</code>, and
636 * <code>setDaemon</code> methods of class <code>Thread</code>.
637 * <p>
638 * If the thread argument is a system thread (belongs to
639 * the thread group with a <code>null</code> parent) then
640 * this method calls <code>checkPermission</code> with the
641 * <code>RuntimePermission("modifyThread")</code> permission.
642 * If the thread argument is <i>not</i> a system thread,
643 * this method just returns silently.
644 * <p>
645 * Applications that want a stricter policy should override this
646 * method. If this method is overridden, the method that overrides
647 * it should additionally check to see if the calling thread has the
648 * <code>RuntimePermission("modifyThread")</code> permission, and
649 * if so, return silently. This is to ensure that code granted
650 * that permission (such as the JDK itself) is allowed to
651 * manipulate any thread.
652 * <p>
653 * If this method is overridden, then
654 * <code>super.checkAccess</code> should
655 * be called by the first statement in the overridden method, or the
656 * equivalent security check should be placed in the overridden method.
657 *
658 * @param t the thread to be checked.
659 * @exception SecurityException if the calling thread does not have
660 * permission to modify the thread.
661 * @exception NullPointerException if the thread argument is
662 * <code>null</code>.
663 * @see java.lang.Thread#resume() resume
664 * @see java.lang.Thread#setDaemon(boolean) setDaemon
665 * @see java.lang.Thread#setName(java.lang.String) setName
666 * @see java.lang.Thread#setPriority(int) setPriority
667 * @see java.lang.Thread#stop() stop
668 * @see java.lang.Thread#suspend() suspend
669 * @see #checkPermission(java.security.Permission) checkPermission
670 */
671 public void checkAccess(Thread t) {
672 if (t == null) {
673 throw new NullPointerException("thread can't be null");
674 }
675 if (t.getThreadGroup() == rootGroup) {
676 checkPermission(SecurityConstants.MODIFY_THREAD_PERMISSION);
677 } else {
678 // just return
679 }
680 }
681 /**
682 * Throws a <code>SecurityException</code> if the
683 * calling thread is not allowed to modify the thread group argument.
684 * <p>
685 * This method is invoked for the current security manager when a
686 * new child thread or child thread group is created, and by the
687 * <code>setDaemon</code>, <code>setMaxPriority</code>,
688 * <code>stop</code>, <code>suspend</code>, <code>resume</code>, and
689 * <code>destroy</code> methods of class <code>ThreadGroup</code>.
690 * <p>
691 * If the thread group argument is the system thread group (
692 * has a <code>null</code> parent) then
693 * this method calls <code>checkPermission</code> with the
694 * <code>RuntimePermission("modifyThreadGroup")</code> permission.
695 * If the thread group argument is <i>not</i> the system thread group,
696 * this method just returns silently.
697 * <p>
698 * Applications that want a stricter policy should override this
699 * method. If this method is overridden, the method that overrides
700 * it should additionally check to see if the calling thread has the
701 * <code>RuntimePermission("modifyThreadGroup")</code> permission, and
702 * if so, return silently. This is to ensure that code granted
703 * that permission (such as the JDK itself) is allowed to
704 * manipulate any thread.
705 * <p>
706 * If this method is overridden, then
707 * <code>super.checkAccess</code> should
708 * be called by the first statement in the overridden method, or the
709 * equivalent security check should be placed in the overridden method.
710 *
711 * @param g the thread group to be checked.
712 * @exception SecurityException if the calling thread does not have
713 * permission to modify the thread group.
714 * @exception NullPointerException if the thread group argument is
715 * <code>null</code>.
716 * @see java.lang.ThreadGroup#destroy() destroy
717 * @see java.lang.ThreadGroup#resume() resume
718 * @see java.lang.ThreadGroup#setDaemon(boolean) setDaemon
719 * @see java.lang.ThreadGroup#setMaxPriority(int) setMaxPriority
720 * @see java.lang.ThreadGroup#stop() stop
721 * @see java.lang.ThreadGroup#suspend() suspend
722 * @see #checkPermission(java.security.Permission) checkPermission
723 */
724 public void checkAccess(ThreadGroup g) {
725 if (g == null) {
726 throw new NullPointerException("thread group can't be null");
727 }
728 if (g == rootGroup) {
729 checkPermission(SecurityConstants.MODIFY_THREADGROUP_PERMISSION);
730 } else {
731 // just return
732 }
733 }
734
735 /**
736 * Throws a <code>SecurityException</code> if the
737 * calling thread is not allowed to cause the Java Virtual Machine to
738 * halt with the specified status code.
739 * <p>
740 * This method is invoked for the current security manager by the
741 * <code>exit</code> method of class <code>Runtime</code>. A status
742 * of <code>0</code> indicates success; other values indicate various
743 * errors.
744 * <p>
745 * This method calls <code>checkPermission</code> with the
746 * <code>RuntimePermission("exitVM."+status)</code> permission.
747 * <p>
748 * If you override this method, then you should make a call to
749 * <code>super.checkExit</code>
750 * at the point the overridden method would normally throw an
751 * exception.
752 *
753 * @param status the exit status.
754 * @exception SecurityException if the calling thread does not have
755 * permission to halt the Java Virtual Machine with
756 * the specified status.
757 * @see java.lang.Runtime#exit(int) exit
758 * @see #checkPermission(java.security.Permission) checkPermission
759 */
760 public void checkExit(int status) {
761 checkPermission(new RuntimePermission("exitVM."+status));
762 }
763
764 /**
765 * Throws a <code>SecurityException</code> if the
766 * calling thread is not allowed to create a subprocess.
767 * <p>
768 * This method is invoked for the current security manager by the
769 * <code>exec</code> methods of class <code>Runtime</code>.
770 * <p>
771 * This method calls <code>checkPermission</code> with the
772 * <code>FilePermission(cmd,"execute")</code> permission
773 * if cmd is an absolute path, otherwise it calls
774 * <code>checkPermission</code> with
775 * <code>FilePermission("<<ALL FILES>>","execute")</code>.
776 * <p>
777 * If you override this method, then you should make a call to
778 * <code>super.checkExec</code>
779 * at the point the overridden method would normally throw an
780 * exception.
781 *
782 * @param cmd the specified system command.
783 * @exception SecurityException if the calling thread does not have
784 * permission to create a subprocess.
785 * @exception NullPointerException if the <code>cmd</code> argument is
786 * <code>null</code>.
787 * @see java.lang.Runtime#exec(java.lang.String)
788 * @see java.lang.Runtime#exec(java.lang.String, java.lang.String[])
789 * @see java.lang.Runtime#exec(java.lang.String[])
790 * @see java.lang.Runtime#exec(java.lang.String[], java.lang.String[])
791 * @see #checkPermission(java.security.Permission) checkPermission
792 */
793 public void checkExec(String cmd) {
794 File f = new File(cmd);
795 if (f.isAbsolute()) {
796 checkPermission(new FilePermission(cmd,
797 SecurityConstants.FILE_EXECUTE_ACTION));
798 } else {
799 checkPermission(new FilePermission("<<ALL FILES>>",
800 SecurityConstants.FILE_EXECUTE_ACTION));
801 }
802 }
803
804 /**
805 * Throws a <code>SecurityException</code> if the
806 * calling thread is not allowed to dynamic link the library code
807 * specified by the string argument file. The argument is either a
808 * simple library name or a complete filename.
809 * <p>
810 * This method is invoked for the current security manager by
811 * methods <code>load</code> and <code>loadLibrary</code> of class
812 * <code>Runtime</code>.
813 * <p>
814 * This method calls <code>checkPermission</code> with the
815 * <code>RuntimePermission("loadLibrary."+lib)</code> permission.
816 * <p>
817 * If you override this method, then you should make a call to
818 * <code>super.checkLink</code>
819 * at the point the overridden method would normally throw an
820 * exception.
821 *
822 * @param lib the name of the library.
823 * @exception SecurityException if the calling thread does not have
824 * permission to dynamically link the library.
825 * @exception NullPointerException if the <code>lib</code> argument is
826 * <code>null</code>.
827 * @see java.lang.Runtime#load(java.lang.String)
828 * @see java.lang.Runtime#loadLibrary(java.lang.String)
829 * @see #checkPermission(java.security.Permission) checkPermission
830 */
831 public void checkLink(String lib) {
832 if (lib == null) {
833 throw new NullPointerException("library can't be null");
834 }
835 checkPermission(new RuntimePermission("loadLibrary."+lib));
836 }
837
838 /**
839 * Throws a <code>SecurityException</code> if the
840 * calling thread is not allowed to read from the specified file
841 * descriptor.
842 * <p>
843 * This method calls <code>checkPermission</code> with the
844 * <code>RuntimePermission("readFileDescriptor")</code>
845 * permission.
846 * <p>
847 * If you override this method, then you should make a call to
848 * <code>super.checkRead</code>
849 * at the point the overridden method would normally throw an
850 * exception.
851 *
852 * @param fd the system-dependent file descriptor.
853 * @exception SecurityException if the calling thread does not have
854 * permission to access the specified file descriptor.
855 * @exception NullPointerException if the file descriptor argument is
856 * <code>null</code>.
857 * @see java.io.FileDescriptor
858 * @see #checkPermission(java.security.Permission) checkPermission
859 */
860 public void checkRead(FileDescriptor fd) {
861 if (fd == null) {
862 throw new NullPointerException("file descriptor can't be null");
863 }
864 checkPermission(new RuntimePermission("readFileDescriptor"));
865 }
866
867 /**
868 * Throws a <code>SecurityException</code> if the
869 * calling thread is not allowed to read the file specified by the
870 * string argument.
871 * <p>
872 * This method calls <code>checkPermission</code> with the
873 * <code>FilePermission(file,"read")</code> permission.
874 * <p>
875 * If you override this method, then you should make a call to
876 * <code>super.checkRead</code>
877 * at the point the overridden method would normally throw an
878 * exception.
879 *
880 * @param file the system-dependent file name.
881 * @exception SecurityException if the calling thread does not have
882 * permission to access the specified file.
883 * @exception NullPointerException if the <code>file</code> argument is
884 * <code>null</code>.
885 * @see #checkPermission(java.security.Permission) checkPermission
886 */
887 public void checkRead(String file) {
888 checkPermission(new FilePermission(file,
889 SecurityConstants.FILE_READ_ACTION));
890 }
891
892 /**
893 * Throws a <code>SecurityException</code> if the
894 * specified security context is not allowed to read the file
895 * specified by the string argument. The context must be a security
896 * context returned by a previous call to
897 * <code>getSecurityContext</code>.
898 * <p> If <code>context</code> is an instance of
899 * <code>AccessControlContext</code> then the
900 * <code>AccessControlContext.checkPermission</code> method will
901 * be invoked with the <code>FilePermission(file,"read")</code> permission.
902 * <p> If <code>context</code> is not an instance of
903 * <code>AccessControlContext</code> then a
904 * <code>SecurityException</code> is thrown.
905 * <p>
906 * If you override this method, then you should make a call to
907 * <code>super.checkRead</code>
908 * at the point the overridden method would normally throw an
909 * exception.
910 *
911 * @param file the system-dependent filename.
912 * @param context a system-dependent security context.
913 * @exception SecurityException if the specified security context
914 * is not an instance of <code>AccessControlContext</code>
915 * (e.g., is <code>null</code>), or does not have permission
916 * to read the specified file.
917 * @exception NullPointerException if the <code>file</code> argument is
918 * <code>null</code>.
919 * @see java.lang.SecurityManager#getSecurityContext()
920 * @see java.security.AccessControlContext#checkPermission(java.security.Permission)
921 */
922 public void checkRead(String file, Object context) {
923 checkPermission(
924 new FilePermission(file, SecurityConstants.FILE_READ_ACTION),
925 context);
926 }
927
928 /**
929 * Throws a <code>SecurityException</code> if the
930 * calling thread is not allowed to write to the specified file
931 * descriptor.
932 * <p>
933 * This method calls <code>checkPermission</code> with the
934 * <code>RuntimePermission("writeFileDescriptor")</code>
935 * permission.
936 * <p>
937 * If you override this method, then you should make a call to
938 * <code>super.checkWrite</code>
939 * at the point the overridden method would normally throw an
940 * exception.
941 *
942 * @param fd the system-dependent file descriptor.
943 * @exception SecurityException if the calling thread does not have
944 * permission to access the specified file descriptor.
945 * @exception NullPointerException if the file descriptor argument is
946 * <code>null</code>.
947 * @see java.io.FileDescriptor
948 * @see #checkPermission(java.security.Permission) checkPermission
949 */
950 public void checkWrite(FileDescriptor fd) {
951 if (fd == null) {
952 throw new NullPointerException("file descriptor can't be null");
953 }
954 checkPermission(new RuntimePermission("writeFileDescriptor"));
955
956 }
957
958 /**
959 * Throws a <code>SecurityException</code> if the
960 * calling thread is not allowed to write to the file specified by
961 * the string argument.
962 * <p>
963 * This method calls <code>checkPermission</code> with the
964 * <code>FilePermission(file,"write")</code> permission.
965 * <p>
966 * If you override this method, then you should make a call to
967 * <code>super.checkWrite</code>
968 * at the point the overridden method would normally throw an
969 * exception.
970 *
971 * @param file the system-dependent filename.
972 * @exception SecurityException if the calling thread does not
973 * have permission to access the specified file.
974 * @exception NullPointerException if the <code>file</code> argument is
975 * <code>null</code>.
976 * @see #checkPermission(java.security.Permission) checkPermission
977 */
978 public void checkWrite(String file) {
979 checkPermission(new FilePermission(file,
980 SecurityConstants.FILE_WRITE_ACTION));
981 }
982
983 /**
984 * Throws a <code>SecurityException</code> if the
985 * calling thread is not allowed to delete the specified file.
986 * <p>
987 * This method is invoked for the current security manager by the
988 * <code>delete</code> method of class <code>File</code>.
989 * <p>
990 * This method calls <code>checkPermission</code> with the
991 * <code>FilePermission(file,"delete")</code> permission.
992 * <p>
993 * If you override this method, then you should make a call to
994 * <code>super.checkDelete</code>
995 * at the point the overridden method would normally throw an
996 * exception.
997 *
998 * @param file the system-dependent filename.
999 * @exception SecurityException if the calling thread does not
1000 * have permission to delete the file.
1001 * @exception NullPointerException if the <code>file</code> argument is
1002 * <code>null</code>.
1003 * @see java.io.File#delete()
1004 * @see #checkPermission(java.security.Permission) checkPermission
1005 */
1006 public void checkDelete(String file) {
1007 checkPermission(new FilePermission(file,
1008 SecurityConstants.FILE_DELETE_ACTION));
1009 }
1010
1011 /**
1012 * Throws a <code>SecurityException</code> if the
1013 * calling thread is not allowed to open a socket connection to the
1014 * specified host and port number.
1015 * <p>
1016 * A port number of <code>-1</code> indicates that the calling
1017 * method is attempting to determine the IP address of the specified
1018 * host name.
1019 * <p>
1020 * This method calls <code>checkPermission</code> with the
1021 * <code>SocketPermission(host+":"+port,"connect")</code> permission if
1022 * the port is not equal to -1. If the port is equal to -1, then
1023 * it calls <code>checkPermission</code> with the
1024 * <code>SocketPermission(host,"resolve")</code> permission.
1025 * <p>
1026 * If you override this method, then you should make a call to
1027 * <code>super.checkConnect</code>
1028 * at the point the overridden method would normally throw an
1029 * exception.
1030 *
1031 * @param host the host name port to connect to.
1032 * @param port the protocol port to connect to.
1033 * @exception SecurityException if the calling thread does not have
1034 * permission to open a socket connection to the specified
1035 * <code>host</code> and <code>port</code>.
1036 * @exception NullPointerException if the <code>host</code> argument is
1037 * <code>null</code>.
1038 * @see #checkPermission(java.security.Permission) checkPermission
1039 */
1040 public void checkConnect(String host, int port) {
1041 if (host == null) {
1042 throw new NullPointerException("host can't be null");
1043 }
1044 if (!host.startsWith("[") && host.indexOf(':') != -1) {
1045 host = "[" + host + "]";
1046 }
1047 if (port == -1) {
1048 checkPermission(new SocketPermission(host,
1049 SecurityConstants.SOCKET_RESOLVE_ACTION));
1050 } else {
1051 checkPermission(new SocketPermission(host+":"+port,
1052 SecurityConstants.SOCKET_CONNECT_ACTION));
1053 }
1054 }
1055
1056 /**
1057 * Throws a <code>SecurityException</code> if the
1058 * specified security context is not allowed to open a socket
1059 * connection to the specified host and port number.
1060 * <p>
1061 * A port number of <code>-1</code> indicates that the calling
1062 * method is attempting to determine the IP address of the specified
1063 * host name.
1064 * <p> If <code>context</code> is not an instance of
1065 * <code>AccessControlContext</code> then a
1066 * <code>SecurityException</code> is thrown.
1067 * <p>
1068 * Otherwise, the port number is checked. If it is not equal
1069 * to -1, the <code>context</code>'s <code>checkPermission</code>
1070 * method is called with a
1071 * <code>SocketPermission(host+":"+port,"connect")</code> permission.
1072 * If the port is equal to -1, then
1073 * the <code>context</code>'s <code>checkPermission</code> method
1074 * is called with a
1075 * <code>SocketPermission(host,"resolve")</code> permission.
1076 * <p>
1077 * If you override this method, then you should make a call to
1078 * <code>super.checkConnect</code>
1079 * at the point the overridden method would normally throw an
1080 * exception.
1081 *
1082 * @param host the host name port to connect to.
1083 * @param port the protocol port to connect to.
1084 * @param context a system-dependent security context.
1085 * @exception SecurityException if the specified security context
1086 * is not an instance of <code>AccessControlContext</code>
1087 * (e.g., is <code>null</code>), or does not have permission
1088 * to open a socket connection to the specified
1089 * <code>host</code> and <code>port</code>.
1090 * @exception NullPointerException if the <code>host</code> argument is
1091 * <code>null</code>.
1092 * @see java.lang.SecurityManager#getSecurityContext()
1093 * @see java.security.AccessControlContext#checkPermission(java.security.Permission)
1094 */
1095 public void checkConnect(String host, int port, Object context) {
1096 if (host == null) {
1097 throw new NullPointerException("host can't be null");
1098 }
1099 if (!host.startsWith("[") && host.indexOf(':') != -1) {
1100 host = "[" + host + "]";
1101 }
1102 if (port == -1)
1103 checkPermission(new SocketPermission(host,
1104 SecurityConstants.SOCKET_RESOLVE_ACTION),
1105 context);
1106 else
1107 checkPermission(new SocketPermission(host+":"+port,
1108 SecurityConstants.SOCKET_CONNECT_ACTION),
1109 context);
1110 }
1111
1112 /**
1113 * Throws a <code>SecurityException</code> if the
1114 * calling thread is not allowed to wait for a connection request on
1115 * the specified local port number.
1116 * <p>
1117 * If port is not 0, this method calls
1118 * <code>checkPermission</code> with the
1119 * <code>SocketPermission("localhost:"+port,"listen")</code>.
1120 * If port is zero, this method calls <code>checkPermission</code>
1121 * with <code>SocketPermission("localhost:1024-","listen").</code>
1122 * <p>
1123 * If you override this method, then you should make a call to
1124 * <code>super.checkListen</code>
1125 * at the point the overridden method would normally throw an
1126 * exception.
1127 *
1128 * @param port the local port.
1129 * @exception SecurityException if the calling thread does not have
1130 * permission to listen on the specified port.
1131 * @see #checkPermission(java.security.Permission) checkPermission
1132 */
1133 public void checkListen(int port) {
1134 if (port == 0) {
1135 checkPermission(SecurityConstants.LOCAL_LISTEN_PERMISSION);
1136 } else {
1137 checkPermission(new SocketPermission("localhost:"+port,
1138 SecurityConstants.SOCKET_LISTEN_ACTION));
1139 }
1140 }
1141
1142 /**
1143 * Throws a <code>SecurityException</code> if the
1144 * calling thread is not permitted to accept a socket connection from
1145 * the specified host and port number.
1146 * <p>
1147 * This method is invoked for the current security manager by the
1148 * <code>accept</code> method of class <code>ServerSocket</code>.
1149 * <p>
1150 * This method calls <code>checkPermission</code> with the
1151 * <code>SocketPermission(host+":"+port,"accept")</code> permission.
1152 * <p>
1153 * If you override this method, then you should make a call to
1154 * <code>super.checkAccept</code>
1155 * at the point the overridden method would normally throw an
1156 * exception.
1157 *
1158 * @param host the host name of the socket connection.
1159 * @param port the port number of the socket connection.
1160 * @exception SecurityException if the calling thread does not have
1161 * permission to accept the connection.
1162 * @exception NullPointerException if the <code>host</code> argument is
1163 * <code>null</code>.
1164 * @see java.net.ServerSocket#accept()
1165 * @see #checkPermission(java.security.Permission) checkPermission
1166 */
1167 public void checkAccept(String host, int port) {
1168 if (host == null) {
1169 throw new NullPointerException("host can't be null");
1170 }
1171 if (!host.startsWith("[") && host.indexOf(':') != -1) {
1172 host = "[" + host + "]";
1173 }
1174 checkPermission(new SocketPermission(host+":"+port,
1175 SecurityConstants.SOCKET_ACCEPT_ACTION));
1176 }
1177
1178 /**
1179 * Throws a <code>SecurityException</code> if the
1180 * calling thread is not allowed to use
1181 * (join/leave/send/receive) IP multicast.
1182 * <p>
1183 * This method calls <code>checkPermission</code> with the
1184 * <code>java.net.SocketPermission(maddr.getHostAddress(),
1185 * "accept,connect")</code> permission.
1186 * <p>
1187 * If you override this method, then you should make a call to
1188 * <code>super.checkMulticast</code>
1189 * at the point the overridden method would normally throw an
1190 * exception.
1191 *
1192 * @param maddr Internet group address to be used.
1193 * @exception SecurityException if the calling thread is not allowed to
1194 * use (join/leave/send/receive) IP multicast.
1195 * @exception NullPointerException if the address argument is
1196 * <code>null</code>.
1197 * @since JDK1.1
1198 * @see #checkPermission(java.security.Permission) checkPermission
1199 */
1200 public void checkMulticast(InetAddress maddr) {
1201 String host = maddr.getHostAddress();
1202 if (!host.startsWith("[") && host.indexOf(':') != -1) {
1203 host = "[" + host + "]";
1204 }
1205 checkPermission(new SocketPermission(host,
1206 SecurityConstants.SOCKET_CONNECT_ACCEPT_ACTION));
1207 }
1208
1209 /**
1210 * Throws a <code>SecurityException</code> if the
1211 * calling thread is not allowed to use
1212 * (join/leave/send/receive) IP multicast.
1213 * <p>
1214 * This method calls <code>checkPermission</code> with the
1215 * <code>java.net.SocketPermission(maddr.getHostAddress(),
1216 * "accept,connect")</code> permission.
1217 * <p>
1218 * If you override this method, then you should make a call to
1219 * <code>super.checkMulticast</code>
1220 * at the point the overridden method would normally throw an
1221 * exception.
1222 *
1223 * @param maddr Internet group address to be used.
1224 * @param ttl value in use, if it is multicast send.
1225 * Note: this particular implementation does not use the ttl
1226 * parameter.
1227 * @exception SecurityException if the calling thread is not allowed to
1228 * use (join/leave/send/receive) IP multicast.
1229 * @exception NullPointerException if the address argument is
1230 * <code>null</code>.
1231 * @since JDK1.1
1232 * @deprecated Use #checkPermission(java.security.Permission) instead
1233 * @see #checkPermission(java.security.Permission) checkPermission
1234 */
1235 @Deprecated
1236 public void checkMulticast(InetAddress maddr, byte ttl) {
1237 String host = maddr.getHostAddress();
1238 if (!host.startsWith("[") && host.indexOf(':') != -1) {
1239 host = "[" + host + "]";
1240 }
1241 checkPermission(new SocketPermission(host,
1242 SecurityConstants.SOCKET_CONNECT_ACCEPT_ACTION));
1243 }
1244
1245 /**
1246 * Throws a <code>SecurityException</code> if the
1247 * calling thread is not allowed to access or modify the system
1248 * properties.
1249 * <p>
1250 * This method is used by the <code>getProperties</code> and
1251 * <code>setProperties</code> methods of class <code>System</code>.
1252 * <p>
1253 * This method calls <code>checkPermission</code> with the
1254 * <code>PropertyPermission("*", "read,write")</code> permission.
1255 * <p>
1256 * If you override this method, then you should make a call to
1257 * <code>super.checkPropertiesAccess</code>
1258 * at the point the overridden method would normally throw an
1259 * exception.
1260 * <p>
1261 *
1262 * @exception SecurityException if the calling thread does not have
1263 * permission to access or modify the system properties.
1264 * @see java.lang.System#getProperties()
1265 * @see java.lang.System#setProperties(java.util.Properties)
1266 * @see #checkPermission(java.security.Permission) checkPermission
1267 */
1268 public void checkPropertiesAccess() {
1269 checkPermission(new PropertyPermission("*",
1270 SecurityConstants.PROPERTY_RW_ACTION));
1271 }
1272
1273 /**
1274 * Throws a <code>SecurityException</code> if the
1275 * calling thread is not allowed to access the system property with
1276 * the specified <code>key</code> name.
1277 * <p>
1278 * This method is used by the <code>getProperty</code> method of
1279 * class <code>System</code>.
1280 * <p>
1281 * This method calls <code>checkPermission</code> with the
1282 * <code>PropertyPermission(key, "read")</code> permission.
1283 * <p>
1284 * <p>
1285 * If you override this method, then you should make a call to
1286 * <code>super.checkPropertyAccess</code>
1287 * at the point the overridden method would normally throw an
1288 * exception.
1289 *
1290 * @param key a system property key.
1291 *
1292 * @exception SecurityException if the calling thread does not have
1293 * permission to access the specified system property.
1294 * @exception NullPointerException if the <code>key</code> argument is
1295 * <code>null</code>.
1296 * @exception IllegalArgumentException if <code>key</code> is empty.
1297 *
1298 * @see java.lang.System#getProperty(java.lang.String)
1299 * @see #checkPermission(java.security.Permission) checkPermission
1300 */
1301 public void checkPropertyAccess(String key) {
1302 checkPermission(new PropertyPermission(key,
1303 SecurityConstants.PROPERTY_READ_ACTION));
1304 }
1305
1306 /**
1307 * Returns <code>false</code> if the calling
1308 * thread is not trusted to bring up the top-level window indicated
1309 * by the <code>window</code> argument. In this case, the caller can
1310 * still decide to show the window, but the window should include
1311 * some sort of visual warning. If the method returns
1312 * <code>true</code>, then the window can be shown without any
1313 * special restrictions.
1314 * <p>
1315 * See class <code>Window</code> for more information on trusted and
1316 * untrusted windows.
1317 * <p>
1318 * This method calls
1319 * <code>checkPermission</code> with the
1320 * <code>AWTPermission("showWindowWithoutWarningBanner")</code> permission,
1321 * and returns <code>true</code> if a SecurityException is not thrown,
1322 * otherwise it returns <code>false</code>.
1323 * <p>
1324 * If you override this method, then you should make a call to
1325 * <code>super.checkTopLevelWindow</code>
1326 * at the point the overridden method would normally return
1327 * <code>false</code>, and the value of
1328 * <code>super.checkTopLevelWindow</code> should
1329 * be returned.
1330 *
1331 * @param window the new window that is being created.
1332 * @return <code>true</code> if the calling thread is trusted to put up
1333 * top-level windows; <code>false</code> otherwise.
1334 * @exception NullPointerException if the <code>window</code> argument is
1335 * <code>null</code>.
1336 * @see java.awt.Window
1337 * @see #checkPermission(java.security.Permission) checkPermission
1338 */
1339 public boolean checkTopLevelWindow(Object window) {
1340 if (window == null) {
1341 throw new NullPointerException("window can't be null");
1342 }
1343 try {
1344 checkPermission(SecurityConstants.TOPLEVEL_WINDOW_PERMISSION);
1345 return true;
1346 } catch (SecurityException se) {
1347 // just return false
1348 }
1349 return false;
1350 }
1351
1352 /**
1353 * Throws a <code>SecurityException</code> if the
1354 * calling thread is not allowed to initiate a print job request.
1355 * <p>
1356 * This method calls
1357 * <code>checkPermission</code> with the
1358 * <code>RuntimePermission("queuePrintJob")</code> permission.
1359 * <p>
1360 * If you override this method, then you should make a call to
1361 * <code>super.checkPrintJobAccess</code>
1362 * at the point the overridden method would normally throw an
1363 * exception.
1364 * <p>
1365 *
1366 * @exception SecurityException if the calling thread does not have
1367 * permission to initiate a print job request.
1368 * @since JDK1.1
1369 * @see #checkPermission(java.security.Permission) checkPermission
1370 */
1371 public void checkPrintJobAccess() {
1372 checkPermission(new RuntimePermission("queuePrintJob"));
1373 }
1374
1375 /**
1376 * Throws a <code>SecurityException</code> if the
1377 * calling thread is not allowed to access the system clipboard.
1378 * <p>
1379 * This method calls <code>checkPermission</code> with the
1380 * <code>AWTPermission("accessClipboard")</code>
1381 * permission.
1382 * <p>
1383 * If you override this method, then you should make a call to
1384 * <code>super.checkSystemClipboardAccess</code>
1385 * at the point the overridden method would normally throw an
1386 * exception.
1387 *
1388 * @since JDK1.1
1389 * @exception SecurityException if the calling thread does not have
1390 * permission to access the system clipboard.
1391 * @see #checkPermission(java.security.Permission) checkPermission
1392 */
1393 public void checkSystemClipboardAccess() {
1394 checkPermission(SecurityConstants.ACCESS_CLIPBOARD_PERMISSION);
1395 }
1396
1397 /**
1398 * Throws a <code>SecurityException</code> if the
1399 * calling thread is not allowed to access the AWT event queue.
1400 * <p>
1401 * This method calls <code>checkPermission</code> with the
1402 * <code>AWTPermission("accessEventQueue")</code> permission.
1403 * <p>
1404 * If you override this method, then you should make a call to
1405 * <code>super.checkAwtEventQueueAccess</code>
1406 * at the point the overridden method would normally throw an
1407 * exception.
1408 *
1409 * @since JDK1.1
1410 * @exception SecurityException if the calling thread does not have
1411 * permission to access the AWT event queue.
1412 * @see #checkPermission(java.security.Permission) checkPermission
1413 */
1414 public void checkAwtEventQueueAccess() {
1415 checkPermission(SecurityConstants.CHECK_AWT_EVENTQUEUE_PERMISSION);
1416 }
1417
1418 /*
1419 * We have an initial invalid bit (initially false) for the class
1420 * variables which tell if the cache is valid. If the underlying
1421 * java.security.Security property changes via setProperty(), the
1422 * Security class uses reflection to change the variable and thus
1423 * invalidate the cache.
1424 *
1425 * Locking is handled by synchronization to the
1426 * packageAccessLock/packageDefinitionLock objects. They are only
1427 * used in this class.
1428 *
1429 * Note that cache invalidation as a result of the property change
1430 * happens without using these locks, so there may be a delay between
1431 * when a thread updates the property and when other threads updates
1432 * the cache.
1433 */
1434 private static boolean packageAccessValid = false;
1435 private static String[] packageAccess;
1436 private static final Object packageAccessLock = new Object();
1437
1438 private static boolean packageDefinitionValid = false;
1439 private static String[] packageDefinition;
1440 private static final Object packageDefinitionLock = new Object();
1441
1442 private static String[] getPackages(String p) {
1443 String packages[] = null;
1444 if (p != null && !p.equals("")) {
1445 java.util.StringTokenizer tok =
1446 new java.util.StringTokenizer(p, ",");
1447 int n = tok.countTokens();
1448 if (n > 0) {
1449 packages = new String[n];
1450 int i = 0;
1451 while (tok.hasMoreElements()) {
1452 String s = tok.nextToken().trim();
1453 packages[i++] = s;
1454 }
1455 }
1456 }
1457
1458 if (packages == null)
1459 packages = new String[0];
1460 return packages;
1461 }
1462
1463 /**
1464 * Throws a <code>SecurityException</code> if the
1465 * calling thread is not allowed to access the package specified by
1466 * the argument.
1467 * <p>
1468 * This method is used by the <code>loadClass</code> method of class
1469 * loaders.
1470 * <p>
1471 * This method first gets a list of
1472 * restricted packages by obtaining a comma-separated list from
1473 * a call to
1474 * <code>java.security.Security.getProperty("package.access")</code>,
1475 * and checks to see if <code>pkg</code> starts with or equals
1476 * any of the restricted packages. If it does, then
1477 * <code>checkPermission</code> gets called with the
1478 * <code>RuntimePermission("accessClassInPackage."+pkg)</code>
1479 * permission.
1480 * <p>
1481 * If this method is overridden, then
1482 * <code>super.checkPackageAccess</code> should be called
1483 * as the first line in the overridden method.
1484 *
1485 * @param pkg the package name.
1486 * @exception SecurityException if the calling thread does not have
1487 * permission to access the specified package.
1488 * @exception NullPointerException if the package name argument is
1489 * <code>null</code>.
1490 * @see java.lang.ClassLoader#loadClass(java.lang.String, boolean)
1491 * loadClass
1492 * @see java.security.Security#getProperty getProperty
1493 * @see #checkPermission(java.security.Permission) checkPermission
1494 */
1495 public void checkPackageAccess(String pkg) {
1496 if (pkg == null) {
1497 throw new NullPointerException("package name can't be null");
1498 }
1499
1500 String[] pkgs;
1501 synchronized (packageAccessLock) {
1502 /*
1503 * Do we need to update our property array?
1504 */
1505 if (!packageAccessValid) {
1506 String tmpPropertyStr =
1507 AccessController.doPrivileged(
1508 new PrivilegedAction<String>() {
1509 public String run() {
1510 return java.security.Security.getProperty(
1511 "package.access");
1512 }
1513 }
1514 );
1515 packageAccess = getPackages(tmpPropertyStr);
1516 packageAccessValid = true;
1517 }
1518
1519 // Using a snapshot of packageAccess -- don't care if static field
1520 // changes afterwards; array contents won't change.
1521 pkgs = packageAccess;
1522 }
1523
1524 /*
1525 * Traverse the list of packages, check for any matches.
1526 */
1527 for (int i = 0; i < pkgs.length; i++) {
1528 if (pkg.startsWith(pkgs[i]) || pkgs[i].equals(pkg + ".")) {
1529 checkPermission(
1530 new RuntimePermission("accessClassInPackage."+pkg));
1531 break; // No need to continue; only need to check this once
1532 }
1533 }
1534 }
1535
1536 /**
1537 * Throws a <code>SecurityException</code> if the
1538 * calling thread is not allowed to define classes in the package
1539 * specified by the argument.
1540 * <p>
1541 * This method is used by the <code>loadClass</code> method of some
1542 * class loaders.
1543 * <p>
1544 * This method first gets a list of restricted packages by
1545 * obtaining a comma-separated list from a call to
1546 * <code>java.security.Security.getProperty("package.definition")</code>,
1547 * and checks to see if <code>pkg</code> starts with or equals
1548 * any of the restricted packages. If it does, then
1549 * <code>checkPermission</code> gets called with the
1550 * <code>RuntimePermission("defineClassInPackage."+pkg)</code>
1551 * permission.
1552 * <p>
1553 * If this method is overridden, then
1554 * <code>super.checkPackageDefinition</code> should be called
1555 * as the first line in the overridden method.
1556 *
1557 * @param pkg the package name.
1558 * @exception SecurityException if the calling thread does not have
1559 * permission to define classes in the specified package.
1560 * @see java.lang.ClassLoader#loadClass(java.lang.String, boolean)
1561 * @see java.security.Security#getProperty getProperty
1562 * @see #checkPermission(java.security.Permission) checkPermission
1563 */
1564 public void checkPackageDefinition(String pkg) {
1565 if (pkg == null) {
1566 throw new NullPointerException("package name can't be null");
1567 }
1568
1569 String[] pkgs;
1570 synchronized (packageDefinitionLock) {
1571 /*
1572 * Do we need to update our property array?
1573 */
1574 if (!packageDefinitionValid) {
1575 String tmpPropertyStr =
1576 AccessController.doPrivileged(
1577 new PrivilegedAction<String>() {
1578 public String run() {
1579 return java.security.Security.getProperty(
1580 "package.definition");
1581 }
1582 }
1583 );
1584 packageDefinition = getPackages(tmpPropertyStr);
1585 packageDefinitionValid = true;
1586 }
1587 // Using a snapshot of packageDefinition -- don't care if static
1588 // field changes afterwards; array contents won't change.
1589 pkgs = packageDefinition;
1590 }
1591
1592 /*
1593 * Traverse the list of packages, check for any matches.
1594 */
1595 for (int i = 0; i < pkgs.length; i++) {
1596 if (pkg.startsWith(pkgs[i]) || pkgs[i].equals(pkg + ".")) {
1597 checkPermission(
1598 new RuntimePermission("defineClassInPackage."+pkg));
1599 break; // No need to continue; only need to check this once
1600 }
1601 }
1602 }
1603
1604 /**
1605 * Throws a <code>SecurityException</code> if the
1606 * calling thread is not allowed to set the socket factory used by
1607 * <code>ServerSocket</code> or <code>Socket</code>, or the stream
1608 * handler factory used by <code>URL</code>.
1609 * <p>
1610 * This method calls <code>checkPermission</code> with the
1611 * <code>RuntimePermission("setFactory")</code> permission.
1612 * <p>
1613 * If you override this method, then you should make a call to
1614 * <code>super.checkSetFactory</code>
1615 * at the point the overridden method would normally throw an
1616 * exception.
1617 * <p>
1618 *
1619 * @exception SecurityException if the calling thread does not have
1620 * permission to specify a socket factory or a stream
1621 * handler factory.
1622 *
1623 * @see java.net.ServerSocket#setSocketFactory(java.net.SocketImplFactory) setSocketFactory
1624 * @see java.net.Socket#setSocketImplFactory(java.net.SocketImplFactory) setSocketImplFactory
1625 * @see java.net.URL#setURLStreamHandlerFactory(java.net.URLStreamHandlerFactory) setURLStreamHandlerFactory
1626 * @see #checkPermission(java.security.Permission) checkPermission
1627 */
1628 public void checkSetFactory() {
1629 checkPermission(new RuntimePermission("setFactory"));
1630 }
1631
1632 /**
1633 * Throws a <code>SecurityException</code> if the
1634 * calling thread is not allowed to access members.
1635 * <p>
1636 * The default policy is to allow access to PUBLIC members, as well
1637 * as access to classes that have the same class loader as the caller.
1638 * In all other cases, this method calls <code>checkPermission</code>
1639 * with the <code>RuntimePermission("accessDeclaredMembers")
1640 * </code> permission.
1641 * <p>
1642 * If this method is overridden, then a call to
1643 * <code>super.checkMemberAccess</code> cannot be made,
1644 * as the default implementation of <code>checkMemberAccess</code>
1645 * relies on the code being checked being at a stack depth of
1646 * 4.
1647 *
1648 * @param clazz the class that reflection is to be performed on.
1649 *
1650 * @param which type of access, PUBLIC or DECLARED.
1651 *
1652 * @exception SecurityException if the caller does not have
1653 * permission to access members.
1654 * @exception NullPointerException if the <code>clazz</code> argument is
1655 * <code>null</code>.
1656 * @see java.lang.reflect.Member
1657 * @since JDK1.1
1658 * @see #checkPermission(java.security.Permission) checkPermission
1659 */
1660 public void checkMemberAccess(Class<?> clazz, int which) {
1661 if (clazz == null) {
1662 throw new NullPointerException("class can't be null");
1663 }
1664 if (which != Member.PUBLIC) {
1665 Class stack[] = getClassContext();
1666 /*
1667 * stack depth of 4 should be the caller of one of the
1668 * methods in java.lang.Class that invoke checkMember
1669 * access. The stack should look like:
1670 *
1671 * someCaller [3]
1672 * java.lang.Class.someReflectionAPI [2]
1673 * java.lang.Class.checkMemberAccess [1]
1674 * SecurityManager.checkMemberAccess [0]
1675 *
1676 */
1677 if ((stack.length<4) ||
1678 (stack[3].getClassLoader() != clazz.getClassLoader())) {
1679 checkPermission(SecurityConstants.CHECK_MEMBER_ACCESS_PERMISSION);
1680 }
1681 }
1682 }
1683
1684 /**
1685 * Determines whether the permission with the specified permission target
1686 * name should be granted or denied.
1687 *
1688 * <p> If the requested permission is allowed, this method returns
1689 * quietly. If denied, a SecurityException is raised.
1690 *
1691 * <p> This method creates a <code>SecurityPermission</code> object for
1692 * the given permission target name and calls <code>checkPermission</code>
1693 * with it.
1694 *
1695 * <p> See the documentation for
1696 * <code>{@link java.security.SecurityPermission}</code> for
1697 * a list of possible permission target names.
1698 *
1699 * <p> If you override this method, then you should make a call to
1700 * <code>super.checkSecurityAccess</code>
1701 * at the point the overridden method would normally throw an
1702 * exception.
1703 *
1704 * @param target the target name of the <code>SecurityPermission</code>.
1705 *
1706 * @exception SecurityException if the calling thread does not have
1707 * permission for the requested access.
1708 * @exception NullPointerException if <code>target</code> is null.
1709 * @exception IllegalArgumentException if <code>target</code> is empty.
1710 *
1711 * @since JDK1.1
1712 * @see #checkPermission(java.security.Permission) checkPermission
1713 */
1714 public void checkSecurityAccess(String target) {
1715 checkPermission(new SecurityPermission(target));
1716 }
1717
1718 private native Class currentLoadedClass0();
1719
1720 /**
1721 * Returns the thread group into which to instantiate any new
1722 * thread being created at the time this is being called.
1723 * By default, it returns the thread group of the current
1724 * thread. This should be overridden by a specific security
1725 * manager to return the appropriate thread group.
1726 *
1727 * @return ThreadGroup that new threads are instantiated into
1728 * @since JDK1.1
1729 * @see java.lang.ThreadGroup
1730 */
1731 public ThreadGroup getThreadGroup() {
1732 return Thread.currentThread().getThreadGroup();
1733 }
1734
1735 }
Save This Page