Save This Page
Home » openjdk-7 » java » security » [javadoc | source]
    1   /*
    2    * Copyright (c) 1997, 2006, Oracle and/or its affiliates. All rights reserved.
    3    * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
    4    *
    5    * This code is free software; you can redistribute it and/or modify it
    6    * under the terms of the GNU General Public License version 2 only, as
    7    * published by the Free Software Foundation.  Oracle designates this
    8    * particular file as subject to the "Classpath" exception as provided
    9    * by Oracle in the LICENSE file that accompanied this code.
   10    *
   11    * This code is distributed in the hope that it will be useful, but WITHOUT
   12    * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
   13    * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
   14    * version 2 for more details (a copy is included in the LICENSE file that
   15    * accompanied this code).
   16    *
   17    * You should have received a copy of the GNU General Public License version
   18    * 2 along with this work; if not, write to the Free Software Foundation,
   19    * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
   20    *
   21    * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
   22    * or visit www.oracle.com if you need additional information or have any
   23    * questions.
   24    */
   25   
   26   package java.security;
   27   
   28   import java.security;
   29   import java.util.Enumeration;
   30   import java.util.Hashtable;
   31   import java.util.StringTokenizer;
   32   
   33   /**
   34    * This class is for security permissions.
   35    * A SecurityPermission contains a name (also referred to as a "target name")
   36    * but no actions list; you either have the named permission
   37    * or you don't.
   38    * <P>
   39    * The target name is the name of a security configuration parameter (see below).
   40    * Currently the SecurityPermission object is used to guard access
   41    * to the Policy, Security, Provider, Signer, and Identity
   42    * objects.
   43    * <P>
   44    * The following table lists all the possible SecurityPermission target names,
   45    * and for each provides a description of what the permission allows
   46    * and a discussion of the risks of granting code the permission.
   47    * <P>
   48    *
   49    * <table border=1 cellpadding=5 summary="target name,what the permission allows, and associated risks">
   50    * <tr>
   51    * <th>Permission Target Name</th>
   52    * <th>What the Permission Allows</th>
   53    * <th>Risks of Allowing this Permission</th>
   54    * </tr>
   55    *
   56    * <tr>
   57    *   <td>createAccessControlContext</td>
   58    *   <td>Creation of an AccessControlContext</td>
   59    *   <td>This allows someone to instantiate an AccessControlContext
   60    * with a <code>DomainCombiner</code>.  Extreme care must be taken when
   61    * granting this permission. Malicious code could create a DomainCombiner
   62    * that augments the set of permissions granted to code, and even grant the
   63    * code {@link java.security.AllPermission}.</td>
   64    * </tr>
   65    *
   66    * <tr>
   67    *   <td>getDomainCombiner</td>
   68    *   <td>Retrieval of an AccessControlContext's DomainCombiner</td>
   69    *   <td>This allows someone to retrieve an AccessControlContext's
   70    * <code>DomainCombiner</code>.  Since DomainCombiners may contain
   71    * sensitive information, this could potentially lead to a privacy leak.</td>
   72    * </tr>
   73    *
   74    * <tr>
   75    *   <td>getPolicy</td>
   76    *   <td>Retrieval of the system-wide security policy (specifically, of the
   77    * currently-installed Policy object)</td>
   78    *   <td>This allows someone to query the policy via the
   79    * <code>getPermissions</code> call,
   80    * which discloses which permissions would be granted to a given CodeSource.
   81    * While revealing the policy does not compromise the security of
   82    * the system, it does provide malicious code with additional information
   83    * which it may use to better aim an attack. It is wise
   84    * not to divulge more information than necessary.</td>
   85    * </tr>
   86    *
   87    * <tr>
   88    *   <td>setPolicy</td>
   89    *   <td>Setting of the system-wide security policy (specifically,
   90    * the Policy object)</td>
   91    *   <td>Granting this permission is extremely dangerous, as malicious
   92    * code may grant itself all the necessary permissions it needs
   93    * to successfully mount an attack on the system.</td>
   94    * </tr>
   95    *
   96    * <tr>
   97    *   <td>createPolicy.{policy type}</td>
   98    *   <td>Getting an instance of a Policy implementation from a provider</td>
   99    *   <td>Granting this permission enables code to obtain a Policy object.
  100    * Malicious code may query the Policy object to determine what permissions
  101    * have been granted to code other than itself. </td>
  102    * </tr>
  103    *
  104    * <tr>
  105    *   <td>getProperty.{key}</td>
  106    *   <td>Retrieval of the security property with the specified key</td>
  107    *   <td>Depending on the particular key for which access has
  108    * been granted, the code may have access to the list of security
  109    * providers, as well as the location of the system-wide and user
  110    * security policies.  while revealing this information does not
  111    * compromise the security of the system, it does provide malicious
  112    * code with additional information which it may use to better aim
  113    * an attack.
  114   </td>
  115    * </tr>
  116    *
  117    * <tr>
  118    *   <td>setProperty.{key}</td>
  119    *   <td>Setting of the security property with the specified key</td>
  120    *   <td>This could include setting a security provider or defining
  121    * the location of the system-wide security policy.  Malicious
  122    * code that has permission to set a new security provider may
  123    * set a rogue provider that steals confidential information such
  124    * as cryptographic private keys. In addition, malicious code with
  125    * permission to set the location of the system-wide security policy
  126    * may point it to a security policy that grants the attacker
  127    * all the necessary permissions it requires to successfully mount
  128    * an attack on the system.
  129   </td>
  130    * </tr>
  131    *
  132    * <tr>
  133    *   <td>insertProvider.{provider name}</td>
  134    *   <td>Addition of a new provider, with the specified name</td>
  135    *   <td>This would allow somebody to introduce a possibly
  136    * malicious provider (e.g., one that discloses the private keys passed
  137    * to it) as the highest-priority provider. This would be possible
  138    * because the Security object (which manages the installed providers)
  139    * currently does not check the integrity or authenticity of a provider
  140    * before attaching it.</td>
  141    * </tr>
  142    *
  143    * <tr>
  144    *   <td>removeProvider.{provider name}</td>
  145    *   <td>Removal of the specified provider</td>
  146    *   <td>This may change the behavior or disable execution of other
  147    * parts of the program. If a provider subsequently requested by the
  148    * program has been removed, execution may fail. Also, if the removed
  149    * provider is not explicitly requested by the rest of the program, but
  150    * it would normally be the provider chosen when a cryptography service
  151    * is requested (due to its previous order in the list of providers),
  152    * a different provider will be chosen instead, or no suitable provider
  153    * will be found, thereby resulting in program failure.</td>
  154    * </tr>
  155    *
  156    * <tr>
  157    *   <td>clearProviderProperties.{provider name}</td>
  158    *   <td>"Clearing" of a Provider so that it no longer contains the properties
  159    * used to look up services implemented by the provider</td>
  160    *   <td>This disables the lookup of services implemented by the provider.
  161    * This may thus change the behavior or disable execution of other
  162    * parts of the program that would normally utilize the Provider, as
  163    * described under the "removeProvider.{provider name}" permission.</td>
  164    * </tr>
  165    *
  166    * <tr>
  167    *   <td>putProviderProperty.{provider name}</td>
  168    *   <td>Setting of properties for the specified Provider</td>
  169    *   <td>The provider properties each specify the name and location
  170    * of a particular service implemented by the provider. By granting
  171    * this permission, you let code replace the service specification
  172    * with another one, thereby specifying a different implementation.</td>
  173    * </tr>
  174    *
  175    * <tr>
  176    *   <td>removeProviderProperty.{provider name}</td>
  177    *   <td>Removal of properties from the specified Provider</td>
  178    *   <td>This disables the lookup of services implemented by the
  179    * provider. They are no longer accessible due to removal of the properties
  180    * specifying their names and locations. This
  181    * may change the behavior or disable execution of other
  182    * parts of the program that would normally utilize the Provider, as
  183    * described under the "removeProvider.{provider name}" permission.</td>
  184    * </tr>
  185    *
  186    * </table>
  187    *
  188    * <P>
  189    * The following permissions are associated with classes that have been
  190    * deprecated: {@link Identity}, {@link IdentityScope}, {@link Signer}. Use of
  191    * them is discouraged. See the applicable classes for more information.
  192    * <P>
  193    *
  194    * <table border=1 cellpadding=5 summary="target name,what the permission allows, and associated risks">
  195    * <tr>
  196    * <th>Permission Target Name</th>
  197    * <th>What the Permission Allows</th>
  198    * <th>Risks of Allowing this Permission</th>
  199    * </tr>
  200    *
  201    * <tr>
  202    *   <td>setSystemScope</td>
  203    *   <td>Setting of the system identity scope</td>
  204    *   <td>This would allow an attacker to configure the system identity scope with
  205    * certificates that should not be trusted, thereby granting applet or
  206    * application code signed with those certificates privileges that
  207    * would have been denied by the system's original identity scope.</td>
  208    * </tr>
  209    *
  210    * <tr>
  211    *   <td>setIdentityPublicKey</td>
  212    *   <td>Setting of the public key for an Identity</td>
  213    *   <td>If the identity is marked as "trusted", this allows an attacker to
  214    * introduce a different public key (e.g., its own) that is not trusted
  215    * by the system's identity scope, thereby granting applet or
  216    * application code signed with that public key privileges that
  217    * would have been denied otherwise.</td>
  218    * </tr>
  219    *
  220    * <tr>
  221    *   <td>setIdentityInfo</td>
  222    *   <td>Setting of a general information string for an Identity</td>
  223    *   <td>This allows attackers to set the general description for
  224    * an identity.  This may trick applications into using a different
  225    * identity than intended or may prevent applications from finding a
  226    * particular identity.</td>
  227    * </tr>
  228    *
  229    * <tr>
  230    *   <td>addIdentityCertificate</td>
  231    *   <td>Addition of a certificate for an Identity</td>
  232    *   <td>This allows attackers to set a certificate for
  233    * an identity's public key.  This is dangerous because it affects
  234    * the trust relationship across the system. This public key suddenly
  235    * becomes trusted to a wider audience than it otherwise would be.</td>
  236    * </tr>
  237    *
  238    * <tr>
  239    *   <td>removeIdentityCertificate</td>
  240    *   <td>Removal of a certificate for an Identity</td>
  241    *   <td>This allows attackers to remove a certificate for
  242    * an identity's public key. This is dangerous because it affects
  243    * the trust relationship across the system. This public key suddenly
  244    * becomes considered less trustworthy than it otherwise would be.</td>
  245    * </tr>
  246    *
  247    * <tr>
  248    *  <td>printIdentity</td>
  249    *  <td>Viewing the name of a principal
  250    * and optionally the scope in which it is used, and whether
  251    * or not it is considered "trusted" in that scope</td>
  252    *  <td>The scope that is printed out may be a filename, in which case
  253    * it may convey local system information. For example, here's a sample
  254    * printout of an identity named "carol", who is
  255    * marked not trusted in the user's identity database:<br>
  256    *   carol[/home/luehe/identitydb.obj][not trusted]</td>
  257    *</tr>
  258    *
  259    * <tr>
  260    *   <td>getSignerPrivateKey</td>
  261    *   <td>Retrieval of a Signer's private key</td>
  262    *   <td>It is very dangerous to allow access to a private key; private
  263    * keys are supposed to be kept secret. Otherwise, code can use the
  264    * private key to sign various files and claim the signature came from
  265    * the Signer.</td>
  266    * </tr>
  267    *
  268    * <tr>
  269    *   <td>setSignerKeyPair</td>
  270    *   <td>Setting of the key pair (public key and private key) for a Signer</td>
  271    *   <td>This would allow an attacker to replace somebody else's (the "target's")
  272    * keypair with a possibly weaker keypair (e.g., a keypair of a smaller
  273    * keysize).  This also would allow the attacker to listen in on encrypted
  274    * communication between the target and its peers. The target's peers
  275    * might wrap an encryption session key under the target's "new" public
  276    * key, which would allow the attacker (who possesses the corresponding
  277    * private key) to unwrap the session key and decipher the communication
  278    * data encrypted under that session key.</td>
  279    * </tr>
  280    *
  281    * </table>
  282    *
  283    * @see java.security.BasicPermission
  284    * @see java.security.Permission
  285    * @see java.security.Permissions
  286    * @see java.security.PermissionCollection
  287    * @see java.lang.SecurityManager
  288    *
  289    *
  290    * @author Marianne Mueller
  291    * @author Roland Schemers
  292    */
  293   
  294   public final class SecurityPermission extends BasicPermission {
  295   
  296       private static final long serialVersionUID = 5236109936224050470L;
  297   
  298       /**
  299        * Creates a new SecurityPermission with the specified name.
  300        * The name is the symbolic name of the SecurityPermission. An asterisk
  301        * may appear at the end of the name, following a ".", or by itself, to
  302        * signify a wildcard match.
  303        *
  304        * @param name the name of the SecurityPermission
  305        *
  306        * @throws NullPointerException if <code>name</code> is <code>null</code>.
  307        * @throws IllegalArgumentException if <code>name</code> is empty.
  308        */
  309   
  310       public SecurityPermission(String name)
  311       {
  312           super(name);
  313       }
  314   
  315       /**
  316        * Creates a new SecurityPermission object with the specified name.
  317        * The name is the symbolic name of the SecurityPermission, and the
  318        * actions String is currently unused and should be null.
  319        *
  320        * @param name the name of the SecurityPermission
  321        * @param actions should be null.
  322        *
  323        * @throws NullPointerException if <code>name</code> is <code>null</code>.
  324        * @throws IllegalArgumentException if <code>name</code> is empty.
  325        */
  326   
  327       public SecurityPermission(String name, String actions)
  328       {
  329           super(name, actions);
  330       }
  331   }

Save This Page
Home » openjdk-7 » java » security » [javadoc | source]