/**
 * Returns the permissions the policy grants to the given code source, evaluated with no
 * current principals (each grant entry is tested with {@code null} principals).
 * <p>
 * Results are memoised per code source in {@code cache}. A cache miss is resolved while
 * holding the cache monitor, the same monitor {@link #refresh()} takes when it swaps in the
 * new grants, so permissions computed from pre-refresh grants cannot be stored into the
 * post-refresh cache.
 *
 * @param cs the code source to evaluate
 * @return the permissions collected from every grant entry implying {@code cs}
 */
public PermissionCollection getPermissions(CodeSource cs) {
    // Lazy one-time load of the policy. NOTE(review): this is double-checked locking on
    // the 'initialized' field; it is only safe if that field is declared volatile — confirm.
    if (!initialized) {
        synchronized (this) {
            if (!initialized) {
                refresh();
            }
        }
    }
    Collection<Permission> granted = cache.get(cs);
    if (granted != null) {
        return PolicyUtils.toPermissionCollection(granted);
    }
    synchronized (cache) {
        // Re-check: another thread may have filled the entry while we waited for the monitor.
        granted = cache.get(cs);
        if (granted == null) {
            granted = new HashSet<Permission>();
            for (PolicyEntry entry : grants) {
                if (entry.impliesPrincipals(null) && entry.impliesCodeSource(cs)) {
                    granted.addAll(entry.getPermissions());
                }
            }
            cache.put(cs, granted);
        }
    }
    return PolicyUtils.toPermissionCollection(granted);
}
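/**
 * Builds an {@code XmlDocument} holding a policy for storage in the database.
 * <p>
 * The document name is {@code name}, or, when that is null or empty, the {@code PolicyId}
 * reported by {@code m_utils.getDocumentMetadata}. The PolicyId and any of the
 * {@code anySubject}, {@code anyResource}, {@code anyAction} and {@code anyEnvironment}
 * keys present in that metadata are attached to the document as "metadata" values.
 *
 * @param name the name of the document (policy); may be null or empty
 * @param document the policy XML as a String
 * @return the populated XmlDocument
 * @throws XmlException if the XML manager fails to create or populate the document
 * @throws PolicyIndexException if no name was given and no PolicyId could be extracted
 */
private XmlDocument makeDocument(String name, String document)
        throws XmlException, PolicyIndexException {
    // Encode explicitly: the no-arg getBytes() used the JVM's platform default charset, so
    // the metadata extracted from the same policy text could differ between hosts.
    byte[] documentBytes = document.getBytes(java.nio.charset.StandardCharsets.UTF_8);
    Map<String, String> metadata = m_utils.getDocumentMetadata(documentBytes);
    XmlDocument doc = m_dbXmlManager.manager.createDocument();

    String docName = name;
    if (docName == null || docName.isEmpty()) {
        docName = metadata.get("PolicyId");
    }
    if (docName == null || docName.isEmpty()) {
        throw new PolicyIndexException("Could not extract PolicyID from document.");
    }

    doc.setMetaData("metadata", "PolicyId", new XmlValue(XmlValue.STRING, docName));
    doc.setContent(document);
    doc.setName(docName);

    // FIXME: probably redundant now that the XPath queries interrogate the policy directly
    // for the "any" scenarios. Only keys actually present in the metadata are copied.
    for (String key : new String[] {"anySubject", "anyResource", "anyAction", "anyEnvironment"}) {
        String item = metadata.get(key);
        if (item != null) {
            doc.setMetaData("metadata", key, new XmlValue(XmlValue.STRING, item));
        }
    }
    return doc;
}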
/**
 * Reloads the policy from its configured locations.
 * <p>
 * The locations are resolved from the system properties (with "/" mapped to the platform
 * file separator) via {@link PolicyUtils#getPolicyURLs(Properties, String, String)} and
 * parsed in order. A location that fails to parse is skipped: the resulting policy simply
 * contains none of its grants. Only after every location has been processed are the old
 * grants and the cache replaced, under the cache monitor, so that a concurrent
 * {@link #getPermissions(CodeSource)} cannot store permissions derived from the old grants
 * into the cleared cache.
 * <p>
 * Declared {@code synchronized} to prevent concurrent reloads.
 *
 * @see PolicyUtils#getPolicyURLs(Properties, String, String)
 */
public synchronized void refresh() {
    Properties sysProps = new Properties(AccessController.doPrivileged(new PolicyUtils.SystemKit()));
    sysProps.setProperty("/", File.separator); // $NON-NLS-1$
    URL[] locations = PolicyUtils.getPolicyURLs(sysProps, JAVA_SECURITY_POLICY, POLICY_URL_PREFIX);

    Set<PolicyEntry> loaded = new HashSet<PolicyEntry>();
    for (URL location : locations) {
        try {
            // TODO debug-log the location being parsed
            loaded.addAll(parser.parse(location, sysProps));
        } catch (Exception ignored) {
            // Best effort by design: an unreadable or malformed policy file contributes no
            // grants, so the effective permissions only shrink. TODO log a warning naming the
            // location and the reason, otherwise a dropped file is invisible to operators.
        }
    }

    // XXX: what if new policy is empty - provide some default??
    //
    // Simply reassigning 'grants' and 'cache' would avoid locking, but a thread inside
    // getPermissions() could then insert permissions computed from the OLD grants right
    // after this method returns; hence the shared cache monitor here and there.
    synchronized (cache) {
        grants.clear();
        grants.addAll(loaded);
        cache.clear();
    }
    initialized = true;
}
/**
 * Checks whether the device complies with policy. The device information is sent to the
 * server, which performs the actual check.
 *
 * @param context the context forwarded to {@code PolicyUtils.checkPolicy} (presumably an
 *     Android Context used to collect device information — verify against that helper)
 * @return {@code null} when the device passes; otherwise a string describing the policy
 *     that was not met
 * @throws Exception propagated unchanged from {@code PolicyUtils.checkPolicy}
 */
public static String isDeviceComplianced(Context context) throws Exception {
    String failedPolicy = PolicyUtils.checkPolicy(context);
    return failedPolicy;
}
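/**
 * Installs the fault-side policy interceptors and assertions on an outbound fault message.
 * <p>
 * Applies only on the responder side. The effective policy comes either from an explicit
 * {@code PolicyConstants.POLICY_OVERRIDE} contextual property on the message or, failing
 * that, from the policy engine's effective server fault policy for the endpoint, operation
 * and fault. The chosen alternative's interceptors are appended to the message's interceptor
 * chain and its assertions are stored on the message in an {@link AssertionInfoMap}.
 * <p>
 * Returns without effect when the message is on the requestor side; when the exchange,
 * binding operation info, endpoint, bus or policy engine is absent; or when no binding
 * fault info matches and the fault mode is not an application fault.
 *
 * @param msg the outbound fault message
 */
protected void handle(Message msg) {
    if (MessageUtils.isRequestor(msg)) {
        LOG.fine("Is a requestor.");
        return;
    }
    Exchange exchange = msg.getExchange();
    if (null == exchange) {
        // Previously an 'assert'; with assertions disabled that surfaced as an NPE below.
        LOG.fine("No exchange.");
        return;
    }
    BindingOperationInfo boi = exchange.get(BindingOperationInfo.class);
    if (null == boi) {
        LOG.fine("No binding operation info.");
        return;
    }
    Endpoint e = exchange.get(Endpoint.class);
    if (null == e) {
        LOG.fine("No endpoint.");
        return;
    }
    EndpointInfo ei = e.getEndpointInfo();
    Bus bus = exchange.get(Bus.class);
    if (null == bus) {
        // Guarded like the other exchange lookups above; bus.getExtension would otherwise NPE.
        LOG.fine("No bus.");
        return;
    }
    PolicyEngine pe = bus.getExtension(PolicyEngine.class);
    if (null == pe) {
        return;
    }
    Destination destination = exchange.getDestination();
    Exception ex = exchange.get(Exception.class);

    List<Interceptor<? extends Message>> faultInterceptors =
            new ArrayList<Interceptor<? extends Message>>();
    Collection<Assertion> assertions = new ArrayList<Assertion>();

    // 1. An explicit override on the message takes precedence over the engine's policy.
    Policy override = (Policy) msg.getContextualProperty(PolicyConstants.POLICY_OVERRIDE);
    if (override != null) {
        EndpointPolicyImpl endpi = new EndpointPolicyImpl(override);
        EffectivePolicyImpl effectivePolicy = new EffectivePolicyImpl();
        // NOTE: the cast assumes the registered engine is the default implementation;
        // any other PolicyEngine fails here with a ClassCastException, as before.
        effectivePolicy.initialise(endpi, (PolicyEngineImpl) pe, false, true);
        PolicyUtils.logPolicy(
                LOG, Level.FINEST, "Using effective policy: ", effectivePolicy.getPolicy());
        faultInterceptors.addAll(effectivePolicy.getInterceptors());
        assertions.addAll(effectivePolicy.getChosenAlternative());
    } else {
        // 2. Otherwise resolve the effective server fault policy from the engine.
        BindingFaultInfo bfi = getBindingFaultInfo(msg, ex, boi);
        FaultMode mode = msg.get(FaultMode.class);
        if (bfi == null
                && mode != FaultMode.UNCHECKED_APPLICATION_FAULT
                && mode != FaultMode.CHECKED_APPLICATION_FAULT) {
            return;
        }
        EffectivePolicy effectivePolicy =
                pe.getEffectiveServerFaultPolicy(ei, boi, bfi, destination);
        if (effectivePolicy != null) {
            faultInterceptors.addAll(effectivePolicy.getInterceptors());
            assertions.addAll(effectivePolicy.getChosenAlternative());
        }
    }

    for (Interceptor<? extends Message> oi : faultInterceptors) {
        msg.getInterceptorChain().add(oi);
        LOG.log(Level.FINE, "Added interceptor of type {0}", oi.getClass().getSimpleName());
    }
    // 'assertions' is allocated locally and never null; only emptiness decides whether
    // the chosen alternative is attached to the message.
    if (!assertions.isEmpty()) {
        msg.put(AssertionInfoMap.class, new AssertionInfoMap(assertions));
    }
}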