private JarFile getCachedJarFile(URL url) {
JarFile result = (JarFile) fileCache.get(url);
/* if the JAR file is cached, the permission will always be there */
if (result != null) {
Permission perm = getPermission(result);
if (perm != null) {
SecurityManager sm = System.getSecurityManager();
if (sm != null) {
try {
sm.checkPermission(perm);
} catch (SecurityException se) {
// fallback to checkRead/checkConnect for pre 1.2
// security managers
if ((perm instanceof java.io.FilePermission)
&& perm.getActions().indexOf("read") != -1) {
sm.checkRead(perm.getName());
} else if ((perm instanceof java.net.SocketPermission)
&& perm.getActions().indexOf("connect") != -1) {
sm.checkConnect(url.getHost(), url.getPort());
} else {
throw se;
}
}
}
}
}
return result;
}
private void exportAcl(Acl acl) {
if (acl != null) {
ArrayList<String> propval = new ArrayList<String>();
for (Enumeration<AclEntry> ee = acl.entries(); ee.hasMoreElements(); ) {
AclEntry ae = ee.nextElement();
StringBuilder sb = new StringBuilder();
sb.append("ALLOW \"");
sb.append(ae.getPrincipal().getName());
sb.append("\" ");
for (Enumeration<Permission> permissions = ae.permissions();
permissions.hasMoreElements(); ) {
Permission perm = permissions.nextElement();
sb.append(perm.getActions());
sb.append(",");
}
propval.add(sb.toString());
}
exportProperty("wiki:acl", propval.toArray(new String[propval.size()]), STRING);
}
}
/*
* Check whether the resource URL should be returned.
* Throw exception on failure.
* Called internally within this file.
*/
static void check(URL url) throws IOException {
SecurityManager security = System.getSecurityManager();
if (security != null) {
URLConnection urlConnection = url.openConnection();
Permission perm = urlConnection.getPermission();
if (perm != null) {
try {
security.checkPermission(perm);
} catch (SecurityException se) {
// fallback to checkRead/checkConnect for pre 1.2
// security managers
if ((perm instanceof java.io.FilePermission) && perm.getActions().indexOf("read") != -1) {
security.checkRead(perm.getName());
} else if ((perm instanceof java.net.SocketPermission)
&& perm.getActions().indexOf("connect") != -1) {
URL locUrl = url;
if (urlConnection instanceof JarURLConnection) {
locUrl = ((JarURLConnection) urlConnection).getJarFileURL();
}
security.checkConnect(locUrl.getHost(), locUrl.getPort());
} else {
throw se;
}
}
}
}
}
/**
* Set the set of permissions required for read-write access to a triple-collection, if the set is
* non-empty the default TCPermisson is no longer required.
*
* @param GraphUri
* @param permissionDescriptions
*/
public void setRequiredReadWritePermissions(IRI GraphUri, Collection<Permission> permissions) {
Collection<String> permissionStrings = new ArrayList<String>();
for (Permission permission : permissions) {
permissionStrings.add(permission.toString());
}
setRequiredReadWritePermissionStrings(GraphUri, permissionStrings);
}
/** readObject is called to restore the state of the BasicPermissionCollection from a stream. */
private void readObject(java.io.ObjectInputStream in) throws IOException, ClassNotFoundException {
// Don't call defaultReadObject()
// Read in serialized fields
ObjectInputStream.GetField gfields = in.readFields();
// Get permissions
Hashtable permissions = (Hashtable) gfields.get("permissions", null);
perms = new HashMap(permissions.size() * 2);
perms.putAll(permissions);
// Get all_allowed
all_allowed = gfields.get("all_allowed", false);
// Get permClass
permClass = (Class) gfields.get("permClass", null);
if (permClass == null) {
// set permClass
Enumeration e = permissions.elements();
if (e.hasMoreElements()) {
Permission p = (Permission) e.nextElement();
permClass = p.getClass();
}
}
}
private boolean isImplied(Permission perm) {
for (Permission p : ALLOWED_PERMISSIONS) {
if (p.implies(perm)) {
return true;
}
}
return false;
}
public boolean implies(Permission permission) {
for (Permission p : perms) {
if (p.implies(permission)) {
return true;
}
}
return false;
}
private void dumpPerms(PermissionCollection perms) {
if (DEBUG) {
Enumeration<Permission> p = perms.elements();
while (p.hasMoreElements()) {
Permission pp = p.nextElement();
System.out.println(" " + pp.getName() + " " + pp.getActions());
}
}
}
/**
* This kludge is specific to get over AccessControlException thrown during Applet.stop() or
* destroy() when static thread is suspended. Set a flag in AppletClassLoader to indicate that an
* AccessControlException for RuntimePermission "modifyThread" or "modifyThreadGroup" had
* occurred.
*/
private void setExceptionStatus(AccessControlException e) {
Permission p = e.getPermission();
if (p instanceof RuntimePermission) {
if (p.getName().startsWith("modifyThread")) {
if (loader == null) loader = getClassLoader(getCodeBase(), getClassLoaderCacheKey());
loader.setExceptionStatus();
}
}
}
public void add(Permission p) {
Class c = p.getClass();
PermissionCollection pc = collections.get(c);
if (pc == null) {
pc = p.newPermissionCollection();
if (pc == null) {
pc = new MyPermissionCollection();
}
collections.put(c, pc);
}
pc.add(p);
}
/**
* Test policy with null codesource.
*
* <p>This can happen when restricting privileges with doPrivileged, even though
* ProtectionDomain's ctor javadocs might make you think that the policy won't be consulted.
*/
public void testNullCodeSource() throws Exception {
assumeTrue("test cannot run with security manager", System.getSecurityManager() == null);
// create a policy with AllPermission
Permission all = new AllPermission();
PermissionCollection allCollection = all.newPermissionCollection();
allCollection.add(all);
ESPolicy policy = new ESPolicy(allCollection);
// restrict ourselves to NoPermission
PermissionCollection noPermissions = new Permissions();
assertFalse(
policy.implies(
new ProtectionDomain(null, noPermissions), new FilePermission("foo", "read")));
}
@Override
public void checkPermission(Permission permission) {
if (permission instanceof java.lang.RuntimePermission) {
// except setSecurityManager
String permissionName = permission.getName();
if ("setSecurityManager".equals(permissionName)) {
processSetSecurityManagerAction();
}
} else if (permission instanceof java.security.UnresolvedPermission) {
throw new SecurityException("java.security.UnresolvedPermission is not allowed.");
} else if (permission instanceof java.awt.AWTPermission) {
throw new SecurityException("java.awt.AWTPermission is not allowed.");
} else if (permission instanceof javax.security.auth.AuthPermission) {
throw new SecurityException("javax.security.auth.AuthPermission is not allowed.");
} else if (permission instanceof javax.security.auth.PrivateCredentialPermission) {
throw new SecurityException(
"javax.security.auth.PrivateCredentialPermission is not allowed.");
} else if (permission instanceof javax.security.auth.kerberos.DelegationPermission) {
throw new SecurityException(
"javax.security.auth.kerberos.DelegationPermission is not allowed.");
} else if (permission instanceof javax.security.auth.kerberos.ServicePermission) {
throw new SecurityException("javax.security.auth.kerberos.ServicePermission is not allowed.");
} else if (permission instanceof javax.sound.sampled.AudioPermission) {
throw new SecurityException("javax.sound.sampled.AudioPermission is not allowed.");
}
}
public boolean implies(Permission permission) {
if (permission.getClass().getSimpleName().equals("URLPermission")) {
return isAllowed(URL_PERMISSION);
} else {
return isAllowed(permission);
}
}
@Override
public boolean implies(Permission permission) {
if (permission == null || this.getClass() != permission.getClass()) {
return false;
}
PrivateCredentialPermission that = (PrivateCredentialPermission) permission;
if (!("*".equals(credentialClass)
|| credentialClass //$NON-NLS-1$
.equals(that.getCredentialClass()))) {
return false;
}
if (that.offset == 0) {
return true;
}
CredOwner[] thisCo = set;
CredOwner[] thatCo = that.set;
int thisPrincipalsSize = offset;
int thatPrincipalsSize = that.offset;
for (int i = 0, j; i < thisPrincipalsSize; i++) {
for (j = 0; j < thatPrincipalsSize; j++) {
if (thisCo[i].implies(thatCo[j])) {
break;
}
}
if (j == thatCo.length) {
return false;
}
}
return true;
}
public void checkPermission(Permission perm) throws SecurityException {
final String name = perm.getName().trim();
if (name.startsWith("exitVM")) {
calledExit = true;
throw new RuntimeException("CALLED EXIT");
}
}
/**
* Check and see if this set of permissions implies the permissions expressed in "permission".
*
* @param p the Permission object to compare
* @return true if "permission" is a proper subset of a permission in the set, false if not.
*/
public boolean implies(Permission permission) {
if (!(permission instanceof BasicPermission)) return false;
BasicPermission bp = (BasicPermission) permission;
// random subclasses of BasicPermission do not imply each other
if (bp.getClass() != permClass) return false;
// short circuit if the "*" Permission was added
if (all_allowed) return true;
// strategy:
// Check for full match first. Then work our way up the
// path looking for matches on a.b..*
String path = bp.getName();
// System.out.println("check "+path);
Permission x = (Permission) perms.get(path);
if (x != null) {
// we have a direct hit!
return x.implies(permission);
}
// work our way up the tree...
int last, offset;
offset = path.length() - 1;
while ((last = path.lastIndexOf(".", offset)) != -1) {
path = path.substring(0, last + 1) + "*";
// System.out.println("check "+path);
x = (Permission) perms.get(path);
if (x != null) {
return x.implies(permission);
}
offset = last - 1;
}
// we don't have to check for "*" as it was already checked
// at the top (all_allowed), so we just return false
return false;
}
private boolean isJvmciPermission(Permission perm) {
String name = perm.getName();
boolean isJvmciRuntime =
perm instanceof RuntimePermission
&& (JVMCI_SERVICES.equals(name) || name.startsWith(JVMCI_RT_PERM_START));
boolean isJvmciProperty =
perm instanceof PropertyPermission && name.startsWith(JVMCI_PROP_START);
return isJvmciRuntime || isJvmciProperty;
}
public void compact() {
if (isReadOnly()) {
throw new SecurityException("ClusterPermissionCollection is read-only!");
}
final Iterator<Permission> iter = perms.iterator();
while (iter.hasNext()) {
final Permission perm = iter.next();
boolean implies = false;
for (Permission p : perms) {
if (p != perm && p.implies(perm)) {
implies = true;
break;
}
}
if (implies) {
iter.remove();
}
}
setReadOnly();
}
@Override
public void handlePermission(Permission permission) {
if (!isRuntimePermissionWhitelisted(permission.getName())) {
throwSecurityException(permission);
if (LOG.isDebugEnabled()) {
LOG.debug(Arrays.toString(Thread.currentThread().getStackTrace()));
}
} else {
return;
}
}
public void add(Permission permission) {
if (isReadOnly()) {
throw new SecurityException("ClusterPermissionCollection is read-only!");
}
boolean shouldAdd =
(permClass != null && permClass.equals(permission.getClass()))
|| (permission instanceof ClusterPermission);
if (shouldAdd && !implies(permission)) {
perms.add(permission);
}
}
@Override
public AuthorizationProperty generateAuthorizationProperty(Object... arguments) {
if ((arguments == null) || (arguments.length != 1) || !(arguments[0] instanceof Permission)) {
return null;
}
Permission permission = (Permission) arguments[0];
String name = permission.getName();
String key = null;
String value = null;
if (name.startsWith(RUNTIME_PERMISSION_GET_ENV)) {
key = "security-manager-environment-variables";
value = name.substring(RUNTIME_PERMISSION_GET_ENV.length() + 1);
// Since we are using a regular expression, we cannot allow a lone *
// as the rule
if (value.equals(StringPool.STAR)) {
value = StringPool.DOUBLE_BACK_SLASH + value;
}
} else {
return null;
}
AuthorizationProperty authorizationProperty = new AuthorizationProperty();
authorizationProperty.setKey(key);
authorizationProperty.setValue(value);
return authorizationProperty;
}
public boolean implies(Permission p) {
String pactions = p.getActions();
boolean implied = true;
for (int n = 0; n < actions.length(); n++) {
char a = actions.charAt(n);
char pa = pactions.charAt(n);
if ((a != '-' && pa != '-' && pa != a)) {
implied = false;
break;
} else if (a == '-' && pa != '-') {
implied = false;
break;
}
}
return implied;
}
public void checkPermission(Permission p) {
// liveconnect SocketPermission resolve takes
// FOREVER (like 6 seconds) in Safari
// Java does like 50 of these on the first JS call
// 6*50=300 seconds!
// Opera freaks out though if we deny resolve
if (isActive
&& !isOpera
&& java.net.SocketPermission.class.isInstance(p)
&& p.getActions().matches(".*resolve.*")) {
throw new SecurityException(
"DOH: liveconnect resolve locks up Safari. Denying resolve request.");
} else {
oldsecurity.checkPermission(p);
}
}
public boolean implies(Permission permission) {
String name = permission.getName();
if (name.equals(NET_PERMISSION_GET_PROXY_SELECTOR)) {
if (!hasGetProxySelector()) {
logSecurityException(_log, "Attempted to get proxy selector");
return false;
}
} else if (name.equals(NET_PERMISSION_SPECIFY_STREAM_HANDLER)) {
// TODO
}
return true;
}
/**
* Checks if the specified permission is "implied" by this object.
*
* <p>More specifically, this method returns true if:
*
* <p>
*
* <ul>
* <li><i>p</i>'s class is the same as this object's class, and
* <p>
* <li><i>p</i>'s name equals or (in the case of wildcards) is implied by this object's name.
* For example, "a.b.*" implies "a.b.c".
* </ul>
*
* @param p the permission to check against.
* @return true if the passed permission is equal to or implied by this permission, false
* otherwise.
*/
public boolean implies(Permission p) {
if ((p == null) || (p.getClass() != getClass())) return false;
BasicPermission that = (BasicPermission) p;
if (this.wildcard) {
if (that.wildcard)
// one wildcard can imply another
return that.path.startsWith(path);
else
// make sure ap.path is longer so a.b.* doesn't imply a.b
return (that.path.length() > this.path.length()) && that.path.startsWith(this.path);
} else {
if (that.wildcard) {
// a non-wildcard can't imply a wildcard
return false;
} else {
return this.path.equals(that.path);
}
}
}
public AgentSecurityManager(boolean debugPerm, PROTOCOL proto) {
this.debugPerm = debugPerm;
if (debugPerm) {
permUsed = Collections.newSetFromMap(new ConcurrentHashMap<String, Boolean>());
permCreated = Collections.newSetFromMap(new ConcurrentHashMap<String, Boolean>());
Runtime.getRuntime()
.addShutdownHook(
new Thread() {
public void run() {
for (String i : new HashSet<String>(permCreated)) {
if (permUsed.contains(i + " =")) {
permCreated.remove(i);
}
}
for (String i : permCreated) {
permUsed.add(i + " +");
}
for (String p : new TreeSet<String>(permUsed)) {
System.out.println(p);
}
}
});
} else {
permUsed = null;
permCreated = null;
}
// Add the java home to readable files
Permission newPerm =
new FilePermission(System.getProperty("java.home") + File.separator + "-", "read");
allowed.add(newPerm);
if (debugPerm) {
permCreated.add(newPerm.toString());
}
Map<String, Set<Permission>> permsSets;
try {
permsSets = getPermsSets();
} catch (SecurityException e) {
throw new RuntimeException(e);
} catch (IllegalArgumentException e) {
throw new RuntimeException(e);
} catch (ClassNotFoundException e) {
throw new RuntimeException(e);
} catch (NoSuchMethodException e) {
throw new RuntimeException(e);
} catch (InstantiationException e) {
throw new RuntimeException(e);
} catch (IllegalAccessException e) {
throw new RuntimeException(e);
} catch (InvocationTargetException e) {
throw new RuntimeException(e);
}
for (Permission i : permsSets.get("common")) {
allowed.add(i);
if (debugPerm) {
permCreated.add(i.toString());
}
}
for (Permission i : permsSets.get("forprobes")) {
allowed.add(i);
if (debugPerm) {
permCreated.add(i.toString());
}
}
for (Permission i : permsSets.get(proto.name())) {
allowed.add(i);
if (debugPerm) {
permCreated.add(i.toString());
}
}
allowed.setReadOnly();
}
public void checkPermission(Permission perm) {
// They can be an undefined number of security.provider.*
// Used by jmxmp
if (perm instanceof java.security.SecurityPermission
&& perm.getName().startsWith("getProperty.security.provider")) {
if (debugPerm) {
permUsed.add(perm.toString() + " =");
}
return;
}
if (perm instanceof java.io.FilePermission && "read".equals(perm.getActions())) {
String name = perm.getName();
if (filesallowed.contains(name)) {
if (debugPerm) {
permUsed.add(perm.toString() + " =");
}
return;
}
// Already allowed, don't check any more
if (allowed.implies(perm)) {
if (debugPerm) {
permUsed.add(perm.toString() + " =");
}
filesallowed.add(name);
return;
}
// Perhaps it's in the allowed /proc/<pid>/... files
if (procinfoPattern.matcher(name).matches() && "read".equals(perm.getActions())) {
if (debugPerm) {
permUsed.add(
"(\"java.io.FilePermission\" \"" + procinfoPattern.pattern() + "\" \"read\") =");
}
return;
}
// Or it's block device
if (diskPattern.matcher(name).matches() && "read".equals(perm.getActions())) {
if (debugPerm) {
permUsed.add("(\"java.io.FilePermission\" \"" + diskPattern.pattern() + "\" \"read\") =");
}
filesallowed.add(name);
return;
}
// Only non hidden folder are allowed, for file system usage
// If it call itself, privileges will be set to true,
// so it can check isDirectory and isHidden
PrivilegHolder privileged = Privilege.get();
if (privileged.privileged) {
return;
} else {
File fullpath = new File(name);
privileged.privileged = true;
boolean allowed = false;
try {
allowed = fullpath.isDirectory() && !fullpath.isHidden();
} catch (Exception e) {
throw new RuntimeException(e);
} finally {
privileged.privileged = false;
}
if (allowed) {
if (debugPerm) {
permUsed.add(perm.toString() + " =");
}
filesallowed.add(name);
return;
}
}
}
if (allowed.implies(perm)) {
if (debugPerm) {
permUsed.add(perm.toString() + " =");
}
return;
}
try {
super.checkPermission(perm);
// Was acceped, but we should add it anyway
// Some accepted permissions make jrdsagent failed anyway
permUsed.add(perm.toString() + " ?");
} catch (SecurityException e) {
if (debugPerm) {
permUsed.add(perm.toString() + " -");
} else {
throw e;
}
}
}
/** @tests javax.security.auth.SubjectDomainCombiner#combine() */
@TestTargetNew(
level = TestLevel.COMPLETE,
notes = "both currentDomains and assignedDomains are not null",
method = "combine",
args = {ProtectionDomain[].class, ProtectionDomain[].class})
public void test_combine_01() {
URL url;
try {
url = new URL(locationUrl);
} catch (MalformedURLException mue) {
throw new Error(mue);
}
CodeSource cs = new CodeSource(url, (java.security.cert.Certificate[]) null);
class MyClassLoader extends ClassLoader {
public MyClassLoader() {
super();
}
}
ClassLoader current_pd_cl = new MyClassLoader();
ClassLoader assigned_pd_cl = new MyClassLoader();
// current domains
ProtectionDomain[] current_pd =
createProtectionDomains(cs, current_pd_cl, currentDomainX500names, currentDomainPerms);
// assigned domains
ProtectionDomain[] assigned_pd =
createProtectionDomains(cs, assigned_pd_cl, assignedDomainX500names, assignedDomainPerms);
// subject
Subject s = createSubject();
// combine
SubjectDomainCombiner c = new SubjectDomainCombiner(s);
ProtectionDomain[] r_pd = c.combine(current_pd, assigned_pd);
if (DEBUG) {
System.out.println("=========== c_pd");
dumpPD(current_pd);
System.out.println("=========== a_pd");
dumpPD(assigned_pd);
System.out.println("=========== r_pd");
dumpPD(r_pd);
System.out.println("===========");
}
for (int i = 0; i < r_pd.length; i++) {
ProtectionDomain pd = r_pd[i];
// check CodeSource
assertTrue("code source mismatch", pd.getCodeSource().equals(cs));
boolean cpd = false;
// check ClassLoader
if (pd.getClassLoader().equals(current_pd_cl)) {
cpd = true;
} else if (pd.getClassLoader().equals(assigned_pd_cl)) {
cpd = false;
} else {
fail("class loader mismatch");
}
// check principals
Principal[] principals = pd.getPrincipals();
String[] names;
if (cpd == true) names = SubjectX500names;
else names = assignedDomainX500names;
for (int j = 0; j < principals.length; j++) {
if (contains(names, principals[j].getName()) == false)
fail("principal mismatch (" + j + ") " + principals[j].getName());
}
// check permissions
PermissionCollection perms = pd.getPermissions();
Enumeration<Permission> p = perms.elements();
while (p.hasMoreElements()) {
Permission pp = p.nextElement();
String pn = pp.getName();
if (cpd == true) {
if (contains(currentDomainPerms, pn) == false)
fail("current domains permissions mismatch " + pn);
} else {
if (contains(assignedDomainPerms, pn) == false)
fail("assigned domains permissions mismatch " + pn);
}
}
}
}
public void testEvaluateCombinativePermissionCollection() throws Throwable {
PermissionUtils.setCachesEnabled(true);
PermissionUtils.createCaches();
Subject subject = new Subject();
JGuardCredential nameA = new JGuardCredential(NAME, USER_A);
JGuardCredential nameB = new JGuardCredential(NAME, USER_B);
JGuardCredential companyA = new JGuardCredential(COMPANY, COMPANY_A);
JGuardCredential companyB = new JGuardCredential(COMPANY, COMPANY_B);
JGuardCredential age = new JGuardCredential(AGE, DUMMY_AGE);
subject.getPublicCredentials().add(nameA);
subject.getPublicCredentials().add(nameB);
subject.getPublicCredentials().add(companyA);
subject.getPublicCredentials().add(companyB);
subject.getPublicCredentials().add(age);
if (logger.isDebugEnabled()) {
logger.debug("---- logging subject ----");
logger.debug(subject.toString());
}
UserPrincipal userPrincipal = new UserPrincipal(subject);
ProtectionDomain protectionDomain =
new ProtectionDomain(null, new Permissions(), null, new Principal[] {userPrincipal});
PermissionCollection pc = new Permissions();
Permission p1 = new FilePermission("file://home", "read");
Permission p2 =
new FilePermission("file://home/user/${subject.publicCredentials.name}", "read");
Permission p3 =
new FilePermission("file://home/user/${subject.publicCredentials.company}", "read");
Permission p4 =
new FilePermission(
"file://home/user/${subject.publicCredentials.name}/"
+ "${subject.publicCredentials.company}/${subject.publicCredentials.age}",
"read");
Permission p5 =
new FilePermission(
"file://home/user/${subject.publicCredentials.company}/${subject.publicCredentials.company}",
"read");
Permission p6 =
new URLPermission(
"index",
"http://www.website.com/index.html?name=${subject.publicCredentials.name}&company=${subject.publicCredentials.company}&age=${subject.publicCredentials.age}");
pc.add(p1);
pc.add(p2);
pc.add(p3);
pc.add(p4);
pc.add(p5);
pc.add(p6);
if (logger.isDebugEnabled()) {
logger.debug("---- logging unresolved permissions ----");
Enumeration unresolvedPermEnum = pc.elements();
while (unresolvedPermEnum.hasMoreElements()) {
logger.debug(unresolvedPermEnum.nextElement().toString());
}
}
PermissionCollection expectedPc = new Permissions();
Permission expectedP1 = new FilePermission("file://home", "read");
Permission expectedP2a = new FilePermission("file://home/user/userA", "read");
Permission expectedP2b = new FilePermission("file://home/user/userB", "read");
Permission expectedP3a = new FilePermission("file://home/user/companyA", "read");
Permission expectedP3b = new FilePermission("file://home/user/companyB", "read");
Permission expectedP4a = new FilePermission("file://home/user/userA/companyA/100", "read");
Permission expectedP4b = new FilePermission("file://home/user/userA/companyB/100", "read");
Permission expectedP4c = new FilePermission("file://home/user/userB/companyA/100", "read");
Permission expectedP4d = new FilePermission("file://home/user/userB/companyB/100", "read");
Permission expectedP5a = new FilePermission("file://home/user/companyA/companyA", "read");
Permission expectedP5b = new FilePermission("file://home/user/companyA/companyB", "read");
Permission expectedP5c = new FilePermission("file://home/user/companyB/companyA", "read");
Permission expectedP5d = new FilePermission("file://home/user/companyB/companyB", "read");
Permission expectedP6a =
new URLPermission(
"index", "http://www.website.com/index.html?name=userA&company=companyA&age=100");
Permission expectedP6b =
new URLPermission(
"index", "http://www.website.com/index.html?name=userA&company=companyB&age=100");
Permission expectedP6c =
new URLPermission(
"index", "http://www.website.com/index.html?name=userB&company=companyA&age=100");
Permission expectedP6d =
new URLPermission(
"index", "http://www.website.com/index.html?name=userB&company=companyB&age=100");
expectedPc.add(expectedP1);
expectedPc.add(expectedP2a);
expectedPc.add(expectedP2b);
expectedPc.add(expectedP3a);
expectedPc.add(expectedP3b);
expectedPc.add(expectedP4a);
expectedPc.add(expectedP4b);
expectedPc.add(expectedP4c);
expectedPc.add(expectedP4d);
expectedPc.add(expectedP5a);
expectedPc.add(expectedP5b);
expectedPc.add(expectedP5c);
expectedPc.add(expectedP5d);
expectedPc.add(expectedP6a);
expectedPc.add(expectedP6b);
expectedPc.add(expectedP6c);
expectedPc.add(expectedP6d);
// getting resolved permissions
PermissionCollection resolvedPc =
PrincipalUtils.evaluatePermissionCollection(protectionDomain, pc);
if (logger.isDebugEnabled()) {
logger.debug("---- logging expected permissions ----");
Enumeration expectedPermEnum = expectedPc.elements();
while (expectedPermEnum.hasMoreElements()) {
logger.debug(expectedPermEnum.nextElement().toString());
}
logger.debug("---- logging resolved permissions ----");
}
int collectionSize = 0;
Enumeration permEnum = resolvedPc.elements();
while (permEnum.hasMoreElements()) {
Permission resolvedPerm = (Permission) permEnum.nextElement();
logger.debug("verify implies for " + resolvedPerm.toString());
System.out.println("verify implies for " + resolvedPerm.toString());
assertTrue(expectedPc.implies(resolvedPerm));
collectionSize++;
}
assertEquals(17, collectionSize);
System.out.println("END EVALUATE COMBINATIVE PERMISSION TEST");
}
public void testEvaluatePermissionCollection() throws Throwable {
PermissionUtils.setCachesEnabled(true);
PermissionUtils.createCaches();
Subject subjectA = new Subject();
JGuardCredential nameA = new JGuardCredential(NAME, USER_A);
JGuardCredential companyA = new JGuardCredential(COMPANY, COMPANY_A);
subjectA.getPublicCredentials().add(nameA);
subjectA.getPublicCredentials().add(companyA);
if (logger.isDebugEnabled()) {
logger.debug("---- logging subject ----");
logger.debug(subjectA.toString());
}
UserPrincipal userPrincipal = new UserPrincipal(subjectA);
ProtectionDomain protectionDomain =
new ProtectionDomain(null, new Permissions(), null, new Principal[] {userPrincipal});
PermissionCollection pc = new Permissions();
Permission p1 = new FilePermission("file://home", "read");
Permission p2 =
new FilePermission("file://home/user/${subject.publicCredentials.name}", "read");
Permission p3 =
new FilePermission("file://home/user/${subject.publicCredentials.company}", "read");
Permission p4 =
new FilePermission(
"file://home/user/${subject.publicCredentials.name}/"
+ "${subject.publicCredentials.company}/${subject.publicCredentials.name}/"
+ "${subject.publicCredentials.name}/${subject.publicCredentials.company}",
"read");
Permission p5 = new FilePermission("file://home/user/${subject.publicCredentials.age}", "read");
Permission p6 =
new URLPermission(
"index", "http://www.website.com/index.html?name=${subject.publicCredentials.name}");
Permission p7 =
new URLPermission(
"index2", "http://www.web�site.com/index.html?name=${subject.publicCredentials.name}");
pc.add(p1);
pc.add(p2);
pc.add(p3);
pc.add(p4);
pc.add(p5);
pc.add(p6);
pc.add(p7);
if (logger.isDebugEnabled()) {
logger.debug("---- logging unresolved permissions ----");
Enumeration unresolvedPermEnum = pc.elements();
while (unresolvedPermEnum.hasMoreElements()) {
logger.debug(unresolvedPermEnum.nextElement().toString());
}
}
PermissionCollection expectedPc = new Permissions();
Permission expectedP1 = new FilePermission("file://home", "read");
Permission expectedP2 = new FilePermission("file://home/user/userA", "read");
Permission expectedP3 = new FilePermission("file://home/user/companyA", "read");
Permission expectedP4 =
new FilePermission("file://home/user/userA/companyA/userA/userA/companyA", "read");
Permission expectedP6 =
new URLPermission("index", "http://www.website.com/index.html?name=userA");
Permission expectedP7 =
new URLPermission("index2", "http://www.web�site.com/index.html?name=userA");
expectedPc.add(expectedP1);
expectedPc.add(expectedP2);
expectedPc.add(expectedP3);
expectedPc.add(expectedP4);
expectedPc.add(expectedP6);
expectedPc.add(expectedP7);
// getting resolved permissions
PermissionCollection resolvedPc =
PrincipalUtils.evaluatePermissionCollection(protectionDomain, pc);
if (logger.isDebugEnabled()) {
logger.debug("---- logging expected permissions ----");
Enumeration expectedPermEnum = expectedPc.elements();
while (expectedPermEnum.hasMoreElements()) {
logger.debug(expectedPermEnum.nextElement().toString());
}
logger.debug("---- logging resolved permissions ----");
}
int collectionSize = 0;
Enumeration permEnum = resolvedPc.elements();
while (permEnum.hasMoreElements()) {
Permission resolvedPerm = (Permission) permEnum.nextElement();
logger.debug("verify implies for " + resolvedPerm.toString());
System.out.println("verify implies for " + resolvedPerm.toString());
assertTrue(expectedPc.implies(resolvedPerm));
collectionSize++;
}
assertEquals(6, collectionSize);
System.out.println("END EVALUATE PERMISSION TEST");
}