public ScriptingSecurityManager( boolean pWithoutFileRestriction, boolean pWithoutWriteRestriction, boolean pWithoutNetworkRestriction, boolean pWithoutExecRestriction) { permissions = new Permissions(); if (pWithoutExecRestriction && pWithoutFileRestriction && pWithoutWriteRestriction && pWithoutNetworkRestriction) { permissions.add(new AllPermission()); } else { if (pWithoutNetworkRestriction) { permissions.add(new SocketPermission("*", "connect,accept,listen,resolve")); permissions.add(new RuntimePermission("setFactory")); } if (pWithoutExecRestriction) { permissions.add(new FilePermission("<<ALL FILES>>", "execute")); permissions.add(new RuntimePermission("loadLibrary.*")); } if (pWithoutFileRestriction) { permissions.add(new FilePermission("<<ALL FILES>>", "read")); permissions.add(new RuntimePermission("readFileDescriptor")); } if (pWithoutWriteRestriction) { permissions.add(new RuntimePermission("writeFileDescriptor")); permissions.add(new FilePermission("<<ALL FILES>>", "write,delete")); permissions.add(new RuntimePermission("preferences")); } } permissions.setReadOnly(); }
/** * associate a permission collection with this userId * * @param userId if userId is <code>null</code> the method does nothing */ public void setPermissions(String userId, Permissions p) { if (userId == null) { return; } synchronized (m_storeLock) { if (p == null) { p = new Permissions(); p.setReadOnly(); } m_store.put(userId.toLowerCase(), p); } }
private Permissions getPermissions() { final Permissions ps = new Permissions(); ps.add(new AWTPermission("accessEventQueue")); ps.add(new PropertyPermission("user.home", "read")); ps.add(new PropertyPermission("java.vendor", "read")); ps.add(new PropertyPermission("java.version", "read")); ps.add(new PropertyPermission("os.name", "read")); ps.add(new PropertyPermission("os.arch", "read")); ps.add(new PropertyPermission("os.version", "read")); ps.add(new SocketPermission("*", "connect,resolve")); String uDir = System.getProperty("user.home"); if (uDir != null) { uDir += "/"; } else { uDir = "~/"; } final String[] dirs = { "c:/rscache/", "/rscache/", "c:/windows/", "c:/winnt/", "c:/", uDir, "/tmp/", "." }; final String[] rsDirs = {".jagex_cache_32", ".file_store_32"}; for (String dir : dirs) { final File f = new File(dir); ps.add(new FilePermission(dir, "read")); if (!f.exists()) { continue; } dir = f.getPath(); for (final String rsDir : rsDirs) { ps.add(new FilePermission(dir + File.separator + rsDir + File.separator + "-", "read")); ps.add(new FilePermission(dir + File.separator + rsDir + File.separator + "-", "write")); } } Calendar.getInstance(); // TimeZone.getDefault();//Now the default is set they don't need permission // ps.add(new FilePermission()) ps.setReadOnly(); return ps; }
public AgentSecurityManager(boolean debugPerm, PROTOCOL proto) { this.debugPerm = debugPerm; if (debugPerm) { permUsed = Collections.newSetFromMap(new ConcurrentHashMap<String, Boolean>()); permCreated = Collections.newSetFromMap(new ConcurrentHashMap<String, Boolean>()); Runtime.getRuntime() .addShutdownHook( new Thread() { public void run() { for (String i : new HashSet<String>(permCreated)) { if (permUsed.contains(i + " =")) { permCreated.remove(i); } } for (String i : permCreated) { permUsed.add(i + " +"); } for (String p : new TreeSet<String>(permUsed)) { System.out.println(p); } } }); } else { permUsed = null; permCreated = null; } // Add the java home to readable files Permission newPerm = new FilePermission(System.getProperty("java.home") + File.separator + "-", "read"); allowed.add(newPerm); if (debugPerm) { permCreated.add(newPerm.toString()); } Map<String, Set<Permission>> permsSets; try { permsSets = getPermsSets(); } catch (SecurityException e) { throw new RuntimeException(e); } catch (IllegalArgumentException e) { throw new RuntimeException(e); } catch (ClassNotFoundException e) { throw new RuntimeException(e); } catch (NoSuchMethodException e) { throw new RuntimeException(e); } catch (InstantiationException e) { throw new RuntimeException(e); } catch (IllegalAccessException e) { throw new RuntimeException(e); } catch (InvocationTargetException e) { throw new RuntimeException(e); } for (Permission i : permsSets.get("common")) { allowed.add(i); if (debugPerm) { permCreated.add(i.toString()); } } for (Permission i : permsSets.get("forprobes")) { allowed.add(i); if (debugPerm) { permCreated.add(i.toString()); } } for (Permission i : permsSets.get(proto.name())) { allowed.add(i); if (debugPerm) { permCreated.add(i.toString()); } } allowed.setReadOnly(); }
/** * Parse a policy file, incorporating the permission definitions described therein. * * @param url The URL of the policy file to read. * @throws IOException if an I/O error occurs, or if the policy file cannot be parsed. */ private void parse(final URL url) throws IOException { logger.log(Component.POLICY, "reading policy file from {0}", url); final StreamTokenizer in = new StreamTokenizer(new InputStreamReader(url.openStream())); in.resetSyntax(); in.slashSlashComments(true); in.slashStarComments(true); in.wordChars('A', 'Z'); in.wordChars('a', 'z'); in.wordChars('0', '9'); in.wordChars('.', '.'); in.wordChars('_', '_'); in.wordChars('$', '$'); in.whitespaceChars(' ', ' '); in.whitespaceChars('\t', '\t'); in.whitespaceChars('\f', '\f'); in.whitespaceChars('\n', '\n'); in.whitespaceChars('\r', '\r'); in.quoteChar('\''); in.quoteChar('"'); int tok; int state = STATE_BEGIN; List keystores = new LinkedList(); URL currentBase = null; List currentCerts = new LinkedList(); Permissions currentPerms = new Permissions(); while ((tok = in.nextToken()) != StreamTokenizer.TT_EOF) { switch (tok) { case '{': if (state != STATE_GRANT) error(url, in, "spurious '{'"); state = STATE_PERMS; tok = in.nextToken(); break; case '}': if (state != STATE_PERMS) error(url, in, "spurious '}'"); state = STATE_BEGIN; currentPerms.setReadOnly(); Certificate[] c = null; if (!currentCerts.isEmpty()) c = (Certificate[]) currentCerts.toArray(new Certificate[currentCerts.size()]); cs2pc.put(new CodeSource(currentBase, c), currentPerms); currentCerts.clear(); currentPerms = new Permissions(); currentBase = null; tok = in.nextToken(); if (tok != ';') in.pushBack(); continue; } if (tok != StreamTokenizer.TT_WORD) { error(url, in, "expecting word token"); } // keystore "<keystore-path>" [',' "<keystore-type>"] ';' if (in.sval.equalsIgnoreCase("keystore")) { String alg = KeyStore.getDefaultType(); tok = in.nextToken(); if (tok != '"' && tok != '\'') error(url, in, "expecting key store URL"); String store = in.sval; tok = in.nextToken(); if (tok == ',') { tok = in.nextToken(); if (tok != '"' && tok != '\'') error(url, in, "expecting key store type"); alg = in.sval; tok = in.nextToken(); } if (tok != ';') error(url, in, "expecting semicolon"); try { KeyStore keystore = KeyStore.getInstance(alg); keystore.load(new URL(url, store).openStream(), null); keystores.add(keystore); } catch (Exception x) { error(url, in, x.toString()); } } else if (in.sval.equalsIgnoreCase("grant")) { if (state != STATE_BEGIN) error(url, in, "extraneous grant keyword"); state = STATE_GRANT; } else if (in.sval.equalsIgnoreCase("signedBy")) { if (state != STATE_GRANT && state != STATE_PERMS) error(url, in, "spurious 'signedBy'"); if (keystores.isEmpty()) error(url, in, "'signedBy' with no keystores"); tok = in.nextToken(); if (tok != '"' && tok != '\'') error(url, in, "expecting signedBy name"); StringTokenizer st = new StringTokenizer(in.sval, ","); while (st.hasMoreTokens()) { String alias = st.nextToken(); for (Iterator it = keystores.iterator(); it.hasNext(); ) { KeyStore keystore = (KeyStore) it.next(); try { if (keystore.isCertificateEntry(alias)) currentCerts.add(keystore.getCertificate(alias)); } catch (KeyStoreException kse) { error(url, in, kse.toString()); } } } tok = in.nextToken(); if (tok != ',') { if (state != STATE_GRANT) error(url, in, "spurious ','"); in.pushBack(); } } else if (in.sval.equalsIgnoreCase("codeBase")) { if (state != STATE_GRANT) error(url, in, "spurious 'codeBase'"); tok = in.nextToken(); if (tok != '"' && tok != '\'') error(url, in, "expecting code base URL"); String base = expand(in.sval); if (File.separatorChar != '/') base = base.replace(File.separatorChar, '/'); try { currentBase = new URL(base); } catch (MalformedURLException mue) { error(url, in, mue.toString()); } tok = in.nextToken(); if (tok != ',') in.pushBack(); } else if (in.sval.equalsIgnoreCase("principal")) { if (state != STATE_GRANT) error(url, in, "spurious 'principal'"); tok = in.nextToken(); if (tok == StreamTokenizer.TT_WORD) { tok = in.nextToken(); if (tok != '"' && tok != '\'') error(url, in, "expecting principal name"); String name = in.sval; Principal p = null; try { Class pclass = Class.forName(in.sval); Constructor c = pclass.getConstructor(new Class[] {String.class}); p = (Principal) c.newInstance(new Object[] {name}); } catch (Exception x) { error(url, in, x.toString()); } for (Iterator it = keystores.iterator(); it.hasNext(); ) { KeyStore ks = (KeyStore) it.next(); try { for (Enumeration e = ks.aliases(); e.hasMoreElements(); ) { String alias = (String) e.nextElement(); if (ks.isCertificateEntry(alias)) { Certificate cert = ks.getCertificate(alias); if (!(cert instanceof X509Certificate)) continue; if (p.equals(((X509Certificate) cert).getSubjectDN()) || p.equals(((X509Certificate) cert).getSubjectX500Principal())) currentCerts.add(cert); } } } catch (KeyStoreException kse) { error(url, in, kse.toString()); } } } else if (tok == '"' || tok == '\'') { String alias = in.sval; for (Iterator it = keystores.iterator(); it.hasNext(); ) { KeyStore ks = (KeyStore) it.next(); try { if (ks.isCertificateEntry(alias)) currentCerts.add(ks.getCertificate(alias)); } catch (KeyStoreException kse) { error(url, in, kse.toString()); } } } else error(url, in, "expecting principal"); tok = in.nextToken(); if (tok != ',') in.pushBack(); } else if (in.sval.equalsIgnoreCase("permission")) { if (state != STATE_PERMS) error(url, in, "spurious 'permission'"); tok = in.nextToken(); if (tok != StreamTokenizer.TT_WORD) error(url, in, "expecting permission class name"); String className = in.sval; Class clazz = null; try { clazz = Class.forName(className); } catch (ClassNotFoundException cnfe) { } tok = in.nextToken(); if (tok == ';') { if (clazz == null) { currentPerms.add( new UnresolvedPermission( className, null, null, (Certificate[]) currentCerts.toArray(new Certificate[currentCerts.size()]))); continue; } try { currentPerms.add((Permission) clazz.newInstance()); } catch (Exception x) { error(url, in, x.toString()); } continue; } if (tok != '"' && tok != '\'') error(url, in, "expecting permission target"); String target = expand(in.sval); tok = in.nextToken(); if (tok == ';') { if (clazz == null) { currentPerms.add( new UnresolvedPermission( className, target, null, (Certificate[]) currentCerts.toArray(new Certificate[currentCerts.size()]))); continue; } try { Constructor c = clazz.getConstructor(new Class[] {String.class}); currentPerms.add((Permission) c.newInstance(new Object[] {target})); } catch (Exception x) { error(url, in, x.toString()); } continue; } if (tok != ',') error(url, in, "expecting ','"); tok = in.nextToken(); if (tok == StreamTokenizer.TT_WORD) { if (!in.sval.equalsIgnoreCase("signedBy")) error(url, in, "expecting 'signedBy'"); try { Constructor c = clazz.getConstructor(new Class[] {String.class}); currentPerms.add((Permission) c.newInstance(new Object[] {target})); } catch (Exception x) { error(url, in, x.toString()); } in.pushBack(); continue; } if (tok != '"' && tok != '\'') error(url, in, "expecting permission action"); String action = in.sval; if (clazz == null) { currentPerms.add( new UnresolvedPermission( className, target, action, (Certificate[]) currentCerts.toArray(new Certificate[currentCerts.size()]))); continue; } else { try { Constructor c = clazz.getConstructor(new Class[] {String.class, String.class}); currentPerms.add((Permission) c.newInstance(new Object[] {target, action})); } catch (Exception x) { error(url, in, x.toString()); } } tok = in.nextToken(); if (tok != ';' && tok != ',') error(url, in, "expecting ';' or ','"); } } }
public void setReadOnly() { perms.setReadOnly(); }