public ScriptingSecurityManager(
boolean pWithoutFileRestriction,
boolean pWithoutWriteRestriction,
boolean pWithoutNetworkRestriction,
boolean pWithoutExecRestriction) {
permissions = new Permissions();
if (pWithoutExecRestriction
&& pWithoutFileRestriction
&& pWithoutWriteRestriction
&& pWithoutNetworkRestriction) {
permissions.add(new AllPermission());
} else {
if (pWithoutNetworkRestriction) {
permissions.add(new SocketPermission("*", "connect,accept,listen,resolve"));
permissions.add(new RuntimePermission("setFactory"));
}
if (pWithoutExecRestriction) {
permissions.add(new FilePermission("<<ALL FILES>>", "execute"));
permissions.add(new RuntimePermission("loadLibrary.*"));
}
if (pWithoutFileRestriction) {
permissions.add(new FilePermission("<<ALL FILES>>", "read"));
permissions.add(new RuntimePermission("readFileDescriptor"));
}
if (pWithoutWriteRestriction) {
permissions.add(new RuntimePermission("writeFileDescriptor"));
permissions.add(new FilePermission("<<ALL FILES>>", "write,delete"));
permissions.add(new RuntimePermission("preferences"));
}
}
permissions.setReadOnly();
}
/**
* associate a permission collection with this userId
*
* @param userId if userId is <code>null</code> the method does nothing
*/
public void setPermissions(String userId, Permissions p) {
if (userId == null) {
return;
}
synchronized (m_storeLock) {
if (p == null) {
p = new Permissions();
p.setReadOnly();
}
m_store.put(userId.toLowerCase(), p);
}
}
private Permissions getPermissions() {
final Permissions ps = new Permissions();
ps.add(new AWTPermission("accessEventQueue"));
ps.add(new PropertyPermission("user.home", "read"));
ps.add(new PropertyPermission("java.vendor", "read"));
ps.add(new PropertyPermission("java.version", "read"));
ps.add(new PropertyPermission("os.name", "read"));
ps.add(new PropertyPermission("os.arch", "read"));
ps.add(new PropertyPermission("os.version", "read"));
ps.add(new SocketPermission("*", "connect,resolve"));
String uDir = System.getProperty("user.home");
if (uDir != null) {
uDir += "/";
} else {
uDir = "~/";
}
final String[] dirs = {
"c:/rscache/", "/rscache/", "c:/windows/", "c:/winnt/", "c:/", uDir, "/tmp/", "."
};
final String[] rsDirs = {".jagex_cache_32", ".file_store_32"};
for (String dir : dirs) {
final File f = new File(dir);
ps.add(new FilePermission(dir, "read"));
if (!f.exists()) {
continue;
}
dir = f.getPath();
for (final String rsDir : rsDirs) {
ps.add(new FilePermission(dir + File.separator + rsDir + File.separator + "-", "read"));
ps.add(new FilePermission(dir + File.separator + rsDir + File.separator + "-", "write"));
}
}
Calendar.getInstance();
// TimeZone.getDefault();//Now the default is set they don't need permission
// ps.add(new FilePermission())
ps.setReadOnly();
return ps;
}
public AgentSecurityManager(boolean debugPerm, PROTOCOL proto) {
this.debugPerm = debugPerm;
if (debugPerm) {
permUsed = Collections.newSetFromMap(new ConcurrentHashMap<String, Boolean>());
permCreated = Collections.newSetFromMap(new ConcurrentHashMap<String, Boolean>());
Runtime.getRuntime()
.addShutdownHook(
new Thread() {
public void run() {
for (String i : new HashSet<String>(permCreated)) {
if (permUsed.contains(i + " =")) {
permCreated.remove(i);
}
}
for (String i : permCreated) {
permUsed.add(i + " +");
}
for (String p : new TreeSet<String>(permUsed)) {
System.out.println(p);
}
}
});
} else {
permUsed = null;
permCreated = null;
}
// Add the java home to readable files
Permission newPerm =
new FilePermission(System.getProperty("java.home") + File.separator + "-", "read");
allowed.add(newPerm);
if (debugPerm) {
permCreated.add(newPerm.toString());
}
Map<String, Set<Permission>> permsSets;
try {
permsSets = getPermsSets();
} catch (SecurityException e) {
throw new RuntimeException(e);
} catch (IllegalArgumentException e) {
throw new RuntimeException(e);
} catch (ClassNotFoundException e) {
throw new RuntimeException(e);
} catch (NoSuchMethodException e) {
throw new RuntimeException(e);
} catch (InstantiationException e) {
throw new RuntimeException(e);
} catch (IllegalAccessException e) {
throw new RuntimeException(e);
} catch (InvocationTargetException e) {
throw new RuntimeException(e);
}
for (Permission i : permsSets.get("common")) {
allowed.add(i);
if (debugPerm) {
permCreated.add(i.toString());
}
}
for (Permission i : permsSets.get("forprobes")) {
allowed.add(i);
if (debugPerm) {
permCreated.add(i.toString());
}
}
for (Permission i : permsSets.get(proto.name())) {
allowed.add(i);
if (debugPerm) {
permCreated.add(i.toString());
}
}
allowed.setReadOnly();
}
/**
* Parse a policy file, incorporating the permission definitions described therein.
*
* @param url The URL of the policy file to read.
* @throws IOException if an I/O error occurs, or if the policy file cannot be parsed.
*/
private void parse(final URL url) throws IOException {
logger.log(Component.POLICY, "reading policy file from {0}", url);
final StreamTokenizer in = new StreamTokenizer(new InputStreamReader(url.openStream()));
in.resetSyntax();
in.slashSlashComments(true);
in.slashStarComments(true);
in.wordChars('A', 'Z');
in.wordChars('a', 'z');
in.wordChars('0', '9');
in.wordChars('.', '.');
in.wordChars('_', '_');
in.wordChars('$', '$');
in.whitespaceChars(' ', ' ');
in.whitespaceChars('\t', '\t');
in.whitespaceChars('\f', '\f');
in.whitespaceChars('\n', '\n');
in.whitespaceChars('\r', '\r');
in.quoteChar('\'');
in.quoteChar('"');
int tok;
int state = STATE_BEGIN;
List keystores = new LinkedList();
URL currentBase = null;
List currentCerts = new LinkedList();
Permissions currentPerms = new Permissions();
while ((tok = in.nextToken()) != StreamTokenizer.TT_EOF) {
switch (tok) {
case '{':
if (state != STATE_GRANT) error(url, in, "spurious '{'");
state = STATE_PERMS;
tok = in.nextToken();
break;
case '}':
if (state != STATE_PERMS) error(url, in, "spurious '}'");
state = STATE_BEGIN;
currentPerms.setReadOnly();
Certificate[] c = null;
if (!currentCerts.isEmpty())
c = (Certificate[]) currentCerts.toArray(new Certificate[currentCerts.size()]);
cs2pc.put(new CodeSource(currentBase, c), currentPerms);
currentCerts.clear();
currentPerms = new Permissions();
currentBase = null;
tok = in.nextToken();
if (tok != ';') in.pushBack();
continue;
}
if (tok != StreamTokenizer.TT_WORD) {
error(url, in, "expecting word token");
}
// keystore "<keystore-path>" [',' "<keystore-type>"] ';'
if (in.sval.equalsIgnoreCase("keystore")) {
String alg = KeyStore.getDefaultType();
tok = in.nextToken();
if (tok != '"' && tok != '\'') error(url, in, "expecting key store URL");
String store = in.sval;
tok = in.nextToken();
if (tok == ',') {
tok = in.nextToken();
if (tok != '"' && tok != '\'') error(url, in, "expecting key store type");
alg = in.sval;
tok = in.nextToken();
}
if (tok != ';') error(url, in, "expecting semicolon");
try {
KeyStore keystore = KeyStore.getInstance(alg);
keystore.load(new URL(url, store).openStream(), null);
keystores.add(keystore);
} catch (Exception x) {
error(url, in, x.toString());
}
} else if (in.sval.equalsIgnoreCase("grant")) {
if (state != STATE_BEGIN) error(url, in, "extraneous grant keyword");
state = STATE_GRANT;
} else if (in.sval.equalsIgnoreCase("signedBy")) {
if (state != STATE_GRANT && state != STATE_PERMS) error(url, in, "spurious 'signedBy'");
if (keystores.isEmpty()) error(url, in, "'signedBy' with no keystores");
tok = in.nextToken();
if (tok != '"' && tok != '\'') error(url, in, "expecting signedBy name");
StringTokenizer st = new StringTokenizer(in.sval, ",");
while (st.hasMoreTokens()) {
String alias = st.nextToken();
for (Iterator it = keystores.iterator(); it.hasNext(); ) {
KeyStore keystore = (KeyStore) it.next();
try {
if (keystore.isCertificateEntry(alias))
currentCerts.add(keystore.getCertificate(alias));
} catch (KeyStoreException kse) {
error(url, in, kse.toString());
}
}
}
tok = in.nextToken();
if (tok != ',') {
if (state != STATE_GRANT) error(url, in, "spurious ','");
in.pushBack();
}
} else if (in.sval.equalsIgnoreCase("codeBase")) {
if (state != STATE_GRANT) error(url, in, "spurious 'codeBase'");
tok = in.nextToken();
if (tok != '"' && tok != '\'') error(url, in, "expecting code base URL");
String base = expand(in.sval);
if (File.separatorChar != '/') base = base.replace(File.separatorChar, '/');
try {
currentBase = new URL(base);
} catch (MalformedURLException mue) {
error(url, in, mue.toString());
}
tok = in.nextToken();
if (tok != ',') in.pushBack();
} else if (in.sval.equalsIgnoreCase("principal")) {
if (state != STATE_GRANT) error(url, in, "spurious 'principal'");
tok = in.nextToken();
if (tok == StreamTokenizer.TT_WORD) {
tok = in.nextToken();
if (tok != '"' && tok != '\'') error(url, in, "expecting principal name");
String name = in.sval;
Principal p = null;
try {
Class pclass = Class.forName(in.sval);
Constructor c = pclass.getConstructor(new Class[] {String.class});
p = (Principal) c.newInstance(new Object[] {name});
} catch (Exception x) {
error(url, in, x.toString());
}
for (Iterator it = keystores.iterator(); it.hasNext(); ) {
KeyStore ks = (KeyStore) it.next();
try {
for (Enumeration e = ks.aliases(); e.hasMoreElements(); ) {
String alias = (String) e.nextElement();
if (ks.isCertificateEntry(alias)) {
Certificate cert = ks.getCertificate(alias);
if (!(cert instanceof X509Certificate)) continue;
if (p.equals(((X509Certificate) cert).getSubjectDN())
|| p.equals(((X509Certificate) cert).getSubjectX500Principal()))
currentCerts.add(cert);
}
}
} catch (KeyStoreException kse) {
error(url, in, kse.toString());
}
}
} else if (tok == '"' || tok == '\'') {
String alias = in.sval;
for (Iterator it = keystores.iterator(); it.hasNext(); ) {
KeyStore ks = (KeyStore) it.next();
try {
if (ks.isCertificateEntry(alias)) currentCerts.add(ks.getCertificate(alias));
} catch (KeyStoreException kse) {
error(url, in, kse.toString());
}
}
} else error(url, in, "expecting principal");
tok = in.nextToken();
if (tok != ',') in.pushBack();
} else if (in.sval.equalsIgnoreCase("permission")) {
if (state != STATE_PERMS) error(url, in, "spurious 'permission'");
tok = in.nextToken();
if (tok != StreamTokenizer.TT_WORD) error(url, in, "expecting permission class name");
String className = in.sval;
Class clazz = null;
try {
clazz = Class.forName(className);
} catch (ClassNotFoundException cnfe) {
}
tok = in.nextToken();
if (tok == ';') {
if (clazz == null) {
currentPerms.add(
new UnresolvedPermission(
className,
null,
null,
(Certificate[]) currentCerts.toArray(new Certificate[currentCerts.size()])));
continue;
}
try {
currentPerms.add((Permission) clazz.newInstance());
} catch (Exception x) {
error(url, in, x.toString());
}
continue;
}
if (tok != '"' && tok != '\'') error(url, in, "expecting permission target");
String target = expand(in.sval);
tok = in.nextToken();
if (tok == ';') {
if (clazz == null) {
currentPerms.add(
new UnresolvedPermission(
className,
target,
null,
(Certificate[]) currentCerts.toArray(new Certificate[currentCerts.size()])));
continue;
}
try {
Constructor c = clazz.getConstructor(new Class[] {String.class});
currentPerms.add((Permission) c.newInstance(new Object[] {target}));
} catch (Exception x) {
error(url, in, x.toString());
}
continue;
}
if (tok != ',') error(url, in, "expecting ','");
tok = in.nextToken();
if (tok == StreamTokenizer.TT_WORD) {
if (!in.sval.equalsIgnoreCase("signedBy")) error(url, in, "expecting 'signedBy'");
try {
Constructor c = clazz.getConstructor(new Class[] {String.class});
currentPerms.add((Permission) c.newInstance(new Object[] {target}));
} catch (Exception x) {
error(url, in, x.toString());
}
in.pushBack();
continue;
}
if (tok != '"' && tok != '\'') error(url, in, "expecting permission action");
String action = in.sval;
if (clazz == null) {
currentPerms.add(
new UnresolvedPermission(
className,
target,
action,
(Certificate[]) currentCerts.toArray(new Certificate[currentCerts.size()])));
continue;
} else {
try {
Constructor c = clazz.getConstructor(new Class[] {String.class, String.class});
currentPerms.add((Permission) c.newInstance(new Object[] {target, action}));
} catch (Exception x) {
error(url, in, x.toString());
}
}
tok = in.nextToken();
if (tok != ';' && tok != ',') error(url, in, "expecting ';' or ','");
}
}
}
public void setReadOnly() {
perms.setReadOnly();
}