private static boolean checkPermissions() {
SecurityManager manager = System.getSecurityManager();
if (manager == null) {
return true;
}
manager.checkPermission(ML_PERM);
try {
manager.checkPermission(MODULE_REDEFINE_PERM);
return true;
} catch (SecurityException e) {
return false;
}
}
public ACLProviderEntry[] getACLProviderEntry() {
SecurityManager sm = System.getSecurityManager();
if (sm != null) sm.checkPermission(GET_CONFIG_ENTRY_PERM);
ACLProviderEntry[] entries = new ACLProviderEntry[moduleEntries.size()];
moduleEntries.toArray(entries);
return entries;
}
static UserPrincipal lookup(String name) throws IOException {
SecurityManager sm = System.getSecurityManager();
if (sm != null) {
sm.checkPermission(new RuntimePermission("lookupUserInformation"));
}
// invoke LookupAccountName to get buffer size needed for SID
int size = 0;
try {
size = LookupAccountName(name, 0L, 0);
} catch (WindowsException x) {
if (x.lastError() == ERROR_NONE_MAPPED) throw new UserPrincipalNotFoundException(name);
throw new IOException(name + ": " + x.errorString());
}
assert size > 0;
// allocate buffer and re-invoke LookupAccountName get SID
NativeBuffer sidBuffer = NativeBuffers.getNativeBuffer(size);
try {
int newSize = LookupAccountName(name, sidBuffer.address(), size);
if (newSize != size) {
// can this happen?
throw new AssertionError("SID change during lookup");
}
// return user principal
return fromSid(sidBuffer.address());
} catch (WindowsException x) {
throw new IOException(name + ": " + x.errorString());
} finally {
sidBuffer.release();
}
}
@Override
public boolean hasPermission(Object permission) {
Generation current = (Generation) module.getCurrentRevision().getRevisionInfo();
ProtectionDomain domain = current.getDomain();
if (domain != null) {
if (permission instanceof Permission) {
SecurityManager sm = System.getSecurityManager();
if (sm instanceof EquinoxSecurityManager) {
/*
* If the FrameworkSecurityManager is active, we need to do checks the "right" way.
* We can exploit our knowledge that the security context of FrameworkSecurityManager
* is an AccessControlContext to invoke it properly with the ProtectionDomain.
*/
AccessControlContext acc = new AccessControlContext(new ProtectionDomain[] {domain});
try {
sm.checkPermission((Permission) permission, acc);
return true;
} catch (Exception e) {
return false;
}
}
return domain.implies((Permission) permission);
}
return false;
}
return true;
}
public LinuxInputDevice addDevice(LinuxInputDevice device, String name) {
SecurityManager security = System.getSecurityManager();
if (security != null) {
security.checkPermission(new AllPermission());
}
return addDeviceInternal(device, name);
}
/** @see UserAdminUtil#checkPermission(String, String) */
@Override
public void checkPermission(String name, String action) {
SecurityManager sm = System.getSecurityManager();
if (null != sm) {
sm.checkPermission(new UserAdminPermission(name, action));
}
}
public ConnectionPeerIdentity getConnectionPeerIdentity() throws SecurityException {
final SecurityManager sm = System.getSecurityManager();
if (sm != null) {
sm.checkPermission(RemotingPermission.GET_CONNECTION_PEER_IDENTITY);
}
return getPeerIdentityContext().getConnectionIdentity();
}
public static PACLPolicy getPACLPolicy() {
if (!PACLPolicyManager.isActive()) {
return null;
}
SecurityManager securityManager = System.getSecurityManager();
if (securityManager == null) {
return null;
}
try {
java.security.Permission permission = new PACLUtil.Permission();
securityManager.checkPermission(permission);
} catch (SecurityException se) {
if (!(se instanceof PACLUtil.Exception)) {
throw se;
}
PACLUtil.Exception paclUtilException = (PACLUtil.Exception) se;
return paclUtilException.getPaclPolicy();
}
return null;
}
/**
* Gets the class singleton.
*
* @return single instance of ConnectionSettings
*/
public static ConnectionSettings getInstance() {
SecurityManager sm = System.getSecurityManager();
if (sm != null) {
sm.checkPermission(GenericLocalPermission.EXT_GENERIC);
}
return instance;
}
/**
* Sets (or unsets) the system-wide cookie handler.
*
* <p>Note: non-standard http protocol handlers may ignore this setting.
*
* @param cHandler The HTTP cookie handler, or <code>null</code> to unset.
* @throws SecurityException If a security manager has been installed and it denies {@link
* NetPermission}<tt>("setCookieHandler")</tt>
* @see #getDefault()
*/
public static synchronized void setDefault(CookieHandler cHandler) {
SecurityManager sm = System.getSecurityManager();
if (sm != null) {
sm.checkPermission(SecurityConstants.SET_COOKIEHANDLER_PERMISSION);
}
cookieHandler = cHandler;
}
final void checkWriteExtended() {
SecurityManager sm = System.getSecurityManager();
if (sm != null) {
file.checkWrite();
sm.checkPermission(new RuntimePermission("accessUserInformation"));
}
}
/**
* Gets the system-wide cookie handler.
*
* @return the system-wide cookie handler; A null return means there is no system-wide cookie
* handler currently set.
* @throws SecurityException If a security manager has been installed and it denies {@link
* NetPermission}<tt>("getCookieHandler")</tt>
* @see #setDefault(CookieHandler)
*/
public static synchronized CookieHandler getDefault() {
SecurityManager sm = System.getSecurityManager();
if (sm != null) {
sm.checkPermission(SecurityConstants.GET_COOKIEHANDLER_PERMISSION);
}
return cookieHandler;
}
/**
* Returns a new code store instance.
*
* @param context the current context
* @return The instance, or null if code store could not be created
*/
public static CodeStore newCodeStore(final Context context) {
final Class<CodeStore> baseClass = CodeStore.class;
try {
// security check first
final SecurityManager sm = System.getSecurityManager();
if (sm != null) {
sm.checkPermission(new RuntimePermission(NASHORN_PROVIDE_CODE_STORE));
}
final ServiceLoader<CodeStore> services = ServiceLoader.load(baseClass);
final Iterator<CodeStore> iterator = services.iterator();
if (iterator.hasNext()) {
final CodeStore store = iterator.next();
store
.initLogger(context)
.info("using code store provider ", store.getClass().getCanonicalName());
return store;
}
} catch (final AccessControlException e) {
context.getLogger(CodeStore.class).warning("failed to load code store provider ", e);
}
try {
final CodeStore store = new DirectoryCodeStore(context);
store.initLogger(context);
return store;
} catch (final IOException e) {
context.getLogger(CodeStore.class).warning("failed to create cache directory ", e);
return null;
}
}
private JarFile getCachedJarFile(URL url) {
JarFile result = (JarFile) fileCache.get(url);
/* if the JAR file is cached, the permission will always be there */
if (result != null) {
Permission perm = getPermission(result);
if (perm != null) {
SecurityManager sm = System.getSecurityManager();
if (sm != null) {
try {
sm.checkPermission(perm);
} catch (SecurityException se) {
// fallback to checkRead/checkConnect for pre 1.2
// security managers
if ((perm instanceof java.io.FilePermission)
&& perm.getActions().indexOf("read") != -1) {
sm.checkRead(perm.getName());
} else if ((perm instanceof java.net.SocketPermission)
&& perm.getActions().indexOf("connect") != -1) {
sm.checkConnect(url.getHost(), url.getPort());
} else {
throw se;
}
}
}
}
}
return result;
}
/**
* Check that the current context is trusted to modify the logging
* configuration. This requires LoggingPermission("control").
* <p>
* If the check fails we throw a SecurityException, otherwise
* we return normally.
*
* @exception SecurityException if a security manager exists and if
* the caller does not have LoggingPermission("control").
*/
public void checkAccess() throws SecurityException {
SecurityManager sm = System.getSecurityManager();
if (sm == null) {
return;
}
sm.checkPermission(ourPermission);
}
/**
* @see
* org.picketlink.identity.federation.core.sts.registry.SecurityTokenRegistry#removeToken(java.lang.String)
*/
public void removeToken(String tokenID) throws IOException {
SecurityManager sm = System.getSecurityManager();
if (sm != null) sm.checkPermission(PicketLinkCoreSTS.rte);
holders.remove(tokenID);
flush();
}
/**
* This method initializes a new instance of <code>URL</code> with the specified protocol, host,
* port, and file. Additionally, this method allows the caller to specify a protocol handler to
* use instead of the default. If this handler is specified, the caller must have the
* "specifyStreamHandler" permission (see <code>NetPermission</code>) or a <code>SecurityException
* </code> will be thrown.
*
* @param protocol The protocol for this URL ("http", "ftp", etc)
* @param host The hostname or IP address to connect to
* @param port The port number to use, or -1 to use the protocol's default port
* @param file The "file" portion of the URL.
* @param ph The protocol handler to use with this URL.
* @exception MalformedURLException If no protocol handler can be loaded for the specified
* protocol.
* @exception SecurityException If the <code>SecurityManager</code> exists and does not allow the
* caller to specify its own protocol handler.
* @since 1.2
*/
public URL(String protocol, String host, int port, String file, URLStreamHandler ph)
throws MalformedURLException {
if (protocol == null) throw new MalformedURLException("null protocol");
protocol = protocol.toLowerCase();
this.protocol = protocol;
if (ph != null) {
SecurityManager s = System.getSecurityManager();
if (s != null) s.checkPermission(new NetPermission("specifyStreamHandler"));
this.ph = ph;
} else this.ph = getURLStreamHandler(protocol);
if (this.ph == null) throw new MalformedURLException("Protocol handler not found: " + protocol);
this.host = host;
this.port = port;
this.authority = (host != null) ? host : "";
if (port >= 0 && host != null) this.authority += ":" + port;
int hashAt = file.indexOf('#');
if (hashAt < 0) {
this.file = file;
this.ref = null;
} else {
this.file = file.substring(0, hashAt);
this.ref = file.substring(hashAt + 1);
}
hashCode = hashCode(); // Used for serialization.
}
private static synchronized void setSecurityManager0(final SecurityManager s) {
SecurityManager sm = getSecurityManager();
if (sm != null) {
// ask the currently installed security manager if we
// can replace it.
sm.checkPermission(new RuntimePermission("setSecurityManager"));
}
if ((s != null) && (s.getClass().getClassLoader() != null)) {
// New security manager class is not on bootstrap classpath.
// Cause policy to get initialized before we install the new
// security manager, in order to prevent infinite loops when
// trying to initialize the policy (which usually involves
// accessing some security and/or system properties, which in turn
// calls the installed security manager's checkPermission method
// which will loop infinitely if there is a non-system class
// (in this case: the new security manager class) on the stack).
AccessController.doPrivileged(
new PrivilegedAction<Object>() {
public Object run() {
s.getClass().getProtectionDomain().implies(SecurityConstants.ALL_PERMISSION);
return null;
}
});
}
security = s;
}
private static void permissionCheck() {
SecurityManager sec = System.getSecurityManager();
if (sec != null) {
sec.checkPermission(new RuntimePermission("useKeychainStore"));
}
}
// only package private for testing!
static String parse(final byte content[], final Metadata metadata, final int limit)
throws TikaException, IOException {
// check that its not unprivileged code like a script
SecurityManager sm = System.getSecurityManager();
if (sm != null) {
sm.checkPermission(new SpecialPermission());
}
try {
return AccessController.doPrivileged(
new PrivilegedExceptionAction<String>() {
@Override
public String run() throws TikaException, IOException {
return TIKA_INSTANCE.parseToString(StreamInput.wrap(content), metadata, limit);
}
});
} catch (PrivilegedActionException e) {
// checked exception from tika: unbox it
Throwable cause = e.getCause();
if (cause instanceof TikaException) {
throw (TikaException) cause;
} else if (cause instanceof IOException) {
throw (IOException) cause;
} else {
throw new AssertionError(cause);
}
}
}
public void removeDevice(LinuxInputDevice device) {
SecurityManager security = System.getSecurityManager();
if (security != null) {
security.checkPermission(new AllPermission());
}
devices.remove(device);
}
public ProtectionDomain getProtectionDomain() {
SecurityManager security = System.getSecurityManager();
if (security != null) {
security.checkPermission(new RuntimePermission("getProtectionDomain"));
}
return pd == null ? StaticData.unknownProtectionDomain : pd;
}
public IdentityTrustModuleEntry[] getIdentityTrustModuleEntry() {
SecurityManager sm = System.getSecurityManager();
if (sm != null) sm.checkPermission(GET_CONFIG_ENTRY_PERM);
IdentityTrustModuleEntry[] entries = new IdentityTrustModuleEntry[moduleEntries.size()];
moduleEntries.toArray(entries);
return entries;
}
/** @com.intel.drl.spec_ref */
public void setAccessible(boolean flag) throws SecurityException {
SecurityManager sc = System.getSecurityManager();
if (sc != null) {
sc.checkPermission(ReflectPermissionCollection.SUPPRESS_ACCESS_CHECKS_PERMISSION);
}
setAccessible0(flag);
}
public static GSSCredential getDelegCredential() {
SecurityManager sm = System.getSecurityManager();
if (sm != null) {
sm.checkPermission(GET_DELEGATION_CREDENTIAL);
}
return DelegationSecurityActions.getDelegationCredential();
}
/**
* Removes the specified driver from the {@code DriverManager}'s list of registered drivers.
*
* <p>If a {@code null} value is specified for the driver to be removed, then no action is taken.
*
* <p>If a security manager exists and its {@code checkPermission} denies permission, then a
* {@code SecurityException} will be thrown.
*
* <p>If the specified driver is not found in the list of registered drivers, then no action is
* taken. If the driver was found, it will be removed from the list of registered drivers.
*
* <p>If a {@code DriverAction} instance was specified when the JDBC driver was registered, its
* deregister method will be called prior to the driver being removed from the list of registered
* drivers.
*
* @param driver the JDBC Driver to remove
* @exception SQLException if a database access error occurs
* @throws SecurityException if a security manager exists and its {@code checkPermission} method
* denies permission to deregister a driver.
* @see SecurityManager#checkPermission
*/
@CallerSensitive
public static synchronized void deregisterDriver(Driver driver) throws SQLException {
if (driver == null) {
return;
}
SecurityManager sec = System.getSecurityManager();
if (sec != null) {
sec.checkPermission(DEREGISTER_DRIVER_PERMISSION);
}
println("DriverManager.deregisterDriver: " + driver);
DriverInfo aDriver = new DriverInfo(driver, null);
if (registeredDrivers.contains(aDriver)) {
if (isDriverAllowed(driver, Reflection.getCallerClass())) {
DriverInfo di = registeredDrivers.get(registeredDrivers.indexOf(aDriver));
// If a DriverAction was specified, Call it to notify the
// driver that it has been deregistered
if (di.action() != null) {
di.action().deregister();
}
registeredDrivers.remove(aDriver);
} else {
// If the caller does not have permission to load the driver then
// throw a SecurityException.
throw new SecurityException();
}
} else {
println(" couldn't find driver to unload");
}
}
/** Check for permission to get a service. */
private <A> void checkAdaptPermission(Class<A> adapterType) {
SecurityManager sm = System.getSecurityManager();
if (sm == null) {
return;
}
sm.checkPermission(new AdaptPermission(adapterType.getName(), this, AdaptPermission.ADAPT));
}
private static Void checkPermission() {
SecurityManager sm = System.getSecurityManager();
if (sm != null) {
sm.checkPermission(new RuntimePermission("localeServiceProvider"));
}
return null;
}
/**
* Returns the platform {@link javax.management.MBeanServer MBeanServer}. On the first call to
* this method, it first creates the platform <tt>MBeanServer</tt> by calling the {@link
* javax.management.MBeanServerFactory#createMBeanServer MBeanServerFactory.createMBeanServer}
* method and registers the platform MXBeans in this platform <tt>MBeanServer</tt> using the <a
* href="#MXBeanNames">MXBean names</a> defined in the class description. This method, in
* subsequent calls, will simply return the initially created platform <tt>MBeanServer</tt>.
*
* <p>MXBeans that get created and destroyed dynamically, for example, memory {@link
* MemoryPoolMXBean pools} and {@link MemoryManagerMXBean managers}, will automatically be
* registered and deregistered into the platform <tt>MBeanServer</tt>.
*
* <p>If the system property <tt>javax.management.builder.initial</tt> is set, the platform
* <tt>MBeanServer</tt> creation will be done by the specified {@link
* javax.management.MBeanServerBuilder}.
*
* <p>It is recommended that this platform MBeanServer also be used to register other application
* managed beans besides the platform MXBeans. This will allow all MBeans to be published through
* the same <tt>MBeanServer</tt> and hence allow for easier network publishing and discovery. Name
* conflicts with the platform MXBeans should be avoided.
*
* @return the platform <tt>MBeanServer</tt>; the platform MXBeans are registered into the
* platform <tt>MBeanServer</tt> at the first time this method is called.
* @exception SecurityException if there is a security manager and the caller does not have the
* permission required by {@link javax.management.MBeanServerFactory#createMBeanServer}.
* @see javax.management.MBeanServerFactory
* @see javax.management.MBeanServerFactory#createMBeanServer
*/
public static synchronized MBeanServer getPlatformMBeanServer() {
SecurityManager sm = System.getSecurityManager();
if (sm != null) {
Permission perm = new MBeanServerPermission("createMBeanServer");
sm.checkPermission(perm);
}
if (platformMBeanServer == null) {
platformMBeanServer = MBeanServerFactory.createMBeanServer();
for (PlatformComponent pc : PlatformComponent.values()) {
List<? extends PlatformManagedObject> list = pc.getMXBeans(pc.getMXBeanInterface());
for (PlatformManagedObject o : list) {
// Each PlatformComponent represents one management
// interface. Some MXBean may extend another one.
// The MXBean instances for one platform component
// (returned by pc.getMXBeans()) might be also
// the MXBean instances for another platform component.
// e.g. com.sun.management.GarbageCollectorMXBean
//
// So need to check if an MXBean instance is registered
// before registering into the platform MBeanServer
if (!platformMBeanServer.isRegistered(o.getObjectName())) {
addMXBean(platformMBeanServer, o);
}
}
}
}
return platformMBeanServer;
}
/**
* Checks whether the current security context allows changing
* the configuration of the logging framework. For the security
* context to be trusted, it has to be granted
* a LoggingPermission("control").
*
* @throws SecurityException if a security manager exists and
* the caller is not granted the permission to control
* the logging infrastructure.
*/
public void checkAccess()
throws SecurityException
{
SecurityManager sm = System.getSecurityManager();
if (sm != null)
sm.checkPermission(controlPermission);
}