private boolean isImplied(Permission perm) {
   for (Permission p : ALLOWED_PERMISSIONS) {
     if (p.implies(perm)) {
       return true;
     }
   }
   return false;
 }
示例#2
0
 /**
  * This kludge is specific to get over AccessControlException thrown during Applet.stop() or
  * destroy() when static thread is suspended. Set a flag in AppletClassLoader to indicate that an
  * AccessControlException for RuntimePermission "modifyThread" or "modifyThreadGroup" had
  * occurred.
  */
 private void setExceptionStatus(AccessControlException e) {
   Permission p = e.getPermission();
   if (p instanceof RuntimePermission) {
     if (p.getName().startsWith("modifyThread")) {
       if (loader == null) loader = getClassLoader(getCodeBase(), getClassLoaderCacheKey());
       loader.setExceptionStatus();
     }
   }
 }
  // Returns every permission on the resource granted to the user.
  public Set<Permission> authorize(AuthenticatedUser user, IResource resource) {
    if (user.isSuper()) return Permission.ALL;

    UntypedResultSet result;
    try {
      ResultMessage.Rows rows =
          authorizeStatement.execute(
              QueryState.forInternalCalls(),
              new QueryOptions(
                  ConsistencyLevel.ONE,
                  Lists.newArrayList(
                      ByteBufferUtil.bytes(user.getName()),
                      ByteBufferUtil.bytes(resource.getName()))));
      result = UntypedResultSet.create(rows.result);
    } catch (RequestValidationException e) {
      throw new AssertionError(e); // not supposed to happen
    } catch (RequestExecutionException e) {
      logger.warn("CassandraAuthorizer failed to authorize {} for {}", user, resource);
      return Permission.NONE;
    }

    if (result.isEmpty() || !result.one().has(PERMISSIONS)) return Permission.NONE;

    Set<Permission> permissions = EnumSet.noneOf(Permission.class);
    for (String perm : result.one().getSet(PERMISSIONS, UTF8Type.instance))
      permissions.add(Permission.valueOf(perm));
    return permissions;
  }
  // 'of' can be null - in that case everyone's permissions have been requested. Otherwise only
  // single user's.
  // If the user requesting 'LIST PERMISSIONS' is not a superuser OR his username doesn't match
  // 'of', we
  // throw UnauthorizedException. So only a superuser can view everybody's permissions. Regular
  // users are only
  // allowed to see their own permissions.
  public Set<PermissionDetails> list(
      AuthenticatedUser performer, Set<Permission> permissions, IResource resource, String of)
      throws RequestValidationException, RequestExecutionException {
    if (!performer.isSuper() && !performer.getName().equals(of))
      throw new UnauthorizedException(
          String.format(
              "You are not authorized to view %s's permissions", of == null ? "everyone" : of));

    Set<PermissionDetails> details = new HashSet<PermissionDetails>();

    for (UntypedResultSet.Row row : process(buildListQuery(resource, of))) {
      if (row.has(PERMISSIONS)) {
        for (String p : row.getSet(PERMISSIONS, UTF8Type.instance)) {
          Permission permission = Permission.valueOf(p);
          if (permissions.contains(permission))
            details.add(
                new PermissionDetails(
                    row.getString(USERNAME),
                    DataResource.fromName(row.getString(RESOURCE)),
                    permission));
        }
      }
    }

    return details;
  }
 public void checkPermission(Permission p) {
   // liveconnect SocketPermission resolve takes
   // FOREVER (like 6 seconds) in Safari
   // Java does like 50 of these on the first JS call
   // 6*50=300 seconds!
   // Opera freaks out though if we deny resolve
   if (isActive
       && !isOpera
       && java.net.SocketPermission.class.isInstance(p)
       && p.getActions().matches(".*resolve.*")) {
     throw new SecurityException(
         "DOH: liveconnect resolve locks up Safari. Denying resolve request.");
   } else {
     oldsecurity.checkPermission(p);
   }
 }
 @Override
 public String serialize(final Permission permission) {
   Gson gson = new Gson();
   return gson.toJson(permission, permission.getClass());
 }
示例#7
0
  /**
   * get the context for the AppletClassLoader we are creating. the context is granted permission to
   * create the class loader, connnect to the codebase, and whatever else the policy grants to all
   * codebases.
   */
  private AccessControlContext getAccessControlContext(final URL codebase) {

    PermissionCollection perms =
        AccessController.doPrivileged(
            new PrivilegedAction<PermissionCollection>() {
              @Override
              public PermissionCollection run() {
                Policy p = java.security.Policy.getPolicy();
                if (p != null) {
                  return p.getPermissions(
                      new CodeSource(null, (java.security.cert.Certificate[]) null));
                } else {
                  return null;
                }
              }
            });

    if (perms == null) perms = new Permissions();

    // XXX: this is needed to be able to create the classloader itself!

    perms.add(SecurityConstants.CREATE_CLASSLOADER_PERMISSION);

    Permission p;
    java.net.URLConnection urlConnection = null;
    try {
      urlConnection = codebase.openConnection();
      p = urlConnection.getPermission();
    } catch (java.io.IOException ioe) {
      p = null;
    }

    if (p != null) perms.add(p);

    if (p instanceof FilePermission) {

      String path = p.getName();

      int endIndex = path.lastIndexOf(File.separatorChar);

      if (endIndex != -1) {
        path = path.substring(0, endIndex + 1);

        if (path.endsWith(File.separator)) {
          path += "-";
        }
        perms.add(new FilePermission(path, SecurityConstants.FILE_READ_ACTION));
      }
    } else {
      URL locUrl = codebase;
      if (urlConnection instanceof JarURLConnection) {
        locUrl = ((JarURLConnection) urlConnection).getJarFileURL();
      }
      String host = locUrl.getHost();
      if (host != null && (host.length() > 0))
        perms.add(new SocketPermission(host, SecurityConstants.SOCKET_CONNECT_ACCEPT_ACTION));
    }

    ProtectionDomain domain =
        new ProtectionDomain(
            new CodeSource(codebase, (java.security.cert.Certificate[]) null), perms);
    AccessControlContext acc = new AccessControlContext(new ProtectionDomain[] {domain});

    return acc;
  }
示例#8
0
 /**
  * Check and see if this set of permissions implies the permissions expressed in "permission".
  *
  * @param p the Permission object to compare
  * @return always returns true.
  */
 public boolean implies(Permission permission) {
   return ((permission instanceof RuntimePermission && permission.equals(exitVMPermission))
       ? false
       : all_allowed);
 }
示例#9
0
 public boolean implies(Permission p) {
   if (p instanceof RuntimePermission && p.equals(exitVMPermission)) {
     return false;
   } else return true;
 }