private boolean isImplied(Permission perm) { for (Permission p : ALLOWED_PERMISSIONS) { if (p.implies(perm)) { return true; } } return false; }
/** * This kludge is specific to get over AccessControlException thrown during Applet.stop() or * destroy() when static thread is suspended. Set a flag in AppletClassLoader to indicate that an * AccessControlException for RuntimePermission "modifyThread" or "modifyThreadGroup" had * occurred. */ private void setExceptionStatus(AccessControlException e) { Permission p = e.getPermission(); if (p instanceof RuntimePermission) { if (p.getName().startsWith("modifyThread")) { if (loader == null) loader = getClassLoader(getCodeBase(), getClassLoaderCacheKey()); loader.setExceptionStatus(); } } }
// Returns every permission on the resource granted to the user. public Set<Permission> authorize(AuthenticatedUser user, IResource resource) { if (user.isSuper()) return Permission.ALL; UntypedResultSet result; try { ResultMessage.Rows rows = authorizeStatement.execute( QueryState.forInternalCalls(), new QueryOptions( ConsistencyLevel.ONE, Lists.newArrayList( ByteBufferUtil.bytes(user.getName()), ByteBufferUtil.bytes(resource.getName())))); result = UntypedResultSet.create(rows.result); } catch (RequestValidationException e) { throw new AssertionError(e); // not supposed to happen } catch (RequestExecutionException e) { logger.warn("CassandraAuthorizer failed to authorize {} for {}", user, resource); return Permission.NONE; } if (result.isEmpty() || !result.one().has(PERMISSIONS)) return Permission.NONE; Set<Permission> permissions = EnumSet.noneOf(Permission.class); for (String perm : result.one().getSet(PERMISSIONS, UTF8Type.instance)) permissions.add(Permission.valueOf(perm)); return permissions; }
// 'of' can be null - in that case everyone's permissions have been requested. Otherwise only // single user's. // If the user requesting 'LIST PERMISSIONS' is not a superuser OR his username doesn't match // 'of', we // throw UnauthorizedException. So only a superuser can view everybody's permissions. Regular // users are only // allowed to see their own permissions. public Set<PermissionDetails> list( AuthenticatedUser performer, Set<Permission> permissions, IResource resource, String of) throws RequestValidationException, RequestExecutionException { if (!performer.isSuper() && !performer.getName().equals(of)) throw new UnauthorizedException( String.format( "You are not authorized to view %s's permissions", of == null ? "everyone" : of)); Set<PermissionDetails> details = new HashSet<PermissionDetails>(); for (UntypedResultSet.Row row : process(buildListQuery(resource, of))) { if (row.has(PERMISSIONS)) { for (String p : row.getSet(PERMISSIONS, UTF8Type.instance)) { Permission permission = Permission.valueOf(p); if (permissions.contains(permission)) details.add( new PermissionDetails( row.getString(USERNAME), DataResource.fromName(row.getString(RESOURCE)), permission)); } } } return details; }
public void checkPermission(Permission p) { // liveconnect SocketPermission resolve takes // FOREVER (like 6 seconds) in Safari // Java does like 50 of these on the first JS call // 6*50=300 seconds! // Opera freaks out though if we deny resolve if (isActive && !isOpera && java.net.SocketPermission.class.isInstance(p) && p.getActions().matches(".*resolve.*")) { throw new SecurityException( "DOH: liveconnect resolve locks up Safari. Denying resolve request."); } else { oldsecurity.checkPermission(p); } }
@Override public String serialize(final Permission permission) { Gson gson = new Gson(); return gson.toJson(permission, permission.getClass()); }
/** * get the context for the AppletClassLoader we are creating. the context is granted permission to * create the class loader, connnect to the codebase, and whatever else the policy grants to all * codebases. */ private AccessControlContext getAccessControlContext(final URL codebase) { PermissionCollection perms = AccessController.doPrivileged( new PrivilegedAction<PermissionCollection>() { @Override public PermissionCollection run() { Policy p = java.security.Policy.getPolicy(); if (p != null) { return p.getPermissions( new CodeSource(null, (java.security.cert.Certificate[]) null)); } else { return null; } } }); if (perms == null) perms = new Permissions(); // XXX: this is needed to be able to create the classloader itself! perms.add(SecurityConstants.CREATE_CLASSLOADER_PERMISSION); Permission p; java.net.URLConnection urlConnection = null; try { urlConnection = codebase.openConnection(); p = urlConnection.getPermission(); } catch (java.io.IOException ioe) { p = null; } if (p != null) perms.add(p); if (p instanceof FilePermission) { String path = p.getName(); int endIndex = path.lastIndexOf(File.separatorChar); if (endIndex != -1) { path = path.substring(0, endIndex + 1); if (path.endsWith(File.separator)) { path += "-"; } perms.add(new FilePermission(path, SecurityConstants.FILE_READ_ACTION)); } } else { URL locUrl = codebase; if (urlConnection instanceof JarURLConnection) { locUrl = ((JarURLConnection) urlConnection).getJarFileURL(); } String host = locUrl.getHost(); if (host != null && (host.length() > 0)) perms.add(new SocketPermission(host, SecurityConstants.SOCKET_CONNECT_ACCEPT_ACTION)); } ProtectionDomain domain = new ProtectionDomain( new CodeSource(codebase, (java.security.cert.Certificate[]) null), perms); AccessControlContext acc = new AccessControlContext(new ProtectionDomain[] {domain}); return acc; }
/** * Check and see if this set of permissions implies the permissions expressed in "permission". * * @param p the Permission object to compare * @return always returns true. */ public boolean implies(Permission permission) { return ((permission instanceof RuntimePermission && permission.equals(exitVMPermission)) ? false : all_allowed); }
public boolean implies(Permission p) { if (p instanceof RuntimePermission && p.equals(exitVMPermission)) { return false; } else return true; }