1/* 2 * Copyright (c) 1995, 2017, Oracle and/or its affiliates. All rights reserved. 3 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. 4 * 5 * This code is free software; you can redistribute it and/or modify it 6 * under the terms of the GNU General Public License version 2 only, as 7 * published by the Free Software Foundation. Oracle designates this 8 * particular file as subject to the "Classpath" exception as provided 9 * by Oracle in the LICENSE file that accompanied this code. 10 * 11 * This code is distributed in the hope that it will be useful, but WITHOUT 12 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or 13 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License 14 * version 2 for more details (a copy is included in the LICENSE file that 15 * accompanied this code). 16 * 17 * You should have received a copy of the GNU General Public License version 18 * 2 along with this work; if not, write to the Free Software Foundation, 19 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. 20 * 21 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA 22 * or visit www.oracle.com if you need additional information or have any 23 * questions. 24 */ 25 26package java.lang; 27 28import java.lang.module.ModuleDescriptor; 29import java.lang.module.ModuleDescriptor.Exports; 30import java.lang.module.ModuleDescriptor.Opens; 31import java.lang.module.ModuleReference; 32import java.lang.reflect.Member; 33import java.io.FileDescriptor; 34import java.io.File; 35import java.io.FilePermission; 36import java.net.InetAddress; 37import java.net.SocketPermission; 38import java.security.AccessControlContext; 39import java.security.AccessController; 40import java.security.Permission; 41import java.security.PrivilegedAction; 42import java.security.Security; 43import java.security.SecurityPermission; 44import java.util.HashSet; 45import java.util.Map; 46import java.util.Objects; 47import java.util.PropertyPermission; 48import java.util.Set; 49import java.util.concurrent.ConcurrentHashMap; 50import java.util.stream.Collectors; 51 52import jdk.internal.module.ModuleBootstrap; 53import jdk.internal.module.ModuleLoaderMap; 54import jdk.internal.reflect.CallerSensitive; 55import sun.security.util.SecurityConstants; 56 57/** 58 * The security manager is a class that allows 59 * applications to implement a security policy. It allows an 60 * application to determine, before performing a possibly unsafe or 61 * sensitive operation, what the operation is and whether 62 * it is being attempted in a security context that allows the 63 * operation to be performed. The 64 * application can allow or disallow the operation. 65 * <p> 66 * The <code>SecurityManager</code> class contains many methods with 67 * names that begin with the word <code>check</code>. These methods 68 * are called by various methods in the Java libraries before those 69 * methods perform certain potentially sensitive operations. The 70 * invocation of such a <code>check</code> method typically looks like this: 71 * <blockquote><pre> 72 * SecurityManager security = System.getSecurityManager(); 73 * if (security != null) { 74 * security.check<i>XXX</i>(argument, . . . ); 75 * } 76 * </pre></blockquote> 77 * <p> 78 * The security manager is thereby given an opportunity to prevent 79 * completion of the operation by throwing an exception. A security 80 * manager routine simply returns if the operation is permitted, but 81 * throws a <code>SecurityException</code> if the operation is not 82 * permitted. 83 * <p> 84 * The current security manager is set by the 85 * <code>setSecurityManager</code> method in class 86 * <code>System</code>. The current security manager is obtained 87 * by the <code>getSecurityManager</code> method. 88 * <p> 89 * The special method 90 * {@link SecurityManager#checkPermission(java.security.Permission)} 91 * determines whether an access request indicated by a specified 92 * permission should be granted or denied. The 93 * default implementation calls 94 * 95 * <pre> 96 * AccessController.checkPermission(perm); 97 * </pre> 98 * 99 * <p> 100 * If a requested access is allowed, 101 * <code>checkPermission</code> returns quietly. If denied, a 102 * <code>SecurityException</code> is thrown. 103 * <p> 104 * As of Java 2 SDK v1.2, the default implementation of each of the other 105 * <code>check</code> methods in <code>SecurityManager</code> is to 106 * call the <code>SecurityManager checkPermission</code> method 107 * to determine if the calling thread has permission to perform the requested 108 * operation. 109 * <p> 110 * Note that the <code>checkPermission</code> method with 111 * just a single permission argument always performs security checks 112 * within the context of the currently executing thread. 113 * Sometimes a security check that should be made within a given context 114 * will actually need to be done from within a 115 * <i>different</i> context (for example, from within a worker thread). 116 * The {@link SecurityManager#getSecurityContext getSecurityContext} method 117 * and the {@link SecurityManager#checkPermission(java.security.Permission, 118 * java.lang.Object) checkPermission} 119 * method that includes a context argument are provided 120 * for this situation. The 121 * <code>getSecurityContext</code> method returns a "snapshot" 122 * of the current calling context. (The default implementation 123 * returns an AccessControlContext object.) A sample call is 124 * the following: 125 * 126 * <pre> 127 * Object context = null; 128 * SecurityManager sm = System.getSecurityManager(); 129 * if (sm != null) context = sm.getSecurityContext(); 130 * </pre> 131 * 132 * <p> 133 * The <code>checkPermission</code> method 134 * that takes a context object in addition to a permission 135 * makes access decisions based on that context, 136 * rather than on that of the current execution thread. 137 * Code within a different context can thus call that method, 138 * passing the permission and the 139 * previously-saved context object. A sample call, using the 140 * SecurityManager <code>sm</code> obtained as in the previous example, 141 * is the following: 142 * 143 * <pre> 144 * if (sm != null) sm.checkPermission(permission, context); 145 * </pre> 146 * 147 * <p>Permissions fall into these categories: File, Socket, Net, 148 * Security, Runtime, Property, AWT, Reflect, and Serializable. 149 * The classes managing these various 150 * permission categories are <code>java.io.FilePermission</code>, 151 * <code>java.net.SocketPermission</code>, 152 * <code>java.net.NetPermission</code>, 153 * <code>java.security.SecurityPermission</code>, 154 * <code>java.lang.RuntimePermission</code>, 155 * <code>java.util.PropertyPermission</code>, 156 * <code>java.awt.AWTPermission</code>, 157 * <code>java.lang.reflect.ReflectPermission</code>, and 158 * <code>java.io.SerializablePermission</code>. 159 * 160 * <p>All but the first two (FilePermission and SocketPermission) are 161 * subclasses of <code>java.security.BasicPermission</code>, which itself 162 * is an abstract subclass of the 163 * top-level class for permissions, which is 164 * <code>java.security.Permission</code>. BasicPermission defines the 165 * functionality needed for all permissions that contain a name 166 * that follows the hierarchical property naming convention 167 * (for example, "exitVM", "setFactory", "queuePrintJob", etc). 168 * An asterisk 169 * may appear at the end of the name, following a ".", or by itself, to 170 * signify a wildcard match. For example: "a.*" or "*" is valid, 171 * "*a" or "a*b" is not valid. 172 * 173 * <p>FilePermission and SocketPermission are subclasses of the 174 * top-level class for permissions 175 * (<code>java.security.Permission</code>). Classes like these 176 * that have a more complicated name syntax than that used by 177 * BasicPermission subclass directly from Permission rather than from 178 * BasicPermission. For example, 179 * for a <code>java.io.FilePermission</code> object, the permission name is 180 * the path name of a file (or directory). 181 * 182 * <p>Some of the permission classes have an "actions" list that tells 183 * the actions that are permitted for the object. For example, 184 * for a <code>java.io.FilePermission</code> object, the actions list 185 * (such as "read, write") specifies which actions are granted for the 186 * specified file (or for files in the specified directory). 187 * 188 * <p>Other permission classes are for "named" permissions - 189 * ones that contain a name but no actions list; you either have the 190 * named permission or you don't. 191 * 192 * <p>Note: There is also a <code>java.security.AllPermission</code> 193 * permission that implies all permissions. It exists to simplify the work 194 * of system administrators who might need to perform multiple 195 * tasks that require all (or numerous) permissions. 196 * <p> 197 * See {@extLink security_guide_permissions 198 * Permissions in the Java Development Kit (JDK)} 199 * for permission-related information. 200 * This document includes, for example, a table listing the various SecurityManager 201 * <code>check</code> methods and the permission(s) the default 202 * implementation of each such method requires. 203 * It also contains a table of all the version 1.2 methods 204 * that require permissions, and for each such method tells 205 * which permission it requires. 206 * 207 * @author Arthur van Hoff 208 * @author Roland Schemers 209 * 210 * @see java.lang.ClassLoader 211 * @see java.lang.SecurityException 212 * @see java.lang.System#getSecurityManager() getSecurityManager 213 * @see java.lang.System#setSecurityManager(java.lang.SecurityManager) 214 * setSecurityManager 215 * @see java.security.AccessController AccessController 216 * @see java.security.AccessControlContext AccessControlContext 217 * @see java.security.AccessControlException AccessControlException 218 * @see java.security.Permission 219 * @see java.security.BasicPermission 220 * @see java.io.FilePermission 221 * @see java.net.SocketPermission 222 * @see java.util.PropertyPermission 223 * @see java.lang.RuntimePermission 224 * @see java.awt.AWTPermission 225 * @see java.security.Policy Policy 226 * @see java.security.SecurityPermission SecurityPermission 227 * @see java.security.ProtectionDomain 228 * 229 * @since 1.0 230 */ 231public 232class SecurityManager { 233 234 /** 235 * This field is <code>true</code> if there is a security check in 236 * progress; <code>false</code> otherwise. 237 * 238 * @deprecated This type of security checking is not recommended. 239 * It is recommended that the <code>checkPermission</code> 240 * call be used instead. This field is subject to removal in a 241 * future version of Java SE. 242 */ 243 @Deprecated(since="1.2", forRemoval=true) 244 protected boolean inCheck; 245 246 /* 247 * Have we been initialized. Effective against finalizer attacks. 248 */ 249 private boolean initialized = false; 250 251 252 /** 253 * returns true if the current context has been granted AllPermission 254 */ 255 private boolean hasAllPermission() { 256 try { 257 checkPermission(SecurityConstants.ALL_PERMISSION); 258 return true; 259 } catch (SecurityException se) { 260 return false; 261 } 262 } 263 264 /** 265 * Tests if there is a security check in progress. 266 * 267 * @return the value of the <code>inCheck</code> field. This field 268 * should contain <code>true</code> if a security check is 269 * in progress, 270 * <code>false</code> otherwise. 271 * @see java.lang.SecurityManager#inCheck 272 * @deprecated This type of security checking is not recommended. 273 * It is recommended that the <code>checkPermission</code> 274 * call be used instead. This method is subject to removal in a 275 * future version of Java SE. 276 */ 277 @Deprecated(since="1.2", forRemoval=true) 278 public boolean getInCheck() { 279 return inCheck; 280 } 281 282 /** 283 * Constructs a new <code>SecurityManager</code>. 284 * 285 * <p> If there is a security manager already installed, this method first 286 * calls the security manager's <code>checkPermission</code> method 287 * with the <code>RuntimePermission("createSecurityManager")</code> 288 * permission to ensure the calling thread has permission to create a new 289 * security manager. 290 * This may result in throwing a <code>SecurityException</code>. 291 * 292 * @exception java.lang.SecurityException if a security manager already 293 * exists and its <code>checkPermission</code> method 294 * doesn't allow creation of a new security manager. 295 * @see java.lang.System#getSecurityManager() 296 * @see #checkPermission(java.security.Permission) checkPermission 297 * @see java.lang.RuntimePermission 298 */ 299 public SecurityManager() { 300 synchronized(SecurityManager.class) { 301 SecurityManager sm = System.getSecurityManager(); 302 if (sm != null) { 303 // ask the currently installed security manager if we 304 // can create a new one. 305 sm.checkPermission(new RuntimePermission 306 ("createSecurityManager")); 307 } 308 initialized = true; 309 } 310 } 311 312 /** 313 * Returns the current execution stack as an array of classes. 314 * <p> 315 * The length of the array is the number of methods on the execution 316 * stack. The element at index <code>0</code> is the class of the 317 * currently executing method, the element at index <code>1</code> is 318 * the class of that method's caller, and so on. 319 * 320 * @return the execution stack. 321 */ 322 protected native Class<?>[] getClassContext(); 323 324 /** 325 * Returns the class loader of the most recently executing method from 326 * a class defined using a non-system class loader. A non-system 327 * class loader is defined as being a class loader that is not equal to 328 * the system class loader (as returned 329 * by {@link ClassLoader#getSystemClassLoader}) or one of its ancestors. 330 * <p> 331 * This method will return 332 * <code>null</code> in the following three cases: 333 * <ol> 334 * <li>All methods on the execution stack are from classes 335 * defined using the system class loader or one of its ancestors. 336 * 337 * <li>All methods on the execution stack up to the first 338 * "privileged" caller 339 * (see {@link java.security.AccessController#doPrivileged}) 340 * are from classes 341 * defined using the system class loader or one of its ancestors. 342 * 343 * <li> A call to <code>checkPermission</code> with 344 * <code>java.security.AllPermission</code> does not 345 * result in a SecurityException. 346 * 347 * </ol> 348 * 349 * @return the class loader of the most recent occurrence on the stack 350 * of a method from a class defined using a non-system class 351 * loader. 352 * 353 * @deprecated This type of security checking is not recommended. 354 * It is recommended that the <code>checkPermission</code> 355 * call be used instead. This method is subject to removal in a 356 * future version of Java SE. 357 * 358 * @see java.lang.ClassLoader#getSystemClassLoader() getSystemClassLoader 359 * @see #checkPermission(java.security.Permission) checkPermission 360 */ 361 @Deprecated(since="1.2", forRemoval=true) 362 protected ClassLoader currentClassLoader() { 363 ClassLoader cl = currentClassLoader0(); 364 if ((cl != null) && hasAllPermission()) 365 cl = null; 366 return cl; 367 } 368 369 private native ClassLoader currentClassLoader0(); 370 371 /** 372 * Returns the class of the most recently executing method from 373 * a class defined using a non-system class loader. A non-system 374 * class loader is defined as being a class loader that is not equal to 375 * the system class loader (as returned 376 * by {@link ClassLoader#getSystemClassLoader}) or one of its ancestors. 377 * <p> 378 * This method will return 379 * <code>null</code> in the following three cases: 380 * <ol> 381 * <li>All methods on the execution stack are from classes 382 * defined using the system class loader or one of its ancestors. 383 * 384 * <li>All methods on the execution stack up to the first 385 * "privileged" caller 386 * (see {@link java.security.AccessController#doPrivileged}) 387 * are from classes 388 * defined using the system class loader or one of its ancestors. 389 * 390 * <li> A call to <code>checkPermission</code> with 391 * <code>java.security.AllPermission</code> does not 392 * result in a SecurityException. 393 * 394 * </ol> 395 * 396 * @return the class of the most recent occurrence on the stack 397 * of a method from a class defined using a non-system class 398 * loader. 399 * 400 * @deprecated This type of security checking is not recommended. 401 * It is recommended that the <code>checkPermission</code> 402 * call be used instead. This method is subject to removal in a 403 * future version of Java SE. 404 * 405 * @see java.lang.ClassLoader#getSystemClassLoader() getSystemClassLoader 406 * @see #checkPermission(java.security.Permission) checkPermission 407 */ 408 @Deprecated(since="1.2", forRemoval=true) 409 protected Class<?> currentLoadedClass() { 410 Class<?> c = currentLoadedClass0(); 411 if ((c != null) && hasAllPermission()) 412 c = null; 413 return c; 414 } 415 416 /** 417 * Returns the stack depth of the specified class. 418 * 419 * @param name the fully qualified name of the class to search for. 420 * @return the depth on the stack frame of the first occurrence of a 421 * method from a class with the specified name; 422 * <code>-1</code> if such a frame cannot be found. 423 * @deprecated This type of security checking is not recommended. 424 * It is recommended that the <code>checkPermission</code> 425 * call be used instead. This method is subject to removal in a 426 * future version of Java SE. 427 */ 428 @Deprecated(since="1.2", forRemoval=true) 429 protected native int classDepth(String name); 430 431 /** 432 * Returns the stack depth of the most recently executing method 433 * from a class defined using a non-system class loader. A non-system 434 * class loader is defined as being a class loader that is not equal to 435 * the system class loader (as returned 436 * by {@link ClassLoader#getSystemClassLoader}) or one of its ancestors. 437 * <p> 438 * This method will return 439 * -1 in the following three cases: 440 * <ol> 441 * <li>All methods on the execution stack are from classes 442 * defined using the system class loader or one of its ancestors. 443 * 444 * <li>All methods on the execution stack up to the first 445 * "privileged" caller 446 * (see {@link java.security.AccessController#doPrivileged}) 447 * are from classes 448 * defined using the system class loader or one of its ancestors. 449 * 450 * <li> A call to <code>checkPermission</code> with 451 * <code>java.security.AllPermission</code> does not 452 * result in a SecurityException. 453 * 454 * </ol> 455 * 456 * @return the depth on the stack frame of the most recent occurrence of 457 * a method from a class defined using a non-system class loader. 458 * 459 * @deprecated This type of security checking is not recommended. 460 * It is recommended that the <code>checkPermission</code> 461 * call be used instead. This method is subject to removal in a 462 * future version of Java SE. 463 * 464 * @see java.lang.ClassLoader#getSystemClassLoader() getSystemClassLoader 465 * @see #checkPermission(java.security.Permission) checkPermission 466 */ 467 @Deprecated(since="1.2", forRemoval=true) 468 protected int classLoaderDepth() { 469 int depth = classLoaderDepth0(); 470 if (depth != -1) { 471 if (hasAllPermission()) 472 depth = -1; 473 else 474 depth--; // make sure we don't include ourself 475 } 476 return depth; 477 } 478 479 private native int classLoaderDepth0(); 480 481 /** 482 * Tests if a method from a class with the specified 483 * name is on the execution stack. 484 * 485 * @param name the fully qualified name of the class. 486 * @return <code>true</code> if a method from a class with the specified 487 * name is on the execution stack; <code>false</code> otherwise. 488 * @deprecated This type of security checking is not recommended. 489 * It is recommended that the <code>checkPermission</code> 490 * call be used instead. This method is subject to removal in a 491 * future version of Java SE. 492 */ 493 @Deprecated(since="1.2", forRemoval=true) 494 protected boolean inClass(String name) { 495 return classDepth(name) >= 0; 496 } 497 498 /** 499 * Basically, tests if a method from a class defined using a 500 * class loader is on the execution stack. 501 * 502 * @return <code>true</code> if a call to <code>currentClassLoader</code> 503 * has a non-null return value. 504 * 505 * @deprecated This type of security checking is not recommended. 506 * It is recommended that the <code>checkPermission</code> 507 * call be used instead. This method is subject to removal in a 508 * future version of Java SE. 509 * @see #currentClassLoader() currentClassLoader 510 */ 511 @Deprecated(since="1.2", forRemoval=true) 512 protected boolean inClassLoader() { 513 return currentClassLoader() != null; 514 } 515 516 /** 517 * Creates an object that encapsulates the current execution 518 * environment. The result of this method is used, for example, by the 519 * three-argument <code>checkConnect</code> method and by the 520 * two-argument <code>checkRead</code> method. 521 * These methods are needed because a trusted method may be called 522 * on to read a file or open a socket on behalf of another method. 523 * The trusted method needs to determine if the other (possibly 524 * untrusted) method would be allowed to perform the operation on its 525 * own. 526 * <p> The default implementation of this method is to return 527 * an <code>AccessControlContext</code> object. 528 * 529 * @return an implementation-dependent object that encapsulates 530 * sufficient information about the current execution environment 531 * to perform some security checks later. 532 * @see java.lang.SecurityManager#checkConnect(java.lang.String, int, 533 * java.lang.Object) checkConnect 534 * @see java.lang.SecurityManager#checkRead(java.lang.String, 535 * java.lang.Object) checkRead 536 * @see java.security.AccessControlContext AccessControlContext 537 */ 538 public Object getSecurityContext() { 539 return AccessController.getContext(); 540 } 541 542 /** 543 * Throws a <code>SecurityException</code> if the requested 544 * access, specified by the given permission, is not permitted based 545 * on the security policy currently in effect. 546 * <p> 547 * This method calls <code>AccessController.checkPermission</code> 548 * with the given permission. 549 * 550 * @param perm the requested permission. 551 * @exception SecurityException if access is not permitted based on 552 * the current security policy. 553 * @exception NullPointerException if the permission argument is 554 * <code>null</code>. 555 * @since 1.2 556 */ 557 public void checkPermission(Permission perm) { 558 java.security.AccessController.checkPermission(perm); 559 } 560 561 /** 562 * Throws a <code>SecurityException</code> if the 563 * specified security context is denied access to the resource 564 * specified by the given permission. 565 * The context must be a security 566 * context returned by a previous call to 567 * <code>getSecurityContext</code> and the access control 568 * decision is based upon the configured security policy for 569 * that security context. 570 * <p> 571 * If <code>context</code> is an instance of 572 * <code>AccessControlContext</code> then the 573 * <code>AccessControlContext.checkPermission</code> method is 574 * invoked with the specified permission. 575 * <p> 576 * If <code>context</code> is not an instance of 577 * <code>AccessControlContext</code> then a 578 * <code>SecurityException</code> is thrown. 579 * 580 * @param perm the specified permission 581 * @param context a system-dependent security context. 582 * @exception SecurityException if the specified security context 583 * is not an instance of <code>AccessControlContext</code> 584 * (e.g., is <code>null</code>), or is denied access to the 585 * resource specified by the given permission. 586 * @exception NullPointerException if the permission argument is 587 * <code>null</code>. 588 * @see java.lang.SecurityManager#getSecurityContext() 589 * @see java.security.AccessControlContext#checkPermission(java.security.Permission) 590 * @since 1.2 591 */ 592 public void checkPermission(Permission perm, Object context) { 593 if (context instanceof AccessControlContext) { 594 ((AccessControlContext)context).checkPermission(perm); 595 } else { 596 throw new SecurityException(); 597 } 598 } 599 600 /** 601 * Throws a <code>SecurityException</code> if the 602 * calling thread is not allowed to create a new class loader. 603 * <p> 604 * This method calls <code>checkPermission</code> with the 605 * <code>RuntimePermission("createClassLoader")</code> 606 * permission. 607 * <p> 608 * If you override this method, then you should make a call to 609 * <code>super.checkCreateClassLoader</code> 610 * at the point the overridden method would normally throw an 611 * exception. 612 * 613 * @exception SecurityException if the calling thread does not 614 * have permission 615 * to create a new class loader. 616 * @see java.lang.ClassLoader#ClassLoader() 617 * @see #checkPermission(java.security.Permission) checkPermission 618 */ 619 public void checkCreateClassLoader() { 620 checkPermission(SecurityConstants.CREATE_CLASSLOADER_PERMISSION); 621 } 622 623 /** 624 * reference to the root thread group, used for the checkAccess 625 * methods. 626 */ 627 628 private static ThreadGroup rootGroup = getRootGroup(); 629 630 private static ThreadGroup getRootGroup() { 631 ThreadGroup root = Thread.currentThread().getThreadGroup(); 632 while (root.getParent() != null) { 633 root = root.getParent(); 634 } 635 return root; 636 } 637 638 /** 639 * Throws a <code>SecurityException</code> if the 640 * calling thread is not allowed to modify the thread argument. 641 * <p> 642 * This method is invoked for the current security manager by the 643 * <code>stop</code>, <code>suspend</code>, <code>resume</code>, 644 * <code>setPriority</code>, <code>setName</code>, and 645 * <code>setDaemon</code> methods of class <code>Thread</code>. 646 * <p> 647 * If the thread argument is a system thread (belongs to 648 * the thread group with a <code>null</code> parent) then 649 * this method calls <code>checkPermission</code> with the 650 * <code>RuntimePermission("modifyThread")</code> permission. 651 * If the thread argument is <i>not</i> a system thread, 652 * this method just returns silently. 653 * <p> 654 * Applications that want a stricter policy should override this 655 * method. If this method is overridden, the method that overrides 656 * it should additionally check to see if the calling thread has the 657 * <code>RuntimePermission("modifyThread")</code> permission, and 658 * if so, return silently. This is to ensure that code granted 659 * that permission (such as the JDK itself) is allowed to 660 * manipulate any thread. 661 * <p> 662 * If this method is overridden, then 663 * <code>super.checkAccess</code> should 664 * be called by the first statement in the overridden method, or the 665 * equivalent security check should be placed in the overridden method. 666 * 667 * @param t the thread to be checked. 668 * @exception SecurityException if the calling thread does not have 669 * permission to modify the thread. 670 * @exception NullPointerException if the thread argument is 671 * <code>null</code>. 672 * @see java.lang.Thread#resume() resume 673 * @see java.lang.Thread#setDaemon(boolean) setDaemon 674 * @see java.lang.Thread#setName(java.lang.String) setName 675 * @see java.lang.Thread#setPriority(int) setPriority 676 * @see java.lang.Thread#stop() stop 677 * @see java.lang.Thread#suspend() suspend 678 * @see #checkPermission(java.security.Permission) checkPermission 679 */ 680 public void checkAccess(Thread t) { 681 if (t == null) { 682 throw new NullPointerException("thread can't be null"); 683 } 684 if (t.getThreadGroup() == rootGroup) { 685 checkPermission(SecurityConstants.MODIFY_THREAD_PERMISSION); 686 } else { 687 // just return 688 } 689 } 690 /** 691 * Throws a <code>SecurityException</code> if the 692 * calling thread is not allowed to modify the thread group argument. 693 * <p> 694 * This method is invoked for the current security manager when a 695 * new child thread or child thread group is created, and by the 696 * <code>setDaemon</code>, <code>setMaxPriority</code>, 697 * <code>stop</code>, <code>suspend</code>, <code>resume</code>, and 698 * <code>destroy</code> methods of class <code>ThreadGroup</code>. 699 * <p> 700 * If the thread group argument is the system thread group ( 701 * has a <code>null</code> parent) then 702 * this method calls <code>checkPermission</code> with the 703 * <code>RuntimePermission("modifyThreadGroup")</code> permission. 704 * If the thread group argument is <i>not</i> the system thread group, 705 * this method just returns silently. 706 * <p> 707 * Applications that want a stricter policy should override this 708 * method. If this method is overridden, the method that overrides 709 * it should additionally check to see if the calling thread has the 710 * <code>RuntimePermission("modifyThreadGroup")</code> permission, and 711 * if so, return silently. This is to ensure that code granted 712 * that permission (such as the JDK itself) is allowed to 713 * manipulate any thread. 714 * <p> 715 * If this method is overridden, then 716 * <code>super.checkAccess</code> should 717 * be called by the first statement in the overridden method, or the 718 * equivalent security check should be placed in the overridden method. 719 * 720 * @param g the thread group to be checked. 721 * @exception SecurityException if the calling thread does not have 722 * permission to modify the thread group. 723 * @exception NullPointerException if the thread group argument is 724 * <code>null</code>. 725 * @see java.lang.ThreadGroup#destroy() destroy 726 * @see java.lang.ThreadGroup#resume() resume 727 * @see java.lang.ThreadGroup#setDaemon(boolean) setDaemon 728 * @see java.lang.ThreadGroup#setMaxPriority(int) setMaxPriority 729 * @see java.lang.ThreadGroup#stop() stop 730 * @see java.lang.ThreadGroup#suspend() suspend 731 * @see #checkPermission(java.security.Permission) checkPermission 732 */ 733 public void checkAccess(ThreadGroup g) { 734 if (g == null) { 735 throw new NullPointerException("thread group can't be null"); 736 } 737 if (g == rootGroup) { 738 checkPermission(SecurityConstants.MODIFY_THREADGROUP_PERMISSION); 739 } else { 740 // just return 741 } 742 } 743 744 /** 745 * Throws a <code>SecurityException</code> if the 746 * calling thread is not allowed to cause the Java Virtual Machine to 747 * halt with the specified status code. 748 * <p> 749 * This method is invoked for the current security manager by the 750 * <code>exit</code> method of class <code>Runtime</code>. A status 751 * of <code>0</code> indicates success; other values indicate various 752 * errors. 753 * <p> 754 * This method calls <code>checkPermission</code> with the 755 * <code>RuntimePermission("exitVM."+status)</code> permission. 756 * <p> 757 * If you override this method, then you should make a call to 758 * <code>super.checkExit</code> 759 * at the point the overridden method would normally throw an 760 * exception. 761 * 762 * @param status the exit status. 763 * @exception SecurityException if the calling thread does not have 764 * permission to halt the Java Virtual Machine with 765 * the specified status. 766 * @see java.lang.Runtime#exit(int) exit 767 * @see #checkPermission(java.security.Permission) checkPermission 768 */ 769 public void checkExit(int status) { 770 checkPermission(new RuntimePermission("exitVM."+status)); 771 } 772 773 /** 774 * Throws a <code>SecurityException</code> if the 775 * calling thread is not allowed to create a subprocess. 776 * <p> 777 * This method is invoked for the current security manager by the 778 * <code>exec</code> methods of class <code>Runtime</code>. 779 * <p> 780 * This method calls <code>checkPermission</code> with the 781 * <code>FilePermission(cmd,"execute")</code> permission 782 * if cmd is an absolute path, otherwise it calls 783 * <code>checkPermission</code> with 784 * <code>FilePermission("<<ALL FILES>>","execute")</code>. 785 * <p> 786 * If you override this method, then you should make a call to 787 * <code>super.checkExec</code> 788 * at the point the overridden method would normally throw an 789 * exception. 790 * 791 * @param cmd the specified system command. 792 * @exception SecurityException if the calling thread does not have 793 * permission to create a subprocess. 794 * @exception NullPointerException if the <code>cmd</code> argument is 795 * <code>null</code>. 796 * @see java.lang.Runtime#exec(java.lang.String) 797 * @see java.lang.Runtime#exec(java.lang.String, java.lang.String[]) 798 * @see java.lang.Runtime#exec(java.lang.String[]) 799 * @see java.lang.Runtime#exec(java.lang.String[], java.lang.String[]) 800 * @see #checkPermission(java.security.Permission) checkPermission 801 */ 802 public void checkExec(String cmd) { 803 File f = new File(cmd); 804 if (f.isAbsolute()) { 805 checkPermission(new FilePermission(cmd, 806 SecurityConstants.FILE_EXECUTE_ACTION)); 807 } else { 808 checkPermission(new FilePermission("<<ALL FILES>>", 809 SecurityConstants.FILE_EXECUTE_ACTION)); 810 } 811 } 812 813 /** 814 * Throws a <code>SecurityException</code> if the 815 * calling thread is not allowed to dynamic link the library code 816 * specified by the string argument file. The argument is either a 817 * simple library name or a complete filename. 818 * <p> 819 * This method is invoked for the current security manager by 820 * methods <code>load</code> and <code>loadLibrary</code> of class 821 * <code>Runtime</code>. 822 * <p> 823 * This method calls <code>checkPermission</code> with the 824 * <code>RuntimePermission("loadLibrary."+lib)</code> permission. 825 * <p> 826 * If you override this method, then you should make a call to 827 * <code>super.checkLink</code> 828 * at the point the overridden method would normally throw an 829 * exception. 830 * 831 * @param lib the name of the library. 832 * @exception SecurityException if the calling thread does not have 833 * permission to dynamically link the library. 834 * @exception NullPointerException if the <code>lib</code> argument is 835 * <code>null</code>. 836 * @see java.lang.Runtime#load(java.lang.String) 837 * @see java.lang.Runtime#loadLibrary(java.lang.String) 838 * @see #checkPermission(java.security.Permission) checkPermission 839 */ 840 public void checkLink(String lib) { 841 if (lib == null) { 842 throw new NullPointerException("library can't be null"); 843 } 844 checkPermission(new RuntimePermission("loadLibrary."+lib)); 845 } 846 847 /** 848 * Throws a <code>SecurityException</code> if the 849 * calling thread is not allowed to read from the specified file 850 * descriptor. 851 * <p> 852 * This method calls <code>checkPermission</code> with the 853 * <code>RuntimePermission("readFileDescriptor")</code> 854 * permission. 855 * <p> 856 * If you override this method, then you should make a call to 857 * <code>super.checkRead</code> 858 * at the point the overridden method would normally throw an 859 * exception. 860 * 861 * @param fd the system-dependent file descriptor. 862 * @exception SecurityException if the calling thread does not have 863 * permission to access the specified file descriptor. 864 * @exception NullPointerException if the file descriptor argument is 865 * <code>null</code>. 866 * @see java.io.FileDescriptor 867 * @see #checkPermission(java.security.Permission) checkPermission 868 */ 869 public void checkRead(FileDescriptor fd) { 870 if (fd == null) { 871 throw new NullPointerException("file descriptor can't be null"); 872 } 873 checkPermission(new RuntimePermission("readFileDescriptor")); 874 } 875 876 /** 877 * Throws a <code>SecurityException</code> if the 878 * calling thread is not allowed to read the file specified by the 879 * string argument. 880 * <p> 881 * This method calls <code>checkPermission</code> with the 882 * <code>FilePermission(file,"read")</code> permission. 883 * <p> 884 * If you override this method, then you should make a call to 885 * <code>super.checkRead</code> 886 * at the point the overridden method would normally throw an 887 * exception. 888 * 889 * @param file the system-dependent file name. 890 * @exception SecurityException if the calling thread does not have 891 * permission to access the specified file. 892 * @exception NullPointerException if the <code>file</code> argument is 893 * <code>null</code>. 894 * @see #checkPermission(java.security.Permission) checkPermission 895 */ 896 public void checkRead(String file) { 897 checkPermission(new FilePermission(file, 898 SecurityConstants.FILE_READ_ACTION)); 899 } 900 901 /** 902 * Throws a <code>SecurityException</code> if the 903 * specified security context is not allowed to read the file 904 * specified by the string argument. The context must be a security 905 * context returned by a previous call to 906 * <code>getSecurityContext</code>. 907 * <p> If <code>context</code> is an instance of 908 * <code>AccessControlContext</code> then the 909 * <code>AccessControlContext.checkPermission</code> method will 910 * be invoked with the <code>FilePermission(file,"read")</code> permission. 911 * <p> If <code>context</code> is not an instance of 912 * <code>AccessControlContext</code> then a 913 * <code>SecurityException</code> is thrown. 914 * <p> 915 * If you override this method, then you should make a call to 916 * <code>super.checkRead</code> 917 * at the point the overridden method would normally throw an 918 * exception. 919 * 920 * @param file the system-dependent filename. 921 * @param context a system-dependent security context. 922 * @exception SecurityException if the specified security context 923 * is not an instance of <code>AccessControlContext</code> 924 * (e.g., is <code>null</code>), or does not have permission 925 * to read the specified file. 926 * @exception NullPointerException if the <code>file</code> argument is 927 * <code>null</code>. 928 * @see java.lang.SecurityManager#getSecurityContext() 929 * @see java.security.AccessControlContext#checkPermission(java.security.Permission) 930 */ 931 public void checkRead(String file, Object context) { 932 checkPermission( 933 new FilePermission(file, SecurityConstants.FILE_READ_ACTION), 934 context); 935 } 936 937 /** 938 * Throws a <code>SecurityException</code> if the 939 * calling thread is not allowed to write to the specified file 940 * descriptor. 941 * <p> 942 * This method calls <code>checkPermission</code> with the 943 * <code>RuntimePermission("writeFileDescriptor")</code> 944 * permission. 945 * <p> 946 * If you override this method, then you should make a call to 947 * <code>super.checkWrite</code> 948 * at the point the overridden method would normally throw an 949 * exception. 950 * 951 * @param fd the system-dependent file descriptor. 952 * @exception SecurityException if the calling thread does not have 953 * permission to access the specified file descriptor. 954 * @exception NullPointerException if the file descriptor argument is 955 * <code>null</code>. 956 * @see java.io.FileDescriptor 957 * @see #checkPermission(java.security.Permission) checkPermission 958 */ 959 public void checkWrite(FileDescriptor fd) { 960 if (fd == null) { 961 throw new NullPointerException("file descriptor can't be null"); 962 } 963 checkPermission(new RuntimePermission("writeFileDescriptor")); 964 965 } 966 967 /** 968 * Throws a <code>SecurityException</code> if the 969 * calling thread is not allowed to write to the file specified by 970 * the string argument. 971 * <p> 972 * This method calls <code>checkPermission</code> with the 973 * <code>FilePermission(file,"write")</code> permission. 974 * <p> 975 * If you override this method, then you should make a call to 976 * <code>super.checkWrite</code> 977 * at the point the overridden method would normally throw an 978 * exception. 979 * 980 * @param file the system-dependent filename. 981 * @exception SecurityException if the calling thread does not 982 * have permission to access the specified file. 983 * @exception NullPointerException if the <code>file</code> argument is 984 * <code>null</code>. 985 * @see #checkPermission(java.security.Permission) checkPermission 986 */ 987 public void checkWrite(String file) { 988 checkPermission(new FilePermission(file, 989 SecurityConstants.FILE_WRITE_ACTION)); 990 } 991 992 /** 993 * Throws a <code>SecurityException</code> if the 994 * calling thread is not allowed to delete the specified file. 995 * <p> 996 * This method is invoked for the current security manager by the 997 * <code>delete</code> method of class <code>File</code>. 998 * <p> 999 * This method calls <code>checkPermission</code> with the 1000 * <code>FilePermission(file,"delete")</code> permission. 1001 * <p> 1002 * If you override this method, then you should make a call to 1003 * <code>super.checkDelete</code> 1004 * at the point the overridden method would normally throw an 1005 * exception. 1006 * 1007 * @param file the system-dependent filename. 1008 * @exception SecurityException if the calling thread does not 1009 * have permission to delete the file. 1010 * @exception NullPointerException if the <code>file</code> argument is 1011 * <code>null</code>. 1012 * @see java.io.File#delete() 1013 * @see #checkPermission(java.security.Permission) checkPermission 1014 */ 1015 public void checkDelete(String file) { 1016 checkPermission(new FilePermission(file, 1017 SecurityConstants.FILE_DELETE_ACTION)); 1018 } 1019 1020 /** 1021 * Throws a <code>SecurityException</code> if the 1022 * calling thread is not allowed to open a socket connection to the 1023 * specified host and port number. 1024 * <p> 1025 * A port number of <code>-1</code> indicates that the calling 1026 * method is attempting to determine the IP address of the specified 1027 * host name. 1028 * <p> 1029 * This method calls <code>checkPermission</code> with the 1030 * <code>SocketPermission(host+":"+port,"connect")</code> permission if 1031 * the port is not equal to -1. If the port is equal to -1, then 1032 * it calls <code>checkPermission</code> with the 1033 * <code>SocketPermission(host,"resolve")</code> permission. 1034 * <p> 1035 * If you override this method, then you should make a call to 1036 * <code>super.checkConnect</code> 1037 * at the point the overridden method would normally throw an 1038 * exception. 1039 * 1040 * @param host the host name port to connect to. 1041 * @param port the protocol port to connect to. 1042 * @exception SecurityException if the calling thread does not have 1043 * permission to open a socket connection to the specified 1044 * <code>host</code> and <code>port</code>. 1045 * @exception NullPointerException if the <code>host</code> argument is 1046 * <code>null</code>. 1047 * @see #checkPermission(java.security.Permission) checkPermission 1048 */ 1049 public void checkConnect(String host, int port) { 1050 if (host == null) { 1051 throw new NullPointerException("host can't be null"); 1052 } 1053 if (!host.startsWith("[") && host.indexOf(':') != -1) { 1054 host = "[" + host + "]"; 1055 } 1056 if (port == -1) { 1057 checkPermission(new SocketPermission(host, 1058 SecurityConstants.SOCKET_RESOLVE_ACTION)); 1059 } else { 1060 checkPermission(new SocketPermission(host+":"+port, 1061 SecurityConstants.SOCKET_CONNECT_ACTION)); 1062 } 1063 } 1064 1065 /** 1066 * Throws a <code>SecurityException</code> if the 1067 * specified security context is not allowed to open a socket 1068 * connection to the specified host and port number. 1069 * <p> 1070 * A port number of <code>-1</code> indicates that the calling 1071 * method is attempting to determine the IP address of the specified 1072 * host name. 1073 * <p> If <code>context</code> is not an instance of 1074 * <code>AccessControlContext</code> then a 1075 * <code>SecurityException</code> is thrown. 1076 * <p> 1077 * Otherwise, the port number is checked. If it is not equal 1078 * to -1, the <code>context</code>'s <code>checkPermission</code> 1079 * method is called with a 1080 * <code>SocketPermission(host+":"+port,"connect")</code> permission. 1081 * If the port is equal to -1, then 1082 * the <code>context</code>'s <code>checkPermission</code> method 1083 * is called with a 1084 * <code>SocketPermission(host,"resolve")</code> permission. 1085 * <p> 1086 * If you override this method, then you should make a call to 1087 * <code>super.checkConnect</code> 1088 * at the point the overridden method would normally throw an 1089 * exception. 1090 * 1091 * @param host the host name port to connect to. 1092 * @param port the protocol port to connect to. 1093 * @param context a system-dependent security context. 1094 * @exception SecurityException if the specified security context 1095 * is not an instance of <code>AccessControlContext</code> 1096 * (e.g., is <code>null</code>), or does not have permission 1097 * to open a socket connection to the specified 1098 * <code>host</code> and <code>port</code>. 1099 * @exception NullPointerException if the <code>host</code> argument is 1100 * <code>null</code>. 1101 * @see java.lang.SecurityManager#getSecurityContext() 1102 * @see java.security.AccessControlContext#checkPermission(java.security.Permission) 1103 */ 1104 public void checkConnect(String host, int port, Object context) { 1105 if (host == null) { 1106 throw new NullPointerException("host can't be null"); 1107 } 1108 if (!host.startsWith("[") && host.indexOf(':') != -1) { 1109 host = "[" + host + "]"; 1110 } 1111 if (port == -1) 1112 checkPermission(new SocketPermission(host, 1113 SecurityConstants.SOCKET_RESOLVE_ACTION), 1114 context); 1115 else 1116 checkPermission(new SocketPermission(host+":"+port, 1117 SecurityConstants.SOCKET_CONNECT_ACTION), 1118 context); 1119 } 1120 1121 /** 1122 * Throws a <code>SecurityException</code> if the 1123 * calling thread is not allowed to wait for a connection request on 1124 * the specified local port number. 1125 * <p> 1126 * This method calls <code>checkPermission</code> with the 1127 * <code>SocketPermission("localhost:"+port,"listen")</code>. 1128 * <p> 1129 * If you override this method, then you should make a call to 1130 * <code>super.checkListen</code> 1131 * at the point the overridden method would normally throw an 1132 * exception. 1133 * 1134 * @param port the local port. 1135 * @exception SecurityException if the calling thread does not have 1136 * permission to listen on the specified port. 1137 * @see #checkPermission(java.security.Permission) checkPermission 1138 */ 1139 public void checkListen(int port) { 1140 checkPermission(new SocketPermission("localhost:"+port, 1141 SecurityConstants.SOCKET_LISTEN_ACTION)); 1142 } 1143 1144 /** 1145 * Throws a <code>SecurityException</code> if the 1146 * calling thread is not permitted to accept a socket connection from 1147 * the specified host and port number. 1148 * <p> 1149 * This method is invoked for the current security manager by the 1150 * <code>accept</code> method of class <code>ServerSocket</code>. 1151 * <p> 1152 * This method calls <code>checkPermission</code> with the 1153 * <code>SocketPermission(host+":"+port,"accept")</code> permission. 1154 * <p> 1155 * If you override this method, then you should make a call to 1156 * <code>super.checkAccept</code> 1157 * at the point the overridden method would normally throw an 1158 * exception. 1159 * 1160 * @param host the host name of the socket connection. 1161 * @param port the port number of the socket connection. 1162 * @exception SecurityException if the calling thread does not have 1163 * permission to accept the connection. 1164 * @exception NullPointerException if the <code>host</code> argument is 1165 * <code>null</code>. 1166 * @see java.net.ServerSocket#accept() 1167 * @see #checkPermission(java.security.Permission) checkPermission 1168 */ 1169 public void checkAccept(String host, int port) { 1170 if (host == null) { 1171 throw new NullPointerException("host can't be null"); 1172 } 1173 if (!host.startsWith("[") && host.indexOf(':') != -1) { 1174 host = "[" + host + "]"; 1175 } 1176 checkPermission(new SocketPermission(host+":"+port, 1177 SecurityConstants.SOCKET_ACCEPT_ACTION)); 1178 } 1179 1180 /** 1181 * Throws a <code>SecurityException</code> if the 1182 * calling thread is not allowed to use 1183 * (join/leave/send/receive) IP multicast. 1184 * <p> 1185 * This method calls <code>checkPermission</code> with the 1186 * <code>java.net.SocketPermission(maddr.getHostAddress(), 1187 * "accept,connect")</code> permission. 1188 * <p> 1189 * If you override this method, then you should make a call to 1190 * <code>super.checkMulticast</code> 1191 * at the point the overridden method would normally throw an 1192 * exception. 1193 * 1194 * @param maddr Internet group address to be used. 1195 * @exception SecurityException if the calling thread is not allowed to 1196 * use (join/leave/send/receive) IP multicast. 1197 * @exception NullPointerException if the address argument is 1198 * <code>null</code>. 1199 * @since 1.1 1200 * @see #checkPermission(java.security.Permission) checkPermission 1201 */ 1202 public void checkMulticast(InetAddress maddr) { 1203 String host = maddr.getHostAddress(); 1204 if (!host.startsWith("[") && host.indexOf(':') != -1) { 1205 host = "[" + host + "]"; 1206 } 1207 checkPermission(new SocketPermission(host, 1208 SecurityConstants.SOCKET_CONNECT_ACCEPT_ACTION)); 1209 } 1210 1211 /** 1212 * Throws a <code>SecurityException</code> if the 1213 * calling thread is not allowed to use 1214 * (join/leave/send/receive) IP multicast. 1215 * <p> 1216 * This method calls <code>checkPermission</code> with the 1217 * <code>java.net.SocketPermission(maddr.getHostAddress(), 1218 * "accept,connect")</code> permission. 1219 * <p> 1220 * If you override this method, then you should make a call to 1221 * <code>super.checkMulticast</code> 1222 * at the point the overridden method would normally throw an 1223 * exception. 1224 * 1225 * @param maddr Internet group address to be used. 1226 * @param ttl value in use, if it is multicast send. 1227 * Note: this particular implementation does not use the ttl 1228 * parameter. 1229 * @exception SecurityException if the calling thread is not allowed to 1230 * use (join/leave/send/receive) IP multicast. 1231 * @exception NullPointerException if the address argument is 1232 * <code>null</code>. 1233 * @since 1.1 1234 * @deprecated Use #checkPermission(java.security.Permission) instead 1235 * @see #checkPermission(java.security.Permission) checkPermission 1236 */ 1237 @Deprecated(since="1.4") 1238 public void checkMulticast(InetAddress maddr, byte ttl) { 1239 String host = maddr.getHostAddress(); 1240 if (!host.startsWith("[") && host.indexOf(':') != -1) { 1241 host = "[" + host + "]"; 1242 } 1243 checkPermission(new SocketPermission(host, 1244 SecurityConstants.SOCKET_CONNECT_ACCEPT_ACTION)); 1245 } 1246 1247 /** 1248 * Throws a <code>SecurityException</code> if the 1249 * calling thread is not allowed to access or modify the system 1250 * properties. 1251 * <p> 1252 * This method is used by the <code>getProperties</code> and 1253 * <code>setProperties</code> methods of class <code>System</code>. 1254 * <p> 1255 * This method calls <code>checkPermission</code> with the 1256 * <code>PropertyPermission("*", "read,write")</code> permission. 1257 * <p> 1258 * If you override this method, then you should make a call to 1259 * <code>super.checkPropertiesAccess</code> 1260 * at the point the overridden method would normally throw an 1261 * exception. 1262 * 1263 * @exception SecurityException if the calling thread does not have 1264 * permission to access or modify the system properties. 1265 * @see java.lang.System#getProperties() 1266 * @see java.lang.System#setProperties(java.util.Properties) 1267 * @see #checkPermission(java.security.Permission) checkPermission 1268 */ 1269 public void checkPropertiesAccess() { 1270 checkPermission(new PropertyPermission("*", 1271 SecurityConstants.PROPERTY_RW_ACTION)); 1272 } 1273 1274 /** 1275 * Throws a <code>SecurityException</code> if the 1276 * calling thread is not allowed to access the system property with 1277 * the specified <code>key</code> name. 1278 * <p> 1279 * This method is used by the <code>getProperty</code> method of 1280 * class <code>System</code>. 1281 * <p> 1282 * This method calls <code>checkPermission</code> with the 1283 * <code>PropertyPermission(key, "read")</code> permission. 1284 * <p> 1285 * If you override this method, then you should make a call to 1286 * <code>super.checkPropertyAccess</code> 1287 * at the point the overridden method would normally throw an 1288 * exception. 1289 * 1290 * @param key a system property key. 1291 * 1292 * @exception SecurityException if the calling thread does not have 1293 * permission to access the specified system property. 1294 * @exception NullPointerException if the <code>key</code> argument is 1295 * <code>null</code>. 1296 * @exception IllegalArgumentException if <code>key</code> is empty. 1297 * 1298 * @see java.lang.System#getProperty(java.lang.String) 1299 * @see #checkPermission(java.security.Permission) checkPermission 1300 */ 1301 public void checkPropertyAccess(String key) { 1302 checkPermission(new PropertyPermission(key, 1303 SecurityConstants.PROPERTY_READ_ACTION)); 1304 } 1305 1306 /** 1307 * Returns {@code true} if the calling thread has {@code AllPermission}. 1308 * 1309 * @param window not used except to check if it is {@code null}. 1310 * @return {@code true} if the calling thread has {@code AllPermission}. 1311 * @exception NullPointerException if the {@code window} argument is 1312 * {@code null}. 1313 * @deprecated This method was originally used to check if the calling thread 1314 * was trusted to bring up a top-level window. The method has been 1315 * obsoleted and code should instead use {@link #checkPermission} 1316 * to check {@code AWTPermission("showWindowWithoutWarningBanner")}. 1317 * This method is subject to removal in a future version of Java SE. 1318 * @see #checkPermission(java.security.Permission) checkPermission 1319 */ 1320 @Deprecated(since="1.8", forRemoval=true) 1321 public boolean checkTopLevelWindow(Object window) { 1322 if (window == null) { 1323 throw new NullPointerException("window can't be null"); 1324 } 1325 return hasAllPermission(); 1326 } 1327 1328 /** 1329 * Throws a <code>SecurityException</code> if the 1330 * calling thread is not allowed to initiate a print job request. 1331 * <p> 1332 * This method calls 1333 * <code>checkPermission</code> with the 1334 * <code>RuntimePermission("queuePrintJob")</code> permission. 1335 * <p> 1336 * If you override this method, then you should make a call to 1337 * <code>super.checkPrintJobAccess</code> 1338 * at the point the overridden method would normally throw an 1339 * exception. 1340 * 1341 * @exception SecurityException if the calling thread does not have 1342 * permission to initiate a print job request. 1343 * @since 1.1 1344 * @see #checkPermission(java.security.Permission) checkPermission 1345 */ 1346 public void checkPrintJobAccess() { 1347 checkPermission(new RuntimePermission("queuePrintJob")); 1348 } 1349 1350 /** 1351 * Throws {@code SecurityException} if the calling thread does 1352 * not have {@code AllPermission}. 1353 * 1354 * @since 1.1 1355 * @exception SecurityException if the calling thread does not have 1356 * {@code AllPermission} 1357 * @deprecated This method was originally used to check if the calling 1358 * thread could access the system clipboard. The method has been 1359 * obsoleted and code should instead use {@link #checkPermission} 1360 * to check {@code AWTPermission("accessClipboard")}. 1361 * This method is subject to removal in a future version of Java SE. 1362 * @see #checkPermission(java.security.Permission) checkPermission 1363 */ 1364 @Deprecated(since="1.8", forRemoval=true) 1365 public void checkSystemClipboardAccess() { 1366 checkPermission(SecurityConstants.ALL_PERMISSION); 1367 } 1368 1369 /** 1370 * Throws {@code SecurityException} if the calling thread does 1371 * not have {@code AllPermission}. 1372 * 1373 * @since 1.1 1374 * @exception SecurityException if the calling thread does not have 1375 * {@code AllPermission} 1376 * @deprecated This method was originally used to check if the calling 1377 * thread could access the AWT event queue. The method has been 1378 * obsoleted and code should instead use {@link #checkPermission} 1379 * to check {@code AWTPermission("accessEventQueue")}. 1380 * This method is subject to removal in a future version of Java SE. 1381 * @see #checkPermission(java.security.Permission) checkPermission 1382 */ 1383 @Deprecated(since="1.8", forRemoval=true) 1384 public void checkAwtEventQueueAccess() { 1385 checkPermission(SecurityConstants.ALL_PERMISSION); 1386 } 1387 1388 /* 1389 * We have an initial invalid bit (initially false) for the class 1390 * variables which tell if the cache is valid. If the underlying 1391 * java.security.Security property changes via setProperty(), the 1392 * Security class uses reflection to change the variable and thus 1393 * invalidate the cache. 1394 * 1395 * Locking is handled by synchronization to the 1396 * packageAccessLock/packageDefinitionLock objects. They are only 1397 * used in this class. 1398 * 1399 * Note that cache invalidation as a result of the property change 1400 * happens without using these locks, so there may be a delay between 1401 * when a thread updates the property and when other threads updates 1402 * the cache. 1403 */ 1404 private static boolean packageAccessValid = false; 1405 private static String[] packageAccess; 1406 private static final Object packageAccessLock = new Object(); 1407 1408 private static boolean packageDefinitionValid = false; 1409 private static String[] packageDefinition; 1410 private static final Object packageDefinitionLock = new Object(); 1411 1412 private static String[] getPackages(String p) { 1413 String packages[] = null; 1414 if (p != null && !p.equals("")) { 1415 java.util.StringTokenizer tok = 1416 new java.util.StringTokenizer(p, ","); 1417 int n = tok.countTokens(); 1418 if (n > 0) { 1419 packages = new String[n]; 1420 int i = 0; 1421 while (tok.hasMoreElements()) { 1422 String s = tok.nextToken().trim(); 1423 packages[i++] = s; 1424 } 1425 } 1426 } 1427 1428 if (packages == null) { 1429 packages = new String[0]; 1430 } 1431 return packages; 1432 } 1433 1434 // The non-exported packages in modules defined to the boot or platform 1435 // class loaders. A non-exported package is a package that is not exported 1436 // or is only exported to specific modules. 1437 private static final Map<String, Boolean> nonExportedPkgs = new ConcurrentHashMap<>(); 1438 static { 1439 addNonExportedPackages(ModuleLayer.boot()); 1440 } 1441 1442 /** 1443 * Record the non-exported packages of the modules in the given layer 1444 */ 1445 static void addNonExportedPackages(ModuleLayer layer) { 1446 Set<String> bootModules = ModuleLoaderMap.bootModules(); 1447 Set<String> platformModules = ModuleLoaderMap.platformModules(); 1448 layer.modules().stream() 1449 .map(Module::getDescriptor) 1450 .filter(md -> bootModules.contains(md.name()) 1451 || platformModules.contains(md.name())) 1452 .map(SecurityManager::nonExportedPkgs) 1453 .flatMap(Set::stream) 1454 .forEach(pn -> nonExportedPkgs.put(pn, Boolean.TRUE)); 1455 } 1456 1457 1458 /** 1459 * Called by java.security.Security 1460 */ 1461 static void invalidatePackageAccessCache() { 1462 synchronized (packageAccessLock) { 1463 packageAccessValid = false; 1464 } 1465 synchronized (packageDefinitionLock) { 1466 packageDefinitionValid = false; 1467 } 1468 } 1469 1470 /** 1471 * Returns the non-exported packages of the specified module. 1472 */ 1473 private static Set<String> nonExportedPkgs(ModuleDescriptor md) { 1474 // start with all packages in the module 1475 Set<String> pkgs = new HashSet<>(md.packages()); 1476 1477 // remove the non-qualified exported packages 1478 md.exports().stream() 1479 .filter(p -> !p.isQualified()) 1480 .map(Exports::source) 1481 .forEach(pkgs::remove); 1482 1483 // remove the non-qualified open packages 1484 md.opens().stream() 1485 .filter(p -> !p.isQualified()) 1486 .map(Opens::source) 1487 .forEach(pkgs::remove); 1488 1489 return pkgs; 1490 } 1491 1492 /** 1493 * Throws a {@code SecurityException} if the calling thread is not allowed 1494 * to access the specified package. 1495 * <p> 1496 * During class loading, this method may be called by the {@code loadClass} 1497 * method of class loaders and by the Java Virtual Machine to ensure that 1498 * the caller is allowed to access the package of the class that is 1499 * being loaded. 1500 * <p> 1501 * This method checks if the specified package starts with or equals 1502 * any of the packages in the {@code package.access} Security Property. 1503 * An implementation may also check the package against an additional 1504 * list of restricted packages as noted below. If the package is restricted, 1505 * {@link #checkPermission(Permission)} is called with a 1506 * {@code RuntimePermission("accessClassInPackage."+pkg)} permission. 1507 * <p> 1508 * If this method is overridden, then {@code super.checkPackageAccess} 1509 * should be called as the first line in the overridden method. 1510 * 1511 * @implNote 1512 * This implementation also restricts all non-exported packages of modules 1513 * loaded by {@linkplain ClassLoader#getPlatformClassLoader 1514 * the platform class loader} or its ancestors. A "non-exported package" 1515 * refers to a package that is not exported to all modules. Specifically, 1516 * it refers to a package that either is not exported at all by its 1517 * containing module or is exported in a qualified fashion by its 1518 * containing module. 1519 * 1520 * @param pkg the package name. 1521 * @throws SecurityException if the calling thread does not have 1522 * permission to access the specified package. 1523 * @throws NullPointerException if the package name argument is 1524 * {@code null}. 1525 * @see java.lang.ClassLoader#loadClass(String, boolean) loadClass 1526 * @see java.security.Security#getProperty getProperty 1527 * @see #checkPermission(Permission) checkPermission 1528 */ 1529 public void checkPackageAccess(String pkg) { 1530 Objects.requireNonNull(pkg, "package name can't be null"); 1531 1532 // check if pkg is not exported to all modules 1533 if (nonExportedPkgs.containsKey(pkg)) { 1534 checkPermission( 1535 new RuntimePermission("accessClassInPackage." + pkg)); 1536 return; 1537 } 1538 1539 String[] restrictedPkgs; 1540 synchronized (packageAccessLock) { 1541 /* 1542 * Do we need to update our property array? 1543 */ 1544 if (!packageAccessValid) { 1545 String tmpPropertyStr = 1546 AccessController.doPrivileged( 1547 new PrivilegedAction<>() { 1548 public String run() { 1549 return Security.getProperty("package.access"); 1550 } 1551 } 1552 ); 1553 packageAccess = getPackages(tmpPropertyStr); 1554 packageAccessValid = true; 1555 } 1556 1557 // Using a snapshot of packageAccess -- don't care if static field 1558 // changes afterwards; array contents won't change. 1559 restrictedPkgs = packageAccess; 1560 } 1561 1562 /* 1563 * Traverse the list of packages, check for any matches. 1564 */ 1565 final int plen = pkg.length(); 1566 for (String restrictedPkg : restrictedPkgs) { 1567 final int rlast = restrictedPkg.length() - 1; 1568 1569 // Optimizations: 1570 // 1571 // If rlast >= plen then restrictedPkg is longer than pkg by at 1572 // least one char. This means pkg cannot start with restrictedPkg, 1573 // since restrictedPkg will be longer than pkg. 1574 // 1575 // Similarly if rlast != plen, then pkg + "." cannot be the same 1576 // as restrictedPkg, since pkg + "." will have a different length 1577 // than restrictedPkg. 1578 // 1579 if (rlast < plen && pkg.startsWith(restrictedPkg) || 1580 // The following test is equivalent to 1581 // restrictedPkg.equals(pkg + ".") but is noticeably more 1582 // efficient: 1583 rlast == plen && restrictedPkg.startsWith(pkg) && 1584 restrictedPkg.charAt(rlast) == '.') 1585 { 1586 checkPermission( 1587 new RuntimePermission("accessClassInPackage." + pkg)); 1588 break; // No need to continue; only need to check this once 1589 } 1590 } 1591 } 1592 1593 /** 1594 * Throws a {@code SecurityException} if the calling thread is not 1595 * allowed to define classes in the specified package. 1596 * <p> 1597 * This method is called by the {@code loadClass} method of some 1598 * class loaders. 1599 * <p> 1600 * This method checks if the specified package starts with or equals 1601 * any of the packages in the {@code package.definition} Security 1602 * Property. An implementation may also check the package against an 1603 * additional list of restricted packages as noted below. If the package 1604 * is restricted, {@link #checkPermission(Permission)} is called with a 1605 * {@code RuntimePermission("defineClassInPackage."+pkg)} permission. 1606 * <p> 1607 * If this method is overridden, then {@code super.checkPackageDefinition} 1608 * should be called as the first line in the overridden method. 1609 * 1610 * @implNote 1611 * This implementation also restricts all non-exported packages of modules 1612 * loaded by {@linkplain ClassLoader#getPlatformClassLoader 1613 * the platform class loader} or its ancestors. A "non-exported package" 1614 * refers to a package that is not exported to all modules. Specifically, 1615 * it refers to a package that either is not exported at all by its 1616 * containing module or is exported in a qualified fashion by its 1617 * containing module. 1618 * 1619 * @param pkg the package name. 1620 * @throws SecurityException if the calling thread does not have 1621 * permission to define classes in the specified package. 1622 * @throws NullPointerException if the package name argument is 1623 * {@code null}. 1624 * @see java.lang.ClassLoader#loadClass(String, boolean) 1625 * @see java.security.Security#getProperty getProperty 1626 * @see #checkPermission(Permission) checkPermission 1627 */ 1628 public void checkPackageDefinition(String pkg) { 1629 Objects.requireNonNull(pkg, "package name can't be null"); 1630 1631 // check if pkg is not exported to all modules 1632 if (nonExportedPkgs.containsKey(pkg)) { 1633 checkPermission( 1634 new RuntimePermission("defineClassInPackage." + pkg)); 1635 return; 1636 } 1637 1638 String[] pkgs; 1639 synchronized (packageDefinitionLock) { 1640 /* 1641 * Do we need to update our property array? 1642 */ 1643 if (!packageDefinitionValid) { 1644 String tmpPropertyStr = 1645 AccessController.doPrivileged( 1646 new PrivilegedAction<>() { 1647 public String run() { 1648 return java.security.Security.getProperty( 1649 "package.definition"); 1650 } 1651 } 1652 ); 1653 packageDefinition = getPackages(tmpPropertyStr); 1654 packageDefinitionValid = true; 1655 } 1656 // Using a snapshot of packageDefinition -- don't care if static 1657 // field changes afterwards; array contents won't change. 1658 pkgs = packageDefinition; 1659 } 1660 1661 /* 1662 * Traverse the list of packages, check for any matches. 1663 */ 1664 for (String restrictedPkg : pkgs) { 1665 if (pkg.startsWith(restrictedPkg) || restrictedPkg.equals(pkg + ".")) { 1666 checkPermission( 1667 new RuntimePermission("defineClassInPackage." + pkg)); 1668 break; // No need to continue; only need to check this once 1669 } 1670 } 1671 } 1672 1673 /** 1674 * Throws a <code>SecurityException</code> if the 1675 * calling thread is not allowed to set the socket factory used by 1676 * <code>ServerSocket</code> or <code>Socket</code>, or the stream 1677 * handler factory used by <code>URL</code>. 1678 * <p> 1679 * This method calls <code>checkPermission</code> with the 1680 * <code>RuntimePermission("setFactory")</code> permission. 1681 * <p> 1682 * If you override this method, then you should make a call to 1683 * <code>super.checkSetFactory</code> 1684 * at the point the overridden method would normally throw an 1685 * exception. 1686 * 1687 * @exception SecurityException if the calling thread does not have 1688 * permission to specify a socket factory or a stream 1689 * handler factory. 1690 * 1691 * @see java.net.ServerSocket#setSocketFactory(java.net.SocketImplFactory) setSocketFactory 1692 * @see java.net.Socket#setSocketImplFactory(java.net.SocketImplFactory) setSocketImplFactory 1693 * @see java.net.URL#setURLStreamHandlerFactory(java.net.URLStreamHandlerFactory) setURLStreamHandlerFactory 1694 * @see #checkPermission(java.security.Permission) checkPermission 1695 */ 1696 public void checkSetFactory() { 1697 checkPermission(new RuntimePermission("setFactory")); 1698 } 1699 1700 /** 1701 * Throws a <code>SecurityException</code> if the 1702 * calling thread is not allowed to access members. 1703 * <p> 1704 * The default policy is to allow access to PUBLIC members, as well 1705 * as access to classes that have the same class loader as the caller. 1706 * In all other cases, this method calls <code>checkPermission</code> 1707 * with the <code>RuntimePermission("accessDeclaredMembers") 1708 * </code> permission. 1709 * <p> 1710 * If this method is overridden, then a call to 1711 * <code>super.checkMemberAccess</code> cannot be made, 1712 * as the default implementation of <code>checkMemberAccess</code> 1713 * relies on the code being checked being at a stack depth of 1714 * 4. 1715 * 1716 * @param clazz the class that reflection is to be performed on. 1717 * 1718 * @param which type of access, PUBLIC or DECLARED. 1719 * 1720 * @exception SecurityException if the caller does not have 1721 * permission to access members. 1722 * @exception NullPointerException if the <code>clazz</code> argument is 1723 * <code>null</code>. 1724 * 1725 * @deprecated This method relies on the caller being at a stack depth 1726 * of 4 which is error-prone and cannot be enforced by the runtime. 1727 * Users of this method should instead invoke {@link #checkPermission} 1728 * directly. 1729 * This method is subject to removal in a future version of Java SE. 1730 * 1731 * @see java.lang.reflect.Member 1732 * @since 1.1 1733 * @see #checkPermission(java.security.Permission) checkPermission 1734 */ 1735 @Deprecated(since="1.8", forRemoval=true) 1736 @CallerSensitive 1737 public void checkMemberAccess(Class<?> clazz, int which) { 1738 if (clazz == null) { 1739 throw new NullPointerException("class can't be null"); 1740 } 1741 if (which != Member.PUBLIC) { 1742 Class<?> stack[] = getClassContext(); 1743 /* 1744 * stack depth of 4 should be the caller of one of the 1745 * methods in java.lang.Class that invoke checkMember 1746 * access. The stack should look like: 1747 * 1748 * someCaller [3] 1749 * java.lang.Class.someReflectionAPI [2] 1750 * java.lang.Class.checkMemberAccess [1] 1751 * SecurityManager.checkMemberAccess [0] 1752 * 1753 */ 1754 if ((stack.length<4) || 1755 (stack[3].getClassLoader() != clazz.getClassLoader())) { 1756 checkPermission(SecurityConstants.CHECK_MEMBER_ACCESS_PERMISSION); 1757 } 1758 } 1759 } 1760 1761 /** 1762 * Determines whether the permission with the specified permission target 1763 * name should be granted or denied. 1764 * 1765 * <p> If the requested permission is allowed, this method returns 1766 * quietly. If denied, a SecurityException is raised. 1767 * 1768 * <p> This method creates a <code>SecurityPermission</code> object for 1769 * the given permission target name and calls <code>checkPermission</code> 1770 * with it. 1771 * 1772 * <p> See the documentation for 1773 * <code>{@link java.security.SecurityPermission}</code> for 1774 * a list of possible permission target names. 1775 * 1776 * <p> If you override this method, then you should make a call to 1777 * <code>super.checkSecurityAccess</code> 1778 * at the point the overridden method would normally throw an 1779 * exception. 1780 * 1781 * @param target the target name of the <code>SecurityPermission</code>. 1782 * 1783 * @exception SecurityException if the calling thread does not have 1784 * permission for the requested access. 1785 * @exception NullPointerException if <code>target</code> is null. 1786 * @exception IllegalArgumentException if <code>target</code> is empty. 1787 * 1788 * @since 1.1 1789 * @see #checkPermission(java.security.Permission) checkPermission 1790 */ 1791 public void checkSecurityAccess(String target) { 1792 checkPermission(new SecurityPermission(target)); 1793 } 1794 1795 private native Class<?> currentLoadedClass0(); 1796 1797 /** 1798 * Returns the thread group into which to instantiate any new 1799 * thread being created at the time this is being called. 1800 * By default, it returns the thread group of the current 1801 * thread. This should be overridden by a specific security 1802 * manager to return the appropriate thread group. 1803 * 1804 * @return ThreadGroup that new threads are instantiated into 1805 * @since 1.1 1806 * @see java.lang.ThreadGroup 1807 */ 1808 public ThreadGroup getThreadGroup() { 1809 return Thread.currentThread().getThreadGroup(); 1810 } 1811 1812} 1813