FilePermission.java revision 12745:f068a4ffddd2
1/* 2 * Copyright (c) 1997, 2015, Oracle and/or its affiliates. All rights reserved. 3 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. 4 * 5 * This code is free software; you can redistribute it and/or modify it 6 * under the terms of the GNU General Public License version 2 only, as 7 * published by the Free Software Foundation. Oracle designates this 8 * particular file as subject to the "Classpath" exception as provided 9 * by Oracle in the LICENSE file that accompanied this code. 10 * 11 * This code is distributed in the hope that it will be useful, but WITHOUT 12 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or 13 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License 14 * version 2 for more details (a copy is included in the LICENSE file that 15 * accompanied this code). 16 * 17 * You should have received a copy of the GNU General Public License version 18 * 2 along with this work; if not, write to the Free Software Foundation, 19 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. 20 * 21 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA 22 * or visit www.oracle.com if you need additional information or have any 23 * questions. 24 */ 25 26package java.io; 27 28import java.security.*; 29import java.util.Enumeration; 30import java.util.StringJoiner; 31import java.util.Vector; 32import java.util.concurrent.ConcurrentHashMap; 33import sun.security.util.SecurityConstants; 34 35/** 36 * This class represents access to a file or directory. A FilePermission consists 37 * of a pathname and a set of actions valid for that pathname. 38 * <P> 39 * Pathname is the pathname of the file or directory granted the specified 40 * actions. A pathname that ends in "/*" (where "/" is 41 * the file separator character, <code>File.separatorChar</code>) indicates 42 * all the files and directories contained in that directory. A pathname 43 * that ends with "/-" indicates (recursively) all files 44 * and subdirectories contained in that directory. A pathname consisting of 45 * the special token "<<ALL FILES>>" matches <b>any</b> file. 46 * <P> 47 * Note: A pathname consisting of a single "*" indicates all the files 48 * in the current directory, while a pathname consisting of a single "-" 49 * indicates all the files in the current directory and 50 * (recursively) all files and subdirectories contained in the current 51 * directory. 52 * <P> 53 * The actions to be granted are passed to the constructor in a string containing 54 * a list of one or more comma-separated keywords. The possible keywords are 55 * "read", "write", "execute", "delete", and "readlink". Their meaning is 56 * defined as follows: 57 * 58 * <DL> 59 * <DT> read <DD> read permission 60 * <DT> write <DD> write permission 61 * <DT> execute 62 * <DD> execute permission. Allows <code>Runtime.exec</code> to 63 * be called. Corresponds to <code>SecurityManager.checkExec</code>. 64 * <DT> delete 65 * <DD> delete permission. Allows <code>File.delete</code> to 66 * be called. Corresponds to <code>SecurityManager.checkDelete</code>. 67 * <DT> readlink 68 * <DD> read link permission. Allows the target of a 69 * <a href="../nio/file/package-summary.html#links">symbolic link</a> 70 * to be read by invoking the {@link java.nio.file.Files#readSymbolicLink 71 * readSymbolicLink } method. 72 * </DL> 73 * <P> 74 * The actions string is converted to lowercase before processing. 75 * <P> 76 * Be careful when granting FilePermissions. Think about the implications 77 * of granting read and especially write access to various files and 78 * directories. The "<<ALL FILES>>" permission with write action is 79 * especially dangerous. This grants permission to write to the entire 80 * file system. One thing this effectively allows is replacement of the 81 * system binary, including the JVM runtime environment. 82 * 83 * <p>Please note: Code can always read a file from the same 84 * directory it's in (or a subdirectory of that directory); it does not 85 * need explicit permission to do so. 86 * 87 * @see java.security.Permission 88 * @see java.security.Permissions 89 * @see java.security.PermissionCollection 90 * 91 * 92 * @author Marianne Mueller 93 * @author Roland Schemers 94 * @since 1.2 95 * 96 * @serial exclude 97 */ 98 99public final class FilePermission extends Permission implements Serializable { 100 101 /** 102 * Execute action. 103 */ 104 private static final int EXECUTE = 0x1; 105 /** 106 * Write action. 107 */ 108 private static final int WRITE = 0x2; 109 /** 110 * Read action. 111 */ 112 private static final int READ = 0x4; 113 /** 114 * Delete action. 115 */ 116 private static final int DELETE = 0x8; 117 /** 118 * Read link action. 119 */ 120 private static final int READLINK = 0x10; 121 122 /** 123 * All actions (read,write,execute,delete,readlink) 124 */ 125 private static final int ALL = READ|WRITE|EXECUTE|DELETE|READLINK; 126 /** 127 * No actions. 128 */ 129 private static final int NONE = 0x0; 130 131 // the actions mask 132 private transient int mask; 133 134 // does path indicate a directory? (wildcard or recursive) 135 private transient boolean directory; 136 137 // is it a recursive directory specification? 138 private transient boolean recursive; 139 140 /** 141 * the actions string. 142 * 143 * @serial 144 */ 145 private String actions; // Left null as long as possible, then 146 // created and re-used in the getAction function. 147 148 // canonicalized dir path. In the case of 149 // directories, it is the name "/blah/*" or "/blah/-" without 150 // the last character (the "*" or "-"). 151 152 private transient String cpath; 153 154 // static Strings used by init(int mask) 155 private static final char RECURSIVE_CHAR = '-'; 156 private static final char WILD_CHAR = '*'; 157 158/* 159 public String toString() 160 { 161 StringBuffer sb = new StringBuffer(); 162 sb.append("***\n"); 163 sb.append("cpath = "+cpath+"\n"); 164 sb.append("mask = "+mask+"\n"); 165 sb.append("actions = "+getActions()+"\n"); 166 sb.append("directory = "+directory+"\n"); 167 sb.append("recursive = "+recursive+"\n"); 168 sb.append("***\n"); 169 return sb.toString(); 170 } 171*/ 172 173 private static final long serialVersionUID = 7930732926638008763L; 174 175 /** 176 * initialize a FilePermission object. Common to all constructors. 177 * Also called during de-serialization. 178 * 179 * @param mask the actions mask to use. 180 * 181 */ 182 private void init(int mask) { 183 if ((mask & ALL) != mask) 184 throw new IllegalArgumentException("invalid actions mask"); 185 186 if (mask == NONE) 187 throw new IllegalArgumentException("invalid actions mask"); 188 189 if ((cpath = getName()) == null) 190 throw new NullPointerException("name can't be null"); 191 192 this.mask = mask; 193 194 if (cpath.equals("<<ALL FILES>>")) { 195 directory = true; 196 recursive = true; 197 cpath = ""; 198 return; 199 } 200 201 // store only the canonical cpath if possible 202 cpath = AccessController.doPrivileged(new PrivilegedAction<>() { 203 public String run() { 204 try { 205 String path = cpath; 206 if (cpath.endsWith("*")) { 207 // call getCanonicalPath with a path with wildcard character 208 // replaced to avoid calling it with paths that are 209 // intended to match all entries in a directory 210 path = path.substring(0, path.length()-1) + "-"; 211 path = new File(path).getCanonicalPath(); 212 return path.substring(0, path.length()-1) + "*"; 213 } else { 214 return new File(path).getCanonicalPath(); 215 } 216 } catch (IOException ioe) { 217 return cpath; 218 } 219 } 220 }); 221 222 int len = cpath.length(); 223 char last = ((len > 0) ? cpath.charAt(len - 1) : 0); 224 225 if (last == RECURSIVE_CHAR && 226 cpath.charAt(len - 2) == File.separatorChar) { 227 directory = true; 228 recursive = true; 229 cpath = cpath.substring(0, --len); 230 } else if (last == WILD_CHAR && 231 cpath.charAt(len - 2) == File.separatorChar) { 232 directory = true; 233 //recursive = false; 234 cpath = cpath.substring(0, --len); 235 } else { 236 // overkill since they are initialized to false, but 237 // commented out here to remind us... 238 //directory = false; 239 //recursive = false; 240 } 241 242 // XXX: at this point the path should be absolute. die if it isn't? 243 } 244 245 /** 246 * Creates a new FilePermission object with the specified actions. 247 * <i>path</i> is the pathname of a file or directory, and <i>actions</i> 248 * contains a comma-separated list of the desired actions granted on the 249 * file or directory. Possible actions are 250 * "read", "write", "execute", "delete", and "readlink". 251 * 252 * <p>A pathname that ends in "/*" (where "/" is 253 * the file separator character, <code>File.separatorChar</code>) 254 * indicates all the files and directories contained in that directory. 255 * A pathname that ends with "/-" indicates (recursively) all files and 256 * subdirectories contained in that directory. The special pathname 257 * "<<ALL FILES>>" matches any file. 258 * 259 * <p>A pathname consisting of a single "*" indicates all the files 260 * in the current directory, while a pathname consisting of a single "-" 261 * indicates all the files in the current directory and 262 * (recursively) all files and subdirectories contained in the current 263 * directory. 264 * 265 * <p>A pathname containing an empty string represents an empty path. 266 * 267 * @param path the pathname of the file/directory. 268 * @param actions the action string. 269 * 270 * @throws IllegalArgumentException 271 * If actions is <code>null</code>, empty or contains an action 272 * other than the specified possible actions. 273 */ 274 public FilePermission(String path, String actions) { 275 super(path); 276 init(getMask(actions)); 277 } 278 279 /** 280 * Creates a new FilePermission object using an action mask. 281 * More efficient than the FilePermission(String, String) constructor. 282 * Can be used from within 283 * code that needs to create a FilePermission object to pass into the 284 * <code>implies</code> method. 285 * 286 * @param path the pathname of the file/directory. 287 * @param mask the action mask to use. 288 */ 289 // package private for use by the FilePermissionCollection add method 290 FilePermission(String path, int mask) { 291 super(path); 292 init(mask); 293 } 294 295 /** 296 * Checks if this FilePermission object "implies" the specified permission. 297 * <P> 298 * More specifically, this method returns true if: 299 * <ul> 300 * <li> <i>p</i> is an instanceof FilePermission, 301 * <li> <i>p</i>'s actions are a proper subset of this 302 * object's actions, and 303 * <li> <i>p</i>'s pathname is implied by this object's 304 * pathname. For example, "/tmp/*" implies "/tmp/foo", since 305 * "/tmp/*" encompasses all files in the "/tmp" directory, 306 * including the one named "foo". 307 * </ul> 308 * 309 * @param p the permission to check against. 310 * 311 * @return <code>true</code> if the specified permission is not 312 * <code>null</code> and is implied by this object, 313 * <code>false</code> otherwise. 314 */ 315 @Override 316 public boolean implies(Permission p) { 317 if (!(p instanceof FilePermission)) 318 return false; 319 320 FilePermission that = (FilePermission) p; 321 322 // we get the effective mask. i.e., the "and" of this and that. 323 // They must be equal to that.mask for implies to return true. 324 325 return ((this.mask & that.mask) == that.mask) && impliesIgnoreMask(that); 326 } 327 328 /** 329 * Checks if the Permission's actions are a proper subset of the 330 * this object's actions. Returns the effective mask iff the 331 * this FilePermission's path also implies that FilePermission's path. 332 * 333 * @param that the FilePermission to check against. 334 * @return the effective mask 335 */ 336 boolean impliesIgnoreMask(FilePermission that) { 337 if (this.directory) { 338 if (this.recursive) { 339 // make sure that.path is longer then path so 340 // something like /foo/- does not imply /foo 341 if (that.directory) { 342 return (that.cpath.length() >= this.cpath.length()) && 343 that.cpath.startsWith(this.cpath); 344 } else { 345 return ((that.cpath.length() > this.cpath.length()) && 346 that.cpath.startsWith(this.cpath)); 347 } 348 } else { 349 if (that.directory) { 350 // if the permission passed in is a directory 351 // specification, make sure that a non-recursive 352 // permission (i.e., this object) can't imply a recursive 353 // permission. 354 if (that.recursive) 355 return false; 356 else 357 return (this.cpath.equals(that.cpath)); 358 } else { 359 int last = that.cpath.lastIndexOf(File.separatorChar); 360 if (last == -1) 361 return false; 362 else { 363 // this.cpath.equals(that.cpath.substring(0, last+1)); 364 // Use regionMatches to avoid creating new string 365 return (this.cpath.length() == (last + 1)) && 366 this.cpath.regionMatches(0, that.cpath, 0, last+1); 367 } 368 } 369 } 370 } else if (that.directory) { 371 // if this is NOT recursive/wildcarded, 372 // do not let it imply a recursive/wildcarded permission 373 return false; 374 } else { 375 return (this.cpath.equals(that.cpath)); 376 } 377 } 378 379 /** 380 * Checks two FilePermission objects for equality. Checks that <i>obj</i> is 381 * a FilePermission, and has the same pathname and actions as this object. 382 * 383 * @param obj the object we are testing for equality with this object. 384 * @return <code>true</code> if obj is a FilePermission, and has the same 385 * pathname and actions as this FilePermission object, 386 * <code>false</code> otherwise. 387 */ 388 @Override 389 public boolean equals(Object obj) { 390 if (obj == this) 391 return true; 392 393 if (! (obj instanceof FilePermission)) 394 return false; 395 396 FilePermission that = (FilePermission) obj; 397 398 return (this.mask == that.mask) && 399 this.cpath.equals(that.cpath) && 400 (this.directory == that.directory) && 401 (this.recursive == that.recursive); 402 } 403 404 /** 405 * Returns the hash code value for this object. 406 * 407 * @return a hash code value for this object. 408 */ 409 @Override 410 public int hashCode() { 411 return 0; 412 } 413 414 /** 415 * Converts an actions String to an actions mask. 416 * 417 * @param actions the action string. 418 * @return the actions mask. 419 */ 420 private static int getMask(String actions) { 421 int mask = NONE; 422 423 // Null action valid? 424 if (actions == null) { 425 return mask; 426 } 427 428 // Use object identity comparison against known-interned strings for 429 // performance benefit (these values are used heavily within the JDK). 430 if (actions == SecurityConstants.FILE_READ_ACTION) { 431 return READ; 432 } else if (actions == SecurityConstants.FILE_WRITE_ACTION) { 433 return WRITE; 434 } else if (actions == SecurityConstants.FILE_EXECUTE_ACTION) { 435 return EXECUTE; 436 } else if (actions == SecurityConstants.FILE_DELETE_ACTION) { 437 return DELETE; 438 } else if (actions == SecurityConstants.FILE_READLINK_ACTION) { 439 return READLINK; 440 } 441 442 char[] a = actions.toCharArray(); 443 444 int i = a.length - 1; 445 if (i < 0) 446 return mask; 447 448 while (i != -1) { 449 char c; 450 451 // skip whitespace 452 while ((i!=-1) && ((c = a[i]) == ' ' || 453 c == '\r' || 454 c == '\n' || 455 c == '\f' || 456 c == '\t')) 457 i--; 458 459 // check for the known strings 460 int matchlen; 461 462 if (i >= 3 && (a[i-3] == 'r' || a[i-3] == 'R') && 463 (a[i-2] == 'e' || a[i-2] == 'E') && 464 (a[i-1] == 'a' || a[i-1] == 'A') && 465 (a[i] == 'd' || a[i] == 'D')) 466 { 467 matchlen = 4; 468 mask |= READ; 469 470 } else if (i >= 4 && (a[i-4] == 'w' || a[i-4] == 'W') && 471 (a[i-3] == 'r' || a[i-3] == 'R') && 472 (a[i-2] == 'i' || a[i-2] == 'I') && 473 (a[i-1] == 't' || a[i-1] == 'T') && 474 (a[i] == 'e' || a[i] == 'E')) 475 { 476 matchlen = 5; 477 mask |= WRITE; 478 479 } else if (i >= 6 && (a[i-6] == 'e' || a[i-6] == 'E') && 480 (a[i-5] == 'x' || a[i-5] == 'X') && 481 (a[i-4] == 'e' || a[i-4] == 'E') && 482 (a[i-3] == 'c' || a[i-3] == 'C') && 483 (a[i-2] == 'u' || a[i-2] == 'U') && 484 (a[i-1] == 't' || a[i-1] == 'T') && 485 (a[i] == 'e' || a[i] == 'E')) 486 { 487 matchlen = 7; 488 mask |= EXECUTE; 489 490 } else if (i >= 5 && (a[i-5] == 'd' || a[i-5] == 'D') && 491 (a[i-4] == 'e' || a[i-4] == 'E') && 492 (a[i-3] == 'l' || a[i-3] == 'L') && 493 (a[i-2] == 'e' || a[i-2] == 'E') && 494 (a[i-1] == 't' || a[i-1] == 'T') && 495 (a[i] == 'e' || a[i] == 'E')) 496 { 497 matchlen = 6; 498 mask |= DELETE; 499 500 } else if (i >= 7 && (a[i-7] == 'r' || a[i-7] == 'R') && 501 (a[i-6] == 'e' || a[i-6] == 'E') && 502 (a[i-5] == 'a' || a[i-5] == 'A') && 503 (a[i-4] == 'd' || a[i-4] == 'D') && 504 (a[i-3] == 'l' || a[i-3] == 'L') && 505 (a[i-2] == 'i' || a[i-2] == 'I') && 506 (a[i-1] == 'n' || a[i-1] == 'N') && 507 (a[i] == 'k' || a[i] == 'K')) 508 { 509 matchlen = 8; 510 mask |= READLINK; 511 512 } else { 513 // parse error 514 throw new IllegalArgumentException( 515 "invalid permission: " + actions); 516 } 517 518 // make sure we didn't just match the tail of a word 519 // like "ackbarfaccept". Also, skip to the comma. 520 boolean seencomma = false; 521 while (i >= matchlen && !seencomma) { 522 switch(a[i-matchlen]) { 523 case ',': 524 seencomma = true; 525 break; 526 case ' ': case '\r': case '\n': 527 case '\f': case '\t': 528 break; 529 default: 530 throw new IllegalArgumentException( 531 "invalid permission: " + actions); 532 } 533 i--; 534 } 535 536 // point i at the location of the comma minus one (or -1). 537 i -= matchlen; 538 } 539 540 return mask; 541 } 542 543 /** 544 * Return the current action mask. Used by the FilePermissionCollection. 545 * 546 * @return the actions mask. 547 */ 548 int getMask() { 549 return mask; 550 } 551 552 /** 553 * Return the canonical string representation of the actions. 554 * Always returns present actions in the following order: 555 * read, write, execute, delete, readlink. 556 * 557 * @return the canonical string representation of the actions. 558 */ 559 private static String getActions(int mask) { 560 StringJoiner sj = new StringJoiner(","); 561 562 if ((mask & READ) == READ) { 563 sj.add("read"); 564 } 565 if ((mask & WRITE) == WRITE) { 566 sj.add("write"); 567 } 568 if ((mask & EXECUTE) == EXECUTE) { 569 sj.add("execute"); 570 } 571 if ((mask & DELETE) == DELETE) { 572 sj.add("delete"); 573 } 574 if ((mask & READLINK) == READLINK) { 575 sj.add("readlink"); 576 } 577 578 return sj.toString(); 579 } 580 581 /** 582 * Returns the "canonical string representation" of the actions. 583 * That is, this method always returns present actions in the following order: 584 * read, write, execute, delete, readlink. For example, if this FilePermission 585 * object allows both write and read actions, a call to <code>getActions</code> 586 * will return the string "read,write". 587 * 588 * @return the canonical string representation of the actions. 589 */ 590 @Override 591 public String getActions() { 592 if (actions == null) 593 actions = getActions(this.mask); 594 595 return actions; 596 } 597 598 /** 599 * Returns a new PermissionCollection object for storing FilePermission 600 * objects. 601 * <p> 602 * FilePermission objects must be stored in a manner that allows them 603 * to be inserted into the collection in any order, but that also enables the 604 * PermissionCollection <code>implies</code> 605 * method to be implemented in an efficient (and consistent) manner. 606 * 607 * <p>For example, if you have two FilePermissions: 608 * <OL> 609 * <LI> <code>"/tmp/-", "read"</code> 610 * <LI> <code>"/tmp/scratch/foo", "write"</code> 611 * </OL> 612 * 613 * <p>and you are calling the <code>implies</code> method with the FilePermission: 614 * 615 * <pre> 616 * "/tmp/scratch/foo", "read,write", 617 * </pre> 618 * 619 * then the <code>implies</code> function must 620 * take into account both the "/tmp/-" and "/tmp/scratch/foo" 621 * permissions, so the effective permission is "read,write", 622 * and <code>implies</code> returns true. The "implies" semantics for 623 * FilePermissions are handled properly by the PermissionCollection object 624 * returned by this <code>newPermissionCollection</code> method. 625 * 626 * @return a new PermissionCollection object suitable for storing 627 * FilePermissions. 628 */ 629 @Override 630 public PermissionCollection newPermissionCollection() { 631 return new FilePermissionCollection(); 632 } 633 634 /** 635 * WriteObject is called to save the state of the FilePermission 636 * to a stream. The actions are serialized, and the superclass 637 * takes care of the name. 638 */ 639 private void writeObject(ObjectOutputStream s) 640 throws IOException 641 { 642 // Write out the actions. The superclass takes care of the name 643 // call getActions to make sure actions field is initialized 644 if (actions == null) 645 getActions(); 646 s.defaultWriteObject(); 647 } 648 649 /** 650 * readObject is called to restore the state of the FilePermission from 651 * a stream. 652 */ 653 private void readObject(ObjectInputStream s) 654 throws IOException, ClassNotFoundException 655 { 656 // Read in the actions, then restore everything else by calling init. 657 s.defaultReadObject(); 658 init(getMask(actions)); 659 } 660} 661 662/** 663 * A FilePermissionCollection stores a set of FilePermission permissions. 664 * FilePermission objects 665 * must be stored in a manner that allows them to be inserted in any 666 * order, but enable the implies function to evaluate the implies 667 * method. 668 * For example, if you have two FilePermissions: 669 * <OL> 670 * <LI> "/tmp/-", "read" 671 * <LI> "/tmp/scratch/foo", "write" 672 * </OL> 673 * And you are calling the implies function with the FilePermission: 674 * "/tmp/scratch/foo", "read,write", then the implies function must 675 * take into account both the /tmp/- and /tmp/scratch/foo 676 * permissions, so the effective permission is "read,write". 677 * 678 * @see java.security.Permission 679 * @see java.security.Permissions 680 * @see java.security.PermissionCollection 681 * 682 * 683 * @author Marianne Mueller 684 * @author Roland Schemers 685 * 686 * @serial include 687 * 688 */ 689 690final class FilePermissionCollection extends PermissionCollection 691 implements Serializable 692{ 693 // Not serialized; see serialization section at end of class 694 private transient ConcurrentHashMap<String, Permission> perms; 695 696 /** 697 * Create an empty FilePermissionCollection object. 698 */ 699 public FilePermissionCollection() { 700 perms = new ConcurrentHashMap<>(); 701 } 702 703 /** 704 * Adds a permission to the FilePermissionCollection. The key for the hash is 705 * permission.path. 706 * 707 * @param permission the Permission object to add. 708 * 709 * @exception IllegalArgumentException - if the permission is not a 710 * FilePermission 711 * 712 * @exception SecurityException - if this FilePermissionCollection object 713 * has been marked readonly 714 */ 715 @Override 716 public void add(Permission permission) { 717 if (! (permission instanceof FilePermission)) 718 throw new IllegalArgumentException("invalid permission: "+ 719 permission); 720 if (isReadOnly()) 721 throw new SecurityException( 722 "attempt to add a Permission to a readonly PermissionCollection"); 723 724 FilePermission fp = (FilePermission)permission; 725 726 // Add permission to map if it is absent, or replace with new 727 // permission if applicable. NOTE: cannot use lambda for 728 // remappingFunction parameter until JDK-8076596 is fixed. 729 perms.merge(fp.getName(), fp, 730 new java.util.function.BiFunction<>() { 731 @Override 732 public Permission apply(Permission existingVal, 733 Permission newVal) { 734 int oldMask = ((FilePermission)existingVal).getMask(); 735 int newMask = ((FilePermission)newVal).getMask(); 736 if (oldMask != newMask) { 737 int effective = oldMask | newMask; 738 if (effective == newMask) { 739 return newVal; 740 } 741 if (effective != oldMask) { 742 return new FilePermission(fp.getName(), effective); 743 } 744 } 745 return existingVal; 746 } 747 } 748 ); 749 } 750 751 /** 752 * Check and see if this set of permissions implies the permissions 753 * expressed in "permission". 754 * 755 * @param permission the Permission object to compare 756 * 757 * @return true if "permission" is a proper subset of a permission in 758 * the set, false if not. 759 */ 760 @Override 761 public boolean implies(Permission permission) { 762 if (! (permission instanceof FilePermission)) 763 return false; 764 765 FilePermission fperm = (FilePermission) permission; 766 767 int desired = fperm.getMask(); 768 int effective = 0; 769 int needed = desired; 770 771 for (Permission perm : perms.values()) { 772 FilePermission fp = (FilePermission)perm; 773 if (((needed & fp.getMask()) != 0) && fp.impliesIgnoreMask(fperm)) { 774 effective |= fp.getMask(); 775 if ((effective & desired) == desired) { 776 return true; 777 } 778 needed = (desired ^ effective); 779 } 780 } 781 return false; 782 } 783 784 /** 785 * Returns an enumeration of all the FilePermission objects in the 786 * container. 787 * 788 * @return an enumeration of all the FilePermission objects. 789 */ 790 @Override 791 public Enumeration<Permission> elements() { 792 return perms.elements(); 793 } 794 795 private static final long serialVersionUID = 2202956749081564585L; 796 797 // Need to maintain serialization interoperability with earlier releases, 798 // which had the serializable field: 799 // private Vector permissions; 800 801 /** 802 * @serialField permissions java.util.Vector 803 * A list of FilePermission objects. 804 */ 805 private static final ObjectStreamField[] serialPersistentFields = { 806 new ObjectStreamField("permissions", Vector.class), 807 }; 808 809 /** 810 * @serialData "permissions" field (a Vector containing the FilePermissions). 811 */ 812 /* 813 * Writes the contents of the perms field out as a Vector for 814 * serialization compatibility with earlier releases. 815 */ 816 private void writeObject(ObjectOutputStream out) throws IOException { 817 // Don't call out.defaultWriteObject() 818 819 // Write out Vector 820 Vector<Permission> permissions = new Vector<>(perms.values()); 821 822 ObjectOutputStream.PutField pfields = out.putFields(); 823 pfields.put("permissions", permissions); 824 out.writeFields(); 825 } 826 827 /* 828 * Reads in a Vector of FilePermissions and saves them in the perms field. 829 */ 830 private void readObject(ObjectInputStream in) 831 throws IOException, ClassNotFoundException 832 { 833 // Don't call defaultReadObject() 834 835 // Read in serialized fields 836 ObjectInputStream.GetField gfields = in.readFields(); 837 838 // Get the one we want 839 @SuppressWarnings("unchecked") 840 Vector<Permission> permissions = (Vector<Permission>)gfields.get("permissions", null); 841 perms = new ConcurrentHashMap<>(permissions.size()); 842 for (Permission perm : permissions) { 843 perms.put(perm.getName(), perm); 844 } 845 } 846} 847