Examples of java.security.Policy

• java.security.Policy
  A Policy object is responsible for determining whether code executing in the Java runtime environment has permission to perform a security-sensitive operation.

  There is only one Policy object installed in the runtime at any given time. A Policy object can be installed by calling the setPolicy method. The installed Policy object can be obtained by calling the getPolicy method.

  If no Policy object has been installed in the runtime, a call to getPolicy installs an instance of the default Policy implementation (a default subclass implementation of this abstract class). The default Policy implementation can be changed by setting the value of the "policy.provider" security property (in the Java security properties file) to the fully qualified name of the desired Policy subclass implementation. The Java security properties file is located in the file named <JAVA_HOME>/lib/security/java.security. <JAVA_HOME> refers to the value of the java.home system property, and specifies the directory where the JRE is installed.

  Application code can directly subclass Policy to provide a custom implementation. In addition, an instance of a Policy object can be constructed by invoking one of the getInstance factory methods with a standard type. The default policy type is "JavaPolicy". See Appendix A in the Java Cryptography Architecture API Specification & Reference for a list of standard Policy types.

  Once a Policy instance has been installed (either by default, or by calling setPolicy), the Java runtime invokes its implies when it needs to determine whether executing code (encapsulated in a ProtectionDomain) can perform SecurityManager-protected operations. How a Policy object retrieves its policy data is up to the Policy implementation itself. The policy data may be stored, for example, in a flat ASCII file, in a serialized binary file of the Policy class, or in a database.

  The refresh method causes the policy object to refresh/reload its data. This operation is implementation-dependent. For example, if the policy object stores its data in configuration files, calling refresh will cause it to re-read the configuration policy files. If a refresh operation is not supported, this method does nothing. Note that refreshed policy may not have an effect on classes in a particular ProtectionDomain. This is dependent on the Policy provider's implementation of the implies method and its PermissionCollection caching strategy. @author Roland Schemers @author Gary Ellison @version 1.103, 11/17/06 @see java.security.Provider @see java.security.ProtectionDomain @see java.security.Permission

        // Setup the PermissionCollection for this web app context
        // based on the permissions configured for the root of the
        // web app context directory, then add a file read permission
        // for that directory.
        Policy policy = Policy.getPolicy();
        if( policy != null ) {
            try {
                // Get the permissions for the web app context
                String docBase = context.getRealPath("/");
                if( docBase == null ) {
                    docBase = options.getScratchDir().toString();
                }
                String codeBase = docBase;
                if (!codeBase.endsWith(File.separator)){
                    codeBase = codeBase + File.separator;
                }
                File contextDir = new File(codeBase);
                URL url = contextDir.getCanonicalFile().toURL();
                codeSource = new CodeSource(url,(Certificate[])null);
                permissionCollection = policy.getPermissions(codeSource);

                // Create a file read permission for web app context directory
                if (!docBase.endsWith(File.separator)){
                    permissionCollection.add
                        (new FilePermission(docBase,"read"));

            }

            final URL sourceUrl = jar.getResource(name.replace('.', '/')
                + ".class");
            final CodeSource cs = new CodeSource(sourceUrl, (Certificate[]) null);
            final Policy policy = (Policy) AccessController
                .doPrivileged(GetPolicyAction.getInstance());
            final ProtectionDomain pd = new ProtectionDomain(cs, policy
                .getPermissions(cs));
            final Class<?> cls = defineClass(name, b, pd);
            resolveClass(cls);
            return cls;
        } else {

         IllegalStateException ex = new IllegalStateException("Failed to parse jacc-policy-config-states.xml");
         ex.initCause(e);
         throw ex;
      }
      // Get the DelegatingPolicy
      Policy p = Policy.getPolicy();
      if( (p instanceof DelegatingPolicy) == false )
      {
         // Assume that the installed policy delegates to the DelegatingPolicy
         p = DelegatingPolicy.getInstance();
      }

  PermissionCollection perms = (PermissionCollection)
      AccessController.doPrivileged(new PrivilegedAction() {
    public Object run() {
        CodeSource codesource =
      new CodeSource(null, (Certificate[]) null);
        Policy p = java.security.Policy.getPolicy();
        if (p != null) {
      return p.getPermissions(codesource);
        } else {
      return new Permissions();
        }
    }
      });

        String policyProvider = System.getProperty("javax.security.jacc.policy.provider", JaccProvider.Policy.class.getName());
        try {
            ClassLoader classLoader = Thread.currentThread().getContextClassLoader();
            Class policyClass = Class.forName(policyProvider, true, classLoader);
            Policy policy = (Policy) policyClass.newInstance();
            policy.refresh();
            Policy.setPolicy(policy);
        } catch (Exception e) {
            throw new IllegalStateException("Could not install JACC Policy Provider: "+policyProvider, e);
        }
    }

            new AggregatePolicyProvider(initialGlobalPolicy);
        Policy.setPolicy(globalPolicy);
              logger.log(Level.FINEST,
            "Global policy set: {0}", globalPolicy);
          }
    Policy service_policy =
        getServicePolicyProvider(
            new PolicyFileProvider(desc.policy));
    Policy backstop_policy =
        getServicePolicyProvider(initialGlobalPolicy);
                LoaderSplitPolicyProvider split_service_policy =
                    new LoaderSplitPolicyProvider(
                        cl, service_policy, backstop_policy);
    /* Grant "this" code enough permission to do its work

            return path.toString();
        }
    }

    static Policy getServicePolicyProvider(Policy service_policy) throws Exception {
        Policy servicePolicyWrapper = null;
        if (servicePolicyProvider != null) {
       Class sp = Class.forName(servicePolicyProvider);
      logger.log(Level.FINEST,
          "Obtained custom service policy implementation class: {0}", sp);
      Constructor constructor =

        try {
            // The policy file may have been modified to adjust
            // permissions, so we're reloading it when loading or
            // reloading a Context
            Policy policy = Policy.getPolicy();
            policy.refresh();
        } catch (AccessControlException e) {
            // Some policy files may restrict this, even for the core,
            // so this exception is ignored
        }

        PermissionCollection perms = (PermissionCollection)
                AccessController.doPrivileged(new PrivilegedAction() {
                    public Object run() {
                        CodeSource cs =
                                new CodeSource(null, (Certificate []) null);
                        Policy policy = Policy.getPolicy();

                        if (policy != null) {
                            return policy.getPermissions(cs);
                        }
                        return new Permissions();
                    }
                });

                return testImpl();
            } else {
                // Emulate calling from restricted code. We create a
                // calling context with only the permission to read
                // the file.
                Policy policy = Policy.getPolicy();
                URL classesURL = (new File("classes")).toURL();
                CodeSource cs = new CodeSource(classesURL, null);
                PermissionCollection permissionsOrig
                    = policy.getPermissions(cs);
                Permissions permissions = new Permissions();
                Enumeration iter = permissionsOrig.elements();
                while (iter.hasMoreElements()) {
                    Permission p = (Permission)iter.nextElement();
                    if (!(p instanceof RuntimePermission)) {