Examples of java.security.ProtectionDomain

• java.security.ProtectionDomain

  This ProtectionDomain class encapsulates the characteristics of a domain, which encloses a set of classes whose instances are granted a set of permissions when being executed on behalf of a given set of Principals.

  A static set of permissions can be bound to a ProtectionDomain when it is constructed; such permissions are granted to the domain regardless of the Policy in force. However, to support dynamic security policies, a ProtectionDomain can also be constructed such that it is dynamically mapped to a set of permissions by the current Policy whenever a permission is checked.

  @version 1.47, 11/17/05 @author Li Gong @author Roland Schemers @author Gary Ellison

        /*
         * Iterate over ProtectionDomains and and check implies().
         */
        for (int i = 0; i < protectionDomains.length; i++) {
            ProtectionDomain pd = protectionDomains[i];

            if (pd == null) {
                continue;
            }

            /*
             * Get CodeSource for ProtectionDomain.
             */
            CodeSource cs = protectionDomains[i].getCodeSource();

            /*
             * Call getPermissions() on PolicyFileProvider passing
             * ProtectionDomain.
             */
            PermissionCollection pcPD = policy.getPermissions(pd);

            /*
             * Call getPermissions() on PolicyFileProvider passing
             * CodeSource.
             */
            PermissionCollection pcCS = policy.getPermissions(cs);

            /*
             * Verify that permissions that granted in the policy file
             * are included in the Enumeration returned from
             * PermissionCollection.elements() for permission collections
             * returned from Policy.getPermissions(ProtectionDomain) and
             * Policy.getPermissions(CodeSource).
             */
            checkElements(pcPD, pma[IGRANTED], true);
            checkElements(pcCS, pma[IGRANTED], true);

            /*
             * Verify that permissions that not granted in the policy file
             * are not included in the Enumeration returned from
             * PermissionCollection.elements() for permission collections
             * returned from Policy.getPermissions(ProtectionDomain) and
             * Policy.getPermissions(CodeSource).
             */
            checkElements(pcPD, pma[INOTGRANTED], false);
            checkElements(pcCS, pma[INOTGRANTED], false);

            /*
             * For ProtectionDomains that have
             * PreferredClassLoader as ClassLoader
             * verify that permissions that granted to
             * qa1-policy-provider.jar's codebase
             * are included in the Enumeration returned from
             * PermissionCollection.elements() for permission collections
             * returned from Policy.getPermissions(ProtectionDomain) and
             * Policy.getPermissions(CodeSource).
             */
            if (pd.getClassLoader() instanceof PreferredClassLoader) {
                checkElements(pcPD, pma[ICODEBASEGRANTED], true);
                checkElements(pcCS, pma[ICODEBASEGRANTED], true);
            }

            if (pma[ICODEBASENOTGRANTED] == null) {
                continue;
            }

            /*
             * For ProtectionDomains that have
             * PreferredClassLoader as ClassLoader
             * verify that permissions that are not granted to
             * qa1-policy-provider.jar's codebase
             * are not included in the Enumeration returned from
             * PermissionCollection.elements() for permission collections
             * returned from Policy.getPermissions(ProtectionDomain) and
             * Policy.getPermissions(CodeSource).
             */
            if (pd.getClassLoader() instanceof PreferredClassLoader) {
                checkElements(pcPD, pma[ICODEBASENOTGRANTED], false);
                checkElements(pcCS, pma[ICODEBASENOTGRANTED], false);
            }
        }
    }

                // non-preferred classes. Do additional tetsing:
                // try to invoke getPermissions() directly
                // for non-preferred classes with its codesource,
                // so we expect SecurityException in this case.
            }
            ProtectionDomain pd = classLoaded.getProtectionDomain();
            CodeSource cs = pd.getCodeSource();
            PermissionCollection pc = null;

            try {
                pc = loader.getPermissionsTest(cs);
            } catch (SecurityException ex) {

     * specified permissions of the specified type.
     */
    public static AccessControlContext withPermissions(Class permissionClass,
                   Permission[] permissions)
    {
  ProtectionDomain domain = UnitTestUtilities.class.getProtectionDomain();
  PermissionCollection origPerms =
      Policy.getPolicy().getPermissions(domain);
  Permissions perms = new Permissions();
  for (Enumeration en = origPerms.elements();
       en.hasMoreElements(); )
  {
      Permission perm = (Permission) en.nextElement();
      if (!(permissionClass.isInstance(perm)
      || isUnresolvedInstanceOf(perm, permissionClass)))
      {
    perms.add(perm);
      }
  }
  if (permissions != null) {
      for (int i = 0; i < permissions.length; i++) {
    perms.add(permissions[i]);
      }
  }
  return new AccessControlContext(
      new ProtectionDomain[] {
    new ProtectionDomain(null, perms)
      });
    }

        permissions.add(perms[i]);
      }
  }
  return new AccessControlContext(
      new ProtectionDomain[] {
    new ProtectionDomain(null, permissions)
      });
    }

  if (isKerberos) {
      permissions.add(new AuthenticationPermission("* \"*\"", "connect"));
  }
  AccessControlContext acc = new AccessControlContext(
            new ProtectionDomain[] {
            new ProtectionDomain(null, permissions),
  });
  if (isKerberos) {
      // kerberos needs the current subject
      return new AccessControlContext(acc, sdc);
  } else {

            for (int j = 0; j < cla.length; j++) {

                /*
                 * Get ProtectionDomain for loaded class.
                 */
                ProtectionDomain pd = cla[j].getProtectionDomain();

                /*
                 * Get CodeSource for ProtectionDomain for loaded class.
                 */
                CodeSource s = pd.getCodeSource();

                /*
                 * Create new ProtectionDomain passing code source,
                 * null as PermissionCollection, class loader of
                 * class and null as array of Principals.
                 */
                ProtectionDomain pdNew01 = new ProtectionDomain(s, null,
                        classLoaders[i], null);

                /*
                 * Create new ProtectionDomain passing null as code source,
                 * null as PermissionCollection, class loader of
                 * class and null as array of Principals.
                 */
                ProtectionDomain pdNew02 = new ProtectionDomain(null, null,
                        classLoaders[i], null);

                /*
                 * Iterate over dynamic granted permissions.
                 */
                for (int k = 0; k < pmDynamicGranted.length; k++) {

                    /*
                     * Call implies() on DynamicPolicyProvider passing
                     * ProtectionDomain for loaded class and granted
                     * permission.
                     * Call implies() on DynamicPolicyProvider passing
                     * newly created ProtectionDomains and granted
                     * permission.
                     * Verify that implies() returns true for permissions
                     * that should be granted for these ProtectionDomains
                     * and false otherwise.
                     */
                    Permission[] p = new Permission[] {
                        pmDynamicGranted[k] };
                    boolean shouldReturn = (k <= i);
                    checkImplies(pd, p, shouldReturn, false);
                    checkImplies(pdNew01, p, shouldReturn, false);
                    checkImplies(pdNew02, p, shouldReturn, false);
                }
            }
        }

        /*
         * Call grant() on DynamicPolicyProvider passing
         * null as specified class and permissions so that
         * some permissions are dynamic granted earlier and
         * some permissions are not dynamic granted yet.
         * Lets name these permissions pmAll.
         */
        Permission[] pmAll = new Permission[] { pm3, pm8 };
        Permission[] pmAsided = new Permission[] { pm4, pm7 };
        String nameAll = pm3.toString() + ", " + pm8.toString();
        msg = "policy.grant(null, null, " + nameAll + ")";
        callGrant(null, null, pmAll, msg);

        /*
         * Iterate over ProtectionDomains (including null ProtectionDomain)
         * and call implies() on DynamicPolicyProvider.
         */
        for (int i = 0; i < protectionDomains.length; i++) {
            ProtectionDomain pd = protectionDomains[i];

            /*
             * Call implies on DynamicPolicyProvider passing
             * pmAll permissions. Verify that implies()
             * returns true for null and non-null
             * ProtectionDomains.
             */
            checkImplies(pd, pmAll, true, false);

            /*
             * Call implies on DynamicPolicyProvider passing
             * permissions that granted in the policy file. Verify that
             * implies() returns false if ProtectionDomain is equal to null,
             * and verify that implies() returns true for non-null
             * ProtectionDomains.
             */
            checkImplies(pd, pmGranted, true, true);

            /*
             * Call implies on DynamicPolicyProvider passing
             * not granted permissions. Verify that implies()
             * returns false for null and non-null
             * ProtectionDomains.
             */
            checkImplies(pd, pmDynamicNotGranted, false, false);

            if (pd == null) {
                continue;
            }

            /*
             * Get CodeSource for ProtectionDomain.
             */
            CodeSource s = pd.getCodeSource();

            /*
             * Iterate over class loaders.
             */
            for (int j = 0; j < classLoaders.length; j++) {

                /*
                 * Create new ProtectionDomain passing code source,
                 * null as PermissionCollection, class loader and
                 * null as array of Principals.
                 */
                ProtectionDomain pdNew01 = new ProtectionDomain(s, null,
                        classLoaders[j], null);

                /*
                 * Create new ProtectionDomain passing null as code source,
                 * null as PermissionCollection, class loader
                 * and null as array of Principals.
                 */
                ProtectionDomain pdNew02 = new ProtectionDomain(null, null,
                        classLoaders[j], null);

                /*
                 * Call implies() on DynamicPolicyProvider passing
                 * newly created ProtectionDomains and pmAll

                /*
                 * Create ProtectionDomain passing null as CodeSource,
                 * null as PermissionCollection, class loader and created
                 * array of QAPrincipals.
                 */
                ProtectionDomain pd = new ProtectionDomain(null, null,
                        classLoaders[i], praa[i]);

                /*
                 * Call implies() on DynamicPolicyProvider passing
                 * created ProtectionDomain and permissions that are
                 * granted in the policy file.
                 * Verify that implies() returns false.
                 */
                checkImplies(pd, pmGranted, false, false);

                /*
                 * Call implies() on DynamicPolicyProvider passing
                 * created ProtectionDomain and permissions that are
                 * dynamic granted in the policy file.
                 * Verify that implies() returns false.
                 */
                checkImplies(pd, pmDynamicGranted, false, false);

                /*
                 * Call implies() on DynamicPolicyProvider passing
                 * created ProtectionDomain and permissions that are
                 * not granted in the policy file.
                 * Verify that implies() returns false.
                 */
                checkImplies(pd, pmDynamicNotGranted, false, false);
            }
        }

        /*
         * Iterate over created array of array of QAPrincipals.
         */
        for (int i = 0; i <= praBase.length; i++) {

            /*
             * For all loaded classes call grant() on
             * DynamicPolicyProvider passing array of QAPrincipals and
             * passing permissions that should NOT BE dynamic granted
             * and verify that SecurityExceptions are thrown.
             */
            checkGrant(classes, praa[i], pmGranted, true);
            checkGrant(classes, praa[i], pmNotGranted, true);
            checkGrant(classes, praa[i], pmDynamicNotGranted, true);
        }

        /*
         * Verify that size of array of loaded classes is less then
         * the size of created array of array of QAPrincipals.
         */
        if (classes.length >= praBase.length) {
            throw new TestException("Too many loaded classes.");
        }

        /*
         * Iterate over loaded classes.
         */
        for (int i = 1; i < classes.length; i++) {

            /*
             * Call grant() on DynamicPolicyProvider
             * passing class, array of QAPrincipals so that
             * index of passing class shoud be equal to
             * index of array of array of QAPrincipals and
             * permissions that should BE dynamic granted
             * and verify that no exceptions are thrown.
             */
            Class[] cla = new Class[] { classes[i] };
            checkGrant(cla, praa[i], pmDynamicGranted, false);
        }

        /*
         * Iterate over loaded classes and check for
         * dynamic permissions granted earlier using getGrants()
         * method.
         */
        int boundCheck = Util.listClasses.length;
        for (int i = 1; i < classes.length; i++) {
            Class[] cla = new Class[] { classes[i] };

            /*
             * Iterate over array of array of QAPrincipals and
             * call getGrants() passing array of QAPrincipals.
             * Verify that getGrants() returns permissions that are
             * dynamic granted earlier only for array of QAPrincipals
             * that have index more or equal to upperbound index
             * for classes that belongs to the same class loader.
             * For indexes that less then upperbound index
             * getGrants() should return empty array of permissions.
             *
             */
            for (int j = 0; j <= praBase.length; j++) {
                int upperBound = 1 + ((i - 1) / boundCheck) * boundCheck;

                if (j < upperBound) {
                    checkGetGrants(cla, praa[j], pmEmpty);
                } else {
                    checkGetGrants(cla, praa[j], pmDynamicGranted);
                }
            }
        }

        /*
         * Iterate over loaded classes and check for
         * dynamic permissions granted earlier using implies()
         * method.
         */
        for (int i = 1; i < classes.length; i++) {

            /*
             * Get CodeSource of class.
             */
            CodeSource s = classes[i].getProtectionDomain().getCodeSource();

            /*
             * Iterate over array of array of QAPrincipals.
             */
            for (int j = 0; j < praBase.length; j++) {

                /*
                 * Create ProtectionDomain passing code source of class,
                 * null as PermissionCollection, class loader of
                 * class and created array of QAPrincipals.
                 */
                ProtectionDomain pd = new ProtectionDomain(s, null,
                        classes[i].getClassLoader(), praa[j]);

                /*
                 * Call implies() on DynamicPolicyProvider passing
                 * created ProtectionDomain and

     **/
    protected PermissionCollection getPermissions(CodeSource codeSource) {
  if (requireDlPerm) {
      SecurityManager sm = System.getSecurityManager();
      if (sm != null) {
    ProtectionDomain pd =
        new ProtectionDomain(codeSource, null, this, null);

    if (!pd.implies(downloadPermission)) {
        throw new SecurityException(
      "CodeSource not permitted to define class: " +
      codeSource);
    }
      }

  /*
   * Create an AccessControlContext that consists of a single
   * protection domain with only the permissions calculated above.
   */
  ProtectionDomain pd = new ProtectionDomain(
      new CodeSource((urls.length > 0 ? urls[0] : null),
         (Certificate[]) null), perms);
  return new AccessControlContext(new ProtectionDomain[] { pd });
    }

      {
         Class iface = ifaces[i];
         results.append("\n++"+iface+"("+Integer.toHexString(iface.hashCode())+")");
         ClassLoader loader = ifaces[i].getClassLoader();
         results.append("\n++++ClassLoader: "+loader);
         ProtectionDomain pd = ifaces[i].getProtectionDomain();
         CodeSource cs = pd.getCodeSource();
         if( cs != null )
            results.append("\n++++CodeSource: "+cs);
         else
            results.append("\n++++Null CodeSource");
      }