J. Duke | 319a3b9 | 2007-12-01 00:00:00 +0000 | [diff] [blame^] | 1 | /* |
| 2 | * Copyright 1999-2006 Sun Microsystems, Inc. All Rights Reserved. |
| 3 | * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. |
| 4 | * |
| 5 | * This code is free software; you can redistribute it and/or modify it |
| 6 | * under the terms of the GNU General Public License version 2 only, as |
| 7 | * published by the Free Software Foundation. Sun designates this |
| 8 | * particular file as subject to the "Classpath" exception as provided |
| 9 | * by Sun in the LICENSE file that accompanied this code. |
| 10 | * |
| 11 | * This code is distributed in the hope that it will be useful, but WITHOUT |
| 12 | * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or |
| 13 | * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License |
| 14 | * version 2 for more details (a copy is included in the LICENSE file that |
| 15 | * accompanied this code). |
| 16 | * |
| 17 | * You should have received a copy of the GNU General Public License version |
| 18 | * 2 along with this work; if not, write to the Free Software Foundation, |
| 19 | * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. |
| 20 | * |
| 21 | * Please contact Sun Microsystems, Inc., 4150 Network Circle, Santa Clara, |
| 22 | * CA 95054 USA or visit www.sun.com if you need additional information or |
| 23 | * have any questions. |
| 24 | */ |
| 25 | |
| 26 | package com.sun.security.auth; |
| 27 | |
| 28 | import java.net.URL; |
| 29 | import java.util.*; |
| 30 | import java.security.CodeSource; |
| 31 | import java.security.Principal; |
| 32 | import java.security.cert.Certificate; |
| 33 | import java.lang.reflect.Constructor; |
| 34 | |
| 35 | import javax.security.auth.Subject; |
| 36 | |
| 37 | /** |
| 38 | * <p> This <code>SubjectCodeSource</code> class contains |
| 39 | * a <code>URL</code>, signer certificates, and either a <code>Subject</code> |
| 40 | * (that represents the <code>Subject</code> in the current |
| 41 | * <code>AccessControlContext</code>), |
| 42 | * or a linked list of Principals/PrincipalComparators |
| 43 | * (that represent a "subject" in a <code>Policy</code>). |
| 44 | * |
| 45 | */ |
| 46 | class SubjectCodeSource extends CodeSource implements java.io.Serializable { |
| 47 | |
| 48 | private static final long serialVersionUID = 6039418085604715275L; |
| 49 | |
| 50 | private static final java.util.ResourceBundle rb = |
| 51 | java.security.AccessController.doPrivileged |
| 52 | (new java.security.PrivilegedAction<java.util.ResourceBundle>() { |
| 53 | public java.util.ResourceBundle run() { |
| 54 | return (java.util.ResourceBundle.getBundle |
| 55 | ("sun.security.util.AuthResources")); |
| 56 | } |
| 57 | }); |
| 58 | |
| 59 | private Subject subject; |
| 60 | private LinkedList<PolicyParser.PrincipalEntry> principals; |
| 61 | private static final Class[] PARAMS = { String.class }; |
| 62 | private static final sun.security.util.Debug debug = |
| 63 | sun.security.util.Debug.getInstance("auth", "\t[Auth Access]"); |
| 64 | private ClassLoader sysClassLoader; |
| 65 | |
| 66 | /** |
| 67 | * Creates a new <code>SubjectCodeSource</code> |
| 68 | * with the given <code>Subject</code>, principals, <code>URL</code>, |
| 69 | * and signers (Certificates). The <code>Subject</code> |
| 70 | * represents the <code>Subject</code> associated with the current |
| 71 | * <code>AccessControlContext</code>. |
| 72 | * The Principals are given as a <code>LinkedList</code> |
| 73 | * of <code>PolicyParser.PrincipalEntry</code> objects. |
| 74 | * Typically either a <code>Subject</code> will be provided, |
| 75 | * or a list of <code>principals</code> will be provided |
| 76 | * (not both). |
| 77 | * |
| 78 | * <p> |
| 79 | * |
| 80 | * @param subject the <code>Subject</code> associated with this |
| 81 | * <code>SubjectCodeSource</code> <p> |
| 82 | * |
| 83 | * @param url the <code>URL</code> associated with this |
| 84 | * <code>SubjectCodeSource</code> <p> |
| 85 | * |
| 86 | * @param certs the signers associated with this |
| 87 | * <code>SubjectCodeSource</code> <p> |
| 88 | */ |
| 89 | SubjectCodeSource(Subject subject, |
| 90 | LinkedList<PolicyParser.PrincipalEntry> principals, |
| 91 | URL url, Certificate[] certs) { |
| 92 | |
| 93 | super(url, certs); |
| 94 | this.subject = subject; |
| 95 | this.principals = (principals == null ? |
| 96 | new LinkedList<PolicyParser.PrincipalEntry>() : |
| 97 | new LinkedList<PolicyParser.PrincipalEntry>(principals)); |
| 98 | sysClassLoader = java.security.AccessController.doPrivileged |
| 99 | (new java.security.PrivilegedAction<ClassLoader>() { |
| 100 | public ClassLoader run() { |
| 101 | return ClassLoader.getSystemClassLoader(); |
| 102 | } |
| 103 | }); |
| 104 | } |
| 105 | |
| 106 | /** |
| 107 | * Get the Principals associated with this <code>SubjectCodeSource</code>. |
| 108 | * The Principals are retrieved as a <code>LinkedList</code> |
| 109 | * of <code>PolicyParser.PrincipalEntry</code> objects. |
| 110 | * |
| 111 | * <p> |
| 112 | * |
| 113 | * @return the Principals associated with this |
| 114 | * <code>SubjectCodeSource</code> as a <code>LinkedList</code> |
| 115 | * of <code>PolicyParser.PrincipalEntry</code> objects. |
| 116 | */ |
| 117 | LinkedList<PolicyParser.PrincipalEntry> getPrincipals() { |
| 118 | return principals; |
| 119 | } |
| 120 | |
| 121 | /** |
| 122 | * Get the <code>Subject</code> associated with this |
| 123 | * <code>SubjectCodeSource</code>. The <code>Subject</code> |
| 124 | * represents the <code>Subject</code> associated with the |
| 125 | * current <code>AccessControlContext</code>. |
| 126 | * |
| 127 | * <p> |
| 128 | * |
| 129 | * @return the <code>Subject</code> associated with this |
| 130 | * <code>SubjectCodeSource</code>. |
| 131 | */ |
| 132 | Subject getSubject() { |
| 133 | return subject; |
| 134 | } |
| 135 | |
| 136 | /** |
| 137 | * Returns true if this <code>SubjectCodeSource</code> object "implies" |
| 138 | * the specified <code>CodeSource</code>. |
| 139 | * More specifically, this method makes the following checks. |
| 140 | * If any fail, it returns false. If they all succeed, it returns true. |
| 141 | * |
| 142 | * <p> |
| 143 | * <ol> |
| 144 | * <li> The provided codesource must not be <code>null</code>. |
| 145 | * <li> codesource must be an instance of <code>SubjectCodeSource</code>. |
| 146 | * <li> super.implies(codesource) must return true. |
| 147 | * <li> for each principal in this codesource's principal list: |
| 148 | * <ol> |
| 149 | * <li> if the principal is an instanceof |
| 150 | * <code>PrincipalComparator</code>, then the principal must |
| 151 | * imply the provided codesource's <code>Subject</code>. |
| 152 | * <li> if the principal is not an instanceof |
| 153 | * <code>PrincipalComparator</code>, then the provided |
| 154 | * codesource's <code>Subject</code> must have an |
| 155 | * associated <code>Principal</code>, <i>P</i>, where |
| 156 | * P.getClass().getName equals principal.principalClass, |
| 157 | * and P.getName() equals principal.principalName. |
| 158 | * </ol> |
| 159 | * </ol> |
| 160 | * |
| 161 | * <p> |
| 162 | * |
| 163 | * @param codesource the <code>CodeSource</code> to compare against. |
| 164 | * |
| 165 | * @return true if this <code>SubjectCodeSource</code> implies the |
| 166 | * the specified <code>CodeSource</code>. |
| 167 | */ |
| 168 | public boolean implies(CodeSource codesource) { |
| 169 | |
| 170 | LinkedList<PolicyParser.PrincipalEntry> subjectList = null; |
| 171 | |
| 172 | if (codesource == null || |
| 173 | !(codesource instanceof SubjectCodeSource) || |
| 174 | !(super.implies(codesource))) { |
| 175 | |
| 176 | if (debug != null) |
| 177 | debug.println("\tSubjectCodeSource.implies: FAILURE 1"); |
| 178 | return false; |
| 179 | } |
| 180 | |
| 181 | SubjectCodeSource that = (SubjectCodeSource)codesource; |
| 182 | |
| 183 | // if the principal list in the policy "implies" |
| 184 | // the Subject associated with the current AccessControlContext, |
| 185 | // then return true |
| 186 | |
| 187 | if (this.principals == null) { |
| 188 | if (debug != null) |
| 189 | debug.println("\tSubjectCodeSource.implies: PASS 1"); |
| 190 | return true; |
| 191 | } |
| 192 | |
| 193 | if (that.getSubject() == null || |
| 194 | that.getSubject().getPrincipals().size() == 0) { |
| 195 | if (debug != null) |
| 196 | debug.println("\tSubjectCodeSource.implies: FAILURE 2"); |
| 197 | return false; |
| 198 | } |
| 199 | |
| 200 | ListIterator<PolicyParser.PrincipalEntry> li = |
| 201 | this.principals.listIterator(0); |
| 202 | while (li.hasNext()) { |
| 203 | PolicyParser.PrincipalEntry pppe = li.next(); |
| 204 | try { |
| 205 | |
| 206 | // handle PrincipalComparators |
| 207 | |
| 208 | Class principalComparator = Class.forName(pppe.principalClass, |
| 209 | true, |
| 210 | sysClassLoader); |
| 211 | Constructor c = principalComparator.getConstructor(PARAMS); |
| 212 | PrincipalComparator pc = |
| 213 | (PrincipalComparator)c.newInstance |
| 214 | (new Object[] { pppe.principalName }); |
| 215 | |
| 216 | if (!pc.implies(that.getSubject())) { |
| 217 | if (debug != null) |
| 218 | debug.println("\tSubjectCodeSource.implies: FAILURE 3"); |
| 219 | return false; |
| 220 | } else { |
| 221 | if (debug != null) |
| 222 | debug.println("\tSubjectCodeSource.implies: PASS 2"); |
| 223 | return true; |
| 224 | } |
| 225 | } catch (Exception e) { |
| 226 | |
| 227 | // no PrincipalComparator, simply compare Principals |
| 228 | |
| 229 | if (subjectList == null) { |
| 230 | |
| 231 | if (that.getSubject() == null) { |
| 232 | if (debug != null) |
| 233 | debug.println("\tSubjectCodeSource.implies: " + |
| 234 | "FAILURE 4"); |
| 235 | return false; |
| 236 | } |
| 237 | Iterator<Principal> i = |
| 238 | that.getSubject().getPrincipals().iterator(); |
| 239 | |
| 240 | subjectList = new LinkedList<PolicyParser.PrincipalEntry>(); |
| 241 | while (i.hasNext()) { |
| 242 | Principal p = i.next(); |
| 243 | PolicyParser.PrincipalEntry spppe = |
| 244 | new PolicyParser.PrincipalEntry |
| 245 | (p.getClass().getName(), p.getName()); |
| 246 | subjectList.add(spppe); |
| 247 | } |
| 248 | } |
| 249 | |
| 250 | if (!subjectListImpliesPrincipalEntry(subjectList, pppe)) { |
| 251 | if (debug != null) |
| 252 | debug.println("\tSubjectCodeSource.implies: FAILURE 5"); |
| 253 | return false; |
| 254 | } |
| 255 | } |
| 256 | } |
| 257 | |
| 258 | if (debug != null) |
| 259 | debug.println("\tSubjectCodeSource.implies: PASS 3"); |
| 260 | return true; |
| 261 | } |
| 262 | |
| 263 | /** |
| 264 | * This method returns, true, if the provided <i>subjectList</i> |
| 265 | * "contains" the <code>Principal</code> specified |
| 266 | * in the provided <i>pppe</i> argument. |
| 267 | * |
| 268 | * Note that the provided <i>pppe</i> argument may have |
| 269 | * wildcards (*) for the <code>Principal</code> class and name, |
| 270 | * which need to be considered. |
| 271 | * |
| 272 | * <p> |
| 273 | * |
| 274 | * @param subjectList a list of PolicyParser.PrincipalEntry objects |
| 275 | * that correspond to all the Principals in the Subject currently |
| 276 | * on this thread's AccessControlContext. <p> |
| 277 | * |
| 278 | * @param pppe the Principals specified in a grant entry. |
| 279 | * |
| 280 | * @return true if the provided <i>subjectList</i> "contains" |
| 281 | * the <code>Principal</code> specified in the provided |
| 282 | * <i>pppe</i> argument. |
| 283 | */ |
| 284 | private boolean subjectListImpliesPrincipalEntry( |
| 285 | LinkedList<PolicyParser.PrincipalEntry> subjectList, |
| 286 | PolicyParser.PrincipalEntry pppe) { |
| 287 | |
| 288 | ListIterator<PolicyParser.PrincipalEntry> li = |
| 289 | subjectList.listIterator(0); |
| 290 | while (li.hasNext()) { |
| 291 | PolicyParser.PrincipalEntry listPppe = li.next(); |
| 292 | |
| 293 | if (pppe.principalClass.equals |
| 294 | (PolicyParser.PrincipalEntry.WILDCARD_CLASS) || |
| 295 | pppe.principalClass.equals |
| 296 | (listPppe.principalClass)) { |
| 297 | |
| 298 | if (pppe.principalName.equals |
| 299 | (PolicyParser.PrincipalEntry.WILDCARD_NAME) || |
| 300 | pppe.principalName.equals |
| 301 | (listPppe.principalName)) |
| 302 | return true; |
| 303 | } |
| 304 | } |
| 305 | return false; |
| 306 | } |
| 307 | |
| 308 | /** |
| 309 | * Tests for equality between the specified object and this |
| 310 | * object. Two <code>SubjectCodeSource</code> objects are considered equal |
| 311 | * if their locations are of identical value, if the two sets of |
| 312 | * Certificates are of identical values, and if the |
| 313 | * Subjects are equal, and if the PolicyParser.PrincipalEntry values |
| 314 | * are of identical values. It is not required that |
| 315 | * the Certificates or PolicyParser.PrincipalEntry values |
| 316 | * be in the same order. |
| 317 | * |
| 318 | * <p> |
| 319 | * |
| 320 | * @param obj the object to test for equality with this object. |
| 321 | * |
| 322 | * @return true if the objects are considered equal, false otherwise. |
| 323 | */ |
| 324 | public boolean equals(Object obj) { |
| 325 | |
| 326 | if (obj == this) |
| 327 | return true; |
| 328 | |
| 329 | if (super.equals(obj) == false) |
| 330 | return false; |
| 331 | |
| 332 | if (!(obj instanceof SubjectCodeSource)) |
| 333 | return false; |
| 334 | |
| 335 | SubjectCodeSource that = (SubjectCodeSource)obj; |
| 336 | |
| 337 | // the principal lists must match |
| 338 | try { |
| 339 | if (this.getSubject() != that.getSubject()) |
| 340 | return false; |
| 341 | } catch (SecurityException se) { |
| 342 | return false; |
| 343 | } |
| 344 | |
| 345 | if ((this.principals == null && that.principals != null) || |
| 346 | (this.principals != null && that.principals == null)) |
| 347 | return false; |
| 348 | |
| 349 | if (this.principals != null && that.principals != null) { |
| 350 | if (!this.principals.containsAll(that.principals) || |
| 351 | !that.principals.containsAll(this.principals)) |
| 352 | |
| 353 | return false; |
| 354 | } |
| 355 | |
| 356 | return true; |
| 357 | } |
| 358 | |
| 359 | /** |
| 360 | * Return a hashcode for this <code>SubjectCodeSource</code>. |
| 361 | * |
| 362 | * <p> |
| 363 | * |
| 364 | * @return a hashcode for this <code>SubjectCodeSource</code>. |
| 365 | */ |
| 366 | public int hashCode() { |
| 367 | return super.hashCode(); |
| 368 | } |
| 369 | |
| 370 | /** |
| 371 | * Return a String representation of this <code>SubjectCodeSource</code>. |
| 372 | * |
| 373 | * <p> |
| 374 | * |
| 375 | * @return a String representation of this <code>SubjectCodeSource</code>. |
| 376 | */ |
| 377 | public String toString() { |
| 378 | String returnMe = super.toString(); |
| 379 | if (getSubject() != null) { |
| 380 | if (debug != null) { |
| 381 | final Subject finalSubject = getSubject(); |
| 382 | returnMe = returnMe + "\n" + |
| 383 | java.security.AccessController.doPrivileged |
| 384 | (new java.security.PrivilegedAction<String>() { |
| 385 | public String run() { |
| 386 | return finalSubject.toString(); |
| 387 | } |
| 388 | }); |
| 389 | } else { |
| 390 | returnMe = returnMe + "\n" + getSubject().toString(); |
| 391 | } |
| 392 | } |
| 393 | if (principals != null) { |
| 394 | ListIterator<PolicyParser.PrincipalEntry> li = |
| 395 | principals.listIterator(); |
| 396 | while (li.hasNext()) { |
| 397 | PolicyParser.PrincipalEntry pppe = li.next(); |
| 398 | returnMe = returnMe + rb.getString("\n") + |
| 399 | pppe.principalClass + " " + |
| 400 | pppe.principalName; |
| 401 | } |
| 402 | } |
| 403 | return returnMe; |
| 404 | } |
| 405 | } |