Path: blob/master/src/java.base/share/classes/sun/security/provider/SubjectCodeSource.java
41159 views
/*1* Copyright (c) 1999, 2021, Oracle and/or its affiliates. All rights reserved.2* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.3*4* This code is free software; you can redistribute it and/or modify it5* under the terms of the GNU General Public License version 2 only, as6* published by the Free Software Foundation. Oracle designates this7* particular file as subject to the "Classpath" exception as provided8* by Oracle in the LICENSE file that accompanied this code.9*10* This code is distributed in the hope that it will be useful, but WITHOUT11* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or12* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License13* version 2 for more details (a copy is included in the LICENSE file that14* accompanied this code).15*16* You should have received a copy of the GNU General Public License version17* 2 along with this work; if not, write to the Free Software Foundation,18* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.19*20* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA21* or visit www.oracle.com if you need additional information or have any22* questions.23*/2425package sun.security.provider;2627import java.net.URL;28import java.util.*;29import java.security.CodeSource;30import java.security.Principal;31import java.security.cert.Certificate;32import java.lang.reflect.Constructor;3334import javax.security.auth.Subject;35import sun.security.provider.PolicyParser.PrincipalEntry;36import sun.security.util.ResourcesMgr;3738/**39* <p> This <code>SubjectCodeSource</code> class contains40* a <code>URL</code>, signer certificates, and either a <code>Subject</code>41* (that represents the <code>Subject</code> in the current42* <code>AccessControlContext</code>), or a linked list of Principals43* (that represent a "subject" in a <code>Policy</code>).44*45*/46class SubjectCodeSource extends CodeSource implements java.io.Serializable {4748@java.io.Serial49private static final long serialVersionUID = 6039418085604715275L;5051private Subject subject;52private LinkedList<PrincipalEntry> principals;53private static final Class<?>[] PARAMS = { String.class };54private static final sun.security.util.Debug debug =55sun.security.util.Debug.getInstance("auth", "\t[Auth Access]");56@SuppressWarnings("serial") // Not statically typed as Serializable57private ClassLoader sysClassLoader;5859/**60* Creates a new <code>SubjectCodeSource</code>61* with the given <code>Subject</code>, principals, <code>URL</code>,62* and signers (Certificates). The <code>Subject</code>63* represents the <code>Subject</code> associated with the current64* <code>AccessControlContext</code>.65* The Principals are given as a <code>LinkedList</code>66* of <code>PolicyParser.PrincipalEntry</code> objects.67* Typically either a <code>Subject</code> will be provided,68* or a list of <code>principals</code> will be provided69* (not both).70*71* <p>72*73* @param subject the <code>Subject</code> associated with this74* <code>SubjectCodeSource</code> <p>75*76* @param url the <code>URL</code> associated with this77* <code>SubjectCodeSource</code> <p>78*79* @param certs the signers associated with this80* <code>SubjectCodeSource</code> <p>81*/82@SuppressWarnings("removal")83SubjectCodeSource(Subject subject,84LinkedList<PrincipalEntry> principals,85URL url, Certificate[] certs) {8687super(url, certs);88this.subject = subject;89this.principals = (principals == null ?90new LinkedList<PrincipalEntry>() :91new LinkedList<PrincipalEntry>(principals));92sysClassLoader = java.security.AccessController.doPrivileged93(new java.security.PrivilegedAction<ClassLoader>() {94public ClassLoader run() {95return ClassLoader.getSystemClassLoader();96}97});98}99100/**101* Get the Principals associated with this <code>SubjectCodeSource</code>.102* The Principals are retrieved as a <code>LinkedList</code>103* of <code>PolicyParser.PrincipalEntry</code> objects.104*105* <p>106*107* @return the Principals associated with this108* <code>SubjectCodeSource</code> as a <code>LinkedList</code>109* of <code>PolicyParser.PrincipalEntry</code> objects.110*/111LinkedList<PrincipalEntry> getPrincipals() {112return principals;113}114115/**116* Get the <code>Subject</code> associated with this117* <code>SubjectCodeSource</code>. The <code>Subject</code>118* represents the <code>Subject</code> associated with the119* current <code>AccessControlContext</code>.120*121* <p>122*123* @return the <code>Subject</code> associated with this124* <code>SubjectCodeSource</code>.125*/126Subject getSubject() {127return subject;128}129130/**131* Returns true if this <code>SubjectCodeSource</code> object "implies"132* the specified <code>CodeSource</code>.133* More specifically, this method makes the following checks.134* If any fail, it returns false. If they all succeed, it returns true.135*136* <p>137* <ol>138* <li> The provided codesource must not be <code>null</code>.139* <li> codesource must be an instance of <code>SubjectCodeSource</code>.140* <li> super.implies(codesource) must return true.141* <li> for each principal in this codesource's principal list:142* <ol>143* <li> if the principal is an instanceof144* <code>Principal</code>, then the principal must145* imply the provided codesource's <code>Subject</code>.146* <li> if the principal is not an instanceof147* <code>Principal</code>, then the provided148* codesource's <code>Subject</code> must have an149* associated <code>Principal</code>, <i>P</i>, where150* P.getClass().getName equals principal.principalClass,151* and P.getName() equals principal.principalName.152* </ol>153* </ol>154*155* <p>156*157* @param codesource the <code>CodeSource</code> to compare against.158*159* @return true if this <code>SubjectCodeSource</code> implies160* the specified <code>CodeSource</code>.161*/162public boolean implies(CodeSource codesource) {163164LinkedList<PrincipalEntry> subjectList = null;165166if (codesource == null ||167!(codesource instanceof SubjectCodeSource) ||168!(super.implies(codesource))) {169170if (debug != null)171debug.println("\tSubjectCodeSource.implies: FAILURE 1");172return false;173}174175SubjectCodeSource that = (SubjectCodeSource)codesource;176177// if the principal list in the policy "implies"178// the Subject associated with the current AccessControlContext,179// then return true180181if (this.principals == null) {182if (debug != null)183debug.println("\tSubjectCodeSource.implies: PASS 1");184return true;185}186187if (that.getSubject() == null ||188that.getSubject().getPrincipals().size() == 0) {189if (debug != null)190debug.println("\tSubjectCodeSource.implies: FAILURE 2");191return false;192}193194ListIterator<PrincipalEntry> li = this.principals.listIterator(0);195while (li.hasNext()) {196PrincipalEntry pppe = li.next();197try {198199// use new Principal.implies method200201Class<?> pClass = Class.forName(pppe.principalClass,202true, sysClassLoader);203if (!Principal.class.isAssignableFrom(pClass)) {204// not the right subtype205throw new ClassCastException(pppe.principalClass +206" is not a Principal");207}208Constructor<?> c = pClass.getConstructor(PARAMS);209Principal p = (Principal)c.newInstance(new Object[] {210pppe.principalName });211212if (!p.implies(that.getSubject())) {213if (debug != null)214debug.println("\tSubjectCodeSource.implies: FAILURE 3");215return false;216} else {217if (debug != null)218debug.println("\tSubjectCodeSource.implies: PASS 2");219return true;220}221} catch (Exception e) {222223// simply compare Principals224225if (subjectList == null) {226227if (that.getSubject() == null) {228if (debug != null)229debug.println("\tSubjectCodeSource.implies: " +230"FAILURE 4");231return false;232}233Iterator<Principal> i =234that.getSubject().getPrincipals().iterator();235236subjectList = new LinkedList<PrincipalEntry>();237while (i.hasNext()) {238Principal p = i.next();239PrincipalEntry spppe = new PrincipalEntry240(p.getClass().getName(), p.getName());241subjectList.add(spppe);242}243}244245if (!subjectListImpliesPrincipalEntry(subjectList, pppe)) {246if (debug != null)247debug.println("\tSubjectCodeSource.implies: FAILURE 5");248return false;249}250}251}252253if (debug != null)254debug.println("\tSubjectCodeSource.implies: PASS 3");255return true;256}257258/**259* This method returns, true, if the provided <i>subjectList</i>260* "contains" the <code>Principal</code> specified261* in the provided <i>pppe</i> argument.262*263* Note that the provided <i>pppe</i> argument may have264* wildcards (*) for the <code>Principal</code> class and name,265* which need to be considered.266*267* <p>268*269* @param subjectList a list of PolicyParser.PrincipalEntry objects270* that correspond to all the Principals in the Subject currently271* on this thread's AccessControlContext. <p>272*273* @param pppe the Principals specified in a grant entry.274*275* @return true if the provided <i>subjectList</i> "contains"276* the <code>Principal</code> specified in the provided277* <i>pppe</i> argument.278*/279private boolean subjectListImpliesPrincipalEntry(280LinkedList<PrincipalEntry> subjectList, PrincipalEntry pppe) {281282ListIterator<PrincipalEntry> li = subjectList.listIterator(0);283while (li.hasNext()) {284PrincipalEntry listPppe = li.next();285286if (pppe.getPrincipalClass().equals287(PrincipalEntry.WILDCARD_CLASS) ||288pppe.getPrincipalClass().equals(listPppe.getPrincipalClass()))289{290if (pppe.getPrincipalName().equals291(PrincipalEntry.WILDCARD_NAME) ||292pppe.getPrincipalName().equals(listPppe.getPrincipalName()))293return true;294}295}296return false;297}298299/**300* Tests for equality between the specified object and this301* object. Two <code>SubjectCodeSource</code> objects are considered equal302* if their locations are of identical value, if the two sets of303* Certificates are of identical values, and if the304* Subjects are equal, and if the PolicyParser.PrincipalEntry values305* are of identical values. It is not required that306* the Certificates or PolicyParser.PrincipalEntry values307* be in the same order.308*309* <p>310*311* @param obj the object to test for equality with this object.312*313* @return true if the objects are considered equal, false otherwise.314*/315public boolean equals(Object obj) {316317if (obj == this)318return true;319320if (super.equals(obj) == false)321return false;322323if (!(obj instanceof SubjectCodeSource))324return false;325326SubjectCodeSource that = (SubjectCodeSource)obj;327328// the principal lists must match329try {330if (this.getSubject() != that.getSubject())331return false;332} catch (SecurityException se) {333return false;334}335336if ((this.principals == null && that.principals != null) ||337(this.principals != null && that.principals == null))338return false;339340if (this.principals != null && that.principals != null) {341if (!this.principals.containsAll(that.principals) ||342!that.principals.containsAll(this.principals))343344return false;345}346347return true;348}349350/**351* Return a hashcode for this <code>SubjectCodeSource</code>.352*353* <p>354*355* @return a hashcode for this <code>SubjectCodeSource</code>.356*/357public int hashCode() {358return super.hashCode();359}360361/**362* Return a String representation of this <code>SubjectCodeSource</code>.363*364* <p>365*366* @return a String representation of this <code>SubjectCodeSource</code>.367*/368@SuppressWarnings("removal")369public String toString() {370String returnMe = super.toString();371if (getSubject() != null) {372if (debug != null) {373final Subject finalSubject = getSubject();374returnMe = returnMe + "\n" +375java.security.AccessController.doPrivileged376(new java.security.PrivilegedAction<String>() {377public String run() {378return finalSubject.toString();379}380});381} else {382returnMe = returnMe + "\n" + getSubject().toString();383}384}385if (principals != null) {386ListIterator<PrincipalEntry> li = principals.listIterator();387while (li.hasNext()) {388PrincipalEntry pppe = li.next();389returnMe = returnMe + ResourcesMgr.getAuthResourceString("NEWLINE") +390pppe.getPrincipalClass() + " " +391pppe.getPrincipalName();392}393}394return returnMe;395}396}397398399