/* * Copyright (c) 1999, 2010, Oracle and/or its affiliates. All rights reserved. * ORACLE PROPRIETARY/CONFIDENTIAL. Use is subject to license terms. * * * * * * * * * * * * * * * * * * * * */ package com.sun.security.auth; import java.net.URL; import java.util.*; import java.security.CodeSource; import java.security.Principal; import java.security.cert.Certificate; import java.lang.reflect.Constructor; import javax.security.auth.Subject; /** *

This SubjectCodeSource class contains * a URL, signer certificates, and either a Subject * (that represents the Subject in the current * AccessControlContext), * or a linked list of Principals/PrincipalComparators * (that represent a "subject" in a Policy). * */ class SubjectCodeSource extends CodeSource implements java.io.Serializable { private static final long serialVersionUID = 6039418085604715275L; private static final java.util.ResourceBundle rb = java.security.AccessController.doPrivileged (new java.security.PrivilegedAction() { public java.util.ResourceBundle run() { return (java.util.ResourceBundle.getBundle ("sun.security.util.AuthResources")); } }); private Subject subject; private LinkedList principals; private static final Class[] PARAMS = { String.class }; private static final sun.security.util.Debug debug = sun.security.util.Debug.getInstance("auth", "\t[Auth Access]"); private ClassLoader sysClassLoader; /** * Creates a new SubjectCodeSource * with the given Subject, principals, URL, * and signers (Certificates). The Subject * represents the Subject associated with the current * AccessControlContext. * The Principals are given as a LinkedList * of PolicyParser.PrincipalEntry objects. * Typically either a Subject will be provided, * or a list of principals will be provided * (not both). * *

* * @param subject the Subject associated with this * SubjectCodeSource

* * @param url the URL associated with this * SubjectCodeSource

* * @param certs the signers associated with this * SubjectCodeSource

*/ SubjectCodeSource(Subject subject, LinkedList principals, URL url, Certificate[] certs) { super(url, certs); this.subject = subject; this.principals = (principals == null ? new LinkedList() : new LinkedList(principals)); sysClassLoader = java.security.AccessController.doPrivileged (new java.security.PrivilegedAction() { public ClassLoader run() { return ClassLoader.getSystemClassLoader(); } }); } /** * Get the Principals associated with this SubjectCodeSource. * The Principals are retrieved as a LinkedList * of PolicyParser.PrincipalEntry objects. * *

* * @return the Principals associated with this * SubjectCodeSource as a LinkedList * of PolicyParser.PrincipalEntry objects. */ LinkedList getPrincipals() { return principals; } /** * Get the Subject associated with this * SubjectCodeSource. The Subject * represents the Subject associated with the * current AccessControlContext. * *

* * @return the Subject associated with this * SubjectCodeSource. */ Subject getSubject() { return subject; } /** * Returns true if this SubjectCodeSource object "implies" * the specified CodeSource. * More specifically, this method makes the following checks. * If any fail, it returns false. If they all succeed, it returns true. * *

*

    *
  1. The provided codesource must not be null. *
  2. codesource must be an instance of SubjectCodeSource. *
  3. super.implies(codesource) must return true. *
  4. for each principal in this codesource's principal list: *
      *
    1. if the principal is an instanceof * PrincipalComparator, then the principal must * imply the provided codesource's Subject. *
    2. if the principal is not an instanceof * PrincipalComparator, then the provided * codesource's Subject must have an * associated Principal, P, where * P.getClass().getName equals principal.principalClass, * and P.getName() equals principal.principalName. *
    *
* *

* * @param codesource the CodeSource to compare against. * * @return true if this SubjectCodeSource implies the * the specified CodeSource. */ public boolean implies(CodeSource codesource) { LinkedList subjectList = null; if (codesource == null || !(codesource instanceof SubjectCodeSource) || !(super.implies(codesource))) { if (debug != null) debug.println("\tSubjectCodeSource.implies: FAILURE 1"); return false; } SubjectCodeSource that = (SubjectCodeSource)codesource; // if the principal list in the policy "implies" // the Subject associated with the current AccessControlContext, // then return true if (this.principals == null) { if (debug != null) debug.println("\tSubjectCodeSource.implies: PASS 1"); return true; } if (that.getSubject() == null || that.getSubject().getPrincipals().size() == 0) { if (debug != null) debug.println("\tSubjectCodeSource.implies: FAILURE 2"); return false; } ListIterator li = this.principals.listIterator(0); while (li.hasNext()) { PolicyParser.PrincipalEntry pppe = li.next(); try { // handle PrincipalComparators Class principalComparator = Class.forName(pppe.principalClass, true, sysClassLoader); Constructor c = principalComparator.getConstructor(PARAMS); PrincipalComparator pc = (PrincipalComparator)c.newInstance (new Object[] { pppe.principalName }); if (!pc.implies(that.getSubject())) { if (debug != null) debug.println("\tSubjectCodeSource.implies: FAILURE 3"); return false; } else { if (debug != null) debug.println("\tSubjectCodeSource.implies: PASS 2"); return true; } } catch (Exception e) { // no PrincipalComparator, simply compare Principals if (subjectList == null) { if (that.getSubject() == null) { if (debug != null) debug.println("\tSubjectCodeSource.implies: " + "FAILURE 4"); return false; } Iterator i = that.getSubject().getPrincipals().iterator(); subjectList = new LinkedList(); while (i.hasNext()) { Principal p = i.next(); PolicyParser.PrincipalEntry spppe = new PolicyParser.PrincipalEntry (p.getClass().getName(), p.getName()); subjectList.add(spppe); } } if (!subjectListImpliesPrincipalEntry(subjectList, pppe)) { if (debug != null) debug.println("\tSubjectCodeSource.implies: FAILURE 5"); return false; } } } if (debug != null) debug.println("\tSubjectCodeSource.implies: PASS 3"); return true; } /** * This method returns, true, if the provided subjectList * "contains" the Principal specified * in the provided pppe argument. * * Note that the provided pppe argument may have * wildcards (*) for the Principal class and name, * which need to be considered. * *

* * @param subjectList a list of PolicyParser.PrincipalEntry objects * that correspond to all the Principals in the Subject currently * on this thread's AccessControlContext.

* * @param pppe the Principals specified in a grant entry. * * @return true if the provided subjectList "contains" * the Principal specified in the provided * pppe argument. */ private boolean subjectListImpliesPrincipalEntry( LinkedList subjectList, PolicyParser.PrincipalEntry pppe) { ListIterator li = subjectList.listIterator(0); while (li.hasNext()) { PolicyParser.PrincipalEntry listPppe = li.next(); if (pppe.principalClass.equals (PolicyParser.PrincipalEntry.WILDCARD_CLASS) || pppe.principalClass.equals (listPppe.principalClass)) { if (pppe.principalName.equals (PolicyParser.PrincipalEntry.WILDCARD_NAME) || pppe.principalName.equals (listPppe.principalName)) return true; } } return false; } /** * Tests for equality between the specified object and this * object. Two SubjectCodeSource objects are considered equal * if their locations are of identical value, if the two sets of * Certificates are of identical values, and if the * Subjects are equal, and if the PolicyParser.PrincipalEntry values * are of identical values. It is not required that * the Certificates or PolicyParser.PrincipalEntry values * be in the same order. * *

* * @param obj the object to test for equality with this object. * * @return true if the objects are considered equal, false otherwise. */ public boolean equals(Object obj) { if (obj == this) return true; if (super.equals(obj) == false) return false; if (!(obj instanceof SubjectCodeSource)) return false; SubjectCodeSource that = (SubjectCodeSource)obj; // the principal lists must match try { if (this.getSubject() != that.getSubject()) return false; } catch (SecurityException se) { return false; } if ((this.principals == null && that.principals != null) || (this.principals != null && that.principals == null)) return false; if (this.principals != null && that.principals != null) { if (!this.principals.containsAll(that.principals) || !that.principals.containsAll(this.principals)) return false; } return true; } /** * Return a hashcode for this SubjectCodeSource. * *

* * @return a hashcode for this SubjectCodeSource. */ public int hashCode() { return super.hashCode(); } /** * Return a String representation of this SubjectCodeSource. * *

* * @return a String representation of this SubjectCodeSource. */ public String toString() { String returnMe = super.toString(); if (getSubject() != null) { if (debug != null) { final Subject finalSubject = getSubject(); returnMe = returnMe + "\n" + java.security.AccessController.doPrivileged (new java.security.PrivilegedAction() { public String run() { return finalSubject.toString(); } }); } else { returnMe = returnMe + "\n" + getSubject().toString(); } } if (principals != null) { ListIterator li = principals.listIterator(); while (li.hasNext()) { PolicyParser.PrincipalEntry pppe = li.next(); returnMe = returnMe + rb.getString("NEWLINE") + pppe.principalClass + " " + pppe.principalName; } } return returnMe; } }