/* * Copyright (c) 1997, 2012, Oracle and/or its affiliates. All rights reserved. * ORACLE PROPRIETARY/CONFIDENTIAL. Use is subject to license terms. * * * * * * * * * * * * * * * * * * * * */ package java.security; import sun.security.util.Debug; import sun.reflect.CallerSensitive; import sun.reflect.Reflection; /** *

The AccessController class is used for access control operations * and decisions. * *

More specifically, the AccessController class is used for * three purposes: * *

* *

The {@link #checkPermission(Permission) checkPermission} method * determines whether the access request indicated by a specified * permission should be granted or denied. A sample call appears * below. In this example, checkPermission will determine * whether or not to grant "read" access to the file named "testFile" in * the "/temp" directory. * * 

 *
 * FilePermission perm = new FilePermission("/temp/testFile", "read");
 * AccessController.checkPermission(perm);
 *
 *
* *

If a requested access is allowed, * checkPermission returns quietly. If denied, an * AccessControlException is * thrown. AccessControlException can also be thrown if the requested * permission is of an incorrect type or contains an invalid value. * Such information is given whenever possible. * * Suppose the current thread traversed m callers, in the order of caller 1 * to caller 2 to caller m. Then caller m invoked the * checkPermission method. * The checkPermission method determines whether access * is granted or denied based on the following algorithm: * * 

 {@code
 * for (int i = m; i > 0; i--) {
 *
 *     if (caller i's domain does not have the permission)
 *         throw AccessControlException
 *
 *     else if (caller i is marked as privileged) {
 *         if (a context was specified in the call to doPrivileged)
 *             context.checkPermission(permission)
 *         return;
 *     }
 * };
 *
 * // Next, check the context inherited when the thread was created.
 * // Whenever a new thread is created, the AccessControlContext at
 * // that time is stored and associated with the new thread, as the
 * // "inherited" context.
 *
 * inheritedContext.checkPermission(permission);
 * }
* *

A caller can be marked as being "privileged" * (see {@link #doPrivileged(PrivilegedAction) doPrivileged} and below). * When making access control decisions, the checkPermission * method stops checking if it reaches a caller that * was marked as "privileged" via a doPrivileged * call without a context argument (see below for information about a * context argument). If that caller's domain has the * specified permission, no further checking is done and * checkPermission * returns quietly, indicating that the requested access is allowed. * If that domain does not have the specified permission, an exception * is thrown, as usual. * *

The normal use of the "privileged" feature is as follows. If you * don't need to return a value from within the "privileged" block, do * the following: * * 

 {@code
 * somemethod() {
 *     ...normal code here...
 *     AccessController.doPrivileged(new PrivilegedAction() {
 *         public Void run() {
 *             // privileged code goes here, for example:
 *             System.loadLibrary("awt");
 *             return null; // nothing to return
 *         }
 *     });
 *     ...normal code here...
 * }}
* *

* PrivilegedAction is an interface with a single method, named * run. * The above example shows creation of an implementation * of that interface; a concrete implementation of the * run method is supplied. * When the call to doPrivileged is made, an * instance of the PrivilegedAction implementation is passed * to it. The doPrivileged method calls the * run method from the PrivilegedAction * implementation after enabling privileges, and returns the * run method's return value as the * doPrivileged return value (which is * ignored in this example). * *

If you need to return a value, you can do something like the following: * * 

 {@code
 * somemethod() {
 *     ...normal code here...
 *     String user = AccessController.doPrivileged(
 *         new PrivilegedAction() {
 *         public String run() {
 *             return System.getProperty("user.name");
 *             }
 *         });
 *     ...normal code here...
 * }}
* *

If the action performed in your run method could * throw a "checked" exception (those listed in the throws clause * of a method), then you need to use the * PrivilegedExceptionAction interface instead of the * PrivilegedAction interface: * * 

 {@code
 * somemethod() throws FileNotFoundException {
 *     ...normal code here...
 *     try {
 *         FileInputStream fis = AccessController.doPrivileged(
 *         new PrivilegedExceptionAction() {
 *             public FileInputStream run() throws FileNotFoundException {
 *                 return new FileInputStream("someFile");
 *             }
 *         });
 *     } catch (PrivilegedActionException e) {
 *         // e.getException() should be an instance of FileNotFoundException,
 *         // as only "checked" exceptions will be "wrapped" in a
 *         // PrivilegedActionException.
 *         throw (FileNotFoundException) e.getException();
 *     }
 *     ...normal code here...
 *  }}
* *

Be *very* careful in your use of the "privileged" construct, and * always remember to make the privileged code section as small as possible. * *

Note that checkPermission always performs security checks * within the context of the currently executing thread. * Sometimes a security check that should be made within a given context * will actually need to be done from within a * different context (for example, from within a worker thread). * The {@link #getContext() getContext} method and * AccessControlContext class are provided * for this situation. The getContext method takes a "snapshot" * of the current calling context, and places * it in an AccessControlContext object, which it returns. A sample call is * the following: * * 

 *
 * AccessControlContext acc = AccessController.getContext()
 *
 *
* *

* AccessControlContext itself has a checkPermission method * that makes access decisions based on the context it encapsulates, * rather than that of the current execution thread. * Code within a different context can thus call that method on the * previously-saved AccessControlContext object. A sample call is the * following: * * 

 *
 * acc.checkPermission(permission)
 *
 *
* *

There are also times where you don't know a priori which permissions * to check the context against. In these cases you can use the * doPrivileged method that takes a context: * * 

 {@code
 * somemethod() {
 *     AccessController.doPrivileged(new PrivilegedAction() {
 *         public Object run() {
 *             // Code goes here. Any permission checks within this
 *             // run method will require that the intersection of the
 *             // callers protection domain and the snapshot's
 *             // context have the desired permission.
 *         }
 *     }, acc);
 *     ...normal code here...
 * }}
 *
 * @see AccessControlContext
 *
 * @author Li Gong
 * @author Roland Schemers
 */

public final class AccessController {

    /**
     * Don't allow anyone to instantiate an AccessController
     */
    private AccessController() { }

    /**
     * Performs the specified PrivilegedAction with privileges
     * enabled. The action is performed with all of the permissions
     * possessed by the caller's protection domain.
     *
     * 
 If the action's run method throws an (unchecked)
     * exception, it will propagate through this method.
     *
     * 
 Note that any DomainCombiner associated with the current
     * AccessControlContext will be ignored while the action is performed.
     *
     * @param action the action to be performed.
     *
     * @return the value returned by the action's run method.
     *
     * @exception NullPointerException if the action is null
     *
     * @see #doPrivileged(PrivilegedAction,AccessControlContext)
     * @see #doPrivileged(PrivilegedExceptionAction)
     * @see #doPrivilegedWithCombiner(PrivilegedAction)
     * @see java.security.DomainCombiner
     */

    @CallerSensitive
    public static native  T doPrivileged(PrivilegedAction action);

    /**
     * Performs the specified PrivilegedAction with privileges
     * enabled. The action is performed with all of the permissions
     * possessed by the caller's protection domain.
     *
     * 
 If the action's run method throws an (unchecked)
     * exception, it will propagate through this method.
     *
     * 
 This method preserves the current AccessControlContext's
     * DomainCombiner (which may be null) while the action is performed.
     *
     * @param action the action to be performed.
     *
     * @return the value returned by the action's run method.
     *
     * @exception NullPointerException if the action is null
     *
     * @see #doPrivileged(PrivilegedAction)
     * @see java.security.DomainCombiner
     *
     * @since 1.6
     */
    @CallerSensitive
    public static  T doPrivilegedWithCombiner(PrivilegedAction action) {
        AccessControlContext acc = getStackAccessControlContext();
        if (acc == null) {
            return AccessController.doPrivileged(action);
        }
        DomainCombiner dc = acc.getAssignedCombiner();
        return AccessController.doPrivileged(action, preserveCombiner(dc, Reflection.getCallerClass()));
    }


    /**
     * Performs the specified PrivilegedAction with privileges
     * enabled and restricted by the specified
     * AccessControlContext.
     * The action is performed with the intersection of the permissions
     * possessed by the caller's protection domain, and those possessed
     * by the domains represented by the specified
     * AccessControlContext.
     * 

     * If the action's run method throws an (unchecked) exception,
     * it will propagate through this method.
     *
     * @param action the action to be performed.
     * @param context an access control context
     *                representing the restriction to be applied to the
     *                caller's domain's privileges before performing
     *                the specified action.  If the context is
     *                null,
     *                then no additional restriction is applied.
     *
     * @return the value returned by the action's run method.
     *
     * @exception NullPointerException if the action is null
     *
     * @see #doPrivileged(PrivilegedAction)
     * @see #doPrivileged(PrivilegedExceptionAction,AccessControlContext)
     */
    @CallerSensitive
    public static native  T doPrivileged(PrivilegedAction action,
                                            AccessControlContext context);

    /**
     * Performs the specified PrivilegedExceptionAction with
     * privileges enabled.  The action is performed with all of the
     * permissions possessed by the caller's protection domain.
     *
     * 
 If the action's run method throws an unchecked
     * exception, it will propagate through this method.
     *
     * 
 Note that any DomainCombiner associated with the current
     * AccessControlContext will be ignored while the action is performed.
     *
     * @param action the action to be performed
     *
     * @return the value returned by the action's run method
     *
     * @exception PrivilegedActionException if the specified action's
     *         run method threw a checked exception
     * @exception NullPointerException if the action is null
     *
     * @see #doPrivileged(PrivilegedAction)
     * @see #doPrivileged(PrivilegedExceptionAction,AccessControlContext)
     * @see #doPrivilegedWithCombiner(PrivilegedExceptionAction)
     * @see java.security.DomainCombiner
     */
    @CallerSensitive
    public static native  T
        doPrivileged(PrivilegedExceptionAction action)
        throws PrivilegedActionException;


    /**
     * Performs the specified PrivilegedExceptionAction with
     * privileges enabled.  The action is performed with all of the
     * permissions possessed by the caller's protection domain.
     *
     * 
 If the action's run method throws an unchecked
     * exception, it will propagate through this method.
     *
     * 
 This method preserves the current AccessControlContext's
     * DomainCombiner (which may be null) while the action is performed.
     *
     * @param action the action to be performed.
     *
     * @return the value returned by the action's run method
     *
     * @exception PrivilegedActionException if the specified action's
     *         run method threw a checked exception
     * @exception NullPointerException if the action is null
     *
     * @see #doPrivileged(PrivilegedAction)
     * @see #doPrivileged(PrivilegedExceptionAction,AccessControlContext)
     * @see java.security.DomainCombiner
     *
     * @since 1.6
     */
    @CallerSensitive
    public static  T doPrivilegedWithCombiner
        (PrivilegedExceptionAction action) throws PrivilegedActionException {

        AccessControlContext acc = getStackAccessControlContext();
        if (acc == null) {
            return AccessController.doPrivileged(action);
        }
        DomainCombiner dc = acc.getAssignedCombiner();
        return AccessController.doPrivileged(action, preserveCombiner(dc, Reflection.getCallerClass()));
    }

    /**
     * preserve the combiner across the doPrivileged call
     */
    private static AccessControlContext preserveCombiner(DomainCombiner combiner,
                                                         final Class caller) {
        ProtectionDomain callerPd = doPrivileged
            (new PrivilegedAction() {
            public ProtectionDomain run() {
                return caller.getProtectionDomain();
            }
        });

        // perform 'combine' on the caller of doPrivileged,
        // even if the caller is from the bootclasspath
        ProtectionDomain[] pds = new ProtectionDomain[] {callerPd};
        if (combiner == null) {
            return new AccessControlContext(pds);
        } else {
            return new AccessControlContext(combiner.combine(pds, null),
                                            combiner);
        }
    }


    /**
     * Performs the specified PrivilegedExceptionAction with
     * privileges enabled and restricted by the specified
     * AccessControlContext.  The action is performed with the
     * intersection of the permissions possessed by the caller's
     * protection domain, and those possessed by the domains represented by the
     * specified AccessControlContext.
     * 

     * If the action's run method throws an unchecked
     * exception, it will propagate through this method.
     *
     * @param action the action to be performed
     * @param context an access control context
     *                representing the restriction to be applied to the
     *                caller's domain's privileges before performing
     *                the specified action.  If the context is
     *                null,
     *                then no additional restriction is applied.
     *
     * @return the value returned by the action's run method
     *
     * @exception PrivilegedActionException if the specified action's
     *         run method
     *         threw a checked exception
     * @exception NullPointerException if the action is null
     *
     * @see #doPrivileged(PrivilegedAction)
     * @see #doPrivileged(PrivilegedExceptionAction,AccessControlContext)
     */
    @CallerSensitive
    public static native  T
        doPrivileged(PrivilegedExceptionAction action,
                     AccessControlContext context)
        throws PrivilegedActionException;

    /**
     * Returns the AccessControl context. i.e., it gets
     * the protection domains of all the callers on the stack,
     * starting at the first class with a non-null
     * ProtectionDomain.
     *
     * @return the access control context based on the current stack or
     *         null if there was only privileged system code.
     */

    private static native AccessControlContext getStackAccessControlContext();

    /**
     * Returns the "inherited" AccessControl context. This is the context
     * that existed when the thread was created. Package private so
     * AccessControlContext can use it.
     */

    static native AccessControlContext getInheritedAccessControlContext();

    /**
     * This method takes a "snapshot" of the current calling context, which
     * includes the current Thread's inherited AccessControlContext,
     * and places it in an AccessControlContext object. This context may then
     * be checked at a later point, possibly in another thread.
     *
     * @see AccessControlContext
     *
     * @return the AccessControlContext based on the current context.
     */

    public static AccessControlContext getContext()
    {
        AccessControlContext acc = getStackAccessControlContext();
        if (acc == null) {
            // all we had was privileged system code. We don't want
            // to return null though, so we construct a real ACC.
            return new AccessControlContext(null, true);
        } else {
            return acc.optimize();
        }
    }

    /**
     * Determines whether the access request indicated by the
     * specified permission should be allowed or denied, based on
     * the current AccessControlContext and security policy.
     * This method quietly returns if the access request
     * is permitted, or throws an AccessControlException otherwise. The
     * getPermission method of the AccessControlException returns the
     * perm Permission object instance.
     *
     * @param perm the requested permission.
     *
     * @exception AccessControlException if the specified permission
     *            is not permitted, based on the current security policy.
     * @exception NullPointerException if the specified permission
     *            is null and is checked based on the
     *            security policy currently in effect.
     */

    public static void checkPermission(Permission perm)
                 throws AccessControlException
    {
        //System.err.println("checkPermission "+perm);
        //Thread.currentThread().dumpStack();

        if (perm == null) {
            throw new NullPointerException("permission can't be null");
        }

        AccessControlContext stack = getStackAccessControlContext();
        // if context is null, we had privileged system code on the stack.
        if (stack == null) {
            Debug debug = AccessControlContext.getDebug();
            boolean dumpDebug = false;
            if (debug != null) {
                dumpDebug = !Debug.isOn("codebase=");
                dumpDebug &= !Debug.isOn("permission=") ||
                    Debug.isOn("permission=" + perm.getClass().getCanonicalName());
            }

            if (dumpDebug && Debug.isOn("stack")) {
                Thread.currentThread().dumpStack();
            }

            if (dumpDebug && Debug.isOn("domain")) {
                debug.println("domain (context is null)");
            }

            if (dumpDebug) {
                debug.println("access allowed "+perm);
            }
            return;
        }

        AccessControlContext acc = stack.optimize();
        acc.checkPermission(perm);
    }
}