1 /* SecurityManager.java -- security checks for privileged actions
2 Copyright (C) 1998, 1999, 2001, 2002 Free Software Foundation, Inc.
4 This file is part of GNU Classpath.
6 GNU Classpath is free software; you can redistribute it and/or modify
7 it under the terms of the GNU General Public License as published by
8 the Free Software Foundation; either version 2, or (at your option)
11 GNU Classpath is distributed in the hope that it will be useful, but
12 WITHOUT ANY WARRANTY; without even the implied warranty of
13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
14 General Public License for more details.
16 You should have received a copy of the GNU General Public License
17 along with GNU Classpath; see the file COPYING. If not, write to the
18 Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA
21 Linking this library statically or dynamically with other modules is
22 making a combined work based on this library. Thus, the terms and
23 conditions of the GNU General Public License cover the whole
26 As a special exception, the copyright holders of this library give you
27 permission to link this library with independent modules to produce an
28 executable, regardless of the license terms of these independent
29 modules, and to copy and distribute the resulting executable under
30 terms of your choice, provided that you also meet, for each linked
31 independent module, the terms and conditions of the license of that
32 module. An independent module is a module which is not derived from
33 or based on this library. If you modify this library, you may extend
34 this exception to your version of the library, but you are not
35 obligated to do so. If you do not wish to do so, delete this
36 exception statement from your version. */
41 import java
.awt
.AWTPermission
;
43 import java
.io
.FileDescriptor
;
44 import java
.io
.FilePermission
;
45 import java
.lang
.reflect
.Member
;
46 import java
.net
.InetAddress
;
47 import java
.net
.SocketPermission
;
48 import java
.security
.AllPermission
;
49 import java
.security
.Permission
;
50 import java
.security
.Security
;
51 import java
.security
.SecurityPermission
;
52 import java
.util
.PropertyPermission
;
55 * SecurityManager is a class you can extend to create your own Java
56 * security policy. By default, there is no SecurityManager installed in
57 * 1.1, which means that all things are permitted to all people. The security
58 * manager, if set, is consulted before doing anything with potentially
59 * dangerous results, and throws a <code>SecurityException</code> if the
60 * action is forbidden.
62 * <p>A typical check is as follows, just before the dangerous operation:<br>
64 * SecurityManager sm = System.getSecurityManager();
66 * sm.checkABC(<em>argument</em>, ...);
68 * Note that this is thread-safe, by caching the security manager in a local
69 * variable rather than risking a NullPointerException if the mangager is
70 * changed between the check for null and before the permission check.
72 * <p>The special method <code>checkPermission</code> is a catchall, and
73 * the default implementation calls
74 * <code>AccessController.checkPermission</code>. In fact, all the other
75 * methods default to calling checkPermission.
77 * <p>Sometimes, the security check needs to happen from a different context,
78 * such as when called from a worker thread. In such cases, use
79 * <code>getSecurityContext</code> to take a snapshot that can be passed
80 * to the worker thread:<br>
82 * Object context = null;
83 * SecurityManager sm = System.getSecurityManager();
85 * context = sm.getSecurityContext(); // defaults to an AccessControlContext
86 * // now, in worker thread
88 * sm.checkPermission(permission, context);
91 * <p>Permissions fall into these categories: File, Socket, Net, Security,
92 * Runtime, Property, AWT, Reflect, and Serializable. Each of these
93 * permissions have a property naming convention, that follows a hierarchical
94 * naming convention, to make it easy to grant or deny several permissions
95 * at once. Some permissions also take a list of permitted actions, such
96 * as "read" or "write", to fine-tune control even more. The permission
97 * <code>java.security.AllPermission</code> grants all permissions.
99 * <p>The default methods in this class deny all things to all people. You
100 * must explicitly grant permission for anything you want to be legal when
101 * subclassing this class.
103 * @author John Keiser
104 * @author Eric Blake <ebb9@email.byu.edu>
106 * @see SecurityException
107 * @see #checkTopLevelWindow(Object)
108 * @see System#getSecurityManager()
109 * @see System#setSecurityManager(SecurityManager)
110 * @see AccessController
111 * @see AccessControlContext
112 * @see AccessControlException
114 * @see BasicPermission
115 * @see java.io.FilePermission
116 * @see java.net.SocketPermission
117 * @see java.util.PropertyPermission
118 * @see RuntimePermission
119 * @see java.awt.AWTPermission
121 * @see SecurityPermission
122 * @see ProtectionDomain
124 * @status still missing 1.4 functionality
126 public class SecurityManager
129 * Tells whether or not the SecurityManager is currently performing a
131 * @deprecated Use {@link #checkPermission(Permission)} instead.
133 protected boolean inCheck
;
136 * Construct a new security manager. There may be a security check, of
137 * <code>RuntimePermission("createSecurityManager")</code>.
139 * @throws SecurityException if permission is denied
141 public SecurityManager()
143 SecurityManager sm
= System
.getSecurityManager();
145 sm
.checkPermission(new RuntimePermission("createSecurityManager"));
149 * Tells whether or not the SecurityManager is currently performing a
152 * @return true if the SecurityManager is in a security check
154 * @deprecated use {@link #checkPermission(Permission)} instead
156 public boolean getInCheck()
162 * Get a list of all the classes currently executing methods on the Java
163 * stack. getClassContext()[0] is the currently executing method (ie. the
164 * class that CALLED getClassContext, not SecurityManager).
166 * @return an array of classes on the Java execution stack
168 protected Class
[] getClassContext()
170 return VMSecurityManager
.getClassContext();
174 * Find the ClassLoader of the first non-system class on the execution
175 * stack. A non-system class is one whose ClassLoader is not equal to
176 * {@link ClassLoader#getSystemClassLoader()} or its ancestors. This
177 * will return null in three cases:<br><nl>
178 * <li>All methods on the stack are from system classes</li>
179 * <li>All methods on the stack up to the first "privileged" caller, as
180 * created by {@link AccessController.doPrivileged(PrivilegedAction)},
181 * are from system classes</li>
182 * <li>A check of <code>java.security.AllPermission</code> succeeds.</li>
185 * @return the most recent non-system ClassLoader on the execution stack
186 * @deprecated use {@link #checkPermission(Permission)} instead
188 protected ClassLoader
currentClassLoader()
190 return VMSecurityManager
.currentClassLoader();
194 * Find the first non-system class on the execution stack. A non-system
195 * class is one whose ClassLoader is not equal to
196 * {@link ClassLoader#getSystemClassLoader()} or its ancestors. This
197 * will return null in three cases:<br><nl>
198 * <li>All methods on the stack are from system classes</li>
199 * <li>All methods on the stack up to the first "privileged" caller, as
200 * created by {@link AccessController.doPrivileged(PrivilegedAction)},
201 * are from system classes</li>
202 * <li>A check of <code>java.security.AllPermission</code> succeeds.</li>
205 * @return the most recent non-system Class on the execution stack
206 * @deprecated use {@link #checkPermission(Permission)} instead
208 protected Class
currentLoadedClass()
210 int i
= classLoaderDepth();
211 return i
>= 0 ?
getClassContext()[i
] : null;
215 * Get the depth of a particular class on the execution stack.
217 * @param className the fully-qualified name to search for
218 * @return the index of the class on the stack, or -1
219 * @deprecated use {@link #checkPermission(Permission)} instead
221 protected int classDepth(String className
)
223 Class
[] c
= getClassContext();
224 for (int i
= 0; i
< c
.length
; i
++)
225 if (className
.equals(c
[i
].getName()))
231 * Get the depth on the execution stack of the most recent non-system class.
232 * A non-system class is one whose ClassLoader is not equal to
233 * {@link ClassLoader#getSystemClassLoader()} or its ancestors. This
234 * will return -1 in three cases:<br><nl>
235 * <li>All methods on the stack are from system classes</li>
236 * <li>All methods on the stack up to the first "privileged" caller, as
237 * created by {@link AccessController.doPrivileged(PrivilegedAction)},
238 * are from system classes</li>
239 * <li>A check of <code>java.security.AllPermission</code> succeeds.</li>
242 * @return the index of the most recent non-system Class on the stack
243 * @deprecated use {@link #checkPermission(Permission)} instead
245 protected int classLoaderDepth()
249 checkPermission(new AllPermission());
251 catch (SecurityException e
)
253 Class
[] c
= getClassContext();
254 for (int i
= 0; i
< c
.length
; i
++)
255 if (c
[i
].getClassLoader() != null)
256 // XXX Check if c[i] is AccessController, or a system class.
263 * Tell whether the specified class is on the execution stack.
265 * @param className the fully-qualified name of the class to find
266 * @return whether the specified class is on the execution stack
267 * @deprecated use {@link #checkPermission(Permission)} instead
269 protected boolean inClass(String className
)
271 return classDepth(className
) != -1;
275 * Tell whether there is a class loaded with an explicit ClassLoader on
278 * @return whether a class with an explicit ClassLoader is on the stack
279 * @deprecated use {@link #checkPermission(Permission)} instead
281 protected boolean inClassLoader()
283 return classLoaderDepth() != -1;
287 * Get an implementation-dependent Object that contains enough information
288 * about the current environment to be able to perform standard security
289 * checks later. This is used by trusted methods that need to verify that
290 * their callers have sufficient access to perform certain operations.
292 * <p>Currently the only methods that use this are checkRead() and
293 * checkConnect(). The default implementation returns an
294 * <code>AccessControlContext</code>.
296 * @return a security context
297 * @see #checkConnect(String, int, Object)
298 * @see #checkRead(String, Object)
299 * @see AccessControlContext
300 * @see AccessController#getContext()
302 public Object
getSecurityContext()
304 // XXX Should be: return AccessController.getContext();
305 return new SecurityContext(getClassContext());
309 * Check if the current thread is allowed to perform an operation that
310 * requires the specified <code>Permission</code>. This defaults to
311 * <code>AccessController.checkPermission</code>.
313 * @param perm the <code>Permission</code> required
314 * @throws SecurityException if permission is denied
315 * @throws NullPointerException if perm is null
318 public void checkPermission(Permission perm
)
320 // XXX Should be: AccessController.checkPermission(perm);
321 throw new SecurityException("Operation not allowed");
325 * Check if the current thread is allowed to perform an operation that
326 * requires the specified <code>Permission</code>. This is done in a
327 * context previously returned by <code>getSecurityContext()</code>. The
328 * default implementation expects context to be an AccessControlContext,
329 * and it calls <code>AccessControlContext.checkPermission(perm)</code>.
331 * @param perm the <code>Permission</code> required
332 * @param context a security context
333 * @throws SecurityException if permission is denied, or if context is
334 * not an AccessControlContext
335 * @throws NullPointerException if perm is null
336 * @see #getSecurityContext()
337 * @see AccessControlContext#checkPermission(Permission)
340 public void checkPermission(Permission perm
, Object context
)
343 // if (! (context instanceof AccessControlContext))
344 // throw new SecurityException("Missing context");
345 // ((AccessControlContext) context).checkPermission(perm);
346 throw new SecurityException("Operation not allowed");
350 * Check if the current thread is allowed to create a ClassLoader. This
351 * method is called from ClassLoader.ClassLoader(), and checks
352 * <code>RuntimePermission("createClassLoader")</code>. If you override
353 * this, you should call <code>super.checkCreateClassLoader()</code> rather
354 * than throwing an exception.
356 * @throws SecurityException if permission is denied
357 * @see ClassLoader#ClassLoader()
359 public void checkCreateClassLoader()
361 checkPermission(new RuntimePermission("createClassLoader"));
365 * Check if the current thread is allowed to modify another Thread. This is
366 * called by Thread.stop(), suspend(), resume(), interrupt(), destroy(),
367 * setPriority(), setName(), and setDaemon(). The default implementation
368 * checks <code>RuntimePermission("modifyThread") on system threads (ie.
369 * threads in ThreadGroup with a null parent), and returns silently on
372 * <p>If you override this, you must do two things. First, call
373 * <code>super.checkAccess(t)</code>, to make sure you are not relaxing
374 * requirements. Second, if the calling thread has
375 * <code>RuntimePermission("modifyThread")</code>, return silently, so that
376 * core classes (the Classpath library!) can modify any thread.
378 * @param t the other Thread to check
379 * @throws SecurityException if permission is denied
380 * @throws NullPointerException if t is null
382 * @see Thread#suspend()
383 * @see Thread#resume()
384 * @see Thread#setPriority(int)
385 * @see Thread#setName(String)
386 * @see Thread#setDaemon(boolean)
388 public void checkAccess(Thread t
)
390 if (t
.group
!= null && t
.group
.getParent() != null)
391 checkPermission(new RuntimePermission("modifyThread"));
395 * Check if the current thread is allowed to modify a ThreadGroup. This is
396 * called by Thread.Thread() (to add a thread to the ThreadGroup),
397 * ThreadGroup.ThreadGroup() (to add this ThreadGroup to a parent),
398 * ThreadGroup.stop(), suspend(), resume(), interrupt(), destroy(),
399 * setDaemon(), and setMaxPriority(). The default implementation
400 * checks <code>RuntimePermission("modifyThread") on the system group (ie.
401 * the one with a null parent), and returns silently on other groups.
403 * <p>If you override this, you must do two things. First, call
404 * <code>super.checkAccess(t)</code>, to make sure you are not relaxing
405 * requirements. Second, if the calling thread has
406 * <code>RuntimePermission("modifyThreadGroup")</code>, return silently,
407 * so that core classes (the Classpath library!) can modify any thread.
409 * @param g the ThreadGroup to check
410 * @throws SecurityException if permission is denied
411 * @throws NullPointerException if g is null
412 * @see Thread#Thread()
413 * @see ThreadGroup#ThreadGroup()
414 * @see ThreadGroup#stop()
415 * @see ThreadGroup#suspend()
416 * @see ThreadGroup#resume()
417 * @see ThreadGroup#interrupt()
418 * @see ThreadGroup#setDaemon(boolean)
419 * @see ThreadGroup#setMaxPriority(int)
421 public void checkAccess(ThreadGroup g
)
423 if (g
.getParent() != null)
424 checkPermission(new RuntimePermission("modifyThreadGroup"));
428 * Check if the current thread is allowed to exit the JVM with the given
429 * status. This method is called from Runtime.exit() and Runtime.halt().
430 * The default implementation checks
431 * <code>RuntimePermission("exitVM")</code>. If you override this, call
432 * <code>super.checkExit</code> rather than throwing an exception.
434 * @param status the status to exit with
435 * @throws SecurityException if permission is denied
436 * @see Runtime#exit(int)
437 * @see Runtime#halt(int)
439 public void checkExit(int status
)
441 checkPermission(new RuntimePermission("exitVM"));
445 * Check if the current thread is allowed to execute the given program. This
446 * method is called from Runtime.exec(). If the name is an absolute path,
447 * the default implementation checks
448 * <code>FilePermission(program, "execute")</code>, otherwise it checks
449 * <code>FilePermission("<<ALL FILES>>", "execute")</code>. If
450 * you override this, call <code>super.checkExec</code> rather than
451 * throwing an exception.
453 * @param program the name of the program to exec
454 * @throws SecurityException if permission is denied
455 * @throws NullPointerException if program is null
456 * @see Runtime#exec(String[], String[], File)
458 public void checkExec(String program
)
460 if (! program
.equals(new File(program
).getAbsolutePath()))
461 program
= "<<ALL FILES>>";
462 checkPermission(new FilePermission(program
, "execute"));
466 * Check if the current thread is allowed to link in the given native
467 * library. This method is called from Runtime.load() (and hence, by
468 * loadLibrary() as well). The default implementation checks
469 * <code>RuntimePermission("loadLibrary." + filename)</code>. If you
470 * override this, call <code>super.checkLink</code> rather than throwing
473 * @param filename the full name of the library to load
474 * @throws SecurityException if permission is denied
475 * @throws NullPointerException if filename is null
476 * @see Runtime#load(String)
478 public void checkLink(String filename
)
480 // Use the toString() hack to do the null check.
481 checkPermission(new RuntimePermission("loadLibrary."
482 + filename
.toString()));
486 * Check if the current thread is allowed to read the given file using the
487 * FileDescriptor. This method is called from
488 * FileInputStream.FileInputStream(). The default implementation checks
489 * <code>RuntimePermission("readFileDescriptor")</code>. If you override
490 * this, call <code>super.checkRead</code> rather than throwing an
493 * @param desc the FileDescriptor representing the file to access
494 * @throws SecurityException if permission is denied
495 * @throws NullPointerException if desc is null
496 * @see FileInputStream#FileInputStream(FileDescriptor)
498 public void checkRead(FileDescriptor desc
)
501 throw new NullPointerException();
502 checkPermission(new RuntimePermission("readFileDescriptor"));
506 * Check if the current thread is allowed to read the given file. This
507 * method is called from FileInputStream.FileInputStream(),
508 * RandomAccessFile.RandomAccessFile(), File.exists(), canRead(), isFile(),
509 * isDirectory(), lastModified(), length() and list(). The default
510 * implementation checks <code>FilePermission(filename, "read")</code>. If
511 * you override this, call <code>super.checkRead</code> rather than
512 * throwing an exception.
514 * @param filename the full name of the file to access
515 * @throws SecurityException if permission is denied
516 * @throws NullPointerException if filename is null
518 * @see FileInputStream#FileInputStream(String)
519 * @see RandomAccessFile#RandomAccessFile(String)
521 public void checkRead(String filename
)
523 checkPermission(new FilePermission(filename
, "read"));
527 * Check if the current thread is allowed to read the given file. using the
528 * given security context. The context must be a result of a previous call
529 * to <code>getSecurityContext()</code>. The default implementation checks
530 * <code>AccessControlContext.checkPermission(new FilePermission(filename,
531 * "read"))</code>. If you override this, call <code>super.checkRead</code>
532 * rather than throwing an exception.
534 * @param filename the full name of the file to access
535 * @param context the context to determine access for
536 * @throws SecurityException if permission is denied, or if context is
537 * not an AccessControlContext
538 * @throws NullPointerException if filename is null
539 * @see #getSecurityContext()
540 * @see AccessControlContext#checkPermission(Permission)
542 public void checkRead(String filename
, Object context
)
545 // if (! (context instanceof AccessControlContext))
546 // throw new SecurityException("Missing context");
547 // AccessControlContext ac = (AccessControlContext) context;
548 // ac.checkPermission(new FilePermission(filename, "read"));
549 throw new SecurityException("Cannot read files via file names.");
553 * Check if the current thread is allowed to write the given file using the
554 * FileDescriptor. This method is called from
555 * FileOutputStream.FileOutputStream(). The default implementation checks
556 * <code>RuntimePermission("writeFileDescriptor")</code>. If you override
557 * this, call <code>super.checkWrite</code> rather than throwing an
560 * @param desc the FileDescriptor representing the file to access
561 * @throws SecurityException if permission is denied
562 * @throws NullPointerException if desc is null
563 * @see FileOutputStream#FileOutputStream(FileDescriptor)
565 public void checkWrite(FileDescriptor desc
)
568 throw new NullPointerException();
569 checkPermission(new RuntimePermission("writeFileDescriptor"));
573 * Check if the current thread is allowed to write the given file. This
574 * method is called from FileOutputStream.FileOutputStream(),
575 * RandomAccessFile.RandomAccessFile(), File.canWrite(), mkdir(), and
576 * renameTo(). The default implementation checks
577 * <code>FilePermission(filename, "write")</code>. If you override this,
578 * call <code>super.checkWrite</code> rather than throwing an exception.
580 * @param filename the full name of the file to access
581 * @throws SecurityException if permission is denied
582 * @throws NullPointerException if filename is null
584 * @see File#canWrite()
586 * @see File#renameTo()
587 * @see FileOutputStream#FileOutputStream(String)
588 * @see RandomAccessFile#RandomAccessFile(String)
590 public void checkWrite(String filename
)
592 checkPermission(new FilePermission(filename
, "write"));
596 * Check if the current thread is allowed to delete the given file. This
597 * method is called from File.delete(). The default implementation checks
598 * <code>FilePermission(filename, "delete")</code>. If you override this,
599 * call <code>super.checkDelete</code> rather than throwing an exception.
601 * @param filename the full name of the file to delete
602 * @throws SecurityException if permission is denied
603 * @throws NullPointerException if filename is null
606 public void checkDelete(String filename
)
608 checkPermission(new FilePermission(filename
, "delete"));
612 * Check if the current thread is allowed to connect to a given host on a
613 * given port. This method is called from Socket.Socket(). A port number
614 * of -1 indicates the caller is attempting to determine an IP address, so
615 * the default implementation checks
616 * <code>SocketPermission(host, "resolve")</code>. Otherwise, the default
617 * implementation checks
618 * <code>SocketPermission(host + ":" + port, "connect")</code>. If you
619 * override this, call <code>super.checkConnect</code> rather than throwing
622 * @param host the host to connect to
623 * @param port the port to connect on
624 * @throws SecurityException if permission is denied
625 * @throws NullPointerException if host is null
626 * @see Socket#Socket()
628 public void checkConnect(String host
, int port
)
631 checkPermission(new SocketPermission(host
, "resolve"));
633 // Use the toString() hack to do the null check.
634 checkPermission(new SocketPermission(host
.toString() + ":" + port
,
639 * Check if the current thread is allowed to connect to a given host on a
640 * given port, using the given security context. The context must be a
641 * result of a previous call to <code>getSecurityContext</code>. A port
642 * number of -1 indicates the caller is attempting to determine an IP
643 * address, so the default implementation checks
644 * <code>AccessControlContext.checkPermission(new SocketPermission(host,
645 * "resolve"))</code>. Otherwise, the default implementation checks
646 * <code>AccessControlContext.checkPermission(new SocketPermission(host
647 * + ":" + port, "connect"))</code>. If you override this, call
648 * <code>super.checkConnect</code> rather than throwing an exception.
650 * @param host the host to connect to
651 * @param port the port to connect on
652 * @param context the context to determine access for
653 * @throws SecurityException if permission is denied, or if context is
654 * not an AccessControlContext
655 * @throws NullPointerException if host is null
656 * @see #getSecurityContext()
657 * @see AccessControlContext#checkPermission(Permission)
659 public void checkConnect(String host
, int port
, Object securityContext
)
662 // if (! (context instanceof AccessControlContext))
663 // throw new SecurityException("Missing context");
664 // AccessControlContext ac = (AccessControlContext) context;
666 // ac.checkPermission(new SocketPermission(host, "resolve"));
668 // // Use the toString() hack to do the null check.
669 // ac.checkPermission(new SocketPermission(host.toString + ":" +port,
671 throw new SecurityException("Cannot make network connections.");
675 * Check if the current thread is allowed to listen to a specific port for
676 * data. This method is called by ServerSocket.ServerSocket(). The default
677 * implementation checks
678 * <code>SocketPermission("localhost:" + (port == 0 ? "1024-" : "" + port),
679 * "listen")</code>. If you override this, call
680 * <code>super.checkListen</code> rather than throwing an exception.
682 * @param port the port to listen on
683 * @throws SecurityException if permission is denied
684 * @see ServerSocket#ServerSocket(int)
686 public void checkListen(int port
)
688 checkPermission(new SocketPermission("localhost:"
689 + (port
== 0 ?
"1024-" : "" +port
),
694 * Check if the current thread is allowed to accept a connection from a
695 * particular host on a particular port. This method is called by
696 * ServerSocket.implAccept(). The default implementation checks
697 * <code>SocketPermission(host + ":" + port, "accept")</code>. If you
698 * override this, call <code>super.checkAccept</code> rather than throwing
701 * @param host the host which wishes to connect
702 * @param port the port the connection will be on
703 * @throws SecurityException if permission is denied
704 * @throws NullPointerException if host is null
705 * @see ServerSocket#accept()
707 public void checkAccept(String host
, int port
)
709 // Use the toString() hack to do the null check.
710 checkPermission(new SocketPermission(host
.toString() + ":" + port
,
715 * Check if the current thread is allowed to read and write multicast to
716 * a particular address. The default implementation checks
717 * <code>SocketPermission(addr.getHostAddress(), "accept,connect")</code>.
718 * If you override this, call <code>super.checkMulticast</code> rather than
719 * throwing an exception.
721 * @param addr the address to multicast to
722 * @throws SecurityException if permission is denied
723 * @throws NullPointerException if host is null
726 public void checkMulticast(InetAddress addr
)
728 checkPermission(new SocketPermission(addr
.getHostAddress(),
733 *Check if the current thread is allowed to read and write multicast to
734 * a particular address with a particular ttl (time-to-live) value. The
735 * default implementation ignores ttl, and checks
736 * <code>SocketPermission(addr.getHostAddress(), "accept,connect")</code>.
737 * If you override this, call <code>super.checkMulticast</code> rather than
738 * throwing an exception.
740 * @param addr the address to multicast to
741 * @param ttl value in use for multicast send
742 * @throws SecurityException if permission is denied
743 * @throws NullPointerException if host is null
745 * @deprecated use {@link #checkPermission(Permission)} instead
747 public void checkMulticast(InetAddress addr
, byte ttl
)
749 checkPermission(new SocketPermission(addr
.getHostAddress(),
754 * Check if the current thread is allowed to read or write all the system
755 * properties at once. This method is called by System.getProperties()
756 * and setProperties(). The default implementation checks
757 * <code>PropertyPermission("*", "read,write")</code>. If you override
758 * this, call <code>super.checkPropertiesAccess</code> rather than
759 * throwing an exception.
761 * @throws SecurityException if permission is denied
762 * @see System#getProperties()
763 * @see System#setProperties(Properties)
765 public void checkPropertiesAccess()
767 checkPermission(new PropertyPermission("*", "read,write"));
771 * Check if the current thread is allowed to read a particular system
772 * property (writes are checked directly via checkPermission). This method
773 * is called by System.getProperty() and setProperty(). The default
774 * implementation checks <code>PropertyPermission(key, "read")</code>. If
775 * you override this, call <code>super.checkPropertyAccess</code> rather
776 * than throwing an exception.
778 * @throws SecurityException if permission is denied
779 * @throws NullPointerException if key is null
780 * @throws IllegalArgumentException if key is ""
781 * @see System#getProperty(String)
783 public void checkPropertyAccess(String key
)
785 checkPermission(new PropertyPermission(key
, "read"));
789 * Check if the current thread is allowed to create a top-level window. If
790 * it is not, the operation should still go through, but some sort of
791 * nonremovable warning should be placed on the window to show that it
792 * is untrusted. This method is called by Window.Window(). The default
793 * implementation checks
794 * <code>AWTPermission("showWindowWithoutWarningBanner")</code>, and returns
795 * true if no exception was thrown. If you override this, use
796 * <code>return super.checkTopLevelWindow</code> rather than returning
799 * @param window the window to create
800 * @return true if there is permission to show the window without warning
801 * @throws NullPointerException if window is null
802 * @see Window#Window(Frame)
804 public boolean checkTopLevelWindow(Object window
)
807 throw new NullPointerException();
810 checkPermission(new AWTPermission("showWindowWithoutWarningBanner"));
813 catch (SecurityException e
)
820 * Check if the current thread is allowed to create a print job. This
821 * method is called by Toolkit.getPrintJob(). The default implementation
822 * checks <code>RuntimePermission("queuePrintJob")</code>. If you override
823 * this, call <code>super.checkPrintJobAccess</code> rather than throwing
826 * @throws SecurityException if permission is denied
827 * @see Toolkit#getPrintJob(Frame, String, Properties)
830 public void checkPrintJobAccess()
832 checkPermission(new RuntimePermission("queuePrintJob"));
836 * Check if the current thread is allowed to use the system clipboard. This
837 * method is called by Toolkit.getSystemClipboard(). The default
838 * implementation checks <code>AWTPermission("accessClipboard")</code>. If
839 * you override this, call <code>super.checkSystemClipboardAccess</code>
840 * rather than throwing an exception.
842 * @throws SecurityException if permission is denied
843 * @see Toolkit#getSystemClipboard()
846 public void checkSystemClipboardAccess()
848 checkPermission(new AWTPermission("accessClipboard"));
852 * Check if the current thread is allowed to use the AWT event queue. This
853 * method is called by Toolkit.getSystemEventQueue(). The default
854 * implementation checks <code>AWTPermission("accessEventQueue")</code>.
855 * you override this, call <code>super.checkAwtEventQueueAccess</code>
856 * rather than throwing an exception.
858 * @throws SecurityException if permission is denied
859 * @see Toolkit#getSystemEventQueue()
862 public void checkAwtEventQueueAccess()
864 // Should be: checkPermission(new AWTPermission("accessEventQueue"));
865 throw new SecurityException("Cannot access the AWT event queue.");
869 * Check if the current thread is allowed to access the specified package
870 * at all. This method is called by ClassLoader.loadClass() in user-created
871 * ClassLoaders. The default implementation gets a list of all restricted
872 * packages, via <code>Security.getProperty("package.access")</code>. Then,
873 * if packageName starts with or equals any restricted package, it checks
874 * <code>RuntimePermission("accessClassInPackage." + packageName)</code>.
875 * If you override this, you should call
876 * <code>super.checkPackageAccess</code> before doing anything else.
878 * @param packageName the package name to check access to
879 * @throws SecurityException if permission is denied
880 * @throws NullPointerException if packageName is null
881 * @see ClassLoader#loadClass(String, boolean)
882 * @see Security#getProperty(String)
884 public void checkPackageAccess(String packageName
)
886 checkPackageList(packageName
, "access", "accessClassInPackage.");
890 * Check if the current thread is allowed to define a class into the
891 * specified package. This method is called by ClassLoader.loadClass() in
892 * user-created ClassLoaders. The default implementation gets a list of all
893 * restricted packages, via
894 * <code>Security.getProperty("package.definition")</code>. Then, if
895 * packageName starts with or equals any restricted package, it checks
896 * <code>RuntimePermission("defineClassInPackage." + packageName)</code>.
897 * If you override this, you should call
898 * <code>super.checkPackageDefinition</code> before doing anything else.
900 * @param packageName the package name to check access to
901 * @throws SecurityException if permission is denied
902 * @throws NullPointerException if packageName is null
903 * @see ClassLoader#loadClass(String, boolean)
904 * @see Security#getProperty(String)
906 public void checkPackageDefinition(String packageName
)
908 checkPackageList(packageName
, "definition", "defineClassInPackage.");
912 * Check if the current thread is allowed to set the current socket factory.
913 * This method is called by Socket.setSocketImplFactory(),
914 * ServerSocket.setSocketFactory(), and URL.setURLStreamHandlerFactory().
915 * The default implementation checks
916 * <code>RuntimePermission("setFactory")</code>. If you override this, call
917 * <code>super.checkSetFactory</code> rather than throwing an exception.
919 * @throws SecurityException if permission is denied
920 * @see Socket#setSocketImplFactory(SocketImplFactory)
921 * @see ServerSocket#setSocketFactory(SocketImplFactory)
922 * @see URL#setURLStreamHandlerFactory(URLStreamHandlerFactory)
924 public void checkSetFactory()
926 checkPermission(new RuntimePermission("setFactory"));
930 * Check if the current thread is allowed to get certain types of Methods,
931 * Fields and Constructors from a Class object. This method is called by
932 * Class.getMethod[s](), Class.getField[s](), Class.getConstructor[s],
933 * Class.getDeclaredMethod[s](), Class.getDeclaredField[s](), and
934 * Class.getDeclaredConstructor[s](). The default implementation allows
935 * PUBLIC access, and access to classes defined by the same classloader as
936 * the code performing the reflection. Otherwise, it checks
937 * <code>RuntimePermission("accessDeclaredMembers")</code>. If you override
938 * this, do not call <code>super.checkMemberAccess</code>, as this would
939 * mess up the stack depth check that determines the ClassLoader requesting
942 * @param c the Class to check
943 * @param memberType either DECLARED or PUBLIC
944 * @throws SecurityException if permission is denied, including when
945 * memberType is not DECLARED or PUBLIC
946 * @throws NullPointerException if c is null
948 * @see Member#DECLARED
952 public void checkMemberAccess(Class c
, int memberType
)
955 throw new NullPointerException();
956 if (memberType
== Member
.PUBLIC
)
958 // XXX Allow access to classes created by same classloader before next
960 checkPermission(new RuntimePermission("accessDeclaredMembers"));
964 * Test whether a particular security action may be taken. The default
965 * implementation checks <code>SecurityPermission(action)</code>. If you
966 * override this, call <code>super.checkSecurityAccess</code> rather than
967 * throwing an exception.
969 * @param action the desired action to take
970 * @throws SecurityException if permission is denied
971 * @throws NullPointerException if action is null
972 * @throws IllegalArgumentException if action is ""
975 public void checkSecurityAccess(String action
)
977 checkPermission(new SecurityPermission(action
));
981 * Get the ThreadGroup that a new Thread should belong to by default. Called
982 * by Thread.Thread(). The default implementation returns the current
983 * ThreadGroup of the current Thread. <STRONG>Spec Note:</STRONG> it is not
984 * clear whether the new Thread is guaranteed to pass the
985 * checkAccessThreadGroup() test when using this ThreadGroup, but I presume
988 * @return the ThreadGroup to put the new Thread into
991 public ThreadGroup
getThreadGroup()
993 return Thread
.currentThread().getThreadGroup();
997 * Helper that checks a comma-separated list of restricted packages, from
998 * <code>Security.getProperty("package.definition")</code>, for the given
999 * package access permission. If packageName starts with or equals any
1000 * restricted package, it checks
1001 * <code>RuntimePermission(permission + packageName)</code>.
1003 * @param packageName the package name to check access to
1004 * @param restriction the list of restrictions, after "package."
1005 * @param permission the base permission, including the '.'
1006 * @throws SecurityException if permission is denied
1007 * @throws NullPointerException if packageName is null
1008 * @see #checkPackageAccess(String)
1009 * @see #checkPackageDefinition(String)
1011 void checkPackageList(String packageName
, String restriction
,
1014 // Use the toString() hack to do the null check.
1015 Permission p
= new RuntimePermission(permission
+ packageName
.toString());
1016 String list
= Security
.getProperty("package." + restriction
);
1019 while (! "".equals(packageName
))
1021 for (int index
= list
.indexOf(packageName
);
1022 index
!= -1; index
= list
.indexOf(packageName
, index
+ 1))
1024 // Exploit package visibility for speed.
1025 int packageNameCount
= packageName
.length();
1026 if (index
+ packageNameCount
== list
.length()
1027 || list
.charAt(index
+ packageNameCount
) == ',')
1033 int index
= packageName
.lastIndexOf('.');
1034 packageName
= index
< 0 ?
"" : packageName
.substring(0, index
);
1037 } // class SecurityManager
1039 // XXX This class is unnecessary.
1040 class SecurityContext
{
1042 SecurityContext(Class
[] classes
) {
1043 this.classes
= classes
;