1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
|
/*
* Copyright (c) 1997, 2013, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License version 2 only, as
* published by the Free Software Foundation. Oracle designates this
* particular file as subject to the "Classpath" exception as provided
* by Oracle in the LICENSE file that accompanied this code.
*
* This code is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* version 2 for more details (a copy is included in the LICENSE file that
* accompanied this code).
*
* You should have received a copy of the GNU General Public License version
* 2 along with this work; if not, write to the Free Software Foundation,
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
*
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
* or visit www.oracle.com if you need additional information or have any
* questions.
*/
package java.security;
import java.security.*;
import java.util.Enumeration;
import java.util.Hashtable;
import java.util.StringTokenizer;
/**
* This class is for security permissions.
* A SecurityPermission contains a name (also referred to as a "target name")
* but no actions list; you either have the named permission
* or you don't.
* <P>
* The target name is the name of a security configuration parameter (see below).
* Currently the SecurityPermission object is used to guard access
* to the Policy, Security, Provider, Signer, and Identity
* objects.
* <P>
* The following table lists all the possible SecurityPermission target names,
* and for each provides a description of what the permission allows
* and a discussion of the risks of granting code the permission.
*
* <table border=1 cellpadding=5 summary="target name,what the permission allows, and associated risks">
* <tr>
* <th>Permission Target Name</th>
* <th>What the Permission Allows</th>
* <th>Risks of Allowing this Permission</th>
* </tr>
*
* <tr>
* <td>createAccessControlContext</td>
* <td>Creation of an AccessControlContext</td>
* <td>This allows someone to instantiate an AccessControlContext
* with a {@code DomainCombiner}. Extreme care must be taken when
* granting this permission. Malicious code could create a DomainCombiner
* that augments the set of permissions granted to code, and even grant the
* code {@link java.security.AllPermission}.</td>
* </tr>
*
* <tr>
* <td>getDomainCombiner</td>
* <td>Retrieval of an AccessControlContext's DomainCombiner</td>
* <td>This allows someone to retrieve an AccessControlContext's
* {@code DomainCombiner}. Since DomainCombiners may contain
* sensitive information, this could potentially lead to a privacy leak.</td>
* </tr>
*
* <tr>
* <td>getPolicy</td>
* <td>Retrieval of the system-wide security policy (specifically, of the
* currently-installed Policy object)</td>
* <td>This allows someone to query the policy via the
* {@code getPermissions} call,
* which discloses which permissions would be granted to a given CodeSource.
* While revealing the policy does not compromise the security of
* the system, it does provide malicious code with additional information
* which it may use to better aim an attack. It is wise
* not to divulge more information than necessary.</td>
* </tr>
*
* <tr>
* <td>setPolicy</td>
* <td>Setting of the system-wide security policy (specifically,
* the Policy object)</td>
* <td>Granting this permission is extremely dangerous, as malicious
* code may grant itself all the necessary permissions it needs
* to successfully mount an attack on the system.</td>
* </tr>
*
* <tr>
* <td>createPolicy.{policy type}</td>
* <td>Getting an instance of a Policy implementation from a provider</td>
* <td>Granting this permission enables code to obtain a Policy object.
* Malicious code may query the Policy object to determine what permissions
* have been granted to code other than itself. </td>
* </tr>
*
* <tr>
* <td>getProperty.{key}</td>
* <td>Retrieval of the security property with the specified key</td>
* <td>Depending on the particular key for which access has
* been granted, the code may have access to the list of security
* providers, as well as the location of the system-wide and user
* security policies. while revealing this information does not
* compromise the security of the system, it does provide malicious
* code with additional information which it may use to better aim
* an attack.
</td>
* </tr>
*
* <tr>
* <td>setProperty.{key}</td>
* <td>Setting of the security property with the specified key</td>
* <td>This could include setting a security provider or defining
* the location of the system-wide security policy. Malicious
* code that has permission to set a new security provider may
* set a rogue provider that steals confidential information such
* as cryptographic private keys. In addition, malicious code with
* permission to set the location of the system-wide security policy
* may point it to a security policy that grants the attacker
* all the necessary permissions it requires to successfully mount
* an attack on the system.
</td>
* </tr>
*
* <tr>
* <td>insertProvider</td>
* <td>Addition of a new provider</td>
* <td>This would allow somebody to introduce a possibly
* malicious provider (e.g., one that discloses the private keys passed
* to it) as the highest-priority provider. This would be possible
* because the Security object (which manages the installed providers)
* currently does not check the integrity or authenticity of a provider
* before attaching it. The "insertProvider" permission subsumes the
* "insertProvider.{provider name}" permission (see the section below for
* more information).
* </td>
* </tr>
*
* <tr>
* <td>removeProvider.{provider name}</td>
* <td>Removal of the specified provider</td>
* <td>This may change the behavior or disable execution of other
* parts of the program. If a provider subsequently requested by the
* program has been removed, execution may fail. Also, if the removed
* provider is not explicitly requested by the rest of the program, but
* it would normally be the provider chosen when a cryptography service
* is requested (due to its previous order in the list of providers),
* a different provider will be chosen instead, or no suitable provider
* will be found, thereby resulting in program failure.</td>
* </tr>
*
* <tr>
* <td>clearProviderProperties.{provider name}</td>
* <td>"Clearing" of a Provider so that it no longer contains the properties
* used to look up services implemented by the provider</td>
* <td>This disables the lookup of services implemented by the provider.
* This may thus change the behavior or disable execution of other
* parts of the program that would normally utilize the Provider, as
* described under the "removeProvider.{provider name}" permission.</td>
* </tr>
*
* <tr>
* <td>putProviderProperty.{provider name}</td>
* <td>Setting of properties for the specified Provider</td>
* <td>The provider properties each specify the name and location
* of a particular service implemented by the provider. By granting
* this permission, you let code replace the service specification
* with another one, thereby specifying a different implementation.</td>
* </tr>
*
* <tr>
* <td>removeProviderProperty.{provider name}</td>
* <td>Removal of properties from the specified Provider</td>
* <td>This disables the lookup of services implemented by the
* provider. They are no longer accessible due to removal of the properties
* specifying their names and locations. This
* may change the behavior or disable execution of other
* parts of the program that would normally utilize the Provider, as
* described under the "removeProvider.{provider name}" permission.</td>
* </tr>
*
* </table>
*
* <P>
* The following permissions have been superseded by newer permissions or are
* associated with classes that have been deprecated: {@link Identity},
* {@link IdentityScope}, {@link Signer}. Use of them is discouraged. See the
* applicable classes for more information.
*
* <table border=1 cellpadding=5 summary="target name,what the permission allows, and associated risks">
* <tr>
* <th>Permission Target Name</th>
* <th>What the Permission Allows</th>
* <th>Risks of Allowing this Permission</th>
* </tr>
*
* <tr>
* <td>insertProvider.{provider name}</td>
* <td>Addition of a new provider, with the specified name</td>
* <td>Use of this permission is discouraged from further use because it is
* possible to circumvent the name restrictions by overriding the
* {@link java.security.Provider#getName} method. Also, there is an equivalent
* level of risk associated with granting code permission to insert a provider
* with a specific name, or any name it chooses. Users should use the
* "insertProvider" permission instead.
* <p>This would allow somebody to introduce a possibly
* malicious provider (e.g., one that discloses the private keys passed
* to it) as the highest-priority provider. This would be possible
* because the Security object (which manages the installed providers)
* currently does not check the integrity or authenticity of a provider
* before attaching it.</td>
* </tr>
*
* <tr>
* <td>setSystemScope</td>
* <td>Setting of the system identity scope</td>
* <td>This would allow an attacker to configure the system identity scope with
* certificates that should not be trusted, thereby granting applet or
* application code signed with those certificates privileges that
* would have been denied by the system's original identity scope.</td>
* </tr>
*
* <tr>
* <td>setIdentityPublicKey</td>
* <td>Setting of the public key for an Identity</td>
* <td>If the identity is marked as "trusted", this allows an attacker to
* introduce a different public key (e.g., its own) that is not trusted
* by the system's identity scope, thereby granting applet or
* application code signed with that public key privileges that
* would have been denied otherwise.</td>
* </tr>
*
* <tr>
* <td>setIdentityInfo</td>
* <td>Setting of a general information string for an Identity</td>
* <td>This allows attackers to set the general description for
* an identity. This may trick applications into using a different
* identity than intended or may prevent applications from finding a
* particular identity.</td>
* </tr>
*
* <tr>
* <td>addIdentityCertificate</td>
* <td>Addition of a certificate for an Identity</td>
* <td>This allows attackers to set a certificate for
* an identity's public key. This is dangerous because it affects
* the trust relationship across the system. This public key suddenly
* becomes trusted to a wider audience than it otherwise would be.</td>
* </tr>
*
* <tr>
* <td>removeIdentityCertificate</td>
* <td>Removal of a certificate for an Identity</td>
* <td>This allows attackers to remove a certificate for
* an identity's public key. This is dangerous because it affects
* the trust relationship across the system. This public key suddenly
* becomes considered less trustworthy than it otherwise would be.</td>
* </tr>
*
* <tr>
* <td>printIdentity</td>
* <td>Viewing the name of a principal
* and optionally the scope in which it is used, and whether
* or not it is considered "trusted" in that scope</td>
* <td>The scope that is printed out may be a filename, in which case
* it may convey local system information. For example, here's a sample
* printout of an identity named "carol", who is
* marked not trusted in the user's identity database:<br>
* carol[/home/luehe/identitydb.obj][not trusted]</td>
*</tr>
*
* <tr>
* <td>getSignerPrivateKey</td>
* <td>Retrieval of a Signer's private key</td>
* <td>It is very dangerous to allow access to a private key; private
* keys are supposed to be kept secret. Otherwise, code can use the
* private key to sign various files and claim the signature came from
* the Signer.</td>
* </tr>
*
* <tr>
* <td>setSignerKeyPair</td>
* <td>Setting of the key pair (public key and private key) for a Signer</td>
* <td>This would allow an attacker to replace somebody else's (the "target's")
* keypair with a possibly weaker keypair (e.g., a keypair of a smaller
* keysize). This also would allow the attacker to listen in on encrypted
* communication between the target and its peers. The target's peers
* might wrap an encryption session key under the target's "new" public
* key, which would allow the attacker (who possesses the corresponding
* private key) to unwrap the session key and decipher the communication
* data encrypted under that session key.</td>
* </tr>
*
* </table>
*
* @see java.security.BasicPermission
* @see java.security.Permission
* @see java.security.Permissions
* @see java.security.PermissionCollection
* @see java.lang.SecurityManager
*
*
* @author Marianne Mueller
* @author Roland Schemers
*/
public final class SecurityPermission extends BasicPermission {
private static final long serialVersionUID = 5236109936224050470L;
/**
* Creates a new SecurityPermission with the specified name.
* The name is the symbolic name of the SecurityPermission. An asterisk
* may appear at the end of the name, following a ".", or by itself, to
* signify a wildcard match.
*
* @param name the name of the SecurityPermission
*
* @throws NullPointerException if {@code name} is {@code null}.
* @throws IllegalArgumentException if {@code name} is empty.
*/
public SecurityPermission(String name)
{
super(name);
}
/**
* Creates a new SecurityPermission object with the specified name.
* The name is the symbolic name of the SecurityPermission, and the
* actions String is currently unused and should be null.
*
* @param name the name of the SecurityPermission
* @param actions should be null.
*
* @throws NullPointerException if {@code name} is {@code null}.
* @throws IllegalArgumentException if {@code name} is empty.
*/
public SecurityPermission(String name, String actions)
{
super(name, actions);
}
}
|
