@Override public PermissionCollection getPermissions(CodeSource codeSource) { return codeSource == null ? Policy.UNSUPPORTED_EMPTY_COLLECTION : getPermissions(new ProtectionDomain(codeSource, null)); }
private ProtectionDomain getPD(CodeSource cs) { if (cs == null) { return null; } // need to cache PDs, otherwise every class from a given CodeSource // will have it's own ProtectionDomain, which does not look right. ProtectionDomain pd; synchronized (pds) { if ((pd = pds.get(cs)) != null) { return pd; } PermissionCollection perms = getPermissions(cs); pd = new ProtectionDomain(cs, perms, this, null); pds.put(cs, pd); } return pd; } }
private PermissionCollection getPermissionCollection(Subject subject) { return getPolicy().getPermissions( new ProtectionDomain( new CodeSource(null, (Certificate[]) null), null, null, subject.getPrincipals().toArray(new Principal[subject.getPrincipals().size()]) ) ); }
private ProtectionDomain get(String name) { URL url = url(name); if (url==null) return null; ProtectionDomain pd = null; synchronized (cache) { pd = cache.get(url); if (pd == null) { CodeSource cs = new CodeSource(url,(CodeSigner []) null); pd = new ProtectionDomain(cs, null, this, null); cache.put(url, pd); } } return pd; }
private boolean hasPermission(Account account, Deployment deployment, ServletInfo servletInfo, Permission permission) { CodeSource codeSource = servletInfo.getServletClass().getProtectionDomain().getCodeSource(); ProtectionDomain domain = new ProtectionDomain(codeSource, null, null, getGrantedRoles(account, deployment)); return hasPermission(domain, permission); }
public static boolean hasAccess(String uri, Subject subject) { return getPolicy().implies( new ProtectionDomain( new CodeSource(null, (Certificate[]) null), null, null, subject.getPrincipals().toArray(new Principal[subject.getPrincipals().size()]) ), new WebResourcePermission(uri, "GET") ); } }
private void hasPermission(EJBComponent ejbComponent, ComponentView componentView, Method method, SecurityIdentity securityIdentity) { MethodInterfaceType methodIntfType = getMethodInterfaceType(componentView.getPrivateData(MethodIntf.class)); EJBMethodPermission permission = createEjbMethodPermission(method, ejbComponent, methodIntfType); ProtectionDomain domain = new ProtectionDomain (componentView.getProxyClass().getProtectionDomain().getCodeSource(), null, null, getGrantedRoles(securityIdentity)); Policy policy = WildFlySecurityManager.isChecking() ? doPrivileged((PrivilegedAction<Policy>) Policy::getPolicy) : Policy.getPolicy(); if (!policy.implies(domain, permission)) { throw EjbLogger.ROOT_LOGGER.invocationOfMethodNotAllowed(method,ejbComponent.getComponentName()); } }
private void doPermissionCheckInContext(PermissionCheckEntityInformation entityInformation, PermissibleAction action) { final Policy policy = Policy.getPolicy(); final Principal[] principals = getCallerPrincipals(); final CodeSource codeSource = entityInformation.getEntity().getClass().getProtectionDomain().getCodeSource(); final ProtectionDomain pd = new ProtectionDomain( codeSource, null, null, principals ); // the action is known as 'method name' in JACC final EJBMethodPermission jaccPermission = new EJBMethodPermission( entityInformation.getEntityName(), action.getImpliedActions()[0], null, null ); if ( ! policy.implies( pd, jaccPermission) ) { throw new SecurityException( String.format( "JACC denied permission to [%s.%s] for [%s]", entityInformation.getEntityName(), action.getImpliedActions()[0], join( principals ) ) ); } }
classData, 0, classData.length, targetClassLoader, new ProtectionDomain(new CodeSource(null, (Certificate[]) null), new Permissions()));
/** * Define a class given its bytes * * @param container the container from which the class data has been read * may be a directory or a jar/zip file. * * @param classData the bytecode data for the class * @param classname the name of the class * * @return the Class instance created from the given data * * @throws IOException if the class data cannot be read. */ protected Class defineClassFromData(File container, byte[] classData, String classname) throws IOException { definePackage(container, classname); ProtectionDomain currentPd = Project.class.getProtectionDomain(); String classResource = getClassFilename(classname); CodeSource src = new CodeSource(FILE_UTILS.getFileURL(container), getCertificates(container, classResource)); ProtectionDomain classesPd = new ProtectionDomain(src, currentPd.getPermissions(), this, currentPd.getPrincipals()); return defineClass(classname, classData, 0, classData.length, classesPd); }
ProtectionDomain pd = new ProtectionDomain(null, perms);
/** * Define a class given its bytes * * @param container the container from which the class data has been read * may be a directory or a jar/zip file. * * @param classData the bytecode data for the class * @param classname the name of the class * * @return the Class instance created from the given data * * @throws IOException if the class data cannot be read. */ protected Class<?> defineClassFromData(final File container, final byte[] classData, final String classname) throws IOException { definePackage(container, classname); final ProtectionDomain currentPd = Project.class.getProtectionDomain(); final String classResource = getClassFilename(classname); final CodeSource src = new CodeSource(FILE_UTILS.getFileURL(container), getCertificates(container, classResource)); final ProtectionDomain classesPd = new ProtectionDomain(src, currentPd.getPermissions(), this, currentPd.getPrincipals()); return defineClass(classname, classData, 0, classData.length, classesPd); }
@Override public TransportGuaranteeType transportGuarantee(TransportGuaranteeType currentConnGuarantee, TransportGuaranteeType configuredRequiredGuarantee, final HttpServletRequest request) { final ProtectionDomain domain = new ProtectionDomain(null, null, null, null); final String[] httpMethod = new String[] {request.getMethod()}; final String canonicalURI = getCanonicalURI(request);
public boolean isCallerInRole(final String roleName) throws IllegalStateException { if (isSecurityDomainKnown()) { if (enableJacc) { Policy policy = WildFlySecurityManager.isChecking() ? doPrivileged((PrivilegedAction<Policy>) Policy::getPolicy) : Policy.getPolicy(); ProtectionDomain domain = new ProtectionDomain(null, null, null, JaccInterceptor.getGrantedRoles(getCallerSecurityIdentity())); return policy.implies(domain, new EJBRoleRefPermission(getComponentName(), roleName)); } else { return checkCallerSecurityIdentityRole(roleName); } } else if (WildFlySecurityManager.isChecking()) { return WildFlySecurityManager.doUnchecked((PrivilegedAction<Boolean>) () -> serverSecurityManager.isCallerInRole(getComponentName(), policyContextID, securityMetaData.getSecurityRoles(), securityMetaData.getSecurityRoleLinks(), roleName)); } else { return this.serverSecurityManager.isCallerInRole(getComponentName(), policyContextID, securityMetaData.getSecurityRoles(), securityMetaData.getSecurityRoleLinks(), roleName); } }
@Before public void setUp() throws Exception { final ProtectionDomain empty = new ProtectionDomain(null, new Permissions()); provider = new SecurityContextProvider() { private final AccessControlContext acc = new AccessControlContext( new ProtectionDomain[] { empty }); @Override public AccessControlContext getAccessControlContext() { return acc; } }; DefaultResourceLoader drl = new DefaultResourceLoader(); Resource config = drl .getResource("/org/springframework/beans/factory/support/security/callbacks.xml"); beanFactory = new DefaultListableBeanFactory(); new XmlBeanDefinitionReader(beanFactory).loadBeanDefinitions(config); beanFactory.setSecurityContextProvider(provider); }
private static ProtectionDomain prepareDomain(ProtectionDomain domain, ClassLoader loader) { if (domain == null) { return null; } return new ProtectionDomain(domain.getCodeSource(), domain.getPermissions(), loader, domain.getPrincipals()); }
return super.defineClass(name, wovenBytes, 0, wovenBytes.length); } else { ProtectionDomain protectionDomain = new ProtectionDomain(codeSource, null); return super.defineClass(name, wovenBytes, 0, wovenBytes.length, protectionDomain);
/** * All future actions that are executed through the named class will be checked against the given {@code * permissions}. * * @throws SecurityException Permissions are already confined for the {@code className} */ public static void confine(String className, Permissions permissions) { Sandbox.confine(className, new ProtectionDomain(null, permissions)); }
static AccessControlContext contextWithPermissions(Permission ... perms) { Permissions permissions = new Permissions(); for (Permission perm : perms) permissions.add(perm); return new AccessControlContext( new ProtectionDomain[] { new ProtectionDomain(null, permissions) }); }
private boolean checkWithPolicy(Permission ejbPerm, Subject subject, Role role) { Principal[] principals = this.getPrincipals(subject, role); ProtectionDomain pd = new ProtectionDomain (ejbCS, null, null, principals); return Policy.getPolicy().implies(pd, ejbPerm); } }