KickJava   Java API By Example, From Geeks To Geeks.

Java > Open Source Codes > java > security > SecurityPermission


1 /*
2  * @(#)SecurityPermission.java 1.27 03/12/19
3  *
4  * Copyright 2004 Sun Microsystems, Inc. All rights reserved.
5  * SUN PROPRIETARY/CONFIDENTIAL. Use is subject to license terms.
6  */

7
8 package java.security;
9
10 import java.security.*;
11 import java.util.Enumeration JavaDoc;
12 import java.util.Hashtable JavaDoc;
13 import java.util.StringTokenizer JavaDoc;
14
15 /**
16  * This class is for security permissions.
17  * A SecurityPermission contains a name (also referred to as a "target name")
18  * but no actions list; you either have the named permission
19  * or you don't.
20  * <P>
21  * The target name is the name of a security configuration parameter (see below).
22  * Currently the SecurityPermission object is used to guard access
23  * to the Policy, Security, Provider, Signer, and Identity
24  * objects.
25  * <P>
26  * The following table lists all the possible SecurityPermission target names,
27  * and for each provides a description of what the permission allows
28  * and a discussion of the risks of granting code the permission.
29  * <P>
30  *
31  * <table border=1 cellpadding=5 summary="target name,what the permission allows, and associated risks">
32  * <tr>
33  * <th>Permission Target Name</th>
34  * <th>What the Permission Allows</th>
35  * <th>Risks of Allowing this Permission</th>
36  * </tr>
37  *
38  * <tr>
39  * <td>createAccessControlContext</td>
40  * <td>Creation of an AccessControlContext</td>
41  * <td>This allows someone to instantiate an AccessControlContext
42  * with a <code>DomainCombiner</code>. Since DomainCombiners are given
43  * a reference to the ProtectionDomains currently on the stack,
44  * this could potentially lead to a privacy leak if the DomainCombiner
45  * is malicious.</td>
46  * </tr>
47  *
48  * <tr>
49  * <td>getDomainCombiner</td>
50  * <td>Retrieval of an AccessControlContext's DomainCombiner</td>
51  * <td>This allows someone to retrieve an AccessControlContext's
52  * <code>DomainCombiner</code>. Since DomainCombiners may contain
53  * sensitive information, this could potentially lead to a privacy leak.</td>
54  * </tr>
55  *
56  * <tr>
57  * <td>getPolicy</td>
58  * <td>Retrieval of the system-wide security policy (specifically, of the
59  * currently-installed Policy object)</td>
60  * <td>This allows someone to query the policy via the
61  * <code>getPermissions</code> call,
62  * which discloses which permissions would be granted to a given CodeSource.
63  * While revealing the policy does not compromise the security of
64  * the system, it does provide malicious code with additional information
65  * which it may use to better aim an attack. It is wise
66  * not to divulge more information than necessary.</td>
67  * </tr>
68  *
69  * <tr>
70  * <td>setPolicy</td>
71  * <td>Setting of the system-wide security policy (specifically,
72  * the Policy object)</td>
73  * <td>Granting this permission is extremely dangerous, as malicious
74  * code may grant itself all the necessary permissions it needs
75  * to successfully mount an attack on the system.</td>
76  * </tr>
77  *
78  * <tr>
79  * <td>getProperty.{key}</td>
80  * <td>Retrieval of the security property with the specified key</td>
81  * <td>Depending on the particular key for which access has
82  * been granted, the code may have access to the list of security
83  * providers, as well as the location of the system-wide and user
84  * security policies. while revealing this information does not
85  * compromise the security of the system, it does provide malicious
86  * code with additional information which it may use to better aim
87  * an attack.
88 </td>
89  * </tr>
90  *
91  * <tr>
92  * <td>setProperty.{key}</td>
93  * <td>Setting of the security property with the specified key</td>
94  * <td>This could include setting a security provider or defining
95  * the location of the the system-wide security policy. Malicious
96  * code that has permission to set a new security provider may
97  * set a rogue provider that steals confidential information such
98  * as cryptographic private keys. In addition, malicious code with
99  * permission to set the location of the system-wide security policy
100  * may point it to a security policy that grants the attacker
101  * all the necessary permissions it requires to successfully mount
102  * an attack on the system.
103 </td>
104  * </tr>
105  *
106  * <tr>
107  * <td>insertProvider.{provider name}</td>
108  * <td>Addition of a new provider, with the specified name</td>
109  * <td>This would allow somebody to introduce a possibly
110  * malicious provider (e.g., one that discloses the private keys passed
111  * to it) as the highest-priority provider. This would be possible
112  * because the Security object (which manages the installed providers)
113  * currently does not check the integrity or authenticity of a provider
114  * before attaching it.</td>
115  * </tr>
116  *
117  * <tr>
118  * <td>removeProvider.{provider name}</td>
119  * <td>Removal of the specified provider</td>
120  * <td>This may change the behavior or disable execution of other
121  * parts of the program. If a provider subsequently requested by the
122  * program has been removed, execution may fail. Also, if the removed
123  * provider is not explicitly requested by the rest of the program, but
124  * it would normally be the provider chosen when a cryptography service
125  * is requested (due to its previous order in the list of providers),
126  * a different provider will be chosen instead, or no suitable provider
127  * will be found, thereby resulting in program failure.</td>
128  * </tr>
129  *
130  * <tr>
131  * <td>setSystemScope</td>
132  * <td>Setting of the system identity scope</td>
133  * <td>This would allow an attacker to configure the system identity scope with
134  * certificates that should not be trusted, thereby granting applet or
135  * application code signed with those certificates privileges that
136  * would have been denied by the system's original identity scope</td>
137  * </tr>
138  *
139  * <tr>
140  * <td>setIdentityPublicKey</td>
141  * <td>Setting of the public key for an Identity</td>
142  * <td>If the identity is marked as "trusted", this allows an attacker to
143  * introduce a different public key (e.g., its own) that is not trusted
144  * by the system's identity scope, thereby granting applet or
145  * application code signed with that public key privileges that
146  * would have been denied otherwise.</td>
147  * </tr>
148  *
149  * <tr>
150  * <td>setIdentityInfo</td>
151  * <td>Setting of a general information string for an Identity</td>
152  * <td>This allows attackers to set the general description for
153  * an identity. This may trick applications into using a different
154  * identity than intended or may prevent applications from finding a
155  * particular identity.</td>
156  * </tr>
157  *
158  * <tr>
159  * <td>addIdentityCertificate</td>
160  * <td>Addition of a certificate for an Identity</td>
161  * <td>This allows attackers to set a certificate for
162  * an identity's public key. This is dangerous because it affects
163  * the trust relationship across the system. This public key suddenly
164  * becomes trusted to a wider audience than it otherwise would be.</td>
165  * </tr>
166  *
167  * <tr>
168  * <td>removeIdentityCertificate</td>
169  * <td>Removal of a certificate for an Identity</td>
170  * <td>This allows attackers to remove a certificate for
171  * an identity's public key. This is dangerous because it affects
172  * the trust relationship across the system. This public key suddenly
173  * becomes considered less trustworthy than it otherwise would be.</td>
174  * </tr>
175  *
176  * <tr>
177  * <td>printIdentity</td>
178  * <td>Viewing the name of a principal
179  * and optionally the scope in which it is used, and whether
180  * or not it is considered "trusted" in that scope</td>
181  * <td>The scope that is printed out may be a filename, in which case
182  * it may convey local system information. For example, here's a sample
183  * printout of an identity named "carol", who is
184  * marked not trusted in the user's identity database:<br>
185  * carol[/home/luehe/identitydb.obj][not trusted]</td>
186  *</tr>
187  *
188  * <tr>
189  * <td>clearProviderProperties.{provider name}</td>
190  * <td>"Clearing" of a Provider so that it no longer contains the properties
191  * used to look up services implemented by the provider</td>
192  * <td>This disables the lookup of services implemented by the provider.
193  * This may thus change the behavior or disable execution of other
194  * parts of the program that would normally utilize the Provider, as
195  * described under the "removeProvider.{provider name}" permission.</td>
196  * </tr>
197  *
198  * <tr>
199  * <td>putProviderProperty.{provider name}</td>
200  * <td>Setting of properties for the specified Provider</td>
201  * <td>The provider properties each specify the name and location
202  * of a particular service implemented by the provider. By granting
203  * this permission, you let code replace the service specification
204  * with another one, thereby specifying a different implementation.</td>
205  * </tr>
206  *
207  * <tr>
208  * <td>removeProviderProperty.{provider name}</td>
209  * <td>Removal of properties from the specified Provider</td>
210  * <td>This disables the lookup of services implemented by the
211  * provider. They are no longer accessible due to removal of the properties
212  * specifying their names and locations. This
213  * may change the behavior or disable execution of other
214  * parts of the program that would normally utilize the Provider, as
215  * described under the "removeProvider.{provider name}" permission.</td>
216  * </tr>
217  *
218  * <tr>
219  * <td>getSignerPrivateKey</td>
220  * <td>Retrieval of a Signer's private key</td>
221  * <td>It is very dangerous to allow access to a private key; private
222  * keys are supposed to be kept secret. Otherwise, code can use the
223  * private key to sign various files and claim the signature came from
224  * the Signer.</td>
225  * </tr>
226  *
227  * <tr>
228  * <td>setSignerKeyPair</td>
229  * <td>Setting of the key pair (public key and private key) for a Signer</td>
230  * <td>This would allow an attacker to replace somebody else's (the "target's")
231  * keypair with a possibly weaker keypair (e.g., a keypair of a smaller
232  * keysize). This also would allow the attacker to listen in on encrypted
233  * communication between the target and its peers. The target's peers
234  * might wrap an encryption session key under the target's "new" public
235  * key, which would allow the attacker (who possesses the corresponding
236  * private key) to unwrap the session key and decipher the communication
237  * data encrypted under that session key.</td>
238  * </tr>
239  *
240  * </table>
241  *
242  * @see java.security.BasicPermission
243  * @see java.security.Permission
244  * @see java.security.Permissions
245  * @see java.security.PermissionCollection
246  * @see java.lang.SecurityManager
247  *
248  * @version 1.27 03/12/19
249  *
250  * @author Marianne Mueller
251  * @author Roland Schemers
252  */

253
254 public final class SecurityPermission extends BasicPermission JavaDoc {
255
256     private static final long serialVersionUID = 5236109936224050470L;
257
258     /**
259      * Creates a new SecurityPermission with the specified name.
260      * The name is the symbolic name of the SecurityPermission. An asterisk
261      * may appear at the end of the name, following a ".", or by itself, to
262      * signify a wildcard match.
263      *
264      * @param name the name of the SecurityPermission
265      */

266
267     public SecurityPermission(String JavaDoc name)
268     {
269     super(name);
270     }
271
272     /**
273      * Creates a new SecurityPermission object with the specified name.
274      * The name is the symbolic name of the SecurityPermission, and the
275      * actions String is currently unused and should be null.
276      *
277      * @param name the name of the SecurityPermission
278      * @param actions should be null.
279      */

280
281     public SecurityPermission(String JavaDoc name, String JavaDoc actions)
282     {
283     super(name, actions);
284     }
285 }
286
Popular Tags