SecurityPermission


1   /*
2    * @(#)SecurityPermission.java  1.27 03/12/19
3    *
4    * Copyright 2004 Sun Microsystems, Inc. All rights reserved.
5    * SUN PROPRIETARY/CONFIDENTIAL. Use is subject to license terms.
6    */
7   
8   package java.security;
9   
10  import java.security.*;
11  import java.util.Enumeration  ;
12  import java.util.Hashtable  ;
13  import java.util.StringTokenizer  ;
14  
15  /**
16   * This class is for security permissions.
17   * A SecurityPermission contains a name (also referred to as a "target name")
18   * but no actions list; you either have the named permission
19   * or you don't.
20   * <P>
21   * The target name is the name of a security configuration parameter (see below).
22   * Currently the SecurityPermission object is used to guard access
23   * to the Policy, Security, Provider, Signer, and Identity
24   * objects.
25   * <P>
26   * The following table lists all the possible SecurityPermission target names,
27   * and for each provides a description of what the permission allows
28   * and a discussion of the risks of granting code the permission.
29   * <P>
30   *
31   * <table border=1 cellpadding=5 summary="target name,what the permission allows, and associated risks">
32   * <tr>
33   * <th>Permission Target Name</th>
34   * <th>What the Permission Allows</th>
35   * <th>Risks of Allowing this Permission</th>
36   * </tr>
37   *
38   * <tr>
39   *   <td>createAccessControlContext</td>
40   *   <td>Creation of an AccessControlContext</td>
41   *   <td>This allows someone to instantiate an AccessControlContext
42   * with a <code>DomainCombiner</code>.  Since DomainCombiners are given
43   * a reference to the ProtectionDomains currently on the stack,
44   * this could potentially lead to a privacy leak if the DomainCombiner
45   * is malicious.</td>
46   * </tr>
47   *
48   * <tr>
49   *   <td>getDomainCombiner</td>
50   *   <td>Retrieval of an AccessControlContext's DomainCombiner</td>
51   *   <td>This allows someone to retrieve an AccessControlContext's
52   * <code>DomainCombiner</code>.  Since DomainCombiners may contain
53   * sensitive information, this could potentially lead to a privacy leak.</td>
54   * </tr>
55   *
56   * <tr>
57   *   <td>getPolicy</td>
58   *   <td>Retrieval of the system-wide security policy (specifically, of the
59   * currently-installed Policy object)</td>
60   *   <td>This allows someone to query the policy via the
61   * <code>getPermissions</code> call,
62   * which discloses which permissions would be granted to a given CodeSource.
63   * While revealing the policy does not compromise the security of
64   * the system, it does provide malicious code with additional information
65   * which it may use to better aim an attack. It is wise
66   * not to divulge more information than necessary.</td>
67   * </tr>
68   *
69   * <tr>
70   *   <td>setPolicy</td>
71   *   <td>Setting of the system-wide security policy (specifically,
72   * the Policy object)</td>
73   *   <td>Granting this permission is extremely dangerous, as malicious
74   * code may grant itself all the necessary permissions it needs
75   * to successfully mount an attack on the system.</td>
76   * </tr>
77   *
78   * <tr>
79   *   <td>getProperty.{key}</td>
80   *   <td>Retrieval of the security property with the specified key</td>
81   *   <td>Depending on the particular key for which access has
82   * been granted, the code may have access to the list of security
83   * providers, as well as the location of the system-wide and user
84   * security policies.  while revealing this information does not
85   * compromise the security of the system, it does provide malicious
86   * code with additional information which it may use to better aim
87   * an attack.
88  </td>
89   * </tr>
90   *
91   * <tr>
92   *   <td>setProperty.{key}</td>
93   *   <td>Setting of the security property with the specified key</td>
94   *   <td>This could include setting a security provider or defining
95   * the location of the the system-wide security policy.  Malicious
96   * code that has permission to set a new security provider may
97   * set a rogue provider that steals confidential information such
98   * as cryptographic private keys. In addition, malicious code with
99   * permission to set the location of the system-wide security policy
100  * may point it to a security policy that grants the attacker
101  * all the necessary permissions it requires to successfully mount
102  * an attack on the system.
103 </td>
104  * </tr>
105  *
106  * <tr>
107  *   <td>insertProvider.{provider name}</td>
108  *   <td>Addition of a new provider, with the specified name</td>
109  *   <td>This would allow somebody to introduce a possibly
110  * malicious provider (e.g., one that discloses the private keys passed
111  * to it) as the highest-priority provider. This would be possible
112  * because the Security object (which manages the installed providers)
113  * currently does not check the integrity or authenticity of a provider
114  * before attaching it.</td>
115  * </tr>
116  *
117  * <tr>
118  *   <td>removeProvider.{provider name}</td>
119  *   <td>Removal of the specified provider</td>
120  *   <td>This may change the behavior or disable execution of other
121  * parts of the program. If a provider subsequently requested by the
122  * program has been removed, execution may fail. Also, if the removed
123  * provider is not explicitly requested by the rest of the program, but
124  * it would normally be the provider chosen when a cryptography service
125  * is requested (due to its previous order in the list of providers),
126  * a different provider will be chosen instead, or no suitable provider
127  * will be found, thereby resulting in program failure.</td>
128  * </tr>
129  *
130  * <tr>
131  *   <td>setSystemScope</td>
132  *   <td>Setting of the system identity scope</td>
133  *   <td>This would allow an attacker to configure the system identity scope with
134  * certificates that should not be trusted, thereby granting applet or
135  * application code signed with those certificates privileges that
136  * would have been denied by the system's original identity scope</td>
137  * </tr>
138  *
139  * <tr>
140  *   <td>setIdentityPublicKey</td>
141  *   <td>Setting of the public key for an Identity</td>
142  *   <td>If the identity is marked as "trusted", this allows an attacker to
143  * introduce a different public key (e.g., its own) that is not trusted
144  * by the system's identity scope, thereby granting applet or
145  * application code signed with that public key privileges that
146  * would have been denied otherwise.</td>
147  * </tr>
148  *
149  * <tr>
150  *   <td>setIdentityInfo</td>
151  *   <td>Setting of a general information string for an Identity</td>
152  *   <td>This allows attackers to set the general description for
153  * an identity.  This may trick applications into using a different
154  * identity than intended or may prevent applications from finding a
155  * particular identity.</td>
156  * </tr>
157  *
158  * <tr>
159  *   <td>addIdentityCertificate</td>
160  *   <td>Addition of a certificate for an Identity</td>
161  *   <td>This allows attackers to set a certificate for
162  * an identity's public key.  This is dangerous because it affects
163  * the trust relationship across the system. This public key suddenly
164  * becomes trusted to a wider audience than it otherwise would be.</td>
165  * </tr>
166  *
167  * <tr>
168  *   <td>removeIdentityCertificate</td>
169  *   <td>Removal of a certificate for an Identity</td>
170  *   <td>This allows attackers to remove a certificate for
171  * an identity's public key. This is dangerous because it affects
172  * the trust relationship across the system. This public key suddenly
173  * becomes considered less trustworthy than it otherwise would be.</td>
174  * </tr>
175  *
176  * <tr>
177  *  <td>printIdentity</td>
178  *  <td>Viewing the name of a principal
179  * and optionally the scope in which it is used, and whether
180  * or not it is considered "trusted" in that scope</td>
181  *  <td>The scope that is printed out may be a filename, in which case
182  * it may convey local system information. For example, here's a sample
183  * printout of an identity named "carol", who is
184  * marked not trusted in the user's identity database:<br>
185  *   carol[/home/luehe/identitydb.obj][not trusted]</td>
186  *</tr>
187  * 
188  * <tr>
189  *   <td>clearProviderProperties.{provider name}</td>
190  *   <td>"Clearing" of a Provider so that it no longer contains the properties
191  * used to look up services implemented by the provider</td>
192  *   <td>This disables the lookup of services implemented by the provider.
193  * This may thus change the behavior or disable execution of other
194  * parts of the program that would normally utilize the Provider, as
195  * described under the "removeProvider.{provider name}" permission.</td>
196  * </tr>
197  *
198  * <tr>
199  *   <td>putProviderProperty.{provider name}</td>
200  *   <td>Setting of properties for the specified Provider</td>
201  *   <td>The provider properties each specify the name and location
202  * of a particular service implemented by the provider. By granting
203  * this permission, you let code replace the service specification
204  * with another one, thereby specifying a different implementation.</td>
205  * </tr>
206  *
207  * <tr>
208  *   <td>removeProviderProperty.{provider name}</td>
209  *   <td>Removal of properties from the specified Provider</td>
210  *   <td>This disables the lookup of services implemented by the
211  * provider. They are no longer accessible due to removal of the properties
212  * specifying their names and locations. This
213  * may change the behavior or disable execution of other
214  * parts of the program that would normally utilize the Provider, as
215  * described under the "removeProvider.{provider name}" permission.</td>
216  * </tr>
217  *
218  * <tr>
219  *   <td>getSignerPrivateKey</td>
220  *   <td>Retrieval of a Signer's private key</td>
221  *   <td>It is very dangerous to allow access to a private key; private
222  * keys are supposed to be kept secret. Otherwise, code can use the
223  * private key to sign various files and claim the signature came from
224  * the Signer.</td>
225  * </tr>
226  *
227  * <tr>
228  *   <td>setSignerKeyPair</td>
229  *   <td>Setting of the key pair (public key and private key) for a Signer</td>
230  *   <td>This would allow an attacker to replace somebody else's (the "target's")
231  * keypair with a possibly weaker keypair (e.g., a keypair of a smaller
232  * keysize).  This also would allow the attacker to listen in on encrypted
233  * communication between the target and its peers. The target's peers
234  * might wrap an encryption session key under the target's "new" public
235  * key, which would allow the attacker (who possesses the corresponding
236  * private key) to unwrap the session key and decipher the communication
237  * data encrypted under that session key.</td>
238  * </tr>
239  *
240  * </table>
241  *
242  * @see java.security.BasicPermission
243  * @see java.security.Permission
244  * @see java.security.Permissions
245  * @see java.security.PermissionCollection
246  * @see java.lang.SecurityManager
247  *
248  * @version 1.27 03/12/19
249  *
250  * @author Marianne Mueller
251  * @author Roland Schemers
252  */
253 
254 public final class SecurityPermission extends BasicPermission   {
255 
256     private static final long serialVersionUID = 5236109936224050470L;
257 
258     /**
259      * Creates a new SecurityPermission with the specified name.
260      * The name is the symbolic name of the SecurityPermission. An asterisk
261      * may appear at the end of the name, following a ".", or by itself, to
262      * signify a wildcard match.
263      *
264      * @param name the name of the SecurityPermission
265      */
266 
267     public SecurityPermission(String   name)
268     {
269     super(name);
270     }
271 
272     /**
273      * Creates a new SecurityPermission object with the specified name.
274      * The name is the symbolic name of the SecurityPermission, and the
275      * actions String is currently unused and should be null.
276      *
277      * @param name the name of the SecurityPermission
278      * @param actions should be null.
279      */
280 
281     public SecurityPermission(String   name, String   actions)
282     {
283     super(name, actions);
284     }
285 }
286
A to Z: JavaDoc & Examples Daily Java News & Articles Open Source Projects Open Source Codes Free Computer Books Remove Frame
Popular Tags