KickJava   Java API By Example, From Geeks To Geeks.

Java > Open Source Codes > javax > security > auth > kerberos > DelegationPermission


1 /*
2  * @(#)DelegationPermission.java 1.9 03/12/19
3  *
4  * Copyright 2004 Sun Microsystems, Inc. All rights reserved.
5  * SUN PROPRIETARY/CONFIDENTIAL. Use is subject to license terms.
6  */
7
8 package javax.security.auth.kerberos;
9
10 import java.util.*;
11 import java.security.Permission JavaDoc;
12 import java.security.BasicPermission JavaDoc;
13 import java.security.PermissionCollection JavaDoc;
14 import java.io.ObjectStreamField JavaDoc;
15 import java.io.ObjectOutputStream JavaDoc;
16 import java.io.ObjectInputStream JavaDoc;
17 import java.io.IOException JavaDoc;
18
19 /**
20  * This class is used to restrict the usage of the Kerberos
21  * delegation model, ie: forwardable and proxiable tickets.
22  * <p>
23  * The target name of this <code>Permission</code> specifies a pair of
24  * kerberos service principals. The first is the subordinate service principal
25  * being entrusted to use the TGT. The second service principal designates
26  * the target service the subordinate service principal is to
27  * interact with on behalf of the initiating KerberosPrincipal. This
28  * latter service principal is specified to restrict the use of a
29  * proxiable ticket.
30  * <p>
31  * For example, to specify the "host" service use of a forwardable TGT the
32  * target permission is specified as follows:
33  * <p>
34  * <pre>
35  * DelegationPermission("\"host/foo.example.com@EXAMPLE.COM\" \"krbtgt/EXAMPLE.COM@EXAMPLE.COM\"");
36  * </pre>
37  * <p>
38  * To give the "backup" service a proxiable nfs service ticket the target permission
39  * might be specified:
40  * <p>
41  * <pre>
42  * DelegationPermission("\"backup/bar.example.com@EXAMPLE.COM\" \"nfs/home.EXAMPLE.COM@EXAMPLE.COM\"");
43  * </pre>
44  *
45  * @since JDK1.4
46  */
47
48 public final class DelegationPermission extends BasicPermission JavaDoc
49     implements java.io.Serializable JavaDoc {
50
51     private static final long serialVersionUID = 883133252142523922L;
52
53     private transient String JavaDoc subordinate, service;
54
55     /**
56      * Create a new <code>DelegationPermission</code>
57      * with the specified subordinate and target principals.
58      *
59      * <p>
60      *
61      * @param principals the name of the subordinate and target principals
62      */
63     public DelegationPermission(String JavaDoc principals) {
64     super(principals);
65     init(principals);
66     }
67
68     /**
69      * Create a new <code>DelegationPermission</code>
70      * with the specified subordinate and target principals.
71      * <p>
72      *
73      * @param principals the name of the subordinate and target principals
74      * <p>
75      * @param actions should be null.
76      */
77     public DelegationPermission(String JavaDoc principals, String JavaDoc actions) {
78     super(principals, actions);
79     init(principals);
80     }
81
82
83     /**
84      * Initialize the DelegationPermission object.
85      */
86     private void init(String JavaDoc target) {
87
88     StringTokenizer t = null;
89     if (!target.startsWith("\"")) {
90         throw new IllegalArgumentException JavaDoc
91         ("service principal [" + target +
92          "] syntax invalid: " +
93          "improperly quoted");
94     } else {
95         t = new StringTokenizer(target, "\"", false);
96         subordinate = t.nextToken();
97         if (t.countTokens() == 2) {
98         t.nextToken(); // bypass whitespace
99 service = t.nextToken();
100         } else if (t.countTokens() > 0) {
101         throw new IllegalArgumentException JavaDoc
102             ("service principal [" + t.nextToken() +
103              "] syntax invalid: " +
104              "improperly quoted");
105         }
106     }
107     }
108         
109     /**
110      * Checks if this Kerberos delegation permission object "implies" the
111      * specified permission.
112      * <P>
113      * If none of the above are true, <code>implies</code> returns false.
114      * @param p the permission to check against.
115      *
116      * @return true if the specified permission is implied by this object,
117      * false if not.
118      */
119     public boolean implies(Permission JavaDoc p) {
120     if (!(p instanceof DelegationPermission JavaDoc))
121         return false;
122
123     DelegationPermission JavaDoc that = (DelegationPermission JavaDoc) p;
124     if (this.subordinate.equals(that.subordinate) &&
125         this.service.equals(that.service))
126         return true;
127
128     return false;
129     }
130     
131     
132     /**
133      * Checks two DelegationPermission objects for equality.
134      * <P>
135      * @param obj the object to test for equality with this object.
136      *
137      * @return true if <i>obj</i> is a DelegationPermission, and
138      * has the same subordinate and service principal as this.
139      * DelegationPermission object.
140      */
141     public boolean equals(Object JavaDoc obj) {
142     if (obj == this)
143         return true;
144
145     if (! (obj instanceof DelegationPermission JavaDoc))
146         return false;
147
148     DelegationPermission JavaDoc that = (DelegationPermission JavaDoc) obj;
149     return implies(that);
150     }
151
152     /**
153      * Returns the hash code value for this object.
154      *
155      * @return a hash code value for this object.
156      */
157
158     public int hashCode() {
159     return getName().hashCode();
160     }
161     
162
163     /**
164      * Returns a PermissionCollection object for storing
165      * DelegationPermission objects.
166      * <br>
167      * DelegationPermission objects must be stored in a manner that
168      * allows them to be inserted into the collection in any order, but
169      * that also enables the PermissionCollection implies method to
170      * be implemented in an efficient (and consistent) manner.
171      *
172      * @return a new PermissionCollection object suitable for storing
173      * DelegationPermissions.
174      */
175
176     public PermissionCollection JavaDoc newPermissionCollection() {
177     return new KrbDelegationPermissionCollection();
178     }
179
180     /**
181      * WriteObject is called to save the state of the DelegationPermission
182      * to a stream. The actions are serialized, and the superclass
183      * takes care of the name.
184      */
185     private synchronized void writeObject(java.io.ObjectOutputStream JavaDoc s)
186         throws IOException JavaDoc
187     {
188     s.defaultWriteObject();
189     }
190
191     /**
192      * readObject is called to restore the state of the
193      * DelegationPermission from a stream.
194      */
195     private synchronized void readObject(java.io.ObjectInputStream JavaDoc s)
196          throws IOException JavaDoc, ClassNotFoundException JavaDoc
197     {
198     // Read in the action, then initialize the rest
199 s.defaultReadObject();
200     init(getName());
201     }
202
203     /*
204       public static void main(String args[]) throws Exception {
205       DelegationPermission this_ =
206       new DelegationPermission(args[0]);
207       DelegationPermission that_ =
208       new DelegationPermission(args[1]);
209       System.out.println("-----\n");
210       System.out.println("this.implies(that) = " + this_.implies(that_));
211       System.out.println("-----\n");
212       System.out.println("this = "+this_);
213       System.out.println("-----\n");
214       System.out.println("that = "+that_);
215       System.out.println("-----\n");
216       
217       KrbDelegationPermissionCollection nps =
218       new KrbDelegationPermissionCollection();
219       nps.add(this_);
220       nps.add(new DelegationPermission("\"host/foo.example.com@EXAMPLE.COM\" \"CN=Gary Ellison/OU=JSN/O=SUNW/L=Palo Alto/ST=CA/C=US\""));
221       try {
222       nps.add(new DelegationPermission("host/foo.example.com@EXAMPLE.COM \"CN=Gary Ellison/OU=JSN/O=SUNW/L=Palo Alto/ST=CA/C=US\""));
223       } catch (Exception e) {
224       System.err.println(e);
225       }
226       
227       System.out.println("nps.implies(that) = " + nps.implies(that_));
228       System.out.println("-----\n");
229       
230       Enumeration e = nps.elements();
231       
232       while (e.hasMoreElements()) {
233       DelegationPermission x =
234       (DelegationPermission) e.nextElement();
235       System.out.println("nps.e = " + x);
236       }
237       }
238     */
239 }
240
241
242 final class KrbDelegationPermissionCollection extends PermissionCollection JavaDoc
243     implements java.io.Serializable JavaDoc {
244
245     // Not serialized; see serialization section at end of class.
246 private transient List perms;
247
248     public KrbDelegationPermissionCollection() {
249     perms = new ArrayList();
250     }
251
252     
253     /**
254      * Check and see if this collection of permissions implies the permissions
255      * expressed in "permission".
256      *
257      * @param p the Permission object to compare
258      *
259      * @return true if "permission" is a proper subset of a permission in
260      * the collection, false if not.
261      */
262
263     public boolean implies(Permission JavaDoc permission) {
264     if (! (permission instanceof DelegationPermission JavaDoc))
265         return false;
266
267     DelegationPermission JavaDoc np = (DelegationPermission JavaDoc) permission;
268     synchronized (this) {
269         int len = perms.size();
270         for (int i = 0; i < len; i++) {
271         DelegationPermission JavaDoc x = (DelegationPermission JavaDoc) perms.get(i);
272         if (x.implies(np))
273             return true;
274         }
275     }
276     return false;
277
278     }
279
280     /**
281      * Adds a permission to the DelegationPermissions. The key for
282      * the hash is the name.
283      *
284      * @param permission the Permission object to add.
285      *
286      * @exception IllegalArgumentException - if the permission is not a
287      * DelegationPermission
288      *
289      * @exception SecurityException - if this PermissionCollection object
290      * has been marked readonly
291      */
292
293     public void add(Permission JavaDoc permission) {
294     if (! (permission instanceof DelegationPermission JavaDoc))
295         throw new IllegalArgumentException JavaDoc("invalid permission: "+
296                            permission);
297     if (isReadOnly())
298         throw new SecurityException JavaDoc("attempt to add a Permission to a readonly PermissionCollection");
299
300     synchronized (this) {
301         perms.add(0, permission);
302     }
303     }
304
305     /**
306      * Returns an enumeration of all the DelegationPermission objects
307      * in the container.
308      *
309      * @return an enumeration of all the DelegationPermission objects.
310      */
311
312     public Enumeration elements() {
313         // Convert Iterator into Enumeration
314 synchronized (this) {
315         return Collections.enumeration(perms);
316     }
317     }
318
319     private static final long serialVersionUID = -3383936936589966948L;
320
321     // Need to maintain serialization interoperability with earlier releases,
322 // which had the serializable field:
323 // private Vector permissions;
324 /**
325      * @serialField permissions java.util.Vector
326      * A list of DelegationPermission objects.
327      */
328     private static final ObjectStreamField JavaDoc[] serialPersistentFields = {
329         new ObjectStreamField JavaDoc("permissions", Vector.class),
330     };
331
332     /**
333      * @serialData "permissions" field (a Vector containing the DelegationPermissions).
334      */
335     /*
336      * Writes the contents of the perms field out as a Vector for
337      * serialization compatibility with earlier releases.
338      */
339     private void writeObject(ObjectOutputStream JavaDoc out) throws IOException JavaDoc {
340     // Don't call out.defaultWriteObject()
341
342     // Write out Vector
343 Vector permissions = new Vector(perms.size());
344
345     synchronized (this) {
346         permissions.addAll(perms);
347     }
348
349         ObjectOutputStream.PutField JavaDoc pfields = out.putFields();
350         pfields.put("permissions", permissions);
351         out.writeFields();
352     }
353
354     /*
355      * Reads in a Vector of DelegationPermissions and saves them in the perms field.
356      */
357     private void readObject(ObjectInputStream JavaDoc in) throws IOException JavaDoc,
358     ClassNotFoundException JavaDoc {
359     // Don't call defaultReadObject()
360
361     // Read in serialized fields
362 ObjectInputStream.GetField JavaDoc gfields = in.readFields();
363
364     // Get the one we want
365 Vector permissions = (Vector)gfields.get("permissions", null);
366     perms = new ArrayList(permissions.size());
367     perms.addAll(permissions);
368     }
369 }
370
Popular Tags