java.security.AccessControlContext Java Examples

@Override
@SuppressWarnings({"unchecked", "CloneDeclaresCloneNotSupported"})
public Object clone() {
    // Note that only references to the configurations are copied.
    try {
        SSLConfiguration config = (SSLConfiguration)super.clone();
        if (handshakeListeners != null) {
            config.handshakeListeners =
                (HashMap<HandshakeCompletedListener, AccessControlContext>)
                        handshakeListeners.clone();
        }

        return config;
    } catch (CloneNotSupportedException cnse) {
        // unlikely
    }

    return null;    // unlikely
}
 

public static void main(String[] args) throws Exception {

        ProtectionDomain domain = new ProtectionDomain(null, null);

        AccessController.doPrivileged(new PrivilegedAction<Object>() {
            public Object run() {

                // this initialize ProxyLazyValues
                UIManager.getLookAndFeel();

                return null;
            }
        }, new AccessControlContext(new ProtectionDomain[]{domain}));

        weakRef = new WeakReference<ProtectionDomain>(domain);
        domain = null;

        Util.generateOOME();

        if (weakRef.get() != null) {
            throw new RuntimeException("Memory leak found!");
        }
        System.out.println("Test passed");
    }
 

public static void main(String[]args) throws Exception {
    final DomainCombiner dc = new DomainCombiner() {
        @Override
        public ProtectionDomain[] combine(ProtectionDomain[] currentDomains, ProtectionDomain[] assignedDomains) {
            return currentDomains; // basically a no-op
        }
    };

    // Get an instance of the saved ACC
    AccessControlContext saved = AccessController.getContext();
    // Simulate the stack ACC with a DomainCombiner attached
    AccessControlContext stack = new AccessControlContext(AccessController.getContext(), dc);

    // Now try to run JavaSecurityAccess.doIntersectionPrivilege() and assert
    // whether the DomainCombiner from the stack ACC is preserved
    boolean ret = SharedSecrets.getJavaSecurityAccess().doIntersectionPrivilege(new PrivilegedAction<Boolean>() {
        @Override
        public Boolean run() {
            return dc == AccessController.getContext().getDomainCombiner();
        }
    }, stack, saved);

    if (!ret) {
        System.exit(1);
    }
}
 

/**
 * Executes the given command on one of the channel group's pooled threads.
 */
@Override
public final void execute(Runnable task) {
    SecurityManager sm = System.getSecurityManager();
    if (sm != null) {
        // when a security manager is installed then the user's task
        // must be run with the current calling context
        final AccessControlContext acc = AccessController.getContext();
        final Runnable delegate = task;
        task = new Runnable() {
            @Override
            public void run() {
                AccessController.doPrivileged(new PrivilegedAction<Void>() {
                    @Override
                    public Void run() {
                        delegate.run();
                        return null;
                    }
                }, acc);
            }
        };
    }
    executeOnPooledThread(task);
}
 

private ClassLoader getClassLoader(final ObjectName name) {
    if(clr == null){
        return null;
    }
    // Restrict to getClassLoader permission only
    Permissions permissions = new Permissions();
    permissions.add(new MBeanPermission("*", null, name, "getClassLoader"));
    ProtectionDomain protectionDomain = new ProtectionDomain(null, permissions);
    ProtectionDomain[] domains = {protectionDomain};
    AccessControlContext ctx = new AccessControlContext(domains);
    ClassLoader loader = AccessController.doPrivileged(new PrivilegedAction<ClassLoader>() {
        public ClassLoader run() {
            return clr.getClassLoader(name);
        }
    }, ctx);
    return loader;
}
 

public static void main(String[]args) throws Exception {
    final DomainCombiner dc = new DomainCombiner() {
        @Override
        public ProtectionDomain[] combine(ProtectionDomain[] currentDomains, ProtectionDomain[] assignedDomains) {
            return currentDomains; // basically a no-op
        }
    };

    // Get an instance of the saved ACC
    AccessControlContext saved = AccessController.getContext();
    // Simulate the stack ACC with a DomainCombiner attached
    AccessControlContext stack = new AccessControlContext(AccessController.getContext(), dc);

    // Now try to run JavaSecurityAccess.doIntersectionPrivilege() and assert
    // whether the DomainCombiner from the stack ACC is preserved
    boolean ret = SharedSecrets.getJavaSecurityAccess().doIntersectionPrivilege(new PrivilegedAction<Boolean>() {
        @Override
        public Boolean run() {
            return dc == AccessController.getContext().getDomainCombiner();
        }
    }, stack, saved);

    if (!ret) {
        System.exit(1);
    }
}
 

private static void checkMBeanTrustPermission(final Class<?> theClass)
    throws SecurityException {
    SecurityManager sm = System.getSecurityManager();
    if (sm != null) {
        Permission perm = new MBeanTrustPermission("register");
        PrivilegedAction<ProtectionDomain> act =
            new PrivilegedAction<ProtectionDomain>() {
                public ProtectionDomain run() {
                    return theClass.getProtectionDomain();
                }
            };
        ProtectionDomain pd = AccessController.doPrivileged(act);
        AccessControlContext acc =
            new AccessControlContext(new ProtectionDomain[] { pd });
        sm.checkPermission(perm, acc);
    }
}
 

/**
 * Add the given bean to the list of disposable beans in this factory,
 * registering its DisposableBean interface and/or the given destroy method
 * to be called on factory shutdown (if applicable). Only applies to singletons.
 * @param beanName the name of the bean
 * @param bean the bean instance
 * @param mbd the bean definition for the bean
 * @see RootBeanDefinition#isSingleton
 * @see RootBeanDefinition#getDependsOn
 * @see #registerDisposableBean
 * @see #registerDependentBean
 */
protected void registerDisposableBeanIfNecessary(String beanName, Object bean, RootBeanDefinition mbd) {
	AccessControlContext acc = (System.getSecurityManager() != null ? getAccessControlContext() : null);
	if (!mbd.isPrototype() && requiresDestruction(bean, mbd)) {
		if (mbd.isSingleton()) {
			// Register a DisposableBean implementation that performs all destruction
			// work for the given bean: DestructionAwareBeanPostProcessors,
			// DisposableBean interface, custom destroy method.
			registerDisposableBean(beanName,
					new DisposableBeanAdapter(bean, beanName, mbd, getBeanPostProcessors(), acc));
		}
		else {
			// A bean with a custom scope...
			Scope scope = this.scopes.get(mbd.getScope());
			if (scope == null) {
				throw new IllegalStateException("No Scope registered for scope '" + mbd.getScope() + "'");
			}
			scope.registerDestructionCallback(beanName,
					new DisposableBeanAdapter(bean, beanName, mbd, getBeanPostProcessors(), acc));
		}
	}
}
 

/**
 * Executes the given command on one of the channel group's pooled threads.
 */
@Override
public final void execute(Runnable task) {
    SecurityManager sm = System.getSecurityManager();
    if (sm != null) {
        // when a security manager is installed then the user's task
        // must be run with the current calling context
        final AccessControlContext acc = AccessController.getContext();
        final Runnable delegate = task;
        task = new Runnable() {
            @Override
            public void run() {
                AccessController.doPrivileged(new PrivilegedAction<Void>() {
                    @Override
                    public Void run() {
                        delegate.run();
                        return null;
                    }
                }, acc);
            }
        };
    }
    executeOnPooledThread(task);
}
 

/**
 * Retrieves the ServiceCreds for the specified server principal from
 * the Subject in the specified AccessControlContext. If not found, and if
 * useSubjectCredsOnly is false, then obtain from a LoginContext.
 *
 * NOTE: This method is also used by JSSE Kerberos Cipher Suites
 */
public static ServiceCreds getServiceCreds(GSSCaller caller,
    String serverPrincipal, AccessControlContext acc)
            throws LoginException {

    Subject accSubj = Subject.getSubject(acc);
    ServiceCreds sc = null;
    if (accSubj != null) {
        sc = ServiceCreds.getInstance(accSubj, serverPrincipal);
    }
    if (sc == null && !GSSUtil.useSubjectCredsOnly(caller)) {
        Subject subject = GSSUtil.login(caller, GSSUtil.GSS_KRB5_MECH_OID);
        sc = ServiceCreds.getInstance(subject, serverPrincipal);
    }
    return sc;
}
 

void nativeQueueSurfaceDataRunnable(AppContext appContext,
                                    final Component c, final Runnable r)
{
    synchronized(this) {
        if (runnableList == null) {
            runnableList = new LinkedList<Runnable>();
        }
        runnableList.add(new Runnable() {
            public void run() {
                AccessControlContext stack = AccessController.getContext();
                AccessControlContext acc =
                    AWTAccessor.getComponentAccessor().getAccessControlContext(c);
                javaSecurityAccess.doIntersectionPrivilege(new PrivilegedAction<Void>() {
                    public Void run() {
                        r.run();
                        return null;
                    }
                }, stack, acc);
            }
        });
    }
    scheduleProcessingRunnable(appContext);
}
 

/**
 * Verify that the given AccessControlContext has permission to
 * accept this connection.
 */
void checkAcceptPermission(SecurityManager sm,
                           AccessControlContext acc)
{
    /*
     * Note: no need to synchronize on cache-related fields, since this
     * method only gets called from the ConnectionHandler's thread.
     */
    if (sm != cacheSecurityManager) {
        okContext = null;
        authCache = new WeakHashMap<AccessControlContext,
                                    Reference<AccessControlContext>>();
        cacheSecurityManager = sm;
    }
    if (acc.equals(okContext) || authCache.containsKey(acc)) {
        return;
    }
    InetAddress addr = socket.getInetAddress();
    String host = (addr != null) ? addr.getHostAddress() : "*";

    sm.checkAccept(host, socket.getPort());

    authCache.put(acc, new SoftReference<AccessControlContext>(acc));
    okContext = acc;
}
 

public static void main(String[]args) throws Exception {
    final DomainCombiner dc = new DomainCombiner() {
        @Override
        public ProtectionDomain[] combine(ProtectionDomain[] currentDomains, ProtectionDomain[] assignedDomains) {
            return currentDomains; // basically a no-op
        }
    };

    // Get an instance of the saved ACC
    AccessControlContext saved = AccessController.getContext();
    // Simulate the stack ACC with a DomainCombiner attached
    AccessControlContext stack = new AccessControlContext(AccessController.getContext(), dc);

    // Now try to run JavaSecurityAccess.doIntersectionPrivilege() and assert
    // whether the DomainCombiner from the stack ACC is preserved
    boolean ret = SharedSecrets.getJavaSecurityAccess().doIntersectionPrivilege(new PrivilegedAction<Boolean>() {
        @Override
        public Boolean run() {
            return dc == AccessController.getContext().getDomainCombiner();
        }
    }, stack, saved);

    if (!ret) {
        System.exit(1);
    }
}
 

Object invoke() throws Exception {
    AccessControlContext acc = this.acc;
    if ((acc == null) && (System.getSecurityManager() != null)) {
        throw new SecurityException("AccessControlContext is not set");
    }
    try {
        return AccessController.doPrivileged(
                new PrivilegedExceptionAction<Object>() {
                    public Object run() throws Exception {
                        return invokeInternal();
                    }
                },
                acc
        );
    }
    catch (PrivilegedActionException exception) {
        throw exception.getException();
    }
}
 

/**
 * create a context that can read any directories (recursively)
 * mentioned in the class path. In the case of a jar, it has to
 * be the directory containing the jar, not just the jar, as jar
 * files might refer to other jar files.
 */

private static AccessControlContext getContext(File[] cp)
    throws MalformedURLException
{
    PathPermissions perms =
        new PathPermissions(cp);

    ProtectionDomain domain =
        new ProtectionDomain(new CodeSource(perms.getCodeBase(),
            (java.security.cert.Certificate[]) null),
        perms);

    AccessControlContext acc =
        new AccessControlContext(new ProtectionDomain[] { domain });

    return acc;
}
 

public static void main(String[]args) throws Exception {
    final DomainCombiner dc = new DomainCombiner() {
        @Override
        public ProtectionDomain[] combine(ProtectionDomain[] currentDomains, ProtectionDomain[] assignedDomains) {
            return currentDomains; // basically a no-op
        }
    };

    // Get an instance of the saved ACC
    AccessControlContext saved = AccessController.getContext();
    // Simulate the stack ACC with a DomainCombiner attached
    AccessControlContext stack = new AccessControlContext(AccessController.getContext(), dc);

    // Now try to run JavaSecurityAccess.doIntersectionPrivilege() and assert
    // whether the DomainCombiner from the stack ACC is preserved
    boolean ret = SharedSecrets.getJavaSecurityAccess().doIntersectionPrivilege(new PrivilegedAction<Boolean>() {
        @Override
        public Boolean run() {
            return dc == AccessController.getContext().getDomainCombiner();
        }
    }, stack, saved);

    if (!ret) {
        System.exit(1);
    }
}
 

private Class<?> loadClass(final String className)
    throws ClassNotFoundException {
    AccessControlContext stack = AccessController.getContext();
    final ClassNotFoundException[] caughtException = new ClassNotFoundException[1];

    Class c = javaSecurityAccess.doIntersectionPrivilege(new PrivilegedAction<Class<?>>() {

        @Override
        public Class<?> run() {
            try {
                ReflectUtil.checkPackageAccess(className);
                return Class.forName(className);
            } catch (ClassNotFoundException e) {
                final ClassLoaderRepository clr =
                    getClassLoaderRepository();
                try {
                    if (clr == null) throw new ClassNotFoundException(className);
                    return clr.loadClass(className);
                } catch (ClassNotFoundException ex) {
                    caughtException[0] = ex;
                }
            }
            return null;
        }
    }, stack, acc);

    if (caughtException[0] != null) {
        throw caughtException[0];
    }

    return c;
}
 

/**
 * Version for InnocuousForkJoinWorkerThread
 */
ForkJoinWorkerThread(ForkJoinPool pool, ThreadGroup threadGroup,
                     AccessControlContext acc) {
    super(threadGroup, null, "aForkJoinWorkerThread");
    U.putOrderedObject(this, INHERITEDACCESSCONTROLCONTEXT, acc);
    eraseThreadLocals(); // clear before registering
    this.pool = pool;
    this.workQueue = pool.registerWorker(this);
}
 

static Krb5AcceptCredential getInstance(final GSSCaller caller, Krb5NameElement name)
    throws GSSException {

    final String serverPrinc = (name == null? null:
        name.getKrb5PrincipalName().getName());
    final AccessControlContext acc = AccessController.getContext();

    ServiceCreds creds = null;
    try {
        creds = AccessController.doPrivileged(
                    new PrivilegedExceptionAction<ServiceCreds>() {
            public ServiceCreds run() throws Exception {
                return Krb5Util.getServiceCreds(
                    caller == GSSCaller.CALLER_UNKNOWN ? GSSCaller.CALLER_ACCEPT: caller,
                    serverPrinc, acc);
            }});
    } catch (PrivilegedActionException e) {
        GSSException ge =
            new GSSException(GSSException.NO_CRED, -1,
                "Attempt to obtain new ACCEPT credentials failed!");
        ge.initCause(e.getException());
        throw ge;
    }

    if (creds == null)
        throw new GSSException(GSSException.NO_CRED, -1,
                               "Failed to find any Kerberos credentails");

    if (name == null) {
        String fullName = creds.getName();
        if (fullName != null) {
            name = Krb5NameElement.getInstance(fullName,
                                   Krb5MechFactory.NT_GSS_KRB5_PRINCIPAL);
        }
    }

    return new Krb5AcceptCredential(name, creds);
}
 

/**
 * Verify that the current access control context has permission to
 * accept the connection being dispatched by the current thread.
 */
protected void checkAcceptPermission(AccessControlContext acc) {
    SecurityManager sm = System.getSecurityManager();
    if (sm == null) {
        return;
    }
    ConnectionHandler h = threadConnectionHandler.get();
    if (h == null) {
        throw new Error(
            "checkAcceptPermission not in ConnectionHandler thread");
    }
    h.checkAcceptPermission(sm, acc);
}
 

/**
 * Get the AccessControlContext of the domain combiner created with
 * the supplied subject, i.e. an AccessControlContext with the domain
 * combiner created with the supplied subject and where the caller's
 * context has been removed.
 */
public static AccessControlContext
    getDomainCombinerContext(Subject subject) {
    return new AccessControlContext(
        new AccessControlContext(new ProtectionDomain[0]),
        new JMXSubjectDomainCombiner(subject));
}
 

protected final AccessControlContext getSystemTaskControllerContext(String taskName, Principal principal)
{
    final Subject subject = getSystemTaskSubject(taskName, principal);
    return AccessController.doPrivileged
            (new PrivilegedAction<AccessControlContext>()
            {
                @Override
                public AccessControlContext run()
                {
                    return new AccessControlContext
                            (AccessController.getContext(),
                             new SubjectDomainCombiner(subject));
                }
            }, null);
}
 

URLClassLoader(URL[] urls, ClassLoader parent,
               AccessControlContext acc) {
    super(parent);
    // this is to make the stack depth consistent with 1.1
    SecurityManager security = System.getSecurityManager();
    if (security != null) {
        security.checkCreateClassLoader();
    }
    ucp = new URLClassPath(urls);
    this.acc = acc;
}
 

URLClassLoader(URL[] urls, AccessControlContext acc) {
    super();
    // this is to make the stack depth consistent with 1.1
    SecurityManager security = System.getSecurityManager();
    if (security != null) {
        security.checkCreateClassLoader();
    }
    this.acc = acc;
    ucp = new URLClassPath(urls, acc);
}
 

private static AccessControlContext getAccessControlContextFrom(Object src) {
    return src instanceof Component ?
        ((Component)src).getAccessControlContext() :
        src instanceof MenuComponent ?
            ((MenuComponent)src).getAccessControlContext() :
            src instanceof TrayIcon ?
                ((TrayIcon)src).getAccessControlContext() :
                null;
}
 

/**
 * Version for InnocuousForkJoinWorkerThread
 */
ForkJoinWorkerThread(ForkJoinPool pool, ThreadGroup threadGroup,
                     AccessControlContext acc) {
    super(threadGroup, null, "aForkJoinWorkerThread");
    U.putOrderedObject(this, INHERITEDACCESSCONTROLCONTEXT, acc);
    eraseThreadLocals(); // clear before registering
    this.pool = pool;
    this.workQueue = pool.registerWorker(this);
}
 

/**
 * Creates a new instance of URLClassLoader for the specified
 * URLs and default parent class loader. If a security manager is
 * installed, the {@code loadClass} method of the URLClassLoader
 * returned by this method will invoke the
 * {@code SecurityManager.checkPackageAccess} before
 * loading the class.
 *
 * @param urls the URLs to search for classes and resources
 * @exception  NullPointerException if {@code urls} is {@code null}.
 * @return the resulting class loader
 */
public static URLClassLoader newInstance(final URL[] urls) {
    // Save the caller's context
    final AccessControlContext acc = AccessController.getContext();
    // Need a privileged block to create the class loader
    URLClassLoader ucl = AccessController.doPrivileged(
        new PrivilegedAction<URLClassLoader>() {
            public URLClassLoader run() {
                return new FactoryURLClassLoader(urls, acc);
            }
        });
    return ucl;
}
 

@Override
public Object run() {
    Utils.readFile(filename);

    AccessControlContext acc = AccessController.getContext();
    Subject subject = Subject.getSubject(acc);
    ReadPropertyAction readProperty = new ReadPropertyAction();
    if (anotherSubject != null) {
        return Subject.doAs(anotherSubject, readProperty);
    } else {
        return Subject.doAs(subject, readProperty);
    }
}
 

public void init(String serverName,
    AccessControlContext acc, ProtocolVersion protocolVersion,
    SecureRandom rand) throws IOException {

    if (impl != null) {
        impl.init(serverName, acc, protocolVersion, rand);
    }
}
 

/**
 * Get the AccessControlContext of the domain combiner created with
 * the supplied subject, i.e. an AccessControlContext with the domain
 * combiner created with the supplied subject and where the caller's
 * context has been removed.
 */
public static AccessControlContext
    getDomainCombinerContext(Subject subject) {
    return new AccessControlContext(
        new AccessControlContext(new ProtectionDomain[0]),
        new JMXSubjectDomainCombiner(subject));
}