java.security.AccessControlException Java Examples
The following examples show how to use
java.security.AccessControlException.
You can vote up the ones you like or vote down the ones you don't like,
and go to the original project or source file by following the links above each example. You may check out the related API usage on the sidebar.
Example #1
| Source File: SecurityAwareTransformerFactory.java From ignite with Apache License 2.0 | 6 votes |
|
/** {@inheritDoc} */
@Override public IgniteClosure<E, R> create() {
final IgniteClosure<E, R> cl = original.create();
return new IgniteClosure<E, R>() {
/** {@inheritDoc} */
@Override public R apply(E e) {
IgniteSecurity security = ignite.context().security();
try (OperationSecurityContext c = security.withContext(subjectId)) {
IgniteSandbox sandbox = security.sandbox();
return sandbox.enabled() ? sandbox.execute(() -> cl.apply(e)) : cl.apply(e);
}
catch (AccessControlException ace) {
logAccessDeniedMessage(ace);
throw ace;
}
}
};
}
Example #2
| Source File: NonPublicProxyClass.java From openjdk-8-source with GNU General Public License v2.0 | 6 votes |
|
private void newProxyInstance() {
// expect newProxyInstance to succeed if it's in the same runtime package
int i = proxyClass.getName().lastIndexOf('.');
String pkg = (i != -1) ? proxyClass.getName().substring(0, i) : "";
boolean hasAccess = pkg.isEmpty() || hasAccess();
try {
Proxy.newProxyInstance(loader, interfaces, handler);
if (!hasAccess) {
throw new RuntimeException("ERROR: Proxy.newProxyInstance should fail " + proxyClass);
}
} catch (AccessControlException e) {
if (hasAccess) {
throw e;
}
if (e.getPermission().getClass() != ReflectPermission.class ||
!e.getPermission().getName().equals(NEW_PROXY_IN_PKG + pkg)) {
throw e;
}
}
}
Example #3
| Source File: FolderServiceImpl.java From document-management-software with GNU Lesser General Public License v3.0 | 6 votes |
|
@Override
public void paste(long[] docIds, long folderId, String action) throws ServerException {
Session session = ServiceUtil.validateSession(getThreadLocalRequest());
FolderDAO fdao = (FolderDAO) Context.get().getBean(FolderDAO.class);
Folder folder = fdao.findFolder(folderId);
if (!fdao.isWriteEnabled(folder.getId(), session.getUserId()))
throw new AccessControlException("Cannot write in folder " + folder.getName());
if (action.equals(Clipboard.CUT))
cut(session, docIds, folder.getId());
else if (action.equals(Clipboard.COPY))
copy(session, docIds, folder.getId());
}
Example #4
| Source File: InternalWorkbook.java From lams with GNU General Public License v2.0 | 6 votes |
|
/**
* creates the WriteAccess record containing the logged in user's name
*/
private static WriteAccessRecord createWriteAccess() {
WriteAccessRecord retval = new WriteAccessRecord();
String defaultUserName = "POI";
try {
String username = System.getProperty("user.name");
// Google App engine returns null for user.name, see Bug 53974
if(username == null) {
username = defaultUserName;
}
retval.setUsername(username);
} catch (AccessControlException e) {
LOG.log(POILogger.WARN, "can't determine user.name", e);
// AccessControlException can occur in a restricted context
// (client applet/jws application or restricted security server)
retval.setUsername(defaultUserName);
}
return retval;
}
Example #5
| Source File: AbstractSecurityService.java From tomee with Apache License 2.0 | 6 votes |
|
@Override
public boolean isCallerAuthorized(final Method method, final InterfaceType type) {
final ThreadContext threadContext = ThreadContext.getThreadContext();
final BeanContext beanContext = threadContext.getBeanContext();
try {
final String ejbName = beanContext.getEjbName();
String name = type == null ? null : type.getSpecName();
if ("LocalBean".equals(name) || "LocalBeanHome".equals(name)) {
name = null;
}
final Identity currentIdentity = clientIdentity.get();
final SecurityContext securityContext;
if (currentIdentity == null) {
securityContext = threadContext.get(SecurityContext.class);
} else {
securityContext = new SecurityContext(currentIdentity.getSubject());
}
securityContext.acc.checkPermission(new EJBMethodPermission(ejbName, name, method));
} catch (final AccessControlException e) {
return false;
}
return true;
}
Example #6
| Source File: VelocityResponseWriterTest.java From lucene-solr with Apache License 2.0 | 6 votes |
|
@Test
@Ignore("SOLR-14025: Velocity's SecureUberspector addresses this")
public void testSandboxIntersection() throws Exception {
assumeTrue("This test only works with security manager", System.getSecurityManager() != null);
VelocityResponseWriter vrw = new VelocityResponseWriter();
NamedList<String> nl = new NamedList<>();
nl.add("template.base.dir", getFile("velocity").getAbsolutePath());
vrw.init(nl);
SolrQueryRequest req = req(VelocityResponseWriter.TEMPLATE,"sandbox_intersection");
SolrQueryResponse rsp = new SolrQueryResponse();
StringWriter buf = new StringWriter();
try {
vrw.write(buf, req, rsp);
fail("template broke outside the box, retrieved: " + buf);
} catch (MethodInvocationException e) {
assertNotNull(e.getCause());
assertEquals(AccessControlException.class, e.getCause().getClass());
// expected failure, can't get outside the box
}
}
Example #7
| Source File: NonPublicProxyClass.java From openjdk-8 with GNU General Public License v2.0 | 6 votes |
|
private void newProxyInstance() {
// expect newProxyInstance to succeed if it's in the same runtime package
int i = proxyClass.getName().lastIndexOf('.');
String pkg = (i != -1) ? proxyClass.getName().substring(0, i) : "";
boolean hasAccess = pkg.isEmpty() || hasAccess();
try {
Proxy.newProxyInstance(loader, interfaces, handler);
if (!hasAccess) {
throw new RuntimeException("ERROR: Proxy.newProxyInstance should fail " + proxyClass);
}
} catch (AccessControlException e) {
if (hasAccess) {
throw e;
}
if (e.getPermission().getClass() != ReflectPermission.class ||
!e.getPermission().getName().equals(NEW_PROXY_IN_PKG + pkg)) {
throw e;
}
}
}
Example #8
| Source File: TestSetResourceBundle.java From openjdk-jdk8u with GNU General Public License v2.0 | 6 votes |
|
/**
* Test the LoggingPermission("control") is required.
* @param loggerName The logger to use.
*/
public static void testPermission(String loggerName) {
if (System.getSecurityManager() != null) {
throw new Error("Security manager is already set");
}
Policy.setPolicy(new SimplePolicy(TestCase.PERMISSION));
System.setSecurityManager(new SecurityManager());
final ResourceBundle bundle = ResourceBundle.getBundle(LIST_BUNDLE_NAME);
Logger foobar = Logger.getLogger(loggerName);
try {
foobar.setResourceBundle(bundle);
throw new RuntimeException("Permission not checked!");
} catch (AccessControlException x) {
if (x.getPermission() instanceof LoggingPermission) {
if ("control".equals(x.getPermission().getName())) {
System.out.println("Got expected exception: " + x);
return;
}
}
throw new RuntimeException("Unexpected exception: "+x, x);
}
}
Example #9
| Source File: ServiceAuthorizationManager.java From hadoop-gpu with Apache License 2.0 | 6 votes |
|
/**
* Check if the given {@link Subject} has all of necessary {@link Permission}
* set.
*
* @param user <code>Subject</code> to be authorized
* @param permissions <code>Permission</code> set
* @throws AuthorizationException if the authorization failed
*/
private static void checkPermission(final Subject user,
final Permission... permissions)
throws AuthorizationException {
try{
Subject.doAs(user,
new PrivilegedExceptionAction<Void>() {
@Override
public Void run() throws Exception {
try {
for(Permission permission : permissions) {
AccessController.checkPermission(permission);
}
} catch (AccessControlException ace) {
LOG.info("Authorization failed for " +
UserGroupInformation.getCurrentUGI(), ace);
throw new AuthorizationException(ace);
}
return null;
}
}
);
} catch (PrivilegedActionException e) {
throw new AuthorizationException(e.getException());
}
}
Example #10
| Source File: TikaProcessorTest.java From jesterj with Apache License 2.0 | 6 votes |
|
@Test
public void testExceptionToIgnoreFromTika() throws ParserConfigurationException, IOException, SAXException, TikaException {
DocumentBuilderFactory factory =
DocumentBuilderFactory.newInstance();
DocumentBuilder builder = factory.newDocumentBuilder();
ByteArrayInputStream input = new ByteArrayInputStream(XML_CONFIG.getBytes("UTF-8"));
org.w3c.dom.Document doc = builder.parse(input);
TikaProcessor proc = new TikaProcessor.Builder().named("foo").appendingSuffix("_tk").truncatingTextTo(20)
.configuredWith(doc)
.build();
expect(mockDocument.getRawData()).andThrow(new AccessControlException("Oh no you don't!"));
replay();
proc.processDocument(mockDocument);
}
Example #11
| Source File: bug6484091.java From jdk8u_jdk with GNU General Public License v2.0 | 6 votes |
|
public static void main(String[] args) {
File dir = FileSystemView.getFileSystemView().getDefaultDirectory();
printDirContent(dir);
System.setSecurityManager(new SecurityManager());
// The next test cases use 'dir' obtained without SecurityManager
try {
printDirContent(dir);
throw new RuntimeException("Dir content was derived bypass SecurityManager");
} catch (AccessControlException e) {
// It's a successful situation
}
}
Example #12
| Source File: TestSetResourceBundle.java From jdk8u-jdk with GNU General Public License v2.0 | 6 votes |
|
/**
* Test the LoggingPermission("control") is required.
* @param loggerName The logger to use.
*/
public static void testPermission(String loggerName) {
if (System.getSecurityManager() != null) {
throw new Error("Security manager is already set");
}
Policy.setPolicy(new SimplePolicy(TestCase.PERMISSION));
System.setSecurityManager(new SecurityManager());
final ResourceBundle bundle = ResourceBundle.getBundle(LIST_BUNDLE_NAME);
Logger foobar = Logger.getLogger(loggerName);
try {
foobar.setResourceBundle(bundle);
throw new RuntimeException("Permission not checked!");
} catch (AccessControlException x) {
if (x.getPermission() instanceof LoggingPermission) {
if ("control".equals(x.getPermission().getName())) {
System.out.println("Got expected exception: " + x);
return;
}
}
throw new RuntimeException("Unexpected exception: "+x, x);
}
}
Example #13
| Source File: SecurityTestSupport.java From groovy with Apache License 2.0 | 6 votes |
|
protected void executeScript(Class scriptClass, Permission missingPermission) {
try {
Script script = InvokerHelper.createScript(scriptClass, new Binding());
script.run();
//InvokerHelper.runScript(scriptClass, null);
} catch (AccessControlException ace) {
if (missingPermission != null && missingPermission.implies(ace.getPermission())) {
return;
} else {
fail(ace.toString());
}
}
if (missingPermission != null) {
fail("Should catch an AccessControlException");
}
}
Example #14
| Source File: FilterWithSecurityManagerTest.java From openjdk-jdk8u-backup with GNU General Public License v2.0 | 6 votes |
|
/**
* Test that setting process-wide filter is checked by security manager.
*/
@Test
public void testGlobalFilter() throws Exception {
if (ObjectInputFilter.Config.getSerialFilter() == null) {
return;
}
try (ByteArrayInputStream bais = new ByteArrayInputStream(bytes);
ObjectInputStream ois = new ObjectInputStream(bais)) {
ObjectInputFilter.Config.setSerialFilter(filter);
assertFalse(setSecurityManager,
"When SecurityManager exists, without "
+ "java.security.SerializablePermission(serialFilter) Exception should be thrown");
Object o = ois.readObject();
} catch (AccessControlException ex) {
assertTrue(setSecurityManager);
assertTrue(ex.getMessage().contains("java.io.SerializablePermission"));
assertTrue(ex.getMessage().contains("serialFilter"));
}
}
Example #15
| Source File: ClientRMService.java From hadoop with Apache License 2.0 | 6 votes |
|
private String checkReservationACLs(String queueName, String auditConstant)
throws YarnException {
UserGroupInformation callerUGI;
try {
callerUGI = UserGroupInformation.getCurrentUser();
} catch (IOException ie) {
RMAuditLogger.logFailure("UNKNOWN", auditConstant, queueName,
"ClientRMService", "Error getting UGI");
throw RPCUtil.getRemoteException(ie);
}
// Check if user has access on the managed queue
if (!queueACLsManager.checkAccess(callerUGI, QueueACL.SUBMIT_APPLICATIONS,
queueName)) {
RMAuditLogger.logFailure(
callerUGI.getShortUserName(),
auditConstant,
"User doesn't have permissions to "
+ QueueACL.SUBMIT_APPLICATIONS.toString(), "ClientRMService",
AuditConstants.UNAUTHORIZED_USER);
throw RPCUtil.getRemoteException(new AccessControlException("User "
+ callerUGI.getShortUserName() + " cannot perform operation "
+ QueueACL.SUBMIT_APPLICATIONS.name() + " on queue" + queueName));
}
return callerUGI.getShortUserName();
}
Example #16
| Source File: NonPublicProxyClass.java From openjdk-jdk8u with GNU General Public License v2.0 | 6 votes |
|
private void newProxyInstance() {
// expect newProxyInstance to succeed if it's in the same runtime package
int i = proxyClass.getName().lastIndexOf('.');
String pkg = (i != -1) ? proxyClass.getName().substring(0, i) : "";
boolean hasAccess = pkg.isEmpty() || hasAccess();
try {
Proxy.newProxyInstance(loader, interfaces, handler);
if (!hasAccess) {
throw new RuntimeException("ERROR: Proxy.newProxyInstance should fail " + proxyClass);
}
} catch (AccessControlException e) {
if (hasAccess) {
throw e;
}
if (e.getPermission().getClass() != ReflectPermission.class ||
!e.getPermission().getName().equals(NEW_PROXY_IN_PKG + pkg)) {
throw e;
}
}
}
Example #17
| Source File: TestMoveApplication.java From hadoop with Apache License 2.0 | 6 votes |
|
@Test
public void testMoveRejectedByPermissions() throws Exception {
failMove = true;
// Submit application
final Application application = new Application("user1", resourceManager);
application.submit();
final ClientRMService clientRMService = resourceManager.getClientRMService();
try {
UserGroupInformation.createRemoteUser("otheruser").doAs(
new PrivilegedExceptionAction<MoveApplicationAcrossQueuesResponse>() {
@Override
public MoveApplicationAcrossQueuesResponse run() throws Exception {
return clientRMService.moveApplicationAcrossQueues(
MoveApplicationAcrossQueuesRequest.newInstance(
application.getApplicationId(), "newqueue"));
}
});
fail("Should have hit exception");
} catch (Exception ex) {
assertEquals(AccessControlException.class, ex.getCause().getCause().getClass());
}
}
Example #18
| Source File: GetAuthenticatorTest.java From openjdk-jdk9 with GNU General Public License v2.0 | 6 votes |
|
public static void main (String args[]) throws Exception {
Authenticator defaultAuth = Authenticator.getDefault();
if (defaultAuth != null) {
throw new RuntimeException("Unexpected authenticator: null expected");
}
MyAuthenticator auth = new MyAuthenticator();
Authenticator.setDefault(auth);
defaultAuth = Authenticator.getDefault();
if (defaultAuth != auth) {
throw new RuntimeException("Unexpected authenticator: auth expected");
}
System.setSecurityManager(new SecurityManager());
try {
defaultAuth = Authenticator.getDefault();
throw new RuntimeException("Expected security exception not raised");
} catch (AccessControlException s) {
System.out.println("Got expected exception: " + s);
if (!s.getPermission().equals(new NetPermission("requestPasswordAuthentication"))) {
throw new RuntimeException("Unexpected permission check: " + s.getPermission());
}
}
System.out.println("Test passed with default authenticator "
+ defaultAuth);
}
Example #19
| Source File: FilterWithSecurityManagerTest.java From openjdk-jdk9 with GNU General Public License v2.0 | 6 votes |
|
/**
* Test that setting process-wide filter is checked by security manager.
*/
@Test
public void testGlobalFilter() throws Exception {
ObjectInputFilter global = ObjectInputFilter.Config.getSerialFilter();
try {
ObjectInputFilter.Config.setSerialFilter(filter);
assertFalse(setSecurityManager,
"When SecurityManager exists, without "
+ "java.io.SerializablePermission(serialFilter) "
+ "IllegalStateException should be thrown");
} catch (AccessControlException ex) {
assertTrue(setSecurityManager);
assertTrue(ex.getMessage().contains("java.io.SerializablePermission"));
assertTrue(ex.getMessage().contains("serialFilter"));
} catch (IllegalStateException ise) {
// ISE should occur only if global filter already set
Assert.assertNotNull(global, "Global filter should be non-null");
}
}
Example #20
| Source File: SystemPrivilegesPermissionTest.java From spliceengine with GNU Affero General Public License v3.0 | 6 votes |
|
/**
* Runs a privileged user action for a given principal.
*/
private void execute(SystemPrincipal principal,
PrivilegedAction action,
boolean isGrantExpected) {
//println();
//println(" testing action " + action);
final RunAsPrivilegedUserAction runAsPrivilegedUserAction
= new RunAsPrivilegedUserAction(principal, action);
try {
AccessController.doPrivileged(runAsPrivilegedUserAction);
//println(" Congrats! access granted " + action);
if (!isGrantExpected) {
fail("expected AccessControlException");
}
} catch (AccessControlException ace) {
//println(" Yikes! " + ace.getMessage());
if (isGrantExpected) {
//fail("caught AccessControlException");
throw ace;
}
}
}
Example #21
| Source File: GanttProject.java From ganttproject with GNU General Public License v3.0 | 6 votes |
|
public void setAskForSave(boolean afs) {
if (isOnlyViewer) {
return;
}
fireProjectModified(afs);
String title = getTitle();
askForSave = afs;
try {
if (System.getProperty("mrj.version") != null) {
rootPane.putClientProperty("windowModified", Boolean.valueOf(afs));
// see http://developer.apple.com/qa/qa2001/qa1146.html
} else {
if (askForSave) {
if (!title.endsWith(" *")) {
setTitle(title + " *");
}
}
}
} catch (AccessControlException e) {
// This can happen when running in a sandbox (Java WebStart)
System.err.println(e + ": " + e.getMessage());
}
}
Example #22
| Source File: RestServiceImpl.java From peer-os with Apache License 2.0 | 6 votes |
|
@RolesAllowed( { "Peer-Management|Delete", "Peer-Management|Update" } )
@Override
public Response cancelForRegistrationRequest( final String peerId, Boolean force )
{
try
{
peerManager.doCancelRequest( peerId, force );
}
catch ( Exception e )
{
if ( e.getClass() == AccessControlException.class )
{
LOGGER.error( e.getMessage() );
return Response.status( Response.Status.INTERNAL_SERVER_ERROR ).
entity( JsonUtil.GSON.toJson( "You don't have permission to perform this operation" ) ).build();
}
return Response.status( Response.Status.BAD_REQUEST ).entity( e.getMessage() ).build();
}
return Response.ok().build();
}
Example #23
| Source File: BaseDefaultLoggerFinderTest.java From openjdk-jdk9 with GNU General Public License v2.0 | 5 votes |
|
static TestLoggerFinder getLoggerFinder(Class<?> expectedClass) {
LoggerFinder provider = null;
try {
TestLoggerFinder.sequencer.incrementAndGet();
provider = LoggerFinder.getLoggerFinder();
} catch(AccessControlException a) {
throw a;
}
ErrorStream.errorStream.store();
System.out.println("*** Actual LoggerFinder class is: " + provider.getClass().getName());
expectedClass.cast(provider);
return TestLoggerFinder.class.cast(provider);
}
Example #24
| Source File: KeyTab.java From jdk8u-jdk with GNU General Public License v2.0 | 5 votes |
|
sun.security.krb5.internal.ktab.KeyTab takeSnapshot() {
try {
return sun.security.krb5.internal.ktab.KeyTab.getInstance(file);
} catch (AccessControlException ace) {
if (file != null) {
// It's OK to show the name if caller specified it
throw ace;
} else {
AccessControlException ace2 = new AccessControlException(
"Access to default keytab denied (modified exception)");
ace2.setStackTrace(ace.getStackTrace());
throw ace2;
}
}
}
Example #25
| Source File: CacheSandboxTest.java From ignite with Apache License 2.0 | 5 votes |
|
/** */
@Test
public void testEntryProcessor() {
entryProcessorOperations(grid(CLNT_ALLOWED_WRITE_PROP)).forEach(this::runOperation);
entryProcessorOperations(grid(CLNT_FORBIDDEN_WRITE_PROP))
.forEach(r -> runForbiddenOperation(r, AccessControlException.class));
}
Example #26
| Source File: KeyPermissions.java From jdk8u-jdk with GNU General Public License v2.0 | 5 votes |
|
@Override
public void checkPermission(Permission perm) {
if (perm instanceof PrivateCredentialPermission) {
if (!perm.getName().startsWith("javax.security.auth.kerberos.")) {
throw new AccessControlException(
"I don't like this", perm);
}
}
}
Example #27
| Source File: RepositoryManager.java From rapidminer-studio with GNU Affero General Public License v3.0 | 5 votes |
|
/**
* Add a repository as a special resource repository. The ordering is determined by the {@code before} or {@code after}
* parameters. Only one should not be {@code null}. If both are {@code null} or not {@code null}, or if the referenced name can not be found, the new repository
* will simply be sorted to the end.
* <p>
* <strong>Note:</strong> only signed extensions can call this method outside the core!
*
* @param repository
* the repository to add
* @param before
* the name of the repository the new repository should be inserted in front of; can be {@code null}
* @param after
* the name of the repository the new repository should be inserted after; can be {@code null}
* @since 9.0.0
*/
public void addSpecialRepository(Repository repository, String before, String after) {
try {
// only signed extensions are allowed to add special repositories
if (System.getSecurityManager() != null) {
AccessController.checkPermission(new RuntimePermission(PluginSandboxPolicy.RAPIDMINER_INTERNAL_PERMISSION));
}
} catch (AccessControlException e) {
return;
}
int insertionIndex = -1;
if (before == null && after != null) {
insertionIndex = SPECIAL_RESOURCE_REPOSITORY_NAMES.indexOf(after);
// sort to end (-1) or after the actual position
if (insertionIndex != -1) {
insertionIndex++;
}
} else if (after == null && before != null) {
// insert at that specific index; sorted to the end automatically if reference point not found
insertionIndex = SPECIAL_RESOURCE_REPOSITORY_NAMES.indexOf(before);
}
if (insertionIndex == -1) {
SPECIAL_RESOURCE_REPOSITORY_NAMES.add(repository.getName());
} else {
SPECIAL_RESOURCE_REPOSITORY_NAMES.add(insertionIndex, repository.getName());
}
addRepository(repository);
}
Example #28
| Source File: SAAJUtil.java From openjdk-8-source with GNU General Public License v2.0 | 5 votes |
|
public static boolean getSystemBoolean(String arg) {
try {
return Boolean.getBoolean(arg);
} catch (AccessControlException ex) {
return false;
}
}
Example #29
| Source File: Tests.java From openjdk-jdk9 with GNU General Public License v2.0 | 5 votes |
|
@Test
public void testFactoryMethodUsingIteratorNoPermission() {
ServiceLoader<S2> sl = doPrivileged(loadAction(S2.class), noPermissions());
try {
sl.iterator().next();
assertTrue(false);
} catch (ServiceConfigurationError e) {
assertTrue(e.getCause() instanceof AccessControlException);
}
}
Example #30
| Source File: KeyPermissions.java From openjdk-jdk9 with GNU General Public License v2.0 | 5 votes |
|
@Override
public void checkPermission(Permission perm) {
if (perm instanceof PrivateCredentialPermission) {
if (!perm.getName().startsWith("javax.security.auth.kerberos.")) {
throw new AccessControlException(
"I don't like this", perm);
}
}
}
