You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@river.apache.org by pe...@apache.org on 2012/06/29 15:01:38 UTC
svn commit: r1355351 [1/2] - in /river/jtsk/trunk: ./
qa/src/com/sun/jini/qa/harness/
qa/src/com/sun/jini/test/spec/security/basicproxypreparer/
src/com/sun/jini/start/ src/net/jini/security/policy/
src/org/apache/river/api/security/ test/src/org/apach...
Author: peter_firmstone
Date: Fri Jun 29 13:01:32 2012
New Revision: 1355351
URL: http://svn.apache.org/viewvc?rev=1355351&view=rev
Log:
Refactoring for release, clean up and decrease size of new public api.
Separated RemotePolicy implementation from DynamicPolicyProvider.
Version numbers and documentation still requires update prior to release.
Added:
river/jtsk/trunk/src/org/apache/river/api/security/AbstractPolicy.java (with props)
river/jtsk/trunk/src/org/apache/river/api/security/DelegatePermission.java (with props)
river/jtsk/trunk/src/org/apache/river/api/security/DelegateSecurityManager.java (with props)
river/jtsk/trunk/src/org/apache/river/api/security/RemotePolicyProvider.java (with props)
river/jtsk/trunk/src/org/apache/river/api/security/ScalableNestedPolicy.java
- copied, changed from r1337505, river/jtsk/trunk/src/org/apache/river/api/security/ConcurrentPolicy.java
river/jtsk/trunk/test/src/org/apache/river/api/security/DelegatePermissionTest.java (with props)
river/jtsk/trunk/test/src/org/apache/river/api/security/DelegateSecurityManagerTest.java (with props)
Removed:
river/jtsk/trunk/src/org/apache/river/api/security/ConcurrentPolicy.java
Modified:
river/jtsk/trunk/build.xml
river/jtsk/trunk/qa/src/com/sun/jini/qa/harness/MergedPolicyProvider.java
river/jtsk/trunk/qa/src/com/sun/jini/test/spec/security/basicproxypreparer/PrepareProxy_Test.td
river/jtsk/trunk/src/com/sun/jini/start/AggregatePolicyProvider.java
river/jtsk/trunk/src/com/sun/jini/start/LoaderSplitPolicyProvider.java
river/jtsk/trunk/src/net/jini/security/policy/DynamicPolicyProvider.java
river/jtsk/trunk/src/net/jini/security/policy/PolicyFileProvider.java
river/jtsk/trunk/src/org/apache/river/api/security/CachingSecurityManager.java
river/jtsk/trunk/src/org/apache/river/api/security/CombinerSecurityManager.java
river/jtsk/trunk/src/org/apache/river/api/security/ConcurrentPermissions.java
river/jtsk/trunk/src/org/apache/river/api/security/ConcurrentPolicyFile.java
river/jtsk/trunk/src/org/apache/river/api/security/DefaultPolicyParser.java
river/jtsk/trunk/src/org/apache/river/api/security/DefaultPolicyScanner.java
river/jtsk/trunk/src/org/apache/river/api/security/PermissionGrantBuilder.java
river/jtsk/trunk/src/org/apache/river/api/security/PermissionGrantBuilderImp.java
river/jtsk/trunk/src/org/apache/river/api/security/PrincipalGrant.java
river/jtsk/trunk/src/org/apache/river/api/security/RemotePolicy.java
river/jtsk/trunk/src/org/apache/river/api/security/RevocablePolicy.java
river/jtsk/trunk/src/org/apache/river/api/security/package.html
Modified: river/jtsk/trunk/build.xml
URL: http://svn.apache.org/viewvc/river/jtsk/trunk/build.xml?rev=1355351&r1=1355350&r2=1355351&view=diff
==============================================================================
--- river/jtsk/trunk/build.xml (original)
+++ river/jtsk/trunk/build.xml Fri Jun 29 13:01:32 2012
@@ -2181,12 +2181,14 @@
<mkdir dir="${test.classes.dir}"/>
<mkdir dir="${test.results.dir}"/>
<copy file="dep-libs/high-scale-lib/high-scale-lib.jar" todir="test/lib"/>
+ <copy file="dep-libs/rc-libs/reference-collections-1.0.0.jar" todir="test/lib"/>
</target>
<target name="clean-tests" depends="">
<delete dir="${test.classes.dir}" quiet="true"/>
<delete dir="${test.results.dir}" quiet="true"/>
<delete file="test/lib/high-scale-lib.jar" quiet="true"/>
+ <delete file="test/lib/reference-collections-1.0.0.jar" quiet="true"/>
</target>
<target name="compile-tests" depends="compile,prep-tests">
Modified: river/jtsk/trunk/qa/src/com/sun/jini/qa/harness/MergedPolicyProvider.java
URL: http://svn.apache.org/viewvc/river/jtsk/trunk/qa/src/com/sun/jini/qa/harness/MergedPolicyProvider.java?rev=1355351&r1=1355350&r2=1355351&view=diff
==============================================================================
--- river/jtsk/trunk/qa/src/com/sun/jini/qa/harness/MergedPolicyProvider.java (original)
+++ river/jtsk/trunk/qa/src/com/sun/jini/qa/harness/MergedPolicyProvider.java Fri Jun 29 13:01:32 2012
@@ -20,6 +20,7 @@ package com.sun.jini.qa.harness;
import java.security.CodeSource;
import java.security.Permission;
import java.security.PermissionCollection;
+import java.security.Permissions;
import java.security.Policy;
import java.security.ProtectionDomain;
@@ -29,16 +30,19 @@ import java.util.Collections;
import java.util.Enumeration;
import java.util.HashSet;
import java.util.Iterator;
+import java.util.LinkedList;
import java.util.List;
+import java.util.NavigableSet;
import java.util.StringTokenizer;
+import java.util.TreeSet;
import java.util.concurrent.locks.Lock;
import java.util.concurrent.locks.ReentrantLock;
-import org.apache.river.api.security.ConcurrentPermissions;
-import org.apache.river.api.security.ConcurrentPolicy;
-
import net.jini.security.policy.PolicyInitializationException;
import net.jini.security.policy.PolicyFileProvider;
+import org.apache.river.api.security.AbstractPolicy;
+import org.apache.river.api.security.ConcurrentPolicyFile;
import org.apache.river.api.security.PermissionGrant;
+import org.apache.river.api.security.ScalableNestedPolicy;
/**
* Security policy provider that delegates to a collection of underlying
@@ -48,7 +52,7 @@ import org.apache.river.api.security.Per
* access to the same file, a check for read,write access would still
* fail.
*/
-public class MergedPolicyProvider extends Policy implements ConcurrentPolicy{
+public class MergedPolicyProvider extends AbstractPolicy implements ScalableNestedPolicy{
/** class state */
// private static final Lock lock = new ReentrantLock();; // protects first
@@ -87,7 +91,7 @@ public class MergedPolicyProvider extend
Collection<Policy> policies = new ArrayList<Policy>();
try {
if (p1 != null) {
- policies.add(new PolicyFileProvider());
+ policies.add(new ConcurrentPolicyFile());
}
if (p2 != null) {
StringTokenizer tok = new StringTokenizer(p2, ", ");
@@ -116,7 +120,7 @@ public class MergedPolicyProvider extend
*/
public PermissionCollection getPermissions(CodeSource source) {
if (policies.isEmpty()) throw new IllegalStateException("No policies in provider");
- PermissionCollection pc = new ConcurrentPermissions();
+ PermissionCollection pc = new Permissions();
Iterator<Policy> it = policies.iterator();
while (it.hasNext()){
Policy policy = it.next();
@@ -127,25 +131,6 @@ public class MergedPolicyProvider extend
}
}
return pc;
-// Iterator it = policies.iterator();
-// if (it.hasNext()) {
-// PermissionCollection pc =
-// ((Policy) it.next()).getPermissions(source);
-// while (it.hasNext()) {
-// PermissionCollection pc2 =
-// ((Policy) it.next()).getPermissions(source);
-// Enumeration en = pc2.elements();
-// while (en.hasMoreElements()) {
-// Permission perm = (Permission) en.nextElement();
-// if (!pc.implies(perm)) {
-// pc.add(perm);
-// }
-// }
-// }
-// return pc;
-// } else {
-// throw new IllegalStateException("No policies in provider");
-// }
}
/**
@@ -155,76 +140,23 @@ public class MergedPolicyProvider extend
*
* @param domain the <code>ProtectionDomain</code>
*/
-// public PermissionCollection getPermissions(ProtectionDomain domain) {
-// Iterator it = policies.iterator();
-// ArrayList list = new ArrayList(64);
-// boolean first = false;
-//// lock.lock();
-//// try {
-// if (it.hasNext()) {
-// PermissionCollection pc =
-// ((Policy) it.next()).getPermissions(domain);
-// if (first) {
-// first = false;
-// Enumeration en = pc.elements();
-// list.add("BASE PERMISSIONS for domain " + domain);
-// while (en.hasMoreElements()) {
-// Permission perm = (Permission) en.nextElement();
-// list.add(perm.toString());
-// }
-// first = true;
-// }
-// while (it.hasNext()) {
-// PermissionCollection pc2 =
-// ((Policy) it.next()).getPermissions(domain);
-// Enumeration en = pc2.elements();
-// while (en.hasMoreElements()) {
-// Permission perm = (Permission) en.nextElement();
-// if (!pc.implies(perm)) {
-// if (first) {
-// first = false;
-// list.add("checking " + perm + " and adding");
-// first = true;
-// }
-// pc.add(perm);
-// } else {
-// if (first) {
-// first = false;
-// list.add("checking " + perm + " and not adding");
-// first = true;
-// }
-// }
-// }
-// }
-// if (first) {
-// first = false;
-// for (int i = 0; i < list.size(); i++) {
-// System.out.println((String) list.get(i));
-// }
-// first = true;
-// }
-// return pc;
-// } else {
-// throw new IllegalStateException("No policies in provider");
-// }
-//// }finally{
-//// lock.unlock();
-//// }
-// }
-
public PermissionCollection getPermissions(ProtectionDomain domain) {
if (policies.isEmpty()) throw new IllegalStateException("No policies in provider");
- PermissionCollection pc = new ConcurrentPermissions();
- Iterator<Policy> it = policies.iterator();
- while (it.hasNext()){
- Policy policy = it.next();
- PermissionCollection col = policy.getPermissions(domain);
- Enumeration<Permission> e = col.elements();
- while(e.hasMoreElements()){
- pc.add(e.nextElement());
- }
- }
- return pc;
+ Collection<PermissionGrant> grants = getPermissionGrants(domain);
+ NavigableSet<Permission> perms = new TreeSet<Permission>(comparator);
+ processGrants(grants, null, true, perms);
+ return convert(perms, 32, 0.75F, 1, 8);
+// PermissionCollection pc = new ConcurrentPermissions();
+// Iterator<Policy> it = policies.iterator();
+// while (it.hasNext()){
+// Policy policy = it.next();
+// PermissionCollection col = policy.getPermissions(domain);
+// Enumeration<Permission> e = col.elements();
+// while(e.hasMoreElements()){
+// pc.add(e.nextElement());
+// }
+// }
+// return pc;
}
/**
@@ -260,69 +192,42 @@ public class MergedPolicyProvider extend
}
}
- public boolean isConcurrent() {
+ public Collection<PermissionGrant> getPermissionGrants(ProtectionDomain domain) {
if (policies.isEmpty()) throw new IllegalStateException("No policies in provider");
+ Collection<PermissionGrant> perms = null;
Iterator<Policy> it = policies.iterator();
while (it.hasNext()){
Policy p = it.next();
- if (p instanceof ConcurrentPolicy){
- if (!((ConcurrentPolicy)p).isConcurrent()) return false;
+ if (p instanceof ScalableNestedPolicy){
+ Collection<PermissionGrant> g = ((ScalableNestedPolicy)p).getPermissionGrants(domain);
+ if (perms == null) {
+ perms = g;
+ } else {
+ perms.addAll(g);
+ }
} else {
- return false;
- }
- }
- return true;
- }
-
- public PermissionGrant[] getPermissionGrants(ProtectionDomain domain) {
- if (policies.isEmpty()) throw new IllegalStateException("No policies in provider");
- List<PermissionGrant[]> perms = new ArrayList<PermissionGrant[]>(policies.size());
- Iterator<Policy> it = policies.iterator();
- int arrayLength = 0;
- while (it.hasNext()){
- Policy p = it.next();
- if (p instanceof ConcurrentPolicy){
- PermissionGrant [] g = ((ConcurrentPolicy)p).getPermissionGrants(domain);
- arrayLength = arrayLength + g.length;
- perms.add(g);
+ if (perms == null ) perms = new LinkedList<PermissionGrant>();
+ perms.add(extractGrantFromPolicy(p, domain));
}
}
- PermissionGrant [] result = new PermissionGrant[arrayLength];
- int index = 0;
- Iterator<PermissionGrant[]> grants = perms.iterator();
- while (grants.hasNext()){
- PermissionGrant [] g = grants.next();
- int l = g.length;
- for (int i = 0; i < l; i++, index++){
- result[index] = g[i];
- }
- }
- return result;
+ return perms;
}
- public PermissionGrant[] getPermissionGrants() {
- if (policies.isEmpty()) throw new IllegalStateException("No policies in provider");
- List<PermissionGrant[]> perms = new ArrayList<PermissionGrant[]>(policies.size());
- Iterator<Policy> it = policies.iterator();
- int arrayLength = 0;
- while (it.hasNext()){
- Policy p = it.next();
- if (p instanceof ConcurrentPolicy){
- PermissionGrant [] g = ((ConcurrentPolicy)p).getPermissionGrants();
- arrayLength = arrayLength + g.length;
- perms.add(g);
- }
- }
- PermissionGrant [] result = new PermissionGrant[arrayLength];
- int index = 0;
- Iterator<PermissionGrant[]> grants = perms.iterator();
- while (grants.hasNext()){
- PermissionGrant [] g = grants.next();
- int l = g.length;
- for (int i = 0; i < l; i++, index++){
- result[index] = g[i];
- }
- }
- return result;
- }
+// public Collection<PermissionGrant> getPermissionGrants(boolean descend) {
+// if (policies.isEmpty()) throw new IllegalStateException("No policies in provider");
+// Collection<PermissionGrant> perms = null;
+// Iterator<Policy> it = policies.iterator();
+// while (it.hasNext()){
+// Policy p = it.next();
+// if (p instanceof ScalableNestedPolicy){
+// Collection<PermissionGrant> g = ((ScalableNestedPolicy)p).getPermissionGrants(descend);
+// if (perms == null) {
+// perms = g;
+// continue;
+// }
+// perms.addAll(g);
+// }
+// }
+// return perms;
+// }
}
Modified: river/jtsk/trunk/qa/src/com/sun/jini/test/spec/security/basicproxypreparer/PrepareProxy_Test.td
URL: http://svn.apache.org/viewvc/river/jtsk/trunk/qa/src/com/sun/jini/test/spec/security/basicproxypreparer/PrepareProxy_Test.td?rev=1355351&r1=1355350&r2=1355351&view=diff
==============================================================================
--- river/jtsk/trunk/qa/src/com/sun/jini/test/spec/security/basicproxypreparer/PrepareProxy_Test.td (original)
+++ river/jtsk/trunk/qa/src/com/sun/jini/test/spec/security/basicproxypreparer/PrepareProxy_Test.td Fri Jun 29 13:01:32 2012
@@ -6,4 +6,4 @@ com.sun.jini.qa.harness.runkitserver=fal
com.sun.jini.qa.harness.shared=false
#testjvmargs=-Xdebug,\
#-Xrunjdwp:transport=dt_socket+,address=8000+,server=y+,suspend=y,\
-#${testjvmargs}
\ No newline at end of file
+#${testjvmargs}
Modified: river/jtsk/trunk/src/com/sun/jini/start/AggregatePolicyProvider.java
URL: http://svn.apache.org/viewvc/river/jtsk/trunk/src/com/sun/jini/start/AggregatePolicyProvider.java?rev=1355351&r1=1355350&r2=1355351&view=diff
==============================================================================
--- river/jtsk/trunk/src/com/sun/jini/start/AggregatePolicyProvider.java (original)
+++ river/jtsk/trunk/src/com/sun/jini/start/AggregatePolicyProvider.java Fri Jun 29 13:01:32 2012
@@ -40,7 +40,7 @@ import java.util.concurrent.ConcurrentMa
import java.util.concurrent.locks.Lock;
import java.util.concurrent.locks.ReentrantLock;
import net.jini.security.SecurityContext;
-import org.apache.river.api.security.ConcurrentPolicy;
+import org.apache.river.api.security.ScalableNestedPolicy;
import net.jini.security.policy.DynamicPolicy;
import net.jini.security.policy.PolicyInitializationException;
import net.jini.security.policy.SecurityContextSource;
@@ -48,6 +48,9 @@ import org.apache.river.api.security.Per
import au.net.zeus.collection.RC;
import au.net.zeus.collection.Ref;
import au.net.zeus.collection.Referrer;
+import java.util.Collection;
+import java.util.LinkedList;
+import org.apache.river.api.security.AbstractPolicy;
/**
* Security policy provider which supports associating security sub-policies
@@ -77,7 +80,7 @@ import au.net.zeus.collection.Referrer;
* @since 2.0
*/
public class AggregatePolicyProvider
- extends Policy implements DynamicPolicy, SecurityContextSource, ConcurrentPolicy
+ extends AbstractPolicy implements DynamicPolicy, SecurityContextSource, ScalableNestedPolicy
{
private static final String mainPolicyClassProperty =
"com.sun.jini.start.AggregatePolicyProvider.mainPolicyClass";
@@ -231,30 +234,24 @@ public class AggregatePolicyProvider
public void refresh() {
getCurrentSubPolicy().refresh();
}
-
- public boolean isConcurrent() {
- Policy p = getCurrentSubPolicy();
- if (p instanceof ConcurrentPolicy){
- return ((ConcurrentPolicy)p).isConcurrent();
- }
- return false;
- }
- public PermissionGrant[] getPermissionGrants(ProtectionDomain domain) {
+ public Collection<PermissionGrant> getPermissionGrants(ProtectionDomain domain) {
Policy p = getCurrentSubPolicy();
- if (p instanceof ConcurrentPolicy){
- return ((ConcurrentPolicy)p).getPermissionGrants(domain);
- }
- return new PermissionGrant[0];
+ if (p instanceof ScalableNestedPolicy){
+ return ((ScalableNestedPolicy)p).getPermissionGrants(domain);
+ }
+ Collection<PermissionGrant> c = new LinkedList<PermissionGrant>();
+ c.add(extractGrantFromPolicy(p,domain));
+ return c;
}
- public PermissionGrant[] getPermissionGrants() {
- Policy p = getCurrentSubPolicy();
- if (p instanceof ConcurrentPolicy){
- return ((ConcurrentPolicy)p).getPermissionGrants();
- }
- return new PermissionGrant[0];
- }
+// public Collection<PermissionGrant> getPermissionGrants(boolean recursive) {
+// Policy p = getCurrentSubPolicy();
+// if (p instanceof ScalableNestedPolicy){
+// return ((ScalableNestedPolicy)p).getPermissionGrants(recursive);
+// }
+// throw new UnsupportedOperationException("sub policy doesn't implement ScalableNestedPolicy");
+// }
/**
* Changes sub-policy association with given class loader. If
Modified: river/jtsk/trunk/src/com/sun/jini/start/LoaderSplitPolicyProvider.java
URL: http://svn.apache.org/viewvc/river/jtsk/trunk/src/com/sun/jini/start/LoaderSplitPolicyProvider.java?rev=1355351&r1=1355350&r2=1355351&view=diff
==============================================================================
--- river/jtsk/trunk/src/com/sun/jini/start/LoaderSplitPolicyProvider.java (original)
+++ river/jtsk/trunk/src/com/sun/jini/start/LoaderSplitPolicyProvider.java Fri Jun 29 13:01:32 2012
@@ -18,7 +18,6 @@
package com.sun.jini.start;
-import com.sun.jini.collection.WeakIdentityMap;
import net.jini.security.policy.DynamicPolicy;
import java.security.AccessController;
import java.security.AllPermission;
@@ -30,10 +29,9 @@ import java.security.Policy;
import java.security.Principal;
import java.security.PrivilegedAction;
import java.security.ProtectionDomain;
-import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ConcurrentMap;
-import org.apache.river.api.security.ConcurrentPolicy;
+import org.apache.river.api.security.ScalableNestedPolicy;
import org.apache.river.api.security.PermissionGrant;
import au.net.zeus.collection.RC;
import au.net.zeus.collection.Ref;
Modified: river/jtsk/trunk/src/net/jini/security/policy/DynamicPolicyProvider.java
URL: http://svn.apache.org/viewvc/river/jtsk/trunk/src/net/jini/security/policy/DynamicPolicyProvider.java?rev=1355351&r1=1355350&r2=1355351&view=diff
==============================================================================
--- river/jtsk/trunk/src/net/jini/security/policy/DynamicPolicyProvider.java (original)
+++ river/jtsk/trunk/src/net/jini/security/policy/DynamicPolicyProvider.java Fri Jun 29 13:01:32 2012
@@ -18,10 +18,10 @@
package net.jini.security.policy;
-import org.apache.river.api.security.ConcurrentPolicy;
+import java.lang.ref.WeakReference;
+import org.apache.river.api.security.AbstractPolicy;
+import org.apache.river.api.security.ScalableNestedPolicy;
import org.apache.river.api.security.ConcurrentPolicyFile;
-import java.io.IOException;
-import java.rmi.RemoteException;
import org.apache.river.api.security.CachingSecurityManager;
import java.security.AccessController;
import java.security.AllPermission;
@@ -29,7 +29,6 @@ import java.security.CodeSource;
import java.security.Guard;
import java.security.Permission;
import java.security.PermissionCollection;
-import java.security.Permissions;
import java.security.Policy;
import java.security.Principal;
import java.security.PrivilegedAction;
@@ -37,22 +36,19 @@ import java.security.ProtectionDomain;
import java.security.Security;
import java.security.UnresolvedPermission;
import java.util.ArrayList;
-import java.util.Arrays;
import java.util.Collection;
-import java.util.Comparator;
+import java.util.Collections;
import java.util.Enumeration;
import java.util.HashSet;
import java.util.Iterator;
-import java.util.List;
+import java.util.LinkedList;
import java.util.NavigableSet;
-import java.util.Set;
import java.util.TreeSet;
+import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.CopyOnWriteArrayList;
import java.util.logging.Level;
import java.util.logging.Logger;
-import org.apache.river.api.security.ConcurrentPermissions;
import net.jini.security.GrantPermission;
-import org.apache.river.api.security.PermissionComparator;
import org.apache.river.api.security.PermissionGrant;
import org.apache.river.api.security.PermissionGrantBuilder;
import org.apache.river.api.security.RemotePolicy;
@@ -142,19 +138,18 @@ import org.apache.river.api.security.Rev
* @see RemotePolicy
*/
-public class DynamicPolicyProvider extends Policy implements RemotePolicy,
- RevocablePolicy {
- private static final Permission ALL_PERMISSION = new AllPermission();
+public class DynamicPolicyProvider extends AbstractPolicy implements
+ RevocablePolicy, ScalableNestedPolicy {
private static final String basePolicyClassProperty =
"net.jini.security.policy.DynamicPolicyProvider.basePolicyClass";
private static final String defaultBasePolicyClass =
"org.apache.river.api.security.ConcurrentPolicyFile";
// "net.jini.security.policy.PolicyFileProvider";
- private static final ProtectionDomain sysDomain =
- AccessController.doPrivileged(new PrivilegedAction<ProtectionDomain>() {
-
- public ProtectionDomain run() { return Object.class.getProtectionDomain(); }
- });
+// private static final ProtectionDomain sysDomain =
+// AccessController.doPrivileged(new PrivilegedAction<ProtectionDomain>() {
+//
+// public ProtectionDomain run() { return Object.class.getProtectionDomain(); }
+// });
private static final String revocationSupported =
"net.jini.security.policy.DynamicPolicyProvider.revocation";
private static final Logger logger = Logger.getLogger("net.jini.security.policy");
@@ -166,36 +161,19 @@ public class DynamicPolicyProvider exten
return DynamicPolicyProvider.class.getProtectionDomain();
}
});
-
- /*
- * Copy referent before use.
- *
- * Reference update Protected by grantLock, this array reference must only
- * be copied or replaced, it must never be read directly or operated on
- * unless holding grantLock.
- * Local methods must first copy the reference before using the array in
- * loops etc in case the reference is updated.
- * This is important, to prevent the update of the remotePolicyGrant's from
- * causing executing threads from being blocked.
- */
- private volatile PermissionGrant[] remotePolicyGrants; // Write protected by grantLock.
- /* This lock protects write updating of remotePolicyGrants reference */
- private final Object grantLock;
+
private final Policy basePolicy; // refresh protected by transactionWriteLock
// DynamicPolicy grant's for Proxy's.
private final Collection<PermissionGrant> dynamicPolicyGrants;
private final boolean basePolicyIsDynamic; // Don't use cache if true.
private final boolean revokeable;
private final boolean basePolicyIsRemote;
- private final boolean basePolicyIsConcurrent;
- private final Comparator<Permission> comparator = new PermissionComparator();
private final boolean loggable;
// do something about some domain permissions for this domain so we can
// avoid dead locks due to bug 4911907
private final Guard revokePermission;
- private final Permission implementsPermissionGrant;
private final Guard protectionDomainPermission;
@@ -250,13 +228,9 @@ public class DynamicPolicyProvider exten
throw new PolicyInitializationException(
"unable to construct base policy", e);
}
- dynamicPolicyGrants = new CopyOnWriteArrayList<PermissionGrant>();
-
- remotePolicyGrants = new PermissionGrant[0];
+ dynamicPolicyGrants = Collections.newSetFromMap(new ConcurrentHashMap<PermissionGrant,Boolean>(64));
loggable = logger.isLoggable(Level.FINEST);
- grantLock = new Object();
revokePermission = new PolicyPermission("REVOKE");
- implementsPermissionGrant = new PolicyPermission("implementPermissionGrant");
protectionDomainPermission = new RuntimePermission("getProtectionDomain");
if (basePolicy instanceof DynamicPolicy) {
DynamicPolicy dp = (DynamicPolicy) basePolicy;
@@ -272,8 +246,6 @@ public class DynamicPolicyProvider exten
revokeable = revoke.equals(tRue);
}
basePolicyIsRemote = basePolicy instanceof RemotePolicy ?true: false;
- basePolicyIsConcurrent = basePolicy instanceof ConcurrentPolicy
- ? ((ConcurrentPolicy) basePolicy).isConcurrent() : false;
policyPermissions = basePolicy.getPermissions(policyDomain);
policyPermissions.setReadOnly();
}
@@ -288,13 +260,11 @@ public class DynamicPolicyProvider exten
* <code>null</code>
*/
public DynamicPolicyProvider(Policy basePolicy){
+ if (basePolicy == null) throw new NullPointerException("null basePolicy prohibited");
this.basePolicy = basePolicy;
- dynamicPolicyGrants = new CopyOnWriteArrayList<PermissionGrant>();
- remotePolicyGrants = new PermissionGrant[0];
+ dynamicPolicyGrants = Collections.newSetFromMap(new ConcurrentHashMap<PermissionGrant,Boolean>(64));
loggable = logger.isLoggable(Level.FINEST);
- grantLock = new Object();
revokePermission = new PolicyPermission("REVOKE");
- implementsPermissionGrant = new PolicyPermission("implementPermissionGrant");
protectionDomainPermission = new RuntimePermission("getProtectionDomain");
if (basePolicy instanceof DynamicPolicy) {
DynamicPolicy dp = (DynamicPolicy) basePolicy;
@@ -310,8 +280,6 @@ public class DynamicPolicyProvider exten
revokeable = true;
}
basePolicyIsRemote = basePolicy instanceof RemotePolicy ?true: false;
- basePolicyIsConcurrent = basePolicy instanceof ConcurrentPolicy
- ? ((ConcurrentPolicy) basePolicy).isConcurrent() : false;
policyPermissions = basePolicy.getPermissions(policyDomain);
policyPermissions.setReadOnly();
}
@@ -374,60 +342,6 @@ Put the policy providers and all referen
public boolean revokeSupported() {
return revokeable;
}
-
- private PermissionCollection convert(NavigableSet<Permission> permissions, int initialCapacity, float loadFactor, int concurrencyLevel, int unresolvedCapacity){
- PermissionCollection pc =
- new ConcurrentPermissions(initialCapacity, loadFactor,
- concurrencyLevel, unresolvedCapacity);
- // The descending iterator is for SocketPermission.
- Iterator<Permission> it = permissions.descendingIterator();
- while (it.hasNext()) {
- pc.add(it.next());
- }
- return pc;
- }
-
- private NavigableSet<Permission> processGrants(PermissionGrant[] grant, Class permClass, boolean stopIfAll)
- {
- NavigableSet<Permission> set = new TreeSet<Permission>(comparator);
- int l = grant.length;
- if (permClass == null)
- {
- for (int i = 0; i < l; i++)
- {
- if ( stopIfAll && grant[i].isPrivileged()){
- set.add(ALL_PERMISSION);
- return set;
- }
- Iterator<Permission> it = grant[i].getPermissions().iterator();
- while (it.hasNext())
- {
- Permission p = it.next();
- set.add(p);
- }
- }
- }
- else
- {
- for (int i = 0; i < l; i++)
- {
- if ( stopIfAll && grant[i].isPrivileged()){
- set.add(ALL_PERMISSION);
- return set;
- }
- Iterator<Permission> it = grant[i].getPermissions().iterator();
- while (it.hasNext())
- {
- Permission p = it.next();
- if (permClass.isInstance(p)|| p instanceof UnresolvedPermission)
- {
- set.add(p);
- }
- }
- }
- }
- return set;
- }
@Override
public PermissionCollection getPermissions(CodeSource codesource) {
@@ -436,85 +350,83 @@ Put the policy providers and all referen
* by a ProtectionDomain. In this case during construction of a
* ProtectionDomain. Static Permissions are irrevocable.
*/
- NavigableSet<Permission> permissions = null;
- if (!basePolicyIsConcurrent || codesource == null) {
- permissions = new TreeSet<Permission>(comparator);
- PermissionCollection pc = basePolicy.getPermissions(codesource);
- Enumeration<Permission> enu = pc.elements();
- while (enu.hasMoreElements()){
- permissions.add(enu.nextElement());
- }
- }else{
- ProtectionDomain pd = new ProtectionDomain(codesource, null);
- PermissionGrant [] grants = ((ConcurrentPolicy) basePolicy).getPermissionGrants(pd);
- permissions = processGrants(grants, null, true);
- }
-// if (revokeable == true) return convert(permissions);
+ return basePolicy.getPermissions(codesource);
+// NavigableSet<Permission> permissions = new TreeSet<Permission>(comparator);
+// if (!(basePolicy instanceof ScalableNestedPolicy) || codesource == null) {
+// PermissionCollection pc = basePolicy.getPermissions(codesource);
+// Enumeration<Permission> enu = pc.elements();
+// while (enu.hasMoreElements()){
+// permissions.add(enu.nextElement());
+// }
+// }else{
+// ProtectionDomain pd = new ProtectionDomain(codesource, null);
+// Collection<PermissionGrant> grants = ((ScalableNestedPolicy) basePolicy).getPermissionGrants(pd, true);
+// processGrants(grants, null, true, permissions);
+// }
+//// if (revokeable == true) return convert(permissions);
+//// Iterator<PermissionGrant> dynamicGrants = dynamicPolicyGrants.iterator();
+//// while (dynamicGrants.hasNext()){
+//// PermissionGrant p = dynamicGrants.next();
+//// if ( p.implies(codesource, null) ){
+//// // Only use the trusted grantCache.
+//// Collection<Permission> perms = p.getPermissions();
+//// Iterator<Permission> it = perms.iterator();
+//// while (it.hasNext()){
+//// permissions.add(it.next());
+//// }
+//// }
+//// }
+// return convert(permissions, 16, 0.75F, 16, 16);
+ }
+
+ @Override
+ public PermissionCollection getPermissions(ProtectionDomain domain) {
+// if (domain == policyDomain) return policyPermissions;
+ /* Note: we can return revokeable permissions, the ProtectionDomain
+ * only temporarily merges the permissions for toString(), for debugging.
+ */
+ Collection<PermissionGrant> pgc = getPermissionGrants(domain);
+ NavigableSet<Permission> permissions = new TreeSet<Permission>(comparator);
+ processGrants(pgc, null, true, permissions);
+// if (!(basePolicy instanceof ScalableNestedPolicy)) {
+// permissions = new TreeSet<Permission>(comparator);
+// PermissionCollection pc = basePolicy.getPermissions(domain);
+// Enumeration<Permission> enu = pc.elements();
+// while (enu.hasMoreElements()){
+// permissions.add(enu.nextElement());
+// }
+// }else{
+// Collection<PermissionGrant> grants =
+// ((ScalableNestedPolicy) basePolicy).getPermissionGrants(domain, true);
+// permissions = new TreeSet<Permission>(comparator);
+// processGrants(grants, null, false, permissions);
+// }
+//// PermissionGrant [] grantsRefCopy = remotePolicyGrants; // Interim updates not seen.
+//// int l = grantsRefCopy.length;
+//// for ( int i = 0; i < l; i++ ){
+//// if ( grantsRefCopy[i].implies(domain) ){
+//// Collection<Permission> perms = grantsRefCopy[i].getPermissions();
+//// Iterator<Permission> it = perms.iterator();
+//// while (it.hasNext()){
+//// permissions.add(it.next());
+//// }
+//// }
+//// }
// Iterator<PermissionGrant> dynamicGrants = dynamicPolicyGrants.iterator();
// while (dynamicGrants.hasNext()){
// PermissionGrant p = dynamicGrants.next();
-// if ( p.implies(codesource, null) ){
+// if ( p.implies(domain) ){
// // Only use the trusted grantCache.
-// Collection<Permission> perms = p.getPermissions();
+// Collection<Permission> perms = p.getPermissions();
// Iterator<Permission> it = perms.iterator();
// while (it.hasNext()){
// permissions.add(it.next());
// }
// }
// }
- return convert(permissions, 16, 0.75F, 16, 16);
- }
-
- @Override
- public PermissionCollection getPermissions(ProtectionDomain domain) {
- if (domain == policyDomain) return policyPermissions;
- /* Note: we can return revokeable permissions, the ProtectionDomain
- * only temporarily merges the permissions for toString(), for debugging.
- */
- NavigableSet<Permission> permissions = null;
- if (!basePolicyIsConcurrent) {
- permissions = new TreeSet<Permission>(comparator);
- PermissionCollection pc = basePolicy.getPermissions(domain);
- Enumeration<Permission> enu = pc.elements();
- while (enu.hasMoreElements()){
- permissions.add(enu.nextElement());
- }
- }else{
- PermissionGrant [] grants =
- ((ConcurrentPolicy) basePolicy).getPermissionGrants(domain);
- permissions = processGrants(grants, null, false);
- }
- PermissionGrant [] grantsRefCopy = remotePolicyGrants; // Interim updates not seen.
- int l = grantsRefCopy.length;
- for ( int i = 0; i < l; i++ ){
- if ( grantsRefCopy[i].implies(domain) ){
- Collection<Permission> perms = grantsRefCopy[i].getPermissions();
- Iterator<Permission> it = perms.iterator();
- while (it.hasNext()){
- permissions.add(it.next());
- }
- }
- }
- Iterator<PermissionGrant> dynamicGrants = dynamicPolicyGrants.iterator();
- while (dynamicGrants.hasNext()){
- PermissionGrant p = dynamicGrants.next();
- if ( p.implies(domain) ){
- // Only use the trusted grantCache.
- Collection<Permission> perms = p.getPermissions();
- Iterator<Permission> it = perms.iterator();
- while (it.hasNext()){
- permissions.add(it.next());
- }
- }
- }
- return convert(permissions, 16, 0.75F, 16, 16);
- }
-
- /* River-26 Mark Brouwer suggested making UmbrellaPermission's expandable
- * from Dynamic Grants.
- */
- private void expandUmbrella(PermissionCollection pc) {
- PolicyFileProvider.expandUmbrella(pc);
+ PermissionCollection pc = convert(permissions, 32, 0.75F, 1, 8);
+ expandUmbrella(pc);
+ return pc;
}
@Override
@@ -551,14 +463,13 @@ Put the policy providers and all referen
* this could then be inadvertantly cached and passed to a ProtectionDomain
* constructor, preventing Revocation.
*/
- NavigableSet<Permission> permissions = null; // Keep as small as possible.
+ NavigableSet<Permission> permissions = new TreeSet<Permission>(comparator); // Keep as small as possible.
/* If GrantPermission is being requested, we must get all Permission objects
* and add them to the underlying collection.
*
*/
Class permClass = permission instanceof GrantPermission ? null : permission.getClass();
- if (!basePolicyIsConcurrent) {
- permissions = new TreeSet<Permission>(comparator);
+ if (!(basePolicy instanceof ScalableNestedPolicy)) {
PermissionCollection pc = basePolicy.getPermissions(domain);
Enumeration<Permission> enu = pc.elements();
while (enu.hasMoreElements()){
@@ -571,27 +482,27 @@ Put the policy providers and all referen
}
}
}else{
- PermissionGrant [] grants = ((ConcurrentPolicy) basePolicy).getPermissionGrants(domain);
- permissions = processGrants(grants, permClass, true);
+ Collection<PermissionGrant> grants = ((ScalableNestedPolicy) basePolicy).getPermissionGrants(domain);
+ processGrants(grants, permClass, true, permissions);
if (permissions.contains(ALL_PERMISSION)) return true;
}
- PermissionGrant[] grantsRefCopy = remotePolicyGrants; // In case the grants volatile reference is updated.
-// if (thread.isInterrupted()) return false;
- int l = grantsRefCopy.length;
- for ( int i = 0; i < l; i++){
- if (grantsRefCopy[i].implies(domain)) {
- Collection<Permission> perms = grantsRefCopy[i].getPermissions();
- Iterator<Permission> it = perms.iterator();
- while (it.hasNext()){
- Permission p = it.next();
- if ( permClass == null){
- permissions.add(p);
- } else if ( permClass.isInstance(permission) || permission instanceof UnresolvedPermission){
- permissions.add(p);
- }
- }
- }
- }
+// PermissionGrant[] grantsRefCopy = remotePolicyGrants; // In case the grants volatile reference is updated.
+//// if (thread.isInterrupted()) return false;
+// int l = grantsRefCopy.length;
+// for ( int i = 0; i < l; i++){
+// if (grantsRefCopy[i].implies(domain)) {
+// Collection<Permission> perms = grantsRefCopy[i].getPermissions();
+// Iterator<Permission> it = perms.iterator();
+// while (it.hasNext()){
+// Permission p = it.next();
+// if ( permClass == null){
+// permissions.add(p);
+// } else if ( permClass.isInstance(permission) || permission instanceof UnresolvedPermission){
+// permissions.add(p);
+// }
+// }
+// }
+// }
// if (thread.isInterrupted()) return false;
Iterator<PermissionGrant> grants = dynamicPolicyGrants.iterator();
while (grants.hasNext()){
@@ -613,10 +524,10 @@ Put the policy providers and all referen
PermissionCollection pc = null;
if (permClass != null){
- pc =convert(permissions, 1, 0.75F, 1, 16);
+ pc =convert(permissions, 4, 0.75F, 1, 2);
} else {
// GrantPermission
- pc = convert(permissions, 24, 0.75F, 1, 16);
+ pc = convert(permissions, 4, 0.75F, 1, 2);
expandUmbrella(pc);
}
return pc.implies(permission);
@@ -627,8 +538,8 @@ Put the policy providers and all referen
* the cache and refreshes the underlying Policy, it also removes any
* grants for ProtectionDomains that no longer exist.
*
- * If a CachingSecurityManager has been set, this method will clear it's
- * checked cache.
+ * If a CachingSecurityManager has been set, this method will clear its
+ * cache.
*
*/
@@ -744,138 +655,54 @@ Put the policy providers and all referen
}
return removed.toArray(new Permission[removed.size()]);
}
-
- private static void checkNullElements(Object[] array) {
- int l = array.length;
- for (int i = 0; i < l; i++) {
- if (array[i] == null) {
- throw new NullPointerException();
- }
- }
- }
- public void replace(PermissionGrant[] grants) throws IOException {
- /* If the base policy is also remote, each will manage their own
- * permissions independantly, so we do not delegate to the underlying policy.
- * Any underlying local policy file permissions should be propagated up
- * into each policy, which means there will be duplication of some
- * policy information.
- * It seems logical in the case of multiple remote policies that each
- * could be the responsiblity of a different administrator. If these
- * separate policy's were to be combined, there may be some cases
- * where two permissions combined also implied a third permission, that
- * neither administrator intended to grant.
- */
- // because PermissionGrant's are given references to ProtectionDomain's
- // we must check the caller has this permission.
- try {
- protectionDomainPermission.checkGuard(null);
- // Delegating to the underlying policy is not supported.
- processRemotePolicyGrants(grants);
- // If we get to here, the caller has permission.
- } catch (SecurityException e){
- throw new RemoteException("Policy update failed", (Throwable) e);
- } catch (NullPointerException e) {
- throw new RemoteException("Policy update failed", (Throwable) e);
- }
- }
-
- /**
- * This method checks that the PermissionGrant's are authorised to be
- * granted by it's caller, if it Fails, it will throw a SecurityException
- * or AccessControlException.
- *
- *
- *
- * The PermissionGrant should not be requested for it's Permission's
- * again, since doing so would risk an escallation of privelege attack if the
- * PermissionGrant implementation was mutable.
- *
- * @param grants
- * @return map of checked grants.
- */
- private void
- checkCallerHasGrants(Collection<PermissionGrant> grants) throws SecurityException {
- Iterator<PermissionGrant> grantsItr = grants.iterator();
- while (grantsItr.hasNext()){
- PermissionGrant grant = grantsItr.next();
- Collection<Permission> permCol = grant.getPermissions();
- Permission[] perms = permCol.toArray(new Permission [permCol.size()]);
- checkNullElements(perms);
- Guard g = new GrantPermission(perms);
- g.checkGuard(this);
- }
- }
-
- /**
- * Any grants must first be checked for PermissionGrants, checkCallerHasGrants has
- * been provided for this purpose, then prior to calling this method,
- * the PermissionGrant's must be added to the grantsCache.
- *
- * processRemotePolicyGrants places the PermissionGrant's in the remotePolicyGrants array. It is
- * recommended that only this method be used to update the remotePolicyGrants
- * reference.
- *
- * @param grants
- */
- private void processRemotePolicyGrants(PermissionGrant[] grants) {
- // This is slightly naughty calling a remotePolicyGrants method, however if it
- // changes between now and gaining the lock, only the length of the
- // HashSet is potentially not optimal, keeping the HashSet creation
- // outside of the lock reduces the lock held duration.
- Set<ProtectionDomain> domains = new HashSet<ProtectionDomain>();
- int l = grants.length;
- for (int i = 0; i < l; i++ ){
- if (grants[i] == null ) throw new NullPointerException("null PermissionGrant prohibited");
- // This causes a ProtectionDomain security check.
- final Class c = grants[i].getClass();
- List<ProtectionDomain> doms = AccessController.doPrivileged(
- new PrivilegedAction<List<ProtectionDomain>>() {
- public List<ProtectionDomain> run() {
- Class[] classes = c.getDeclaredClasses();
- List<ProtectionDomain> domains = new ArrayList<ProtectionDomain>();
- int l = classes.length;
- for ( int i = 0; i < l; i++ ){
- domains.add(classes[i].getProtectionDomain());
- }
- return domains;
- }
- });
- domains.addAll(doms);
+ @Override
+ public Collection<PermissionGrant> getPermissionGrants(ProtectionDomain domain) {
+ Collection<PermissionGrant> grants = null;
+ if (basePolicy instanceof ScalableNestedPolicy){
+ grants = ((ScalableNestedPolicy)basePolicy).getPermissionGrants(domain);
+ } else {
+ grants = new LinkedList<PermissionGrant>();
+ grants.add(extractGrantFromPolicy(basePolicy, domain));
}
- Iterator<ProtectionDomain> it = domains.iterator();
+ Iterator<PermissionGrant> it = dynamicPolicyGrants.iterator();
while (it.hasNext()){
- if ( ! it.next().implies(implementsPermissionGrant)) {
- throw new SecurityException("Missing permission: "
- + implementsPermissionGrant.toString());
- }
- }
- HashSet<PermissionGrant> holder
- = new HashSet<PermissionGrant>(grants.length);
- holder.addAll(Arrays.asList(grants));
- checkCallerHasGrants(holder);
- PermissionGrant[] old = null;
- synchronized (grantLock) {
- old = remotePolicyGrants;
- PermissionGrant[] updated = new PermissionGrant[holder.size()];
- remotePolicyGrants = holder.toArray(updated);
- }
- Collection<PermissionGrant> oldGrants = new HashSet<PermissionGrant>(old.length);
- oldGrants.addAll(Arrays.asList(old));
- oldGrants.removeAll(holder);
- // Collect removed Permission's to notify CachingSecurityManager.
- Set<Permission> removed = new HashSet<Permission>(120);
- Iterator<PermissionGrant> rgi = oldGrants.iterator();
- while (rgi.hasNext()){
- PermissionGrant g = rgi.next();
- removed.addAll(g.getPermissions());
+ grants.add(it.next());
}
-
- SecurityManager sm = System.getSecurityManager();
- if (sm instanceof CachingSecurityManager) {
- ((CachingSecurityManager) sm).clearCache();
- }
- // oldGrants now only has the grants which have been removed.
+ return grants;
+ }
+
+// @Override
+// public Collection<PermissionGrant> getPermissionGrants(boolean recursive) {
+// Collection<PermissionGrant> grants = null;
+// if ( recursive ){
+// if (!(basePolicy instanceof ScalableNestedPolicy)){
+// throw new UnsupportedOperationException
+// ("base policy doesn't implement ScalableNestedPolicy");
+// }
+// grants = ((ScalableNestedPolicy)basePolicy).getPermissionGrants(recursive);
+// } else {
+// grants = new LinkedList<PermissionGrant>();
+// }
+// grants.addAll(dynamicPolicyGrants);
+// return grants;
+// }
+
+ @Override
+ public boolean revoke(PermissionGrant p) {
+ revokePermission.checkGuard(null);
+ return dynamicPolicyGrants.remove(p);
+ }
+
+ @Override
+ public boolean grant(PermissionGrant p) {
+ Collection<Permission> perms = p.getPermissions();
+ GrantPermission guard = new GrantPermission(perms.toArray(new Permission [perms.size()]));
+ guard.checkGuard(null);
+ // Since PermissionGrant receives a ProtectionDomain instance, we
+ // must check if the caller has that permission.
+ protectionDomainPermission.checkGuard(null);
+ return dynamicPolicyGrants.add(p);
}
}
Modified: river/jtsk/trunk/src/net/jini/security/policy/PolicyFileProvider.java
URL: http://svn.apache.org/viewvc/river/jtsk/trunk/src/net/jini/security/policy/PolicyFileProvider.java?rev=1355351&r1=1355350&r2=1355351&view=diff
==============================================================================
--- river/jtsk/trunk/src/net/jini/security/policy/PolicyFileProvider.java (original)
+++ river/jtsk/trunk/src/net/jini/security/policy/PolicyFileProvider.java Fri Jun 29 13:01:32 2012
@@ -18,6 +18,7 @@
package net.jini.security.policy;
+import org.apache.river.api.security.AbstractPolicy;
import java.security.AccessController;
import java.security.CodeSource;
import java.security.Permission;
@@ -57,7 +58,7 @@ import net.jini.security.GrantPermission
* <code>net.jini.security.policy.PolicyFileProvider.basePolicyClass</code>
* security property is not set.
*/
-public class PolicyFileProvider extends Policy {
+public class PolicyFileProvider extends AbstractPolicy {
private static final String basePolicyClassProperty =
"net.jini.security.policy.PolicyFileProvider.basePolicyClass";
@@ -67,7 +68,6 @@ public class PolicyFileProvider extends
// "sun.security.provider.PolicyFile";
private static final String policyProperty = "java.security.policy";
private static final Object propertyLock = new Object();
- private static final Permission umbrella = new UmbrellaGrantPermission();
private final String policyFile;
private final Policy basePolicy;
@@ -277,25 +277,6 @@ public class PolicyFileProvider extends
// force resolution of GrantPermission and UmbrellaGrantPermission
new GrantPermission(umbrella);
}
-
- static void expandUmbrella(PermissionCollection pc) {
- if (pc.implies(umbrella)) {
- // Don't use Set, avoid calling equals and hashCode on SocketPermission.
- Collection<Permission> perms = new ArrayList<Permission>(120);
- Enumeration<Permission> e = pc.elements();
- while (e.hasMoreElements()){
- Permission p = e.nextElement();
- // Avoid unintended granting of GrantPermission
- // and recursive UmbrellaGrantPermission
- if ( p instanceof GrantPermission ||
- p instanceof UmbrellaGrantPermission){
- continue;
- }
- perms.add(p);
- }
- pc.add(new GrantPermission(perms.toArray(new Permission[perms.size()])));
- }
- }
/** Resets policyProperty system property, removing it if the value to set
* is null. We do this in a privileged block to make sure that the operation
Added: river/jtsk/trunk/src/org/apache/river/api/security/AbstractPolicy.java
URL: http://svn.apache.org/viewvc/river/jtsk/trunk/src/org/apache/river/api/security/AbstractPolicy.java?rev=1355351&view=auto
==============================================================================
--- river/jtsk/trunk/src/org/apache/river/api/security/AbstractPolicy.java (added)
+++ river/jtsk/trunk/src/org/apache/river/api/security/AbstractPolicy.java Fri Jun 29 13:01:32 2012
@@ -0,0 +1,249 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.river.api.security;
+
+import java.lang.ref.WeakReference;
+import java.security.AllPermission;
+import java.security.Guard;
+import java.security.Permission;
+import java.security.PermissionCollection;
+import java.security.Policy;
+import java.security.ProtectionDomain;
+import java.security.UnresolvedPermission;
+import java.util.ArrayList;
+import java.util.Collection;
+import java.util.Comparator;
+import java.util.Enumeration;
+import java.util.Iterator;
+import java.util.LinkedList;
+import java.util.NavigableSet;
+import java.util.Set;
+import java.util.TreeSet;
+import net.jini.security.GrantPermission;
+import net.jini.security.policy.UmbrellaGrantPermission;
+import java.util.concurrent.ConcurrentHashMap;
+
+/**
+ * A common superclass with utility methods for policy providers.
+ *
+ * @author Peter Firmstone.
+ */
+public abstract class AbstractPolicy extends Policy {
+ protected final Permission umbrella = new UmbrellaGrantPermission();
+ protected final Permission ALL_PERMISSION = new AllPermission();
+ protected final Comparator<Permission> comparator = new PermissionComparator();
+
+ protected AbstractPolicy() {
+ }
+
+ /**
+ * This method checks that the PermissionGrant's are authorised to be
+ * granted by it's caller, if it Fails, it will throw a SecurityException
+ * or AccessControlException.
+ *
+ * The PermissionGrant should not be requested for it's Permissions
+ * again, since doing so would risk an escalation of privilege attack if the
+ * PermissionGrant implementation was mutable.
+ *
+ * @param grants
+ * @return map of checked grants.
+ */
+ protected final void checkCallerHasGrants(Collection<PermissionGrant> grants) throws SecurityException {
+ Iterator<PermissionGrant> grantsItr = grants.iterator();
+ while (grantsItr.hasNext()) {
+ PermissionGrant grant = grantsItr.next();
+ Collection<Permission> permCol = grant.getPermissions();
+ Permission[] perms = permCol.toArray(new Permission[permCol.size()]);
+ checkNullElements(perms);
+ Guard g = new GrantPermission(perms);
+ g.checkGuard(this);
+ }
+ }
+
+ /**
+ * Checks array for null elements
+ * @param array
+ * @throws NullPointerException
+ */
+ protected final void checkNullElements(Object[] array) throws NullPointerException {
+ int l = array.length;
+ for (int i = 0; i < l; i++) {
+ if (array[i] == null) {
+ throw new NullPointerException();
+ }
+ }
+ }
+
+ /**
+ * Creates an optimised PermissionCollection, firstly all permissions should
+ * be sorted using {@link PermissionComparator}, this ensures that any
+ * SocketPermission will be ordered to avoid reverse DNS calls if possible.
+ *
+ * Other parameters enable the underlying {@link ConcurrentHashMap}
+ * to be optimised, these parameters use identical names.
+ *
+ * @param permissions
+ * @param initialCapacity
+ * @param loadFactor
+ * @param concurrencyLevel
+ * @param unresolvedCapacity Capacity of Map used to store
+ * UnresolvedPermission instances
+ * @return
+ * @throws IllegalArgumentException if the initial capacity is
+ * negative or the load factor or concurrencyLevel are
+ * nonpositive.
+ */
+ protected final PermissionCollection convert(NavigableSet<Permission> permissions,
+ int initialCapacity,
+ float loadFactor,
+ int concurrencyLevel,
+ int unresolvedCapacity)
+ throws IllegalArgumentException {
+ PermissionCollection pc = new ConcurrentPermissions(initialCapacity, loadFactor, concurrencyLevel, unresolvedCapacity);
+ // The descending iterator is for SocketPermission.
+ Iterator<Permission> it = permissions.descendingIterator();
+ while (it.hasNext()) {
+ pc.add(it.next());
+ }
+ return pc;
+ }
+
+ /** River-26 Mark Brouwer suggested making UmbrellaPermission's expandable
+ * from Dynamic Grants.
+ * @param pc PermissionCollection containing UmbrellaPermission's to be
+ * expanded.
+ */
+ protected final void expandUmbrella(PermissionCollection pc) {
+ if (pc.implies(umbrella)) {
+ // Don't use Set, avoid calling equals and hashCode on SocketPermission.
+ Collection<Permission> perms = new ArrayList<Permission>(120);
+ Enumeration<Permission> e = pc.elements();
+ while (e.hasMoreElements()){
+ Permission p = e.nextElement();
+ // Avoid unintended granting of GrantPermission
+ // and recursive UmbrellaGrantPermission
+ if ( p instanceof GrantPermission ||
+ p instanceof UmbrellaGrantPermission){
+ continue;
+ }
+ perms.add(p);
+ }
+ pc.add(new GrantPermission(perms.toArray(new Permission[perms.size()])));
+ }
+ }
+
+ /** River-26 Mark Brouwer suggested making UmbrellaPermission's expandable
+ * from Dynamic Grants.
+ * @param perms Collection containing UmbrellaPermission's to be
+ * expanded. Note a Set will prevent duplicate GrantPermission objects,
+ * caveat emptor, a TreeSet using a PermissionComparator should
+ * be used to avoid calling equals on Permission objects with broken
+ * equals implementations like SocketPermission.
+ *
+ * A policy administrator would usually expect that an
+ * UmbrellaGrantPermission only grant Permissions for a specific
+ * Policy and not expanded to merged or aggregate policies, which
+ * may cause unforseen or unexpected Permission grants. For that reason
+ * this method removes UmbrellaGrantPermission.
+ *
+ * This expansion would probably be best performed in a PermissionGrant.
+ */
+// protected final void expandUmbrella(Set<Permission> perms){
+// if (perms.remove(umbrella)){
+// Collection<Permission> grantPerms = new ArrayList<Permission>(perms.size()-1);
+// Iterator<Permission> it = perms.iterator();
+// while (it.hasNext()){
+// Permission p = it.next();
+// if ( p instanceof GrantPermission ||
+// p instanceof UmbrellaGrantPermission){
+// continue;
+// }
+// grantPerms.add(p);
+// }
+// perms.addAll(grantPerms);
+// }
+// }
+
+ /**
+ * Adds Permission objects contained in PermissionGrant's to a NavigableSet
+ * that is sorted using a PermissionComparator.
+ *
+ * This method doesn't perform any checks on the conditions of the
+ * PermissionGrant's, it simply collects their Permission objects.
+ *
+ * @param grant array of PermissionGrants.
+ * @param permClass optionally only add Permission objects that use this
+ * class or UnresolvedPermission.
+ * @param stopIfAll if true returns immediately when AllPermission is
+ * found.
+ * @param setToAddPerms Permission objects extracted from grant will be
+ * added to this set.
+ */
+ protected final void processGrants(Collection<PermissionGrant> grant,
+ Class permClass,
+ boolean stopIfAll,
+ NavigableSet<Permission> setToAddPerms) {
+// if (grant == null) return;
+ Iterator<PermissionGrant> grants = grant.iterator();
+ if (permClass == null) {
+ while (grants.hasNext()) {
+ PermissionGrant g = grants.next();
+ if (stopIfAll && g.isPrivileged()) {
+ setToAddPerms.add(ALL_PERMISSION);
+ return;
+ }
+ Iterator<Permission> it = g.getPermissions().iterator();
+ while (it.hasNext()) {
+ Permission p = it.next();
+ setToAddPerms.add(p);
+ }
+ }
+ } else {
+ while (grants.hasNext()) {
+ PermissionGrant g = grants.next();
+ if (stopIfAll && g.isPrivileged()) {
+ setToAddPerms.add(ALL_PERMISSION);
+ return;
+ }
+ Iterator<Permission> it = g.getPermissions().iterator();
+ while (it.hasNext()) {
+ Permission p = it.next();
+ if (permClass.isInstance(p) || p instanceof UnresolvedPermission) {
+ setToAddPerms.add(p);
+ }
+ }
+ }
+ }
+ }
+
+ protected PermissionGrant extractGrantFromPolicy(Policy p, ProtectionDomain domain){
+ Collection<Permission> perms = new LinkedList<Permission>();
+ PermissionGrantBuilder pgb = PermissionGrantBuilder.newBuilder();
+ pgb.setDomain(new WeakReference<ProtectionDomain>(domain));
+ PermissionCollection pc = p.getPermissions(domain);
+ Enumeration<Permission> en = pc.elements();
+ while (en.hasMoreElements()){
+ perms.add(en.nextElement());
+ }
+ pgb.permissions(perms.toArray(new Permission[perms.size()]));
+ pgb.context(PermissionGrantBuilder.PROTECTIONDOMAIN);
+ return pgb.build();
+ }
+
+}
Propchange: river/jtsk/trunk/src/org/apache/river/api/security/AbstractPolicy.java
------------------------------------------------------------------------------
svn:eol-style = native
Modified: river/jtsk/trunk/src/org/apache/river/api/security/CachingSecurityManager.java
URL: http://svn.apache.org/viewvc/river/jtsk/trunk/src/org/apache/river/api/security/CachingSecurityManager.java?rev=1355351&r1=1355350&r2=1355351&view=diff
==============================================================================
--- river/jtsk/trunk/src/org/apache/river/api/security/CachingSecurityManager.java (original)
+++ river/jtsk/trunk/src/org/apache/river/api/security/CachingSecurityManager.java Fri Jun 29 13:01:32 2012
@@ -18,18 +18,9 @@
package org.apache.river.api.security;
-import java.security.Permission;
-import java.util.Set;
-
/**
- * The CachingSecurityManager is designed to enable the use of DelegatePermission
- * for Delegate Objects to encapsulate security sensitive objects using
- * Li Gong's method guard pattern.
- *
- * In this manner we can prevent references to security sensitive object's from
- * escaping.
- *
- * See "Inside Java 2 Platform Security" 2nd Edition, ISBN:0-201-78791-1, page 176.
+ * A CachingSecurityManager caches the result of check permission calls for
+ * AccessControlContexts.
*
* @author Peter Firmstone.
* @since 2.2.1
@@ -37,13 +28,9 @@ import java.util.Set;
public interface CachingSecurityManager {
/**
- * This method clears permissions from the checked cache, it should be
- * called after calling Policy.refresh();
- *
- * If the Set provided contains permissions, only those of the same
- * class will be removed from the checked cache.
- *
- * If the Set is null, the checked cache is cleared completely.
+ * Clears permissions from the checked cache, it must be
+ * called after calling Policy.refresh(); It is recommended that it
+ * be called by a Policy provider, rather than application code.
*
* @throws java.lang.InterruptedException
* @throws java.util.concurrent.ExecutionException
Modified: river/jtsk/trunk/src/org/apache/river/api/security/CombinerSecurityManager.java
URL: http://svn.apache.org/viewvc/river/jtsk/trunk/src/org/apache/river/api/security/CombinerSecurityManager.java?rev=1355351&r1=1355350&r2=1355351&view=diff
==============================================================================
--- river/jtsk/trunk/src/org/apache/river/api/security/CombinerSecurityManager.java (original)
+++ river/jtsk/trunk/src/org/apache/river/api/security/CombinerSecurityManager.java Fri Jun 29 13:01:32 2012
@@ -489,7 +489,7 @@ extends SecurityManager implements Cachi
/* Unfortunately we don't know exactly which domain has failed
* in fact, multiple domains may fail the permission check since
* they are executed concurrently, for that reason, we'll print
- * all failed domains on the stack.
+ * all domains on the stack.
*/
StringBuilder sb = new StringBuilder(800);
sb.append("DomainCombinerSecurityManager full stack: \n");
@@ -552,13 +552,7 @@ extends SecurityManager implements Cachi
* @return
*/
protected boolean checkPermission(ProtectionDomain pd, Permission p){
- boolean result = pd.implies(p);
- //TODO: Enable support for Delegates in a subclass.
-// if (!result && p instanceof DelegatePermission ){
-// Permission candidate = ((DelegatePermission)p).getPermission();
-// result = pd.implies(candidate);
-// }
- return result;
+ return pd.implies(p);
}
}
Modified: river/jtsk/trunk/src/org/apache/river/api/security/ConcurrentPermissions.java
URL: http://svn.apache.org/viewvc/river/jtsk/trunk/src/org/apache/river/api/security/ConcurrentPermissions.java?rev=1355351&r1=1355350&r2=1355351&view=diff
==============================================================================
--- river/jtsk/trunk/src/org/apache/river/api/security/ConcurrentPermissions.java (original)
+++ river/jtsk/trunk/src/org/apache/river/api/security/ConcurrentPermissions.java Fri Jun 29 13:01:32 2012
@@ -40,24 +40,24 @@ import java.util.concurrent.atomic.Atomi
/**
- * ConcurrentPermissions is a replacement for java.security.Permissions.
+ * ConcurrentPermissions is a drop in replacement for java.security.Permissions
*
- * This was originally intended to be used as a policy cache, it turns out
- * that a policy cache is not needed, due to the efficiency of package private
+ * ConcurrentPermissions was originally intended to be used as a policy cache, it turns out
+ * that a policy cache was not needed, due to the efficiency of package private
* URIGrant.implies(ProtectionDomain pd). Scalability is better without
* a policy cache because PermissionGrant's are immutable, have no mutable shared
- * state and are therefore not likely to causing cache misses.
+ * state and are therefore not likely to cause cache misses.
*
- * The only reason this class still exists is due to an unknown bug in
+ * The first reason this class exists is due to an unknown bug in
* java.security.Permissions not resolving
* permission com.sun.jini.phoenix.ExecOptionPermission "*";
* in UnresolvedPermission. This occurs in start tests using Phoenix and
- * defaultphoenix.policy in the qa suite.
+ * defaultphoenix.policy in the qa suite. The second reason is performance
+ * tuning for concurrency or to avoid unnecessary collection resizing,
+ * a method in AbstractPolicy is provided so external policy providers can
+ * take advantage, without this class being public.
*
- * This class may be removed in a future version of River, it is only public
- * because it is required by DynamicPolicyProvider and resides in this
- * package because it is also used by ConcurrentPolicyFile and requires access
- * to package private utility classes as well.
+ * This class may be removed in a future version of River.
*
* If there is heavy contention for one Permission class
* type, concurrency may suffer due to internal synchronization.
@@ -78,7 +78,7 @@ import java.util.concurrent.atomic.Atomi
* @since 2.2.1
* @serial permsMap
*/
-public final class ConcurrentPermissions extends PermissionCollection
+final class ConcurrentPermissions extends PermissionCollection
implements Serializable {
private static final long serialVersionUID=1L;
@@ -101,14 +101,14 @@ implements Serializable {
* a Permissions object instance to handle all UnresolvedPermissions.
*/
- public ConcurrentPermissions(){
+ ConcurrentPermissions(){
permsMap = new ConcurrentHashMap<Class<?>, PermissionCollection>();
// Bite the bullet, get the pain out of the way in the beginning!
unresolved = new PermissionPendingResolutionCollection();
allPermission = false;
}
- public ConcurrentPermissions(int initialCapacity, float loadFactor, int concurrencyLevel, int unresolvedClassCount){
+ ConcurrentPermissions(int initialCapacity, float loadFactor, int concurrencyLevel, int unresolvedClassCount){
permsMap = new ConcurrentHashMap<Class<?>, PermissionCollection>
(initialCapacity, loadFactor, concurrencyLevel);
// Bite the bullet, get the pain out of the way in the beginning!
Modified: river/jtsk/trunk/src/org/apache/river/api/security/ConcurrentPolicyFile.java
URL: http://svn.apache.org/viewvc/river/jtsk/trunk/src/org/apache/river/api/security/ConcurrentPolicyFile.java?rev=1355351&r1=1355350&r2=1355351&view=diff
==============================================================================
--- river/jtsk/trunk/src/org/apache/river/api/security/ConcurrentPolicyFile.java (original)
+++ river/jtsk/trunk/src/org/apache/river/api/security/ConcurrentPolicyFile.java Fri Jun 29 13:01:32 2012
@@ -27,6 +27,7 @@
package org.apache.river.api.security;
import java.io.File;
+import java.lang.ref.WeakReference;
import java.net.URL;
import java.security.AccessController;
import java.security.AllPermission;
@@ -43,17 +44,17 @@ import java.security.ProtectionDomain;
import java.security.SecurityPermission;
import java.security.UnresolvedPermission;
import java.util.ArrayList;
+import java.util.Arrays;
import java.util.Collection;
import java.util.Comparator;
import java.util.Enumeration;
import java.util.Iterator;
+import java.util.LinkedList;
import java.util.List;
import java.util.NavigableSet;
import java.util.Properties;
import java.util.TreeSet;
-import org.apache.river.api.security.PermissionComparator;
import net.jini.security.policy.PolicyInitializationException;
-import org.apache.river.api.security.PermissionGrant;
/**
@@ -162,7 +163,7 @@ import org.apache.river.api.security.Per
* @since 2.2.1
*/
-public class ConcurrentPolicyFile extends Policy implements ConcurrentPolicy {
+public class ConcurrentPolicyFile extends Policy implements ScalableNestedPolicy {
/**
* System property for dynamically added policy location.
@@ -441,25 +442,35 @@ public class ConcurrentPolicyFile extend
}
}
- public boolean isConcurrent() {
- return true;
- }
-
- public PermissionGrant[] getPermissionGrants(ProtectionDomain pd) {
+ public Collection<PermissionGrant> getPermissionGrants(ProtectionDomain pd) {
PermissionGrant [] grants = grantArray; // copy volatile reference target.
int l = grants.length;
- List<PermissionGrant> applicable = new ArrayList<PermissionGrant>(l); // Always too large, never too small.
+ List<PermissionGrant> applicable = new LinkedList<PermissionGrant>();
for (int i =0; i < l; i++){
if (grants[i].implies(pd)){
applicable.add(grants[i]);
}
}
- return applicable.toArray(new PermissionGrant[applicable.size()]);
+ // Merge any static permissions.
+ PermissionCollection pc = pd != null ? pd.getPermissions() : null;
+ if (pc != null){
+ PermissionGrantBuilder pgb = PermissionGrantBuilder.newBuilder();
+ pgb.setDomain(new WeakReference<ProtectionDomain>(pd));
+ pgb.context(PermissionGrantBuilder.PROTECTIONDOMAIN);
+ Collection<Permission> perms = new LinkedList<Permission>();
+ Enumeration<Permission> en = pc.elements();
+ while (en.hasMoreElements()){
+ perms.add(en.nextElement());
+ }
+ pgb.permissions(perms.toArray(new Permission[perms.size()]));
+ applicable.add(pgb.build());
+ }
+ return applicable;
}
- public PermissionGrant[] getPermissionGrants() {
- PermissionGrant [] grants = grantArray; // copy volatile reference target.
- return grants.clone();
- }
+// public Collection<PermissionGrant> getPermissionGrants(boolean recursive) {
+// PermissionGrant [] grants = grantArray; // copy volatile reference target.
+// return new LinkedList<PermissionGrant>(Arrays.asList(grants));
+// }
}
Modified: river/jtsk/trunk/src/org/apache/river/api/security/DefaultPolicyParser.java
URL: http://svn.apache.org/viewvc/river/jtsk/trunk/src/org/apache/river/api/security/DefaultPolicyParser.java?rev=1355351&r1=1355350&r2=1355351&view=diff
==============================================================================
--- river/jtsk/trunk/src/org/apache/river/api/security/DefaultPolicyParser.java (original)
+++ river/jtsk/trunk/src/org/apache/river/api/security/DefaultPolicyParser.java Fri Jun 29 13:01:32 2012
@@ -84,7 +84,7 @@ class DefaultPolicyParser implements Pol
* {@link org.apache.river.imp.security.policy.util.DefaultPolicyScanner DefaultPolicyScanner}
* is used.
*/
- public DefaultPolicyParser() {
+ DefaultPolicyParser() {
scanner = new DefaultPolicyScanner();
}
@@ -182,7 +182,7 @@ class DefaultPolicyParser implements Pol
* @see DefaultPolicyScanner.PermissionEntry
* @see org.apache.river.imp.security.policy.util.PolicyUtils
*/
- protected PermissionGrant resolveGrant(DefaultPolicyScanner.GrantEntry ge,
+ PermissionGrant resolveGrant(DefaultPolicyScanner.GrantEntry ge,
KeyStore ks, Properties system, boolean resolve) throws Exception {
if ( ge == null ) return null;
/*
@@ -308,7 +308,7 @@ class DefaultPolicyParser implements Pol
* or to get a Certificate,
* or to newBuilder an instance of a successfully found class
*/
- protected Permission resolvePermission(
+ Permission resolvePermission(
DefaultPolicyScanner.PermissionEntry pe,
DefaultPolicyScanner.GrantEntry ge, KeyStore ks, Properties system,
boolean resolve) throws Exception {
@@ -355,7 +355,7 @@ class DefaultPolicyParser implements Pol
/**
* Combined setter of all required fields.
*/
- public PermissionExpander(DefaultPolicyScanner.GrantEntry ge,
+ PermissionExpander(DefaultPolicyScanner.GrantEntry ge,
KeyStore ks) {
this.ge = ge;
this.ks = ks;
Modified: river/jtsk/trunk/src/org/apache/river/api/security/DefaultPolicyScanner.java
URL: http://svn.apache.org/viewvc/river/jtsk/trunk/src/org/apache/river/api/security/DefaultPolicyScanner.java?rev=1355351&r1=1355350&r2=1355351&view=diff
==============================================================================
--- river/jtsk/trunk/src/org/apache/river/api/security/DefaultPolicyScanner.java (original)
+++ river/jtsk/trunk/src/org/apache/river/api/security/DefaultPolicyScanner.java Fri Jun 29 13:01:32 2012
@@ -25,6 +25,7 @@ package org.apache.river.api.security;
import java.io.IOException;
import java.io.Reader;
import java.io.StreamTokenizer;
+import java.io.StringReader;
import java.util.ArrayList;
import java.util.Collection;
import java.util.HashSet;
@@ -95,12 +96,12 @@ class DefaultPolicyScanner {
/**
* Configures passed tokenizer accordingly to supported syntax.
*/
- protected StreamTokenizer configure(StreamTokenizer st) {
+ StreamTokenizer configure(StreamTokenizer st) {
st.slashSlashComments(true);
st.slashStarComments(true);
- st.wordChars('_', '_');
- st.wordChars('$', '$');
- return st;
+ st.wordChars('_', '_');
+ st.wordChars('$', '$');
+ return st;
}
/**
@@ -120,7 +121,7 @@ class DefaultPolicyScanner {
* @throws InvalidFormatException
* if unexpected or unknown token encountered
*/
- public void scanStream(Reader r, Collection<GrantEntry> grantEntries,
+ void scanStream(Reader r, Collection<GrantEntry> grantEntries,
List<KeystoreEntry> keystoreEntries) throws IOException,
InvalidFormatException {
StreamTokenizer st = configure(new StreamTokenizer(r));
@@ -165,7 +166,7 @@ class DefaultPolicyScanner {
* @throws InvalidFormatException
* if unexpected or unknown token encountered
*/
- protected KeystoreEntry readKeystoreEntry(StreamTokenizer st)
+ KeystoreEntry readKeystoreEntry(StreamTokenizer st)
throws IOException, InvalidFormatException {
String url = null, type = null;
if (st.nextToken() == '"') {
@@ -205,7 +206,7 @@ class DefaultPolicyScanner {
* @throws InvalidFormatException
* if unexpected or unknown token encountered
*/
- protected GrantEntry readGrantEntry(StreamTokenizer st) throws IOException,
+ GrantEntry readGrantEntry(StreamTokenizer st) throws IOException,
InvalidFormatException {
String signer = null, codebase = null;
Collection<PrincipalEntry> principals = new ArrayList<PrincipalEntry>();
@@ -268,7 +269,7 @@ class DefaultPolicyScanner {
* @throws InvalidFormatException
* if unexpected or unknown token encountered
*/
- protected PrincipalEntry readPrincipalEntry(StreamTokenizer st)
+ PrincipalEntry readPrincipalEntry(StreamTokenizer st)
throws IOException, InvalidFormatException {
String classname = null, name = null;
if (st.nextToken() == StreamTokenizer.TT_WORD) {
@@ -308,7 +309,7 @@ class DefaultPolicyScanner {
* @throws InvalidFormatException
* if unexpected or unknown token encountered
*/
- protected Collection<PermissionEntry> readPermissionEntries(
+ Collection<PermissionEntry> readPermissionEntries(
StreamTokenizer st) throws IOException, InvalidFormatException {
Collection<PermissionEntry> permissions = new HashSet<PermissionEntry>();
parsing: while (true) {
@@ -365,12 +366,12 @@ class DefaultPolicyScanner {
return permissions;
}
-
+
/**
* Formats a detailed description of tokenizer status: current token,
* current line number, etc.
*/
- protected String composeStatus(StreamTokenizer st) {
+ String composeStatus(StreamTokenizer st) {
return st.toString();
}
@@ -384,7 +385,7 @@ class DefaultPolicyScanner {
* Should not be <code>null</code>- use the overloaded
* single-parameter method instead.
*/
- protected final void handleUnexpectedToken(StreamTokenizer st,
+ final void handleUnexpectedToken(StreamTokenizer st,
String message) throws InvalidFormatException {
throw new InvalidFormatException(Messages.getString("security.8F", //$NON-NLS-1$
composeStatus(st), message));
@@ -397,7 +398,7 @@ class DefaultPolicyScanner {
* @param st
* a tokenizer holding the erroneous token
*/
- protected final void handleUnexpectedToken(StreamTokenizer st)
+ final void handleUnexpectedToken(StreamTokenizer st)
throws InvalidFormatException {
throw new InvalidFormatException(Messages.getString("security.90", //$NON-NLS-1$
composeStatus(st)));
@@ -417,7 +418,7 @@ class DefaultPolicyScanner {
* @see org.apache.river.imp.security.policy.util.DefaultPolicyParser
* @see org.apache.river.imp.security.policy.util.DefaultPolicyScanner
*/
- public static class KeystoreEntry {
+ static class KeystoreEntry {
/**
* The URL part of keystore clause.
@@ -448,14 +449,14 @@ class DefaultPolicyScanner {
/**
* @return the url
*/
- public String getUrl() {
+ String getUrl() {
return url;
}
/**
* @return the type
*/
- public String getType() {
+ String getType() {
return type;
}
}
@@ -467,7 +468,7 @@ class DefaultPolicyScanner {
* @see org.apache.river.imp.security.policy.util.DefaultPolicyParser
* @see org.apache.river.imp.security.policy.util.DefaultPolicyScanner
*/
- public static class GrantEntry {
+ static class GrantEntry {
/**
* The signers part of grant clause. This is a comma-separated list of
@@ -513,14 +514,14 @@ class DefaultPolicyScanner {
/**
* @return the signers
*/
- public String getSigners() {
+ String getSigners() {
return signers;
}
/**
* @return the codebase
*/
- public String getCodebase(Properties system) {
+ String getCodebase(Properties system) {
if (system == null) return codebase;
try {
return PolicyUtils.expand(codebase, system);
@@ -534,14 +535,14 @@ class DefaultPolicyScanner {
/**
* @return the principals
*/
- public Collection<PrincipalEntry> getPrincipals(Properties system) {
+ Collection<PrincipalEntry> getPrincipals(Properties system) {
return principals;
}
/**
* @return the permissions
*/
- public Collection<PermissionEntry> getPermissions() {
+ Collection<PermissionEntry> getPermissions() {
return permissions;
}
@@ -555,7 +556,7 @@ class DefaultPolicyScanner {
* @see org.apache.river.imp.security.policy.util.DefaultPolicyParser
* @see org.apache.river.imp.security.policy.util.DefaultPolicyScanner
*/
- public static class PrincipalEntry {
+ static class PrincipalEntry {
/**
* Wildcard value denotes any class and/or any name.
@@ -593,14 +594,14 @@ class DefaultPolicyScanner {
/**
* @return the klass
*/
- public String getKlass() {
+ String getKlass() {
return klass;
}
/**
* @return the name
*/
- public String getName() {
+ String getName() {
return name;
}
}
@@ -613,7 +614,7 @@ class DefaultPolicyScanner {
* @see org.apache.river.imp.security.policy.util.DefaultPolicyParser
* @see org.apache.river.imp.security.policy.util.DefaultPolicyScanner
*/
- public static class PermissionEntry {
+ static class PermissionEntry {
/**
* The classname part of permission clause.
@@ -662,28 +663,28 @@ class DefaultPolicyScanner {
/**
* @return the klass
*/
- public String getKlass() {
+ String getKlass() {
return klass;
}
/**
* @return the name
*/
- public String getName() {
+ String getName() {
return name;
}
/**
* @return the actions
*/
- public String getActions() {
+ String getActions() {
return actions;
}
/**
* @return the signers
*/
- public String getSigners() {
+ String getSigners() {
return signers;
}
}