diff --git a/src/share/classes/java/net/HttpURLConnection.java b/src/share/classes/java/net/HttpURLConnection.java index d52c26789faa4bd8763f992f248cadb8e661d846..193b9cef1c1d89b7c867e9de913b5d49b631feba 100644 --- a/src/share/classes/java/net/HttpURLConnection.java +++ b/src/share/classes/java/net/HttpURLConnection.java @@ -50,6 +50,18 @@ import java.util.Date; * Proxy settings as well as * various other settings. *
+ *+ * Security permissions + *
+ * If a security manager is installed, and if a method is called which results in an + * attempt to open a connection, the caller must possess either:- + *
+ * If automatic redirection is enabled, and this request is redirected to another + * destination, then the caller must also have permission to connect to the + * redirected host/URL. * * @see java.net.HttpURLConnection#disconnect() * @since JDK1.1 diff --git a/src/share/classes/java/net/HttpURLPermission.java b/src/share/classes/java/net/HttpURLPermission.java new file mode 100644 index 0000000000000000000000000000000000000000..52d6e79344a776ad15b70a0b738e3ba29dd266c3 --- /dev/null +++ b/src/share/classes/java/net/HttpURLPermission.java @@ -0,0 +1,406 @@ +/* + * Copyright (c) 2013, Oracle and/or its affiliates. All rights reserved. + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. + * + * This code is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License version 2 only, as + * published by the Free Software Foundation. Oracle designates this + * particular file as subject to the "Classpath" exception as provided + * by Oracle in the LICENSE file that accompanied this code. + * + * This code is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or + * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * version 2 for more details (a copy is included in the LICENSE file that + * accompanied this code). + * + * You should have received a copy of the GNU General Public License version + * 2 along with this work; if not, write to the Free Software Foundation, + * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. + * + * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA + * or visit www.oracle.com if you need additional information or have any + * questions. + */ + +package java.net; + +import java.io.ObjectInputStream; +import java.io.IOException; +import java.util.List; +import java.util.ArrayList; +import java.util.Collections; +import java.security.Permission; + +/** + * Represents permission to access a resource or set of resources defined by a + * given http or https url, and for a given set of user-settable request methods + * and request headers. The name of the permission is the url string. + * The actions string is a concatenation of the request methods and headers. + * The range of method and header names is not restricted by this class. + *
The url
+ * The url string is also used to instantiate a {@link URI} object which is + * used for comparison with other HttpURLPermission instances. Therefore, any + * references in this specification to url, mean this URI object. + * The path component of the url comprises a sequence of path segments, separated + * by '/' characters. The path is specified in a similar way to the path + * in {@link java.io.FilePermission}. There are three different ways + * as the following examples show: + *
Example url | Description |
---|---|
http://www.oracle.com/a/b/c.html | + *A url which identifies a specific (single) resource | + *
http://www.oracle.com/a/b/* | + *The '*' character refers to all resources in the same "directory" - in + * other words all resources with the same number of path components, and + * which only differ in the final path component, represented by the '*'. + * | + *
http://www.oracle.com/a/b/- + * | The '-' character refers to all resources recursively below the + * preceding path (eg. http://www.oracle.com/a/b/c/d/e.html matches this + * example). + * | + *
+ * The '*' and '-' may only be specified in the final segment of a path and must be + * the only character in that segment. Any query or fragment components of the + * url are ignored when constructing HttpURLPermissions. + *
+ * As a special case, urls of the form, "http:*" or "https:*" are accepted to + * mean any url of the given scheme. + *
The actions string
+ * The actions string of a HttpURLPermission is a concatenation of the method list + * and the request headers list. These are lists of the permitted HTTP request + * methods and permitted request headers of the permission (respectively). The two lists + * are separated by a colon ':' character and elements of each list are comma separated. + * Some examples are: + *
+ * "POST,GET,DELETE" + * "GET:X-Foo-Request,X-Bar-Request" + * "POST,GET:Header1,Header2" + *+ * The first example specifies the methods: POST, GET and DELETE, but no request headers. + * The second example specifies one request method and two headers. The third + * example specifies two request methods, and two headers. + *
+ * The colon separator need not be present if the request headers list is empty. + * No white-space is permitted in the actions string. The action strings supplied to + * the HttpURLPermission constructors are case-insensitive and are normalized by converting + * method names to upper-case and header names to the form defines in RFC2616 (lower case + * with initial letter of each word capitalized). Either list can contain a wild-card '*' + * character which signifies all request methods or headers respectively. + *
+ * Note. Depending on the context of use, some request methods and headers may be permitted
+ * at all times, and others may not be permitted at any time. For example, the
+ * HTTP protocol handler might disallow certain headers such as Content-Length
+ * from being set by application code, regardless of whether the security policy
+ * in force, permits it.
+ *
+ * @since 1.8
+ */
+public final class HttpURLPermission extends Permission {
+
+ private static final long serialVersionUID = -2702463814894478682L;
+
+ private transient URI uri;
+ private transient List
+ * where method-names is the list of methods separated by commas
+ * and header-names is the list of permitted headers separated by commas.
+ * There is no white space in the returned String. If header-names is empty
+ * then the colon separator will not be present.
+ */
+ public String getActions() {
+ return actions;
+ }
+
+ /**
+ * Checks if this HttpURLPermission implies the given permission.
+ * Specifically, the following checks are done as if in the
+ * following sequence:
+ *
+ * Some examples of how paths are matched are shown below:
+ *
+ *
+ * "method-names : header-names"
+ *
+ *
+ *
+ *
+ */
+ public boolean implies(Permission p) {
+ if (! (p instanceof HttpURLPermission)) {
+ return false;
+ }
+
+ HttpURLPermission that = (HttpURLPermission)p;
+
+ if (!this.methods.get(0).equals("*") &&
+ Collections.indexOfSubList(this.methods, that.methods) == -1) {
+ return false;
+ }
+
+ if (this.requestHeaders.isEmpty() && !that.requestHeaders.isEmpty()) {
+ return false;
+ }
+
+ if (!this.requestHeaders.isEmpty() &&
+ !this.requestHeaders.get(0).equals("*") &&
+ Collections.indexOfSubList(this.requestHeaders,
+ that.requestHeaders) == -1) {
+ return false;
+ }
+
+ if (this.uri.equals(that.uri)) {
+ return true;
+ }
+
+ if (!this.uri.getScheme().equals(that.uri.getScheme())) {
+ return false;
+ }
+
+ if (this.uri.getSchemeSpecificPart().equals("*")) {
+ return true;
+ }
+
+ String thisAuthority = this.uri.getAuthority();
+
+ if (thisAuthority != null &&
+ !thisAuthority.equals(that.uri.getAuthority())) {
+ return false;
+ }
+
+ String thispath = this.uri.getPath();
+ String thatpath = that.uri.getPath();
+
+ if (thispath.endsWith("/-")) {
+ String thisprefix = thispath.substring(0, thispath.length() - 1);
+ return thatpath.startsWith(thisprefix);
+ }
+
+ if (thispath.endsWith("/*")) {
+ String thisprefix = thispath.substring(0, thispath.length() - 1);
+ if (!thatpath.startsWith(thisprefix)) {
+ return false;
+ }
+ String thatsuffix = thatpath.substring(thisprefix.length());
+ // suffix must not contain '/' chars
+ if (thatsuffix.indexOf('/') != -1) {
+ return false;
+ }
+ if (thatsuffix.equals("-")) {
+ return false;
+ }
+ return true;
+ }
+ return false;
+ }
+
+
+ /**
+ * Returns true if, this.getActions().equals(p.getActions())
+ * and p's url equals this's url. Returns false otherwise.
+ */
+ public boolean equals(Object p) {
+ if (!(p instanceof HttpURLPermission)) {
+ return false;
+ }
+ HttpURLPermission that = (HttpURLPermission)p;
+ return this.getActions().equals(that.getActions()) &&
+ this.uri.equals(that.uri);
+ }
+
+ /**
+ * Returns a hashcode calculated from the hashcode of the
+ * actions String and the url
+ */
+ public int hashCode() {
+ return getActions().hashCode() + uri.hashCode();
+ }
+
+
+ private List
+ * this's path p's path match
+ * /a/b /a/b yes
+ * /a/b/* /a/b/c yes
+ * /a/b/* /a/b/c/d no
+ * /a/b/- /a/b/c/d yes
+ * /a/b/- /a/b/c/d/e yes
+ * /a/b/- /a/b/c/* yes
+ * /a/b/* /a/b/c/- no