diff --git a/src/share/classes/java/security/Principal.java b/src/share/classes/java/security/Principal.java
index fb29acaa1ba71f5f99bdb9e93e0b59c97a4a7948..48938cfdd0716498338bc1d9cda3e191018b417f 100644
--- a/src/share/classes/java/security/Principal.java
+++ b/src/share/classes/java/security/Principal.java
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 1996, 1998, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1996, 2012, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -25,6 +25,8 @@
package java.security;
+import javax.security.auth.Subject;
+
/**
* This interface represents the abstract notion of a principal, which
* can be used to represent any entity, such as an individual, a
@@ -45,7 +47,6 @@ public interface Principal {
*
* @return true if the principal passed in is the same as that
* encapsulated by this principal, and false otherwise.
-
*/
public boolean equals(Object another);
@@ -69,4 +70,24 @@ public interface Principal {
* @return the name of this principal.
*/
public String getName();
+
+ /**
+ * Returns true if the specified subject is implied by this principal.
+ *
+ *
The default implementation of this method returns true if
+ * {@code subject} is non-null and contains at least one principal that
+ * is equal to this principal.
+ *
+ *
Subclasses may override this with a different implementation, if
+ * necessary.
+ *
+ * @return true if {@code subject} is non-null and is
+ * implied by this principal, or false otherwise.
+ * @since 1.8
+ */
+ public default boolean implies(Subject subject) {
+ if (subject == null)
+ return false;
+ return subject.getPrincipals().contains(this);
+ }
}
diff --git a/src/share/classes/sun/security/provider/PolicyFile.java b/src/share/classes/sun/security/provider/PolicyFile.java
index 74e18c36ea8b5e893b0227fbc870d7eee6cbd243..5ea389b51e9dbc30b3ea550462f2080b1dfb3e21 100644
--- a/src/share/classes/sun/security/provider/PolicyFile.java
+++ b/src/share/classes/sun/security/provider/PolicyFile.java
@@ -31,13 +31,7 @@ import java.net.MalformedURLException;
import java.net.URL;
import java.net.URI;
import java.util.*;
-import java.util.Enumeration;
-import java.util.List;
-import java.util.StringTokenizer;
-import java.util.ArrayList;
-import java.util.ListIterator;
import java.text.MessageFormat;
-import com.sun.security.auth.PrincipalComparator;
import java.security.*;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
@@ -46,19 +40,7 @@ import javax.security.auth.x500.X500Principal;
import java.io.FilePermission;
import java.net.SocketPermission;
import java.net.NetPermission;
-import java.util.PropertyPermission;
import java.util.concurrent.atomic.AtomicReference;
-/*
-import javax.security.auth.AuthPermission;
-import javax.security.auth.kerberos.ServicePermission;
-import javax.security.auth.kerberos.DelegationPermission;
-import java.io.SerializablePermission;
-import java.util.logging.LoggingPermission;
-import java.sql.SQLPermission;
-import java.lang.reflect.ReflectPermission;
-import javax.sound.sampled.AudioPermission;
-import javax.net.ssl.SSLPermission;
-*/
import sun.misc.JavaSecurityProtectionDomainAccess;
import static sun.misc.JavaSecurityProtectionDomainAccess.ProtectionDomainCache;
import sun.misc.SharedSecrets;
@@ -794,12 +776,9 @@ public class PolicyFile extends java.security.Policy {
debug.println("Adding policy entry: ");
debug.println(" signedBy " + ge.signedBy);
debug.println(" codeBase " + ge.codeBase);
- if (ge.principals != null && ge.principals.size() > 0) {
- ListIterator li =
- ge.principals.listIterator();
- while (li.hasNext()) {
- PolicyParser.PrincipalEntry pppe = li.next();
- debug.println(" " + pppe.toString());
+ if (ge.principals != null) {
+ for (PolicyParser.PrincipalEntry pppe : ge.principals) {
+ debug.println(" " + pppe.toString());
}
}
}
@@ -955,11 +934,15 @@ public class PolicyFile extends java.security.Policy {
InvocationTargetException
{
//XXX we might want to keep a hash of created factories...
- Class> pc = Class.forName(type);
+ Class> pc = Class.forName(type, false, null);
Permission answer = getKnownInstance(pc, name, actions);
if (answer != null) {
return answer;
}
+ if (!Permission.class.isAssignableFrom(pc)) {
+ // not the right subtype
+ throw new ClassCastException(type + " is not a Permission");
+ }
if (name == null && actions == null) {
try {
@@ -1001,7 +984,6 @@ public class PolicyFile extends java.security.Policy {
*/
private static final Permission getKnownInstance(Class> claz,
String name, String actions) {
- // XXX shorten list to most popular ones?
if (claz.equals(FilePermission.class)) {
return new FilePermission(name, actions);
} else if (claz.equals(SocketPermission.class)) {
@@ -1014,30 +996,6 @@ public class PolicyFile extends java.security.Policy {
return new NetPermission(name, actions);
} else if (claz.equals(AllPermission.class)) {
return SecurityConstants.ALL_PERMISSION;
-/*
- } else if (claz.equals(ReflectPermission.class)) {
- return new ReflectPermission(name, actions);
- } else if (claz.equals(SecurityPermission.class)) {
- return new SecurityPermission(name, actions);
- } else if (claz.equals(PrivateCredentialPermission.class)) {
- return new PrivateCredentialPermission(name, actions);
- } else if (claz.equals(AuthPermission.class)) {
- return new AuthPermission(name, actions);
- } else if (claz.equals(ServicePermission.class)) {
- return new ServicePermission(name, actions);
- } else if (claz.equals(DelegationPermission.class)) {
- return new DelegationPermission(name, actions);
- } else if (claz.equals(SerializablePermission.class)) {
- return new SerializablePermission(name, actions);
- } else if (claz.equals(AudioPermission.class)) {
- return new AudioPermission(name, actions);
- } else if (claz.equals(SSLPermission.class)) {
- return new SSLPermission(name, actions);
- } else if (claz.equals(LoggingPermission.class)) {
- return new LoggingPermission(name, actions);
- } else if (claz.equals(SQLPermission.class)) {
- return new SQLPermission(name, actions);
-*/
} else {
return null;
}
@@ -1079,7 +1037,7 @@ public class PolicyFile extends java.security.Policy {
if (cert != null) {
if (vcerts == null)
- vcerts = new ArrayList();
+ vcerts = new ArrayList<>();
vcerts.add(cert);
}
}
@@ -1329,7 +1287,7 @@ public class PolicyFile extends java.security.Policy {
List entryPs = entry.getPrincipals();
if (debug != null) {
- ArrayList accPs = new ArrayList<>();
+ List accPs = new ArrayList<>();
if (principals != null) {
for (int i = 0; i < principals.length; i++) {
accPs.add(new PolicyParser.PrincipalEntry
@@ -1368,79 +1326,72 @@ public class PolicyFile extends java.security.Policy {
// has principals. see if policy entry principals match
// principals in current ACC
- for (int i = 0; i < entryPs.size(); i++) {
- PolicyParser.PrincipalEntry pppe = entryPs.get(i);
-
- // see if principal entry is a PrincipalComparator
-
- try {
- Class> pClass = Class.forName
- (pppe.principalClass,
- true,
- Thread.currentThread().getContextClassLoader());
-
- if (!PrincipalComparator.class.isAssignableFrom(pClass)) {
-
- // common case - dealing with regular Principal class.
- // see if policy entry principal is in current ACC
+ for (PolicyParser.PrincipalEntry pppe : entryPs) {
- if (!checkEntryPs(principals, pppe)) {
- if (debug != null) {
- debug.println("evaluation (principals) failed");
- }
+ // Check for wildcards
+ if (pppe.isWildcardClass()) {
+ // a wildcard class matches all principals in current ACC
+ continue;
+ }
- // policy entry principal not in current ACC -
- // immediately return and go to next policy entry
- return;
+ if (pppe.isWildcardName()) {
+ // a wildcard name matches any principal with the same class
+ for (Principal p : principals) {
+ if (pppe.principalClass.equals(p.getClass().getName())) {
+ continue;
}
+ }
+ if (debug != null) {
+ debug.println("evaluation (principal name wildcard) failed");
+ }
+ // policy entry principal not in current ACC -
+ // immediately return and go to next policy entry
+ return;
+ }
- } else {
+ Set pSet = new HashSet<>(Arrays.asList(principals));
+ Subject subject = new Subject(true, pSet,
+ Collections.EMPTY_SET,
+ Collections.EMPTY_SET);
+ try {
+ ClassLoader cl = Thread.currentThread().getContextClassLoader();
+ Class> pClass = Class.forName(pppe.principalClass, false, cl);
+ if (!Principal.class.isAssignableFrom(pClass)) {
+ // not the right subtype
+ throw new ClassCastException(pppe.principalClass +
+ " is not a Principal");
+ }
- // dealing with a PrincipalComparator
+ Constructor> c = pClass.getConstructor(PARAMS1);
+ Principal p = (Principal)c.newInstance(new Object[] {
+ pppe.principalName });
- Constructor> c = pClass.getConstructor(PARAMS1);
- PrincipalComparator pc = (PrincipalComparator)c.newInstance
- (new Object[] { pppe.principalName });
+ if (debug != null) {
+ debug.println("found Principal " + p.getClass().getName());
+ }
+ // check if the Principal implies the current
+ // thread's principals
+ if (!p.implies(subject)) {
if (debug != null) {
- debug.println("found PrincipalComparator " +
- pc.getClass().getName());
+ debug.println("evaluation (principal implies) failed");
}
- // check if the PrincipalComparator
- // implies the current thread's principals
-
- Set pSet = new HashSet<>(principals.length);
- for (int j = 0; j < principals.length; j++) {
- pSet.add(principals[j]);
- }
- Subject subject = new Subject(true,
- pSet,
- Collections.EMPTY_SET,
- Collections.EMPTY_SET);
-
- if (!pc.implies(subject)) {
- if (debug != null) {
- debug.println
- ("evaluation (principal comparator) failed");
- }
-
- // policy principal does not imply the current Subject -
- // immediately return and go to next policy entry
- return;
- }
+ // policy principal does not imply the current Subject -
+ // immediately return and go to next policy entry
+ return;
}
} catch (Exception e) {
- // fall back to regular principal comparison.
+ // fall back to default principal comparison.
// see if policy entry principal is in current ACC
if (debug != null) {
e.printStackTrace();
}
- if (!checkEntryPs(principals, pppe)) {
+ if (!pppe.implies(subject)) {
if (debug != null) {
- debug.println("evaluation (principals) failed");
+ debug.println("evaluation (default principal implies) failed");
}
// policy entry principal not in current ACC -
@@ -1450,7 +1401,7 @@ public class PolicyFile extends java.security.Policy {
}
// either the principal information matched,
- // or the PrincipalComparator.implies succeeded.
+ // or the Principal.implies succeeded.
// continue loop and test the next policy principal
}
@@ -1484,47 +1435,6 @@ public class PolicyFile extends java.security.Policy {
}
}
- /**
- * This method returns, true, if the principal in the policy entry,
- * pppe, is part of the current thread's principal array, pList.
- * This method also returns, true, if the policy entry's principal
- * is appropriately wildcarded.
- *
- * Note that the provided pppe argument may have
- * wildcards (*) for both the Principal class and name.
- *
- * @param pList an array of principals from the current thread's
- * AccessControlContext.
- *
- * @param pppe a Principal specified in a policy grant entry.
- *
- * @return true if the current thread's pList "contains" the
- * principal in the policy entry, pppe. This method
- * also returns true if the policy entry's principal
- * appropriately wildcarded.
- */
- private boolean checkEntryPs(Principal[] pList,
- PolicyParser.PrincipalEntry pppe) {
-
- for (int i = 0; i < pList.length; i++) {
-
- if (pppe.principalClass.equals
- (PolicyParser.PrincipalEntry.WILDCARD_CLASS) ||
- pppe.principalClass.equals
- (pList[i].getClass().getName())) {
-
- if (pppe.principalName.equals
- (PolicyParser.PrincipalEntry.WILDCARD_NAME) ||
- pppe.principalName.equals
- (pList[i].getName())) {
-
- return true;
- }
- }
- }
- return false;
- }
-
/**
*
*
@@ -1568,8 +1478,7 @@ public class PolicyFile extends java.security.Policy {
sb.append(sp.getSelfName().substring(startIndex, v));
// expand SELF
- ListIterator pli =
- entryPs.listIterator();
+ Iterator pli = entryPs.iterator();
while (pli.hasNext()) {
PolicyParser.PrincipalEntry pppe = pli.next();
String[][] principalInfo = getPrincipalInfo(pppe,pdp);
@@ -1596,8 +1505,8 @@ public class PolicyFile extends java.security.Policy {
try {
// first try to instantiate the permission
perms.add(getInstance(sp.getSelfType(),
- sb.toString(),
- sp.getSelfActions()));
+ sb.toString(),
+ sp.getSelfActions()));
} catch (ClassNotFoundException cnfe) {
// ok, the permission is not in the bootclasspath.
// before we add an UnresolvedPermission, check to see
@@ -1673,10 +1582,7 @@ public class PolicyFile extends java.security.Policy {
// 2) the entry's Principal name is wildcarded only
// 3) the entry's Principal class and name are wildcarded
- if (!pe.principalClass.equals
- (PolicyParser.PrincipalEntry.WILDCARD_CLASS) &&
- !pe.principalName.equals
- (PolicyParser.PrincipalEntry.WILDCARD_NAME)) {
+ if (!pe.isWildcardClass() && !pe.isWildcardName()) {
// build an info array for the principal
// from the Policy entry
@@ -1685,24 +1591,19 @@ public class PolicyFile extends java.security.Policy {
info[0][1] = pe.principalName;
return info;
- } else if (!pe.principalClass.equals
- (PolicyParser.PrincipalEntry.WILDCARD_CLASS) &&
- pe.principalName.equals
- (PolicyParser.PrincipalEntry.WILDCARD_NAME)) {
+ } else if (!pe.isWildcardClass() && pe.isWildcardName()) {
// build an info array for every principal
// in the current domain which has a principal class
// that is equal to policy entry principal class name
List plist = new ArrayList<>();
for (int i = 0; i < pdp.length; i++) {
- if(pe.principalClass.equals(pdp[i].getClass().getName()))
+ if (pe.principalClass.equals(pdp[i].getClass().getName()))
plist.add(pdp[i]);
}
String[][] info = new String[plist.size()][2];
int i = 0;
- java.util.Iterator pIterator = plist.iterator();
- while (pIterator.hasNext()) {
- Principal p = pIterator.next();
+ for (Principal p : plist) {
info[i][0] = p.getClass().getName();
info[i][1] = p.getName();
i++;
@@ -1763,7 +1664,7 @@ public class PolicyFile extends java.security.Policy {
// Done
return certs;
- ArrayList userCertList = new ArrayList<>();
+ List userCertList = new ArrayList<>();
i = 0;
while (i < certs.length) {
userCertList.add(certs[i]);
@@ -1889,10 +1790,8 @@ public class PolicyFile extends java.security.Policy {
if (principals == null || principals.isEmpty() || keystore == null)
return true;
- ListIterator i = principals.listIterator();
- while (i.hasNext()) {
- PolicyParser.PrincipalEntry pppe = i.next();
- if (pppe.principalClass.equals(PolicyParser.REPLACE_NAME)) {
+ for (PolicyParser.PrincipalEntry pppe : principals) {
+ if (pppe.isReplaceName()) {
// perform replacement
// (only X509 replacement is possible now)
@@ -2241,8 +2140,7 @@ public class PolicyFile extends java.security.Policy {
if (this.certs == null) {
// extract the signer certs
- ArrayList signerCerts =
- new ArrayList<>();
+ List signerCerts = new ArrayList<>();
i = 0;
while (i < certs.length) {
signerCerts.add(certs[i]);
@@ -2406,11 +2304,10 @@ public class PolicyFile extends java.security.Policy {
private java.util.Random random;
PolicyInfo(int numCaches) {
- policyEntries = new ArrayList();
+ policyEntries = new ArrayList<>();
identityPolicyEntries =
Collections.synchronizedList(new ArrayList(2));
- aliasMapping = Collections.synchronizedMap(
- new HashMap