net.jini.security.policy

Class DynamicPolicyProvider

java.lang.Object

java.security.Policy

net.jini.security.policy.DynamicPolicyProvider

All Implemented Interfaces:

DynamicPolicy

public class DynamicPolicyProvider
extends Policy
implements DynamicPolicy

Security policy provider that supports dynamic granting of permissions at run-time. This provider is designed as a wrapper to layer dynamic grant functionality on top of an underlying policy provider. If the underlying provider does not implement the DynamicPolicy interface, then its permission mappings are assumed to change only when its refresh method is called. Permissions are granted on the granularity of class loader; granting a permission requires (of the calling context) GrantPermission for that permission.

Since:

2.0

Author:

Sun Microsystems, Inc.

Nested Class Summary

Nested classes/interfaces inherited from class java.security.Policy

Policy.Parameters

Field Summary

Fields inherited from class java.security.Policy

UNSUPPORTED_EMPTY_COLLECTION

Constructor Summary

Constructors

Constructor and Description
DynamicPolicyProvider() Creates a new DynamicPolicyProvider instance that wraps a default underlying policy.
DynamicPolicyProvider(Policy basePolicy) Creates a new DynamicPolicyProvider instance that wraps around the given non-null base policy object.

Method Summary

Modifier and Type	Method and Description
Permission[]	getGrants(Class cl, Principal[] principals) If this security policy provider supports dynamic permission grants, returns a new array containing the cumulative set of permissions dynamically granted to protection domains (including ones not yet created) that are associated with the class loader of the given class and possess at least the given set of principals.
PermissionCollection	getPermissions(CodeSource source) Behaves as specified by Policy.getPermissions(CodeSource).
PermissionCollection	getPermissions(ProtectionDomain domain) Behaves as specified by Policy.getPermissions(ProtectionDomain).
void	grant(Class cl, Principal[] principals, Permission[] permissions) If this security policy provider supports dynamic permission grants, grants the specified permissions to all protection domains (including ones not yet created) that are associated with the class loader of the given class and possess at least the given set of principals.
boolean	grantSupported() Returns true if this policy provider supports dynamic permission grants; returns false otherwise.
boolean	implies(ProtectionDomain domain, Permission permission) Behaves as specified by Policy.implies(java.security.ProtectionDomain, java.security.Permission).
void	refresh() Behaves as specified by Policy.refresh().

Methods inherited from class java.security.Policy

getInstance, getInstance, getInstance, getParameters, getPolicy, getProvider, getType, setPolicy

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Detail

DynamicPolicyProvider

public DynamicPolicyProvider()
                      throws PolicyInitializationException

Creates a new DynamicPolicyProvider instance that wraps a default underlying policy. The underlying policy is created as follows: if the net.jini.security.policy.DynamicPolicyProvider.basePolicyClass security property is set, then its value is interpreted as the class name of the base (underlying) policy provider; otherwise, a default class name of "net.jini.security.policy.PolicyFileProvider" is used. The base policy is then instantiated using the no-arg public constructor of the named class. If the base policy class is not found, is not instantiable via a public no-arg constructor, or if invocation of its constructor fails, then a PolicyInitializationException is thrown.

Note that this constructor requires the appropriate "getProperty" SecurityPermission to read the net.jini.security.policy.DynamicPolicyProvider.basePolicyClass security property, and may require "accessClassInPackage.*" RuntimePermissions, depending on the package of the base policy class.

Throws:

PolicyInitializationException - if unable to construct the base policy

SecurityException - if there is a security manager and the calling context does not have adequate permissions to read the net.jini.security.policy.DynamicPolicyProvider.basePolicyClass security property, or if the calling context does not have adequate permissions to access the base policy class

DynamicPolicyProvider

public DynamicPolicyProvider(Policy basePolicy)

Creates a new DynamicPolicyProvider instance that wraps around the given non-null base policy object.

Parameters:

basePolicy - base policy object containing information about non-dynamic grants

Throws:

NullPointerException - if basePolicy is null

Method Detail

getPermissions

public PermissionCollection getPermissions(CodeSource source)

Behaves as specified by Policy.getPermissions(CodeSource).

Overrides:

getPermissions in class Policy

getPermissions

public PermissionCollection getPermissions(ProtectionDomain domain)

Behaves as specified by Policy.getPermissions(ProtectionDomain).

Overrides:

getPermissions in class Policy

implies

public boolean implies(ProtectionDomain domain,
                       Permission permission)

Behaves as specified by Policy.implies(java.security.ProtectionDomain, java.security.Permission).

Overrides:

implies in class Policy

refresh

public void refresh()

Behaves as specified by Policy.refresh().

Overrides:

refresh in class Policy

grantSupported

public boolean grantSupported()

Description copied from interface: DynamicPolicy

Returns true if this policy provider supports dynamic permission grants; returns false otherwise. Note that this method may return different values for a given DynamicPolicy instance, depending on context. For example, a policy provider that delegates to different underlying policy implementations depending on thread state would return true from this method when the current delegate supports dynamic permission grants, but return false when another delegate lacking such support is in effect.

Specified by:

grantSupported in interface DynamicPolicy

Returns:

true if policy supports dynamic permission grants under current context, false otherwise

grant

public void grant(Class cl,
                  Principal[] principals,
                  Permission[] permissions)

Description copied from interface: DynamicPolicy

If this security policy provider supports dynamic permission grants, grants the specified permissions to all protection domains (including ones not yet created) that are associated with the class loader of the given class and possess at least the given set of principals. If the given class is null, then the grant applies across all protection domains that possess at least the specified principals. If the list of principals is null or empty, then principals are effectively ignored in determining the protection domains to which the grant applies. If this policy provider does not support dynamic permission grants, then no permissions are granted and an UnsupportedOperationException is thrown.

The given class, if non-null, must belong to either the system domain or a protection domain whose associated class loader is non-null. If the class does not belong to such a protection domain, then no permissions are granted and an UnsupportedOperationException is thrown.

If a security manager is installed, its checkPermission method is called with a GrantPermission containing the permissions to grant; if the permission check fails, then no permissions are granted and the resulting SecurityException is thrown. The principals and permissions arrays passed in are neither modified nor retained; subsequent changes to the arrays have no effect on the grant operation.

Specified by:

grant in interface DynamicPolicy

Parameters:

cl - class to grant permissions to the class loader of, or null if granting across all class loaders

principals - if non-null, minimum set of principals to which grants apply

permissions - if non-null, permissions to grant

getGrants

public Permission[] getGrants(Class cl,
                              Principal[] principals)

Description copied from interface: DynamicPolicy

If this security policy provider supports dynamic permission grants, returns a new array containing the cumulative set of permissions dynamically granted to protection domains (including ones not yet created) that are associated with the class loader of the given class and possess at least the given set of principals. If the given class is null, then this method returns the cumulative set of permissions dynamically granted across all protection domains that possess at least the specified principals (i.e., through calls to the grant method where the specified class was null). If the list of principals is null or empty, then the permissions returned reflect only grants not qualified by principals (i.e., those performed through calls to the grant method where the specified principals array was null or empty). If this policy provider does not support dynamic permission grants, then an UnsupportedOperationException is thrown.

The given class, if non-null, must belong to either the system domain or a protection domain whose associated class loader is non-null. If the class does not belong to such a protection domain, then an UnsupportedOperationException is thrown.

Specified by:

getGrants in interface DynamicPolicy

Parameters:

cl - class to query the permissions dynamically granted to the class loader of, or null if querying permissions granted across all class loaders

principals - if non-null, principals to query dynamic grants for

Returns:

new array containing the permissions dynamically granted to the indicated class loader (if any) and principals