1 /* SecurityManager.java -- security checks for privileged actions
2 Copyright (C) 1998, 1999, 2001, 2002, 2005 Free Software Foundation, Inc.
4 This file is part of GNU Classpath.
6 GNU Classpath is free software; you can redistribute it and/or modify
7 it under the terms of the GNU General Public License as published by
8 the Free Software Foundation; either version 2, or (at your option)
11 GNU Classpath is distributed in the hope that it will be useful, but
12 WITHOUT ANY WARRANTY; without even the implied warranty of
13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
14 General Public License for more details.
16 You should have received a copy of the GNU General Public License
17 along with GNU Classpath; see the file COPYING. If not, write to the
18 Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
21 Linking this library statically or dynamically with other modules is
22 making a combined work based on this library. Thus, the terms and
23 conditions of the GNU General Public License cover the whole
26 As a special exception, the copyright holders of this library give you
27 permission to link this library with independent modules to produce an
28 executable, regardless of the license terms of these independent
29 modules, and to copy and distribute the resulting executable under
30 terms of your choice, provided that you also meet, for each linked
31 independent module, the terms and conditions of the license of that
32 module. An independent module is a module which is not derived from
33 or based on this library. If you modify this library, you may extend
34 this exception to your version of the library, but you are not
35 obligated to do so. If you do not wish to do so, delete this
36 exception statement from your version. */
41 import gnu.classpath.VMStackWalker;
43 import java.awt.AWTPermission;
45 import java.io.FileDescriptor;
46 import java.io.FilePermission;
47 import java.lang.reflect.Member;
48 import java.net.InetAddress;
49 import java.net.SocketPermission;
50 import java.security.AccessControlContext;
51 import java.security.AccessController;
52 import java.security.AllPermission;
53 import java.security.Permission;
54 import java.security.PrivilegedAction;
55 import java.security.Security;
56 import java.security.SecurityPermission;
57 import java.util.PropertyPermission;
58 import java.util.StringTokenizer;
61 * SecurityManager is a class you can extend to create your own Java
62 * security policy. By default, there is no SecurityManager installed in
63 * 1.1, which means that all things are permitted to all people. The security
64 * manager, if set, is consulted before doing anything with potentially
65 * dangerous results, and throws a <code>SecurityException</code> if the
66 * action is forbidden.
68 * <p>A typical check is as follows, just before the dangerous operation:<br>
70 * SecurityManager sm = System.getSecurityManager();
72 * sm.checkABC(<em>argument</em>, ...);
74 * Note that this is thread-safe, by caching the security manager in a local
75 * variable rather than risking a NullPointerException if the mangager is
76 * changed between the check for null and before the permission check.
78 * <p>The special method <code>checkPermission</code> is a catchall, and
79 * the default implementation calls
80 * <code>AccessController.checkPermission</code>. In fact, all the other
81 * methods default to calling checkPermission.
83 * <p>Sometimes, the security check needs to happen from a different context,
84 * such as when called from a worker thread. In such cases, use
85 * <code>getSecurityContext</code> to take a snapshot that can be passed
86 * to the worker thread:<br>
88 * Object context = null;
89 * SecurityManager sm = System.getSecurityManager();
91 * context = sm.getSecurityContext(); // defaults to an AccessControlContext
92 * // now, in worker thread
94 * sm.checkPermission(permission, context);
97 * <p>Permissions fall into these categories: File, Socket, Net, Security,
98 * Runtime, Property, AWT, Reflect, and Serializable. Each of these
99 * permissions have a property naming convention, that follows a hierarchical
100 * naming convention, to make it easy to grant or deny several permissions
101 * at once. Some permissions also take a list of permitted actions, such
102 * as "read" or "write", to fine-tune control even more. The permission
103 * <code>java.security.AllPermission</code> grants all permissions.
105 * <p>The default methods in this class deny all things to all people. You
106 * must explicitly grant permission for anything you want to be legal when
107 * subclassing this class.
109 * @author John Keiser
110 * @author Eric Blake (ebb9@email.byu.edu)
112 * @see SecurityException
113 * @see #checkTopLevelWindow(Object)
114 * @see System#getSecurityManager()
115 * @see System#setSecurityManager(SecurityManager)
116 * @see AccessController
117 * @see AccessControlContext
118 * @see AccessControlException
120 * @see BasicPermission
121 * @see java.io.FilePermission
122 * @see java.net.SocketPermission
123 * @see java.util.PropertyPermission
124 * @see RuntimePermission
125 * @see java.awt.AWTPermission
127 * @see SecurityPermission
128 * @see ProtectionDomain
130 * @status still missing 1.4 functionality
132 public class SecurityManager
135 * The current security manager. This is located here instead of in
136 * System, to avoid security problems, as well as bootstrap issues.
137 * Make sure to access it in a thread-safe manner; it is package visible
138 * to avoid overhead in java.lang.
140 static volatile SecurityManager current;
143 * Tells whether or not the SecurityManager is currently performing a
145 * @deprecated Use {@link #checkPermission(Permission)} instead.
147 protected boolean inCheck;
150 * Construct a new security manager. There may be a security check, of
151 * <code>RuntimePermission("createSecurityManager")</code>.
153 * @throws SecurityException if permission is denied
155 public SecurityManager()
157 SecurityManager sm = System.getSecurityManager();
159 sm.checkPermission(new RuntimePermission("createSecurityManager"));
163 * Tells whether or not the SecurityManager is currently performing a
166 * @return true if the SecurityManager is in a security check
168 * @deprecated use {@link #checkPermission(Permission)} instead
170 public boolean getInCheck()
176 * Get a list of all the classes currently executing methods on the Java
177 * stack. getClassContext()[0] is the currently executing method (ie. the
178 * class that CALLED getClassContext, not SecurityManager).
180 * @return an array of classes on the Java execution stack
182 protected Class[] getClassContext()
184 Class[] stack1 = VMStackWalker.getClassContext();
185 Class[] stack2 = new Class[stack1.length - 1];
186 System.arraycopy(stack1, 1, stack2, 0, stack1.length - 1);
191 * Find the ClassLoader of the first non-system class on the execution
192 * stack. A non-system class is one whose ClassLoader is not equal to
193 * {@link ClassLoader#getSystemClassLoader()} or its ancestors. This
194 * will return null in three cases:
197 * <li>All methods on the stack are from system classes</li>
198 * <li>All methods on the stack up to the first "privileged" caller, as
199 * created by {@link AccessController.doPrivileged(PrivilegedAction)},
200 * are from system classes</li>
201 * <li>A check of <code>java.security.AllPermission</code> succeeds.</li>
204 * @return the most recent non-system ClassLoader on the execution stack
205 * @deprecated use {@link #checkPermission(Permission)} instead
207 protected ClassLoader currentClassLoader()
209 Class cl = currentLoadedClass();
210 return cl != null ? cl.getClassLoader() : null;
214 * Find the first non-system class on the execution stack. A non-system
215 * class is one whose ClassLoader is not equal to
216 * {@link ClassLoader#getSystemClassLoader()} or its ancestors. This
217 * will return null in three cases:
220 * <li>All methods on the stack are from system classes</li>
221 * <li>All methods on the stack up to the first "privileged" caller, as
222 * created by {@link AccessController.doPrivileged(PrivilegedAction)},
223 * are from system classes</li>
224 * <li>A check of <code>java.security.AllPermission</code> succeeds.</li>
227 * @return the most recent non-system Class on the execution stack
228 * @deprecated use {@link #checkPermission(Permission)} instead
230 protected Class currentLoadedClass()
232 int i = classLoaderDepth();
233 return i >= 0 ? getClassContext()[i] : null;
237 * Get the depth of a particular class on the execution stack.
239 * @param className the fully-qualified name to search for
240 * @return the index of the class on the stack, or -1
241 * @deprecated use {@link #checkPermission(Permission)} instead
243 protected int classDepth(String className)
245 Class[] c = getClassContext();
246 for (int i = 0; i < c.length; i++)
247 if (className.equals(c[i].getName()))
253 * Get the depth on the execution stack of the most recent non-system class.
254 * A non-system class is one whose ClassLoader is not equal to
255 * {@link ClassLoader#getSystemClassLoader()} or its ancestors. This
256 * will return -1 in three cases:
259 * <li>All methods on the stack are from system classes</li>
260 * <li>All methods on the stack up to the first "privileged" caller, as
261 * created by {@link AccessController.doPrivileged(PrivilegedAction)},
262 * are from system classes</li>
263 * <li>A check of <code>java.security.AllPermission</code> succeeds.</li>
266 * @return the index of the most recent non-system Class on the stack
267 * @deprecated use {@link #checkPermission(Permission)} instead
269 protected int classLoaderDepth()
273 checkPermission(new AllPermission());
275 catch (SecurityException e)
277 Class[] c = getClassContext();
278 for (int i = 0; i < c.length; i++)
279 if (c[i].getClassLoader() != null)
280 // XXX Check if c[i] is AccessController, or a system class.
287 * Tell whether the specified class is on the execution stack.
289 * @param className the fully-qualified name of the class to find
290 * @return whether the specified class is on the execution stack
291 * @deprecated use {@link #checkPermission(Permission)} instead
293 protected boolean inClass(String className)
295 return classDepth(className) != -1;
299 * Tell whether there is a class loaded with an explicit ClassLoader on
302 * @return whether a class with an explicit ClassLoader is on the stack
303 * @deprecated use {@link #checkPermission(Permission)} instead
305 protected boolean inClassLoader()
307 return classLoaderDepth() != -1;
311 * Get an implementation-dependent Object that contains enough information
312 * about the current environment to be able to perform standard security
313 * checks later. This is used by trusted methods that need to verify that
314 * their callers have sufficient access to perform certain operations.
316 * <p>Currently the only methods that use this are checkRead() and
317 * checkConnect(). The default implementation returns an
318 * <code>AccessControlContext</code>.
320 * @return a security context
321 * @see #checkConnect(String, int, Object)
322 * @see #checkRead(String, Object)
323 * @see AccessControlContext
324 * @see AccessController#getContext()
326 public Object getSecurityContext()
328 return AccessController.getContext();
332 * Check if the current thread is allowed to perform an operation that
333 * requires the specified <code>Permission</code>. This defaults to
334 * <code>AccessController.checkPermission</code>.
336 * @param perm the <code>Permission</code> required
337 * @throws SecurityException if permission is denied
338 * @throws NullPointerException if perm is null
341 public void checkPermission(Permission perm)
343 AccessController.checkPermission(perm);
347 * Check if the current thread is allowed to perform an operation that
348 * requires the specified <code>Permission</code>. This is done in a
349 * context previously returned by <code>getSecurityContext()</code>. The
350 * default implementation expects context to be an AccessControlContext,
351 * and it calls <code>AccessControlContext.checkPermission(perm)</code>.
353 * @param perm the <code>Permission</code> required
354 * @param context a security context
355 * @throws SecurityException if permission is denied, or if context is
356 * not an AccessControlContext
357 * @throws NullPointerException if perm is null
358 * @see #getSecurityContext()
359 * @see AccessControlContext#checkPermission(Permission)
362 public void checkPermission(Permission perm, Object context)
364 if (! (context instanceof AccessControlContext))
365 throw new SecurityException("Missing context");
366 ((AccessControlContext) context).checkPermission(perm);
370 * Check if the current thread is allowed to create a ClassLoader. This
371 * method is called from ClassLoader.ClassLoader(), and checks
372 * <code>RuntimePermission("createClassLoader")</code>. If you override
373 * this, you should call <code>super.checkCreateClassLoader()</code> rather
374 * than throwing an exception.
376 * @throws SecurityException if permission is denied
377 * @see ClassLoader#ClassLoader()
379 public void checkCreateClassLoader()
381 checkPermission(new RuntimePermission("createClassLoader"));
385 * Check if the current thread is allowed to modify another Thread. This is
386 * called by Thread.stop(), suspend(), resume(), interrupt(), destroy(),
387 * setPriority(), setName(), and setDaemon(). The default implementation
388 * checks <code>RuntimePermission("modifyThread")</code> on system threads
389 * (ie. threads in ThreadGroup with a null parent), and returns silently on
392 * <p>If you override this, you must do two things. First, call
393 * <code>super.checkAccess(t)</code>, to make sure you are not relaxing
394 * requirements. Second, if the calling thread has
395 * <code>RuntimePermission("modifyThread")</code>, return silently, so that
396 * core classes (the Classpath library!) can modify any thread.
398 * @param thread the other Thread to check
399 * @throws SecurityException if permission is denied
400 * @throws NullPointerException if thread is null
402 * @see Thread#suspend()
403 * @see Thread#resume()
404 * @see Thread#setPriority(int)
405 * @see Thread#setName(String)
406 * @see Thread#setDaemon(boolean)
408 public void checkAccess(Thread thread)
410 if (thread.getThreadGroup() != null
411 && thread.getThreadGroup().getParent() != null)
412 checkPermission(new RuntimePermission("modifyThread"));
416 * Check if the current thread is allowed to modify a ThreadGroup. This is
417 * called by Thread.Thread() (to add a thread to the ThreadGroup),
418 * ThreadGroup.ThreadGroup() (to add this ThreadGroup to a parent),
419 * ThreadGroup.stop(), suspend(), resume(), interrupt(), destroy(),
420 * setDaemon(), and setMaxPriority(). The default implementation
421 * checks <code>RuntimePermission("modifyThread")</code> on the system group
422 * (ie. the one with a null parent), and returns silently on other groups.
424 * <p>If you override this, you must do two things. First, call
425 * <code>super.checkAccess(t)</code>, to make sure you are not relaxing
426 * requirements. Second, if the calling thread has
427 * <code>RuntimePermission("modifyThreadGroup")</code>, return silently,
428 * so that core classes (the Classpath library!) can modify any thread.
430 * @param g the ThreadGroup to check
431 * @throws SecurityException if permission is denied
432 * @throws NullPointerException if g is null
433 * @see Thread#Thread()
434 * @see ThreadGroup#ThreadGroup()
435 * @see ThreadGroup#stop()
436 * @see ThreadGroup#suspend()
437 * @see ThreadGroup#resume()
438 * @see ThreadGroup#interrupt()
439 * @see ThreadGroup#setDaemon(boolean)
440 * @see ThreadGroup#setMaxPriority(int)
442 public void checkAccess(ThreadGroup g)
444 if (g.getParent() != null)
445 checkPermission(new RuntimePermission("modifyThreadGroup"));
449 * Check if the current thread is allowed to exit the JVM with the given
450 * status. This method is called from Runtime.exit() and Runtime.halt().
451 * The default implementation checks
452 * <code>RuntimePermission("exitVM")</code>. If you override this, call
453 * <code>super.checkExit</code> rather than throwing an exception.
455 * @param status the status to exit with
456 * @throws SecurityException if permission is denied
457 * @see Runtime#exit(int)
458 * @see Runtime#halt(int)
460 public void checkExit(int status)
462 checkPermission(new RuntimePermission("exitVM"));
466 * Check if the current thread is allowed to execute the given program. This
467 * method is called from Runtime.exec(). If the name is an absolute path,
468 * the default implementation checks
469 * <code>FilePermission(program, "execute")</code>, otherwise it checks
470 * <code>FilePermission("<<ALL FILES>>", "execute")</code>. If
471 * you override this, call <code>super.checkExec</code> rather than
472 * throwing an exception.
474 * @param program the name of the program to exec
475 * @throws SecurityException if permission is denied
476 * @throws NullPointerException if program is null
477 * @see Runtime#exec(String[], String[], File)
479 public void checkExec(String program)
481 if (! program.equals(new File(program).getAbsolutePath()))
482 program = "<<ALL FILES>>";
483 checkPermission(new FilePermission(program, "execute"));
487 * Check if the current thread is allowed to link in the given native
488 * library. This method is called from Runtime.load() (and hence, by
489 * loadLibrary() as well). The default implementation checks
490 * <code>RuntimePermission("loadLibrary." + filename)</code>. If you
491 * override this, call <code>super.checkLink</code> rather than throwing
494 * @param filename the full name of the library to load
495 * @throws SecurityException if permission is denied
496 * @throws NullPointerException if filename is null
497 * @see Runtime#load(String)
499 public void checkLink(String filename)
501 // Use the toString() hack to do the null check.
502 checkPermission(new RuntimePermission("loadLibrary."
503 + filename.toString()));
507 * Check if the current thread is allowed to read the given file using the
508 * FileDescriptor. This method is called from
509 * FileInputStream.FileInputStream(). The default implementation checks
510 * <code>RuntimePermission("readFileDescriptor")</code>. If you override
511 * this, call <code>super.checkRead</code> rather than throwing an
514 * @param desc the FileDescriptor representing the file to access
515 * @throws SecurityException if permission is denied
516 * @throws NullPointerException if desc is null
517 * @see FileInputStream#FileInputStream(FileDescriptor)
519 public void checkRead(FileDescriptor desc)
522 throw new NullPointerException();
523 checkPermission(new RuntimePermission("readFileDescriptor"));
527 * Check if the current thread is allowed to read the given file. This
528 * method is called from FileInputStream.FileInputStream(),
529 * RandomAccessFile.RandomAccessFile(), File.exists(), canRead(), isFile(),
530 * isDirectory(), lastModified(), length() and list(). The default
531 * implementation checks <code>FilePermission(filename, "read")</code>. If
532 * you override this, call <code>super.checkRead</code> rather than
533 * throwing an exception.
535 * @param filename the full name of the file to access
536 * @throws SecurityException if permission is denied
537 * @throws NullPointerException if filename is null
539 * @see FileInputStream#FileInputStream(String)
540 * @see RandomAccessFile#RandomAccessFile(String)
542 public void checkRead(String filename)
544 checkPermission(new FilePermission(filename, "read"));
548 * Check if the current thread is allowed to read the given file. using the
549 * given security context. The context must be a result of a previous call
550 * to <code>getSecurityContext()</code>. The default implementation checks
551 * <code>AccessControlContext.checkPermission(new FilePermission(filename,
552 * "read"))</code>. If you override this, call <code>super.checkRead</code>
553 * rather than throwing an exception.
555 * @param filename the full name of the file to access
556 * @param context the context to determine access for
557 * @throws SecurityException if permission is denied, or if context is
558 * not an AccessControlContext
559 * @throws NullPointerException if filename is null
560 * @see #getSecurityContext()
561 * @see AccessControlContext#checkPermission(Permission)
563 public void checkRead(String filename, Object context)
565 if (! (context instanceof AccessControlContext))
566 throw new SecurityException("Missing context");
567 AccessControlContext ac = (AccessControlContext) context;
568 ac.checkPermission(new FilePermission(filename, "read"));
572 * Check if the current thread is allowed to write the given file using the
573 * FileDescriptor. This method is called from
574 * FileOutputStream.FileOutputStream(). The default implementation checks
575 * <code>RuntimePermission("writeFileDescriptor")</code>. If you override
576 * this, call <code>super.checkWrite</code> rather than throwing an
579 * @param desc the FileDescriptor representing the file to access
580 * @throws SecurityException if permission is denied
581 * @throws NullPointerException if desc is null
582 * @see FileOutputStream#FileOutputStream(FileDescriptor)
584 public void checkWrite(FileDescriptor desc)
587 throw new NullPointerException();
588 checkPermission(new RuntimePermission("writeFileDescriptor"));
592 * Check if the current thread is allowed to write the given file. This
593 * method is called from FileOutputStream.FileOutputStream(),
594 * RandomAccessFile.RandomAccessFile(), File.canWrite(), mkdir(), and
595 * renameTo(). The default implementation checks
596 * <code>FilePermission(filename, "write")</code>. If you override this,
597 * call <code>super.checkWrite</code> rather than throwing an exception.
599 * @param filename the full name of the file to access
600 * @throws SecurityException if permission is denied
601 * @throws NullPointerException if filename is null
603 * @see File#canWrite()
605 * @see File#renameTo()
606 * @see FileOutputStream#FileOutputStream(String)
607 * @see RandomAccessFile#RandomAccessFile(String)
609 public void checkWrite(String filename)
611 checkPermission(new FilePermission(filename, "write"));
615 * Check if the current thread is allowed to delete the given file. This
616 * method is called from File.delete(). The default implementation checks
617 * <code>FilePermission(filename, "delete")</code>. If you override this,
618 * call <code>super.checkDelete</code> rather than throwing an exception.
620 * @param filename the full name of the file to delete
621 * @throws SecurityException if permission is denied
622 * @throws NullPointerException if filename is null
625 public void checkDelete(String filename)
627 checkPermission(new FilePermission(filename, "delete"));
631 * Check if the current thread is allowed to connect to a given host on a
632 * given port. This method is called from Socket.Socket(). A port number
633 * of -1 indicates the caller is attempting to determine an IP address, so
634 * the default implementation checks
635 * <code>SocketPermission(host, "resolve")</code>. Otherwise, the default
636 * implementation checks
637 * <code>SocketPermission(host + ":" + port, "connect")</code>. If you
638 * override this, call <code>super.checkConnect</code> rather than throwing
641 * @param host the host to connect to
642 * @param port the port to connect on
643 * @throws SecurityException if permission is denied
644 * @throws NullPointerException if host is null
645 * @see Socket#Socket()
647 public void checkConnect(String host, int port)
650 checkPermission(new SocketPermission(host, "resolve"));
652 // Use the toString() hack to do the null check.
653 checkPermission(new SocketPermission(host.toString() + ":" + port,
658 * Check if the current thread is allowed to connect to a given host on a
659 * given port, using the given security context. The context must be a
660 * result of a previous call to <code>getSecurityContext</code>. A port
661 * number of -1 indicates the caller is attempting to determine an IP
662 * address, so the default implementation checks
663 * <code>AccessControlContext.checkPermission(new SocketPermission(host,
664 * "resolve"))</code>. Otherwise, the default implementation checks
665 * <code>AccessControlContext.checkPermission(new SocketPermission(host
666 * + ":" + port, "connect"))</code>. If you override this, call
667 * <code>super.checkConnect</code> rather than throwing an exception.
669 * @param host the host to connect to
670 * @param port the port to connect on
671 * @param context the context to determine access for
673 * @throws SecurityException if permission is denied, or if context is
674 * not an AccessControlContext
675 * @throws NullPointerException if host is null
677 * @see #getSecurityContext()
678 * @see AccessControlContext#checkPermission(Permission)
680 public void checkConnect(String host, int port, Object context)
682 if (! (context instanceof AccessControlContext))
683 throw new SecurityException("Missing context");
684 AccessControlContext ac = (AccessControlContext) context;
686 ac.checkPermission(new SocketPermission(host, "resolve"));
688 // Use the toString() hack to do the null check.
689 ac.checkPermission(new SocketPermission(host.toString() + ":" + port,
694 * Check if the current thread is allowed to listen to a specific port for
695 * data. This method is called by ServerSocket.ServerSocket(). The default
696 * implementation checks
697 * <code>SocketPermission("localhost:" + (port == 0 ? "1024-" : "" + port),
698 * "listen")</code>. If you override this, call
699 * <code>super.checkListen</code> rather than throwing an exception.
701 * @param port the port to listen on
702 * @throws SecurityException if permission is denied
703 * @see ServerSocket#ServerSocket(int)
705 public void checkListen(int port)
707 checkPermission(new SocketPermission("localhost:"
708 + (port == 0 ? "1024-" : "" +port),
713 * Check if the current thread is allowed to accept a connection from a
714 * particular host on a particular port. This method is called by
715 * ServerSocket.implAccept(). The default implementation checks
716 * <code>SocketPermission(host + ":" + port, "accept")</code>. If you
717 * override this, call <code>super.checkAccept</code> rather than throwing
720 * @param host the host which wishes to connect
721 * @param port the port the connection will be on
722 * @throws SecurityException if permission is denied
723 * @throws NullPointerException if host is null
724 * @see ServerSocket#accept()
726 public void checkAccept(String host, int port)
728 // Use the toString() hack to do the null check.
729 checkPermission(new SocketPermission(host.toString() + ":" + port,
734 * Check if the current thread is allowed to read and write multicast to
735 * a particular address. The default implementation checks
736 * <code>SocketPermission(addr.getHostAddress(), "accept,connect")</code>.
737 * If you override this, call <code>super.checkMulticast</code> rather than
738 * throwing an exception.
740 * @param addr the address to multicast to
741 * @throws SecurityException if permission is denied
742 * @throws NullPointerException if host is null
745 public void checkMulticast(InetAddress addr)
747 checkPermission(new SocketPermission(addr.getHostAddress(),
752 *Check if the current thread is allowed to read and write multicast to
753 * a particular address with a particular ttl (time-to-live) value. The
754 * default implementation ignores ttl, and checks
755 * <code>SocketPermission(addr.getHostAddress(), "accept,connect")</code>.
756 * If you override this, call <code>super.checkMulticast</code> rather than
757 * throwing an exception.
759 * @param addr the address to multicast to
760 * @param ttl value in use for multicast send
761 * @throws SecurityException if permission is denied
762 * @throws NullPointerException if host is null
764 * @deprecated use {@link #checkPermission(Permission)} instead
766 public void checkMulticast(InetAddress addr, byte ttl)
768 checkPermission(new SocketPermission(addr.getHostAddress(),
773 * Check if the current thread is allowed to read or write all the system
774 * properties at once. This method is called by System.getProperties()
775 * and setProperties(). The default implementation checks
776 * <code>PropertyPermission("*", "read,write")</code>. If you override
777 * this, call <code>super.checkPropertiesAccess</code> rather than
778 * throwing an exception.
780 * @throws SecurityException if permission is denied
781 * @see System#getProperties()
782 * @see System#setProperties(Properties)
784 public void checkPropertiesAccess()
786 checkPermission(new PropertyPermission("*", "read,write"));
790 * Check if the current thread is allowed to read a particular system
791 * property (writes are checked directly via checkPermission). This method
792 * is called by System.getProperty() and setProperty(). The default
793 * implementation checks <code>PropertyPermission(key, "read")</code>. If
794 * you override this, call <code>super.checkPropertyAccess</code> rather
795 * than throwing an exception.
797 * @param key the key of the property to check
799 * @throws SecurityException if permission is denied
800 * @throws NullPointerException if key is null
801 * @throws IllegalArgumentException if key is ""
803 * @see System#getProperty(String)
805 public void checkPropertyAccess(String key)
807 checkPermission(new PropertyPermission(key, "read"));
811 * Check if the current thread is allowed to create a top-level window. If
812 * it is not, the operation should still go through, but some sort of
813 * nonremovable warning should be placed on the window to show that it
814 * is untrusted. This method is called by Window.Window(). The default
815 * implementation checks
816 * <code>AWTPermission("showWindowWithoutWarningBanner")</code>, and returns
817 * true if no exception was thrown. If you override this, use
818 * <code>return super.checkTopLevelWindow</code> rather than returning
821 * @param window the window to create
822 * @return true if there is permission to show the window without warning
823 * @throws NullPointerException if window is null
824 * @see Window#Window(Frame)
826 public boolean checkTopLevelWindow(Object window)
829 throw new NullPointerException();
832 checkPermission(new AWTPermission("showWindowWithoutWarningBanner"));
835 catch (SecurityException e)
842 * Check if the current thread is allowed to create a print job. This
843 * method is called by Toolkit.getPrintJob(). The default implementation
844 * checks <code>RuntimePermission("queuePrintJob")</code>. If you override
845 * this, call <code>super.checkPrintJobAccess</code> rather than throwing
848 * @throws SecurityException if permission is denied
849 * @see Toolkit#getPrintJob(Frame, String, Properties)
852 public void checkPrintJobAccess()
854 checkPermission(new RuntimePermission("queuePrintJob"));
858 * Check if the current thread is allowed to use the system clipboard. This
859 * method is called by Toolkit.getSystemClipboard(). The default
860 * implementation checks <code>AWTPermission("accessClipboard")</code>. If
861 * you override this, call <code>super.checkSystemClipboardAccess</code>
862 * rather than throwing an exception.
864 * @throws SecurityException if permission is denied
865 * @see Toolkit#getSystemClipboard()
868 public void checkSystemClipboardAccess()
870 checkPermission(new AWTPermission("accessClipboard"));
874 * Check if the current thread is allowed to use the AWT event queue. This
875 * method is called by Toolkit.getSystemEventQueue(). The default
876 * implementation checks <code>AWTPermission("accessEventQueue")</code>.
877 * you override this, call <code>super.checkAwtEventQueueAccess</code>
878 * rather than throwing an exception.
880 * @throws SecurityException if permission is denied
881 * @see Toolkit#getSystemEventQueue()
884 public void checkAwtEventQueueAccess()
886 checkPermission(new AWTPermission("accessEventQueue"));
890 * Check if the current thread is allowed to access the specified package
891 * at all. This method is called by ClassLoader.loadClass() in user-created
892 * ClassLoaders. The default implementation gets a list of all restricted
893 * packages, via <code>Security.getProperty("package.access")</code>. Then,
894 * if packageName starts with or equals any restricted package, it checks
895 * <code>RuntimePermission("accessClassInPackage." + packageName)</code>.
896 * If you override this, you should call
897 * <code>super.checkPackageAccess</code> before doing anything else.
899 * @param packageName the package name to check access to
900 * @throws SecurityException if permission is denied
901 * @throws NullPointerException if packageName is null
902 * @see ClassLoader#loadClass(String, boolean)
903 * @see Security#getProperty(String)
905 public void checkPackageAccess(String packageName)
907 checkPackageList(packageName, "package.access", "accessClassInPackage.");
911 * Check if the current thread is allowed to define a class into the
912 * specified package. This method is called by ClassLoader.loadClass() in
913 * user-created ClassLoaders. The default implementation gets a list of all
914 * restricted packages, via
915 * <code>Security.getProperty("package.definition")</code>. Then, if
916 * packageName starts with or equals any restricted package, it checks
917 * <code>RuntimePermission("defineClassInPackage." + packageName)</code>.
918 * If you override this, you should call
919 * <code>super.checkPackageDefinition</code> before doing anything else.
921 * @param packageName the package name to check access to
922 * @throws SecurityException if permission is denied
923 * @throws NullPointerException if packageName is null
924 * @see ClassLoader#loadClass(String, boolean)
925 * @see Security#getProperty(String)
927 public void checkPackageDefinition(String packageName)
929 checkPackageList(packageName, "package.definition", "defineClassInPackage.");
933 * Check if the current thread is allowed to set the current socket factory.
934 * This method is called by Socket.setSocketImplFactory(),
935 * ServerSocket.setSocketFactory(), and URL.setURLStreamHandlerFactory().
936 * The default implementation checks
937 * <code>RuntimePermission("setFactory")</code>. If you override this, call
938 * <code>super.checkSetFactory</code> rather than throwing an exception.
940 * @throws SecurityException if permission is denied
941 * @see Socket#setSocketImplFactory(SocketImplFactory)
942 * @see ServerSocket#setSocketFactory(SocketImplFactory)
943 * @see URL#setURLStreamHandlerFactory(URLStreamHandlerFactory)
945 public void checkSetFactory()
947 checkPermission(new RuntimePermission("setFactory"));
951 * Check if the current thread is allowed to get certain types of Methods,
952 * Fields and Constructors from a Class object. This method is called by
953 * Class.getMethod[s](), Class.getField[s](), Class.getConstructor[s],
954 * Class.getDeclaredMethod[s](), Class.getDeclaredField[s](), and
955 * Class.getDeclaredConstructor[s](). The default implementation allows
956 * PUBLIC access, and access to classes defined by the same classloader as
957 * the code performing the reflection. Otherwise, it checks
958 * <code>RuntimePermission("accessDeclaredMembers")</code>. If you override
959 * this, do not call <code>super.checkMemberAccess</code>, as this would
960 * mess up the stack depth check that determines the ClassLoader requesting
963 * @param c the Class to check
964 * @param memberType either DECLARED or PUBLIC
965 * @throws SecurityException if permission is denied, including when
966 * memberType is not DECLARED or PUBLIC
967 * @throws NullPointerException if c is null
969 * @see Member#DECLARED
973 public void checkMemberAccess(Class c, int memberType)
976 throw new NullPointerException();
977 if (memberType == Member.PUBLIC)
979 // XXX Allow access to classes created by same classloader before next
981 checkPermission(new RuntimePermission("accessDeclaredMembers"));
985 * Test whether a particular security action may be taken. The default
986 * implementation checks <code>SecurityPermission(action)</code>. If you
987 * override this, call <code>super.checkSecurityAccess</code> rather than
988 * throwing an exception.
990 * @param action the desired action to take
991 * @throws SecurityException if permission is denied
992 * @throws NullPointerException if action is null
993 * @throws IllegalArgumentException if action is ""
996 public void checkSecurityAccess(String action)
998 checkPermission(new SecurityPermission(action));
1002 * Get the ThreadGroup that a new Thread should belong to by default. Called
1003 * by Thread.Thread(). The default implementation returns the current
1004 * ThreadGroup of the current Thread. <STRONG>Spec Note:</STRONG> it is not
1005 * clear whether the new Thread is guaranteed to pass the
1006 * checkAccessThreadGroup() test when using this ThreadGroup, but I presume
1009 * @return the ThreadGroup to put the new Thread into
1012 public ThreadGroup getThreadGroup()
1014 return Thread.currentThread().getThreadGroup();
1018 * Helper that checks a comma-separated list of restricted packages, from
1019 * <code>Security.getProperty("package.definition")</code>, for the given
1020 * package access permission. If packageName starts with or equals any
1021 * restricted package, it checks
1022 * <code>RuntimePermission(permission + packageName)</code>.
1024 * @param packageName the package name to check access to
1025 * @param restriction "package.access" or "package.definition"
1026 * @param permission the base permission, including the '.'
1027 * @throws SecurityException if permission is denied
1028 * @throws NullPointerException if packageName is null
1029 * @see #checkPackageAccess(String)
1030 * @see #checkPackageDefinition(String)
1032 void checkPackageList(String packageName, final String restriction,
1035 if (packageName == null)
1036 throw new NullPointerException();
1038 String list = (String)AccessController.doPrivileged(new PrivilegedAction()
1042 return Security.getProperty(restriction);
1046 if (list == null || list.equals(""))
1049 String packageNamePlusDot = packageName + ".";
1051 StringTokenizer st = new StringTokenizer(list, ",");
1052 while (st.hasMoreTokens())
1054 if (packageNamePlusDot.startsWith(st.nextToken()))
1056 Permission p = new RuntimePermission(permission + packageName);