001 /* MBeanPermission.java -- Permissions controlling server access. 002 Copyright (C) 2006 Free Software Foundation, Inc. 003 004 This file is part of GNU Classpath. 005 006 GNU Classpath is free software; you can redistribute it and/or modify 007 it under the terms of the GNU General Public License as published by 008 the Free Software Foundation; either version 2, or (at your option) 009 any later version. 010 011 GNU Classpath is distributed in the hope that it will be useful, but 012 WITHOUT ANY WARRANTY; without even the implied warranty of 013 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU 014 General Public License for more details. 015 016 You should have received a copy of the GNU General Public License 017 along with GNU Classpath; see the file COPYING. If not, write to the 018 Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 019 02110-1301 USA. 020 021 Linking this library statically or dynamically with other modules is 022 making a combined work based on this library. Thus, the terms and 023 conditions of the GNU General Public License cover the whole 024 combination. 025 026 As a special exception, the copyright holders of this library give you 027 permission to link this library with independent modules to produce an 028 executable, regardless of the license terms of these independent 029 modules, and to copy and distribute the resulting executable under 030 terms of your choice, provided that you also meet, for each linked 031 independent module, the terms and conditions of the license of that 032 module. An independent module is a module which is not derived from 033 or based on this library. If you modify this library, you may extend 034 this exception to your version of the library, but you are not 035 obligated to do so. If you do not wish to do so, delete this 036 exception statement from your version. */ 037 038 package javax.management; 039 040 import java.security.Permission; 041 042 import java.io.IOException; 043 import java.io.ObjectInputStream; 044 045 import java.util.HashSet; 046 import java.util.Iterator; 047 import java.util.Set; 048 import java.util.TreeSet; 049 050 /** 051 * <p> 052 * Represents the permissions required to perform 053 * operations using the {@link MBeanServer}. As with 054 * all {@link java.security.Permission} objects, an 055 * instance of this class either represents a permission 056 * already held or one that is required to access a 057 * particular service. In the case of {@link MBeanPermission}s, 058 * implication checks are made using an instance of this class 059 * when a user requests an operation from the server, and a 060 * {@link SecurityManager} is in place. 061 * </p> 062 * <p> 063 * An {@link MBeanPermission} consists of four elements, 064 * which all have to match for the permission to be implied. 065 * These are as follows: 066 * </p> 067 * <ol> 068 * <li><strong>The action</strong>. For a required permission, 069 * this is a single value. For a permission held by the user, 070 * this is a list of comma-separated actions (with spaces allowed), 071 * or <code>*</code> (representing all actions). {@link #getActions()} 072 * returns this value.</li> 073 * <li><strong>The class name</strong>. For a required permission, 074 * this is the class name of the bean being accessed, if any. If 075 * a bean isn't involved in this action, the value is <code>null</code>. 076 * For a permission held by the user, it has one of three values: 077 * <ol> 078 * <li>The empty string, implying any class.</li> 079 * <li><code>*</code>, also implying any class.</li> 080 * <li>A class name pattern, which may specify a single class 081 * (e.g. <code>java.lang.Object</code>) or a series of classes 082 * using the wildcard character <code>*</code> (e.g. 083 * <code>javax.swing.*</code>.)</li> 084 * </ol></li> 085 * <li><strong>The member</strong>. For a required permission, 086 * this is the member of the bean being accessed (an attribute 087 * or operation), if any. If a member of the bean isn't involved 088 * in this action, the value is <code>null</code>. 089 * For a permission held by the user, it has one of three values: 090 * <ol> 091 * <li>The empty string, implying any member.</li> 092 * <li><code>*</code>, also implying any member.</li> 093 * <li>The name of a member.</li> 094 * </ol></li> 095 * <li>The object name</strong>. For a required permission, 096 * this is the {@link ObjectName} of the bean being accessed, if 097 * any. If a bean isn't involved in this action, the value is 098 * <code>null</code>. The name may not be a pattern. 099 * For a permission held by the user, it may be the empty 100 * string (allowing everything) or an {@link ObjectName} 101 * pattern. 102 * </li></ol> 103 * {@link #getName()} returns the latter three of these as a 104 * single string: 105 * </p> 106 * <p><code>className#member[objectName]</code></p> 107 * <p> 108 * where <code>""</code> is disallowed, as, although any of 109 * the elements may be omitted, not all of them should be 110 * left out simultaneously. <code>"-"</code> is used to 111 * represent <code>null</code>. When this occurs in a 112 * required permission, anything may match it. When this 113 * forms part of a permission held by the user, it only 114 * matches another <code>null</code> value. 115 * </p> 116 * <p>The list of valid actions is as follows:</p> 117 * <ul> 118 * <li>addNotificationListener</li> 119 * <li>getAttribute</li> 120 * <li>getClassLoader</li> 121 * <li>getClassLoaderFor</li> 122 * <li>getClassLoaderRepository</li> 123 * <li>getDomains</li> 124 * <li>getMBeanInfo</li> 125 * <li>getObjectInstance</li> 126 * <li>instantiate</li> 127 * <li>invoke</li> 128 * <li>isInstanceOf</li> 129 * <li>queryMBeans</li> 130 * <li>queryNames</li> 131 * <li>registerMBean</li> 132 * <li>removeNotificationListener</li> 133 * <li>setAttribute</li> 134 * <li>unregisterMBean</li> 135 * </ul> 136 * 137 * @author Andrew John Hughes (gnu_andrew@member.fsf.org) 138 * @since 1.5 139 */ 140 public class MBeanPermission 141 extends Permission 142 { 143 144 /** 145 * Compatible with JDK 1.5 146 */ 147 private static final long serialVersionUID = -2416928705275160661L; 148 149 /** 150 * The list of actions associated with this permission. 151 */ 152 private String actions; 153 154 /** 155 * The list of actions as an ordered set. 156 */ 157 private transient Set actionSet; 158 159 /** 160 * The set of valid actions. 161 */ 162 private static final Set validSet; 163 164 /** 165 * Initialise the set of valid actions. 166 */ 167 static 168 { 169 validSet = new HashSet(); 170 validSet.add("addNotificationListener"); 171 validSet.add("getAttribute"); 172 validSet.add("getClassLoader"); 173 validSet.add("getClassLoaderFor"); 174 validSet.add("getClassLoaderRepository"); 175 validSet.add("getDomains"); 176 validSet.add("getMBeanInfo"); 177 validSet.add("getObjectInstance"); 178 validSet.add("instantiate"); 179 validSet.add("invoke"); 180 validSet.add("isInstanceOf"); 181 validSet.add("queryMBeans"); 182 validSet.add("queryNames"); 183 validSet.add("registerMBean"); 184 validSet.add("removeNotificationListener"); 185 validSet.add("setAttribute"); 186 validSet.add("unregisterMBean"); 187 } 188 189 /** 190 * Constructs a new {@link MBeanPermission} with the specified name 191 * and actions. The name is of the form <code>className#member[objectName]</code>, 192 * where each element is optional, but a completely empty or <code>null</code> 193 * name is disallowed. Actions are specified as a comma-separated list 194 * and may also not be empty or <code>null</code>. 195 * 196 * @param name the name of the permission. 197 * @param actions the actions associated with this permission. 198 * @throws IllegalArgumentException if the name or actions are invalid. 199 */ 200 public MBeanPermission(String name, String actions) 201 { 202 super(name); 203 if (name == null || name.length() == 0) 204 throw new IllegalArgumentException("The supplied name was null or empty."); 205 if (actions == null || actions.length() == 0) 206 throw new IllegalArgumentException("The supplied action list was null or empty."); 207 this.actions = actions; 208 updateActionSet(); 209 } 210 211 /** 212 * Constructs a new {@link MBeanPermission} with the specified class name, 213 * member, object name and actions. The name of the permission is created 214 * using the form <code>className#member[objectName]</code>, 215 * where each element is optional, but an empty or <code>null</code> 216 * name is disallowed. Actions are specified as a comma-separated list 217 * and may also not be empty or <code>null</code>. 218 * 219 * @param className the name of the class to which this permission applies, 220 * or either <code>null</code> or <code>"-"</code> for a 221 * value which may be implied by any class name, but not 222 * imply any class name itself. 223 * @param member the member of the class to which this permission applies, 224 * or either <code>null</code> or <code>"-"</code> for a 225 * value which may be implied by any member, but not 226 * imply any member itself. 227 * @param objectName the {@link ObjectName} to which this permission applies, 228 * or <code>null</code> for a value which may be implied by 229 * any object name, but not imply any object name itself. 230 * @param actions the actions associated with this permission. 231 */ 232 public MBeanPermission(String className, String member, 233 ObjectName name, String actions) 234 { 235 this((className == null ? "-" : className) + "#" 236 + (member == null ? "-" : member) + "[" 237 + (name == null ? "-" : name.toString()) + "]", actions); 238 } 239 240 /** 241 * Returns true if the given object is also an {@link MBeanPermission} 242 * with the same name and actions. 243 * 244 * @param obj the object to test. 245 * @return true if the object is an {@link MBeanPermission} with 246 * the same name and actions. 247 */ 248 public boolean equals(Object obj) 249 { 250 if (obj instanceof MBeanPermission) 251 { 252 MBeanPermission p = (MBeanPermission) obj; 253 return (p.getName().equals(getName()) && 254 p.getActions().equals(actions)); 255 } 256 return false; 257 } 258 259 /** 260 * Returns the list of actions in alphabetical order. 261 * 262 * @return the list of actions. 263 */ 264 public String getActions() 265 { 266 Iterator it = actionSet.iterator(); 267 StringBuilder builder = new StringBuilder(); 268 while (it.hasNext()) 269 { 270 builder.append(it.next()); 271 if (it.hasNext()) 272 builder.append(","); 273 } 274 return builder.toString(); 275 } 276 277 /** 278 * Returns the hashcode of the permission as the sum 279 * of the hashcodes of the name and actions. 280 * 281 * @return the hashcode of the permission. 282 */ 283 public int hashCode() 284 { 285 return getName().hashCode() + actions.hashCode(); 286 } 287 288 /** 289 * <p> 290 * Returns true if this permission implies the supplied permission. 291 * This happens if the following holds: 292 * </p> 293 * <ul> 294 * <li>The supplied permission is an {@link MBeanPermission}</li> 295 * <li>The supplied permission has either a <code>null</code> classname 296 * or its classname matches the classname of this permission. A 297 * classname of <code>"*"</code> for this permission always matches 298 * the classname of the supplied permission. Generally, <code>'*'</code> 299 * acts as a wildcard, so <code>".*"</code> matches <code>'.'</code> 300 * followed by anything.</li> 301 * <li>The supplied permission has either a <code>null</code> member 302 * or its member matches the member of this permission. A member of 303 * <code>"*"</code> for this permission always matches the member 304 * of the supplied permission.</li> 305 * <li>The supplied permission has either a <code>null</code> object name 306 * or its object name matches the object name of this permission. If the 307 * object name of this permission is a pattern, {@link ObjectName#apply(ObjectName)} 308 * may be used as well.</li> 309 * <li>The supplied permission's actions are a subset of the actions 310 * of this permission. If the <code>queryMBeans</code> action is presented, 311 * the <code>queryNames</code> action is implied.</li> 312 * </ul> 313 * 314 * @param p the permission to check that this permission implies. 315 * @return true if this permission implies <code>p</code>. 316 */ 317 public boolean implies(Permission p) 318 { 319 if (p instanceof MBeanPermission) 320 { 321 MBeanPermission mp = (MBeanPermission) p; 322 NameHolder pName = new NameHolder(mp.getName()); 323 NameHolder name = new NameHolder(getName()); 324 if (!(name.equals(pName))) 325 return false; 326 Iterator i = mp.getActionSet().iterator(); 327 while (i.hasNext()) 328 { 329 String nextAction = (String) i.next(); 330 boolean found = actions.contains(nextAction); 331 if (!found) 332 if (nextAction.equals("queryNames")) 333 found = actions.contains("queryMBeans"); 334 if (!found) 335 return false; 336 } 337 return true; 338 } 339 return false; 340 } 341 342 /** 343 * Small helper class to handle deconstruction of the name. 344 * 345 * @author Andrew John Hughes (gnu_andrew@member.fsf.org) 346 */ 347 private class NameHolder 348 { 349 350 /** 351 * The class name. 352 */ 353 private String className; 354 355 /** 356 * The member. 357 */ 358 private String member; 359 360 /** 361 * The object name. 362 */ 363 private ObjectName objectName; 364 365 /** 366 * Constructs a broken-down name from a given name. 367 * 368 * @param name the name to break down. 369 */ 370 public NameHolder(String name) 371 { 372 String objectName = null; 373 int memberIndex = name.indexOf("#"); 374 int onIndex = name.indexOf("["); 375 if (onIndex == -1) 376 { 377 if (memberIndex == -1) 378 className = name; 379 else 380 { 381 className = name.substring(0, memberIndex); 382 member = name.substring(memberIndex + 1); 383 } 384 } 385 else 386 { 387 if (memberIndex == -1) 388 { 389 className = name.substring(0, onIndex); 390 objectName = name.substring(onIndex + 1, 391 name.length() - 1); 392 } 393 else 394 { 395 className = name.substring(0, memberIndex); 396 member = name.substring(memberIndex + 1, onIndex); 397 objectName = name.substring(onIndex + 1, 398 name.length() - 1); 399 } 400 } 401 if (className.equals("-")) 402 className = null; 403 if (member.equals("-")) 404 member = null; 405 if (objectName == null || objectName.equals("-")) 406 this.objectName = null; 407 else 408 try 409 { 410 this.objectName = new ObjectName(objectName); 411 } 412 catch (MalformedObjectNameException e) 413 { 414 throw (Error) 415 (new InternalError("Invalid object name.").initCause(e)); 416 } 417 } 418 419 /** 420 * <p> 421 * Returns true if the supplied object is also a 422 * {@link NameHolder} and the following holds: 423 * </p> 424 * <ul> 425 * <li>The supplied classname is <code>null</code> or the two match. A 426 * classname of <code>"*"</code> for this holder always matches 427 * the classname of the supplied holder. Generally, <code>'*'</code> 428 * acts as a wildcard, so <code>".*"</code> matches <code>'.'</code> 429 * followed by anything.</li> 430 * <li>The supplied name holder has either a <code>null</code> member 431 * or its member matches the member of this name holder. A member of 432 * <code>"*"</code> for this name holder always matches the member 433 * of the supplied name holder.</li> 434 * <li>The supplied name holder has either a <code>null</code> object name 435 * or its object name matches the object name of this name holder. If the 436 * object name of this name holder is a pattern, 437 * {@link ObjectName#apply(ObjectName)} may be used as well.</li> 438 * </ul> 439 * 440 * @param obj the object to compare with this. 441 * @return true if the above holds. 442 */ 443 public boolean equals(Object obj) 444 { 445 if (obj instanceof NameHolder) 446 { 447 NameHolder nh = (NameHolder) obj; 448 boolean cn = false; 449 String ocn = nh.getClassName(); 450 if (ocn == null || className.equals("*")) 451 cn = true; 452 else 453 { 454 int wcIndex = className.indexOf("*"); 455 if (wcIndex != -1) 456 cn = ocn.startsWith(className.substring(0, wcIndex)); 457 else 458 cn = ocn.equals(className); 459 } 460 boolean m = false; 461 String om = nh.getMember(); 462 if (om == null || member.equals("*")) 463 m = true; 464 else 465 m = om.equals(member); 466 boolean on = false; 467 ObjectName oon = nh.getObjectName(); 468 if (oon == null) 469 on = true; 470 else if (objectName.isPattern()) 471 on = objectName.apply(oon); 472 else 473 on = oon.equals(objectName); 474 return (cn && m && on); 475 } 476 return false; 477 } 478 479 /** 480 * Returns the class name. 481 */ 482 public String getClassName() 483 { 484 return className; 485 } 486 487 /** 488 * Returns the member. 489 */ 490 public String getMember() 491 { 492 return member; 493 } 494 495 /** 496 * Returns the object name. 497 */ 498 public ObjectName getObjectName() 499 { 500 return objectName; 501 } 502 } 503 504 /** 505 * Returns the set of actions. 506 * 507 * @return the actions as an ordered set. 508 */ 509 Set getActionSet() 510 { 511 return actionSet; 512 } 513 514 /** 515 * Updates the action set from the current value of 516 * the actions string. 517 */ 518 private void updateActionSet() 519 { 520 String[] actionsArray = actions.split(","); 521 actionSet = new TreeSet(); 522 for (int a = 0; a < actionsArray.length; ++a) 523 actionSet.add(actionsArray[a].trim()); 524 } 525 526 /** 527 * Reads the object from a stream and ensures the incoming 528 * data is valid. 529 * 530 * @param in the input stream. 531 * @throws IOException if an I/O error occurs. 532 * @throws ClassNotFoundException if a class used by the object 533 * can not be found. 534 */ 535 private void readObject(ObjectInputStream in) 536 throws IOException, ClassNotFoundException 537 { 538 in.defaultReadObject(); 539 updateActionSet(); 540 checkActions(); 541 } 542 543 /** 544 * Checks that the actions used in this permission 545 * are from the valid set. 546 * 547 * @throws IllegalArgumentException if the name or actions are invalid. 548 */ 549 private void checkActions() 550 { 551 Iterator it = actionSet.iterator(); 552 while (it.hasNext()) 553 { 554 String action = (String) it.next(); 555 if (!(validSet.contains(action))) 556 throw new IllegalArgumentException("Invalid action " 557 + action + " found."); 558 } 559 } 560 561 } 562