/*
* @(#)JMXSubjectDomainCombiner.java 1.7 04/05/27
*
* Copyright 2004 Sun Microsystems, Inc. All rights reserved.
* SUN PROPRIETARY/CONFIDENTIAL. Use is subject to license terms.
*/
package com.sun.jmx.remote.security;
import java.security.AccessControlContext;
import java.security.AccessController;
import java.security.AllPermission;
import java.security.CodeSource;
import java.security.Permissions;
import java.security.ProtectionDomain;
import javax.security.auth.Subject;
import javax.security.auth.SubjectDomainCombiner;
/**
* <p>This class represents an extension to the {@link SubjectDomainCombiner}
* and is used to add a new {@link ProtectionDomain}, comprised of a null
* codesource/signers and an empty permission set, to the access control
* context with which this combiner is combined.</p>
*
* <p>When the {@link #combine} method is called the {@link ProtectionDomain}
* is augmented with the permissions granted to the set of principals present
* in the supplied {@link Subject}.</p>
*/
public class JMXSubjectDomainCombiner extends SubjectDomainCombiner {
public JMXSubjectDomainCombiner(Subject s) {
super(s);
}
public ProtectionDomain[] combine(ProtectionDomain[] current,
ProtectionDomain[] assigned) {
// Add a new ProtectionDomain with the null codesource/signers, and
// the empty permission set, to the end of the array containing the
// 'current' protections domains, i.e. the ones that will be augmented
// with the permissions granted to the set of principals present in
// the supplied subject.
//
ProtectionDomain[] newCurrent;
if (current == null || current.length == 0) {
newCurrent = new ProtectionDomain[1];
newCurrent[0] = pdNoPerms;
} else {
newCurrent = new ProtectionDomain[current.length + 1];
for (int i = 0; i < current.length; i++) {
newCurrent[i] = current[i];
}
newCurrent[current.length] = pdNoPerms;
}
return super.combine(newCurrent, assigned);
}
/**
* A null CodeSource.
*/
private static final CodeSource nullCodeSource =
new CodeSource(null, (java.security.cert.Certificate[]) null);
/**
* A ProtectionDomain with a null CodeSource and an empty permission set.
*/
private static final ProtectionDomain pdNoPerms =
new ProtectionDomain(nullCodeSource, new Permissions());
/**
* A permission set that grants AllPermission.
*/
private static final Permissions allPermissions = new Permissions();
static {
allPermissions.add(new AllPermission());
}
/**
* A ProtectionDomain with a null CodeSource and a permission set that
* grants AllPermission.
*/
private static final ProtectionDomain pdAllPerms =
new ProtectionDomain(nullCodeSource, allPermissions);
/**
* An AccessControlContext that has only system domains on the stack.
*/
private static final AccessControlContext systemACC =
new AccessControlContext(new ProtectionDomain[0]);
/**
* Check if the given AccessControlContext contains only system domains.
*/
private static boolean hasOnlySystemCode(AccessControlContext acc) {
return systemACC.equals(acc);
}
/**
* Get the current AccessControlContext. If all the protection domains
* in the current context are system domains then build a new context
* that combines the subject with a dummy protection domain that forces
* the use of the domain combiner.
*/
public static AccessControlContext getContext(Subject subject) {
AccessControlContext currentACC = AccessController.getContext();
if (hasOnlySystemCode(currentACC)) {
currentACC =
new AccessControlContext(new ProtectionDomain[] {pdAllPerms});
}
return new AccessControlContext(currentACC,
new JMXSubjectDomainCombiner(subject));
}
}
|
