/** * Copyright (C) 2010 EdgyTech LLC. * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy of * the License at * * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the * License for the specific language governing permissions and limitations under * the License. */ package com.edgytech.umongo; /** * * @author antoine */ public class PluginSecurityManager extends SecurityManager { private String pluginDir = null; PluginSecurityManager(String dir) { pluginDir = dir; } /** * This is the basic method that tests whether there is a class loaded by a * ClassLoader anywhere on the stack. If so, it means that that untrusted * code is trying to perform some kind of sensitive operation. We prevent it * from performing that operation by throwing an exception. trusted() is * called by most of the check...() methods below. */ protected void trusted() { if (inClassLoader()) { throw new SecurityException(); } } /** * These are all the specific checks that a security manager can perform. * They all just call one of the methods above and throw a SecurityException * if the operation is not allowed. This SecurityManager subclass is perhaps * a little too restrictive. For example, it doesn't allow loaded code to * read *any* system properties, even though some of them are quite * harmless. */ public void checkCreateClassLoader() { trusted(); } public void checkAccess(Thread g) { trusted(); } public void checkAccess(ThreadGroup g) { trusted(); } public void checkExit(int status) { trusted(); } public void checkExec(String cmd) { trusted(); } public void checkLink(String lib) { trusted(); } public void checkRead(java.io.FileDescriptor fd) { trusted(); } public void checkRead(String file) { // String path = new File(file).getParentFile().getAbsolutePath(); // if (! path.endsWith(pluginDir)) trusted(); } public void checkRead(String file, Object context) { trusted(); } public void checkWrite(java.io.FileDescriptor fd) { trusted(); } public void checkWrite(String file) { trusted(); } public void checkDelete(String file) { trusted(); } public void checkConnect(String host, int port) { trusted(); } public void checkConnect(String host, int port, Object context) { trusted(); } public void checkListen(int port) { trusted(); } public void checkAccept(String host, int port) { trusted(); } public void checkMulticast(java.net.InetAddress maddr) { trusted(); } public void checkMulticast(java.net.InetAddress maddr, byte ttl) { trusted(); } public void checkPropertiesAccess() { trusted(); } public void checkPropertyAccess(String key) { // if (! key.equals("user.dir")) trusted(); } public void checkPrintJobAccess() { trusted(); } public void checkSystemClipboardAccess() { trusted(); } public void checkAwtEventQueueAccess() { trusted(); } public void checkSetFactory() { trusted(); } public void checkMemberAccess(Class clazz, int which) { trusted(); } public void checkSecurityAccess(String provider) { trusted(); } /** * Loaded code can only load classes from java.* packages */ public void checkPackageAccess(String pkg) { if (inClassLoader() && !pkg.startsWith("java.") && !pkg.startsWith("javax.")) { throw new SecurityException(); } } /** * Loaded code can't define classes in java.* or sun.* packages */ public void checkPackageDefinition(String pkg) { if (inClassLoader() && ((pkg.startsWith("java.") || pkg.startsWith("javax.") || pkg.startsWith("sun.")))) { throw new SecurityException(); } } /** * This is the one SecurityManager method that is different from the others. * It indicates whether a top-level window should display an "untrusted" * warning. The window is always allowed to be created, so this method is * not normally meant to throw an exception. It should return true if the * window does not need to display the warning, and false if it does. In * this example, however, our text-based Service classes should never need * to create windows, so we will actually throw an exception to prevent any * windows from being opened. * */ public boolean checkTopLevelWindow(Object window) { trusted(); return true; } }