49 |
49 |
50 /** |
50 /** |
51 * This class represents a default Policy implementation for the |
51 * This class represents a default Policy implementation for the |
52 * "JavaPolicy" type. |
52 * "JavaPolicy" type. |
53 * |
53 * |
54 * Note: |
|
55 * For backward compatibility with JAAS 1.0 it loads |
|
56 * both java.auth.policy and java.policy. However, it |
|
57 * is recommended that java.auth.policy not be used |
|
58 * and that java.policy contain all grant entries including |
|
59 * those that contain principal-based entries. |
|
60 * |
|
61 * <p> This object stores the policy for the entire Java runtime, |
54 * <p> This object stores the policy for the entire Java runtime, |
62 * and is the amalgamation of multiple static policy |
55 * and is the amalgamation of multiple static policy |
63 * configurations that resides in files. |
56 * configurations that resides in files. |
64 * The algorithm for locating the policy file(s) and reading their |
57 * The algorithm for locating the policy file(s) and reading their |
65 * information into this <code>Policy</code> object is: |
58 * information into this <code>Policy</code> object is: |
73 * modules loaded by the platform class loader. If the default policy file |
66 * modules loaded by the platform class loader. If the default policy file |
74 * cannot be loaded, a fatal InternalError is thrown as these permissions |
67 * cannot be loaded, a fatal InternalError is thrown as these permissions |
75 * are needed in order for the runtime to operate correctly. |
68 * are needed in order for the runtime to operate correctly. |
76 * <li> |
69 * <li> |
77 * Loop through the <code>java.security.Security</code> properties, |
70 * Loop through the <code>java.security.Security</code> properties, |
78 * <i>policy.url.1</i>, <i>policy.url.2</i>, ..., |
71 * and <i>policy.url.1</i>, <i>policy.url.2</i>, ..., |
79 * <i>policy.url.X</i>" and |
72 * <i>policy.url.X</i>". These properties are set |
80 * <i>auth.policy.url.1</i>, <i>auth.policy.url.2</i>, ..., |
|
81 * <i>auth.policy.url.X</i>". These properties are set |
|
82 * in the Java security properties file, which is located in the file named |
73 * in the Java security properties file, which is located in the file named |
83 * <JAVA_HOME>/conf/security/java.security. |
74 * <JAVA_HOME>/conf/security/java.security. |
84 * Each property value specifies a <code>URL</code> pointing to a |
75 * Each property value specifies a <code>URL</code> pointing to a |
85 * policy file to be loaded. Read in and load each policy. |
76 * policy file to be loaded. Read in and load each policy. |
86 * |
|
87 * <i>auth.policy.url</i> is supported only for backward compatibility. |
|
88 * |
77 * |
89 * If none of these could be loaded, use a builtin static policy |
78 * If none of these could be loaded, use a builtin static policy |
90 * equivalent to the conf/security/java.policy file. |
79 * equivalent to the conf/security/java.policy file. |
91 * |
80 * |
92 * <li> |
81 * <li> |
96 * If this property is defined, and its use is allowed by the |
85 * If this property is defined, and its use is allowed by the |
97 * security property file (the Security property, |
86 * security property file (the Security property, |
98 * <i>policy.allowSystemProperty</i> is set to <i>true</i>), |
87 * <i>policy.allowSystemProperty</i> is set to <i>true</i>), |
99 * also load that policy. |
88 * also load that policy. |
100 * |
89 * |
101 * <li> |
90 * If the <i>java.security.policy</i> property is defined using |
102 * The <code>java.lang.System</code> property |
|
103 * <i>java.security.auth.policy</i> may also be set to a |
|
104 * <code>URL</code> pointing to another policy file |
|
105 * (which is the case when a user uses the -D switch at runtime). |
|
106 * If this property is defined, and its use is allowed by the |
|
107 * security property file (the Security property, |
|
108 * <i>policy.allowSystemProperty</i> is set to <i>true</i>), |
|
109 * also load that policy. |
|
110 * |
|
111 * <i>java.security.auth.policy</i> is supported only for backward |
|
112 * compatibility. |
|
113 * |
|
114 * If the <i>java.security.policy</i> or |
|
115 * <i>java.security.auth.policy</i> property is defined using |
|
116 * "==" (rather than "="), then load the specified policy file and ignore |
91 * "==" (rather than "="), then load the specified policy file and ignore |
117 * all other configured policies. Note, that the default.policy file is |
92 * all other configured policies. Note, that the default.policy file is |
118 * also loaded, as specified in the first step of the algorithm above. |
93 * also loaded, as specified in the first step of the algorithm above. |
119 * If the specified policy file cannot be loaded, use a builtin static policy |
94 * If the specified policy file cannot be loaded, use a builtin static policy |
120 * equivalent to the default conf/security/java.policy file. |
95 * equivalent to the default conf/security/java.policy file. |
267 private static final String SELF = "${{self}}"; |
242 private static final String SELF = "${{self}}"; |
268 private static final String X500PRINCIPAL = |
243 private static final String X500PRINCIPAL = |
269 "javax.security.auth.x500.X500Principal"; |
244 "javax.security.auth.x500.X500Principal"; |
270 private static final String POLICY = "java.security.policy"; |
245 private static final String POLICY = "java.security.policy"; |
271 private static final String POLICY_URL = "policy.url."; |
246 private static final String POLICY_URL = "policy.url."; |
272 private static final String AUTH_POLICY = "java.security.auth.policy"; |
|
273 private static final String AUTH_POLICY_URL = "auth.policy.url."; |
|
274 |
247 |
275 private static final int DEFAULT_CACHE_SIZE = 1; |
248 private static final int DEFAULT_CACHE_SIZE = 1; |
276 |
249 |
277 // contains the policy grant entries, PD cache, and alias mapping |
250 // contains the policy grant entries, PD cache, and alias mapping |
278 private AtomicReference<PolicyInfo> policyInfo = new AtomicReference<>(); |
251 private AtomicReference<PolicyInfo> policyInfo = new AtomicReference<>(); |
409 } else { |
382 } else { |
410 |
383 |
411 /** |
384 /** |
412 * Caller did not specify URL via Policy.getInstance. |
385 * Caller did not specify URL via Policy.getInstance. |
413 * Read from URLs listed in the java.security properties file. |
386 * Read from URLs listed in the java.security properties file. |
414 * |
|
415 * We call initPolicyFile with POLICY, POLICY_URL and then |
|
416 * call it with AUTH_POLICY and AUTH_POLICY_URL. |
|
417 * So first we will process the JAVA standard policy |
|
418 * and then process the JAVA AUTH Policy. |
|
419 * This is for backward compatibility as well as to handle |
|
420 * cases where the user has a single unified policyfile |
|
421 * with both java policy entries and auth entries |
|
422 */ |
387 */ |
423 |
388 |
424 boolean loaded_one = initPolicyFile(POLICY, POLICY_URL, newInfo); |
389 boolean loaded_one = initPolicyFile(POLICY, POLICY_URL, newInfo); |
425 // To maintain strict backward compatibility |
390 // To maintain strict backward compatibility |
426 // we load the static policy only if POLICY load failed |
391 // we load the static policy only if POLICY load failed |
427 if (!loaded_one) { |
392 if (!loaded_one) { |
428 // use static policy if all else fails |
393 // use static policy if all else fails |
429 initStaticPolicy(newInfo); |
394 initStaticPolicy(newInfo); |
430 } |
395 } |
431 |
|
432 initPolicyFile(AUTH_POLICY, AUTH_POLICY_URL, newInfo); |
|
433 } |
396 } |
434 } |
397 } |
435 |
398 |
436 private boolean initPolicyFile(final String propname, final String urlname, |
399 private boolean initPolicyFile(final String propname, final String urlname, |
437 final PolicyInfo newInfo) { |
400 final PolicyInfo newInfo) { |