org.wildfly.security.manager

Class WildFlySecurityManager

java.lang.Object

java.lang.SecurityManager

org.wildfly.security.manager.WildFlySecurityManager

All Implemented Interfaces:

PermissionVerifier

@MetaInfServices(value=java.lang.SecurityManager.class)
public final class WildFlySecurityManager
extends SecurityManager
implements PermissionVerifier

The security manager. This security manager implementation can be switched on and off on a per-thread basis, and additionally logs access violations in a way that should be substantially clearer than most JDK implementations.

Author:

David M. Lloyd

Field Summary

Fields inherited from class java.lang.SecurityManager

inCheck

Fields inherited from interface org.wildfly.security.permission.PermissionVerifier

ALL, NONE

Constructor Summary

Constructors

Constructor and Description
WildFlySecurityManager() Construct a new instance.

Method Summary

Modifier and Type	Method and Description
void	checkAccept(String host, int port)
void	checkAccess(Thread t)
void	checkAccess(ThreadGroup g)
void	checkConnect(String host, int port)
void	checkConnect(String host, int port, Object context)
void	checkCreateClassLoader()
void	checkDelete(String file)
void	checkExec(String cmd)
void	checkExit(int status)
void	checkLink(String lib)
void	checkListen(int port)
void	checkMemberAccess(Class<?> clazz, int which) Deprecated.
void	checkMulticast(InetAddress maddr)
void	checkMulticast(InetAddress maddr, byte ttl) Deprecated.
void	checkPackageAccess(String pkg)
void	checkPackageDefinition(String pkg)
void	checkPermission(Permission perm) Perform a permission check.
void	checkPermission(Permission perm, AccessControlContext context) Perform a permission check.
void	checkPermission(Permission perm, Object context) Perform a permission check.
void	checkPrintJobAccess()
void	checkPropertiesAccess()
void	checkPropertyAccess(String key)
void	checkRead(FileDescriptor fd)
void	checkRead(String file)
void	checkRead(String file, Object context)
void	checkSecurityAccess(String target)
void	checkSetFactory()
void	checkWrite(FileDescriptor fd)
void	checkWrite(String file)
static String	clearPropertyPrivileged(String name) Clear a property, doing a faster permission check that skips having to execute a privileged action frame.
static <T,P> T	doChecked(P parameter, ParametricPrivilegedAction<T,P> action) Perform an action with permission checking enabled.
static <T,P> T	doChecked(P parameter, ParametricPrivilegedAction<T,P> action, AccessControlContext context) Perform an action with permission checking enabled.
static <T,P> T	doChecked(P parameter, ParametricPrivilegedExceptionAction<T,P> action) Perform an action with permission checking enabled.
static <T,P> T	doChecked(P parameter, ParametricPrivilegedExceptionAction<T,P> action, AccessControlContext context) Perform an action with permission checking enabled.
static <T> T	doChecked(PrivilegedAction<T> action) Perform an action with permission checking enabled.
static <T> T	doChecked(PrivilegedAction<T> action, AccessControlContext context) Perform an action with permission checking enabled.
static <T> T	doChecked(PrivilegedExceptionAction<T> action) Perform an action with permission checking enabled.
static <T> T	doChecked(PrivilegedExceptionAction<T> action, AccessControlContext context) Perform an action with permission checking enabled.
static <T,P> T	doPrivilegedWithParameter(P parameter, ParametricPrivilegedAction<T,P> action) Execute a parametric privileged action with the given parameter in a privileged context.
static <T,P> T	doPrivilegedWithParameter(P parameter, ParametricPrivilegedAction<T,P> action, AccessControlContext accessControlContext) Execute a parametric privileged action with the given parameter with the given context.
static <T,P> T	doPrivilegedWithParameter(P parameter, ParametricPrivilegedExceptionAction<T,P> action) Execute a parametric privileged action with the given parameter in a privileged context.
static <T,P> T	doPrivilegedWithParameter(P parameter, ParametricPrivilegedExceptionAction<T,P> action, AccessControlContext accessControlContext) Execute a parametric privileged action with the given parameter with the given context.
static <T,P> T	doUnchecked(P parameter, ParametricPrivilegedAction<T,P> action) Perform an action with permission checking disabled.
static <T,P> T	doUnchecked(P parameter, ParametricPrivilegedAction<T,P> action, AccessControlContext context) Perform an action with permission checking disabled.
static <T,P> T	doUnchecked(P parameter, ParametricPrivilegedExceptionAction<T,P> action) Perform an action with permission checking disabled.
static <T,P> T	doUnchecked(P parameter, ParametricPrivilegedExceptionAction<T,P> action, AccessControlContext context) Perform an action with permission checking disabled.
static <T> T	doUnchecked(PrivilegedAction<T> action) Perform an action with permission checking disabled.
static <T> T	doUnchecked(PrivilegedAction<T> action, AccessControlContext context) Perform an action with permission checking disabled.
static <T> T	doUnchecked(PrivilegedExceptionAction<T> action) Perform an action with permission checking disabled.
static <T> T	doUnchecked(PrivilegedExceptionAction<T> action, AccessControlContext context) Perform an action with permission checking disabled.
static ProtectionDomain	findAccessDenial(Permission permission, ProtectionDomain... domains) Find the protection domain in the given list which denies a permission, or null if the permission check would pass.
static ClassLoader	getClassLoaderPrivileged(Class<?> clazz) Get the class loader for a class, doing a faster permission check that skips having to execute a privileged action frame.
static ClassLoader	getCurrentContextClassLoaderPrivileged() Get the current thread's context class loader, doing a faster permission check that skips having to execute a privileged action frame.
static String	getEnvPropertyPrivileged(String name, String def) Get an environmental property, doing a faster permission check that skips having to execute a privileged action frame.
static String	getPropertyPrivileged(String name, String def) Get a property, doing a faster permission check that skips having to execute a privileged action frame.
static Map<String,String>	getSystemEnvironmentPrivileged() Get the system environment map, doing a faster permission check that skips having to execute a privileged action frame.
static Properties	getSystemPropertiesPrivileged() Get the system properties map, doing a faster permission check that skips having to execute a privileged action frame.
boolean	implies(Permission permission) Determine if the permission is verified by this object.
static void	install() Deprecated.
static boolean	isChecking() Determine whether the security manager is currently checking permissions.
static ClassLoader	setCurrentContextClassLoaderPrivileged(Class<?> clazz) Set the current thread's context class loader, doing a faster permission check that skips having to execute a privileged action frame.
static ClassLoader	setCurrentContextClassLoaderPrivileged(ClassLoader newClassLoader) Set the current thread's context class loader, doing a faster permission check that skips having to execute a privileged action frame.
static String	setPropertyPrivileged(String name, String value) Set a property, doing a faster permission check that skips having to execute a privileged action frame.
static boolean	tryCheckPermission(Permission permission, ProtectionDomain... domains) Try a permission check.

Methods inherited from class java.lang.SecurityManager

checkAwtEventQueueAccess, checkSystemClipboardAccess, checkTopLevelWindow, classDepth, classLoaderDepth, currentClassLoader, currentLoadedClass, getClassContext, getInCheck, getSecurityContext, getThreadGroup, inClass, inClassLoader

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Methods inherited from interface org.wildfly.security.permission.PermissionVerifier

and, from, from, from, from, not, or, toPermissionCollection, unless, xor

Constructor Detail

WildFlySecurityManager

public WildFlySecurityManager()
                       throws SecurityException

Construct a new instance. If the caller does not have permission to do so, this method will throw an exception.

Throws:

SecurityException - if the caller does not have permission to create a security manager instance

Method Detail

install

@Deprecated
public static void install()
                                throws SecurityException

Deprecated.

Throws:

SecurityException

isChecking

public static boolean isChecking()

Determine whether the security manager is currently checking permissions.

Returns:

true if the security manager is currently checking permissions

checkPermission

public void checkPermission(Permission perm)
                     throws SecurityException

Perform a permission check.

Specified by:

checkPermission in interface PermissionVerifier

Overrides:

checkPermission in class SecurityManager

Parameters:

perm - the permission to check

Throws:

SecurityException - if the check fails

checkPermission

public void checkPermission(Permission perm,
                            Object context)
                     throws SecurityException

Perform a permission check.

Overrides:

checkPermission in class SecurityManager

Parameters:

perm - the permission to check

context - the security context to use for the check (must be an AccessControlContext instance)

Throws:

SecurityException - if the check fails

findAccessDenial

public static ProtectionDomain findAccessDenial(Permission permission,
                                                ProtectionDomain... domains)

Find the protection domain in the given list which denies a permission, or null if the permission check would pass.

Parameters:

permission - the permission to test

domains - the protection domains to try

Returns:

the first denying protection domain, or null if there is none

tryCheckPermission

public static boolean tryCheckPermission(Permission permission,
                                         ProtectionDomain... domains)

Try a permission check. Any violations will be logged to the org.wildfly.security.access category at a DEBUG level.

Parameters:

permission - the permission to check

domains - the protection domains to try

Returns:

true if the access check succeeded, false otherwise

implies

public boolean implies(Permission permission)

Description copied from interface: PermissionVerifier

Determine if the permission is verified by this object.

Specified by:

implies in interface PermissionVerifier

Parameters:

permission - the permission to verify (must not be null)

Returns:

true if the permission is implied by this verifier, false otherwise

checkPermission

public void checkPermission(Permission perm,
                            AccessControlContext context)
                     throws SecurityException

Perform a permission check.

Parameters:

perm - the permission to check

context - the security context to use for the check

Throws:

SecurityException - if the check fails

checkCreateClassLoader

public void checkCreateClassLoader()

Overrides:

checkCreateClassLoader in class SecurityManager

checkAccess

public void checkAccess(Thread t)

Overrides:

checkAccess in class SecurityManager

checkAccess

public void checkAccess(ThreadGroup g)

Overrides:

checkAccess in class SecurityManager

checkExit

public void checkExit(int status)

Overrides:

checkExit in class SecurityManager

checkExec

public void checkExec(String cmd)

Overrides:

checkExec in class SecurityManager

checkLink

public void checkLink(String lib)

Overrides:

checkLink in class SecurityManager

checkRead

public void checkRead(FileDescriptor fd)

Overrides:

checkRead in class SecurityManager

checkRead

public void checkRead(String file)

Overrides:

checkRead in class SecurityManager

checkRead

public void checkRead(String file,
                      Object context)

Overrides:

checkRead in class SecurityManager

checkWrite

public void checkWrite(FileDescriptor fd)

Overrides:

checkWrite in class SecurityManager

checkWrite

public void checkWrite(String file)

Overrides:

checkWrite in class SecurityManager

checkDelete

public void checkDelete(String file)

Overrides:

checkDelete in class SecurityManager

checkConnect

public void checkConnect(String host,
                         int port)

Overrides:

checkConnect in class SecurityManager

checkConnect

public void checkConnect(String host,
                         int port,
                         Object context)

Overrides:

checkConnect in class SecurityManager

checkListen

public void checkListen(int port)

Overrides:

checkListen in class SecurityManager

checkAccept

public void checkAccept(String host,
                        int port)

Overrides:

checkAccept in class SecurityManager

checkMulticast

public void checkMulticast(InetAddress maddr)

Overrides:

checkMulticast in class SecurityManager

checkMulticast

@Deprecated
public void checkMulticast(InetAddress maddr,
                                       byte ttl)

Deprecated.

Overrides:

checkMulticast in class SecurityManager

checkPropertiesAccess

public void checkPropertiesAccess()

Overrides:

checkPropertiesAccess in class SecurityManager

checkPropertyAccess

public void checkPropertyAccess(String key)

Overrides:

checkPropertyAccess in class SecurityManager

checkPrintJobAccess

public void checkPrintJobAccess()

Overrides:

checkPrintJobAccess in class SecurityManager

checkPackageAccess

public void checkPackageAccess(String pkg)

Overrides:

checkPackageAccess in class SecurityManager

checkPackageDefinition

public void checkPackageDefinition(String pkg)

Overrides:

checkPackageDefinition in class SecurityManager

checkSetFactory

public void checkSetFactory()

Overrides:

checkSetFactory in class SecurityManager

checkMemberAccess

@Deprecated
public void checkMemberAccess(Class<?> clazz,
                                          int which)

Deprecated.

Overrides:

checkMemberAccess in class SecurityManager

checkSecurityAccess

public void checkSecurityAccess(String target)

Overrides:

checkSecurityAccess in class SecurityManager

doChecked

public static <T> T doChecked(PrivilegedAction<T> action)

Perform an action with permission checking enabled. If permission checking is already enabled, the action is simply run.

Type Parameters:

T - the action return type

Parameters:

action - the action to perform

Returns:

the return value of the action

doChecked

public static <T> T doChecked(PrivilegedExceptionAction<T> action)
                       throws PrivilegedActionException

Perform an action with permission checking enabled. If permission checking is already enabled, the action is simply run.

Type Parameters:

T - the action return type

Parameters:

action - the action to perform

Returns:

the return value of the action

Throws:

PrivilegedActionException - if the action threw an exception

doChecked

public static <T> T doChecked(PrivilegedAction<T> action,
                              AccessControlContext context)

Perform an action with permission checking enabled. If permission checking is already enabled, the action is simply run.

Type Parameters:

T - the action return type

Parameters:

action - the action to perform

context - the access control context to use

Returns:

the return value of the action

doChecked

public static <T> T doChecked(PrivilegedExceptionAction<T> action,
                              AccessControlContext context)
                       throws PrivilegedActionException

Perform an action with permission checking enabled. If permission checking is already enabled, the action is simply run.

Type Parameters:

T - the action return type

Parameters:

action - the action to perform

context - the access control context to use

Returns:

the return value of the action

Throws:

PrivilegedActionException - if the action threw an exception

doChecked

public static <T,P> T doChecked(P parameter,
                                ParametricPrivilegedAction<T,P> action)

Perform an action with permission checking enabled. If permission checking is already enabled, the action is simply run.

Type Parameters:

T - the action return type

P - the action parameter type

Parameters:

parameter - the parameter to pass to the action

action - the action to perform

Returns:

the return value of the action

doChecked

public static <T,P> T doChecked(P parameter,
                                ParametricPrivilegedExceptionAction<T,P> action)
                         throws PrivilegedActionException

Perform an action with permission checking enabled. If permission checking is already enabled, the action is simply run.

Type Parameters:

T - the action return type

P - the action parameter type

Parameters:

parameter - the parameter to pass to the action

action - the action to perform

Returns:

the return value of the action

Throws:

PrivilegedActionException - if the action threw an exception

doChecked

public static <T,P> T doChecked(P parameter,
                                ParametricPrivilegedAction<T,P> action,
                                AccessControlContext context)

Perform an action with permission checking enabled. If permission checking is already enabled, the action is simply run.

Type Parameters:

T - the action return type

P - the action parameter type

Parameters:

parameter - the parameter to pass to the action

action - the action to perform

context - the access control context to use

Returns:

the return value of the action

doChecked

public static <T,P> T doChecked(P parameter,
                                ParametricPrivilegedExceptionAction<T,P> action,
                                AccessControlContext context)
                         throws PrivilegedActionException

Perform an action with permission checking enabled. If permission checking is already enabled, the action is simply run.

Type Parameters:

T - the action return type

P - the action parameter type

Parameters:

parameter - the parameter to pass to the action

action - the action to perform

context - the access control context to use

Returns:

the return value of the action

Throws:

PrivilegedActionException - if the action threw an exception

doUnchecked

public static <T> T doUnchecked(PrivilegedAction<T> action)

Perform an action with permission checking disabled. If permission checking is already disabled, the action is simply run. The immediate caller must have the doUnchecked runtime permission.

Type Parameters:

T - the action return type

Parameters:

action - the action to perform

Returns:

the return value of the action

doUnchecked

public static <T> T doUnchecked(PrivilegedExceptionAction<T> action)
                         throws PrivilegedActionException

Perform an action with permission checking disabled. If permission checking is already disabled, the action is simply run. The caller must have the doUnchecked runtime permission.

Type Parameters:

T - the action return type

Parameters:

action - the action to perform

Returns:

the return value of the action

Throws:

PrivilegedActionException - if the action threw an exception

doUnchecked

public static <T> T doUnchecked(PrivilegedAction<T> action,
                                AccessControlContext context)

Perform an action with permission checking disabled. If permission checking is already disabled, the action is simply run. The immediate caller must have the doUnchecked runtime permission.

Type Parameters:

T - the action return type

Parameters:

action - the action to perform

context - the access control context to use

Returns:

the return value of the action

doUnchecked

public static <T> T doUnchecked(PrivilegedExceptionAction<T> action,
                                AccessControlContext context)
                         throws PrivilegedActionException

Perform an action with permission checking disabled. If permission checking is already disabled, the action is simply run. The caller must have the doUnchecked runtime permission.

Type Parameters:

T - the action return type

Parameters:

action - the action to perform

context - the access control context to use

Returns:

the return value of the action

Throws:

PrivilegedActionException - if the action threw an exception

doUnchecked

public static <T,P> T doUnchecked(P parameter,
                                  ParametricPrivilegedAction<T,P> action)

Perform an action with permission checking disabled. If permission checking is already disabled, the action is simply run. The immediate caller must have the doUnchecked runtime permission.

Type Parameters:

T - the action return type

P - the action parameter type

Parameters:

parameter - the parameter to pass to the action

action - the action to perform

Returns:

the return value of the action

doUnchecked

public static <T,P> T doUnchecked(P parameter,
                                  ParametricPrivilegedExceptionAction<T,P> action)
                           throws PrivilegedActionException

Perform an action with permission checking disabled. If permission checking is already disabled, the action is simply run. The caller must have the doUnchecked runtime permission.

Type Parameters:

T - the action return type

P - the action parameter type

Parameters:

parameter - the parameter to pass to the action

action - the action to perform

Returns:

the return value of the action

Throws:

PrivilegedActionException - if the action threw an exception

doUnchecked

public static <T,P> T doUnchecked(P parameter,
                                  ParametricPrivilegedAction<T,P> action,
                                  AccessControlContext context)

Perform an action with permission checking disabled. If permission checking is already disabled, the action is simply run. The immediate caller must have the doUnchecked runtime permission.

Type Parameters:

T - the action return type

P - the action parameter type

Parameters:

parameter - the parameter to pass to the action

action - the action to perform

context - the access control context to use

Returns:

the return value of the action

doUnchecked

public static <T,P> T doUnchecked(P parameter,
                                  ParametricPrivilegedExceptionAction<T,P> action,
                                  AccessControlContext context)
                           throws PrivilegedActionException

Perform an action with permission checking disabled. If permission checking is already disabled, the action is simply run. The caller must have the doUnchecked runtime permission.

Type Parameters:

T - the action return type

P - the action parameter type

Parameters:

parameter - the parameter to pass to the action

action - the action to perform

context - the access control context to use

Returns:

the return value of the action

Throws:

PrivilegedActionException - if the action threw an exception

getPropertyPrivileged

public static String getPropertyPrivileged(String name,
                                           String def)

Get a property, doing a faster permission check that skips having to execute a privileged action frame.

Parameters:

name - the property name

def - the default value if the property is not found

Returns:

the property value, or the default value

getEnvPropertyPrivileged

public static String getEnvPropertyPrivileged(String name,
                                              String def)

Get an environmental property, doing a faster permission check that skips having to execute a privileged action frame.

Parameters:

name - the property name

def - the default value if the property is not found

Returns:

the property value, or the default value

setPropertyPrivileged

public static String setPropertyPrivileged(String name,
                                           String value)

Set a property, doing a faster permission check that skips having to execute a privileged action frame.

Parameters:

name - the property name

value - the value ot set

Returns:

the previous property value, or null if there was none

clearPropertyPrivileged

public static String clearPropertyPrivileged(String name)

Clear a property, doing a faster permission check that skips having to execute a privileged action frame.

Parameters:

name - the property name

Returns:

the previous property value, or null if there was none

getCurrentContextClassLoaderPrivileged

public static ClassLoader getCurrentContextClassLoaderPrivileged()

Get the current thread's context class loader, doing a faster permission check that skips having to execute a privileged action frame.

Returns:

the context class loader

setCurrentContextClassLoaderPrivileged

public static ClassLoader setCurrentContextClassLoaderPrivileged(ClassLoader newClassLoader)

Set the current thread's context class loader, doing a faster permission check that skips having to execute a privileged action frame.

Parameters:

newClassLoader - the new class loader to set

Returns:

the previously set context class loader

setCurrentContextClassLoaderPrivileged

public static ClassLoader setCurrentContextClassLoaderPrivileged(Class<?> clazz)

Set the current thread's context class loader, doing a faster permission check that skips having to execute a privileged action frame.

Parameters:

clazz - the class whose class loader is the new class loader to set

Returns:

the previously set context class loader

getSystemPropertiesPrivileged

public static Properties getSystemPropertiesPrivileged()

Get the system properties map, doing a faster permission check that skips having to execute a privileged action frame.

Returns:

the system property map

getSystemEnvironmentPrivileged

public static Map<String,String> getSystemEnvironmentPrivileged()

Get the system environment map, doing a faster permission check that skips having to execute a privileged action frame.

Returns:

the system environment map

getClassLoaderPrivileged

public static ClassLoader getClassLoaderPrivileged(Class<?> clazz)

Get the class loader for a class, doing a faster permission check that skips having to execute a privileged action frame.

Parameters:

clazz - the class to check

Returns:

the class loader

doPrivilegedWithParameter

public static <T,P> T doPrivilegedWithParameter(P parameter,
                                                ParametricPrivilegedAction<T,P> action)

Execute a parametric privileged action with the given parameter in a privileged context.

Type Parameters:

T - the action result type

P - the parameter type

Parameters:

parameter - the parameter to send in to the action

action - the action to execute

Returns:

the action result

doPrivilegedWithParameter

public static <T,P> T doPrivilegedWithParameter(P parameter,
                                                ParametricPrivilegedExceptionAction<T,P> action)
                                         throws PrivilegedActionException

Execute a parametric privileged action with the given parameter in a privileged context.

Type Parameters:

T - the action result type

P - the parameter type

Parameters:

parameter - the parameter to send in to the action

action - the action to execute

Returns:

the action result

Throws:

PrivilegedActionException

doPrivilegedWithParameter

public static <T,P> T doPrivilegedWithParameter(P parameter,
                                                ParametricPrivilegedAction<T,P> action,
                                                AccessControlContext accessControlContext)

Execute a parametric privileged action with the given parameter with the given context.

Type Parameters:

T - the action result type

P - the parameter type

Parameters:

parameter - the parameter to send in to the action

action - the action to execute

accessControlContext - the context to use

Returns:

the action result

doPrivilegedWithParameter

public static <T,P> T doPrivilegedWithParameter(P parameter,
                                                ParametricPrivilegedExceptionAction<T,P> action,
                                                AccessControlContext accessControlContext)
                                         throws PrivilegedActionException

Execute a parametric privileged action with the given parameter with the given context.

Type Parameters:

T - the action result type

P - the parameter type

Parameters:

parameter - the parameter to send in to the action

action - the action to execute

accessControlContext - the context to use

Returns:

the action result

Throws:

PrivilegedActionException