org.wildfly.security.manager.WildFlySecurityManager Maven / Gradle / Ivy
/*
* JBoss, Home of Professional Open Source.
* Copyright 2016 Red Hat, Inc., and individual contributors
* as indicated by the @author tags.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.wildfly.security.manager;
import java.io.FileDescriptor;
import java.lang.reflect.Field;
import java.lang.reflect.Member;
import java.net.InetAddress;
import java.security.AccessControlContext;
import java.security.CodeSource;
import java.security.Permission;
import java.security.Principal;
import java.security.PrivilegedAction;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.security.ProtectionDomain;
import java.util.Arrays;
import java.util.Map;
import java.util.Properties;
import java.util.PropertyPermission;
import java.util.concurrent.atomic.AtomicIntegerFieldUpdater;
import java.util.concurrent.atomic.AtomicLongFieldUpdater;
import java.util.concurrent.atomic.AtomicReferenceFieldUpdater;
import org.kohsuke.MetaInfServices;
import org.wildfly.common.Assert;
import org.wildfly.security.ParametricPrivilegedAction;
import org.wildfly.security.ParametricPrivilegedExceptionAction;
import org.wildfly.security.manager.action.ClearPropertyAction;
import org.wildfly.security.manager.action.GetClassLoaderAction;
import org.wildfly.security.manager.action.GetContextClassLoaderAction;
import org.wildfly.security.manager.action.GetEnvironmentAction;
import org.wildfly.security.manager.action.GetProtectionDomainAction;
import org.wildfly.security.manager.action.GetSystemPropertiesAction;
import org.wildfly.security.manager.action.ReadEnvironmentPropertyAction;
import org.wildfly.security.manager.action.ReadPropertyAction;
import org.wildfly.security.manager.action.SetContextClassLoaderAction;
import org.wildfly.security.manager.action.WritePropertyAction;
import org.wildfly.security.permission.PermissionVerifier;
import sun.misc.Unsafe;
import static java.lang.System.clearProperty;
import static java.lang.System.getProperties;
import static java.lang.System.getProperty;
import static java.lang.System.getSecurityManager;
import static java.lang.System.getenv;
import static java.lang.System.setProperty;
import static java.lang.Thread.currentThread;
import static java.security.AccessController.doPrivileged;
import static java.security.AccessController.getContext;
import static org.wildfly.security.manager.WildFlySecurityManagerPermission.doUncheckedPermission;
import static org.wildfly.security.manager._private.SecurityMessages.access;
/**
* The security manager. This security manager implementation can be switched on and off on a per-thread basis,
* and additionally logs access violations in a way that should be substantially clearer than most JDK implementations.
*
* @author David M. Lloyd
*/
@MetaInfServices(SecurityManager.class)
public final class WildFlySecurityManager extends SecurityManager implements PermissionVerifier {
private static final Permission SECURITY_MANAGER_PERMISSION = new RuntimePermission("setSecurityManager");
private static final Permission PROPERTIES_PERMISSION = new PropertyPermission("*", "read,write");
private static final Permission ENVIRONMENT_PERMISSION = new RuntimePermission("getenv.*");
private static final Permission GET_CLASS_LOADER_PERMISSION = new RuntimePermission("getClassLoader");
private static final Permission SET_CLASS_LOADER_PERMISSION = new RuntimePermission("setClassLoader");
private static final Permission ACCESS_DECLARED_MEMBERS_PERMISSION = new RuntimePermission("accessDeclaredMembers");
private static final boolean LOG_ONLY;
static class Context {
boolean checking = true;
boolean entered = false;
ParametricPrivilegedAction action1;
ParametricPrivilegedExceptionAction action2;
Object parameter;
}
private static final ThreadLocal CTX = new ThreadLocal() {
protected Context initialValue() {
return new Context();
}
};
private static final Unsafe unsafe;
private static final long pdStackOffset;
private static final WildFlySecurityManager INSTANCE;
private static final boolean hasGetCallerClass;
private static final boolean usingStackWalker;
static {
final Field pdField;
try {
// does not need to be accessible
pdField = AccessControlContext.class.getDeclaredField("context");
} catch (NoSuchFieldException e) {
throw new NoSuchFieldError(e.getMessage());
}
if (pdField.getType() != ProtectionDomain[].class) {
throw new Error();
}
try {
unsafe = (Unsafe) doPrivileged(new GetAccessibleDeclaredFieldAction(Unsafe.class, "theUnsafe")).get(null);
} catch (IllegalAccessException e) {
throw new IllegalAccessError(e.getMessage());
}
pdStackOffset = unsafe.objectFieldOffset(pdField);
// Cannot be lambda due to JDK race conditions
//noinspection Convert2Lambda,Anonymous2MethodRef
INSTANCE = doPrivileged(new PrivilegedAction() {
public WildFlySecurityManager run() {
return new WildFlySecurityManager();
}
});
boolean result = false;
try {
/*
* If JDKSpecific.getCallerClass(0) does not return this class assume a fault and fall back to using
* SecurityManager.getClassContext().
*/
result = JDKSpecific.getCallerClass(0) == WildFlySecurityManager.class;
} catch (Throwable ignored) {}
hasGetCallerClass = result;
usingStackWalker = hasGetCallerClass && JDKSpecific.usingStackWalker();
LOG_ONLY = Boolean.parseBoolean(doPrivileged(new ReadPropertyAction("org.wildfly.security.manager.log-only", "false")));
}
/**
* Construct a new instance. If the caller does not have permission to do so, this method will throw an exception.
*
* @throws SecurityException if the caller does not have permission to create a security manager instance
*/
public WildFlySecurityManager() throws SecurityException {
}
@Deprecated
public static void install() throws SecurityException {
if (System.getSecurityManager() instanceof WildFlySecurityManager) return;
System.setSecurityManager(new WildFlySecurityManager());
}
@SuppressWarnings("deprecation")
static Class getCallerClass(int n) {
if (hasGetCallerClass) {
/*
* An additional 1 is added to take into account the call to.
* WildFlySecurityManager.getCallerClass(int);
*
* The individual JDKSpecific.getCallerClass(int) implementations take care
* of any offset they require.
*/
return JDKSpecific.getCallerClass(n + 1);
} else {
/*
* Fixed offset of 2 to take into account the following calls on the call stack: -
* WildFlySecurityManager.getCallStack();
* WildFlySecurityManager.getCallerClass(int);
*/
return getCallStack()[n + 2];
}
}
static Class[] getCallStack() {
return INSTANCE.getClassContext();
}
/**
* Determine whether the security manager is currently checking permissions.
*
* @return {@code true} if the security manager is currently checking permissions
*/
public static boolean isChecking() {
final SecurityManager sm = getSecurityManager();
return sm instanceof WildFlySecurityManager ? doCheck() : sm != null;
}
/**
* Perform a permission check.
*
* @param perm the permission to check
* @throws SecurityException if the check fails
*/
public void checkPermission(final Permission perm) throws SecurityException {
checkPermission(perm, getContext());
}
/**
* Perform a permission check.
*
* @param perm the permission to check
* @param context the security context to use for the check (must be an {@link AccessControlContext} instance)
* @throws SecurityException if the check fails
*/
public void checkPermission(final Permission perm, final Object context) throws SecurityException {
if (context instanceof AccessControlContext) {
checkPermission(perm, (AccessControlContext) context);
} else {
throw access.unknownContext();
}
}
/**
* Find the protection domain in the given list which denies a permission, or {@code null} if the permission
* check would pass.
*
* @param permission the permission to test
* @param domains the protection domains to try
* @return the first denying protection domain, or {@code null} if there is none
*/
public static ProtectionDomain findAccessDenial(final Permission permission, final ProtectionDomain... domains) {
ProtectionDomain deniedDomain = null;
if (domains != null) for (ProtectionDomain domain : domains) {
if (! domain.implies(permission)) {
final CodeSource codeSource = domain.getCodeSource();
final ClassLoader classLoader = domain.getClassLoader();
final Principal[] principals = domain.getPrincipals();
if (principals == null || principals.length == 0) {
access.accessCheckFailed(permission, codeSource, classLoader);
} else {
access.accessCheckFailed(permission, codeSource, classLoader, Arrays.toString(principals));
}
if (access.isTraceEnabled()) {
access.trace(
"Permission check failed (permission \"" + permission + "\" in protection domain " + domain + " )",
new RuntimeException("Exception not thrown, analysis only."));
}
if (deniedDomain == null && ! LOG_ONLY) {
deniedDomain = domain;
}
}
}
return deniedDomain;
}
/**
* Try a permission check. Any violations will be logged to the {@code org.wildfly.security.access} category
* at a {@code DEBUG} level.
*
* @param permission the permission to check
* @param domains the protection domains to try
* @return {@code true} if the access check succeeded, {@code false} otherwise
*/
public static boolean tryCheckPermission(final Permission permission, final ProtectionDomain... domains) {
if (permission.implies(SECURITY_MANAGER_PERMISSION)) {
return false;
}
final Context ctx = CTX.get();
if (ctx.checking) {
if (ctx.entered) {
return true;
}
ctx.entered = true;
try {
final ProtectionDomain deniedDomain = findAccessDenial(permission, domains);
if (deniedDomain != null) {
return false;
}
} finally {
ctx.entered = false;
}
}
return true;
}
public boolean implies(final Permission permission) {
return tryCheckPermission(permission, getProtectionDomainStack(getContext()));
}
/**
* Perform a permission check.
*
* @param perm the permission to check
* @param context the security context to use for the check
* @throws SecurityException if the check fails
*/
public void checkPermission(final Permission perm, final AccessControlContext context) throws SecurityException {
if (perm.implies(SECURITY_MANAGER_PERMISSION)) {
throw access.secMgrChange();
}
final Context ctx = CTX.get();
if (ctx.checking) {
if (ctx.entered) {
return;
}
final ProtectionDomain[] stack;
ctx.entered = true;
try {
stack = getProtectionDomainStack(context);
if (stack != null) {
final ProtectionDomain deniedDomain = findAccessDenial(perm, stack);
if (deniedDomain != null) {
throw access.accessControlException(perm, perm, deniedDomain.getCodeSource(), deniedDomain.getClassLoader());
}
}
} finally {
ctx.entered = false;
}
}
}
private static ProtectionDomain[] getProtectionDomainStack(final AccessControlContext context) {
return (ProtectionDomain[]) unsafe.getObject(context, pdStackOffset);
}
private static boolean doCheck() {
return doCheck(CTX.get());
}
private static boolean doCheck(final WildFlySecurityManager.Context ctx) {
return ctx.checking && ! ctx.entered;
}
public void checkCreateClassLoader() {
if (doCheck()) {
super.checkCreateClassLoader();
}
}
public void checkAccess(final Thread t) {
if (doCheck()) {
super.checkAccess(t);
}
}
public void checkAccess(final ThreadGroup g) {
if (doCheck()) {
super.checkAccess(g);
}
}
public void checkExit(final int status) {
if (doCheck()) {
super.checkExit(status);
}
}
public void checkExec(final String cmd) {
if (doCheck()) {
super.checkExec(cmd);
}
}
public void checkLink(final String lib) {
if (doCheck()) {
super.checkLink(lib);
}
}
public void checkRead(final FileDescriptor fd) {
if (doCheck()) {
super.checkRead(fd);
}
}
public void checkRead(final String file) {
if (doCheck()) {
super.checkRead(file);
}
}
public void checkRead(final String file, final Object context) {
if (doCheck()) {
super.checkRead(file, context);
}
}
public void checkWrite(final FileDescriptor fd) {
if (doCheck()) {
super.checkWrite(fd);
}
}
public void checkWrite(final String file) {
if (doCheck()) {
super.checkWrite(file);
}
}
public void checkDelete(final String file) {
if (doCheck()) {
super.checkDelete(file);
}
}
public void checkConnect(final String host, final int port) {
if (doCheck()) {
super.checkConnect(host, port);
}
}
public void checkConnect(final String host, final int port, final Object context) {
if (doCheck()) {
super.checkConnect(host, port, context);
}
}
public void checkListen(final int port) {
if (doCheck()) {
super.checkListen(port);
}
}
public void checkAccept(final String host, final int port) {
if (doCheck()) {
super.checkAccept(host, port);
}
}
public void checkMulticast(final InetAddress maddr) {
if (doCheck()) {
super.checkMulticast(maddr);
}
}
@Deprecated @SuppressWarnings("deprecation")
public void checkMulticast(final InetAddress maddr, final byte ttl) {
if (doCheck()) {
super.checkMulticast(maddr, ttl);
}
}
public void checkPropertiesAccess() {
if (doCheck()) {
super.checkPropertiesAccess();
}
}
public void checkPropertyAccess(final String key) {
final Context ctx = CTX.get();
if (doCheck(ctx)) {
/*
* Here is our expected stack:
* 0: this method
* 1: java.lang.System.getProperty() (may repeat)
* 2: user code | java.lang.(Boolean|Integer|Long).getXxx()
* 3+: ??? | java.lang.(Boolean|Integer|Long).getXxx() (more)
* n: | user code
*/
Class[] context = getClassContext();
if (context.length < 3) {
super.checkPropertyAccess(key);
return;
}
if (context[1] != System.class) {
super.checkPropertyAccess(key);
return;
}
Class testClass = context[2];
if (context.length >= 4) for (int i = 2; i < context.length; i ++) {
if (context[i] == Boolean.class || context[i] == Integer.class || context[i] == Long.class || context[i] == System.class) {
testClass = context[i + 1];
} else {
break;
}
}
final ProtectionDomain protectionDomain;
final ClassLoader classLoader;
final ClassLoader objectClassLoader;
ctx.entered = true;
try {
protectionDomain = testClass.getProtectionDomain();
classLoader = testClass.getClassLoader();
objectClassLoader = Object.class.getClassLoader();
} finally {
ctx.entered = false;
}
if (classLoader == objectClassLoader) {
// can't trust it, it's gone through more JDK code
super.checkPropertyAccess(key);
return;
}
final PropertyPermission permission = new PropertyPermission(key, "read");
if (protectionDomain.implies(permission)) {
return;
}
checkPermission(permission, getContext());
}
}
public void checkPrintJobAccess() {
if (doCheck()) {
super.checkPrintJobAccess();
}
}
public void checkPackageAccess(final String pkg) {
if (doCheck()) {
super.checkPackageAccess(pkg);
}
}
public void checkPackageDefinition(final String pkg) {
if (doCheck()) {
super.checkPackageDefinition(pkg);
}
}
public void checkSetFactory() {
if (doCheck()) {
super.checkSetFactory();
}
}
private static final Class[] ATOMIC_FIELD_UPDATER_TYPES = new Class[] {
AtomicReferenceFieldUpdater.class, AtomicLongFieldUpdater.class, AtomicIntegerFieldUpdater.class
};
private static boolean isAssignableToOneOf(Class test, Class... expect) {
for (Class clazz : expect) {
if (clazz.isAssignableFrom(test)) return true;
}
return false;
}
@Deprecated @SuppressWarnings("deprecation")
public void checkMemberAccess(final Class clazz, final int which) {
final Context ctx = CTX.get();
if (doCheck(ctx)) {
Assert.checkNotNullParam("class", clazz);
if (which != Member.PUBLIC) {
/* The default sec mgr implementation makes some ugly assumptions about call stack depth that we must
* unfortunately replicate (and improve upon). Here are the stack elements we expect to see:
*
* 0: this method
* 1: java.lang.Class#checkMemberAccess()
* 2: java.lang.Class#getDeclared*() or similar in Class
* 3: user code | java.util.concurrent.Atomic*FieldUpdater (impl)
* 4+: ??? | java.util.concurrent.Atomic*FieldUpdater (possibly more)
* n: ??? | user code
*
* The great irony is that Class is supposed to detect that this method is overridden and fall back to
* a simple permission check, however that doesn't seem to be working in practice.
*/
Class[] context = getClassContext();
int depth = context.length;
if (depth >= 4 && context[1] == Class.class && context[2] == Class.class) {
final ClassLoader objectClassLoader;
final ClassLoader clazzClassLoader;
ClassLoader classLoader;
// get class loaders without permission check
ctx.entered = true;
try {
objectClassLoader = Object.class.getClassLoader();
clazzClassLoader = clazz.getClassLoader();
for (int i = 3; i < depth; i ++) {
classLoader = context[i].getClassLoader();
if (classLoader == objectClassLoader) {
if (isAssignableToOneOf(context[i], ATOMIC_FIELD_UPDATER_TYPES)) {
// keep going
} else {
// unknown JDK class, fall back
checkPermission(ACCESS_DECLARED_MEMBERS_PERMISSION);
return;
}
} else {
if (clazzClassLoader == classLoader) {
// permission granted
return;
} else {
// class loaders differ
checkPermission(ACCESS_DECLARED_MEMBERS_PERMISSION);
return;
}
}
}
} finally {
ctx.entered = false;
}
}
// fall back to paranoid check
checkPermission(ACCESS_DECLARED_MEMBERS_PERMISSION);
}
}
}
public void checkSecurityAccess(final String target) {
if (doCheck()) {
super.checkSecurityAccess(target);
}
}
/**
* Perform an action with permission checking enabled. If permission checking is already enabled, the action is
* simply run.
*
* @param action the action to perform
* @param the action return type
* @return the return value of the action
*/
public static T doChecked(PrivilegedAction action) {
final Context ctx = CTX.get();
if (ctx.checking) {
return action.run();
}
ctx.checking = true;
try {
return action.run();
} finally {
ctx.checking = false;
}
}
/**
* Perform an action with permission checking enabled. If permission checking is already enabled, the action is
* simply run.
*
* @param action the action to perform
* @param the action return type
* @return the return value of the action
* @throws PrivilegedActionException if the action threw an exception
*/
public static T doChecked(PrivilegedExceptionAction action) throws PrivilegedActionException {
final Context ctx = CTX.get();
if (ctx.checking) {
try {
return action.run();
} catch (RuntimeException e) {
throw e;
} catch (Exception e) {
throw new PrivilegedActionException(e);
}
}
ctx.checking = true;
try {
return action.run();
} catch (RuntimeException e) {
throw e;
} catch (Exception e) {
throw new PrivilegedActionException(e);
} finally {
ctx.checking = false;
}
}
/**
* Perform an action with permission checking enabled. If permission checking is already enabled, the action is
* simply run.
*
* @param action the action to perform
* @param context the access control context to use
* @param the action return type
* @return the return value of the action
*/
public static T doChecked(PrivilegedAction action, AccessControlContext context) {
final Context ctx = CTX.get();
if (ctx.checking) {
return doPrivileged(action, context);
}
ctx.checking = true;
try {
return doPrivileged(action, context);
} finally {
ctx.checking = false;
}
}
/**
* Perform an action with permission checking enabled. If permission checking is already enabled, the action is
* simply run.
*
* @param action the action to perform
* @param context the access control context to use
* @param the action return type
* @return the return value of the action
* @throws PrivilegedActionException if the action threw an exception
*/
public static T doChecked(PrivilegedExceptionAction action, AccessControlContext context) throws PrivilegedActionException {
final Context ctx = CTX.get();
if (ctx.checking) {
try {
return doPrivileged(action, context);
} catch (RuntimeException e) {
throw e;
} catch (Exception e) {
throw new PrivilegedActionException(e);
}
}
ctx.checking = true;
try {
return doPrivileged(action, context);
} finally {
ctx.checking = false;
}
}
/**
* Perform an action with permission checking enabled. If permission checking is already enabled, the action is
* simply run.
*
* @param parameter the parameter to pass to the action
* @param action the action to perform
* @param the action return type
* @param the action parameter type
* @return the return value of the action
*/
public static T doChecked(P parameter, ParametricPrivilegedAction action) {
final Context ctx = CTX.get();
if (ctx.checking) {
return action.run(parameter);
}
ctx.checking = true;
try {
return action.run(parameter);
} finally {
ctx.checking = false;
}
}
/**
* Perform an action with permission checking enabled. If permission checking is already enabled, the action is
* simply run.
*
* @param parameter the parameter to pass to the action
* @param action the action to perform
* @param the action return type
* @param the action parameter type
* @return the return value of the action
* @throws PrivilegedActionException if the action threw an exception
*/
public static T doChecked(P parameter, ParametricPrivilegedExceptionAction action) throws PrivilegedActionException {
final Context ctx = CTX.get();
if (ctx.checking) {
try {
return action.run(parameter);
} catch (RuntimeException e) {
throw e;
} catch (Exception e) {
throw new PrivilegedActionException(e);
}
}
ctx.checking = true;
try {
return action.run(parameter);
} catch (RuntimeException e) {
throw e;
} catch (Exception e) {
throw new PrivilegedActionException(e);
} finally {
ctx.checking = false;
}
}
/**
* Perform an action with permission checking enabled. If permission checking is already enabled, the action is
* simply run.
*
* @param parameter the parameter to pass to the action
* @param action the action to perform
* @param context the access control context to use
* @param the action return type
* @param the action parameter type
* @return the return value of the action
*/
public static T doChecked(P parameter, ParametricPrivilegedAction action, AccessControlContext context) {
final Context ctx = CTX.get();
if (ctx.checking) {
return doPrivilegedWithParameter(parameter, action, context);
}
ctx.checking = true;
try {
return doPrivilegedWithParameter(parameter, action, context);
} finally {
ctx.checking = false;
}
}
/**
* Perform an action with permission checking enabled. If permission checking is already enabled, the action is
* simply run.
*
* @param parameter the parameter to pass to the action
* @param action the action to perform
* @param context the access control context to use
* @param the action return type
* @param the action parameter type
* @return the return value of the action
* @throws PrivilegedActionException if the action threw an exception
*/
public static T doChecked(P parameter, ParametricPrivilegedExceptionAction action, AccessControlContext context) throws PrivilegedActionException {
final Context ctx = CTX.get();
if (ctx.checking) {
return doPrivilegedWithParameter(parameter, action, context);
}
ctx.checking = true;
try {
return doPrivilegedWithParameter(parameter, action, context);
} finally {
ctx.checking = false;
}
}
/**
* Perform an action with permission checking disabled. If permission checking is already disabled, the action is
* simply run. The immediate caller must have the {@code doUnchecked} runtime permission.
*
* @param action the action to perform
* @param the action return type
* @return the return value of the action
*/
public static T doUnchecked(PrivilegedAction action) {
final SecurityManager sm = getSecurityManager();
if (sm instanceof WildFlySecurityManager) {
final Context ctx = CTX.get();
if (! ctx.checking) {
return action.run();
}
ctx.checking = false;
try {
if (sm != null) {
checkPDPermission(getCallerClass(1), doUncheckedPermission);
}
return action.run();
} finally {
ctx.checking = true;
}
} else if (sm != null) {
// Just doPrivileged as the caller.
return doPrivileged(action, getCallerAccessControlContext());
}
return action.run();
}
/**
* Perform an action with permission checking disabled. If permission checking is already disabled, the action is
* simply run. The caller must have the {@code doUnchecked} runtime permission.
*
* @param action the action to perform
* @param the action return type
* @return the return value of the action
* @throws PrivilegedActionException if the action threw an exception
*/
public static T doUnchecked(PrivilegedExceptionAction action) throws PrivilegedActionException {
final SecurityManager sm = getSecurityManager();
if (sm instanceof WildFlySecurityManager) {
final Context ctx = CTX.get();
if (! ctx.checking) {
try {
return action.run();
} catch (Exception e) {
throw new PrivilegedActionException(e);
}
}
ctx.checking = false;
try {
if (sm != null) {
checkPDPermission(getCallerClass(1), doUncheckedPermission);
}
return action.run();
} catch (Exception e) {
throw new PrivilegedActionException(e);
} finally {
ctx.checking = true;
}
} else if (sm != null) {
// Just doPrivileged as the caller.
return doPrivileged(action, getCallerAccessControlContext());
}
try {
return action.run();
} catch (Exception e) {
throw new PrivilegedActionException(e);
}
}
/**
* Perform an action with permission checking disabled. If permission checking is already disabled, the action is
* simply run. The immediate caller must have the {@code doUnchecked} runtime permission.
*
* @param action the action to perform
* @param context the access control context to use
* @param the action return type
* @return the return value of the action
*/
public static T doUnchecked(PrivilegedAction action, AccessControlContext context) {
final SecurityManager sm = getSecurityManager();
if (sm instanceof WildFlySecurityManager) {
final Context ctx = CTX.get();
if (! ctx.checking) {
return doPrivileged(action, context);
}
ctx.checking = false;
try {
if (sm != null) {
checkPDPermission(getCallerClass(1), doUncheckedPermission);
}
return action.run();
} finally {
ctx.checking = true;
}
} else if (sm != null) {
// Just doPrivileged as the caller.
return doPrivileged(action, context);
}
return doPrivileged(action, context);
}
/**
* Perform an action with permission checking disabled. If permission checking is already disabled, the action is
* simply run. The caller must have the {@code doUnchecked} runtime permission.
*
* @param action the action to perform
* @param context the access control context to use
* @param the action return type
* @return the return value of the action
* @throws PrivilegedActionException if the action threw an exception
*/
public static T doUnchecked(PrivilegedExceptionAction action, AccessControlContext context) throws PrivilegedActionException {
final SecurityManager sm = getSecurityManager();
if (sm instanceof WildFlySecurityManager) {
final Context ctx = CTX.get();
if (! ctx.checking) {
return doPrivileged(action, context);
}
ctx.checking = false;
try {
if (sm != null) {
checkPDPermission(getCallerClass(1), doUncheckedPermission);
}
return doPrivileged(action, context);
} finally {
ctx.checking = true;
}
} else if (sm != null) {
// Just doPrivileged as the caller.
return doPrivileged(action, context);
}
return doPrivileged(action, context);
}
/**
* Perform an action with permission checking disabled. If permission checking is already disabled, the action is
* simply run. The immediate caller must have the {@code doUnchecked} runtime permission.
*
* @param parameter the parameter to pass to the action
* @param action the action to perform
* @param the action return type
* @param the action parameter type
* @return the return value of the action
*/
public static T doUnchecked(P parameter, ParametricPrivilegedAction action) {
final SecurityManager sm = getSecurityManager();
if (sm instanceof WildFlySecurityManager) {
final Context ctx = CTX.get();
if (! ctx.checking) {
return action.run(parameter);
}
ctx.checking = false;
try {
if (sm != null) {
checkPDPermission(getCallerClass(1), doUncheckedPermission);
}
return action.run(parameter);
} finally {
ctx.checking = true;
}
} else if (sm != null) {
// Just doPrivileged as the caller.
return doPrivilegedWithParameter(parameter, action, null);
}
return action.run(parameter);
}
/**
* Perform an action with permission checking disabled. If permission checking is already disabled, the action is
* simply run. The caller must have the {@code doUnchecked} runtime permission.
*
* @param parameter the parameter to pass to the action
* @param action the action to perform
* @param the action return type
* @param the action parameter type
* @return the return value of the action
* @throws PrivilegedActionException if the action threw an exception
*/
public static T doUnchecked(P parameter, ParametricPrivilegedExceptionAction action) throws PrivilegedActionException {
final SecurityManager sm = getSecurityManager();
if (sm instanceof WildFlySecurityManager) {
final Context ctx = CTX.get();
if (! ctx.checking) {
try {
return action.run(parameter);
} catch (Exception e) {
throw new PrivilegedActionException(e);
}
}
ctx.checking = false;
try {
if (sm != null) {
checkPDPermission(getCallerClass(1), doUncheckedPermission);
}
return action.run(parameter);
} catch (Exception e) {
throw new PrivilegedActionException(e);
} finally {
ctx.checking = true;
}
} else if (sm != null) {
// Just doPrivileged as the caller.
return doPrivilegedWithParameter(parameter, action, null);
}
try {
return action.run(parameter);
} catch (Exception e) {
throw new PrivilegedActionException(e);
}
}
/**
* Perform an action with permission checking disabled. If permission checking is already disabled, the action is
* simply run. The immediate caller must have the {@code doUnchecked} runtime permission.
*
* @param parameter the parameter to pass to the action
* @param action the action to perform
* @param context the access control context to use
* @param the action return type
* @param the action parameter type
* @return the return value of the action
*/
public static T doUnchecked(P parameter, ParametricPrivilegedAction action, AccessControlContext context) {
final SecurityManager sm = getSecurityManager();
if (sm instanceof WildFlySecurityManager) {
final Context ctx = CTX.get();
if (! ctx.checking) {
return doPrivilegedWithParameter(parameter, action, context);
}
ctx.checking = false;
try {
if (sm != null) {
checkPDPermission(getCallerClass(1), doUncheckedPermission);
}
return doPrivilegedWithParameter(parameter, action, context);
} finally {
ctx.checking = true;
}
}
return doPrivilegedWithParameter(parameter, action, context);
}
/**
* Perform an action with permission checking disabled. If permission checking is already disabled, the action is
* simply run. The caller must have the {@code doUnchecked} runtime permission.
*
* @param parameter the parameter to pass to the action
* @param action the action to perform
* @param context the access control context to use
* @param the action return type
* @param the action parameter type
* @return the return value of the action
* @throws PrivilegedActionException if the action threw an exception
*/
public static T doUnchecked(P parameter, ParametricPrivilegedExceptionAction action, AccessControlContext context) throws PrivilegedActionException {
final SecurityManager sm = getSecurityManager();
if (sm instanceof WildFlySecurityManager) {
final Context ctx = CTX.get();
if (! ctx.checking) {
return doPrivilegedWithParameter(parameter, action, context);
}
ctx.checking = false;
try {
if (sm != null) {
checkPDPermission(getCallerClass(1), doUncheckedPermission);
}
return doPrivilegedWithParameter(parameter, action, context);
} finally {
ctx.checking = true;
}
}
return doPrivilegedWithParameter(parameter, action, context);
}
private static void checkPropertyReadPermission(Class clazz, String propertyName) {
final ProtectionDomain protectionDomain;
final ClassLoader classLoader;
if (getSecurityManager() instanceof WildFlySecurityManager) {
protectionDomain = clazz.getProtectionDomain();
classLoader = clazz.getClassLoader();
} else {
protectionDomain = doPrivileged(new GetProtectionDomainAction(clazz));
classLoader = doPrivileged(new GetClassLoaderAction(clazz));
}
if (protectionDomain.implies(PROPERTIES_PERMISSION)) {
return;
}
final PropertyPermission permission = new PropertyPermission(propertyName, "read");
if (protectionDomain.implies(permission)) {
return;
}
access.accessCheckFailed(permission, protectionDomain.getCodeSource(), classLoader);
if (! LOG_ONLY) {
throw access.accessControlException(permission, permission, protectionDomain.getCodeSource(), classLoader);
}
}
private static void checkEnvPropertyReadPermission(Class clazz, String propertyName) {
final ProtectionDomain protectionDomain;
final ClassLoader classLoader;
if (getSecurityManager() instanceof WildFlySecurityManager) {
protectionDomain = clazz.getProtectionDomain();
classLoader = clazz.getClassLoader();
} else {
protectionDomain = doPrivileged(new GetProtectionDomainAction(clazz));
classLoader = doPrivileged(new GetClassLoaderAction(clazz));
}
if (protectionDomain.implies(ENVIRONMENT_PERMISSION)) {
return;
}
final RuntimePermission permission = new RuntimePermission("getenv." + propertyName);
if (protectionDomain.implies(permission)) {
return;
}
access.accessCheckFailed(permission, protectionDomain.getCodeSource(), classLoader);
if (! LOG_ONLY) {
throw access.accessControlException(permission, permission, protectionDomain.getCodeSource(), classLoader);
}
}
private static void checkPropertyWritePermission(Class clazz, String propertyName) {
final ProtectionDomain protectionDomain;
final ClassLoader classLoader;
if (getSecurityManager() instanceof WildFlySecurityManager) {
protectionDomain = clazz.getProtectionDomain();
classLoader = clazz.getClassLoader();
} else {
protectionDomain = doPrivileged(new GetProtectionDomainAction(clazz));
classLoader = doPrivileged(new GetClassLoaderAction(clazz));
}
if (protectionDomain.implies(PROPERTIES_PERMISSION)) {
return;
}
final PropertyPermission permission = new PropertyPermission(propertyName, "write");
if (protectionDomain.implies(permission)) {
return;
}
access.accessCheckFailed(permission, protectionDomain.getCodeSource(), classLoader);
if (! LOG_ONLY) {
throw access.accessControlException(permission, permission, protectionDomain.getCodeSource(), classLoader);
}
}
private static void checkPDPermission(Class clazz, Permission permission) {
final ProtectionDomain protectionDomain;
final ClassLoader classLoader;
if (getSecurityManager() instanceof WildFlySecurityManager) {
protectionDomain = clazz.getProtectionDomain();
classLoader = clazz.getClassLoader();
} else {
protectionDomain = doPrivileged(new GetProtectionDomainAction(clazz));
classLoader = doPrivileged(new GetClassLoaderAction(clazz));
}
if (protectionDomain.implies(permission)) {
return;
}
access.accessCheckFailed(permission, protectionDomain.getCodeSource(), classLoader);
if (! LOG_ONLY) {
throw access.accessControlException(permission, permission, protectionDomain.getCodeSource(), classLoader);
}
}
/**
* Get a property, doing a faster permission check that skips having to execute a privileged action frame.
*
* @param name the property name
* @param def the default value if the property is not found
* @return the property value, or the default value
*/
public static String getPropertyPrivileged(String name, String def) {
final SecurityManager sm = getSecurityManager();
if (sm instanceof WildFlySecurityManager) {
final Context ctx = CTX.get();
if (! ctx.checking) {
return getProperty(name, def);
}
ctx.checking = false;
try {
checkPropertyReadPermission(getCallerClass(1), name);
return getProperty(name, def);
} finally {
ctx.checking = true;
}
} else if (sm != null) {
AccessControlContext context = getCallerAccessControlContext();
return doPrivileged(new ReadPropertyAction(name, def), context);
}
return getProperty(name, def);
}
private static T def(T test, T def) {
return test == null ? def : test;
}
/**
* Get an environmental property, doing a faster permission check that skips having to execute a privileged action frame.
*
* @param name the property name
* @param def the default value if the property is not found
* @return the property value, or the default value
*/
public static String getEnvPropertyPrivileged(String name, String def) {
final SecurityManager sm = getSecurityManager();
if (sm instanceof WildFlySecurityManager) {
final Context ctx = CTX.get();
if (! ctx.checking) {
return def(getenv(name), def);
}
ctx.checking = false;
try {
checkEnvPropertyReadPermission(getCallerClass(1), name);
return def(getenv(name), def);
} finally {
ctx.checking = true;
}
} else if (sm != null) {
return doPrivileged(new ReadEnvironmentPropertyAction(name, def), getCallerAccessControlContext());
}
return getenv(name);
}
/**
* Set a property, doing a faster permission check that skips having to execute a privileged action frame.
*
* @param name the property name
* @param value the value ot set
* @return the previous property value, or {@code null} if there was none
*/
public static String setPropertyPrivileged(String name, String value) {
final SecurityManager sm = getSecurityManager();
if (sm instanceof WildFlySecurityManager) {
final Context ctx = CTX.get();
if (! ctx.checking) {
return setProperty(name, value);
}
ctx.checking = false;
try {
checkPropertyWritePermission(getCallerClass(1), name);
return setProperty(name, value);
} finally {
ctx.checking = true;
}
} else if (sm != null) {
return doPrivileged(new WritePropertyAction(name, value), getCallerAccessControlContext());
}
return setProperty(name, value);
}
/**
* Clear a property, doing a faster permission check that skips having to execute a privileged action frame.
*
* @param name the property name
* @return the previous property value, or {@code null} if there was none
*/
public static String clearPropertyPrivileged(String name) {
final SecurityManager sm = getSecurityManager();
if (sm instanceof WildFlySecurityManager) {
final Context ctx = CTX.get();
if (! ctx.checking) {
return clearProperty(name);
}
ctx.checking = false;
try {
checkPropertyWritePermission(getCallerClass(1), name);
return clearProperty(name);
} finally {
ctx.checking = true;
}
} else if (sm != null) {
return doPrivileged(new ClearPropertyAction(name), getCallerAccessControlContext());
}
return clearProperty(name);
}
/**
* Get the current thread's context class loader, doing a faster permission check that skips having to execute a
* privileged action frame.
*
* @return the context class loader
*/
public static ClassLoader getCurrentContextClassLoaderPrivileged() {
final SecurityManager sm = System.getSecurityManager();
if (sm instanceof WildFlySecurityManager) {
final Context ctx = CTX.get();
if (! ctx.checking) {
return currentThread().getContextClassLoader();
}
ctx.checking = false;
try {
checkPDPermission(getCallerClass(1), GET_CLASS_LOADER_PERMISSION);
return currentThread().getContextClassLoader();
} finally {
ctx.checking = true;
}
} else if (sm != null) {
return doPrivileged(GetContextClassLoaderAction.getInstance(), getCallerAccessControlContext());
}
return currentThread().getContextClassLoader();
}
/**
* Set the current thread's context class loader, doing a faster permission check that skips having to execute a
* privileged action frame.
*
* @param newClassLoader the new class loader to set
* @return the previously set context class loader
*/
public static ClassLoader setCurrentContextClassLoaderPrivileged(ClassLoader newClassLoader) {
final SecurityManager sm = System.getSecurityManager();
final Thread thread = currentThread();
if (sm instanceof WildFlySecurityManager) {
final Context ctx = CTX.get();
if (! ctx.checking) try {
return thread.getContextClassLoader();
} finally {
thread.setContextClassLoader(newClassLoader);
}
ctx.checking = false;
// separate try/finally to guarantee proper exception flow
try {
checkPDPermission(getCallerClass(1), SET_CLASS_LOADER_PERMISSION);
try {
return thread.getContextClassLoader();
} finally {
thread.setContextClassLoader(newClassLoader);
}
} finally {
ctx.checking = true;
}
} else if (sm != null) {
return doPrivileged(new SetContextClassLoaderAction(newClassLoader), ACC_CACHE.get(getCallerClass(1)));
}
try {
return thread.getContextClassLoader();
} finally {
thread.setContextClassLoader(newClassLoader);
}
}
/**
* Set the current thread's context class loader, doing a faster permission check that skips having to execute a
* privileged action frame.
*
* @param clazz the class whose class loader is the new class loader to set
* @return the previously set context class loader
*/
public static ClassLoader setCurrentContextClassLoaderPrivileged(final Class clazz) {
final SecurityManager sm = System.getSecurityManager();
final Thread thread = currentThread();
if (sm instanceof WildFlySecurityManager) {
final Context ctx = CTX.get();
if (! ctx.checking) try {
return thread.getContextClassLoader();
} finally {
thread.setContextClassLoader(clazz.getClassLoader());
}
ctx.checking = false;
// separate try/finally to guarantee proper exception flow
try {
final Class caller = getCallerClass(1);
checkPDPermission(caller, SET_CLASS_LOADER_PERMISSION);
checkPDPermission(caller, GET_CLASS_LOADER_PERMISSION);
try {
return thread.getContextClassLoader();
} finally {
thread.setContextClassLoader(clazz.getClassLoader());
}
} finally {
ctx.checking = true;
}
} else if (sm != null) {
return doPrivileged(new SetContextClassLoaderAction(clazz.getClassLoader()), getCallerAccessControlContext());
}
try {
return thread.getContextClassLoader();
} finally {
thread.setContextClassLoader(clazz.getClassLoader());
}
}
/**
* Get the system properties map, doing a faster permission check that skips having to execute a privileged action
* frame.
*
* @return the system property map
*/
public static Properties getSystemPropertiesPrivileged() {
final SecurityManager sm = System.getSecurityManager();
if (sm instanceof WildFlySecurityManager) {
final Context ctx = CTX.get();
if (! ctx.checking) {
return getProperties();
}
ctx.checking = false;
try {
checkPDPermission(getCallerClass(1), PROPERTIES_PERMISSION);
return getProperties();
} finally {
ctx.checking = true;
}
} else if (sm != null) {
return doPrivileged(GetSystemPropertiesAction.getInstance(), getCallerAccessControlContext());
}
return getProperties();
}
/**
* Get the system environment map, doing a faster permission check that skips having to execute a privileged action
* frame.
*
* @return the system environment map
*/
public static Map getSystemEnvironmentPrivileged() {
final SecurityManager sm = System.getSecurityManager();
if (sm instanceof WildFlySecurityManager) {
final Context ctx = CTX.get();
if (! ctx.checking) {
return getenv();
}
ctx.checking = false;
try {
checkPDPermission(getCallerClass(1), ENVIRONMENT_PERMISSION);
return getenv();
} finally {
ctx.checking = true;
}
} else if (sm != null) {
return doPrivileged(GetEnvironmentAction.getInstance(), getCallerAccessControlContext());
}
return getenv();
}
/**
* Get the class loader for a class, doing a faster permission check that skips having to execute a privileged action
* frame.
*
* @param clazz the class to check
* @return the class loader
*/
public static ClassLoader getClassLoaderPrivileged(Class clazz) {
final SecurityManager sm = System.getSecurityManager();
if (sm instanceof WildFlySecurityManager) {
final Context ctx = CTX.get();
if (! ctx.checking) {
return clazz.getClassLoader();
}
ctx.checking = false;
try {
checkPDPermission(getCallerClass(1), GET_CLASS_LOADER_PERMISSION);
return clazz.getClassLoader();
} finally {
ctx.checking = true;
}
} else if (sm != null) {
return doPrivileged(new GetClassLoaderAction(clazz), getCallerAccessControlContext());
}
return clazz.getClassLoader();
}
private static final ClassValue ACC_CACHE = new ClassValue() {
protected AccessControlContext computeValue(final Class type) {
final Context ctx = CTX.get();
assert ! ctx.entered;
ctx.entered = true;
try {
return new AccessControlContext(new ProtectionDomain[] { type.getProtectionDomain() });
} finally {
ctx.entered = false;
}
}
};
// Cannot be lambda due to JDK race conditions
@SuppressWarnings("Convert2Lambda")
private static final PrivilegedAction