/* -*- Mode: java; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 4 -*-
*
* ***** BEGIN LICENSE BLOCK *****
* Version: MPL 1.1/GPL 2.0
*
* The contents of this file are subject to the Mozilla Public License Version
* 1.1 (the "License"); you may not use this file except in compliance with
* the License. You may obtain a copy of the License at
* http://www.mozilla.org/MPL/
*
* Software distributed under the License is distributed on an "AS IS" basis,
* WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
* for the specific language governing rights and limitations under the
* License.
*
* The Original Code is Rhino code, released
* May 6, 1999.
*
* The Initial Developer of the Original Code is
* Netscape Communications Corporation.
* Portions created by the Initial Developer are Copyright (C) 1997-1999
* the Initial Developer. All Rights Reserved.
*
* Contributor(s):
* Norris Boyd
* Igor Bukanov
*
* Alternatively, the contents of this file may be used under the terms of
* the GNU General Public License Version 2 or later (the "GPL"), in which
* case the provisions of the GPL are applicable instead of those above. If
* you wish to allow use of your version of this file only under the terms of
* the GPL and not to allow others to use your version of this file under the
* MPL, indicate your decision by deleting the provisions above and replacing
* them with the notice and other provisions required by the GPL. If you do
* not delete the provisions above, a recipient may use your version of this
* file under either the MPL or the GPL.
*
* ***** END LICENSE BLOCK ***** */
// API class
package org.mozilla.javascript;
/**
* This class describes the support needed to implement security.
* <p>
* Three main pieces of functionality are required to implement
* security for JavaScript. First, it must be possible to define
* classes with an associated security domain. (This security
* domain may be any object incorporating notion of access
* restrictions that has meaning to an embedding; for a client-side
* JavaScript embedding this would typically be
* java.security.ProtectionDomain or similar object depending on an
* origin URL and/or a digital certificate.)
* Next it must be possible to get a security domain object that
* allows a particular action only if all security domains
* associated with code on the current Java stack allows it. And
* finally, it must be possible to execute script code with
* associated security domain injected into Java stack.
* <p>
* These three pieces of functionality are encapsulated in the
* SecurityController class.
*
* @see org.mozilla.javascript.Context#setSecurityController(SecurityController)
* @see java.lang.ClassLoader
* @since 1.5 Release 4
*/
public abstract class SecurityController
{
private static SecurityController global;
// The method must NOT be public or protected
static SecurityController global()
{
return global;
}
/**
* Check if global {@link SecurityController} was already installed.
* @see #initGlobal(SecurityController controller)
*/
public static boolean hasGlobal()
{
return global != null;
}
/**
* Initialize global controller that will be used for all
* security-related operations. The global controller takes precedence
* over already installed {@link Context}-specific controllers and cause
* any subsequent call to
* {@link Context#setSecurityController(SecurityController)}
* to throw an exception.
* <p>
* The method can only be called once.
*
* @see #hasGlobal()
*/
public static void initGlobal(SecurityController controller)
{
if (controller == null) throw new IllegalArgumentException();
if (global != null) {
throw new SecurityException("Cannot overwrite already installed global SecurityController");
}
global = controller;
}
/**
* Get class loader-like object that can be used
* to define classes with the given security context.
* @param parentLoader parent class loader to delegate search for classes
* not defined by the class loader itself
* @param securityDomain some object specifying the security
* context of the code that is defined by the returned class loader.
*/
public abstract GeneratedClassLoader createClassLoader(
ClassLoader parentLoader, Object securityDomain);
/**
* Create {@link GeneratedClassLoader} with restrictions imposed by
* staticDomain and all current stack frames.
* The method uses the SecurityController instance associated with the
* current {@link Context} to construct proper dynamic domain and create
* corresponding class loader.
* <par>
* If no SecurityController is associated with the current {@link Context} ,
* the method calls {@link Context#createClassLoader(ClassLoader parent)}.
*
* @param parent parent class loader. If null,
* {@link Context#getApplicationClassLoader()} will be used.
* @param staticDomain static security domain.
*/
public static GeneratedClassLoader createLoader(
ClassLoader parent, Object staticDomain)
{
Context cx = Context.getContext();
if (parent == null) {
parent = cx.getApplicationClassLoader();
}
SecurityController sc = cx.getSecurityController();
GeneratedClassLoader loader;
if (sc == null) {
loader = cx.createClassLoader(parent);
} else {
Object dynamicDomain = sc.getDynamicSecurityDomain(staticDomain);
loader = sc.createClassLoader(parent, dynamicDomain);
}
return loader;
}
public static Class getStaticSecurityDomainClass() {
SecurityController sc = Context.getContext().getSecurityController();
return sc == null ? null : sc.getStaticSecurityDomainClassInternal();
}
public Class getStaticSecurityDomainClassInternal()
{
return null;
}
/**
* Get dynamic security domain that allows an action only if it is allowed
* by the current Java stack and <i>securityDomain</i>. If
* <i>securityDomain</i> is null, return domain representing permissions
* allowed by the current stack.
*/
public abstract Object getDynamicSecurityDomain(Object securityDomain);
/**
* Call {@link
* Callable#call(Context cx, Scriptable scope, Scriptable thisObj,
* Object[] args)}
* of <i>callable</i> under restricted security domain where an action is
* allowed only if it is allowed according to the Java stack on the
* moment of the <i>execWithDomain</i> call and <i>securityDomain</i>.
* Any call to {@link #getDynamicSecurityDomain(Object)} during
* execution of <tt>callable.call(cx, scope, thisObj, args)</tt>
* should return a domain incorporate restrictions imposed by
* <i>securityDomain</i> and Java stack on the moment of callWithDomain
* invocation.
* <p>
* The method should always be overridden, it is not declared abstract
* for compatibility reasons.
*/
public Object callWithDomain(Object securityDomain, Context cx,
final Callable callable, Scriptable scope,
final Scriptable thisObj, final Object[] args)
{
return execWithDomain(cx, scope, new Script()
{
public Object exec(Context cx, Scriptable scope)
{
return callable.call(cx, scope, thisObj, args);
}
}, securityDomain);
}
/**
* @deprecated The application should not override this method and instead
* override
* {@link #callWithDomain(Object securityDomain, Context cx, Callable callable, Scriptable scope, Scriptable thisObj, Object[] args)}.
*/
public Object execWithDomain(Context cx, Scriptable scope,
Script script, Object securityDomain)
{
throw new IllegalStateException("callWithDomain should be overridden");
}
}