/* -*- Mode: java; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 4 -*- * * ***** BEGIN LICENSE BLOCK ***** * Version: MPL 1.1/GPL 2.0 * * The contents of this file are subject to the Mozilla Public License Version * 1.1 (the "License"); you may not use this file except in compliance with * the License. You may obtain a copy of the License at * http://www.mozilla.org/MPL/ * * Software distributed under the License is distributed on an "AS IS" basis, * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License * for the specific language governing rights and limitations under the * License. * * The Original Code is Rhino code, released * May 6, 1999. * * The Initial Developer of the Original Code is * Netscape Communications Corporation. * Portions created by the Initial Developer are Copyright (C) 1997-1999 * the Initial Developer. All Rights Reserved. * * Contributor(s): * Norris Boyd * Igor Bukanov * * Alternatively, the contents of this file may be used under the terms of * the GNU General Public License Version 2 or later (the "GPL"), in which * case the provisions of the GPL are applicable instead of those above. If * you wish to allow use of your version of this file only under the terms of * the GPL and not to allow others to use your version of this file under the * MPL, indicate your decision by deleting the provisions above and replacing * them with the notice and other provisions required by the GPL. If you do * not delete the provisions above, a recipient may use your version of this * file under either the MPL or the GPL. * * ***** END LICENSE BLOCK ***** */ // API class package org.mozilla.javascript; /** * This class describes the support needed to implement security. *

* Three main pieces of functionality are required to implement * security for JavaScript. First, it must be possible to define * classes with an associated security domain. (This security * domain may be any object incorporating notion of access * restrictions that has meaning to an embedding; for a client-side * JavaScript embedding this would typically be * java.security.ProtectionDomain or similar object depending on an * origin URL and/or a digital certificate.) * Next it must be possible to get a security domain object that * allows a particular action only if all security domains * associated with code on the current Java stack allows it. And * finally, it must be possible to execute script code with * associated security domain injected into Java stack. *

* These three pieces of functionality are encapsulated in the * SecurityController class. * * @see org.mozilla.javascript.Context#setSecurityController(SecurityController) * @see java.lang.ClassLoader * @since 1.5 Release 4 */ public abstract class SecurityController { private static SecurityController global; // The method must NOT be public or protected static SecurityController global() { return global; } /** * Check if global {@link SecurityController} was already installed. * @see #initGlobal(SecurityController controller) */ public static boolean hasGlobal() { return global != null; } /** * Initialize global controller that will be used for all * security-related operations. The global controller takes precedence * over already installed {@link Context}-specific controllers and cause * any subsequent call to * {@link Context#setSecurityController(SecurityController)} * to throw an exception. *

* The method can only be called once. * * @see #hasGlobal() */ public static void initGlobal(SecurityController controller) { if (controller == null) throw new IllegalArgumentException(); if (global != null) { throw new SecurityException("Cannot overwrite already installed global SecurityController"); } global = controller; } /** * Get class loader-like object that can be used * to define classes with the given security context. * @param parentLoader parent class loader to delegate search for classes * not defined by the class loader itself * @param securityDomain some object specifying the security * context of the code that is defined by the returned class loader. */ public abstract GeneratedClassLoader createClassLoader( ClassLoader parentLoader, Object securityDomain); /** * Create {@link GeneratedClassLoader} with restrictions imposed by * staticDomain and all current stack frames. * The method uses the SecurityController instance associated with the * current {@link Context} to construct proper dynamic domain and create * corresponding class loader. * * If no SecurityController is associated with the current {@link Context} , * the method calls {@link Context#createClassLoader(ClassLoader parent)}. * * @param parent parent class loader. If null, * {@link Context#getApplicationClassLoader()} will be used. * @param staticDomain static security domain. */ public static GeneratedClassLoader createLoader( ClassLoader parent, Object staticDomain) { Context cx = Context.getContext(); if (parent == null) { parent = cx.getApplicationClassLoader(); } SecurityController sc = cx.getSecurityController(); GeneratedClassLoader loader; if (sc == null) { loader = cx.createClassLoader(parent); } else { Object dynamicDomain = sc.getDynamicSecurityDomain(staticDomain); loader = sc.createClassLoader(parent, dynamicDomain); } return loader; } public static Class getStaticSecurityDomainClass() { SecurityController sc = Context.getContext().getSecurityController(); return sc == null ? null : sc.getStaticSecurityDomainClassInternal(); } public Class getStaticSecurityDomainClassInternal() { return null; } /** * Get dynamic security domain that allows an action only if it is allowed * by the current Java stack and securityDomain. If * securityDomain is null, return domain representing permissions * allowed by the current stack. */ public abstract Object getDynamicSecurityDomain(Object securityDomain); /** * Call {@link * Callable#call(Context cx, Scriptable scope, Scriptable thisObj, * Object[] args)} * of callable under restricted security domain where an action is * allowed only if it is allowed according to the Java stack on the * moment of the execWithDomain call and securityDomain. * Any call to {@link #getDynamicSecurityDomain(Object)} during * execution of callable.call(cx, scope, thisObj, args) * should return a domain incorporate restrictions imposed by * securityDomain and Java stack on the moment of callWithDomain * invocation. *

* The method should always be overridden, it is not declared abstract * for compatibility reasons. */ public Object callWithDomain(Object securityDomain, Context cx, final Callable callable, Scriptable scope, final Scriptable thisObj, final Object[] args) { return execWithDomain(cx, scope, new Script() { public Object exec(Context cx, Scriptable scope) { return callable.call(cx, scope, thisObj, args); } }, securityDomain); } /** * @deprecated The application should not override this method and instead * override * {@link #callWithDomain(Object securityDomain, Context cx, Callable callable, Scriptable scope, Scriptable thisObj, Object[] args)}. */ public Object execWithDomain(Context cx, Scriptable scope, Script script, Object securityDomain) { throw new IllegalStateException("callWithDomain should be overridden"); } }