The url
* The url string is also used to instantiate a {@link URI} object which is * used for comparison with other HttpURLPermission instances. Therefore, any * references in this specification to url, mean this URI object. * The path component of the url comprises a sequence of path segments, separated * by '/' characters. The path is specified in a similar way to the path * in {@link java.io.FilePermission}. There are three different ways * as the following examples show: *
| Example url | Description |
|---|---|
| http://www.oracle.com/a/b/c.html | *A url which identifies a specific (single) resource | *
| http://www.oracle.com/a/b/* | *The '*' character refers to all resources in the same "directory" - in * other words all resources with the same number of path components, and * which only differ in the final path component, represented by the '*'. * | *
| http://www.oracle.com/a/b/- | *The '-' character refers to all resources recursively below the * preceding path (eg. http://www.oracle.com/a/b/c/d/e.html matches this * example). * | *
* The '*' and '-' may only be specified in the final segment of a path and must be * the only character in that segment. Any query or fragment components of the * url are ignored when constructing HttpURLPermissions. *
* As a special case, urls of the form, "http:*" or "https:*" are accepted to * mean any url of the given scheme. *
The actions string
* The actions string of a HttpURLPermission is a concatenation of the method list * and the request headers list. These are lists of the permitted HTTP request * methods and permitted request headers of the permission (respectively). The two lists * are separated by a colon ':' character and elements of each list are comma separated. * Some examples are: *
* "POST,GET,DELETE" * "GET:X-Foo-Request,X-Bar-Request" * "POST,GET:Header1,Header2" ** The first example specifies the methods: POST, GET and DELETE, but no request headers. * The second example specifies one request method and two headers. The third * example specifies two request methods, and two headers. *
* The colon separator need not be present if the request headers list is empty. * No white-space is permitted in the actions string. The action strings supplied to * the HttpURLPermission constructors are case-insensitive and are normalized by converting * method names to upper-case and header names to the form defines in RFC2616 (lower case * with initial letter of each word capitalized). Either list can contain a wild-card '*' * character which signifies all request methods or headers respectively. *
* Note. Depending on the context of use, some request methods and headers may be permitted
* at all times, and others may not be permitted at any time. For example, the
* HTTP protocol handler might disallow certain headers such as Content-Length
* from being set by application code, regardless of whether the security policy
* in force, permits it.
*
* @since 1.8
*/
public final class HttpURLPermission extends Permission {
private static final long serialVersionUID = -2702463814894478682L;
private transient URI uri;
private transient List
* where method-names is the list of methods separated by commas
* and header-names is the list of permitted headers separated by commas.
* There is no white space in the returned String. If header-names is empty
* then the colon separator will not be present.
*/
public String getActions() {
return actions;
}
/**
* Checks if this HttpURLPermission implies the given permission.
* Specifically, the following checks are done as if in the
* following sequence:
* Some examples of how paths are matched are shown below:
*
* "method-names : header-names"
*
*
*
*
*
*/
public boolean implies(Permission p) {
if (! (p instanceof HttpURLPermission)) {
return false;
}
HttpURLPermission that = (HttpURLPermission)p;
if (!this.methods.get(0).equals("*") &&
Collections.indexOfSubList(this.methods, that.methods) == -1) {
return false;
}
if (this.requestHeaders.isEmpty() && !that.requestHeaders.isEmpty()) {
return false;
}
if (!this.requestHeaders.isEmpty() &&
!this.requestHeaders.get(0).equals("*") &&
Collections.indexOfSubList(this.requestHeaders,
that.requestHeaders) == -1) {
return false;
}
if (this.uri.equals(that.uri)) {
return true;
}
if (!this.uri.getScheme().equals(that.uri.getScheme())) {
return false;
}
if (this.uri.getSchemeSpecificPart().equals("*")) {
return true;
}
String thisAuthority = this.uri.getAuthority();
if (thisAuthority != null &&
!thisAuthority.equals(that.uri.getAuthority())) {
return false;
}
String thispath = this.uri.getPath();
String thatpath = that.uri.getPath();
if (thispath.endsWith("/-")) {
String thisprefix = thispath.substring(0, thispath.length() - 1);
return thatpath.startsWith(thisprefix);
}
if (thispath.endsWith("/*")) {
String thisprefix = thispath.substring(0, thispath.length() - 1);
if (!thatpath.startsWith(thisprefix)) {
return false;
}
String thatsuffix = thatpath.substring(thisprefix.length());
// suffix must not contain '/' chars
if (thatsuffix.indexOf('/') != -1) {
return false;
}
if (thatsuffix.equals("-")) {
return false;
}
return true;
}
return false;
}
/**
* Returns true if, this.getActions().equals(p.getActions())
* and p's url equals this's url. Returns false otherwise.
*/
public boolean equals(Object p) {
if (!(p instanceof HttpURLPermission)) {
return false;
}
HttpURLPermission that = (HttpURLPermission)p;
return this.getActions().equals(that.getActions()) &&
this.uri.equals(that.uri);
}
/**
* Returns a hashcode calculated from the hashcode of the
* actions String and the url
*/
public int hashCode() {
return getActions().hashCode() + uri.hashCode();
}
private Listthis's path p's path match /a/b /a/b yes /a/b/* /a/b/c yes /a/b/* /a/b/c/d no /a/b/- /a/b/c/d yes /a/b/- /a/b/c/d/e yes /a/b/- /a/b/c/* yes /a/b/* /a/b/c/- no