/* * Copyright (c) 2013, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License version 2 only, as * published by the Free Software Foundation. Oracle designates this * particular file as subject to the "Classpath" exception as provided * by Oracle in the LICENSE file that accompanied this code. * * This code is distributed in the hope that it will be useful, but WITHOUT * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License * version 2 for more details (a copy is included in the LICENSE file that * accompanied this code). * * You should have received a copy of the GNU General Public License version * 2 along with this work; if not, write to the Free Software Foundation, * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. * * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA * or visit www.oracle.com if you need additional information or have any * questions. */ package java.net; import java.io.ObjectInputStream; import java.io.IOException; import java.util.List; import java.util.ArrayList; import java.util.Collections; import java.security.Permission; /** * Represents permission to access a resource or set of resources defined by a * given http or https url, and for a given set of user-settable request methods * and request headers. The name of the permission is the url string. * The actions string is a concatenation of the request methods and headers. * The range of method and header names is not restricted by this class. *

The url

* The url string is also used to instantiate a {@link URI} object which is * used for comparison with other HttpURLPermission instances. Therefore, any * references in this specification to url, mean this URI object. * The path component of the url comprises a sequence of path segments, separated * by '/' characters. The path is specified in a similar way to the path * in {@link java.io.FilePermission}. There are three different ways * as the following examples show: * * * * * * * * * * * * *
URL Examples
Example urlDescription
http://www.oracle.com/a/b/c.htmlA url which identifies a specific (single) resource
http://www.oracle.com/a/b/*The '*' character refers to all resources in the same "directory" - in * other words all resources with the same number of path components, and * which only differ in the final path component, represented by the '*'. *
http://www.oracle.com/a/b/-The '-' character refers to all resources recursively below the * preceding path (eg. http://www.oracle.com/a/b/c/d/e.html matches this * example). *
*

* The '*' and '-' may only be specified in the final segment of a path and must be * the only character in that segment. Any query or fragment components of the * url are ignored when constructing HttpURLPermissions. *

* As a special case, urls of the form, "http:*" or "https:*" are accepted to * mean any url of the given scheme. *

The actions string

* The actions string of a HttpURLPermission is a concatenation of the method list * and the request headers list. These are lists of the permitted HTTP request * methods and permitted request headers of the permission (respectively). The two lists * are separated by a colon ':' character and elements of each list are comma separated. * Some examples are: *

 *         "POST,GET,DELETE"
 *         "GET:X-Foo-Request,X-Bar-Request"
 *         "POST,GET:Header1,Header2"
 * 
* The first example specifies the methods: POST, GET and DELETE, but no request headers. * The second example specifies one request method and two headers. The third * example specifies two request methods, and two headers. *

* The colon separator need not be present if the request headers list is empty. * No white-space is permitted in the actions string. The action strings supplied to * the HttpURLPermission constructors are case-insensitive and are normalized by converting * method names to upper-case and header names to the form defines in RFC2616 (lower case * with initial letter of each word capitalized). Either list can contain a wild-card '*' * character which signifies all request methods or headers respectively. *

* Note. Depending on the context of use, some request methods and headers may be permitted * at all times, and others may not be permitted at any time. For example, the * HTTP protocol handler might disallow certain headers such as Content-Length * from being set by application code, regardless of whether the security policy * in force, permits it. * * @since 1.8 */ public final class HttpURLPermission extends Permission { private static final long serialVersionUID = -2702463814894478682L; private transient URI uri; private transient List methods; private transient List requestHeaders; // serialized field private String actions; /** * Creates a new HttpURLPermission from a url string and which permits the given * request methods and user-settable request headers. * The name of the permission is its url string. Only the scheme, authority * and path components of the url are used. Any fragment or query * components are ignored. The permissions action string is as specified above. * * @param url the url string * * @param actions the actions string * * @throws IllegalArgumentException if url does not result in a valid {@link URI}, * its scheme is not http or https, or if actions contains white-space. */ public HttpURLPermission(String url, String actions) { super(url); init(actions); } private void init(String actions) { URI uri = parseURI(getName()); int colon = actions.indexOf(':'); if (actions.lastIndexOf(':') != colon) { throw new IllegalArgumentException("invalid actions string"); } String methods, headers; if (colon == -1) { methods = actions; headers = ""; } else { methods = actions.substring(0, colon); headers = actions.substring(colon+1); } List l = normalizeMethods(methods); Collections.sort(l); this.methods = Collections.unmodifiableList(l); l = normalizeHeaders(headers); Collections.sort(l); this.requestHeaders = Collections.unmodifiableList(l); this.actions = actions(); this.uri = uri; } /** * Creates a HttpURLPermission with the given url string and unrestricted * methods and request headers by invoking the two argument * constructor as follows: HttpURLPermission(url, "*:*") * * @param url the url string * * @throws IllegalArgumentException if url does not result in a valid {@link URI} */ public HttpURLPermission(String url) { this(url, "*:*"); } /** * Returns the normalized method list and request * header list, in the form: *

     *      "method-names : header-names"
     * 
*

* where method-names is the list of methods separated by commas * and header-names is the list of permitted headers separated by commas. * There is no white space in the returned String. If header-names is empty * then the colon separator will not be present. */ public String getActions() { return actions; } /** * Checks if this HttpURLPermission implies the given permission. * Specifically, the following checks are done as if in the * following sequence: *

*

Some examples of how paths are matched are shown below: *

* * * * * * * * * *
Examples of Path Matching
this's pathp's pathmatch
/a/b/a/byes
/a/b/*/a/b/cyes
/a/b/*/a/b/c/dno
/a/b/-/a/b/c/dyes
/a/b/-/a/b/c/d/eyes
/a/b/-/a/b/c/*yes
/a/b/*/a/b/c/-no
*/ public boolean implies(Permission p) { if (! (p instanceof HttpURLPermission)) { return false; } HttpURLPermission that = (HttpURLPermission)p; if (!this.methods.get(0).equals("*") && Collections.indexOfSubList(this.methods, that.methods) == -1) { return false; } if (this.requestHeaders.isEmpty() && !that.requestHeaders.isEmpty()) { return false; } if (!this.requestHeaders.isEmpty() && !this.requestHeaders.get(0).equals("*") && Collections.indexOfSubList(this.requestHeaders, that.requestHeaders) == -1) { return false; } if (this.uri.equals(that.uri)) { return true; } if (!this.uri.getScheme().equals(that.uri.getScheme())) { return false; } if (this.uri.getSchemeSpecificPart().equals("*")) { return true; } String thisAuthority = this.uri.getAuthority(); if (thisAuthority != null && !thisAuthority.equals(that.uri.getAuthority())) { return false; } String thispath = this.uri.getPath(); String thatpath = that.uri.getPath(); if (thispath.endsWith("/-")) { String thisprefix = thispath.substring(0, thispath.length() - 1); return thatpath.startsWith(thisprefix); } if (thispath.endsWith("/*")) { String thisprefix = thispath.substring(0, thispath.length() - 1); if (!thatpath.startsWith(thisprefix)) { return false; } String thatsuffix = thatpath.substring(thisprefix.length()); // suffix must not contain '/' chars if (thatsuffix.indexOf('/') != -1) { return false; } if (thatsuffix.equals("-")) { return false; } return true; } return false; } /** * Returns true if, this.getActions().equals(p.getActions()) * and p's url equals this's url. Returns false otherwise. */ public boolean equals(Object p) { if (!(p instanceof HttpURLPermission)) { return false; } HttpURLPermission that = (HttpURLPermission)p; return this.getActions().equals(that.getActions()) && this.uri.equals(that.uri); } /** * Returns a hashcode calculated from the hashcode of the * actions String and the url */ public int hashCode() { return getActions().hashCode() + uri.hashCode(); } private List normalizeMethods(String methods) { List l = new ArrayList<>(); StringBuilder b = new StringBuilder(); for (int i=0; i 0) l.add(s); b = new StringBuilder(); } else if (c == ' ' || c == '\t') { throw new IllegalArgumentException("white space not allowed"); } else { if (c >= 'a' && c <= 'z') { c += 'A' - 'a'; } b.append(c); } } String s = b.toString(); if (s.length() > 0) l.add(s); return l; } private List normalizeHeaders(String headers) { List l = new ArrayList<>(); StringBuilder b = new StringBuilder(); boolean capitalizeNext = true; for (int i=0; i= 'a' && c <= 'z') { if (capitalizeNext) { c += 'A' - 'a'; capitalizeNext = false; } b.append(c); } else if (c == ' ' || c == '\t') { throw new IllegalArgumentException("white space not allowed"); } else if (c == '-') { capitalizeNext = true; b.append(c); } else if (c == ',') { String s = b.toString(); if (s.length() > 0) l.add(s); b = new StringBuilder(); capitalizeNext = true; } else { capitalizeNext = false; b.append(c); } } String s = b.toString(); if (s.length() > 0) l.add(s); return l; } private URI parseURI(String url) { URI u = URI.create(url); String scheme = u.getScheme(); if (!(scheme.equalsIgnoreCase("http") || scheme.equalsIgnoreCase("https"))) { throw new IllegalArgumentException ("unexpected URL scheme"); } if (!u.getSchemeSpecificPart().equals("*")) { u = URI.create(scheme + "://" + u.getRawAuthority() + u.getRawPath()); } return u; } private String actions() { StringBuilder b = new StringBuilder(); for (String s : methods) { b.append(s); } b.append(":"); for (String s : requestHeaders) { b.append(s); } return b.toString(); } /** * restore the state of this object from stream */ private void readObject(ObjectInputStream s) throws IOException, ClassNotFoundException { ObjectInputStream.GetField fields = s.readFields(); String actions = (String)fields.get("actions", null); init(actions); } }