java.net
Class SocketPermission

java.lang.Object
  java.security.Permission
      java.net.SocketPermission

All Implemented Interfaces:

java.security.Guard, Serializable

public final class SocketPermission

extends java.security.Permission

implements Serializable

This class represents access to a network via sockets. A SocketPermission consists of a host specification and a set of "actions" specifying ways to connect to that host. The host is specified as

    host = (hostname | IPv4address | iPv6reference) [:portrange]
    portrange = portnumber | -portnumber | portnumber-[portnumber]
 

The host is expressed as a DNS name, as a numerical IP address, or as "localhost" (for the local machine). The wildcard "*" may be included once in a DNS name host specification. If it is included, it must be in the leftmost position, as in "*.sun.com".

The format of the IPv6reference should follow that specified in RFC 2732: Format for Literal IPv6 Addresses in URLs:

    ipv6reference = "[" IPv6address "]"

For example, you can construct a SocketPermission instance as the following:

    String hostAddress = inetaddress.getHostAddress();
    if (inetaddress instanceof Inet6Address) {
        sp = new SocketPermission("[" + hostAddress + "]:" + port, action);
    } else {
        sp = new SocketPermission(hostAddress + ":" + port, action);
    }
 

or

    String host = url.getHost();
    sp = new SocketPermission(host + ":" + port, action);
 

The full uncompressed form of an IPv6 literal address is also valid.

The port or portrange is optional. A port specification of the form "N-", where N is a port number, signifies all ports numbered N and above, while a specification of the form "-N" indicates all ports numbered N and below.

The possible ways to connect to the host are

 accept
 connect
 listen
 resolve
 

The "listen" action is only meaningful when used with "localhost". The "resolve" action is implied when any of the other actions are present. The action "resolve" refers to host/ip name service lookups.

As an example of the creation and meaning of SocketPermissions, note that if the following permission:

   p1 = new SocketPermission("puffin.eng.sun.com:7777", "connect,accept");
 

is granted to some code, it allows that code to connect to port 7777 on puffin.eng.sun.com, and to accept connections on that port.

Similarly, if the following permission:

   p1 = new SocketPermission("puffin.eng.sun.com:7777", "connect,accept");
   p2 = new SocketPermission("localhost:1024-", "accept,connect,listen");
 

is granted to some code, it allows that code to accept connections on, connect to, or listen on any port between 1024 and 65535 on the local host.

Note: Granting code permission to accept or make connections to remote hosts may be dangerous because malevolent code can then more easily transfer and share confidential data among parties who may not otherwise have access to the data.

Author:

Marianne Mueller, Roland Schemers

See Also:

Permissions, SocketPermission

Field Summary

private static int	ACCEPT Accept a connection from host:port
private String	actions the actions string.
private InetAddress[]	addresses
private static int	ALL All actions
private String	cname
private static int	CONNECT Connect to host:port
private String	hostname
private boolean	init_with_ip
private boolean	invalid
private static int	LISTEN Listen on host:port
private int	mask
private static int	NONE No actions
private static int	PORT_MAX
private static int	PORT_MIN
private int[]	portrange
private static int	PRIV_PORT_MAX
private static int	RESOLVE Resolve DNS queries
private static long	serialVersionUID
private static boolean	trustProxy
private boolean	wildcard

Fields inherited from class java.security.Permission

Constructor Summary

(package private)	SocketPermission(String host, int mask)
	SocketPermission(String host, String action) Creates a new SocketPermission object with the specified actions.

Method Summary

boolean	equals(Object obj) Checks two SocketPermission objects for equality.
String	getActions() Returns the canonical string representation of the actions.
private static String	getActions(int mask) Returns the "canonical string representation" of the actions in the specified mask.
(package private) void	getCanonName() attempt to get the fully qualified domain name
private static String	getHost(String host)
(package private) void	getIP() get IP addresses.
(package private) int	getMask() Return the current action mask.
private static int	getMask(String action) Convert an action string to an integer actions mask.
int	hashCode() Returns the hash code value for this object.
boolean	implies(java.security.Permission p) Checks if this socket permission object "implies" the specified permission.
(package private) boolean	impliesIgnoreMask(SocketPermission that) Checks if the incoming Permission's action are a proper subset of the this object's actions.
private void	init(String host, int mask) Initialize the SocketPermission object.
private boolean	inProxyWeTrust(SocketPermission that)
java.security.PermissionCollection	newPermissionCollection() Returns a new PermissionCollection object for storing SocketPermission objects.
private int[]	parsePort(String port)
private void	readObject(ObjectInputStream s) readObject is called to restore the state of the SocketPermission from a stream.
private void	writeObject(ObjectOutputStream s) WriteObject is called to save the state of the SocketPermission to a stream.

Methods inherited from class java.security.Permission

checkGuard, getName, toString

Methods inherited from class java.lang.Object

clone, finalize, getClass, notify, notifyAll, wait, wait, wait

Field Detail

serialVersionUID

private static final long serialVersionUID

See Also:

Constant Field Values

CONNECT

private static final int CONNECT

Connect to host:port

See Also:

Constant Field Values

LISTEN

private static final int LISTEN

Listen on host:port

See Also:

Constant Field Values

ACCEPT

private static final int ACCEPT

Accept a connection from host:port

See Also:

Constant Field Values

RESOLVE

private static final int RESOLVE

Resolve DNS queries

See Also:

Constant Field Values

NONE

private static final int NONE

No actions

See Also:

Constant Field Values

ALL

private static final int ALL

All actions

See Also:

Constant Field Values

PORT_MIN

private static final int PORT_MIN

See Also:

Constant Field Values

PORT_MAX

private static final int PORT_MAX

See Also:

Constant Field Values

PRIV_PORT_MAX

private static final int PRIV_PORT_MAX

See Also:

Constant Field Values

mask

private transient int mask

actions

private String actions

the actions string.

hostname

private transient String hostname

cname

private transient String cname

addresses

private transient InetAddress[] addresses

wildcard

private transient boolean wildcard

init_with_ip

private transient boolean init_with_ip

invalid

private transient boolean invalid

portrange

private transient int[] portrange

trustProxy

private static boolean trustProxy

Constructor Detail

SocketPermission

public SocketPermission(String host,
                        String action)

Creates a new SocketPermission object with the specified actions. The host is expressed as a DNS name, or as a numerical IP address. Optionally, a port or a portrange may be supplied (separated from the DNS name or IP address by a colon).

To specify the local machine, use "localhost" as the host. Also note: An empty host String ("") is equivalent to "localhost".

The actions parameter contains a comma-separated list of the actions granted for the specified host (and port(s)). Possible actions are "connect", "listen", "accept", "resolve", or any combination of those. "resolve" is automatically added when any of the other three are specified.

Examples of SocketPermission instantiation are the following:

    nr = new SocketPermission("www.catalog.com", "connect");
    nr = new SocketPermission("www.sun.com:80", "connect");
    nr = new SocketPermission("*.sun.com", "connect");
    nr = new SocketPermission("*.edu", "resolve");
    nr = new SocketPermission("204.160.241.0", "connect");
    nr = new SocketPermission("localhost:1024-65535", "listen");
    nr = new SocketPermission("204.160.241.0:1024-65535", "connect");
 

Parameters:

host - the hostname or IPaddress of the computer, optionally including a colon followed by a port or port range.

action - the action string.

SocketPermission

SocketPermission(String host,
                 int mask)

Method Detail

getHost

private static String getHost(String host)

parsePort

private int[] parsePort(String port)
                 throws Exception

Throws:

Exception

init

private void init(String host,
                  int mask)

Initialize the SocketPermission object. We don't do any DNS lookups as this point, instead we hold off until the implies method is called.

getMask

private static int getMask(String action)

Convert an action string to an integer actions mask.

Parameters:

action - the action string

Returns:

the action mask

getCanonName

void getCanonName()
            throws UnknownHostException

attempt to get the fully qualified domain name

Throws:

UnknownHostException

getIP

void getIP()
     throws UnknownHostException

get IP addresses. Sets invalid to true if we can't get them.

Throws:

UnknownHostException

implies

public boolean implies(java.security.Permission p)

Checks if this socket permission object "implies" the specified permission.

More specifically, this method first ensures that all of the following are true (and returns false if any of them are not):

• p is an instanceof SocketPermission,

• p's actions are a proper subset of this object's actions, and

• p's port range is included in this port range. Note: port range is ignored when p only contains the action, 'resolve'.

Then implies checks each of the following, in order, and for each returns true if the stated condition is true:

• If this object was initialized with a single IP address and one of p's IP addresses is equal to this object's IP address.

• If this object is a wildcard domain (such as *.sun.com), and p's canonical name (the name without any preceding *) ends with this object's canonical host name. For example, *.sun.com implies *.eng.sun.com..

• If this object was not initialized with a single IP address, and one of this object's IP addresses equals one of p's IP addresses.

• If this canonical name equals p's canonical name.

If none of the above are true, implies returns false.

Parameters:

p - the permission to check against.

Returns:

true if the specified permission is implied by this object, false if not.

impliesIgnoreMask

boolean impliesIgnoreMask(SocketPermission that)

Checks if the incoming Permission's action are a proper subset of the this object's actions.

Check, in the following order:

• Checks that "p" is an instanceof a SocketPermission
• Checks that "p"'s actions are a proper subset of the current object's actions.
• Checks that "p"'s port range is included in this port range
• If this object was initialized with an IP address, checks that one of "p"'s IP addresses is equal to this object's IP address.
• If either object is a wildcard domain (i.e., "*.sun.com"), attempt to match based on the wildcard.
• If this object was not initialized with an IP address, attempt to find a match based on the IP addresses in both objects.
• Attempt to match on the canonical hostnames of both objects.

Returns:

true if "permission" is a proper subset of the current object, false if not.

inProxyWeTrust

private boolean inProxyWeTrust(SocketPermission that)

equals

public boolean equals(Object obj)

Checks two SocketPermission objects for equality.

Parameters:

obj - the object to test for equality with this object.

Returns:

true if obj is a SocketPermission, and has the same hostname, port range, and actions as this SocketPermission object. However, port range will be ignored in the comparison if obj only contains the action, 'resolve'.

hashCode

public int hashCode()

Returns the hash code value for this object.

Returns:

a hash code value for this object.

getMask

int getMask()

Return the current action mask.

Returns:

the actions mask.

getActions

private static String getActions(int mask)

Returns the "canonical string representation" of the actions in the specified mask. Always returns present actions in the following order: connect, listen, accept, resolve.

Parameters:

mask - a specific integer action mask to translate into a string

Returns:

the canonical string representation of the actions

getActions

public String getActions()

Returns the canonical string representation of the actions. Always returns present actions in the following order: connect, listen, accept, resolve.

Returns:

the canonical string representation of the actions.

newPermissionCollection

public java.security.PermissionCollection newPermissionCollection()

Returns a new PermissionCollection object for storing SocketPermission objects.

SocketPermission objects must be stored in a manner that allows them to be inserted into the collection in any order, but that also enables the PermissionCollection implies method to be implemented in an efficient (and consistent) manner.

Returns:

a new PermissionCollection object suitable for storing SocketPermissions.

writeObject

private void writeObject(ObjectOutputStream s)
                  throws IOException

WriteObject is called to save the state of the SocketPermission to a stream. The actions are serialized, and the superclass takes care of the name.

Throws:

IOException

readObject

private void readObject(ObjectInputStream s)
                 throws IOException,
                        ClassNotFoundException

readObject is called to restore the state of the SocketPermission from a stream.

Throws:

IOException

ClassNotFoundException