vhardy 02/05/07 02:00:07
Modified: sources/org/apache/batik/util
ApplicationSecurityEnforcer.java
sources/org/apache/batik/script/rhino
BatikSecuritySupport.java
Added: sources/org/apache/batik/util BatikSecurityManager.java
Log:
Added implementation for the getClassContext method in BatikSecuritySupport for Rhino
Revision Changes Path
1.4 +7 -3
xml-batik/sources/org/apache/batik/util/ApplicationSecurityEnforcer.java
Index: ApplicationSecurityEnforcer.java
===================================================================
RCS file:
/home/cvs/xml-batik/sources/org/apache/batik/util/ApplicationSecurityEnforcer.java,v
retrieving revision 1.3
retrieving revision 1.4
diff -u -r1.3 -r1.4
--- ApplicationSecurityEnforcer.java 7 May 2002 07:17:11 -0000 1.3
+++ ApplicationSecurityEnforcer.java 7 May 2002 09:00:06 -0000 1.4
@@ -25,7 +25,7 @@
* <br />
*
* @author <a mailto="[EMAIL PROTECTED]">Vincent Hardy</a>
- * @version $Id: ApplicationSecurityEnforcer.java,v 1.3 2002/05/07 07:17:11 hillion
Exp $
+ * @version $Id: ApplicationSecurityEnforcer.java,v 1.4 2002/05/07 09:00:06 vhardy
Exp $
*/
public class ApplicationSecurityEnforcer {
/**
@@ -104,7 +104,7 @@
/**
* Keeps track of the last SecurityManager installed
*/
- protected SecurityManager lastSecurityManagerInstalled;
+ protected BatikSecurityManager lastSecurityManagerInstalled;
/**
* @param appClass class of the applications's main entry point
@@ -148,11 +148,13 @@
// We want to install a SecurityManager.
if (sm == null) {
installSecurityManager();
+ System.err.println("installed SecurityManager");
}
} else {
if (sm != null) {
System.setSecurityManager(null);
lastSecurityManagerInstalled = null;
+ System.err.println("Removed SecurityManager");
}
}
}
@@ -162,7 +164,7 @@
*/
public void installSecurityManager(){
Policy policy = Policy.getPolicy();
- SecurityManager securityManager = new SecurityManager();
+ BatikSecurityManager securityManager = new BatikSecurityManager();
// Specify app's security policy in the
// system property.
@@ -209,6 +211,8 @@
// Forces re-loading of the security policy
policy.refresh();
+
+ System.out.println("Enforcing secure script execution");
}
private void setJarBase(String expandedMainClassName){
1.1
xml-batik/sources/org/apache/batik/util/BatikSecurityManager.java
Index: BatikSecurityManager.java
===================================================================
/*****************************************************************************
* Copyright (C) The Apache Software Foundation. All rights reserved. *
* ------------------------------------------------------------------------- *
* This software is published under the terms of the Apache Software License *
* version 1.1, a copy of which has been included with this distribution in *
* the LICENSE file. *
*****************************************************************************/
package org.apache.batik.util;
/**
* This <tt>SecurityManager</tt> extension exposes the <tt>getClassContext</tt>
* method so that it can be used by the <tt>BatikSecuritySupport</tt> or other
* security related class.
*
* @author <a mailto="[EMAIL PROTECTED]">Vincent Hardy</a>
* @version $Id: BatikSecurityManager.java,v 1.1 2002/05/07 09:00:06 vhardy Exp $
*/
public class BatikSecurityManager extends SecurityManager {
/**
* Returns the current execution stack as an array of classes.
* <p>
* The length of the array is the number of methods on the execution
* stack. The element at index <code>0</code> is the class of the
* currently executing method, the element at index <code>1</code> is
* the class of that method's caller, and so on.
*
* @return the execution stack.
*/
public Class[] getClassContext(){
return super.getClassContext();
}
}
1.2 +87 -72
xml-batik/sources/org/apache/batik/script/rhino/BatikSecuritySupport.java
Index: BatikSecuritySupport.java
===================================================================
RCS file:
/home/cvs/xml-batik/sources/org/apache/batik/script/rhino/BatikSecuritySupport.java,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2
--- BatikSecuritySupport.java 30 Apr 2002 15:05:18 -0000 1.1
+++ BatikSecuritySupport.java 7 May 2002 09:00:07 -0000 1.2
@@ -1,72 +1,87 @@
-/*****************************************************************************
- * Copyright (C) The Apache Software Foundation. All rights reserved. *
- *---------------------------------------------------------------------------*
- * This software is published under the terms of the Apache Software License *
- * version 1.1, a copy of which has been included with this distribution in *
- * the LICENSE file. *
- *****************************************************************************/
-
-package org.apache.batik.script.rhino;
-
-import java.net.URL;
-import java.net.URLClassLoader;
-
-import org.mozilla.javascript.SecuritySupport;
-
-/**
- * This implementation of the Rhino <tt>SecuritySupport</tt> interface is
- * meant for use within the context of Batik only. It is a partial
- * implementation of the interface that does what is needed by Batik and
- * no more.
- *
- * @author <a href="mailto:[EMAIL PROTECTED]";>Vincent Hardy</a>
- * @version $Id: BatikSecuritySupport.java,v 1.1 2002/04/30 15:05:18 vhardy Exp $
- */
-public class BatikSecuritySupport implements SecuritySupport {
- /**
- * Default constructor
- */
- public BatikSecuritySupport(){
- }
-
- /**
- * Define and load a Java class
- */
- public Class defineClass(String name,
- byte[] data,
- Object securityDomain){
- RhinoClassLoader rcl = (RhinoClassLoader)securityDomain;
- return rcl.defineClass(name, data);
- }
-
- /**
- * Get the current class Context.
- * This implementation always returns null.
- */
- public Class[] getClassContext(){
- return null;
- }
-
- /**
- * Return teh security context associated with the
- * given class.
- * In this implementation, we return the <tt>ClassLoader</tt>
- * which created the input class.
- */
- public Object getSecurityDomain(Class cl){
- return cl.getClassLoader();
- }
-
- /**
- * Return true if the Java class with the given name should
- * be exposed to scripts.
- *
- * In this implementation, this always return true, as
- * security is enforced by the SecurityManager's policy
- * and the Permissions granted by the URLClassLoader
- * used to load classes.
- */
- public boolean visibleToScripts(String fullClassName){
- return true;
- }
-}
+/*****************************************************************************
+ * Copyright (C) The Apache Software Foundation. All rights reserved. *
+ *---------------------------------------------------------------------------*
+ * This software is published under the terms of the Apache Software License *
+ * version 1.1, a copy of which has been included with this distribution in *
+ * the LICENSE file. *
+ *****************************************************************************/
+
+package org.apache.batik.script.rhino;
+
+import java.net.URL;
+import java.net.URLClassLoader;
+
+import org.apache.batik.util.BatikSecurityManager;
+import org.mozilla.javascript.SecuritySupport;
+
+/**
+ * This implementation of the Rhino <tt>SecuritySupport</tt> interface is
+ * meant for use within the context of Batik only. It is a partial
+ * implementation of the interface that does what is needed by Batik and
+ * no more.
+ *
+ * @author <a href="mailto:[EMAIL PROTECTED]";>Vincent Hardy</a>
+ * @version $Id: BatikSecuritySupport.java,v 1.2 2002/05/07 09:00:07 vhardy Exp $
+ */
+public class BatikSecuritySupport implements SecuritySupport {
+ /**
+ * Default constructor
+ */
+ public BatikSecuritySupport(){
+ }
+
+ /**
+ * Define and load a Java class
+ */
+ public Class defineClass(String name,
+ byte[] data,
+ Object securityDomain){
+ RhinoClassLoader rcl = (RhinoClassLoader)securityDomain;
+ return rcl.defineClass(name, data);
+ }
+
+ /**
+ * Get the current class Context.
+ * This relies on the <tt>BatikSecurityManager</tt> class.
+ */
+ public Class[] getClassContext(){
+ SecurityManager sm = System.getSecurityManager();
+ if (sm == null
+ ||
+ !(sm instanceof BatikSecurityManager)){
+ return null;
+ } else {
+ BatikSecurityManager bsm = (BatikSecurityManager)sm;
+ Class[] cc = bsm.getClassContext();
+ Class[] result = cc;
+ if (cc != null && cc.length > 0){
+ result = new Class[cc.length -1];
+ System.arraycopy(cc, 1, result, 0, cc.length - 1);
+ }
+ return result;
+ }
+ }
+
+ /**
+ * Return teh security context associated with the
+ * given class.
+ * In this implementation, we return the <tt>ClassLoader</tt>
+ * which created the input class.
+ */
+ public Object getSecurityDomain(Class cl){
+ return cl.getClassLoader();
+ }
+
+ /**
+ * Return true if the Java class with the given name should
+ * be exposed to scripts.
+ *
+ * In this implementation, this always return true, as
+ * security is enforced by the SecurityManager's policy
+ * and the Permissions granted by the URLClassLoader
+ * used to load classes.
+ */
+ public boolean visibleToScripts(String fullClassName){
+ return true;
+ }
+}
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
