RMI Proxy 1.2

com.rmiproxy.security
Class FirewallPermission

java.lang.Object
  |
  +--java.security.Permission
        |
        +--java.security.BasicPermission
              |
              +--com.rmiproxy.security.FirewallPermission
All Implemented Interfaces:
java.security.Guard, java.io.Serializable

public final class FirewallPermission
extends java.security.BasicPermission

This class represents access to an RMI Proxy firewall by client hostname/IP address. A FirewallPermission consists of an action and a host specification. The possible actions are:

"access.package.interface"
    access any remote interface via the RMI Proxy (e.g. after lookup, or as a remote parameter or result)
"bind.name"
    bind/rebind/unbind name into the RMI Proxy Registry
"execute.package.interface.method"
    execute any remote method via the RMI Proxy
"lookup.name"
    look up name in the RMI Proxy Registry

The "action" specified in the policy file may also end with ".*" as a wildcard, e.g. "access.java.rmi.registry.*".

The host is specified as

    host      = (hostname | IPaddress)[:portrange]
    portrange = portnumber | -portnumber | portnumber-[portnumber]

The host is expressed as a DNS name, as a numerical IP address, or as "localhost" (for the local machine). The wildcard "*" may be included once in a DNS name host specification. If it is included, it must be in the leftmost position, as in "*.sun.com".

The port or portrange is optional. A port specification of the form "N-", where N is a port number, signifies all ports numbered N and above, while a specification of the form "-N" indicates all ports numbered N and below.

All the above is identical to the hostname specification of java.net.SocketPermission.

When checking permissions, "host" is set to the client hostname/IP address as determined by java.rmi.server.RemoteServer.getClientHost().

All permissions are checked in the access-control context of the codebase of the remote object concerned.

It is possible to form intersections of protection domains, hostnames and actions, so that only hosts within specified domains may perform certain actions within a given protection domain.

Example:

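 // Only developer.rmiproxy.com may bind this name, for remote objects loaded from this codebase
 grant codebase "http://www.rmiproxy.com/beta/" {
   permission com.rmiproxy.security.FirewallPermission "bind.com.rmiproxy.test.RemoteEcho", "developer.rmiproxy.com";
 };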

All actions support wildcards ('*') as their last character. All hostnames support wildcards ('*') as their first character. IP addresses do not support wildcards at all. Example:

 // Any host ("*") may access, execute and look up remote objects from this codebase
 grant codebase "http://codebase.rmiproxy.com/beta/" {
   permission com.rmiproxy.security.FirewallPermission "access.com.rmiproxy.test.*", "*";
   permission com.rmiproxy.security.FirewallPermission "execute.com.rmiproxy.test.*", "*";
   permission com.rmiproxy.security.FirewallPermission "lookup.*", "*";
 };
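
The matching rules described above (trailing '*' on actions, leftmost '*' on DNS names, exact IP addresses, optional port ranges), modelled as a small stand-alone Java program for reviewing what a grant covers. This is an added example, not RMI Proxy's implementation: the class and method names are hypothetical, hostnames are compared case-insensitively by assumption, and the client port is passed in explicitly because the page does not say how the port part is applied.

```java
import java.util.Locale;
/** Added illustration of the documented matching rules; not RMI Proxy source code. */
public class FirewallRuleModel {
    /** Actions: exact match, or a trailing '*' in the grant matches any suffix. */
    static boolean actionMatches(String granted, String requested) {
        if (granted.endsWith("*")) return requested.startsWith(granted.substring(0, granted.length() - 1));
        return granted.equals(requested);
    }

    /** Hosts: '*' only as the leftmost label of a DNS name; IP addresses compare exactly. */
    static boolean hostMatches(String granted, String client) {
        String g = granted.toLowerCase(Locale.ROOT), c = client.toLowerCase(Locale.ROOT);
        if (g.equals("*")) return true;
        if (g.startsWith("*.")) return c.endsWith(g.substring(1));
        if (g.indexOf('*') >= 0) throw new IllegalArgumentException("bad wildcard: " + granted);
        return g.equals(c);
    }

    /** portrange = portnumber | -portnumber | portnumber-[portnumber]; absent means all ports. */
    static int[] portRange(String spec) {
        if (spec == null || spec.isEmpty()) return new int[] {0, 65535};
        int dash = spec.indexOf('-');
        int low = dash < 0 ? Integer.parseInt(spec) : dash == 0 ? 0 : Integer.parseInt(spec.substring(0, dash));
        int high = dash < 0 ? low : dash == spec.length() - 1 ? 65535 : Integer.parseInt(spec.substring(dash + 1));
        if (low > high || high > 65535) throw new IllegalArgumentException("bad port range: " + spec);
        return new int[] {low, high};
    }

    /** True if the grant (action, host[:portrange]) covers this action from clientHost:clientPort. */
    static boolean covers(String grantAction, String grantHost, String action, String clientHost, int clientPort) {
        int colon = grantHost.lastIndexOf(':');   // assumption: no IPv6 literals in the host part
        String host = colon < 0 ? grantHost : grantHost.substring(0, colon);
        int[] range = portRange(colon < 0 ? null : grantHost.substring(colon + 1));
        return actionMatches(grantAction, action) && hostMatches(host, clientHost)
                && clientPort >= range[0] && clientPort <= range[1];
    }

    public static void main(String[] args) {
        // Grants reuse action and host strings from this page; the client requests are constructed.
        String[][] cases = {
            {"bind.*", "www.sun.com:80", "bind.echo", "www.sun.com", "8080"},
            {"lookup.*", "204.160.241.0:1024-65535", "lookup.echo", "204.160.241.0", "2000"},
            {"access.com.rmiproxy.test.*", "*.sun.com", "access.com.rmiproxy.test.RemoteEcho", "evilsun.com", "5000"},
        };
        for (String[] c : cases)
            System.out.println(c[0] + " @ " + c[1] + " covers " + c[2] + " from " + c[3] + ":" + c[4] + " -> "
                    + covers(c[0], c[1], c[2], c[3], Integer.parseInt(c[4])));
    }
}
```

In this model a host of "*.sun.com" does not cover a look-alike name such as "evilsun.com", while a bare "*" host, as in the second policy example, covers every client.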

See Also:
SocketPermission, BasicPermission, Serialized Form

Constructor Summary
FirewallPermission(java.lang.String action, java.lang.String host)
          Creates a new FirewallPermission object with the specified actions.
 
Method Summary
 boolean equals(java.lang.Object that)
           
 java.lang.String getActions()
           
 boolean implies(java.security.Permission p)
           
 java.security.PermissionCollection newPermissionCollection()
          Returns a new PermissionCollection object for storing FirewallPermission objects.
 
Methods inherited from class java.security.BasicPermission
hashCode
 
Methods inherited from class java.security.Permission
checkGuard, getName, toString
 
Methods inherited from class java.lang.Object
clone, finalize, getClass, notify, notifyAll, wait, wait, wait
 

Constructor Detail

FirewallPermission

public FirewallPermission(java.lang.String action,
                          java.lang.String host)
Creates a new FirewallPermission object with the specified actions. The host is expressed as a DNS name, or as a numerical IP address. Optionally, a port or a portrange may be supplied (separated from the DNS name or IP address by a colon).

To specify the local machine, use "localhost" as the host. Also note: An empty host String ("") is equivalent to "localhost".

The actions parameter contains a comma-separated list of the actions granted for the specified host (and port(s)). Possible actions are "connect", "listen", "accept", "resolve", or any combination of those. "resolve" is automatically added when any of the other three are specified.

Examples of FirewallPermission instantiation are the following:

    nr = new FirewallPermission("access.*", "www.catalog.com");
    nr = new FirewallPermission("bind.*", "www.sun.com:80");
    nr = new FirewallPermission("execute.*", "204.160.241.0");
    nr = new FirewallPermission("lookup.*", "204.160.241.0:1024-65535");
 
Parameters:
action - the action to be performed
host - the hostname or IP address of the computer, optionally including a colon followed by a port or port range

Method Detail

getActions

public java.lang.String getActions()
Overrides:
getActions in class java.security.BasicPermission
Returns:
the actions

implies

public boolean implies(java.security.Permission p)
Overrides:
implies in class java.security.BasicPermission
Parameters:
p - permission to match
Returns:
true iff this permission implies the supplied permission

equals

public boolean equals(java.lang.Object that)
Overrides:
equals in class java.security.BasicPermission

newPermissionCollection

public java.security.PermissionCollection newPermissionCollection()
Returns a new PermissionCollection object for storing FirewallPermission objects.

FirewallPermission objects must be stored in a manner that allows them to be inserted into the collection in any order, but that also enables the PermissionCollection implies method to be implemented in an efficient (and consistent) manner.

Overrides:
newPermissionCollection in class java.security.BasicPermission
Returns:
a new PermissionCollection object suitable for storing FirewallPermissions.

www.rmiproxy.com

Copyright © 2000, 2003 Telekinesis Pty Ltd, Box 82/85 Grattan St, Carlton 3053, Victoria, Australia. All rights reserved.