Anvil | Smiths Smiths | Register Register | Login Login |
Search:
Show links Show tools Show tree | Previous document Next document | njet.org > Anvil > Documentation > Language reference > Permissions

Permissions

Anvil uses stack based permission checking to determine if privileged actions are allowed.

By default the checking is disabled and in order to enable policy checking there must be at least one policy preference set up. Policies are enabled per domain basis - setting up policy preference somewhere in domain will enable checking in that domain.

Policies consists collection of permissions, together these permissions create incremental fine-grained security policy. You may only grant permissions, but once set up, they may not be removed (at a runtime).

Citizens and tribes may also contain permissions. Addition to each citizens own permissions, it also inherits the permission from all the tribes it belongs to (directly or indirectly), although inheritance is realm implementation dependent. See anvil.server.Citizen and anvil.server.Tribe.

When privileged actions (such as file read/write or socket create) is about to be performed the security policy is consulted:

  • If there exists an authorized citizen for this request its combined permission collection is checked. If any of the permissions there allow the operation, the operation is permitted.

  • Otherwise for each stack frame (starting from most recent): if the domain of zone where frame's module is located has permissions enabled, and if the zone has permission collection, this collection is checked. If any of the permissions there allow the operation, the operation is permitted.

  • Otherwise operation is not allowed, yielding anvil.lang.AccessDenied exception.

Note that privileged operations are also subject to Java's own security checks, if enabled, possibly yielding java.lang.SecurityException.

Permission may be created at a runtime using anvil.runtime.Permission class, passing the name of permission and any parameters in constructor. Similarily, using name and parameters they are created in policy preference.

Available permissions

all

names:
all, java.security.AllPermission
parameters:
-
description:
Uncondionally allows any operation - use with caution.

import

names:
import, anvil.script.ImportPermission
parameters:
path
description:

Controls if scripts from given path may be imported, either statically or dynamically. Path is always absolute. If the path

  • ends with /* then the scripts in that directory (but not in any sub directory) may be imported

  • ends with /- then the scripts in that directory and in any sub directory may be imported.

  • Otherwise only the script pointed by path may be imported (it makes no sense to give directory unless it ends with /* or /-)

Note that when importing statically by using the import statement the permissions of citizen are not in effect.

Also note that when permissions are enabled, by default only the files in same directory may be imported.

file

names:
file, java.io.FilePermission
parameters:
pathname, actions
description:

This permission represents access to a file or directory, consisting of a pathname and a set of actions valid for that pathname.

Pathname is the pathname of the file or directory granted the specified actions. A pathname that ends in "/*" indicates all the files and directories contained in that directory. A pathname that ends with "/-" indicates (recursively) all files and subdirectories contained in that directory. A pathname consisting of the special token "<<ALL FILES>>" matches any file.

The actions to be granted are passed as a second argument containing a list of one or more comma-separated keywords. The possible keywords are "read", "write", "execute", and "delete". Their meaning is defined as follows:

read
read permission
write
write permission
execute
execute permission. Allows Runtime.exec to be called. Corresponds to SecurityManager.checkExec.
delete
delete permission. Allows File.delete to be called. Corresponds to SecurityManager.checkDelete.

The actions string is converted to lowercase before processing.

socket

names:
socket, java.net.SocketPermission
parameters:
host, actions
description:

This permission represents access to a network via sockets, consisting of a host specification and a set of "actions" specifying ways to connect to that host. The host is specified as 

      host = (hostname | IPaddress)[:portrange]
      portrange = portnumber | -portnumber | portnumber-[portnumber]

The host is expressed as a DNS name, as a numerical IP address, or as "localhost" (for the local machine). The wildcard "*" may be included once in a DNS name host specification. If it is included, it must be in the leftmost position, as in "*.sun.com".

The port or portrange is optional. A port specification of the form "N-", where N is a port number, signifies all ports numbered N and above, while a specification of the form "-N" indicates all ports numbered N and below.

The possible ways to connect to the host are 

    accept
    connect
    listen
    resolve
The "listen" action is only meaningful when used with "localhost". The "resolve" (resolve host/ip name service lookups) action is implied when any of the other actions are present.

As an example of the creation and meaning of SocketPermissions, note that if the following permission: 

     p1 = new anvil.net.Permission("socket", "puffin.eng.sun.com:7777", "connect,accept");
is granted to some code, it allows that code to connect to port 7777 on puffin.eng.sun.com, and to accept connections on that port.

Similarly, if the following permission: 

     p1 = new anvil.net.Permission("socket", "puffin.eng.sun.com:7777", "connect,accept");
     p2 = new anvil.net.Permission("socket", "localhost:1024-", "accept,connect,listen");
is granted to some code, it allows that code to accept connections on, connect to, or listen on any port between 1024 and 65535 on the local host.

Note: Granting code permission to accept or make connections to remote hosts may be dangerous because malevolent code can then more easily transfer and share confidential data among parties who may not otherwise have access to the data.

property

names:
property, java.lang.Property
parameters:
property
description:

The name is the name of the property ("java.home", "os.name", etc). The naming convention follows the hierarchical property naming convention. Also, an asterisk may appear at the end of the name, following a ".", or by itself, to signify a wildcard match. For example: "java.*" or "*" is valid, "*java" or "a*b" is not valid.

The actions to be granted are passed to the constructor in a string containing a list of zero or more comma-separated keywords. The possible keywords are "read" and "write". Their meaning is defined as follows:

read
read permission. Allows System.getProperty to be called.
write
write permission. Allows System.setProperty to be called.

The actions string is converted to lowercase before processing.

pool

names:
pool, anvil.database.ConnectionPoolPermission
parameters:
poolName
description:

Controls if it is allowed to acquire connections from pool named poolName.

realm

names:
realm, anvil.server.RealmPermission
parameters:
realmName
description:

Controls if it is allowed to access realm named realmName.

namespace

names:
namespace, anvil.server.NamespacePermission
parameters:
namespaceName, actions
description:

Controls if it is allowed to read from namespace named namespaceName. If actions string contains "writable" then the writing to that namespace is allowed as well.

java

names:
java, anvil.java.util.JavaPermission
parameters:
classname
description:

Controls if access to given java class is allowed. If classname ends with .* then the access to given package is allowed, otherwise if class ends with .** then access to given package and any other "sub" package is allowed.

Note that Anvil does not allow access to anvil.** or anvil_<buildid>.** classes, in fact, these classes are not visible at all.

tool

names:
tool, anvil.core.ToolPermission
parameters:
target, actions
description:

Generic tool permission for the benefit of user application. These permission are checked using anvil.lang.canDo(...) function.

Target parameters contains dotted name that follow same concepts (.* and .**) as Java permission above. Actions is a comma delimited string of arbitrary actions.

java.security.Permission

names:
class extending java.security.Permission
parameters:
implementation specific
description:

Any valid permissions may be use. There is also useful anvil.java.security.ExtendedBasicPermission which follows dotted name with .* and .** concepts.

See also  | Language reference  | policy
Contributes notes:
Add a note
What's new | Anvil