Back to index...
/*
 * Copyright (c) 2000, 2014, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
 * under the terms of the GNU General Public License version 2 only, as
 * published by the Free Software Foundation.  Oracle designates this
 * particular file as subject to the "Classpath" exception as provided
 * by Oracle in the LICENSE file that accompanied this code.
 *
 * This code is distributed in the hope that it will be useful, but WITHOUT
 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
 * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
 * version 2 for more details (a copy is included in the LICENSE file that
 * accompanied this code).
 *
 * You should have received a copy of the GNU General Public License version
 * 2 along with this work; if not, write to the Free Software Foundation,
 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
 *
 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
 * or visit www.oracle.com if you need additional information or have any
 * questions.
 */
package sun.security.provider;
import java.io.*;
import java.net.MalformedURLException;
import java.net.URI;
import java.net.URL;
import java.security.AccessController;
import java.security.PrivilegedAction;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.security.Security;
import java.security.URIParameter;
import java.text.MessageFormat;
import java.util.*;
import javax.security.auth.AuthPermission;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.ConfigurationSpi;
import sun.security.util.Debug;
import sun.security.util.PropertyExpander;
import sun.security.util.ResourcesMgr;
/**
 * This class represents a default implementation for
 * {@code javax.security.auth.login.Configuration}.
 *
 * <p> This object stores the runtime login configuration representation,
 * and is the amalgamation of multiple static login configurations that
 * resides in files. The algorithm for locating the login configuration
 * file(s) and reading their information into this {@code Configuration}
 * object is:
 *
 * <ol>
 * <li>
 *   Loop through the security properties,
 *   <i>login.config.url.1</i>, <i>login.config.url.2</i>, ...,
 *   <i>login.config.url.X</i>.
 *   Each property value specifies a {@code URL} pointing to a
 *   login configuration file to be loaded.  Read in and load
 *   each configuration.
 *
 * <li>
 *   The {@code java.lang.System} property
 *   <i>java.security.auth.login.config</i>
 *   may also be set to a {@code URL} pointing to another
 *   login configuration file
 *   (which is the case when a user uses the -D switch at runtime).
 *   If this property is defined, and its use is allowed by the
 *   security property file (the Security property,
 *   <i>policy.allowSystemProperty</i> is set to <i>true</i>),
 *   also load that login configuration.
 *
 * <li>
 *   If the <i>java.security.auth.login.config</i> property is defined using
 *   "==" (rather than "="), then ignore all other specified
 *   login configurations and only load this configuration.
 *
 * <li>
 *   If no system or security properties were set, try to read from the file,
 *   ${user.home}/.java.login.config, where ${user.home} is the value
 *   represented by the "user.home" System property.
 * </ol>
 *
 * <p> The configuration syntax supported by this implementation
 * is exactly that syntax specified in the
 * {@code javax.security.auth.login.Configuration} class.
 *
 * @see javax.security.auth.login.LoginContext
 * @see java.security.Security security properties
 */
public final class ConfigFile extends Configuration {
    private final Spi spi;
    public ConfigFile() {
        spi = new Spi();
    }
    @Override
    public AppConfigurationEntry[] getAppConfigurationEntry(String appName) {
        return spi.engineGetAppConfigurationEntry(appName);
    }
    @Override
    public synchronized void refresh() {
        spi.engineRefresh();
    }
    public final static class Spi extends ConfigurationSpi {
        private URL url;
        private boolean expandProp = true;
        private Map<String, List<AppConfigurationEntry>> configuration;
        private int linenum;
        private StreamTokenizer st;
        private int lookahead;
        private static Debug debugConfig = Debug.getInstance("configfile");
        private static Debug debugParser = Debug.getInstance("configparser");
        /**
         * Creates a new {@code ConfigurationSpi} object.
         *
         * @throws SecurityException if the {@code ConfigurationSpi} can not be
         *                           initialized
         */
        public Spi() {
            try {
                init();
            } catch (IOException ioe) {
                throw new SecurityException(ioe);
            }
        }
        /**
         * Creates a new {@code ConfigurationSpi} object from the specified
         * {@code URI}.
         *
         * @param uri the {@code URI}
         * @throws SecurityException if the {@code ConfigurationSpi} can not be
         *                           initialized
         * @throws NullPointerException if {@code uri} is null
         */
        public Spi(URI uri) {
            // only load config from the specified URI
            try {
                url = uri.toURL();
                init();
            } catch (IOException ioe) {
                throw new SecurityException(ioe);
            }
        }
        public Spi(final Configuration.Parameters params) throws IOException {
            // call in a doPrivileged
            //
            // we have already passed the Configuration.getInstance
            // security check.  also this class is not freely accessible
            // (it is in the "sun" package).
            try {
                AccessController.doPrivileged(new PrivilegedExceptionAction<Void>() {
                    public Void run() throws IOException {
                        if (params == null) {
                            init();
                        } else {
                            if (!(params instanceof URIParameter)) {
                                throw new IllegalArgumentException
                                        ("Unrecognized parameter: " + params);
                            }
                            URIParameter uriParam = (URIParameter)params;
                            url = uriParam.getURI().toURL();
                            init();
                        }
                        return null;
                    }
                });
            } catch (PrivilegedActionException pae) {
                throw (IOException)pae.getException();
            }
            // if init() throws some other RuntimeException,
            // let it percolate up naturally.
        }
        /**
         * Read and initialize the entire login Configuration from the
         * configured URL.
         *
         * @throws IOException if the Configuration can not be initialized
         * @throws SecurityException if the caller does not have permission
         *                           to initialize the Configuration
         */
        private void init() throws IOException {
            boolean initialized = false;
            // For policy.expandProperties, check if either a security or system
            // property is set to false (old code erroneously checked the system
            // prop so we must check both to preserve compatibility).
            String expand = Security.getProperty("policy.expandProperties");
            if (expand == null) {
                expand = System.getProperty("policy.expandProperties");
            }
            if ("false".equals(expand)) {
                expandProp = false;
            }
            // new configuration
            Map<String, List<AppConfigurationEntry>> newConfig = new HashMap<>();
            if (url != null) {
                /**
                 * If the caller specified a URI via Configuration.getInstance,
                 * we only read from that URI
                 */
                if (debugConfig != null) {
                    debugConfig.println("reading " + url);
                }
                init(url, newConfig);
                configuration = newConfig;
                return;
            }
            /**
             * Caller did not specify URI via Configuration.getInstance.
             * Read from URLs listed in the java.security properties file.
             */
            String allowSys = Security.getProperty("policy.allowSystemProperty");
            if ("true".equalsIgnoreCase(allowSys)) {
                String extra_config = System.getProperty
                                      ("java.security.auth.login.config");
                if (extra_config != null) {
                    boolean overrideAll = false;
                    if (extra_config.startsWith("=")) {
                        overrideAll = true;
                        extra_config = extra_config.substring(1);
                    }
                    try {
                        extra_config = PropertyExpander.expand(extra_config);
                    } catch (PropertyExpander.ExpandException peee) {
                        throw ioException("Unable.to.properly.expand.config",
                                          extra_config);
                    }
                    URL configURL = null;
                    try {
                        configURL = new URL(extra_config);
                    } catch (MalformedURLException mue) {
                        File configFile = new File(extra_config);
                        if (configFile.exists()) {
                            configURL = configFile.toURI().toURL();
                        } else {
                            throw ioException(
                                "extra.config.No.such.file.or.directory.",
                                extra_config);
                        }
                    }
                    if (debugConfig != null) {
                        debugConfig.println("reading "+configURL);
                    }
                    init(configURL, newConfig);
                    initialized = true;
                    if (overrideAll) {
                        if (debugConfig != null) {
                            debugConfig.println("overriding other policies!");
                        }
                        configuration = newConfig;
                        return;
                    }
                }
            }
            int n = 1;
            String config_url;
            while ((config_url = Security.getProperty
                                     ("login.config.url."+n)) != null) {
                try {
                    config_url = PropertyExpander.expand
                        (config_url).replace(File.separatorChar, '/');
                    if (debugConfig != null) {
                        debugConfig.println("\tReading config: " + config_url);
                    }
                    init(new URL(config_url), newConfig);
                    initialized = true;
                } catch (PropertyExpander.ExpandException peee) {
                    throw ioException("Unable.to.properly.expand.config",
                                      config_url);
                }
                n++;
            }
            if (initialized == false && n == 1 && config_url == null) {
                // get the config from the user's home directory
                if (debugConfig != null) {
                    debugConfig.println("\tReading Policy " +
                                "from ~/.java.login.config");
                }
                config_url = System.getProperty("user.home");
                String userConfigFile = config_url + File.separatorChar +
                                        ".java.login.config";
                // No longer throws an exception when there's no config file
                // at all. Returns an empty Configuration instead.
                if (new File(userConfigFile).exists()) {
                    init(new File(userConfigFile).toURI().toURL(), newConfig);
                }
            }
            configuration = newConfig;
        }
        private void init(URL config,
                          Map<String, List<AppConfigurationEntry>> newConfig)
                          throws IOException {
            try (InputStreamReader isr
                    = new InputStreamReader(getInputStream(config), "UTF-8")) {
                readConfig(isr, newConfig);
            } catch (FileNotFoundException fnfe) {
                if (debugConfig != null) {
                    debugConfig.println(fnfe.toString());
                }
                throw new IOException(ResourcesMgr.getString
                    ("Configuration.Error.No.such.file.or.directory",
                    "sun.security.util.AuthResources"));
            }
        }
        /**
         * Retrieve an entry from the Configuration using an application name
         * as an index.
         *
         * @param applicationName the name used to index the Configuration.
         * @return an array of AppConfigurationEntries which correspond to
         *         the stacked configuration of LoginModules for this
         *         application, or null if this application has no configured
         *         LoginModules.
         */
        @Override
        public AppConfigurationEntry[] engineGetAppConfigurationEntry
            (String applicationName) {
            List<AppConfigurationEntry> list = null;
            synchronized (configuration) {
                list = configuration.get(applicationName);
            }
            if (list == null || list.size() == 0) {
                return null;
            }
            AppConfigurationEntry[] entries =
                                    new AppConfigurationEntry[list.size()];
            Iterator<AppConfigurationEntry> iterator = list.iterator();
            for (int i = 0; iterator.hasNext(); i++) {
                AppConfigurationEntry e = iterator.next();
                entries[i] = new AppConfigurationEntry(e.getLoginModuleName(),
                                                       e.getControlFlag(),
                                                       e.getOptions());
            }
            return entries;
        }
        /**
         * Refresh and reload the Configuration by re-reading all of the
         * login configurations.
         *
         * @throws SecurityException if the caller does not have permission
         *                           to refresh the Configuration.
         */
        @Override
        public synchronized void engineRefresh() {
            SecurityManager sm = System.getSecurityManager();
            if (sm != null) {
                sm.checkPermission(
                    new AuthPermission("refreshLoginConfiguration"));
            }
            AccessController.doPrivileged(new PrivilegedAction<Void>() {
                public Void run() {
                    try {
                        init();
                    } catch (IOException ioe) {
                        throw new SecurityException(ioe.getLocalizedMessage(),
                                                    ioe);
                    }
                    return null;
                }
            });
        }
        private void readConfig(Reader reader,
            Map<String, List<AppConfigurationEntry>> newConfig)
            throws IOException {
            linenum = 1;
            if (!(reader instanceof BufferedReader)) {
                reader = new BufferedReader(reader);
            }
            st = new StreamTokenizer(reader);
            st.quoteChar('"');
            st.wordChars('$', '$');
            st.wordChars('_', '_');
            st.wordChars('-', '-');
            st.wordChars('*', '*');
            st.lowerCaseMode(false);
            st.slashSlashComments(true);
            st.slashStarComments(true);
            st.eolIsSignificant(true);
            lookahead = nextToken();
            while (lookahead != StreamTokenizer.TT_EOF) {
                parseLoginEntry(newConfig);
            }
        }
        private void parseLoginEntry(
            Map<String, List<AppConfigurationEntry>> newConfig)
            throws IOException {
            List<AppConfigurationEntry> configEntries = new LinkedList<>();
            // application name
            String appName = st.sval;
            lookahead = nextToken();
            if (debugParser != null) {
                debugParser.println("\tReading next config entry: " + appName);
            }
            match("{");
            // get the modules
            while (peek("}") == false) {
                // get the module class name
                String moduleClass = match("module class name");
                // controlFlag (required, optional, etc)
                LoginModuleControlFlag controlFlag;
                String sflag = match("controlFlag").toUpperCase(Locale.ENGLISH);
                switch (sflag) {
                    case "REQUIRED":
                        controlFlag = LoginModuleControlFlag.REQUIRED;
                        break;
                    case "REQUISITE":
                        controlFlag = LoginModuleControlFlag.REQUISITE;
                        break;
                    case "SUFFICIENT":
                        controlFlag = LoginModuleControlFlag.SUFFICIENT;
                        break;
                    case "OPTIONAL":
                        controlFlag = LoginModuleControlFlag.OPTIONAL;
                        break;
                    default:
                        throw ioException(
                            "Configuration.Error.Invalid.control.flag.flag",
                            sflag);
                }
                // get the args
                Map<String, String> options = new HashMap<>();
                while (peek(";") == false) {
                    String key = match("option key");
                    match("=");
                    try {
                        options.put(key, expand(match("option value")));
                    } catch (PropertyExpander.ExpandException peee) {
                        throw new IOException(peee.getLocalizedMessage());
                    }
                }
                lookahead = nextToken();
                // create the new element
                if (debugParser != null) {
                    debugParser.println("\t\t" + moduleClass + ", " + sflag);
                    for (String key : options.keySet()) {
                        debugParser.println("\t\t\t" + key +
                                            "=" + options.get(key));
                    }
                }
                configEntries.add(new AppConfigurationEntry(moduleClass,
                                                            controlFlag,
                                                            options));
            }
            match("}");
            match(";");
            // add this configuration entry
            if (newConfig.containsKey(appName)) {
                throw ioException(
                    "Configuration.Error.Can.not.specify.multiple.entries.for.appName",
                    appName);
            }
            newConfig.put(appName, configEntries);
        }
        private String match(String expect) throws IOException {
            String value = null;
            switch(lookahead) {
            case StreamTokenizer.TT_EOF:
                throw ioException(
                    "Configuration.Error.expected.expect.read.end.of.file.",
                    expect);
            case '"':
            case StreamTokenizer.TT_WORD:
                if (expect.equalsIgnoreCase("module class name") ||
                    expect.equalsIgnoreCase("controlFlag") ||
                    expect.equalsIgnoreCase("option key") ||
                    expect.equalsIgnoreCase("option value")) {
                    value = st.sval;
                    lookahead = nextToken();
                } else {
                    throw ioException(
                        "Configuration.Error.Line.line.expected.expect.found.value.",
                        new Integer(linenum), expect, st.sval);
                }
                break;
            case '{':
                if (expect.equalsIgnoreCase("{")) {
                    lookahead = nextToken();
                } else {
                    throw ioException(
                        "Configuration.Error.Line.line.expected.expect.",
                        new Integer(linenum), expect, st.sval);
                }
                break;
            case ';':
                if (expect.equalsIgnoreCase(";")) {
                    lookahead = nextToken();
                } else {
                    throw ioException(
                        "Configuration.Error.Line.line.expected.expect.",
                        new Integer(linenum), expect, st.sval);
                }
                break;
            case '}':
                if (expect.equalsIgnoreCase("}")) {
                    lookahead = nextToken();
                } else {
                    throw ioException(
                        "Configuration.Error.Line.line.expected.expect.",
                        new Integer(linenum), expect, st.sval);
                }
                break;
            case '=':
                if (expect.equalsIgnoreCase("=")) {
                    lookahead = nextToken();
                } else {
                    throw ioException(
                        "Configuration.Error.Line.line.expected.expect.",
                        new Integer(linenum), expect, st.sval);
                }
                break;
            default:
                throw ioException(
                    "Configuration.Error.Line.line.expected.expect.found.value.",
                    new Integer(linenum), expect, st.sval);
            }
            return value;
        }
        private boolean peek(String expect) {
            switch (lookahead) {
                case ',':
                    return expect.equalsIgnoreCase(",");
                case ';':
                    return expect.equalsIgnoreCase(";");
                case '{':
                    return expect.equalsIgnoreCase("{");
                case '}':
                    return expect.equalsIgnoreCase("}");
                default:
                    return false;
            }
        }
        private int nextToken() throws IOException {
            int tok;
            while ((tok = st.nextToken()) == StreamTokenizer.TT_EOL) {
                linenum++;
            }
            return tok;
        }
        private InputStream getInputStream(URL url) throws IOException {
            if ("file".equalsIgnoreCase(url.getProtocol())) {
                // Compatibility notes:
                //
                // Code changed from
                //   String path = url.getFile().replace('/', File.separatorChar);
                //   return new FileInputStream(path);
                //
                // The original implementation would search for "/tmp/a%20b"
                // when url is "file:///tmp/a%20b". This is incorrect. The
                // current codes fix this bug and searches for "/tmp/a b".
                // For compatibility reasons, when the file "/tmp/a b" does
                // not exist, the file named "/tmp/a%20b" will be tried.
                //
                // This also means that if both file exists, the behavior of
                // this method is changed, and the current codes choose the
                // correct one.
                try {
                    return url.openStream();
                } catch (Exception e) {
                    String file = url.getPath();
                    if (url.getHost().length() > 0) {  // For Windows UNC
                        file = "//" + url.getHost() + file;
                    }
                    if (debugConfig != null) {
                        debugConfig.println("cannot read " + url +
                                            ", try " + file);
                    }
                    return new FileInputStream(file);
                }
            } else {
                return url.openStream();
            }
        }
        private String expand(String value)
            throws PropertyExpander.ExpandException, IOException {
            if (value.isEmpty()) {
                return value;
            }
            if (!expandProp) {
                return value;
            }
            String s = PropertyExpander.expand(value);
            if (s == null || s.length() == 0) {
                throw ioException(
                    "Configuration.Error.Line.line.system.property.value.expanded.to.empty.value",
                    new Integer(linenum), value);
            }
            return s;
        }
        private IOException ioException(String resourceKey, Object... args) {
            MessageFormat form = new MessageFormat(ResourcesMgr.getString
                (resourceKey, "sun.security.util.AuthResources"));
            return new IOException(form.format(args));
        }
    }
}
Back to index...