1 /*
2 * Copyright (c) 1997, 2025, Oracle and/or its affiliates. All rights reserved.
3 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
4 *
5 * This code is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License version 2 only, as
7 * published by the Free Software Foundation. Oracle designates this
8 * particular file as subject to the "Classpath" exception as provided
9 * by Oracle in the LICENSE file that accompanied this code.
10 *
11 * This code is distributed in the hope that it will be useful, but WITHOUT
12 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
13 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
14 * version 2 for more details (a copy is included in the LICENSE file that
15 * accompanied this code).
16 *
17 * You should have received a copy of the GNU General Public License version
18 * 2 along with this work; if not, write to the Free Software Foundation,
19 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
20 *
21 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
22 * or visit www.oracle.com if you need additional information or have any
23 * questions.
24 */
25
26 package java.security;
27
28 import java.util.Map;
29 import java.util.Objects;
30 import java.util.concurrent.ConcurrentHashMap;
31 import java.util.function.Function;
32
33 /**
34 * This class extends {@code ClassLoader} with additional support for defining
35 * classes with an associated code source and permissions.
36 *
37 * @apiNote
38 * Permissions cannot be used for controlling access to resources
39 * as the Security Manager is no longer supported.
40 *
41 * @author Li Gong
42 * @author Roland Schemers
43 * @since 1.2
44 */
45 public class SecureClassLoader extends ClassLoader {
46
47 /*
48 * Map that maps the CodeSource to a ProtectionDomain. The key is a
49 * CodeSourceKey class that uses a {@code String} instead of a URL to avoid
50 * potential expensive name service lookups. This does mean that URLs that
51 * are equivalent after nameservice lookup will be placed in separate
52 * ProtectionDomains; however during policy enforcement these URLs will be
53 * canonicalized and resolved resulting in a consistent set of granted
54 * permissions.
55 */
56 private final Map<CodeSourceKey, ProtectionDomain> pdcache
57 = new ConcurrentHashMap<>(11);
58
59 static {
60 ClassLoader.registerAsParallelCapable();
61 }
62
63 /**
64 * Creates a new {@code SecureClassLoader} using the specified parent
65 * class loader for delegation.
66 *
67 * @apiNote If {@code parent} is specified as {@code null} (for the
68 * bootstrap class loader) then there is no guarantee that all platform
69 * classes are visible.
70 * See {@linkplain ClassLoader##builtinLoaders Run-time Built-in Class Loaders}
71 * for information on the bootstrap class loader and other built-in class loaders.
72 *
73 * @param parent the parent ClassLoader, can be {@code null} for the bootstrap
74 * class loader
75 */
76 protected SecureClassLoader(ClassLoader parent) {
77 super(parent);
78 }
79
80 /**
81 * Creates a new {@code SecureClassLoader} using the
82 * {@linkplain ClassLoader#getSystemClassLoader() system class loader as the parent}.
83 */
84 protected SecureClassLoader() {
85 super();
86 }
87
88 /**
89 * Creates a new {@code SecureClassLoader} of the specified name and
90 * using the specified parent class loader for delegation.
91 *
92 * @apiNote If {@code parent} is specified as {@code null} (for the
93 * bootstrap class loader) then there is no guarantee that all platform
94 * classes are visible.
95 * See {@linkplain ClassLoader##builtinLoaders Run-time Built-in Class Loaders}
96 * for information on the bootstrap class loader and other built-in class loaders.
97 *
98 * @param name class loader name; or {@code null} if not named
99 * @param parent the parent class loader, can be {@code null} for the bootstrap
100 * class loader
101 *
102 * @throws IllegalArgumentException if the given name is empty.
103 *
104 * @since 9
105 */
106 protected SecureClassLoader(String name, ClassLoader parent) {
107 super(name, parent);
108 }
109
110 /**
111 * Converts an array of bytes into an instance of class {@code Class},
112 * with an optional CodeSource. Before the
113 * class can be used it must be resolved.
114 * <p>
115 * If a non-null CodeSource is supplied a ProtectionDomain is
116 * constructed and associated with the class being defined.
117 *
118 * @param name the expected name of the class, or {@code null}
119 * if not known, using '.' and not '/' as the separator
120 * and without a trailing ".class" suffix.
121 * @param b the bytes that make up the class data. The bytes in
122 * positions {@code off} through {@code off+len-1}
123 * should have the format of a valid class file as defined by
124 * <cite>The Java Virtual Machine Specification</cite>.
125 * @param off the start offset in {@code b} of the class data
126 * @param len the length of the class data
127 * @param cs the associated CodeSource, or {@code null} if none
128 * @return the {@code Class} object created from the data,
129 * and optional CodeSource.
130 * @throws ClassFormatError if the data did not contain a valid class
131 * @throws IndexOutOfBoundsException if either {@code off} or
132 * {@code len} is negative, or if
133 * {@code off+len} is greater than {@code b.length}.
134 *
135 * @throws SecurityException if an attempt is made to add this class
136 * to a package that contains classes that were signed by
137 * a different set of certificates than this class, or if
138 * the class name begins with "java.".
139 */
140 protected final Class<?> defineClass(String name,
141 byte[] b, int off, int len,
142 CodeSource cs)
143 {
144 return defineClass(name, b, off, len, getProtectionDomain(cs));
145 }
146
147 /**
148 * Converts a {@link java.nio.ByteBuffer ByteBuffer}
149 * into an instance of class {@code Class}, with an optional CodeSource.
150 * Before the class can be used it must be resolved.
151 * <p>
152 * If a non-null CodeSource is supplied a ProtectionDomain is
153 * constructed and associated with the class being defined.
154 *
155 * @param name the expected name of the class, or {@code null}
156 * if not known, using '.' and not '/' as the separator
157 * and without a trailing ".class" suffix.
158 * @param b the bytes that make up the class data. The bytes from positions
159 * {@code b.position()} through {@code b.position() + b.limit() -1}
160 * should have the format of a valid class file as defined by
161 * <cite>The Java Virtual Machine Specification</cite>.
162 * @param cs the associated CodeSource, or {@code null} if none
163 * @return the {@code Class} object created from the data,
164 * and optional CodeSource.
165 * @throws ClassFormatError if the data did not contain a valid class
166 * @throws SecurityException if an attempt is made to add this class
167 * to a package that contains classes that were signed by
168 * a different set of certificates than this class, or if
169 * the class name begins with "java.".
170 *
171 * @since 1.5
172 */
173 protected final Class<?> defineClass(String name, java.nio.ByteBuffer b,
174 CodeSource cs)
175 {
176 return defineClass(name, b, getProtectionDomain(cs));
177 }
178
179 /**
180 * Returns the permissions for the given CodeSource object.
181 * <p>
182 * This method is invoked by the defineClass method which takes
183 * a CodeSource as an argument when it is constructing the
184 * ProtectionDomain for the class being defined.
185 *
186 * @param codesource the codesource.
187 *
188 * @return the permissions for the codesource.
189 *
190 */
191 protected PermissionCollection getPermissions(CodeSource codesource)
192 {
193 return new Permissions(); // ProtectionDomain defers the binding
194 }
195
196 /*
197 * Returned cached ProtectionDomain for the specified CodeSource.
198 */
199 private ProtectionDomain getProtectionDomain(CodeSource cs) {
200 if (cs == null) {
201 return null;
202 }
203
204 // Use a CodeSourceKey object key. It should behave in the
205 // same manner as the CodeSource when compared for equality except
206 // that no nameservice lookup is done on the hostname (String comparison
207 // only), and the fragment is not considered.
208 CodeSourceKey key = new CodeSourceKey(cs);
209 return pdcache.computeIfAbsent(key, new Function<>() {
210 // Do not turn this into a lambda since it is executed during bootstrap
211 @Override
212 public ProtectionDomain apply(CodeSourceKey key) {
213 PermissionCollection perms
214 = SecureClassLoader.this.getPermissions(key.cs);
215 ProtectionDomain pd = new ProtectionDomain(
216 key.cs, perms, SecureClassLoader.this, null);
217 return pd;
218 }
219 });
220 }
221
222 private record CodeSourceKey(CodeSource cs) {
223
224 @Override
225 public int hashCode() {
226 return Objects.hashCode(cs.getLocationNoFragString());
227 }
228
229 @Override
230 public boolean equals(Object obj) {
231 if (obj == this) {
232 return true;
233 }
234
235 return obj instanceof CodeSourceKey other
236 && Objects.equals(cs.getLocationNoFragString(),
237 other.cs.getLocationNoFragString())
238 && cs.matchCerts(other.cs, true);
239 }
240 }
241
242 /**
243 * Called by the VM, during -Xshare:dump
244 */
245 private void resetArchivedStates() {
246 pdcache.clear();
247 }
248 }