SmartFrog 3.10.000

org.smartfrog.sfcore.security
Class SFClassLoader

java.lang.Object
  extended by org.smartfrog.sfcore.security.SFClassLoader

public class SFClassLoader
extends java.lang.Object

Provides static methods to obtain a class loader used to download SmartFrog components and their descriptions. If the system level property org.smartfrog.codebase has been set to a URL (or semi-colon separated URLs), it will return an RMI class loader with these addresses. Otherwise it will return the context class loader of the current thread.


Field Summary
static java.lang.String SF_CODEBASE_PROPERTY
          Name of the system property that specifies the URL (or semi-colon separated URLs) from which we download components and their descriptions.
 
Method Summary
static java.lang.Class forName(java.lang.String className)
          This method is equivalent to Class.forName but it uses the SmartFrog class loader (optionally using a remote web server), and it checks whether the class comes from a trusted origin.
static java.lang.Class forName(java.lang.String className, java.lang.String codebase, boolean useDefaultCodebase)
          This method is equivalent to Class.forName but it uses the SmartFrog class loader (optionally using a remote web server), and it checks whether the class comes from a trusted origin.
protected static java.io.InputStream getLocalInputStream(java.net.URLConnection con)
          Checks that the resource pointed to by a URLConnection comes from a trusted source, that is, it has been granted the SFCommunityPermission.
static java.io.InputStream getResourceAsStream(java.lang.String resource)
          Returns a stream that points to a resource specified in a string, typically a configuration file.
static java.io.InputStream getResourceAsStream(java.lang.String resource, java.lang.String codebase, boolean useDefaultCodebase)
          Returns a stream that points to a resource specified in a string, typically a configuration file.
static java.lang.String getTargetClassBase()
          Gets the codebase URL(s) path from a system property, formatted for the RMIClassLoader syntax (space separated URLs).
protected static java.io.InputStream getURLAsStream(java.net.URL resourceURL)
          Returns a stream pointing to a given resource specified by a URL after performing security checks and making sure the resource exists.
static void loadTargetClassBase()
          Loads (or reloads) from a system property the codebase from which we download components, represented as space separated URLs.
static void quickReject(java.security.ProtectionDomain pd)
          Checks that the given protection domain includes a permission that ensures it is coming from a trusted origin (SFCommunityPermission).
static void quickRejectClass(java.lang.Class cl)
          Checks that a class is coming from a trusted origin.
static void quickRejectObject(java.lang.Object obj)
          Checks that an object comes from a class of a trusted origin.
 
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
 

Field Detail

SF_CODEBASE_PROPERTY

public static final java.lang.String SF_CODEBASE_PROPERTY
Name of the system property that specifies the URL (or semi-colon separated URLs) from which we download components and their descriptions.

Method Detail

loadTargetClassBase

public static void loadTargetClassBase()
Loads (or reloads) from a system property the codebase from which we download components, represented as space separated URLs.


getTargetClassBase

public static java.lang.String getTargetClassBase()
Gets the codebase URL(s) path from a system property, formatted for the RMIClassLoader syntax (space separated URLs).

Returns:
a string containing the space separated URLs.

getResourceAsStream

public static java.io.InputStream getResourceAsStream(java.lang.String resource)
Returns a stream that points to a resource specified in a string, typically a configuration file. This string could be either directly loadable from our current class loaders or converted to a file-relative URL. If security is activated, we check that it comes from a trusted source and it has not been modified. We use the default codebase.

Parameters:
resource - name of the resource wanted.
Returns:
A stream to the resource, or null if it either is not available through our class loaders or does not fulfill the security requirements.

getResourceAsStream

public static java.io.InputStream getResourceAsStream(java.lang.String resource,
                                                      java.lang.String codebase,
                                                      boolean useDefaultCodebase)
Returns a stream that points to a resource specified in a string, typically a configuration file. This string could be either directly loadable from our current class loaders or converted to a file-relative URL. If security is activated, we check that it comes from a trusted source and it has not been modified.

Parameters:
resource - name of the resource wanted.
codebase - suggested codebase for the classloader
useDefaultCodebase - whether to try to find the class in the default codebase before using codebase.
Returns:
A stream to the resource, or null if it either is not available through our class loaders or does not fulfill the security requirements.

getURLAsStream

protected static java.io.InputStream getURLAsStream(java.net.URL resourceURL)
                                             throws java.lang.ClassNotFoundException,
                                                    java.io.IOException
Returns a stream pointing to a given resource specified by a URL after performing security checks and making sure the resource exists.

Parameters:
resourceURL - URL of the input resource.
Returns:
Stream that points to that resource
Throws:
java.lang.ClassNotFoundException - The resource does not exist or it does not meet the security requirements.
java.io.IOException

getLocalInputStream

protected static java.io.InputStream getLocalInputStream(java.net.URLConnection con)
                                                  throws java.io.IOException
Checks that the resource pointed to by a URLConnection comes from a trusted source, that is, it has been granted the SFCommunityPermission. If this is not the case, it throws a security exception. Then, it uses that URL to obtain an input stream to a locally cached object.

Parameters:
con - URLConnection to the resource to be checked.
Returns:
Stream that points to the resource. If the resource is in a signed jar, we return a ByteArrayInputStream to a local copy for security reasons.
Throws:
java.io.IOException - in case of any error

quickReject

public static void quickReject(java.security.ProtectionDomain pd)
Checks that the given protection domain includes a permission that ensures it is coming from a trusted origin (SFCommunityPermission). If this is not the case, and security is active, it throws a security exception.

Parameters:
pd - a protection domain that needs to be checked.

quickRejectClass

public static void quickRejectClass(java.lang.Class cl)
Checks that a class is coming from a trusted origin. If this is not the case, and security is active, it throws a security exception. This allows checking the origin of resources even if they do not perform any security-sensitive operation.

Parameters:
cl - Class whose origin we want to check.

quickRejectObject

public static void quickRejectObject(java.lang.Object obj)
Checks that an object comes from a class of a trusted origin. If this is not the case, and security is active, it throws a security exception. This allows checking the origin of resources even if they do not perform any security-sensitive operation.

Parameters:
obj - Object whose origin we want to check.
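
The origin check described for quickReject, quickRejectClass and quickRejectObject, sketched as an added example that is not SmartFrog's own code. CommunityPermission is a hypothetical stand-in for SFCommunityPermission, the securityActive flag and the helper names are assumptions, and the two protection domains are constructed with placeholder URLs.

```java
import java.net.URI;
import java.security.BasicPermission;
import java.security.CodeSource;
import java.security.Permissions;
import java.security.ProtectionDomain;
import java.security.cert.Certificate;

public class OriginCheckDemo {
    // Hypothetical marker permission standing in for SFCommunityPermission.
    static final class CommunityPermission extends BasicPermission {
        CommunityPermission() { super("community"); }
    }

    // Throws if security is active and the domain was not granted the marker.
    static void rejectUntrusted(ProtectionDomain pd, boolean securityActive) {
        if (!securityActive) return;
        if (pd == null || !pd.implies(new CommunityPermission())) {
            String origin = (pd == null || pd.getCodeSource() == null)
                    ? "unknown" : String.valueOf(pd.getCodeSource().getLocation());
            throw new SecurityException("untrusted origin: " + origin);
        }
    }

    // Constructed sample domain with static permissions; the URL is a placeholder.
    static ProtectionDomain domain(String url, boolean trusted) throws Exception {
        CodeSource cs = new CodeSource(URI.create(url).toURL(), (Certificate[]) null);
        Permissions perms = new Permissions();
        if (trusted) perms.add(new CommunityPermission());
        return new ProtectionDomain(cs, perms);
    }

    public static void main(String[] args) throws Exception {
        ProtectionDomain trusted = domain("http://codebase.example/components.jar", true);
        ProtectionDomain unknown = domain("http://other.example/components.jar", false);

        rejectUntrusted(trusted, true);     // marker granted: passes silently
        rejectUntrusted(unknown, false);    // security inactive: no check performed
        try {
            rejectUntrusted(unknown, true); // security active, no marker: rejected
            throw new AssertionError("expected SecurityException");
        } catch (SecurityException expected) {
            System.out.println("rejected: " + expected.getMessage());
        }
    }
}
```

Passing `cl.getProtectionDomain()` or `obj.getClass().getProtectionDomain()` to the same helper gives the per-class and per-object forms; as the forName documentation on this page notes, classes loaded while the checked class is linked are not covered by such a check.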

forName

public static java.lang.Class forName(java.lang.String className,
                                      java.lang.String codebase,
                                      boolean useDefaultCodebase)
                               throws java.lang.ClassNotFoundException
This method is equivalent to Class.forName but it uses the SmartFrog class loader (optionally using a remote web server), and it checks whether the class comes from a trusted origin. Note that the classes referenced by this one, and loaded when this one is linked, are not checked here.

Parameters:
className - fully qualified name of the desired class
codebase - suggested codebase for the classloader
useDefaultCodebase - whether to try to find the class in the default codebase before using codebase.
Returns:
class object representing the desired class
Throws:
java.lang.ClassNotFoundException - if the class cannot be located

forName

public static java.lang.Class forName(java.lang.String className)
                               throws java.lang.ClassNotFoundException
This method is equivalent to Class.forName but it uses the SmartFrog class loader (optionally using a remote web server), and it checks whether the class comes from a trusted origin. Note that the classes referenced by this one, and loaded when this one is linked, are not checked here. We use the default codebase.

Parameters:
className - fully qualified name of the desired class
Returns:
class object representing the desired class
Throws:
java.lang.ClassNotFoundException - if the class cannot be located

SmartFrog CORE 3.10.000

(C) Copyright 1998-2006 Hewlett-Packard Development Company, LP