diff options
author | Thomas Watson | 2020-01-08 15:18:45 +0000 |
---|---|---|
committer | Thomas Watson | 2020-01-10 17:24:39 +0000 |
commit | e56c465c78ec234cbd5b39e5da6b24c70b407cef (patch) | |
tree | 7b6eca5944eca20d11068edb230a5090f9d76ec2 | |
parent | 7a2481aa40b36addd5c4cc10464c8637e0ae7e87 (diff) | |
download | rt.equinox.framework-e56c465c78ec234cbd5b39e5da6b24c70b407cef.tar.gz rt.equinox.framework-e56c465c78ec234cbd5b39e5da6b24c70b407cef.tar.xz rt.equinox.framework-e56c465c78ec234cbd5b39e5da6b24c70b407cef.zip |
Bug 558929 - Must handle relative FilePermission paths
Both ConditionalPermissionAdmin and PermissionAdmin must handle relative
paths be relative to a bundles data area.
Change-Id: Ic9565bf368d9cad8b2676e0b2a1bb6d1b1d77cec
Signed-off-by: Thomas Watson <tjwatson@us.ibm.com>
4 files changed, 190 insertions, 67 deletions
diff --git a/bundles/org.eclipse.osgi.tests/src/org/eclipse/osgi/tests/securityadmin/SecurityAdminUnitTests.java b/bundles/org.eclipse.osgi.tests/src/org/eclipse/osgi/tests/securityadmin/SecurityAdminUnitTests.java index 8b2d82837..58a6fe975 100644 --- a/bundles/org.eclipse.osgi.tests/src/org/eclipse/osgi/tests/securityadmin/SecurityAdminUnitTests.java +++ b/bundles/org.eclipse.osgi.tests/src/org/eclipse/osgi/tests/securityadmin/SecurityAdminUnitTests.java @@ -46,6 +46,7 @@ import org.osgi.service.condpermadmin.ConditionalPermissionUpdate; import org.osgi.service.permissionadmin.PermissionAdmin; import org.osgi.service.permissionadmin.PermissionInfo; +@SuppressWarnings("deprecation") public class SecurityAdminUnitTests extends AbstractBundleTests { private static final PermissionInfo[] SOCKET_INFOS = new PermissionInfo[] {new PermissionInfo("java.net.SocketPermission", "localhost", "accept")}; //$NON-NLS-1$ //$NON-NLS-2$ //$NON-NLS-3$ @@ -56,6 +57,8 @@ public class SecurityAdminUnitTests extends AbstractBundleTests { new PermissionInfo("java.io.FilePermission", "<<ALL FILES>>", "write") //$NON-NLS-1$ //$NON-NLS-2$ //$NON-NLS-3$ }; + private static final PermissionInfo[] RELATIVE_EXEC_FILE_INFOS = new PermissionInfo[] {new PermissionInfo("java.io.FilePermission", "bin/*", "execute")}; + private static final PermissionInfo[] RUNTIME_INFOS = new PermissionInfo[] {new PermissionInfo("java.lang.RuntimePermission", "exitVM", null)}; //$NON-NLS-1$ //$NON-NLS-2$ private static final ConditionInfo[] ALLLOCATION_CONDS = new ConditionInfo[] {new ConditionInfo("org.osgi.service.condpermadmin.BundleLocationCondition", new String[] {"*"})}; //$NON-NLS-1$ //$NON-NLS-2$ @@ -91,27 +94,27 @@ public class SecurityAdminUnitTests extends AbstractBundleTests { private static final long serialVersionUID = 3258131349494708277L; // A simple PermissionCollection that only has AllPermission - @Override + @Override public void add(Permission permission) { //no adding to this policy } - @Override + @Override public boolean implies(Permission permission) { return true; } - @Override + @Override public Enumeration elements() { return new Enumeration() { int cur = 0; - @Override + @Override public boolean hasMoreElements() { return cur < 1; } - @Override + @Override public Object nextElement() { if (cur == 0) { cur = 1; @@ -125,12 +128,12 @@ public class SecurityAdminUnitTests extends AbstractBundleTests { Policy.setPolicy(new Policy() { - @Override + @Override public PermissionCollection getPermissions(CodeSource codesource) { return allPermissions; } - @Override + @Override public void refresh() { // nothing } @@ -1052,15 +1055,115 @@ public class SecurityAdminUnitTests extends AbstractBundleTests { } public void testBug286307() { - Bundle test = installTestBundle("test.bug286307"); //$NON-NLS-1$ + Bundle test = installTestBundle("test.bug286307"); AccessControlContext acc = test.adapt(AccessControlContext.class); - testPermission(acc, new FilePermission("test", "read"), true); //$NON-NLS-1$ //$NON-NLS-2$ + testPermission(acc, new FilePermission("test", "read"), true); + testPermission(acc, new AllPermission(), false); + } + + public void testRelativeFilePermission() { + Bundle test = installTestBundle(TEST_BUNDLE); + File dataArea = test.getDataFile(""); + File testFile = new File(dataArea, "testFile.txt"); + File testExecutable = new File(dataArea, "bin/execFile"); + AccessControlContext acc = test.adapt(AccessControlContext.class); + + // test set by location + pa.setPermissions(test.getLocation(), RELATIVE_EXEC_FILE_INFOS); + + testPermission(acc, new FilePermission(testFile.getPath(), "write"), true); + testPermission(acc, new FilePermission(testFile.getPath(), "read"), true); + testPermission(acc, new FilePermission(testFile.getPath(), "execute"), false); + testPermission(acc, new FilePermission(testExecutable.getPath(), "write"), true); + testPermission(acc, new FilePermission(testExecutable.getPath(), "read"), true); + testPermission(acc, new FilePermission(testExecutable.getPath(), "execute"), true); testPermission(acc, new AllPermission(), false); + + // clear location + pa.setPermissions(test.getLocation(), null); + // goes back to all permission by default + testPermission(acc, new FilePermission(testFile.getPath(), "write"), true); + testPermission(acc, new FilePermission(testFile.getPath(), "read"), true); + testPermission(acc, new FilePermission(testFile.getPath(), "execute"), true); + testPermission(acc, new FilePermission(testExecutable.getPath(), "write"), true); + testPermission(acc, new FilePermission(testExecutable.getPath(), "read"), true); + testPermission(acc, new FilePermission(testExecutable.getPath(), "execute"), true); + testPermission(acc, new AllPermission(), true); + + // test set by conditions + ConditionalPermissionUpdate update = cpa.newConditionalPermissionUpdate(); + List rows = update.getConditionalPermissionInfos(); + rows.add(cpa.newConditionalPermissionInfo(null, getLocationConditions(test.getLocation(), false), RELATIVE_EXEC_FILE_INFOS, ConditionalPermissionInfo.ALLOW)); + assertTrue("failed to commit", update.commit()); + + testPermission(acc, new FilePermission(testFile.getPath(), "write"), true); + testPermission(acc, new FilePermission(testFile.getPath(), "read"), true); + testPermission(acc, new FilePermission(testFile.getPath(), "execute"), false); + testPermission(acc, new FilePermission(testExecutable.getPath(), "write"), true); + testPermission(acc, new FilePermission(testExecutable.getPath(), "read"), true); + testPermission(acc, new FilePermission(testExecutable.getPath(), "execute"), true); + testPermission(acc, new AllPermission(), false); + + // update condition to only have read only, not that a bundle always + // implicitly has r/w permission to its data area + update = cpa.newConditionalPermissionUpdate(); + rows = update.getConditionalPermissionInfos(); + rows.clear(); + rows.add(cpa.newConditionalPermissionInfo(null, getLocationConditions(test.getLocation(), false), READONLY_INFOS, ConditionalPermissionInfo.ALLOW)); + assertTrue("failed to commit", update.commit()); + + testPermission(acc, new FilePermission(testFile.getPath(), "write"), true); + testPermission(acc, new FilePermission(testFile.getPath(), "read"), true); + testPermission(acc, new FilePermission(testFile.getPath(), "execute"), false); + testPermission(acc, new FilePermission(testExecutable.getPath(), "write"), true); + testPermission(acc, new FilePermission(testExecutable.getPath(), "read"), true); + testPermission(acc, new FilePermission(testExecutable.getPath(), "execute"), false); + testPermission(acc, new AllPermission(), false); + + // clear the conditions + update = cpa.newConditionalPermissionUpdate(); + update.getConditionalPermissionInfos().clear(); + assertTrue("failed to commit", update.commit()); + + // test that the default permissions of PA do not handle relative + pa.setDefaultPermissions(RELATIVE_EXEC_FILE_INFOS); + + testPermission(acc, new FilePermission(testFile.getPath(), "write"), true); + testPermission(acc, new FilePermission(testFile.getPath(), "read"), true); + testPermission(acc, new FilePermission(testFile.getPath(), "execute"), false); + testPermission(acc, new FilePermission(testExecutable.getPath(), "write"), true); + testPermission(acc, new FilePermission(testExecutable.getPath(), "read"), true); + testPermission(acc, new FilePermission(testExecutable.getPath(), "execute"), false); + testPermission(acc, new AllPermission(), false); + + // go back to default all permission + pa.setDefaultPermissions(null); + testPermission(acc, new AllPermission(), true); + + // Test that the ACC returned from CPA.getAccessControlContext does not handle relative file permissions + update = cpa.newConditionalPermissionUpdate(); + rows = update.getConditionalPermissionInfos(); + rows.add(cpa.newConditionalPermissionInfo(null, new ConditionInfo[] {SIGNER_CONDITION1}, RELATIVE_EXEC_FILE_INFOS, ConditionalPermissionInfo.ALLOW)); + assertTrue("failed to commit", update.commit()); + + File relativeExecutable = new File("bin/executableFile"); + acc = cpa.getAccessControlContext(new String[] {"cn=t1,c=FR;cn=test1,c=US"}); + testPermission(acc, new FilePermission(relativeExecutable.getAbsolutePath(), "execute"), false); + + // update CPA to use absolute path + update = cpa.newConditionalPermissionUpdate(); + rows = update.getConditionalPermissionInfos(); + rows.clear(); + PermissionInfo[] absExectInfos = new PermissionInfo[] {new PermissionInfo("java.io.FilePermission", relativeExecutable.getAbsolutePath(), "execute")}; + rows.add(cpa.newConditionalPermissionInfo(null, new ConditionInfo[] {SIGNER_CONDITION1}, absExectInfos, ConditionalPermissionInfo.ALLOW)); + assertTrue("failed to commit", update.commit()); + + testPermission(acc, new FilePermission(relativeExecutable.getAbsolutePath(), "execute"), true); } private void checkInfos(ConditionalPermissionInfo testInfo1, ConditionalPermissionInfo testInfo2) { - assertTrue("Infos are not equal: " + testInfo1.getEncoded() + " " + testInfo2.getEncoded(), testInfo1.equals(testInfo2)); //$NON-NLS-1$ //$NON-NLS-2$ - assertEquals("Info hash code is not equal", testInfo1.hashCode(), testInfo2.hashCode()); //$NON-NLS-1$ + assertTrue("Infos are not equal: " + testInfo1.getEncoded() + " " + testInfo2.getEncoded(), testInfo1.equals(testInfo2)); + assertEquals("Info hash code is not equal", testInfo1.hashCode(), testInfo2.hashCode()); } private void checkBadInfo(String encoded) { diff --git a/bundles/org.eclipse.osgi/container/src/org/eclipse/osgi/internal/permadmin/PermissionInfoCollection.java b/bundles/org.eclipse.osgi/container/src/org/eclipse/osgi/internal/permadmin/PermissionInfoCollection.java index ab5a53b36..cb057962e 100644 --- a/bundles/org.eclipse.osgi/container/src/org/eclipse/osgi/internal/permadmin/PermissionInfoCollection.java +++ b/bundles/org.eclipse.osgi/container/src/org/eclipse/osgi/internal/permadmin/PermissionInfoCollection.java @@ -1,5 +1,5 @@ /******************************************************************************* - * Copyright (c) 2008, 2017 IBM Corporation and others. + * Copyright (c) 2008, 2020 IBM Corporation and others. * * This program and the accompanying materials * are made available under the terms of the Eclipse Public License 2.0 @@ -14,6 +14,7 @@ package org.eclipse.osgi.internal.permadmin; import java.io.File; +import java.io.FilePermission; import java.lang.reflect.Constructor; import java.security.AccessController; import java.security.AllPermission; @@ -33,19 +34,31 @@ public final class PermissionInfoCollection extends PermissionCollection { static private final Class<?> oneStringClassArray[] = new Class[] {String.class}; static private final Class<?> noArgClassArray[] = new Class[] {}; static private final Class<?>[][] permClassArrayArgs = new Class[][] {noArgClassArray, oneStringClassArray, twoStringClassArray}; + static private final String ALL_PERMISSION_NAME = AllPermission.class.getName(); + static final String FILE_PERMISSION_NAME = FilePermission.class.getName(); + static final String ALL_FILES = "<<ALL FILES>>"; //$NON-NLS-1$ - /* @GuardedBy(cachedPermisssionCollections) */ + /* @GuardedBy(cachedPermissionCollections) */ private final Map<Class<? extends Permission>, PermissionCollection> cachedPermissionCollections = new HashMap<>(); + private final Map<BundlePermissions, PermissionCollection> cachedRelativeFilePermissionCollections; private final boolean hasAllPermission; private final PermissionInfo[] permInfos; public PermissionInfoCollection(PermissionInfo[] permInfos) { this.permInfos = permInfos; boolean tempAllPermissions = false; - for (int i = 0; i < permInfos.length && !tempAllPermissions; i++) - if (permInfos[i].getType().equals(AllPermission.class.getName())) + boolean allAbsolutePaths = true; + for (PermissionInfo info : permInfos) { + if (ALL_PERMISSION_NAME.equals(info.getType())) { tempAllPermissions = true; + } else if (FILE_PERMISSION_NAME.equals(info.getType())) { + if (!(new File(info.getActions()).isAbsolute())) { + allAbsolutePaths = false; + } + } + } this.hasAllPermission = tempAllPermissions; + this.cachedRelativeFilePermissionCollections = allAbsolutePaths ? null : new HashMap<BundlePermissions, PermissionCollection>(); setReadOnly(); // collections are managed with ConditionalPermissionAdmin } @@ -62,13 +75,14 @@ public final class PermissionInfoCollection extends PermissionCollection { @Override public boolean implies(Permission perm) { + return implies(null, perm); + } + + boolean implies(final BundlePermissions bundlePermissions, Permission perm) { if (hasAllPermission) return true; final Class<? extends Permission> permClass = perm.getClass(); - PermissionCollection collection; - synchronized (cachedPermissionCollections) { - collection = cachedPermissionCollections.get(permClass); - } + PermissionCollection collection = getCachedCollection(bundlePermissions, permClass); // must populate the collection outside of the lock to prevent class loader deadlock if (collection == null) { collection = perm.newPermissionCollection(); @@ -80,10 +94,9 @@ public final class PermissionInfoCollection extends PermissionCollection { AccessController.doPrivileged(new PrivilegedExceptionAction<Object>() { @Override public Object run() throws Exception { - addPermissions(targetCollection, permClass); + addPermissions(bundlePermissions, targetCollection, permClass); return null; } - }); } catch (Exception e) { @@ -92,23 +105,43 @@ public final class PermissionInfoCollection extends PermissionCollection { } throw new SecurityException("Exception creating permissions: " + permClass + ": " + e.getMessage(), e); //$NON-NLS-1$ //$NON-NLS-2$ } - synchronized (cachedPermissionCollections) { - // check to see if another thread beat this thread at adding the collection - PermissionCollection exists = cachedPermissionCollections.get(permClass); - if (exists != null) - collection = exists; - else + collection = cacheCollection(bundlePermissions, permClass, collection); + } + return collection.implies(perm); + } + + PermissionCollection getCachedCollection(BundlePermissions bundlePermissions, Class<? extends Permission> permClass) { + synchronized (cachedPermissionCollections) { + if (bundlePermissions != null && cachedRelativeFilePermissionCollections != null && FILE_PERMISSION_NAME.equals(permClass.getName())) { + return cachedRelativeFilePermissionCollections.get(bundlePermissions); + } + return cachedPermissionCollections.get(permClass); + } + } + + private PermissionCollection cacheCollection(BundlePermissions bundlePermissions, Class<? extends Permission> permClass, PermissionCollection collection) { + synchronized (cachedPermissionCollections) { + // check to see if another thread beat this thread at adding the collection + boolean relativeFiles = bundlePermissions != null && cachedRelativeFilePermissionCollections != null && FILE_PERMISSION_NAME.equals(permClass.getName()); + PermissionCollection exists = relativeFiles ? cachedRelativeFilePermissionCollections.get(bundlePermissions) : cachedPermissionCollections.get(permClass); + if (exists != null) { + collection = exists; + } else { + if (relativeFiles) { + cachedRelativeFilePermissionCollections.put(bundlePermissions, collection); + } else { cachedPermissionCollections.put(permClass, collection); + } } + return collection; } - return collection.implies(perm); } PermissionInfo[] getPermissionInfos() { return permInfos; } - void addPermissions(PermissionCollection collection, Class<? extends Permission> permClass) throws Exception { + void addPermissions(BundlePermissions bundlePermissions, PermissionCollection collection, Class<? extends Permission> permClass) throws Exception { String permClassName = permClass.getName(); Constructor<? extends Permission> constructor = null; int numArgs = -1; @@ -121,8 +154,9 @@ public final class PermissionInfoCollection extends PermissionCollection { // ignore } } - if (constructor == null) + if (constructor == null) { throw new NoSuchMethodException(permClass.getName() + ".<init>()"); //$NON-NLS-1$ + } /* * TODO: We need to cache the permission constructors to enhance performance (see bug 118813). */ @@ -135,13 +169,17 @@ public final class PermissionInfoCollection extends PermissionCollection { if (numArgs > 1) { args[1] = permInfo.getActions(); } - if (permInfo.getType().equals("java.io.FilePermission")) { //$NON-NLS-1$ + if (permInfo.getType().equals(FILE_PERMISSION_NAME)) { // map FilePermissions for relative names to the bundle's data area - if (!args[0].equals("<<ALL FILES>>")) { //$NON-NLS-1$ + if (!args[0].equals(ALL_FILES)) { File file = new File(args[0]); if (!file.isAbsolute()) { // relative name - // TODO need to figure out how to do relative FilePermissions from the dataFile - continue; + File target = bundlePermissions == null ? null : bundlePermissions.getBundle().getDataFile(permInfo.getName()); + if (target == null) { + // ignore if we cannot find the data area + continue; + } + args[0] = target.getPath(); } } } @@ -153,6 +191,9 @@ public final class PermissionInfoCollection extends PermissionCollection { void clearPermissionCache() { synchronized (cachedPermissionCollections) { cachedPermissionCollections.clear(); + if (cachedRelativeFilePermissionCollections != null) { + cachedRelativeFilePermissionCollections.clear(); + } } } } diff --git a/bundles/org.eclipse.osgi/container/src/org/eclipse/osgi/internal/permadmin/SecurityAdmin.java b/bundles/org.eclipse.osgi/container/src/org/eclipse/osgi/internal/permadmin/SecurityAdmin.java index 17072314f..b9bd97bd4 100644 --- a/bundles/org.eclipse.osgi/container/src/org/eclipse/osgi/internal/permadmin/SecurityAdmin.java +++ b/bundles/org.eclipse.osgi/container/src/org/eclipse/osgi/internal/permadmin/SecurityAdmin.java @@ -1,5 +1,5 @@ /******************************************************************************* - * Copyright (c) 2008, 2017 IBM Corporation and others. + * Copyright (c) 2008, 2020 IBM Corporation and others. * * This program and the accompanying materials * are made available under the terms of the Eclipse Public License 2.0 @@ -95,13 +95,6 @@ public final class SecurityAdmin implements PermissionAdmin, ConditionalPermissi private final PermissionInfo[] impliedPermissionInfos; private final EquinoxSecurityManager supportedSecurityManager; - private SecurityAdmin(EquinoxSecurityManager supportedSecurityManager, PermissionInfo[] impliedPermissionInfos, PermissionInfoCollection permAdminDefaults) { - this.supportedSecurityManager = supportedSecurityManager; - this.impliedPermissionInfos = impliedPermissionInfos; - this.permAdminDefaults = permAdminDefaults; - this.permissionStorage = null; - } - public SecurityAdmin(EquinoxSecurityManager supportedSecurityManager, PermissionData permissionStorage) { this.supportedSecurityManager = supportedSecurityManager; this.permissionStorage = permissionStorage; @@ -160,7 +153,7 @@ public final class SecurityAdmin implements PermissionAdmin, ConditionalPermissi curPermAdminDefaults = permAdminDefaults; } if (locationCollection != null) - return locationCollection.implies(permission); + return locationCollection.implies(bundlePermissions, permission); // if conditional admin table is empty the fall back to defaults if (curCondAdminTable.isEmpty()) return curPermAdminDefaults != null ? curPermAdminDefaults.implies(permission) : DEFAULT_DEFAULT.implies(permission); @@ -281,8 +274,7 @@ public final class SecurityAdmin implements PermissionAdmin, ConditionalPermissi @Override public AccessControlContext getAccessControlContext(String[] signers) { - SecurityAdmin snapShot = getSnapShot(); - return new AccessControlContext(new ProtectionDomain[] {createProtectionDomain(createMockBundle(signers), snapShot)}); + return new AccessControlContext(new ProtectionDomain[] {createProtectionDomain(createMockBundle(signers), this)}); } /** @@ -317,19 +309,6 @@ public final class SecurityAdmin implements PermissionAdmin, ConditionalPermissi return setConditionalPermissionInfo(name, conds, perms, true); } - private SecurityAdmin getSnapShot() { - SecurityAdmin sa; - synchronized (lock) { - sa = new SecurityAdmin(supportedSecurityManager, impliedPermissionInfos, permAdminDefaults); - SecurityRow[] rows = condAdminTable.getRows(); - SecurityRow[] rowsSnapShot = new SecurityRow[rows.length]; - for (int i = 0; i < rows.length; i++) - rowsSnapShot[i] = new SecurityRow(sa, rows[i].getName(), rows[i].getConditionInfos(), rows[i].getPermissionInfos(), rows[i].getAccessDecision()); - sa.condAdminTable = new SecurityTable(sa, rowsSnapShot); - } - return sa; - } - private ConditionalPermissionInfo setConditionalPermissionInfo(String name, ConditionInfo[] conds, PermissionInfo[] perms, boolean firstTry) { ConditionalPermissionUpdate update = newConditionalPermissionUpdate(); List<ConditionalPermissionInfo> rows = update.getConditionalPermissionInfos(); @@ -427,8 +406,8 @@ public final class SecurityAdmin implements PermissionAdmin, ConditionalPermissi PermissionInfo[] results = new PermissionInfo[permissionInfos.length]; for (int i = 0; i < permissionInfos.length; i++) { results[i] = permissionInfos[i]; - if ("java.io.FilePermission".equals(permissionInfos[i].getType())) { //$NON-NLS-1$ - if (!"<<ALL FILES>>".equals(permissionInfos[i].getName())) { //$NON-NLS-1$ + if (PermissionInfoCollection.FILE_PERMISSION_NAME.equals(permissionInfos[i].getType())) { + if (!PermissionInfoCollection.ALL_FILES.equals(permissionInfos[i].getName())) { File file = new File(permissionInfos[i].getName()); if (!file.isAbsolute()) { // relative name try { diff --git a/bundles/org.eclipse.osgi/container/src/org/eclipse/osgi/internal/permadmin/SecurityRow.java b/bundles/org.eclipse.osgi/container/src/org/eclipse/osgi/internal/permadmin/SecurityRow.java index 64bdc0eb9..0dbb366ee 100644 --- a/bundles/org.eclipse.osgi/container/src/org/eclipse/osgi/internal/permadmin/SecurityRow.java +++ b/bundles/org.eclipse.osgi/container/src/org/eclipse/osgi/internal/permadmin/SecurityRow.java @@ -1,5 +1,5 @@ /******************************************************************************* - * Copyright (c) 2008, 2016 IBM Corporation and others. + * Copyright (c) 2008, 2020 IBM Corporation and others. * * This program and the accompanying materials * are made available under the terms of the Eclipse Public License 2.0 @@ -339,12 +339,12 @@ public final class SecurityRow implements ConditionalPermissionInfo { Decision evaluate(BundlePermissions bundlePermissions, Permission permission) { if (bundleConditions == null || bundlePermissions == null) - return evaluatePermission(permission); + return evaluatePermission(bundlePermissions, permission); Condition[] conditions = getConditions(bundlePermissions); if (conditions == ABSTAIN_LIST) return DECISION_ABSTAIN; if (conditions == SATISFIED_LIST) - return evaluatePermission(permission); + return evaluatePermission(bundlePermissions, permission); boolean empty = true; List<Condition> postponedConditions = null; @@ -370,7 +370,7 @@ public final class SecurityRow implements ConditionalPermissionInfo { } else { // postponed case if (postponedPermCheck == null) // perform a permission check now - postponedPermCheck = evaluatePermission(permission); + postponedPermCheck = evaluatePermission(bundlePermissions, permission); if (postponedPermCheck == DECISION_ABSTAIN) return postponedPermCheck; // no need to postpone the condition if the row abstains // this row will deny or allow the permission; must queue the postponed condition @@ -387,7 +387,7 @@ public final class SecurityRow implements ConditionalPermissionInfo { } if (postponedPermCheck != null) return new Decision(postponedPermCheck.decision | SecurityTable.POSTPONED, postponedConditions.toArray(new Condition[postponedConditions.size()]), this, bundlePermissions); - return evaluatePermission(permission); + return evaluatePermission(bundlePermissions, permission); } private boolean isPostponed(Condition condition) { @@ -395,8 +395,8 @@ public final class SecurityRow implements ConditionalPermissionInfo { return condition.isPostponed() && securityAdmin.getSupportedSecurityManager() != null; } - private Decision evaluatePermission(Permission permission) { - return permissionInfoCollection.implies(permission) ? (deny ? DECISION_DENIED : DECISION_GRANTED) : DECISION_ABSTAIN; + private Decision evaluatePermission(BundlePermissions bundlePermissions, Permission permission) { + return permissionInfoCollection.implies(bundlePermissions, permission) ? (deny ? DECISION_DENIED : DECISION_GRANTED) : DECISION_ABSTAIN; } @Override |