Okay, I get you now. I think this is just a (complicating) consequence
of the syntax. I don't think there is anything we can do about it.
BTW, I probably should warn you that we are looking at changing the spec
again
to allow port number ranges, the same as SocketPermission...
- Michael
On 13/05/13 14:54, Weijun Wang wrote:
On 5/13/13 9:38 PM, Michael McMahon wrote:
On 13/05/13 14:29, Weijun Wang wrote:
Hi Michael
Until now, for all types of permissions, the "actions" property takes
the form of a comma separated list, and it's always accumulative. For
example, it can be "read", or "write", or "read, write". In fact, the
policytool makes use of this style so that you can click on single
actions items to create a combined one.
Now with HttpURLPermission, this is no longer true.
Of course, there is no way to list single items for HttpURLPermission
(no wellknown header name) so the new style doesn't really affect
policytool that much. It's just that I realized this difference when
trying to support this new Permission type in policytool.
Max
If I understand you right, the difference isn't the fact that the list
elements "accumulate", but that
the range of possible values is unlimited. Of course, there is a syntax
difference (with the ":" char) also.
The components on the two sides of ":" have different meanings, so you
cannot make "A:B:C:D" from "A:B" and "C:D". That's what I mean "not
accumulative", at least, cannot be accumulated use simple string
concatenation.
Yes, for existing Permission types, actions only have limited possible
values, but it's not restrictive to 1 or 2.
To use the old style, "GET,POST:Header1,Header2" will have to be
rewritten to "GET:Header1, GET:Header2, POST: Header1, POST:Header2".
The more the items are, the more complicated it will be. I am not sure
how many methods and headers you would need in a typical use case.
I'm not sure I follow this. The second example isn't supported in
HttpURLPermission.
Yes, I can see that from the CCC.
You would
just create four separate permission objects if that's what you want to
grant. I imagine that typically
only small numbers of headers (5 or less?) would typically be used.
And you normally need multiple methods as well?
Thanks
Max
Michael
Thanks
Max
On 5/10/13 7:34 PM, Michael McMahon wrote:
Hi,
This is the webrev for the HttpURLPermission addition.
As well as the new permission class, the change
includes the use of the permission in java.net.HttpURLConnection.
The code basically checks for a HttpURLPermission in plainConnect(),
getInputStream() and getOutputStream() for the request and if
the caller has permission the request is executed in a doPrivileged()
block. When the limited doPrivileged feature is integrated, I will
change the doPrivileged() call to limit the privilege elevation to a
single
SocketPermission (as shown in the code comments).
The webrev is at
http://cr.openjdk.java.net/~michaelm/8010464/webrev.1/
Thanks
Michael
