api/src/main/java/jakarta/xml/bind/JAXBPermission.java - jaxb-api - Git at Google

 /*
  * Copyright (c) 2007, 2021 Oracle and/or its affiliates. All rights reserved.
  *
  * This program and the accompanying materials are made available under the
  * terms of the Eclipse Distribution License v. 1.0, which is available at
  * http://www.eclipse.org/org/documents/edl-v10.php.
  *
  * SPDX-License-Identifier: BSD-3-Clause
  */

 package jakarta.xml.bind;

 import java.security.BasicPermission;

 /**
  * This class is for Jakarta XML Binding permissions. A {@code JAXBPermission}
  * contains a name (also referred to as a "target name") but
  * no actions list; you either have the named permission
  * or you don't.
  *
  * <P>
  * The target name is the name of the Jakarta XML Binding permission (see below).
  *
  * <P>
  * The following table lists all the possible {@code JAXBPermission} target names,
  * and for each provides a description of what the permission allows
  * and a discussion of the risks of granting code the permission.
  *
  * <table class="striped">
  * <caption style="display:none">Permission target name, what the permission allows, and associated risks"</caption>
  * <thead>
  * <tr>
  * <th scope="col">Permission Target Name</th>
  * <th scope="col">What the Permission Allows</th>
  * <th scope="col">Risks of Allowing this Permission</th>
  * </tr>
  * </thead>
  *
  * <tbody style="text-align:left">
  * <tr>
  *   <th scope="row">setDatatypeConverter</th>
  *   <td>
  *     Allows the code to set VM-wide {@link DatatypeConverterInterface}
  *     via {@link DatatypeConverter#setDatatypeConverter(DatatypeConverterInterface) the setDatatypeConverter method}
  *     that all the methods on {@link DatatypeConverter} uses.
  *   </td>
  *   <td>
  *     Malicious code can set {@link DatatypeConverterInterface}, which has
  *     VM-wide singleton semantics,  before a genuine Jakarta XML Binding implementation sets one.
  *     This allows malicious code to gain access to objects that it may otherwise
  *     not have access to, such as {@code java.awt.Frame#getFrames()} that belongs to
  *     another application running in the same JVM.
  *   </td>
  * </tr>
  * </tbody>
  * </table>
  *
  * @see java.security.BasicPermission
  * @see java.security.Permission
  * @see java.security.Permissions
  * @see java.security.PermissionCollection
  * @see java.lang.SecurityManager
  *
  * @author Joe Fialli
  * @since 1.7, JAXB 2.2
  */

 /* code was borrowed originally from java.lang.RuntimePermission. */
 public final class JAXBPermission extends BasicPermission {
     /**
      * Creates a new JAXBPermission with the specified name.
      *
      * @param name
      * The name of the JAXBPermission. As of 2.2 only "setDatatypeConverter"
      * is defined.
      */
     public JAXBPermission(String name) {
         super(name);
     }

     private static final long serialVersionUID = 1L;
 }
	/*
	* Copyright (c) 2007, 2021 Oracle and/or its affiliates. All rights reserved.
	*
	* This program and the accompanying materials are made available under the
	* terms of the Eclipse Distribution License v. 1.0, which is available at
	* http://www.eclipse.org/org/documents/edl-v10.php.
	*
	* SPDX-License-Identifier: BSD-3-Clause
	*/

	package jakarta.xml.bind;

	import java.security.BasicPermission;

	/**
	* This class is for Jakarta XML Binding permissions. A {@code JAXBPermission}
	* contains a name (also referred to as a "target name") but
	* no actions list; you either have the named permission
	* or you don't.
	*
	* <P>
	* The target name is the name of the Jakarta XML Binding permission (see below).
	*
	* <P>
	* The following table lists all the possible {@code JAXBPermission} target names,
	* and for each provides a description of what the permission allows
	* and a discussion of the risks of granting code the permission.
	*
	* <table class="striped">
	* <caption style="display:none">Permission target name, what the permission allows, and associated risks"</caption>
	* <thead>
	* <tr>
	* <th scope="col">Permission Target Name</th>
	* <th scope="col">What the Permission Allows</th>
	* <th scope="col">Risks of Allowing this Permission</th>
	* </tr>
	* </thead>
	*
	* <tbody style="text-align:left">
	* <tr>
	* <th scope="row">setDatatypeConverter</th>
	* <td>
	* Allows the code to set VM-wide {@link DatatypeConverterInterface}
	* via {@link DatatypeConverter#setDatatypeConverter(DatatypeConverterInterface) the setDatatypeConverter method}
	* that all the methods on {@link DatatypeConverter} uses.
	* </td>
	* <td>
	* Malicious code can set {@link DatatypeConverterInterface}, which has
	* VM-wide singleton semantics, before a genuine Jakarta XML Binding implementation sets one.
	* This allows malicious code to gain access to objects that it may otherwise
	* not have access to, such as {@code java.awt.Frame#getFrames()} that belongs to
	* another application running in the same JVM.
	* </td>
	* </tr>
	* </tbody>
	* </table>
	*
	* @see java.security.BasicPermission
	* @see java.security.Permission
	* @see java.security.Permissions
	* @see java.security.PermissionCollection
	* @see java.lang.SecurityManager
	*
	* @author Joe Fialli
	* @since 1.7, JAXB 2.2
	*/

	/* code was borrowed originally from java.lang.RuntimePermission. */
	public final class JAXBPermission extends BasicPermission {
	/**
	* Creates a new JAXBPermission with the specified name.
	*
	* @param name
	* The name of the JAXBPermission. As of 2.2 only "setDatatypeConverter"
	* is defined.
	*/
	public JAXBPermission(String name) {
	super(name);
	}

	private static final long serialVersionUID = 1L;
	}