|
@@ -247,15 +247,17 @@ public class PolicyManager {
|
|
|
return;
|
|
|
}
|
|
|
|
|
|
+ String componentName = getEntitlements(requestingClass).componentName();
|
|
|
notEntitled(
|
|
|
Strings.format(
|
|
|
- "Not entitled: component [%s], module [%s], class [%s], operation [%s]",
|
|
|
- getEntitlements(requestingClass).componentName(),
|
|
|
+ "component [%s], module [%s], class [%s], operation [%s]",
|
|
|
+ componentName,
|
|
|
requestingClass.getModule().getName(),
|
|
|
requestingClass,
|
|
|
operationDescription.get()
|
|
|
),
|
|
|
- callerClass
|
|
|
+ callerClass,
|
|
|
+ componentName
|
|
|
);
|
|
|
}
|
|
|
|
|
@@ -366,13 +368,14 @@ public class PolicyManager {
|
|
|
if (canRead == false) {
|
|
|
notEntitled(
|
|
|
Strings.format(
|
|
|
- "Not entitled: component [%s], module [%s], class [%s], entitlement [file], operation [read], path [%s]",
|
|
|
+ "component [%s], module [%s], class [%s], entitlement [file], operation [read], path [%s]",
|
|
|
entitlements.componentName(),
|
|
|
requestingClass.getModule().getName(),
|
|
|
requestingClass,
|
|
|
realPath == null ? path : Strings.format("%s -> %s", path, realPath)
|
|
|
),
|
|
|
- callerClass
|
|
|
+ callerClass,
|
|
|
+ entitlements.componentName()
|
|
|
);
|
|
|
}
|
|
|
}
|
|
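Review bot: The `path` (and `realPath`) value is formatted into the message unescaped, and with this commit `notEntitled` appends a `"\n\tat " + frame` line to the same log entry, so a path containing a line break could produce a line that reads like the frame info. Whether this reaches the log verbatim depends on the layout's escaping, which is not visible here. I would replace control characters in the path before formatting it, or emit the frame as a separate logger argument rather than concatenating it. The same applies to `path` in the write hunk at -395 and to `property` in the hunk at -524. The enclosing method starts and ends outside this hunk.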
@@ -395,13 +398,14 @@ public class PolicyManager {
|
|
|
if (entitlements.fileAccess().canWrite(path) == false) {
|
|
|
notEntitled(
|
|
|
Strings.format(
|
|
|
- "Not entitled: component [%s], module [%s], class [%s], entitlement [file], operation [write], path [%s]",
|
|
|
+ "component [%s], module [%s], class [%s], entitlement [file], operation [write], path [%s]",
|
|
|
entitlements.componentName(),
|
|
|
requestingClass.getModule().getName(),
|
|
|
requestingClass,
|
|
|
path
|
|
|
),
|
|
|
- callerClass
|
|
|
+ callerClass,
|
|
|
+ entitlements.componentName()
|
|
|
);
|
|
|
}
|
|
|
}
|
|
@@ -483,13 +487,14 @@ public class PolicyManager {
|
|
|
if (classEntitlements.hasEntitlement(entitlementClass) == false) {
|
|
|
notEntitled(
|
|
|
Strings.format(
|
|
|
- "Not entitled: component [%s], module [%s], class [%s], entitlement [%s]",
|
|
|
+ "component [%s], module [%s], class [%s], entitlement [%s]",
|
|
|
classEntitlements.componentName(),
|
|
|
requestingClass.getModule().getName(),
|
|
|
requestingClass,
|
|
|
PolicyParser.getEntitlementTypeName(entitlementClass)
|
|
|
),
|
|
|
- callerClass
|
|
|
+ callerClass,
|
|
|
+ classEntitlements.componentName()
|
|
|
);
|
|
|
}
|
|
|
logger.debug(
|
|
@@ -524,21 +529,29 @@ public class PolicyManager {
|
|
|
}
|
|
|
notEntitled(
|
|
|
Strings.format(
|
|
|
- "Not entitled: component [%s], module [%s], class [%s], entitlement [write_system_properties], property [%s]",
|
|
|
+ "component [%s], module [%s], class [%s], entitlement [write_system_properties], property [%s]",
|
|
|
entitlements.componentName(),
|
|
|
requestingClass.getModule().getName(),
|
|
|
requestingClass,
|
|
|
property
|
|
|
),
|
|
|
- callerClass
|
|
|
+ callerClass,
|
|
|
+ entitlements.componentName()
|
|
|
);
|
|
|
}
|
|
|
|
|
|
- private void notEntitled(String message, Class<?> callerClass) {
|
|
|
+ private void notEntitled(String message, Class<?> callerClass, String componentName) {
|
|
|
var exception = new NotEntitledException(message);
|
|
|
// Don't emit a log for muted classes, e.g. classes containing self tests
|
|
|
if (mutedClasses.contains(callerClass) == false) {
|
|
|
- logger.warn(message, exception);
|
|
|
+ var moduleName = callerClass.getModule().getName();
|
|
|
+ var loggerSuffix = "." + componentName + "." + ((moduleName == null) ? ALL_UNNAMED : moduleName);
|
|
|
+ var notEntitledLogger = LogManager.getLogger(PolicyManager.class.getName() + loggerSuffix);
|
|
|
+ String frameInfoSuffix = StackWalker.getInstance(RETAIN_CLASS_REFERENCE)
|
|
|
+ .walk(this::findRequestingFrame)
|
|
|
+ .map(frame -> "\n\tat " + frame)
|
|
|
+ .orElse("");
|
|
|
+ notEntitledLogger.warn("Not entitled: " + message + frameInfoSuffix);
|
|
|
}
|
|
|
throw exception;
|
|
|
}
|
|
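Review bot: The new logger name is derived from `callerClass.getModule().getName()`, while every call site builds the message's module field from `requestingClass`. The hunk at -658 resolves the requesting class by stack walk when its early `return callerClass` is not taken, which suggests `callerClass` can be null. If it can, this line throws a NullPointerException before `throw exception`, so the caller sees an NPE instead of `NotEntitledException` and the denial is never logged. I would pass the module name the call sites already have, or guard it with `var moduleName = callerClass == null ? null : callerClass.getModule().getName();`. Separately, the warn no longer carries `exception`, so only one frame is recorded; consider `notEntitledLogger.debug("Not entitled: " + message, exception);` to keep the full trace available for investigations.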
@@ -658,19 +671,18 @@ public class PolicyManager {
|
|
|
return callerClass;
|
|
|
}
|
|
|
Optional<Class<?>> result = StackWalker.getInstance(RETAIN_CLASS_REFERENCE)
|
|
|
- .walk(frames -> findRequestingClass(frames.map(StackFrame::getDeclaringClass)));
|
|
|
+ .walk(frames -> findRequestingFrame(frames).map(StackFrame::getDeclaringClass));
|
|
|
return result.orElse(null);
|
|
|
}
|
|
|
|
|
|
/**
|
|
|
- * Given a stream of classes corresponding to the frames from a {@link StackWalker},
|
|
|
- * returns the module whose entitlements should be checked.
|
|
|
+ * Given a stream of {@link StackFrame}s, identify the one whose entitlements should be checked.
|
|
|
*
|
|
|
* @throws NullPointerException if the requesting module is {@code null}
|
|
|
*/
|
|
|
- Optional<Class<?>> findRequestingClass(Stream<Class<?>> classes) {
|
|
|
- return classes.filter(c -> c.getModule() != entitlementsModule) // Ignore the entitlements library
|
|
|
- .skip(1) // Skip the sensitive caller method
|
|
|
+ Optional<StackFrame> findRequestingFrame(Stream<StackFrame> frames) {
|
|
|
+ return frames.filter(f -> f.getDeclaringClass().getModule() != entitlementsModule) // ignore entitlements library
|
|
|
+ .skip(1) // Skip the sensitive caller method
|
|
|
.findFirst();
|
|
|
}
|
|
|
|
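Review bot: The Javadoc on `findRequestingFrame` does not state that the frames must come from a walker created with `RETAIN_CLASS_REFERENCE`, which the new filter relies on because `StackFrame.getDeclaringClass()` throws `UnsupportedOperationException` otherwise. The method is package-visible and gains a second caller in `notEntitled` in this commit, so I would add `@throws UnsupportedOperationException if the frames were not captured with {@code RETAIN_CLASS_REFERENCE}`. I would also add a sentence saying that the first frame outside the entitlements module is assumed to be the sensitive method and is skipped. The retained `@throws NullPointerException` line is not obviously backed by the new body and is worth confirming or dropping.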