The NetIOPermission class of the com.ms.security.permissions package represents a permission that controls the ability to perform networking operations.
public class NetIOPermission implements IPermission, IEncodablePermission, IAdjustablePermission
{
    // Fields
    public static final int ALL_API_FLAGS;
    public static final int ALLOW;
    public static final int ALLOWALL;
    public static final int ALLOWBIND;
    public static final int ALLOWCONNECT;
    public static final int ALLOWMULTICAST;
    public static final int BIND;
    public static final int CONNECT;
    public static final int DENY;
    public static final int DENYALL;
    public static final int DENYBIND;
    public static final int DENYCONNECT;
    public static final int DENYMULTICAST;
    public static final int HOSTS;
    public static final int IPS;
    public static final int MULTICAST;

    // Constructors
    public NetIOPermission();

    // Methods
    public void addAddress(int flags, InetAddress addr);
    public void addAddress(int flags, InetAddress addr, IntRanges ports);
    public void addAllFormsByName(int flags, String spec, IntRanges ports);
    public void addAllFormsByName(int flags, String spec);
    public void addConnectHost(String hostspec, boolean fAllow);
    public void addGlobalPortRules(int flags, String spec);
    public void addGlobalPorts(int flags, int start, int end);
    public void addHost(int flags, String hostspec);
    public void addHost(int flags, String hostspec, IntRanges ports);
    public void addHostRules(int flags, String spec);
    public void addIP(int flags, int addr);
    public void addIP(int flags, int addr, IntRanges ports);
    public void addIP(int flags, byte[] addr);
    public void addIP(int flags, byte[] addr, IntRanges ports);
    public void addIPRules(int flags, String spec);
    public void addIPs(int flags, int s, int e, IntRanges ports);
    public void addIPs(int flags, int s, int e);
    public void addIPs(int flags, byte[] s, byte[] e, IntRanges ports);
    public void addIPs(int flags, byte[] s, byte[] e);
    public void addPattern(int flags, String spec);
    public void addPattern(int flags, String spec, IntRanges ports);
    public void adjustPermission(String tag, Object adjustment);
    public void check(Object param) throws SecurityException;
    public IPermission combine(IPermission source2);
    public int compareSet(Object target);
    public IPermission copy();
    public boolean decode(String tag, InputStream data);
    public boolean encode(String tag, OutputStream out);
    public boolean getCanConnectToFileURLCodeBase();
    public boolean getCanConnectToNonFileURLCodeBase();
    public String getGlobalPortRules(int flags);
    public IntRanges getGlobalPorts(int flags);
    public String getHostRules(int flags);
    public WildcardExpression getHosts(int flags);
    public String getIPRules(int flags);
    public IntRanges getIPs(int flags);
    public IntRanges[] getPorts(int flags);
    public String mapFormat(String format);
    public void reset();
    public void setCanConnectToFileURLCodeBase(boolean f);
    public void setCanConnectToNonFileURLCodeBase(boolean f);
    public String[] supportedFormats();
    public String toString();
}
A NetIOPermission object contains components for the following basic types of network operations:
CONNECT: The ability to have general communication with specific hosts.
BIND: The ability to accept connections on specific interfaces and ports. The ability to accept a connection from a specific host is controlled by the CONNECT rules.
MULTICAST: The ability to join specific multicast groups. Communication with specific members of the multicast group is controlled by the CONNECT rules.
For each type of operation, the permissions are specified as ranges of IP (Internet Protocol) addresses, hostname patterns, and ports. Ports can be specified for individual ranges or patterns, or for all ranges or patterns. The global port rules supersede any individual port rules.
All the permission's operators are incremental. The reset method can be used to clear an existing permission of all components.
The components of the permission can be added individually or one hostname mask/address range/port range at a time. Multiple components can also be added in string format. For example, the string ".microsoft.com;myhost.com" could be used to indicate the specific host named "myhost.com" and all host names that end in ".microsoft.com".
Address ranges have the normal dotted IP form. An asterisk (*) can be used in place of a byte to represent any valid byte. A single address can be specified, or starting and ending ranges can be delimited by a hyphen.
Port lists must have the same syntax accepted by the string constructors of the com.ms.util.IntRanges class. For example, "80,1024-2000" is a valid port list. Ports can be specified on individual hostname patterns or addresses by appending a colon and a port range. For example, "*.microsoft.com:80" and "1.2.*.*:1024-5000" are both valid port specifications.
For hostnames, multiple addresses and address ranges are delimited by semicolons. For example, "1.2.*.*;4.5.6.7-4.5.6.50" is a valid hostname.
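The rule syntax described in the three paragraphs above, worked through as an added example (not code from the SDK or the com.ms.security implementation): a self-contained Java sketch that tests an address and port against a rule string. The class and method names are hypothetical, and it assumes that an entry without a port list matches any port and that range endpoints contain no wildcard.

```java
public class NetRuleSketch {   // added sketch of the rule syntax, not the com.ms.security implementation
    static int[] bytes(String dotted) {   // "a.b.c.d" -> four ints; '*' becomes -1 (any valid byte)
        String[] p = dotted.trim().split("\\.");
        if (p.length != 4) throw new IllegalArgumentException("bad address: " + dotted);
        int[] b = new int[4];
        for (int i = 0; i < 4; i++) {
            b[i] = p[i].equals("*") ? -1 : Integer.parseInt(p[i]);
            if (!p[i].equals("*") && (b[i] < 0 || b[i] > 255)) throw new IllegalArgumentException("bad byte: " + p[i]);
        }
        return b;
    }
    static long toLong(String dotted) {   // unsigned 32-bit value in a long, so high addresses compare correctly
        long v = 0;
        for (int b : bytes(dotted)) {
            if (b < 0) throw new IllegalArgumentException("wildcard in range: " + dotted);
            v = (v << 8) | b;
        }
        return v;
    }
    static boolean ipMatches(String spec, String addr) {
        int dash = spec.indexOf('-');
        if (dash >= 0)   // "start-end": numeric comparison of the two endpoints
            return toLong(spec.substring(0, dash)) <= toLong(addr) && toLong(addr) <= toLong(spec.substring(dash + 1));
        int[] p = bytes(spec), q = bytes(addr);
        for (int i = 0; i < 4; i++)   // byte by byte, so "1.*.3.4" is not widened into a contiguous range
            if (p[i] >= 0 && p[i] != q[i]) return false;
        return true;
    }
    static boolean portMatches(String list, int port) {   // port list in the "80,1024-2000" form
        for (String part : list.split(",")) {
            String[] r = part.trim().split("-");
            int lo = Integer.parseInt(r[0].trim()), hi = Integer.parseInt(r[r.length - 1].trim());
            if (lo <= port && port <= hi) return true;
        }
        return false;
    }
    // Semicolon-delimited entries, each optionally followed by ":ports" (assumption: no ports means any port).
    static boolean matches(String rules, String addr, int port) {
        for (String raw : rules.split(";")) {
            int colon = raw.indexOf(':');
            String ip = colon < 0 ? raw : raw.substring(0, colon);
            if (ipMatches(ip, addr) && (colon < 0 || portMatches(raw.substring(colon + 1), port))) return true;
        }
        return false;
    }
    public static void main(String[] args) {
        String rules = "1.2.*.*:1024-5000;4.5.6.7-4.5.6.50";   // built from the page's own example strings
        System.out.println(matches(rules, "1.2.9.9", 2000) + " " + matches(rules, "1.2.9.9", 80)
                + " " + matches(rules, "4.5.6.20", 80) + " " + matches(rules, "4.5.6.51", 80));
    }
}
```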
Some of the addXXX methods in this class take a flag parameter that consists of two values combined with a logical OR operator (|). The first value specifies the connection type by using one or more of MULTICAST, BIND, or CONNECT. The second value specifies ALLOW or DENY to indicate whether the address, port, or hostname being added goes into the include rules or the exclude rules, respectively. An IllegalArgumentException is thrown by these methods if the arguments don't apply to one or more of the specified types.
The flags can be used to update multiple aspects of the permission with one method call. For example, the following code sample adds "localhost" as a hostname that can be both connected and bound to:
NetIOPermission data = new NetIOPermission();
data.addHost(NetIOPermission.ALLOWALL, "localhost");
The getXXX methods also take a flag parameter that consists of two values combined with a logical OR operator (|). To indicate the connection type, you must specify exactly one of MULTICAST, BIND or CONNECT. If more than one of these is specified, an IllegalArgumentException is thrown. For the second value, you should specify ALLOW or DENY.
For your convenience, combination flags are provided to use for the flag parameters. With these values, you don't have to use the OR (|) operator.
ALLOWCONNECT
DENYCONNECT
ALLOWBIND
DENYBIND
ALLOWMULTICAST
DENYMULTICAST
ALLOWALL
DENYALL
The addXXX methods accept all the flags in the previous list, but the getXXX methods do not accept the last two.
Hostname masks are input to the permission as strings and retrieved as expressions.
IP addresses are only supported in 32-bit lengths. Addresses are added as integers, byte arrays (for use with the java.net.InetAddress.getAddress method), or as com.ms.util.IntRanges.
The setCanConnectToFileURLCodeBase and setCanConnectToNonFileURLCodeBase methods are used to control whether the permission allows connections to the host from which the classes with the permission were loaded. If set, the permission can be updated with the codebase by the com.ms.security.PermissionDataSet.adjustForCodebase method.