1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
|
# HG changeset patch
# User dbuck
# Date 1342799616 25200
# Node ID 39b599e90c7b33435ca42ae96ed673812a8be3d7
# Parent 47e7c8e33cd82dade3e84af94bff125cdbdae062
7169888: Narrowing resource definitions in JMX RMI connector
Summary: see bugdb 13932219 for details
Reviewed-by: fparain, vikram
diff --git a/src/share/classes/javax/management/remote/rmi/RMIConnectionImpl.java b/src/share/classes/javax/management/remote/rmi/RMIConnectionImpl.java
--- jdk/src/share/classes/javax/management/remote/rmi/RMIConnectionImpl.java
+++ jdk/src/share/classes/javax/management/remote/rmi/RMIConnectionImpl.java
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2002, 2007, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2002, 2012, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -39,11 +39,17 @@
import java.rmi.MarshalledObject;
import java.rmi.UnmarshalException;
import java.rmi.server.Unreferenced;
+
import java.security.AccessControlContext;
import java.security.AccessController;
+import java.security.Permission;
+import java.security.PermissionCollection;
+import java.security.Permissions;
import java.security.PrivilegedAction;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
+import java.security.ProtectionDomain;
+
import java.util.Arrays;
import java.util.Collections;
import java.util.Map;
@@ -60,6 +66,7 @@
import javax.management.MBeanException;
import javax.management.MBeanInfo;
import javax.management.MBeanRegistrationException;
+import javax.management.MBeanPermission;
import javax.management.MBeanServer;
import javax.management.NotCompliantMBeanException;
import javax.management.NotificationFilter;
@@ -144,15 +151,20 @@
this.mbeanServer = rmiServer.getMBeanServer();
final ClassLoader dcl = defaultClassLoader;
+
this.classLoaderWithRepository =
AccessController.doPrivileged(
new PrivilegedAction<ClassLoaderWithRepository>() {
public ClassLoaderWithRepository run() {
return new ClassLoaderWithRepository(
- getClassLoaderRepository(),
+ mbeanServer.getClassLoaderRepository(),
dcl);
}
- });
+ },
+
+ withPermissions( new MBeanPermission("*", "getClassLoaderRepository"),
+ new RuntimePermission("createClassLoader"))
+ );
serverCommunicatorAdmin = new
RMIServerCommunicatorAdmin(EnvHelp.getServerConnectionTimeout(env));
@@ -160,6 +172,17 @@
this.env = env;
}
+ private static AccessControlContext withPermissions(Permission ... perms){
+ Permissions col = new Permissions();
+
+ for (Permission thePerm : perms ) {
+ col.add(thePerm);
+ }
+
+ final ProtectionDomain pd = new ProtectionDomain(null, col);
+ return new AccessControlContext( new ProtectionDomain[] { pd });
+ }
+
private synchronized ServerNotifForwarder getServerNotifFwd() {
// Lazily created when first use. Mainly when
// addNotificationListener is first called.
@@ -1314,16 +1337,6 @@
// private methods
//------------------------------------------------------------------------
- private ClassLoaderRepository getClassLoaderRepository() {
- return
- AccessController.doPrivileged(
- new PrivilegedAction<ClassLoaderRepository>() {
- public ClassLoaderRepository run() {
- return mbeanServer.getClassLoaderRepository();
- }
- });
- }
-
private ClassLoader getClassLoader(final ObjectName name)
throws InstanceNotFoundException {
try {
@@ -1333,7 +1346,9 @@
public ClassLoader run() throws InstanceNotFoundException {
return mbeanServer.getClassLoader(name);
}
- });
+ },
+ withPermissions(new MBeanPermission("*", "getClassLoader"))
+ );
} catch (PrivilegedActionException pe) {
throw (InstanceNotFoundException) extractException(pe);
}
@@ -1348,7 +1363,9 @@
public Object run() throws InstanceNotFoundException {
return mbeanServer.getClassLoaderFor(name);
}
- });
+ },
+ withPermissions(new MBeanPermission("*", "getClassLoaderFor"))
+ );
} catch (PrivilegedActionException pe) {
throw (InstanceNotFoundException) extractException(pe);
}
|