changeset 6306:a424696cf0e4

Merge
author coffeys
date Fri, 22 Mar 2013 09:35:50 +0000
parents ee10aa75d397 c2fb1948c39f
children ec931d812faa
files
diffstat 5 files changed, 49 insertions(+), 9 deletions(-) [+]
line wrap: on
line diff
--- a/src/share/classes/com/sun/jmx/mbeanserver/ClassLoaderRepositorySupport.java	Thu Mar 21 22:38:46 2013 +0000
+++ b/src/share/classes/com/sun/jmx/mbeanserver/ClassLoaderRepositorySupport.java	Fri Mar 22 09:35:50 2013 +0000
@@ -27,12 +27,14 @@
 
 
 import static com.sun.jmx.defaults.JmxProperties.MBEANSERVER_LOGGER;
+import java.security.Permission;
 import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.Hashtable;
 import java.util.List;
 import java.util.Map;
 import java.util.logging.Level;
+import javax.management.MBeanPermission;
 
 import javax.management.ObjectName;
 import javax.management.loading.PrivateClassLoader;
@@ -300,7 +302,19 @@
     }
 
     public final ClassLoader getClassLoader(ObjectName name) {
-        return loadersWithNames.get(name);
+        ClassLoader instance = loadersWithNames.get(name);
+        if (instance != null) {
+            SecurityManager sm = System.getSecurityManager();
+            if (sm != null) {
+                Permission perm =
+                        new MBeanPermission(instance.getClass().getName(),
+                        null,
+                        name,
+                        "getClassLoader");
+                sm.checkPermission(perm);
+            }
+        }
+        return instance;
     }
 
 }
--- a/src/share/classes/com/sun/jmx/mbeanserver/MBeanInstantiator.java	Thu Mar 21 22:38:46 2013 +0000
+++ b/src/share/classes/com/sun/jmx/mbeanserver/MBeanInstantiator.java	Fri Mar 22 09:35:50 2013 +0000
@@ -33,7 +33,12 @@
 import java.lang.reflect.Constructor;
 import java.lang.reflect.InvocationTargetException;
 import java.lang.reflect.Modifier;
+import java.security.AccessControlContext;
+import java.security.AccessController;
 import java.security.Permission;
+import java.security.Permissions;
+import java.security.PrivilegedAction;
+import java.security.ProtectionDomain;
 import java.util.Map;
 import java.util.logging.Level;
 
@@ -127,9 +132,8 @@
 
         // Retrieve the class loader from the repository
         ClassLoader loader = null;
-        synchronized(this) {
-            if (clr!=null)
-                loader = clr.getClassLoader(aLoader);
+        synchronized (this) {
+            loader = getClassLoader(aLoader);
         }
         if (loader == null) {
             throw new InstanceNotFoundException("The loader named " +
@@ -429,8 +433,7 @@
             try {
                 ClassLoader instance = null;
 
-                if (clr!=null)
-                    instance = clr.getClassLoader(loaderName);
+                instance = getClassLoader(loaderName);
                 if (instance == null)
                     throw new ClassNotFoundException(className);
                 theClass = Class.forName(className, false, instance);
@@ -762,4 +765,22 @@
             throw new IllegalAccessException("Class is not public and can't be instantiated");
         }
     }
+
+    private ClassLoader getClassLoader(final ObjectName name) {
+        if(clr == null){
+            return null;
+        }
+        // Restrict to getClassLoader permission only
+        Permissions permissions = new Permissions();
+        permissions.add(new MBeanPermission("*", null, name, "getClassLoader"));
+        ProtectionDomain protectionDomain = new ProtectionDomain(null, permissions);
+        ProtectionDomain[] domains = {protectionDomain};
+        AccessControlContext ctx = new AccessControlContext(domains);
+        ClassLoader loader = AccessController.doPrivileged(new PrivilegedAction<ClassLoader>() {
+            public ClassLoader run() {
+                return clr.getClassLoader(name);
+            }
+        }, ctx);
+        return loader;
+    }
 }
--- a/src/share/classes/com/sun/jmx/mbeanserver/ObjectInputStreamWithLoader.java	Thu Mar 21 22:38:46 2013 +0000
+++ b/src/share/classes/com/sun/jmx/mbeanserver/ObjectInputStreamWithLoader.java	Fri Mar 22 09:35:50 2013 +0000
@@ -30,7 +30,7 @@
 import java.io.InputStream;
 import java.io.ObjectInputStream;
 import java.io.ObjectStreamClass;
-import java.io.StreamCorruptedException;
+import sun.reflect.misc.ReflectUtil;
 
 /**
  * This class deserializes an object in the context of a specific class loader.
@@ -61,6 +61,7 @@
             return super.resolveClass(aClass);
         } else {
             String name = aClass.getName();
+            ReflectUtil.checkPackageAccess(name);
             // Query the class loader ...
             return Class.forName(name, false, loader);
         }
--- a/src/share/classes/javax/management/MBeanServerFactory.java	Thu Mar 21 22:38:46 2013 +0000
+++ b/src/share/classes/javax/management/MBeanServerFactory.java	Fri Mar 22 09:35:50 2013 +0000
@@ -34,6 +34,7 @@
 import java.util.ArrayList;
 import java.util.logging.Level;
 import javax.management.loading.ClassLoaderRepository;
+import sun.reflect.misc.ReflectUtil;
 
 
 /**
@@ -446,7 +447,7 @@
         }
 
         // No context class loader? Try with Class.forName()
-        return Class.forName(builderClassName);
+        return ReflectUtil.forName(builderClassName);
     }
 
     /**
--- a/src/share/classes/javax/management/remote/rmi/RMIConnector.java	Thu Mar 21 22:38:46 2013 +0000
+++ b/src/share/classes/javax/management/remote/rmi/RMIConnector.java	Fri Mar 22 09:35:50 2013 +0000
@@ -103,6 +103,7 @@
 import javax.naming.NamingException;
 import javax.rmi.ssl.SslRMIClientSocketFactory;
 import javax.security.auth.Subject;
+import sun.reflect.misc.ReflectUtil;
 import sun.rmi.server.UnicastRef2;
 import sun.rmi.transport.LiveRef;
 
@@ -1991,7 +1992,9 @@
         @Override
         protected Class<?> resolveClass(ObjectStreamClass classDesc)
                 throws IOException, ClassNotFoundException {
-            return Class.forName(classDesc.getName(), false, loader);
+            String name = classDesc.getName();
+            ReflectUtil.checkPackageAccess(name);
+            return Class.forName(name, false, loader);
         }
 
         private final ClassLoader loader;