From 4a77df1972dfc712586844f4311125732cda8224 Mon Sep 17 00:00:00 2001
From: Jean-Francois Denise
Date: Wed, 27 Mar 2013 09:59:17 +0100
Subject: [PATCH] 8008128: Better API coherence for JMX Permission for getting classloader
Reviewed-by: alanb, dfuchs, skoivu
---
 .../ClassLoaderRepositorySupport.java | 16 +++++++++-
 .../jmx/mbeanserver/MBeanInstantiator.java | 31 ++++++++++++++++---
 2 files changed, 41 insertions(+), 6 deletions(-)
diff --git a/jdk/src/share/classes/com/sun/jmx/mbeanserver/ClassLoaderRepositorySupport.java b/jdk/src/share/classes/com/sun/jmx/mbeanserver/ClassLoaderRepositorySupport.java
index 9fc0e7dbe9e..3226e2e55e4 100644
--- a/jdk/src/share/classes/com/sun/jmx/mbeanserver/ClassLoaderRepositorySupport.java
+++ b/jdk/src/share/classes/com/sun/jmx/mbeanserver/ClassLoaderRepositorySupport.java
@@ -27,12 +27,14 @@ package com.sun.jmx.mbeanserver;
 import static com.sun.jmx.defaults.JmxProperties.MBEANSERVER_LOGGER;
+import java.security.Permission;
 import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.Hashtable;
 import java.util.List;
 import java.util.Map;
 import java.util.logging.Level;
+import javax.management.MBeanPermission;
 import javax.management.ObjectName;
 import javax.management.loading.PrivateClassLoader;
@@ -300,7 +302,19 @@ final class ClassLoaderRepositorySupport
 }
 public final ClassLoader getClassLoader(ObjectName name) {
- return loadersWithNames.get(name);
+ ClassLoader instance = loadersWithNames.get(name);
+ if (instance != null) {
+ SecurityManager sm = System.getSecurityManager();
+ if (sm != null) {
+ Permission perm =
+ new MBeanPermission(instance.getClass().getName(),
+ null,
+ name,
+ "getClassLoader");
+ sm.checkPermission(perm);
+ }
+ }
+ return instance;
 }
 }
diff --git a/jdk/src/share/classes/com/sun/jmx/mbeanserver/MBeanInstantiator.java b/jdk/src/share/classes/com/sun/jmx/mbeanserver/MBeanInstantiator.java
index 6e7bb89f921..2fd2d52410e 100644
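Review bot: `getClassLoader(ObjectName)` in ClassLoaderRepositorySupport can now throw `SecurityException`, and nothing in the hunk documents that new contract. The check runs only when a loader is found, so an unregistered name still returns `null` with no permission check, and the two outcomes let a caller without the permission tell registered names from unregistered ones; if that is intended, the method should say so. A Javadoc stating that `null` is returned for an unknown name, plus `@throws SecurityException if a security manager is installed and the caller lacks MBeanPermission "getClassLoader" for the loader`, would cover it.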
--- a/jdk/src/share/classes/com/sun/jmx/mbeanserver/MBeanInstantiator.java
+++ b/jdk/src/share/classes/com/sun/jmx/mbeanserver/MBeanInstantiator.java
@@ -33,7 +33,12 @@ import java.io.ObjectInputStream;
 import java.lang.reflect.Constructor;
 import java.lang.reflect.InvocationTargetException;
 import java.lang.reflect.Modifier;
+import java.security.AccessControlContext;
+import java.security.AccessController;
 import java.security.Permission;
+import java.security.Permissions;
+import java.security.PrivilegedAction;
+import java.security.ProtectionDomain;
 import java.util.Map;
 import java.util.logging.Level;
@@ -127,9 +132,8 @@ public class MBeanInstantiator {
 // Retrieve the class loader from the repository
 ClassLoader loader = null;
- synchronized(this) {
- if (clr!=null)
- loader = clr.getClassLoader(aLoader);
+ synchronized (this) {
+ loader = getClassLoader(aLoader);
 }
 if (loader == null) {
 throw new InstanceNotFoundException("The loader named " +
@@ -429,8 +433,7 @@ public class MBeanInstantiator {
 try {
 ClassLoader instance = null;
- if (clr!=null)
- instance = clr.getClassLoader(loaderName);
+ instance = getClassLoader(loaderName);
 if (instance == null)
 throw new ClassNotFoundException(className);
 theClass = Class.forName(className, false, instance);
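Review bot: The `synchronized (this)` block in hunk @@ -127 now holds the instantiator's monitor across `getClassLoader(aLoader)`, which enters `AccessController.doPrivileged` and, if `clr` is the repository patched above, runs `SecurityManager.checkPermission` while the lock is held. The second call site in hunk @@ -429 makes the same call without the lock, so the two are inconsistent; if `clr` is never reassigned (its declaration is not visible here), the block could be reduced to `ClassLoader loader = getClassLoader(aLoader);`. In hunk @@ -429 the `ClassLoader instance = null;` initialiser is likewise redundant and could become `ClassLoader instance = getClassLoader(loaderName);`. Both enclosing methods start and end outside their hunks.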
@@ -762,4 +765,22 @@ public class MBeanInstantiator {
 throw new IllegalAccessException("Class is not public and can't be instantiated");
 }
 }
+
+ private ClassLoader getClassLoader(final ObjectName name) {
+ if(clr == null){
+ return null;
+ }
+ // Restrict to getClassLoader permission only
+ Permissions permissions = new Permissions();
+ permissions.add(new MBeanPermission("*", null, name, "getClassLoader"));
+ ProtectionDomain protectionDomain = new ProtectionDomain(null, permissions);
+ ProtectionDomain[] domains = {protectionDomain};
+ AccessControlContext ctx = new AccessControlContext(domains);
+ ClassLoader loader = AccessController.doPrivileged(new PrivilegedAction() {
+ public ClassLoader run() {
+ return clr.getClassLoader(name);
+ }
+ }, ctx);
+ return loader;
+ }
 }
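Review bot: The comment `// Restrict to getClassLoader permission only` in the new helper does not explain why the lookup runs inside `doPrivileged` with a one-permission context. As written, the repository's permission check is evaluated against this synthetic domain and not against the code that called MBeanInstantiator, so the helper presumably relies on the request having been authorised before it gets here; that assumption should be stated. I would expand the comment to something like `// Run the lookup with only MBeanPermission "getClassLoader" for this name: the repository check passes for this internal use and nothing else is granted. Callers must already be authorised.` The `loader` local can be dropped by returning the `doPrivileged` result directly, and `if(clr == null){` would read better with the spacing used in the rest of the file, `if (clr == null) {`.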