8008128: Better API coherence for JMX

Permission for getting classloader

Reviewed-by: alanb, dfuchs, skoivu

jdk/src/share/classes/com/sun/jmx/mbeanserver/ClassLoaderRepositorySupport.java

@@ -27,12 +27,14 @@ package com.sun.jmx.mbeanserver;
 
 
 import static com.sun.jmx.defaults.JmxProperties.MBEANSERVER_LOGGER;
+import java.security.Permission;
 import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.Hashtable;
 import java.util.List;
 import java.util.Map;
 import java.util.logging.Level;
+import javax.management.MBeanPermission;
 
 import javax.management.ObjectName;
 import javax.management.loading.PrivateClassLoader;
@@ -300,7 +302,19 @@ final class ClassLoaderRepositorySupport
     }
 
     public final ClassLoader getClassLoader(ObjectName name) {
-        return loadersWithNames.get(name);
+        ClassLoader instance = loadersWithNames.get(name);
+        if (instance != null) {
+            SecurityManager sm = System.getSecurityManager();
+            if (sm != null) {
+                Permission perm =
+                        new MBeanPermission(instance.getClass().getName(),
+                        null,
+                        name,
+                        "getClassLoader");
+                sm.checkPermission(perm);
+            }
+        }
+        return instance;
     }
 
 }

jdk/src/share/classes/com/sun/jmx/mbeanserver/MBeanInstantiator.java

@@ -33,7 +33,12 @@ import java.io.ObjectInputStream;
 import java.lang.reflect.Constructor;
 import java.lang.reflect.InvocationTargetException;
 import java.lang.reflect.Modifier;
+import java.security.AccessControlContext;
+import java.security.AccessController;
 import java.security.Permission;
+import java.security.Permissions;
+import java.security.PrivilegedAction;
+import java.security.ProtectionDomain;
 import java.util.Map;
 import java.util.logging.Level;
 
@@ -127,9 +132,8 @@ public class MBeanInstantiator {
 
         // Retrieve the class loader from the repository
         ClassLoader loader = null;
-        synchronized(this) {
+        synchronized (this) {
-            if (clr!=null)
+            loader = getClassLoader(aLoader);
-                loader = clr.getClassLoader(aLoader);
         }
         if (loader == null) {
             throw new InstanceNotFoundException("The loader named " +
@@ -429,8 +433,7 @@ public class MBeanInstantiator {
             try {
                 ClassLoader instance = null;
 
-                if (clr!=null)
+                instance = getClassLoader(loaderName);
-                    instance = clr.getClassLoader(loaderName);
                 if (instance == null)
                     throw new ClassNotFoundException(className);
                 theClass = Class.forName(className, false, instance);
@@ -762,4 +765,22 @@ public class MBeanInstantiator {
             throw new IllegalAccessException("Class is not public and can't be instantiated");
         }
     }
+
+    private ClassLoader getClassLoader(final ObjectName name) {
+        if(clr == null){
+            return null;
+        }
+        // Restrict to getClassLoader permission only
+        Permissions permissions = new Permissions();
+        permissions.add(new MBeanPermission("*", null, name, "getClassLoader"));
+        ProtectionDomain protectionDomain = new ProtectionDomain(null, permissions);
+        ProtectionDomain[] domains = {protectionDomain};
+        AccessControlContext ctx = new AccessControlContext(domains);
+        ClassLoader loader = AccessController.doPrivileged(new PrivilegedAction<ClassLoader>() {
+            public ClassLoader run() {
+                return clr.getClassLoader(name);
+            }
+        }, ctx);
+        return loader;
+    }
 }