stan/jdk-24
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

8006446: Restrict MBeanServer access

Browse Source 
Reviewed-by: alanb, mchung, darcy, jrose, ahgross, skoivu
This commit is contained in:
Daniel Fuchs 2013-01-30 11:33:51 +01:00
parent 7cb8f824d3
commit 7303280ef5
11 changed files with 67 additions and 35 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
jdk/src/share/classes/com/sun/jmx/mbeanserver/ClassLoaderRepositorySupport.java
View File

@ -36,6 +36,7 @@ import java.util.logging.Level;
import javax.management.ObjectName;
import javax.management.loading.PrivateClassLoader;
import sun.reflect.misc.ReflectUtil;
/**
* This class keeps the list of Class Loaders registered in the MBean Server.
@ -192,6 +193,7 @@ final class ClassLoaderRepositorySupport
final ClassLoader without,
final ClassLoader stop)
throws ClassNotFoundException {
ReflectUtil.checkPackageAccess(className);
final int size = list.length;
for(int i=0; i<size; i++) {
try {

10
jdk/src/share/classes/com/sun/jmx/mbeanserver/JmxMBeanServer.java
View File

@ -51,6 +51,7 @@ import javax.management.MBeanPermission;
import javax.management.MBeanRegistrationException;
import javax.management.MBeanServer;
import javax.management.MBeanServerDelegate;
import javax.management.MBeanServerPermission;
import javax.management.NotCompliantMBeanException;
import javax.management.NotificationFilter;
import javax.management.NotificationListener;
@ -1409,6 +1410,8 @@ public final class JmxMBeanServer
// Default is true.
final boolean fairLock = DEFAULT_FAIR_LOCK_POLICY;
checkNewMBeanServerPermission();
// This constructor happens to disregard the value of the interceptors
// flag - that is, it always uses the default value - false.
// This is admitedly a bug, but we chose not to fix it for now
@ -1494,4 +1497,11 @@ public final class JmxMBeanServer
}
}
private static void checkNewMBeanServerPermission() {
SecurityManager sm = System.getSecurityManager();
if (sm != null) {
Permission perm = new MBeanServerPermission("newMBeanServer");
sm.checkPermission(perm);
}
}
}

34
jdk/src/share/classes/com/sun/jmx/mbeanserver/MBeanInstantiator.java
View File

@ -32,11 +32,13 @@ import java.io.IOException;
import java.io.ObjectInputStream;
import java.lang.reflect.Constructor;
import java.lang.reflect.InvocationTargetException;
import java.security.Permission;
import java.util.Map;
import java.util.logging.Level;
import javax.management.InstanceNotFoundException;
import javax.management.MBeanException;
import javax.management.MBeanPermission;
import javax.management.NotCompliantMBeanException;
import javax.management.ObjectName;
import javax.management.OperationsException;
@ -44,7 +46,7 @@ import javax.management.ReflectionException;
import javax.management.RuntimeErrorException;
import javax.management.RuntimeMBeanException;
import javax.management.RuntimeOperationsException;
import sun.reflect.misc.ConstructorUtil;
import sun.reflect.misc.ReflectUtil;
/**
@ -56,7 +58,6 @@ import sun.reflect.misc.ReflectUtil;
* @since 1.5
*/
public class MBeanInstantiator {
private final ModifiableClassLoaderRepository clr;
// private MetaData meta = null;
@ -88,6 +89,7 @@ public class MBeanInstantiator {
"Exception occurred during object instantiation");
}
ReflectUtil.checkPackageAccess(className);
try {
if (clr == null) throw new ClassNotFoundException(className);
theClass = clr.loadClass(className);
@ -162,6 +164,7 @@ public class MBeanInstantiator {
continue;
}
ReflectUtil.checkPackageAccess(signature[i]);
// Ok we do not have a primitive type ! We need to build
// the signature of the method
//
@ -205,6 +208,9 @@ public class MBeanInstantiator {
*/
public Object instantiate(Class<?> theClass)
throws ReflectionException, MBeanException {
checkMBeanPermission(theClass, null, null, "instantiate");
Object moi;
@ -260,6 +266,9 @@ public class MBeanInstantiator {
public Object instantiate(Class<?> theClass, Object params[],
String signature[], ClassLoader loader)
throws ReflectionException, MBeanException {
checkMBeanPermission(theClass, null, null, "instantiate");
// Instantiate the new object
// ------------------------------
@ -407,6 +416,8 @@ public class MBeanInstantiator {
throw new RuntimeOperationsException(new
IllegalArgumentException(), "Null className passed in parameter");
}
ReflectUtil.checkPackageAccess(className);
Class<?> theClass;
if (loaderName == null) {
// Load the class using the agent class loader
@ -619,13 +630,13 @@ public class MBeanInstantiator {
**/
static Class<?> loadClass(String className, ClassLoader loader)
throws ReflectionException {
Class<?> theClass;
if (className == null) {
throw new RuntimeOperationsException(new
IllegalArgumentException("The class name cannot be null"),
"Exception occurred during object instantiation");
}
ReflectUtil.checkPackageAccess(className);
try {
if (loader == null)
loader = MBeanInstantiator.class.getClassLoader();
@ -676,6 +687,7 @@ public class MBeanInstantiator {
// We need to load the class through the class
// loader of the target object.
//
ReflectUtil.checkPackageAccess(signature[i]);
tab[i] = Class.forName(signature[i], false, aLoader);
}
} catch (ClassNotFoundException e) {
@ -701,7 +713,7 @@ public class MBeanInstantiator {
private Constructor<?> findConstructor(Class<?> c, Class<?>[] params) {
try {
return c.getConstructor(params);
return ConstructorUtil.getConstructor(c, params);
} catch (Exception e) {
return null;
}
@ -715,4 +727,18 @@ public class MBeanInstantiator {
char.class, boolean.class})
primitiveClasses.put(c.getName(), c);
}
private static void checkMBeanPermission(Class<?> clazz,
String member,
ObjectName objectName,
String actions) {
SecurityManager sm = System.getSecurityManager();
if (clazz != null && sm != null) {
Permission perm = new MBeanPermission(clazz.getName(),
member,
objectName,
actions);
sm.checkPermission(perm);
}
}
}

2
jdk/src/share/classes/com/sun/jmx/mbeanserver/MBeanSupport.java
View File

@ -38,6 +38,7 @@ import javax.management.NotCompliantMBeanException;
import javax.management.ObjectName;
import javax.management.ReflectionException;
import com.sun.jmx.mbeanserver.MXBeanMappingFactory;
import sun.reflect.misc.ReflectUtil;
/**
* Base class for MBeans. There is one instance of this class for
@ -131,6 +132,7 @@ public abstract class MBeanSupport<M>
" is not an instance of " + mbeanInterfaceType.getName();
throw new NotCompliantMBeanException(msg);
}
ReflectUtil.checkPackageAccess(mbeanInterfaceType);
this.resource = resource;
MBeanIntrospector<M> introspector = getMBeanIntrospector();
this.perInterface = introspector.getPerInterface(mbeanInterfaceType);

10
jdk/src/share/classes/java/lang/management/ManagementFactory.java
View File

@ -802,6 +802,11 @@ public class ManagementFactory {
*/
private static void addMXBean(final MBeanServer mbs, final PlatformManagedObject pmo) {
// Make DynamicMBean out of MXBean by wrapping it with a StandardMBean
try {
AccessController.doPrivileged(new PrivilegedExceptionAction<Void>() {
public Void run() throws InstanceAlreadyExistsException,
MBeanRegistrationException,
NotCompliantMBeanException {
final DynamicMBean dmbean;
if (pmo instanceof DynamicMBean) {
dmbean = DynamicMBean.class.cast(pmo);
@ -811,11 +816,6 @@ public class ManagementFactory {
dmbean = new StandardMBean(pmo, null, true);
}
try {
AccessController.doPrivileged(new PrivilegedExceptionAction<Void>() {
public Void run() throws InstanceAlreadyExistsException,
MBeanRegistrationException,
NotCompliantMBeanException {
mbs.registerMBean(dmbean, pmo.getObjectName());
return null;
}

6
jdk/src/share/lib/security/java.security-linux
View File

@ -151,8 +151,7 @@ package.access=sun.,\
com.sun.xml.internal.ws.,\
com.sun.imageio.,\
com.sun.istack.internal.,\
com.sun.jmx.defaults.,\
com.sun.jmx.remote.util.,\
com.sun.jmx.,\
com.sun.proxy.,\
com.sun.org.apache.xerces.internal.utils.,\
com.sun.org.apache.xalan.internal.utils.,\
@ -176,8 +175,7 @@ package.definition=sun.,\
com.sun.xml.internal.ws.,\
com.sun.imageio.,\
com.sun.istack.internal.,\
com.sun.jmx.defaults.,\
com.sun.jmx.remote.util.,\
com.sun.jmx.,\
com.sun.proxy.,\
com.sun.org.apache.xerces.internal.utils.,\
com.sun.org.apache.xalan.internal.utils.,\

6
jdk/src/share/lib/security/java.security-macosx
View File

@ -152,8 +152,7 @@ package.access=sun.,\
com.sun.xml.internal.ws.,\
com.sun.imageio.,\
com.sun.istack.internal.,\
com.sun.jmx.defaults.,\
com.sun.jmx.remote.util.,\
com.sun.jmx.,\
com.sun.proxy.,\
com.sun.org.apache.xerces.internal.utils.,\
com.sun.org.apache.xalan.internal.utils.,\
@ -178,8 +177,7 @@ package.definition=sun.,\
com.sun.xml.internal.ws.,\
com.sun.imageio.,\
com.sun.istack.internal.,\
com.sun.jmx.defaults.,\
com.sun.jmx.remote.util.,\
com.sun.jmx.,\
com.sun.proxy.,\
com.sun.org.apache.xerces.internal.utils.,\
com.sun.org.apache.xalan.internal.utils.,\

6
jdk/src/share/lib/security/java.security-solaris
View File

@ -153,8 +153,7 @@ package.access=sun.,\
com.sun.xml.internal.ws.,\
com.sun.imageio.,\
com.sun.istack.internal.,\
com.sun.jmx.defaults.,\
com.sun.jmx.remote.util.,\
com.sun.jmx.,\
com.sun.proxy.,\
com.sun.org.apache.xerces.internal.utils.,\
com.sun.org.apache.xalan.internal.utils.,\
@ -178,8 +177,7 @@ package.definition=sun.,\
com.sun.xml.internal.ws.,\
com.sun.imageio.,\
com.sun.istack.internal.,\
com.sun.jmx.defaults.,\
com.sun.jmx.remote.util.,\
com.sun.jmx.,\
com.sun.proxy.,\
com.sun.org.apache.xerces.internal.utils.,\
com.sun.org.apache.xalan.internal.utils.,\

6
jdk/src/share/lib/security/java.security-windows
View File

@ -152,8 +152,7 @@ package.access=sun.,\
com.sun.xml.internal.ws.,\
com.sun.imageio.,\
com.sun.istack.internal.,\
com.sun.jmx.defaults.,\
com.sun.jmx.remote.util.,\
com.sun.jmx.,\
com.sun.proxy.,\
com.sun.org.apache.xerces.internal.utils.,\
com.sun.org.apache.xalan.internal.utils.,\
@ -177,8 +176,7 @@ package.definition=sun.,\
com.sun.xml.internal.ws.,\
com.sun.imageio.,\
com.sun.istack.internal.,\
com.sun.jmx.defaults.,\
com.sun.jmx.remote.util.,\
com.sun.jmx.,\
com.sun.proxy.,\
com.sun.org.apache.xerces.internal.utils.,\
com.sun.org.apache.xalan.internal.utils.,\

6
jdk/test/javax/management/remote/mandatory/subjectDelegation/SubjectDelegation2Test.java
View File

@ -119,9 +119,6 @@ public class SubjectDelegation2Test {
System.out.println("Create SimpleStandard MBean");
SimpleStandard s = new SimpleStandard("monitorRole");
mbs.registerMBean(s, new ObjectName("MBeans:type=SimpleStandard"));
// Set Security Manager
//
System.setSecurityManager(new SecurityManager());
// Create Properties containing the username/password entries
//
Properties props = new Properties();
@ -132,6 +129,9 @@ public class SubjectDelegation2Test {
HashMap env = new HashMap();
env.put("jmx.remote.authenticator",
new JMXPluggableAuthenticator(props));
// Set Security Manager
//
System.setSecurityManager(new SecurityManager());
// Create an RMI connector server
//
System.out.println("Create an RMI connector server");

6
jdk/test/javax/management/remote/mandatory/subjectDelegation/SubjectDelegation3Test.java
View File

@ -120,9 +120,6 @@ public class SubjectDelegation3Test {
System.out.println("Create SimpleStandard MBean");
SimpleStandard s = new SimpleStandard("delegate");
mbs.registerMBean(s, new ObjectName("MBeans:type=SimpleStandard"));
// Set Security Manager
//
System.setSecurityManager(new SecurityManager());
// Create Properties containing the username/password entries
//
Properties props = new Properties();
@ -133,6 +130,9 @@ public class SubjectDelegation3Test {
HashMap env = new HashMap();
env.put("jmx.remote.authenticator",
new JMXPluggableAuthenticator(props));
// Set Security Manager
//
System.setSecurityManager(new SecurityManager());
// Create an RMI connector server
//
System.out.println("Create an RMI connector server");