8008128: Better API coherence for JMX
authorjfdenise
Wed, 27 Mar 2013 09:59:17 +0100
changeset 18207 64dcc0ad2298
parent 18206 136373d8d805
child 18208 5c6150ffbc80
8008128: Better API coherence for JMX Summary: Permission for getting classloader Reviewed-by: alanb, dfuchs, skoivu Contributed-by: jean-francois.denise@oracle.com
jdk/src/share/classes/com/sun/jmx/mbeanserver/ClassLoaderRepositorySupport.java
jdk/src/share/classes/com/sun/jmx/mbeanserver/MBeanInstantiator.java
--- a/jdk/src/share/classes/com/sun/jmx/mbeanserver/ClassLoaderRepositorySupport.java	Tue Mar 26 08:32:16 2013 +0100
+++ b/jdk/src/share/classes/com/sun/jmx/mbeanserver/ClassLoaderRepositorySupport.java	Wed Mar 27 09:59:17 2013 +0100
@@ -27,12 +27,14 @@
 
 
 import static com.sun.jmx.defaults.JmxProperties.MBEANSERVER_LOGGER;
+import java.security.Permission;
 import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.Hashtable;
 import java.util.List;
 import java.util.Map;
 import java.util.logging.Level;
+import javax.management.MBeanPermission;
 
 import javax.management.ObjectName;
 import javax.management.loading.PrivateClassLoader;
@@ -300,7 +302,19 @@
     }
 
     public final ClassLoader getClassLoader(ObjectName name) {
-        return loadersWithNames.get(name);
+        ClassLoader instance = loadersWithNames.get(name);
+        if (instance != null) {
+            SecurityManager sm = System.getSecurityManager();
+            if (sm != null) {
+                Permission perm =
+                        new MBeanPermission(instance.getClass().getName(),
+                        null,
+                        name,
+                        "getClassLoader");
+                sm.checkPermission(perm);
+            }
+        }
+        return instance;
     }
 
 }
--- a/jdk/src/share/classes/com/sun/jmx/mbeanserver/MBeanInstantiator.java	Tue Mar 26 08:32:16 2013 +0100
+++ b/jdk/src/share/classes/com/sun/jmx/mbeanserver/MBeanInstantiator.java	Wed Mar 27 09:59:17 2013 +0100
@@ -33,7 +33,12 @@
 import java.lang.reflect.Constructor;
 import java.lang.reflect.InvocationTargetException;
 import java.lang.reflect.Modifier;
+import java.security.AccessControlContext;
+import java.security.AccessController;
 import java.security.Permission;
+import java.security.Permissions;
+import java.security.PrivilegedAction;
+import java.security.ProtectionDomain;
 import java.util.Map;
 import java.util.logging.Level;
 
@@ -127,9 +132,8 @@
 
         // Retrieve the class loader from the repository
         ClassLoader loader = null;
-        synchronized(this) {
-            if (clr!=null)
-                loader = clr.getClassLoader(aLoader);
+        synchronized (this) {
+            loader = getClassLoader(aLoader);
         }
         if (loader == null) {
             throw new InstanceNotFoundException("The loader named " +
@@ -429,8 +433,7 @@
             try {
                 ClassLoader instance = null;
 
-                if (clr!=null)
-                    instance = clr.getClassLoader(loaderName);
+                instance = getClassLoader(loaderName);
                 if (instance == null)
                     throw new ClassNotFoundException(className);
                 theClass = Class.forName(className, false, instance);
@@ -762,4 +765,22 @@
             throw new IllegalAccessException("Class is not public and can't be instantiated");
         }
     }
+
+    private ClassLoader getClassLoader(final ObjectName name) {
+        if(clr == null){
+            return null;
+        }
+        // Restrict to getClassLoader permission only
+        Permissions permissions = new Permissions();
+        permissions.add(new MBeanPermission("*", null, name, "getClassLoader"));
+        ProtectionDomain protectionDomain = new ProtectionDomain(null, permissions);
+        ProtectionDomain[] domains = {protectionDomain};
+        AccessControlContext ctx = new AccessControlContext(domains);
+        ClassLoader loader = AccessController.doPrivileged(new PrivilegedAction<ClassLoader>() {
+            public ClassLoader run() {
+                return clr.getClassLoader(name);
+            }
+        }, ctx);
+        return loader;
+    }
 }