8008128: Better API coherence for JMX
Summary: Permission for getting classloader
Reviewed-by: alanb, dfuchs, skoivu
Contributed-by: jean-francois.denise@oracle.com
--- a/jdk/src/share/classes/com/sun/jmx/mbeanserver/ClassLoaderRepositorySupport.java Tue Mar 26 08:32:16 2013 +0100
+++ b/jdk/src/share/classes/com/sun/jmx/mbeanserver/ClassLoaderRepositorySupport.java Wed Mar 27 09:59:17 2013 +0100
@@ -27,12 +27,14 @@
import static com.sun.jmx.defaults.JmxProperties.MBEANSERVER_LOGGER;
+import java.security.Permission;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Hashtable;
import java.util.List;
import java.util.Map;
import java.util.logging.Level;
+import javax.management.MBeanPermission;
import javax.management.ObjectName;
import javax.management.loading.PrivateClassLoader;
@@ -300,7 +302,19 @@
}
public final ClassLoader getClassLoader(ObjectName name) {
- return loadersWithNames.get(name);
+ ClassLoader instance = loadersWithNames.get(name);
+ if (instance != null) {
+ SecurityManager sm = System.getSecurityManager();
+ if (sm != null) {
+ Permission perm =
+ new MBeanPermission(instance.getClass().getName(),
+ null,
+ name,
+ "getClassLoader");
+ sm.checkPermission(perm);
+ }
+ }
+ return instance;
}
}
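Review bot: `getClassLoader(ObjectName)` can now throw `SecurityException`, but nothing in this hunk documents that for callers of a public final method. I would add Javadoc along the lines of `@throws SecurityException if a security manager is installed and the caller lacks MBeanPermission(<loader class>, null, name, "getClassLoader")`. A one-line comment should also say that the check runs only after a successful lookup, because the permission target needs the loader's class name. As a result an unregistered name still returns `null` with no check, so a caller without the permission can tell registered from unregistered names by exception versus `null`. Any existing Javadoc for the method is outside the hunk.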
--- a/jdk/src/share/classes/com/sun/jmx/mbeanserver/MBeanInstantiator.java Tue Mar 26 08:32:16 2013 +0100
+++ b/jdk/src/share/classes/com/sun/jmx/mbeanserver/MBeanInstantiator.java Wed Mar 27 09:59:17 2013 +0100
@@ -33,7 +33,12 @@
import java.lang.reflect.Constructor;
import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Modifier;
+import java.security.AccessControlContext;
+import java.security.AccessController;
import java.security.Permission;
+import java.security.Permissions;
+import java.security.PrivilegedAction;
+import java.security.ProtectionDomain;
import java.util.Map;
import java.util.logging.Level;
@@ -127,9 +132,8 @@
// Retrieve the class loader from the repository
ClassLoader loader = null;
- synchronized(this) {
- if (clr!=null)
- loader = clr.getClassLoader(aLoader);
+ synchronized (this) {
+ loader = getClassLoader(aLoader);
}
if (loader == null) {
throw new InstanceNotFoundException("The loader named " +
@@ -429,8 +433,7 @@
try {
ClassLoader instance = null;
- if (clr!=null)
- instance = clr.getClassLoader(loaderName);
+ instance = getClassLoader(loaderName);
if (instance == null)
throw new ClassNotFoundException(className);
theClass = Class.forName(className, false, instance);
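Review bot: `ClassLoader instance = null;` followed immediately by `instance = getClassLoader(loaderName);` leaves a dead initializer now that the `clr != null` guard has moved into the helper; `ClassLoader instance = getClassLoader(loaderName);` says the same in one line. Separately, the call in the previous hunk (`loader = getClassLoader(aLoader);`) runs under `synchronized (this)` while this one does not. If `clr` can change after construction the two sites should agree, and if it cannot the lock is unnecessary; the field declaration is not visible here, so this needs confirming. The enclosing method starts and ends outside the hunk.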
@@ -762,4 +765,22 @@
throw new IllegalAccessException("Class is not public and can't be instantiated");
}
}
+
+ private ClassLoader getClassLoader(final ObjectName name) {
+ if(clr == null){
+ return null;
+ }
+ // Restrict to getClassLoader permission only
+ Permissions permissions = new Permissions();
+ permissions.add(new MBeanPermission("*", null, name, "getClassLoader"));
+ ProtectionDomain protectionDomain = new ProtectionDomain(null, permissions);
+ ProtectionDomain[] domains = {protectionDomain};
+ AccessControlContext ctx = new AccessControlContext(domains);
+ ClassLoader loader = AccessController.doPrivileged(new PrivilegedAction<ClassLoader>() {
+ public ClassLoader run() {
+ return clr.getClassLoader(name);
+ }
+ }, ctx);
+ return loader;
+ }
}
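Review bot: The comment `// Restrict to getClassLoader permission only` understates what the two-argument `doPrivileged` does in the new private `getClassLoader` helper. Under the usual `AccessController` semantics, the check made inside `clr.getClassLoader(name)` is evaluated against this class's own domain intersected with `ctx`, not against the code that called into `MBeanInstantiator`. The helper therefore performs the lookup on behalf of any caller, so whatever authorization is intended must happen at the entry points that reach it, which are outside this hunk. I would replace the comment with `// Asserts MBeanPermission("*", null, name, "getClassLoader") on the caller's behalf; the caller's own permissions are NOT checked here, so entry points must authorize first.` Two smaller style points: `run()` should carry `@Override`, and `if(clr == null){` should follow the spacing used elsewhere in the patch (`if (sm != null) {`).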