--- a/jdk/src/java.base/share/conf/security/java.security Sun Oct 09 14:38:30 2016 +0300
+++ b/jdk/src/java.base/share/conf/security/java.security Wed Oct 12 12:56:35 2016 -0400
@@ -658,6 +658,36 @@
jdk.certpath.disabledAlgorithms=MD2, MD5, SHA1 jdkCA & denyAfter 2017-01-01, \
RSA keySize < 1024, DSA keySize < 1024, EC keySize < 224
+#
+# RMI Registry Serial Filter
+#
+# The filter pattern uses the same format as jdk.serialFilter.
+# This filter can override the builtin filter if additional types need to be
+# allowed or rejected from the RMI Registry.
+#
+# Note: This property is currently used by the JDK Reference implementation.
+# It is not guaranteed to be examined and used by other implementations.
+#
+#sun.rmi.registry.registryFilter=pattern;pattern
+#
+# RMI Distributed Garbage Collector (DGC) Serial Filter
+#
+# The filter pattern uses the same format as jdk.serialFilter.
+# This filter can override the builtin filter if additional types need to be
+# allowed or rejected from the RMI DGC.
+#
+# Note: This property is currently used by the JDK Reference implementation.
+# It is not guaranteed to be examined and used by other implementations.
+#
+# The builtin DGC filter can approximately be represented as the filter pattern:
+#
+#sun.rmi.transport.dgcFilter=\
+# java.rmi.server.ObjID;\
+# java.rmi.server.UID;\
+# java.rmi.dgc.VMID;\
+# java.rmi.dgc.Lease;\
+# maxdepth=5;maxarray=10000
+
# Algorithm restrictions for signed JAR files
#
# In some environments, certain algorithms or key lengths may be undesirable
--- a/jdk/src/java.rmi/share/classes/java/rmi/MarshalledObject.java Sun Oct 09 14:38:30 2016 +0300
+++ b/jdk/src/java.rmi/share/classes/java/rmi/MarshalledObject.java Wed Oct 12 12:56:35 2016 -0400
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 1997, 2013, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1997, 2016, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -29,11 +29,15 @@
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
+import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamConstants;
import java.io.OutputStream;
import java.io.Serializable;
+import java.security.AccessController;
+import java.security.PrivilegedAction;
+
import sun.rmi.server.MarshalInputStream;
import sun.rmi.server.MarshalOutputStream;
@@ -90,6 +94,9 @@
*/
private int hash;
+ /** Filter used when creating the instance from a stream; may be null. */
+ private transient ObjectInputFilter objectInputFilter = null;
+
/** Indicate compatibility with 1.2 version of class. */
private static final long serialVersionUID = 8988374069173025854L;
@@ -133,9 +140,25 @@
}
/**
+ * Reads in the state of the object and saves the stream's
+ * serialization filter to be used when the object is deserialized.
+ *
+ * @param stream the stream
+ * @throws IOException if an I/O error occurs
+ * @throws ClassNotFoundException if a class cannot be found
+ */
+ private void readObject(ObjectInputStream stream)
+ throws IOException, ClassNotFoundException {
+ stream.defaultReadObject(); // read in all fields
+ objectInputFilter = stream.getObjectInputFilter();
+ }
+
+ /**
* Returns a new copy of the contained marshalledobject. The internal
* representation is deserialized with the semantics used for
* unmarshaling parameters for RMI calls.
+ * If the MarshalledObject was read from an ObjectInputStream,
+ * the filter from that stream is used to deserialize the object.
*
* @return a copy of the contained object
* @exception IOException if an <code>IOException</code> occurs while
@@ -155,7 +178,7 @@
ByteArrayInputStream lin =
(locBytes == null ? null : new ByteArrayInputStream(locBytes));
MarshalledObjectInputStream in =
- new MarshalledObjectInputStream(bin, lin);
+ new MarshalledObjectInputStream(bin, lin, objectInputFilter);
@SuppressWarnings("unchecked")
T obj = (T) in.readObject();
in.close();
@@ -295,11 +318,21 @@
* <code>null</code>, then all annotations will be
* <code>null</code>.
*/
- MarshalledObjectInputStream(InputStream objIn, InputStream locIn)
+ MarshalledObjectInputStream(InputStream objIn, InputStream locIn,
+ ObjectInputFilter filter)
throws IOException
{
super(objIn);
this.locIn = (locIn == null ? null : new ObjectInputStream(locIn));
+ if (filter != null) {
+ AccessController.doPrivileged((PrivilegedAction<Void>) () -> {
+ MarshalledObjectInputStream.this.setObjectInputFilter(filter);
+ if (MarshalledObjectInputStream.this.locIn != null) {
+ MarshalledObjectInputStream.this.locIn.setObjectInputFilter(filter);
+ }
+ return null;
+ });
+ }
}
/**
--- a/jdk/src/java.rmi/share/classes/sun/rmi/registry/RegistryImpl.java Sun Oct 09 14:38:30 2016 +0300
+++ b/jdk/src/java.rmi/share/classes/sun/rmi/registry/RegistryImpl.java Wed Oct 12 12:56:35 2016 -0400
@@ -25,8 +25,12 @@
package sun.rmi.registry;
+import java.io.ObjectInputFilter;
import java.nio.file.Path;
import java.nio.file.Paths;
+import java.rmi.server.LogStream;
+import java.security.PrivilegedAction;
+import java.security.Security;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.Hashtable;
@@ -39,7 +43,6 @@
import java.net.*;
import java.rmi.*;
import java.rmi.server.ObjID;
-import java.rmi.server.RemoteServer;
import java.rmi.server.ServerNotActiveException;
import java.rmi.registry.Registry;
import java.rmi.server.RMIClientSocketFactory;
@@ -54,12 +57,12 @@
import java.security.Permissions;
import java.security.ProtectionDomain;
import java.text.MessageFormat;
-import sun.rmi.server.LoaderHandler;
+
+import sun.rmi.runtime.Log;
+import sun.rmi.server.UnicastRef;
import sun.rmi.server.UnicastServerRef;
import sun.rmi.server.UnicastServerRef2;
import sun.rmi.transport.LiveRef;
-import sun.rmi.transport.ObjectTable;
-import sun.rmi.transport.Target;
/**
* A "registry" exists on every node that allows RMI connections to
@@ -91,6 +94,48 @@
private static ResourceBundle resources = null;
/**
+ * Property name of the RMI Registry serial filter to augment
+ * the built-in list of allowed types.
+ * Setting the property in the {@code conf/security/java.security} file
+ * will enable the augmented filter.
+ */
+ private static final String REGISTRY_FILTER_PROPNAME = "sun.rmi.registry.registryFilter";
+
+ /** Registry max depth of remote invocations. **/
+ private static int REGISTRY_MAX_DEPTH = 5;
+
+ /** Registry maximum array size in remote invocations. **/
+ private static int REGISTRY_MAX_ARRAY_SIZE = 10000;
+
+ /**
+ * The registryFilter created from the value of the {@code "sun.rmi.registry.registryFilter"}
+ * property.
+ */
+ private static final ObjectInputFilter registryFilter =
+ AccessController.doPrivileged((PrivilegedAction<ObjectInputFilter>)RegistryImpl::initRegistryFilter);
+
+ /**
+ * Initialize the registryFilter from the security properties or system property; if any
+ * @return an ObjectInputFilter, or null
+ */
+ @SuppressWarnings("deprecation")
+ private static ObjectInputFilter initRegistryFilter() {
+ ObjectInputFilter filter = null;
+ String props = System.getProperty(REGISTRY_FILTER_PROPNAME);
+ if (props == null) {
+ props = Security.getProperty(REGISTRY_FILTER_PROPNAME);
+ }
+ if (props != null) {
+ filter = ObjectInputFilter.Config.createFilter(props);
+ Log regLog = Log.getLog("sun.rmi.registry", "registry", -1);
+ if (regLog.isLoggable(Log.BRIEF)) {
+ regLog.log(Log.BRIEF, "registryFilter = " + filter);
+ }
+ }
+ return filter;
+ }
+
+ /**
* Construct a new RegistryImpl on the specified port with the
* given custom socket factory pair.
*/
@@ -105,7 +150,7 @@
AccessController.doPrivileged(new PrivilegedExceptionAction<Void>() {
public Void run() throws RemoteException {
LiveRef lref = new LiveRef(id, port, csf, ssf);
- setup(new UnicastServerRef2(lref));
+ setup(new UnicastServerRef2(lref, RegistryImpl::registryFilter));
return null;
}
}, null, new SocketPermission("localhost:"+port, "listen,accept"));
@@ -114,7 +159,7 @@
}
} else {
LiveRef lref = new LiveRef(id, port, csf, ssf);
- setup(new UnicastServerRef2(lref));
+ setup(new UnicastServerRef2(lref, RegistryImpl::registryFilter));
}
}
@@ -130,7 +175,7 @@
AccessController.doPrivileged(new PrivilegedExceptionAction<Void>() {
public Void run() throws RemoteException {
LiveRef lref = new LiveRef(id, port);
- setup(new UnicastServerRef(lref));
+ setup(new UnicastServerRef(lref, RegistryImpl::registryFilter));
return null;
}
}, null, new SocketPermission("localhost:"+port, "listen,accept"));
@@ -139,7 +184,7 @@
}
} else {
LiveRef lref = new LiveRef(id, port);
- setup(new UnicastServerRef(lref));
+ setup(new UnicastServerRef(lref, RegistryImpl::registryFilter));
}
}
@@ -362,6 +407,60 @@
}
/**
+ * ObjectInputFilter to filter Registry input objects.
+ * The list of acceptable classes is limited to classes normally
+ * stored in a registry.
+ *
+ * @param filterInfo access to the class, array length, etc.
+ * @return {@link ObjectInputFilter.Status#ALLOWED} if allowed,
+ * {@link ObjectInputFilter.Status#REJECTED} if rejected,
+ * otherwise {@link ObjectInputFilter.Status#UNDECIDED}
+ */
+ private static ObjectInputFilter.Status registryFilter(ObjectInputFilter.FilterInfo filterInfo) {
+ if (registryFilter != null) {
+ ObjectInputFilter.Status status = registryFilter.checkInput(filterInfo);
+ if (status != ObjectInputFilter.Status.UNDECIDED) {
+ // The Registry filter can override the built-in white-list
+ return status;
+ }
+ }
+
+ if (filterInfo.depth() > REGISTRY_MAX_DEPTH) {
+ return ObjectInputFilter.Status.REJECTED;
+ }
+ Class<?> clazz = filterInfo.serialClass();
+ if (clazz != null) {
+ if (clazz.isArray()) {
+ if (filterInfo.arrayLength() >= 0 && filterInfo.arrayLength() > REGISTRY_MAX_ARRAY_SIZE) {
+ return ObjectInputFilter.Status.REJECTED;
+ }
+ do {
+ // Arrays are allowed depending on the component type
+ clazz = clazz.getComponentType();
+ } while (clazz.isArray());
+ }
+ if (clazz.isPrimitive()) {
+ // Arrays of primitives are allowed
+ return ObjectInputFilter.Status.ALLOWED;
+ }
+ if (String.class == clazz
+ || java.lang.Number.class.isAssignableFrom(clazz)
+ || Remote.class.isAssignableFrom(clazz)
+ || java.lang.reflect.Proxy.class.isAssignableFrom(clazz)
+ || UnicastRef.class.isAssignableFrom(clazz)
+ || RMIClientSocketFactory.class.isAssignableFrom(clazz)
+ || RMIServerSocketFactory.class.isAssignableFrom(clazz)
+ || java.rmi.activation.ActivationID.class.isAssignableFrom(clazz)
+ || java.rmi.server.UID.class.isAssignableFrom(clazz)) {
+ return ObjectInputFilter.Status.ALLOWED;
+ } else {
+ return ObjectInputFilter.Status.REJECTED;
+ }
+ }
+ return ObjectInputFilter.Status.UNDECIDED;
+ }
+
+ /**
* Return a new RegistryImpl on the requested port and export it to serve
* registry requests. A classloader is initialized from the system property
* "env.class.path" and a security manager is set unless one is already set.
--- a/jdk/src/java.rmi/share/classes/sun/rmi/runtime/Log.java Sun Oct 09 14:38:30 2016 +0300
+++ b/jdk/src/java.rmi/share/classes/sun/rmi/runtime/Log.java Wed Oct 12 12:56:35 2016 -0400
@@ -232,6 +232,11 @@
}
}
+ public String toString() {
+ return logger.toString() + ", level: " + logger.getLevel() +
+ ", name: " + logger.getName();
+ }
+
/**
* Set the output stream associated with the RMI server call
* logger.
--- a/jdk/src/java.rmi/share/classes/sun/rmi/transport/DGCImpl.java Sun Oct 09 14:38:30 2016 +0300
+++ b/jdk/src/java.rmi/share/classes/sun/rmi/transport/DGCImpl.java Wed Oct 12 12:56:35 2016 -0400
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 1996, 2015, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1996, 2016, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -24,6 +24,7 @@
*/
package sun.rmi.transport;
+import java.io.ObjectInputFilter;
import java.net.SocketPermission;
import java.rmi.Remote;
import java.rmi.RemoteException;
@@ -34,11 +35,13 @@
import java.rmi.server.ObjID;
import java.rmi.server.RemoteServer;
import java.rmi.server.ServerNotActiveException;
+import java.rmi.server.UID;
import java.security.AccessControlContext;
import java.security.AccessController;
import java.security.Permissions;
import java.security.PrivilegedAction;
import java.security.ProtectionDomain;
+import java.security.Security;
import java.util.ArrayList;
import java.util.HashSet;
import java.util.HashMap;
@@ -100,6 +103,46 @@
}
/**
+ * Property name of the DGC serial filter to augment
+ * the built-in list of allowed types.
+ * Setting the property in the {@code conf/security/java.security} file
+ * or system property will enable the augmented filter.
+ */
+ private static final String DGC_FILTER_PROPNAME = "sun.rmi.transport.dgcFilter";
+
+ /** Registry max depth of remote invocations. **/
+ private static int DGC_MAX_DEPTH = 5;
+
+ /** Registry maximum array size in remote invocations. **/
+ private static int DGC_MAX_ARRAY_SIZE = 10000;
+
+ /**
+ * The dgcFilter created from the value of the {@code "sun.rmi.transport.dgcFilter"}
+ * property.
+ */
+ private static final ObjectInputFilter dgcFilter =
+ AccessController.doPrivileged((PrivilegedAction<ObjectInputFilter>)DGCImpl::initDgcFilter);
+
+ /**
+ * Initialize the dgcFilter from the security properties or system property; if any
+ * @return an ObjectInputFilter, or null
+ */
+ private static ObjectInputFilter initDgcFilter() {
+ ObjectInputFilter filter = null;
+ String props = System.getProperty(DGC_FILTER_PROPNAME);
+ if (props == null) {
+ props = Security.getProperty(DGC_FILTER_PROPNAME);
+ }
+ if (props != null) {
+ filter = ObjectInputFilter.Config.createFilter(props);
+ if (dgcLog.isLoggable(Log.BRIEF)) {
+ dgcLog.log(Log.BRIEF, "dgcFilter = " + filter);
+ }
+ }
+ return filter;
+ }
+
+ /**
* Construct a new server-side remote object collector at
* a particular port. Disallow construction from outside.
*/
@@ -293,7 +336,8 @@
dgc = new DGCImpl();
ObjID dgcID = new ObjID(ObjID.DGC_ID);
LiveRef ref = new LiveRef(dgcID, 0);
- UnicastServerRef disp = new UnicastServerRef(ref);
+ UnicastServerRef disp = new UnicastServerRef(ref,
+ DGCImpl::checkInput);
Remote stub =
Util.createProxy(DGCImpl.class,
new UnicastRef(ref), true);
@@ -324,6 +368,53 @@
});
}
+ /**
+ * ObjectInputFilter to filter DGC input objects.
+ * The list of acceptable classes is very short and explicit.
+ * The depth and array sizes are limited.
+ *
+ * @param filterInfo access to class, arrayLength, etc.
+ * @return {@link ObjectInputFilter.Status#ALLOWED} if allowed,
+ * {@link ObjectInputFilter.Status#REJECTED} if rejected,
+ * otherwise {@link ObjectInputFilter.Status#UNDECIDED}
+ */
+ private static ObjectInputFilter.Status checkInput(ObjectInputFilter.FilterInfo filterInfo) {
+ if (dgcFilter != null) {
+ ObjectInputFilter.Status status = dgcFilter.checkInput(filterInfo);
+ if (status != ObjectInputFilter.Status.UNDECIDED) {
+ // The DGC filter can override the built-in white-list
+ return status;
+ }
+ }
+
+ if (filterInfo.depth() > DGC_MAX_DEPTH) {
+ return ObjectInputFilter.Status.REJECTED;
+ }
+ Class<?> clazz = filterInfo.serialClass();
+ if (clazz != null) {
+ while (clazz.isArray()) {
+ if (filterInfo.arrayLength() >= 0 && filterInfo.arrayLength() > DGC_MAX_ARRAY_SIZE) {
+ return ObjectInputFilter.Status.REJECTED;
+ }
+ // Arrays are allowed depending on the component type
+ clazz = clazz.getComponentType();
+ }
+ if (clazz.isPrimitive()) {
+ // Arrays of primitives are allowed
+ return ObjectInputFilter.Status.ALLOWED;
+ }
+ return (clazz == ObjID.class ||
+ clazz == UID.class ||
+ clazz == VMID.class ||
+ clazz == Lease.class)
+ ? ObjectInputFilter.Status.ALLOWED
+ : ObjectInputFilter.Status.REJECTED;
+ }
+ // Not a class, not size limited
+ return ObjectInputFilter.Status.UNDECIDED;
+ }
+
+
private static class LeaseInfo {
VMID vmid;
long expiration;
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/jdk/test/java/rmi/MarshalledObject/MOFilterTest.java Wed Oct 12 12:56:35 2016 -0400
@@ -0,0 +1,140 @@
+/*
+ * Copyright (c) 2016, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+import java.io.ByteArrayInputStream;
+import java.io.ByteArrayOutputStream;
+import java.io.IOException;
+import java.io.InvalidClassException;
+import java.io.ObjectInput;
+import java.io.ObjectInputStream;
+import java.io.ObjectInputFilter;
+import java.io.ObjectOutputStream;
+import java.io.Serializable;
+import java.rmi.MarshalledObject;
+import java.util.Objects;
+
+
+import org.testng.Assert;
+import org.testng.annotations.Test;
+import org.testng.annotations.DataProvider;
+
+/* @test
+ * @run testng/othervm MOFilterTest
+ *
+ * @summary Test MarshalledObject applies ObjectInputFilter
+ */
+@Test
+public class MOFilterTest {
+
+ /**
+ * Two cases are tested.
+ * The filter = null and a filter set to verify the calls to the filter.
+ * @return array objects with test parameters for each test case
+ */
+ @DataProvider(name = "FilterCases")
+ public static Object[][] filterCases() {
+ return new Object[][] {
+ {true}, // run the test with the filter
+ {false}, // run the test without the filter
+
+ };
+ }
+
+ /**
+ * Test that MarshalledObject inherits the ObjectInputFilter from
+ * the stream it was deserialized from.
+ */
+ @Test(dataProvider="FilterCases")
+ static void delegatesToMO(boolean withFilter) {
+ try {
+ Serializable testobj = Integer.valueOf(5);
+ MarshalledObject<Serializable> mo = new MarshalledObject<>(testobj);
+ Assert.assertEquals(mo.get(), testobj, "MarshalledObject.get returned a non-equals test object");
+
+ byte[] bytes = writeObjects(mo);
+
+ try (ByteArrayInputStream bais = new ByteArrayInputStream(bytes);
+ ObjectInputStream ois = new ObjectInputStream(bais)) {
+
+ CountingFilter filter1 = new CountingFilter();
+ ois.setObjectInputFilter(withFilter ? filter1 : null);
+ MarshalledObject<?> actualMO = (MarshalledObject<?>)ois.readObject();
+ int count = filter1.getCount();
+
+ actualMO.get();
+ int expectedCount = withFilter ? count + 2 : count;
+ int actualCount = filter1.getCount();
+ Assert.assertEquals(actualCount, expectedCount, "filter called wrong number of times during get()");
+ }
+ } catch (IOException ioe) {
+ Assert.fail("Unexpected IOException", ioe);
+ } catch (ClassNotFoundException cnf) {
+ Assert.fail("Deserializing", cnf);
+ }
+ }
+
+ /**
+ * Write objects and return a byte array with the bytes.
+ *
+ * @param objects zero or more objects to serialize
+ * @return the byte array of the serialized objects
+ * @throws IOException if an exception occurs
+ */
+ static byte[] writeObjects(Object... objects) throws IOException {
+ byte[] bytes;
+ try (ByteArrayOutputStream baos = new ByteArrayOutputStream();
+ ObjectOutputStream oos = new ObjectOutputStream(baos)) {
+ for (Object o : objects) {
+ oos.writeObject(o);
+ }
+ bytes = baos.toByteArray();
+ }
+ return bytes;
+ }
+
+
+ static class CountingFilter implements ObjectInputFilter {
+
+ private int count; // count of calls to the filter
+
+ CountingFilter() {
+ count = 0;
+ }
+
+ int getCount() {
+ return count;
+ }
+
+ /**
+ * Filter that rejects class Integer and allows others
+ *
+ * @param filterInfo access to the class, arrayLength, etc.
+ * @return {@code STATUS.REJECTED}
+ */
+ public ObjectInputFilter.Status checkInput(FilterInfo filterInfo) {
+ count++;
+ return ObjectInputFilter.Status.ALLOWED;
+ }
+ }
+
+}
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/jdk/test/java/rmi/registry/serialFilter/RegistryFilterTest.java Wed Oct 12 12:56:35 2016 -0400
@@ -0,0 +1,186 @@
+/*
+ * Copyright (c) 2016, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+import java.io.ByteArrayInputStream;
+import java.io.ByteArrayOutputStream;
+import java.io.IOException;
+import java.io.ObjectOutputStream;
+import java.io.Serializable;
+
+import java.nio.file.Files;
+import java.nio.file.Path;
+import java.nio.file.Paths;
+import java.rmi.MarshalledObject;
+import java.rmi.NotBoundException;
+import java.rmi.Remote;
+import java.rmi.RemoteException;
+import java.rmi.AlreadyBoundException;
+import java.rmi.registry.LocateRegistry;
+import java.rmi.registry.Registry;
+import java.util.Objects;
+import java.security.Security;
+
+import org.testng.Assert;
+import org.testng.TestNG;
+import org.testng.annotations.BeforeSuite;
+import org.testng.annotations.DataProvider;
+import org.testng.annotations.Test;
+
+/*
+ * @test
+ * @library /java/rmi/testlibrary
+ * @modules java.rmi/sun.rmi.registry
+ * java.rmi/sun.rmi.server
+ * java.rmi/sun.rmi.transport
+ * java.rmi/sun.rmi.transport.tcp
+ * @build TestLibrary
+ * @summary Test filters for the RMI Registry
+ * @run testng/othervm RegistryFilterTest
+ * @run testng/othervm
+ * -Dsun.rmi.registry.registryFilter=!java.lang.Long;!RegistryFilterTest$RejectableClass
+ * RegistryFilterTest
+ * @run testng/othervm/policy=security.policy
+ * -Djava.security.properties=${test.src}/java.security-extra1
+ * RegistryFilterTest
+ */
+public class RegistryFilterTest {
+ private static Registry impl;
+ private static int port;
+ private static Registry registry;
+
+ static final int REGISTRY_MAX_ARRAY = 10000;
+
+ static final String registryFilter =
+ System.getProperty("sun.rmi.registry.registryFilter",
+ Security.getProperty("sun.rmi.registry.registryFilter"));
+
+ @DataProvider(name = "bindAllowed")
+ static Object[][] bindAllowedObjects() {
+ Object[][] objects = {
+ };
+ return objects;
+ }
+
+ /**
+ * Data RMI Regiry bind test.
+ * - name
+ * - Object
+ * - true/false if object is blacklisted by a filter (implicit or explicit)
+ * @return array of test data
+ */
+ @DataProvider(name = "bindData")
+ static Object[][] bindObjects() {
+ Object[][] data = {
+ { "byte[max]", new XX(new byte[REGISTRY_MAX_ARRAY]), false },
+ { "String", new XX("now is the time"), false},
+ { "String[]", new XX(new String[3]), false},
+ { "Long[4]", new XX(new Long[4]), registryFilter != null },
+ { "rej-byte[toobig]", new XX(new byte[REGISTRY_MAX_ARRAY + 1]), true },
+ { "rej-MarshalledObject", createMarshalledObject(), true },
+ { "rej-RejectableClass", new RejectableClass(), registryFilter != null},
+ };
+ return data;
+ }
+
+ static XX createMarshalledObject() {
+ try {
+ return new XX(new MarshalledObject<>(null));
+ } catch (IOException ioe) {
+ return new XX(ioe);
+ }
+ }
+
+ @BeforeSuite
+ static void setupRegistry() {
+ try {
+ impl = TestLibrary.createRegistryOnEphemeralPort();
+ port = TestLibrary.getRegistryPort(impl);
+ registry = LocateRegistry.getRegistry("localhost", port);
+ } catch (RemoteException ex) {
+ Assert.fail("initialization of registry", ex);
+ }
+
+ System.out.printf("RMI Registry filter: %s%n", registryFilter);
+ }
+
+
+ /*
+ * Test registry rejects an object with the max array size + 1.
+ */
+ @Test(dataProvider="bindData")
+ public void simpleBind(String name, Remote obj, boolean blacklisted) throws RemoteException, AlreadyBoundException, NotBoundException {
+ try {
+ registry.bind(name, obj);
+ Assert.assertFalse(blacklisted, "Registry filter did not reject (but should have) ");
+ registry.unbind(name);
+ } catch (Exception rex) {
+ Assert.assertTrue(blacklisted, "Registry filter should not have rejected");
+ }
+ }
+
+ /*
+ * Test registry rejects an object with a well known class
+ * if blacklisted in the security properties.
+ */
+ @Test
+ public void simpleRejectableClass() throws RemoteException, AlreadyBoundException, NotBoundException {
+ RejectableClass r1 = null;
+ try {
+ String name = "reject1";
+ r1 = new RejectableClass();
+ registry.bind(name, r1);
+ registry.unbind(name);
+ Assert.assertNull(registryFilter, "Registry filter should not have rejected");
+ } catch (Exception rex) {
+ Assert.assertNotNull(registryFilter, "Registry filter should have rejected");
+ }
+ }
+
+ /**
+ * A simple Serializable Remote object that is passed by value.
+ * It and its contents are checked by the Registry serial filter.
+ */
+ static class XX implements Serializable, Remote {
+ private static final long serialVersionUID = 362498820763181265L;
+
+ final Object obj;
+
+ XX(Object obj) {
+ this.obj = obj;
+ }
+
+ public String toString() {
+ return super.toString() + "//" + Objects.toString(obj);
+ }
+ }
+ /**
+ * A simple Serializable Remote object that is passed by value.
+ * It and its contents are checked by the Registry serial filter.
+ */
+ static class RejectableClass implements Serializable, Remote {
+ private static final long serialVersionUID = 362498820763181264L;
+
+ RejectableClass() {}
+ }
+
+}
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/jdk/test/java/rmi/registry/serialFilter/java.security-extra1 Wed Oct 12 12:56:35 2016 -0400
@@ -0,0 +1,9 @@
+# RMI Registry Input Serial Filter
+#
+# The filter pattern uses the same format as java.io.ObjectInputStream.serialFilter.
+# This filter can override the builtin filter if additional types need to be
+# allowed or rejected from the RMI Registry.
+#
+#sun.rmi.registry.registryFilter=pattern,pattern
+sun.rmi.registry.registryFilter=!java.lang.Long;!RegistryFilterTest$RejectableClass
+
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/jdk/test/java/rmi/registry/serialFilter/security.policy Wed Oct 12 12:56:35 2016 -0400
@@ -0,0 +1,4 @@
+grant {
+ permission java.security.AllPermission;
+};
+