archive/jdk
1
0
Fork 0
mirror of https://github.com/openjdk/jdk.git synced 2025-08-28 15:24:43 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions

8333344: JMX attaching of Subject does not work when security manager not allowed

Browse source 
Reviewed-by: weijun, dfuchs
This commit is contained in:
Kevin Walls 2024-06-19 16:35:20 +00:00
parent 856931d01f
commit bcf4bb4882
17 changed files with 162 additions and 49 deletions
Download patch file Download diff file Expand all files Collapse all files

91
src/java.management.rmi/share/classes/javax/management/remote/rmi/RMIConnectionImpl.java
View file

@ -46,6 +46,7 @@ import javax.management.*;
import javax.management.remote.JMXServerErrorException;
import javax.management.remote.NotificationResult;
import javax.security.auth.Subject;
import jdk.internal.access.SharedSecrets;
import sun.reflect.misc.ReflectUtil;
import static javax.management.remote.rmi.RMIConnector.Util.cast;
@ -108,14 +109,19 @@ public class RMIConnectionImpl implements RMIConnection, Unreferenced {
this.rmiServer = rmiServer;
this.connectionId = connectionId;
this.defaultClassLoader = defaultClassLoader;
this.subject = subject;
if (subject == null) {
this.acc = null;
} else {
// An authenticated Subject was provided.
// Subject Delegation has been removed.
this.acc = JMXSubjectDomainCombiner.getContext(subject);
if (SharedSecrets.getJavaLangAccess().allowSecurityManager()) {
// SM is allowed. Will use ACC created with Subject:
this.acc = JMXSubjectDomainCombiner.getContext(subject);
} else {
this.acc = null;
}
}
this.mbeanServer = rmiServer.getMBeanServer();
@ -1292,10 +1298,21 @@ public class RMIConnectionImpl implements RMIConnection, Unreferenced {
return getServerNotifFwd().fetchNotifs(csn, t, mn);
}
};
if (acc == null)
return action.run();
else
return AccessController.doPrivileged(action, acc);
if (!SharedSecrets.getJavaLangAccess().allowSecurityManager()) {
// Modern case
if (subject == null) {
return action.run();
} else {
return Subject.doAs(subject, action);
}
} else {
// SM permitted
if (acc == null) {
return action.run(); // No Subject or ACC
} else {
return AccessController.doPrivileged(action, acc);
}
}
} finally {
serverCommunicatorAdmin.rspOutgoing();
}
@ -1411,16 +1428,36 @@ public class RMIConnectionImpl implements RMIConnection, Unreferenced {
serverCommunicatorAdmin.reqIncoming();
try {
PrivilegedOperation op = new PrivilegedOperation(operation, params);
if (acc == null) {
try {
return op.run();
} catch (Exception e) {
if (e instanceof RuntimeException)
throw (RuntimeException) e;
throw new PrivilegedActionException(e);
if (!SharedSecrets.getJavaLangAccess().allowSecurityManager()) {
// Modern case
if (subject == null) {
try {
return op.run();
} catch (Exception e) {
if (e instanceof RuntimeException) {
throw (RuntimeException) e;
} else {
throw new PrivilegedActionException(e);
}
}
} else {
return Subject.doAs(subject, op);
}
} else {
return AccessController.doPrivileged(op, acc);
// SM permitted
if (acc == null) {
try {
return op.run();
} catch (Exception e) {
if (e instanceof RuntimeException) {
throw (RuntimeException) e;
} else {
throw new PrivilegedActionException(e);
}
}
} else {
return AccessController.doPrivileged(op, acc);
}
}
} catch (Error e) {
throw new JMXServerErrorException(e.toString(),e);
@ -1585,15 +1622,25 @@ public class RMIConnectionImpl implements RMIConnection, Unreferenced {
}
try {
final ClassLoader old = AccessController.doPrivileged(new SetCcl(cl));
try{
if (acc != null) {
return AccessController.doPrivileged(
(PrivilegedExceptionAction<T>) () ->
wrappedClass.cast(mo.get()), acc);
}else{
return wrappedClass.cast(mo.get());
try {
if (!SharedSecrets.getJavaLangAccess().allowSecurityManager()) {
// Modern case
if (subject != null) {
return Subject.doAs(subject, (PrivilegedExceptionAction<T>) () -> wrappedClass.cast(mo.get()));
} else {
return wrappedClass.cast(mo.get());
}
} else {
// SM permitted
if (acc != null) {
return AccessController.doPrivileged(
(PrivilegedExceptionAction<T>) () ->
wrappedClass.cast(mo.get()), acc);
} else {
return wrappedClass.cast(mo.get());
}
}
}finally{
} finally {
AccessController.doPrivileged(new SetCcl(old));
}
} catch (PrivilegedActionException pe) {