8326666: Remove the Java Management Extension (JMX) Subject Delegation feature

Reviewed-by: mchung, dfuchs
kevinjwalls committed Apr 4, 2024
1 parent d90e5b5 commit 6382a12
Showing 35 changed files with 394 additions and 1,812 deletions.

@@ -1,5 +1,5 @@
/*
* Copyright (c) 2002, 2022, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2002, 2024, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
Expand Down Expand Up @@ -52,7 +52,6 @@
import com.sun.jmx.remote.internal.ServerCommunicatorAdmin;
import com.sun.jmx.remote.internal.ServerNotifForwarder;
import com.sun.jmx.remote.security.JMXSubjectDomainCombiner;
import com.sun.jmx.remote.security.SubjectDelegator;
import com.sun.jmx.remote.util.ClassLoaderWithRepository;
import com.sun.jmx.remote.util.ClassLogger;
import com.sun.jmx.remote.util.EnvHelp;
Expand Down Expand Up @@ -110,21 +109,13 @@ public RMIConnectionImpl(RMIServerImpl rmiServer,
this.connectionId = connectionId;
this.defaultClassLoader = defaultClassLoader;

this.subjectDelegator = new SubjectDelegator();
this.subject = subject;
if (subject == null) {
this.acc = null;
this.removeCallerContext = false;
} else {
this.removeCallerContext =
SubjectDelegator.checkRemoveCallerContext(subject);
if (this.removeCallerContext) {
this.acc =
JMXSubjectDomainCombiner.getDomainCombinerContext(subject);
} else {
this.acc =
JMXSubjectDomainCombiner.getContext(subject);
}
// An authenticated Subject was provided.
// Subject Delegation has been removed.
this.acc = JMXSubjectDomainCombiner.getContext(subject);
}
this.mbeanServer = rmiServer.getMBeanServer();

Expand Down Expand Up @@ -236,6 +227,7 @@ public void unreferenced() {
// MBeanServerConnection Wrapper
//-------------------------------------------------------------------------

/** @throws UnsupportedOperationException {@inheritDoc} */
public ObjectInstance createMBean(String className,
ObjectName name,
Subject delegationSubject)
Expand Down Expand Up @@ -278,6 +270,7 @@ public ObjectInstance createMBean(String className,
}
}

/** @throws UnsupportedOperationException {@inheritDoc} */
public ObjectInstance createMBean(String className,
ObjectName name,
ObjectName loaderName,
Expand Down Expand Up @@ -326,6 +319,7 @@ public ObjectInstance createMBean(String className,
}
}

/** @throws UnsupportedOperationException {@inheritDoc} */
@SuppressWarnings("rawtypes") // MarshalledObject
public ObjectInstance createMBean(String className,
ObjectName name,
Expand Down Expand Up @@ -386,6 +380,7 @@ public ObjectInstance createMBean(String className,
}
}

/** @throws UnsupportedOperationException {@inheritDoc} */
@SuppressWarnings("rawtypes") // MarshalledObject
public ObjectInstance createMBean(String className,
ObjectName name,
Expand Down Expand Up @@ -453,6 +448,7 @@ public ObjectInstance createMBean(String className,
}
}

/** @throws UnsupportedOperationException {@inheritDoc} */
public void unregisterMBean(ObjectName name, Subject delegationSubject)
throws
InstanceNotFoundException,
Expand Down Expand Up @@ -481,6 +477,7 @@ public void unregisterMBean(ObjectName name, Subject delegationSubject)
}
}

/** @throws UnsupportedOperationException {@inheritDoc} */
public ObjectInstance getObjectInstance(ObjectName name,
Subject delegationSubject)
throws
Expand Down Expand Up @@ -511,6 +508,7 @@ public ObjectInstance getObjectInstance(ObjectName name,
}
}

/** @throws UnsupportedOperationException {@inheritDoc} */
@SuppressWarnings("rawtypes") // MarshalledObject
public Set<ObjectInstance>
queryMBeans(ObjectName name,
Expand Down Expand Up @@ -546,6 +544,7 @@ public ObjectInstance getObjectInstance(ObjectName name,
}
}

/** @throws UnsupportedOperationException {@inheritDoc} */
@SuppressWarnings("rawtypes") // MarshalledObject
public Set<ObjectName>
queryNames(ObjectName name,
Expand Down Expand Up @@ -581,6 +580,7 @@ public ObjectInstance getObjectInstance(ObjectName name,
}
}

/** @throws UnsupportedOperationException {@inheritDoc} */
public boolean isRegistered(ObjectName name,
Subject delegationSubject) throws IOException {
try {
Expand All @@ -598,6 +598,7 @@ public boolean isRegistered(ObjectName name,
}
}

/** @throws UnsupportedOperationException {@inheritDoc} */
public Integer getMBeanCount(Subject delegationSubject)
throws IOException {
try {
Expand All @@ -619,6 +620,7 @@ public Integer getMBeanCount(Subject delegationSubject)
}
}

/** @throws UnsupportedOperationException {@inheritDoc} */
public Object getAttribute(ObjectName name,
String attribute,
Subject delegationSubject)
Expand Down Expand Up @@ -656,6 +658,7 @@ public Object getAttribute(ObjectName name,
}
}

/** @throws UnsupportedOperationException {@inheritDoc} */
public AttributeList getAttributes(ObjectName name,
String[] attributes,
Subject delegationSubject)
Expand Down Expand Up @@ -688,6 +691,7 @@ public AttributeList getAttributes(ObjectName name,
}
}

/** @throws UnsupportedOperationException {@inheritDoc} */
@SuppressWarnings("rawtypes") // MarshalledObject
public void setAttribute(ObjectName name,
MarshalledObject attribute,
Expand Down Expand Up @@ -741,6 +745,7 @@ public void setAttribute(ObjectName name,
}
}

/** @throws UnsupportedOperationException {@inheritDoc} */
@SuppressWarnings("rawtypes") // MarshalledObject
public AttributeList setAttributes(ObjectName name,
MarshalledObject attributes,
Expand Down Expand Up @@ -787,6 +792,7 @@ public AttributeList setAttributes(ObjectName name,
}
}

/** @throws UnsupportedOperationException {@inheritDoc} */
@SuppressWarnings("rawtypes") // MarshalledObject
public Object invoke(ObjectName name,
String operationName,
Expand Down Expand Up @@ -844,6 +850,7 @@ public Object invoke(ObjectName name,
}
}

/** @throws UnsupportedOperationException {@inheritDoc} */
public String getDefaultDomain(Subject delegationSubject)
throws IOException {
try {
Expand All @@ -865,6 +872,7 @@ public String getDefaultDomain(Subject delegationSubject)
}
}

/** @throws UnsupportedOperationException {@inheritDoc} */
public String[] getDomains(Subject delegationSubject) throws IOException {
try {
final Object params[] = new Object[] { };
Expand All @@ -885,6 +893,7 @@ public String[] getDomains(Subject delegationSubject) throws IOException {
}
}

/** @throws UnsupportedOperationException {@inheritDoc} */
public MBeanInfo getMBeanInfo(ObjectName name, Subject delegationSubject)
throws
InstanceNotFoundException,
Expand Down Expand Up @@ -920,6 +929,7 @@ public MBeanInfo getMBeanInfo(ObjectName name, Subject delegationSubject)
}
}

/** @throws UnsupportedOperationException {@inheritDoc} */
public boolean isInstanceOf(ObjectName name,
String className,
Subject delegationSubject)
Expand Down Expand Up @@ -950,6 +960,8 @@ public boolean isInstanceOf(ObjectName name,
}
}


/** @throws UnsupportedOperationException {@inheritDoc} */
@SuppressWarnings("rawtypes") // MarshalledObject
public Integer[] addNotificationListeners(ObjectName[] names,
MarshalledObject[] filters,
Expand All @@ -959,9 +971,10 @@ public Integer[] addNotificationListeners(ObjectName[] names,
if (names == null || filters == null) {
throw new IllegalArgumentException("Got null arguments.");
}

Subject[] sbjs = (delegationSubjects != null) ? delegationSubjects :
new Subject[names.length];
if (delegationSubjects != null) {
throw new UnsupportedOperationException("Subject Delegation has been removed.");
}
Subject[] sbjs = new Subject[names.length];
if (names.length != filters.length || filters.length != sbjs.length) {
final String msg =
"The value lengths of 3 parameters are not same.";
Expand Down Expand Up @@ -1037,6 +1050,7 @@ public Integer[] addNotificationListeners(ObjectName[] names,
}
}

/** @throws UnsupportedOperationException {@inheritDoc} */
@SuppressWarnings("rawtypes") // MarshalledObject
public void addNotificationListener(ObjectName name,
ObjectName listener,
Expand Down Expand Up @@ -1096,6 +1110,7 @@ public void addNotificationListener(ObjectName name,
}
}

/** @throws UnsupportedOperationException {@inheritDoc} */
public void removeNotificationListeners(ObjectName name,
Integer[] listenerIDs,
Subject delegationSubject)
Expand Down Expand Up @@ -1137,6 +1152,7 @@ public void removeNotificationListeners(ObjectName name,
}
}

/** @throws UnsupportedOperationException {@inheritDoc} */
public void removeNotificationListener(ObjectName name,
ObjectName listener,
Subject delegationSubject)
Expand Down Expand Up @@ -1173,6 +1189,7 @@ public void removeNotificationListener(ObjectName name,
}
}

/** @throws UnsupportedOperationException {@inheritDoc} */
@SuppressWarnings("rawtypes") // MarshalledObject
public void removeNotificationListener(ObjectName name,
ObjectName listener,
Expand Down Expand Up @@ -1375,32 +1392,22 @@ public Object run() throws InstanceNotFoundException {
}
}

/** @throws UnsupportedOperationException {@inheritDoc} */
@SuppressWarnings("removal")
private Object doPrivilegedOperation(final int operation,
final Object[] params,
final Subject delegationSubject)
throws PrivilegedActionException, IOException {

// Subject Delegation is removed: locally this is caught earlier, in getMBeanServerConnection,
// but remote connections call into RMIConnectionImpl over RMI, so deny them here:
if (delegationSubject != null) {
throw new UnsupportedOperationException("Subject Delegation has been removed.");
}
serverCommunicatorAdmin.reqIncoming();
try {

final AccessControlContext reqACC;
if (delegationSubject == null)
reqACC = acc;
else {
if (subject == null) {
final String msg =
"Subject delegation cannot be enabled unless " +
"an authenticated subject is put in place";
throw new SecurityException(msg);
}
reqACC = subjectDelegator.delegatedContext(
acc, delegationSubject, removeCallerContext);
}

PrivilegedOperation op =
new PrivilegedOperation(operation, params);
if (reqACC == null) {
PrivilegedOperation op = new PrivilegedOperation(operation, params);
if (acc == null) {
try {
return op.run();
} catch (Exception e) {
Expand All @@ -1409,7 +1416,7 @@ private Object doPrivilegedOperation(final int operation,
throw new PrivilegedActionException(e);
}
} else {
return AccessController.doPrivileged(op, reqACC);
return AccessController.doPrivileged(op, acc);
}
} catch (Error e) {
throw new JMXServerErrorException(e.toString(),e);
Expand Down Expand Up @@ -1563,29 +1570,22 @@ private <T> T unwrap(final MarshalledObject<?> mo,
final Class<T> wrappedClass,
Subject delegationSubject)
throws IOException {

// Subject Delegation is removed: locally this is caught earlier, in getMBeanServerConnection,
// but remote connections call into RMIConnectionImpl over RMI, so deny them here:
if (delegationSubject != null) {
throw new UnsupportedOperationException("Subject Delegation has been removed.");
}
if (mo == null) {
return null;
}
try {
final ClassLoader old = AccessController.doPrivileged(new SetCcl(cl));
try{
final AccessControlContext reqACC;
if (delegationSubject == null)
reqACC = acc;
else {
if (subject == null) {
final String msg =
"Subject delegation cannot be enabled unless " +
"an authenticated subject is put in place";
throw new SecurityException(msg);
}
reqACC = subjectDelegator.delegatedContext(
acc, delegationSubject, removeCallerContext);
}
if(reqACC != null){
if (acc != null) {
return AccessController.doPrivileged(
(PrivilegedExceptionAction<T>) () ->
wrappedClass.cast(mo.get()), reqACC);
wrappedClass.cast(mo.get()), acc);
}else{
return wrappedClass.cast(mo.get());
}
Expand Down Expand Up @@ -1704,10 +1704,6 @@ private static void checkNonNull(String what, Object x) {

private final Subject subject;

private final SubjectDelegator subjectDelegator;

private final boolean removeCallerContext;

@SuppressWarnings("removal")
private final AccessControlContext acc;
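Review bot: In `addNotificationListeners`, the new guard `if (delegationSubjects != null)` rejects every non-null array, including one whose elements are all null, while the guards added in `doPrivilegedOperation` and `unwrap` reject only a non-null `Subject`. The line it replaces used a supplied array as-is, so a peer that passes an array of null subjects is not asking for delegation, yet would now get `UnsupportedOperationException`; whether existing clients send such arrays is not visible on this page. Consider throwing only when an element is set, e.g. `for (Subject s : delegationSubjects) { if (s != null) { throw new UnsupportedOperationException("Subject Delegation has been removed."); } }`, which still fails closed on any real delegation request. Separately, the `/** @throws UnsupportedOperationException {@inheritDoc} */` added on the private `doPrivilegedOperation` has no supertype method to inherit text from, so a plain sentence such as `@throws UnsupportedOperationException if delegationSubject is non-null` would document it better. Most method bodies in this file are collapsed, so it cannot be confirmed from here that every remote method taking a delegation subject reaches one of the two guarded helpers.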


1 comment on commit 6382a12

@openjdk-notifier