[UNDERTOW-1558] security-manager and reflection permissions in Direct…

core/src/main/java/io/undertow/server/DirectByteBufferDeallocator.java

@@ -33,10 +33,8 @@ public final class DirectByteBufferDeallocator {
         Unsafe tmpUnsafe = null;
         if (version < 9) {
             try {
-                tmpCleaner = Class.forName("java.nio.DirectByteBuffer").getMethod("cleaner");
-                tmpCleaner.setAccessible(true);
-                tmpCleanerClean = Class.forName("sun.misc.Cleaner").getMethod("clean");
-                tmpCleanerClean.setAccessible(true);
+                tmpCleaner = getAccesibleMethod("java.nio.DirectByteBuffer", "cleaner");
+                tmpCleanerClean = getAccesibleMethod("sun.misc.Cleaner", "clean");
                 supported = true;
             } catch (Throwable t) {
                 UndertowLogger.ROOT_LOGGER.directBufferDeallocatorInitializationFailed(t);
@@ -106,4 +104,27 @@ private static Unsafe getUnsafe0() {
             throw new RuntimeException("JDK did not allow accessing unsafe", t);
         }
     }
+
+    private static Method getAccesibleMethod(String className, String methodName) {
+        if (System.getSecurityManager() != null) {
+            return AccessController.doPrivileged(new PrivilegedAction<Method>() {
+                @Override
+                public Method run() {
+                    return getAccesibleMethod0(className, methodName);
+                }
+            });
+        }
+        return getAccesibleMethod0(className, methodName);
+    }
+
+    private static Method getAccesibleMethod0(String className, String methodName) {
+        try {
+            Method method = Class.forName(className).getMethod(methodName);
+            method.setAccessible(true);
+            return method;
+        } catch (Throwable t) {
+            throw new RuntimeException("JDK did not allow accessing method", t);
+        }
+    }
+
 }

core/src/test/java/io/undertow/server/DirectByteBufferDeallocatorTestCase.java

@@ -0,0 +1,65 @@
+/*
+ * JBoss, Home of Professional Open Source.
+ * Copyright 2019 Red Hat, Inc., and individual contributors
+ * as indicated by the @author tags.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS,
+ *  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ */
+package io.undertow.server;
+
+import org.junit.Test;
+
+import java.security.Permission;
+import java.security.Policy;
+import java.security.ProtectionDomain;
+
+import org.junit.Assert;
+
+/**
+ * Test for UNDERTOW-1558, it cannot instantiate the class if a security manager is set on JDK1.8
+ *
+ * @author tmiyar
+ *
+ */
+public class DirectByteBufferDeallocatorTestCase {
+
+    @Test
+    public void directByteBufferDeallocatorInstantiationTest() {
+        Exception exception = null;
+        Policy.setPolicy(new Policy() {
+            @Override
+            public boolean implies(ProtectionDomain pd, Permission perm) {
+                return true;
+            }
+        });
+        System.setSecurityManager(new SecurityManager());
+        try {
+            DirectByteBufferDeallocator.free(null);
+        } catch (Exception e) {
+            exception = e;
+        }
+
+        Assert.assertNull("An exception was thrown with security manager enabled", exception);
+
+        System.setSecurityManager(null);
+
+        try {
+            DirectByteBufferDeallocator.free(null);
+        } catch (Exception e) {
+            exception = e;
+        }
+
+        Assert.assertNull("An exception was thrown without security manager enabled", exception);
+    }
+
+}