Use Tree Navigation
public abstract class

MBeanServerAccessController

extends Object
implements MBeanServerForwarder
/*
 * Copyright (c) 2003, 2006, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
 * under the terms of the GNU General Public License version 2 only, as
 * published by the Free Software Foundation.  Oracle designates this
 * particular file as subject to the "Classpath" exception as provided
 * by Oracle in the LICENSE file that accompanied this code.
 *
 * This code is distributed in the hope that it will be useful, but WITHOUT
 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
 * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
 * version 2 for more details (a copy is included in the LICENSE file that
 * accompanied this code).
 *
 * You should have received a copy of the GNU General Public License version
 * 2 along with this work; if not, write to the Free Software Foundation,
 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
 *
 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
 * or visit www.oracle.com if you need additional information or have any
 * questions.
 */


package com.sun.jmx.remote.security;

import com.sun.jmx.mbeanserver.GetPropertyAction;
import java.io.ObjectInputStream;
import java.security.AccessController;
import java.util.Set;
import javax.management.Attribute;
import javax.management.AttributeList;
import javax.management.AttributeNotFoundException;
import javax.management.InstanceNotFoundException;
import javax.management.InstanceAlreadyExistsException;
import javax.management.IntrospectionException;
import javax.management.InvalidAttributeValueException;
import javax.management.ListenerNotFoundException;
import javax.management.MBeanException;
import javax.management.MBeanInfo;
import javax.management.MBeanRegistrationException;
import javax.management.MBeanServer;
import javax.management.NotCompliantMBeanException;
import javax.management.NotificationFilter;
import javax.management.NotificationListener;
import javax.management.ObjectInstance;
import javax.management.ObjectName;
import javax.management.OperationsException;
import javax.management.QueryExp;
import javax.management.ReflectionException;
import javax.management.loading.ClassLoaderRepository;
import javax.management.remote.MBeanServerForwarder;

/**
 * <p>An object of this class implements the MBeanServer interface
 * and, for each of its methods, calls an appropriate checking method
 * and then forwards the request to a wrapped MBeanServer object.  The
 * checking method may throw a RuntimeException if the operation is
 * not allowed; in this case the request is not forwarded to the
 * wrapped object.</p>
 *
 * <p>A typical use of this class is to insert it between a connector server
 * such as the RMI connector and the MBeanServer with which the connector
 * is associated.  Requests from the connector client can then be filtered
 * and those operations that are not allowed, or not allowed in a particular
 * context, can be rejected by throwing a <code>SecurityException</code>
 * in the corresponding <code>check*</code> method.</p>
 *
 * <p>This is an abstract class, because in its implementation none of
 * the checking methods does anything.  To be useful, it must be
 * subclassed and at least one of the checking methods overridden to
 * do some checking.  Some or all of the MBeanServer methods may also
 * be overridden, for instance if the default checking behavior is
 * inappropriate.</p>
 *
 * <p>If there is no SecurityManager, then the access controller will refuse
 * to create an MBean that is a ClassLoader, which includes MLets, or to
 * execute the method addURL on an MBean that is an MLet. This prevents
 * people from opening security holes unintentionally. Otherwise, it
 * would not be obvious that granting write access grants the ability to
 * download and execute arbitrary code in the target MBean server. Advanced
 * users who do want the ability to use MLets are presumably advanced enough
 * to handle policy files and security managers.</p>
 */

public abstract class MBeanServerAccessController
       
implements MBeanServerForwarder {

   
public MBeanServer getMBeanServer() {
       
return mbs;
   
}

   
public void setMBeanServer(MBeanServer mbs) {
       
if (mbs == null)
           
throw new IllegalArgumentException("Null MBeanServer");
       
if (this.mbs != null)
           
throw new IllegalArgumentException("MBeanServer object already " +
                                               
"initialized");
       
this.mbs = mbs;
   
}

   
/**
     * Check if the caller can do read operations. This method does
     * nothing if so, otherwise throws SecurityException.
     */

   
protected abstract void checkRead();

   
/**
     * Check if the caller can do write operations.  This method does
     * nothing if so, otherwise throws SecurityException.
     */

   
protected abstract void checkWrite();

   
/**
     * Check if the caller can create the named class.  The default
     * implementation of this method calls {@link #checkWrite()}.
     */

   
protected void checkCreate(String className) {
        checkWrite
();
   
}

   
/**
     * Check if the caller can unregister the named MBean.  The default
     * implementation of this method calls {@link #checkWrite()}.
     */

   
protected void checkUnregister(ObjectName name) {
        checkWrite
();
   
}

   
//--------------------------------------------
   
//--------------------------------------------
   
//
   
// Implementation of the MBeanServer interface
   
//
   
//--------------------------------------------
   
//--------------------------------------------

   
/**
     * Call <code>checkRead()</code>, then forward this method to the
     * wrapped object.
     */

   
public void addNotificationListener(ObjectName name,
                                       
NotificationListener listener,
                                       
NotificationFilter filter,
                                       
Object handback)
       
throws InstanceNotFoundException {
        checkRead
();
        getMBeanServer
().addNotificationListener(name, listener,
                                                 filter
, handback);
   
}

   
/**
     * Call <code>checkRead()</code>, then forward this method to the
     * wrapped object.
     */

   
public void addNotificationListener(ObjectName name,
                                       
ObjectName listener,
                                       
NotificationFilter filter,
                                       
Object handback)
       
throws InstanceNotFoundException {
        checkRead
();
        getMBeanServer
().addNotificationListener(name, listener,
                                                 filter
, handback);
   
}

   
/**
     * Call <code>checkCreate(className)</code>, then forward this method to the
     * wrapped object.
     */

   
public ObjectInstance createMBean(String className, ObjectName name)
       
throws
       
ReflectionException,
       
InstanceAlreadyExistsException,
       
MBeanRegistrationException,
       
MBeanException,
       
NotCompliantMBeanException {
        checkCreate
(className);
       
SecurityManager sm = System.getSecurityManager();
       
if (sm == null) {
           
Object object = getMBeanServer().instantiate(className);
            checkClassLoader
(object);
           
return getMBeanServer().registerMBean(object, name);
       
} else {
           
return getMBeanServer().createMBean(className, name);
       
}
   
}

   
/**
     * Call <code>checkCreate(className)</code>, then forward this method to the
     * wrapped object.
     */

   
public ObjectInstance createMBean(String className, ObjectName name,
                                     
Object params[], String signature[])
       
throws
       
ReflectionException,
       
InstanceAlreadyExistsException,
       
MBeanRegistrationException,
       
MBeanException,
       
NotCompliantMBeanException {
        checkCreate
(className);
       
SecurityManager sm = System.getSecurityManager();
       
if (sm == null) {
           
Object object = getMBeanServer().instantiate(className,
                                                         
params,
                                                         signature
);
            checkClassLoader
(object);
           
return getMBeanServer().registerMBean(object, name);
       
} else {
           
return getMBeanServer().createMBean(className, name,
                                               
params, signature);
       
}
   
}

   
/**
     * Call <code>checkCreate(className)</code>, then forward this method to the
     * wrapped object.
     */

   
public ObjectInstance createMBean(String className,
                                     
ObjectName name,
                                     
ObjectName loaderName)
       
throws
       
ReflectionException,
       
InstanceAlreadyExistsException,
       
MBeanRegistrationException,
       
MBeanException,
       
NotCompliantMBeanException,
       
InstanceNotFoundException {
        checkCreate
(className);
       
SecurityManager sm = System.getSecurityManager();
       
if (sm == null) {
           
Object object = getMBeanServer().instantiate(className,
                                                         loaderName
);
            checkClassLoader
(object);
           
return getMBeanServer().registerMBean(object, name);
       
} else {
           
return getMBeanServer().createMBean(className, name, loaderName);
       
}
   
}

   
/**
     * Call <code>checkCreate(className)</code>, then forward this method to the
     * wrapped object.
     */

   
public ObjectInstance createMBean(String className,
                                     
ObjectName name,
                                     
ObjectName loaderName,
                                     
Object params[],
                                     
String signature[])
       
throws
       
ReflectionException,
       
InstanceAlreadyExistsException,
       
MBeanRegistrationException,
       
MBeanException,
       
NotCompliantMBeanException,
       
InstanceNotFoundException {
        checkCreate
(className);
       
SecurityManager sm = System.getSecurityManager();
       
if (sm == null) {
           
Object object = getMBeanServer().instantiate(className,
                                                         loaderName
,
                                                         
params,
                                                         signature
);
            checkClassLoader
(object);
           
return getMBeanServer().registerMBean(object, name);
       
} else {
           
return getMBeanServer().createMBean(className, name, loaderName,
                                               
params, signature);
       
}
   
}

   
/**
     * Call <code>checkRead()</code>, then forward this method to the
     * wrapped object.
     */

   
@Deprecated
   
public ObjectInputStream deserialize(ObjectName name, byte[] data)
       
throws InstanceNotFoundException, OperationsException {
        checkRead
();
       
return getMBeanServer().deserialize(name, data);
   
}

   
/**
     * Call <code>checkRead()</code>, then forward this method to the
     * wrapped object.
     */

   
@Deprecated
   
public ObjectInputStream deserialize(String className, byte[] data)
       
throws OperationsException, ReflectionException {
        checkRead
();
       
return getMBeanServer().deserialize(className, data);
   
}

   
/**
     * Call <code>checkRead()</code>, then forward this method to the
     * wrapped object.
     */

   
@Deprecated
   
public ObjectInputStream deserialize(String className,
                                         
ObjectName loaderName,
                                         
byte[] data)
       
throws
       
InstanceNotFoundException,
       
OperationsException,
       
ReflectionException {
        checkRead
();
       
return getMBeanServer().deserialize(className, loaderName, data);
   
}

   
/**
     * Call <code>checkRead()</code>, then forward this method to the
     * wrapped object.
     */

   
public Object getAttribute(ObjectName name, String attribute)
       
throws
       
MBeanException,
       
AttributeNotFoundException,
       
InstanceNotFoundException,
       
ReflectionException {
        checkRead
();
       
return getMBeanServer().getAttribute(name, attribute);
   
}

   
/**
     * Call <code>checkRead()</code>, then forward this method to the
     * wrapped object.
     */

   
public AttributeList getAttributes(ObjectName name, String[] attributes)
       
throws InstanceNotFoundException, ReflectionException {
        checkRead
();
       
return getMBeanServer().getAttributes(name, attributes);
   
}

   
/**
     * Call <code>checkRead()</code>, then forward this method to the
     * wrapped object.
     */

   
public ClassLoader getClassLoader(ObjectName loaderName)
       
throws InstanceNotFoundException {
        checkRead
();
       
return getMBeanServer().getClassLoader(loaderName);
   
}

   
/**
     * Call <code>checkRead()</code>, then forward this method to the
     * wrapped object.
     */

   
public ClassLoader getClassLoaderFor(ObjectName mbeanName)
       
throws InstanceNotFoundException {
        checkRead
();
       
return getMBeanServer().getClassLoaderFor(mbeanName);
   
}

   
/**
     * Call <code>checkRead()</code>, then forward this method to the
     * wrapped object.
     */

   
public ClassLoaderRepository getClassLoaderRepository() {
        checkRead
();
       
return getMBeanServer().getClassLoaderRepository();
   
}

   
/**
     * Call <code>checkRead()</code>, then forward this method to the
     * wrapped object.
     */

   
public String getDefaultDomain() {
        checkRead
();
       
return getMBeanServer().getDefaultDomain();
   
}

   
/**
     * Call <code>checkRead()</code>, then forward this method to the
     * wrapped object.
     */

   
public String[] getDomains() {
        checkRead
();
       
return getMBeanServer().getDomains();
   
}

   
/**
     * Call <code>checkRead()</code>, then forward this method to the
     * wrapped object.
     */

   
public Integer getMBeanCount() {
        checkRead
();
       
return getMBeanServer().getMBeanCount();
   
}

   
/**
     * Call <code>checkRead()</code>, then forward this method to the
     * wrapped object.
     */

   
public MBeanInfo getMBeanInfo(ObjectName name)
       
throws
       
InstanceNotFoundException,
       
IntrospectionException,
       
ReflectionException {
        checkRead
();
       
return getMBeanServer().getMBeanInfo(name);
   
}

   
/**
     * Call <code>checkRead()</code>, then forward this method to the
     * wrapped object.
     */

   
public ObjectInstance getObjectInstance(ObjectName name)
       
throws InstanceNotFoundException {
        checkRead
();
       
return getMBeanServer().getObjectInstance(name);
   
}

   
/**
     * Call <code>checkCreate(className)</code>, then forward this method to the
     * wrapped object.
     */

   
public Object instantiate(String className)
       
throws ReflectionException, MBeanException {
        checkCreate
(className);
       
return getMBeanServer().instantiate(className);
   
}

   
/**
     * Call <code>checkCreate(className)</code>, then forward this method to the
     * wrapped object.
     */

   
public Object instantiate(String className,
                             
Object params[],
                             
String signature[])
       
throws ReflectionException, MBeanException {
        checkCreate
(className);
       
return getMBeanServer().instantiate(className, params, signature);
   
}

   
/**
     * Call <code>checkCreate(className)</code>, then forward this method to the
     * wrapped object.
     */

   
public Object instantiate(String className, ObjectName loaderName)
       
throws ReflectionException, MBeanException, InstanceNotFoundException {
        checkCreate
(className);
       
return getMBeanServer().instantiate(className, loaderName);
   
}

   
/**
     * Call <code>checkCreate(className)</code>, then forward this method to the
     * wrapped object.
     */

   
public Object instantiate(String className, ObjectName loaderName,
                             
Object params[], String signature[])
       
throws ReflectionException, MBeanException, InstanceNotFoundException {
        checkCreate
(className);
       
return getMBeanServer().instantiate(className, loaderName,
                                           
params, signature);
   
}

   
/**
     * Call <code>checkWrite()</code>, then forward this method to the
     * wrapped object.
     */

   
public Object invoke(ObjectName name, String operationName,
                         
Object params[], String signature[])
       
throws
       
InstanceNotFoundException,
       
MBeanException,
       
ReflectionException {
        checkWrite
();
        checkMLetMethods
(name, operationName);
       
return getMBeanServer().invoke(name, operationName, params, signature);
   
}

   
/**
     * Call <code>checkRead()</code>, then forward this method to the
     * wrapped object.
     */

   
public boolean isInstanceOf(ObjectName name, String className)
       
throws InstanceNotFoundException {
        checkRead
();
       
return getMBeanServer().isInstanceOf(name, className);
   
}

   
/**
     * Call <code>checkRead()</code>, then forward this method to the
     * wrapped object.
     */

   
public boolean isRegistered(ObjectName name) {
        checkRead
();
       
return getMBeanServer().isRegistered(name);
   
}

   
/**
     * Call <code>checkRead()</code>, then forward this method to the
     * wrapped object.
     */

   
public Set<ObjectInstance> queryMBeans(ObjectName name, QueryExp query) {
        checkRead
();
       
return getMBeanServer().queryMBeans(name, query);
   
}

   
/**
     * Call <code>checkRead()</code>, then forward this method to the
     * wrapped object.
     */

   
public Set<ObjectName> queryNames(ObjectName name, QueryExp query) {
        checkRead
();
       
return getMBeanServer().queryNames(name, query);
   
}

   
/**
     * Call <code>checkWrite()</code>, then forward this method to the
     * wrapped object.
     */

   
public ObjectInstance registerMBean(Object object, ObjectName name)
       
throws
       
InstanceAlreadyExistsException,
       
MBeanRegistrationException,
       
NotCompliantMBeanException {
        checkWrite
();
       
return getMBeanServer().registerMBean(object, name);
   
}

   
/**
     * Call <code>checkRead()</code>, then forward this method to the
     * wrapped object.
     */

   
public void removeNotificationListener(ObjectName name,
                                           
NotificationListener listener)
       
throws InstanceNotFoundException, ListenerNotFoundException {
        checkRead
();
        getMBeanServer
().removeNotificationListener(name, listener);
   
}

   
/**
     * Call <code>checkRead()</code>, then forward this method to the
     * wrapped object.
     */

   
public void removeNotificationListener(ObjectName name,
                                           
NotificationListener listener,
                                           
NotificationFilter filter,
                                           
Object handback)
       
throws InstanceNotFoundException, ListenerNotFoundException {
        checkRead
();
        getMBeanServer
().removeNotificationListener(name, listener,
                                                    filter
, handback);
   
}

   
/**
     * Call <code>checkRead()</code>, then forward this method to the
     * wrapped object.
     */

   
public void removeNotificationListener(ObjectName name,
                                           
ObjectName listener)
       
throws InstanceNotFoundException, ListenerNotFoundException {
        checkRead
();
        getMBeanServer
().removeNotificationListener(name, listener);
   
}

   
/**
     * Call <code>checkRead()</code>, then forward this method to the
     * wrapped object.
     */

   
public void removeNotificationListener(ObjectName name,
                                           
ObjectName listener,
                                           
NotificationFilter filter,
                                           
Object handback)
       
throws InstanceNotFoundException, ListenerNotFoundException {
        checkRead
();
        getMBeanServer
().removeNotificationListener(name, listener,
                                                    filter
, handback);
   
}

   
/**
     * Call <code>checkWrite()</code>, then forward this method to the
     * wrapped object.
     */

   
public void setAttribute(ObjectName name, Attribute attribute)
       
throws
       
InstanceNotFoundException,
       
AttributeNotFoundException,
       
InvalidAttributeValueException,
       
MBeanException,
       
ReflectionException {
        checkWrite
();
        getMBeanServer
().setAttribute(name, attribute);
   
}

   
/**
     * Call <code>checkWrite()</code>, then forward this method to the
     * wrapped object.
     */

   
public AttributeList setAttributes(ObjectName name,
                                       
AttributeList attributes)
       
throws InstanceNotFoundException, ReflectionException {
        checkWrite
();
       
return getMBeanServer().setAttributes(name, attributes);
   
}

   
/**
     * Call <code>checkUnregister()</code>, then forward this method to the
     * wrapped object.
     */

   
public void unregisterMBean(ObjectName name)
       
throws InstanceNotFoundException, MBeanRegistrationException {
        checkUnregister
(name);
        getMBeanServer
().unregisterMBean(name);
   
}

   
//----------------
   
// PRIVATE METHODS
   
//----------------

   
private void checkClassLoader(Object object) {
       
if (object instanceof ClassLoader)
           
throw new SecurityException("Access denied! Creating an " +
                                       
"MBean that is a ClassLoader " +
                                       
"is forbidden unless a security " +
                                       
"manager is installed.");
   
}

   
private void checkMLetMethods(ObjectName name, String operation)
   
throws InstanceNotFoundException {
       
// Check if security manager installed
       
SecurityManager sm = System.getSecurityManager();
       
if (sm != null) {
           
return;
       
}
       
// Check for addURL and getMBeansFromURL methods
       
if (!operation.equals("addURL") &&
               
!operation.equals("getMBeansFromURL")) {
           
return;
       
}
       
// Check if MBean is instance of MLet
       
if (!getMBeanServer().isInstanceOf(name,
               
"javax.management.loading.MLet")) {
           
return;
       
}
       
// Throw security exception
       
if (operation.equals("addURL")) { // addURL
           
throw new SecurityException("Access denied! MLet method addURL " +
                   
"cannot be invoked unless a security manager is installed.");
       
} else { // getMBeansFromURL
           
// Whether or not calling getMBeansFromURL is allowed is controlled
           
// by the value of the "jmx.remote.x.mlet.allow.getMBeansFromURL"
           
// system property. If the value of this property is true, calling
           
// the MLet's getMBeansFromURL method is allowed. The default value
           
// for this property is false.
           
final String propName = "jmx.remote.x.mlet.allow.getMBeansFromURL";
           
GetPropertyAction propAction = new GetPropertyAction(propName);
           
String propValue = AccessController.doPrivileged(propAction);
           
boolean allowGetMBeansFromURL = "true".equalsIgnoreCase(propValue);
           
if (!allowGetMBeansFromURL) {
               
throw new SecurityException("Access denied! MLet method " +
                       
"getMBeansFromURL cannot be invoked unless a " +
                       
"security manager is installed or the system property " +
                       
"-Djmx.remote.x.mlet.allow.getMBeansFromURL=true " +
                       
"is specified.");
           
}
       
}
   
}

   
//------------------
   
// PRIVATE VARIABLES
   
//------------------

   
private MBeanServer mbs;
}