1 /* 2 * Copyright (c) 1996, 2016, Oracle and/or its affiliates. All rights reserved. 3 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. 4 * 5 * This code is free software; you can redistribute it and/or modify it 6 * under the terms of the GNU General Public License version 2 only, as 7 * published by the Free Software Foundation. Oracle designates this 8 * particular file as subject to the "Classpath" exception as provided 9 * by Oracle in the LICENSE file that accompanied this code. 10 * 11 * This code is distributed in the hope that it will be useful, but WITHOUT 12 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or 13 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License 14 * version 2 for more details (a copy is included in the LICENSE file that 15 * accompanied this code). 16 * 17 * You should have received a copy of the GNU General Public License version 18 * 2 along with this work; if not, write to the Free Software Foundation, 19 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. 20 * 21 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA 22 * or visit www.oracle.com if you need additional information or have any 23 * questions. 24 */ 25 26 package sun.rmi.server; 27 28 import java.io.IOException; 29 import java.io.InputStream; 30 import java.io.ObjectInputStream; 31 import java.io.ObjectStreamClass; 32 import java.io.StreamCorruptedException; 33 import java.util.*; 34 import java.security.AccessControlException; 35 import java.security.Permission; 36 import java.rmi.server.RMIClassLoader; 37 import sun.misc.ObjectStreamClassValidator; 38 import sun.misc.SharedSecrets; 39 40 /** 41 * MarshalInputStream is an extension of ObjectInputStream. When resolving 42 * a class, it reads an object from the stream written by a corresponding 43 * MarshalOutputStream. If the class to be resolved is not available 44 * locally, from the first class loader on the execution stack, or from the 45 * context class loader of the current thread, it will attempt to load the 46 * class from the location annotated by the sending MarshalOutputStream. 47 * This location object must be a string representing a path of URLs. 48 * 49 * A new MarshalInputStream should be created to deserialize remote objects or 50 * graphs containing remote objects. Objects are created from the stream 51 * using the ObjectInputStream.readObject method. 52 * 53 * @author Peter Jones 54 */ 55 public class MarshalInputStream extends ObjectInputStream { 56 interface StreamChecker extends ObjectStreamClassValidator { 57 void checkProxyInterfaceNames(String[] ifaces); 58 } 59 60 private volatile StreamChecker streamChecker = null; 61 62 /** 63 * Value of "java.rmi.server.useCodebaseOnly" property, 64 * as cached at class initialization time. 65 * 66 * The default value is true. That is, the value is true 67 * if the property is absent or is not equal to "false". 68 * The value is only false when the property is present 69 * and is equal to "false". 70 */ 71 private static final boolean useCodebaseOnlyProperty = 72 ! java.security.AccessController.doPrivileged( 73 new sun.security.action.GetPropertyAction( 74 "java.rmi.server.useCodebaseOnly", "true")) 75 .equalsIgnoreCase("false"); 76 77 /** table to hold sun classes to which access is explicitly permitted */ 78 protected static Map<String, Class<?>> permittedSunClasses 79 = new HashMap<>(3); 80 81 /** if true, don't try superclass first in resolveClass() */ 82 private boolean skipDefaultResolveClass = false; 83 84 /** callbacks to make when done() called: maps Object to Runnable */ 85 private final Map<Object, Runnable> doneCallbacks 86 = new HashMap<>(3); 87 88 /** 89 * if true, load classes (if not available locally) only from the 90 * URL specified by the "java.rmi.server.codebase" property. 91 */ 92 private boolean useCodebaseOnly = useCodebaseOnlyProperty; 93 94 /* 95 * Fix for 4179055: The remote object services inside the 96 * activation daemon use stubs that are in the package 97 * sun.rmi.server. Classes for these stubs should be loaded from 98 * the classpath by RMI system code and not by the normal 99 * unmarshalling process as applications should not need to have 100 * permission to access the sun implementation classes. 101 * 102 * Note: this fix should be redone when API changes may be 103 * integrated 104 * 105 * During parameter unmarshalling RMI needs to explicitly permit 106 * access to three sun.* stub classes 107 */ 108 static { 109 try { 110 String system = 111 "sun.rmi.server.Activation$ActivationSystemImpl_Stub"; 112 String registry = "sun.rmi.registry.RegistryImpl_Stub"; 113 114 permittedSunClasses.put(system, Class.forName(system)); 115 permittedSunClasses.put(registry, Class.forName(registry)); 116 117 } catch (ClassNotFoundException e) { 118 throw new NoClassDefFoundError("Missing system class: " + 119 e.getMessage()); 120 } 121 } 122 123 /** 124 * Create a new MarshalInputStream object. 125 */ 126 public MarshalInputStream(InputStream in) 127 throws IOException, StreamCorruptedException 128 { 129 super(in); 130 } 131 132 /** 133 * Returns a callback previously registered via the setDoneCallback 134 * method with given key, or null if no callback has yet been registered 135 * with that key. 136 */ 137 public Runnable getDoneCallback(Object key) { 138 return doneCallbacks.get(key); // not thread-safe 139 } 140 141 /** 142 * Registers a callback to make when this stream's done() method is 143 * invoked, along with a key for retrieving the same callback instance 144 * subsequently from the getDoneCallback method. 145 */ 146 public void setDoneCallback(Object key, Runnable callback) { 147 //assert(!doneCallbacks.contains(key)); 148 doneCallbacks.put(key, callback); // not thread-safe 149 } 150 151 /** 152 * Indicates that the user of this MarshalInputStream is done reading 153 * objects from it, so all callbacks registered with the setDoneCallback 154 * method should now be (synchronously) executed. When this method 155 * returns, there are no more callbacks registered. 156 * 157 * This method is implicitly invoked by close() before it delegates to 158 * the superclass's close method. 159 */ 160 public void done() { 161 Iterator<Runnable> iter = doneCallbacks.values().iterator(); 162 while (iter.hasNext()) { // not thread-safe 163 Runnable callback = iter.next(); 164 callback.run(); 165 } 166 doneCallbacks.clear(); 167 } 168 169 /** 170 * Closes this stream, implicitly invoking done() first. 171 */ 172 public void close() throws IOException { 173 done(); 174 super.close(); 175 } 176 177 /** 178 * resolveClass is extended to acquire (if present) the location 179 * from which to load the specified class. 180 * It will find, load, and return the class. 181 */ 182 protected Class<?> resolveClass(ObjectStreamClass classDesc) 183 throws IOException, ClassNotFoundException 184 { 185 /* 186 * Always read annotation written by MarshalOutputStream 187 * describing where to load class from. 188 */ 189 Object annotation = readLocation(); 190 191 String className = classDesc.getName(); 192 193 /* 194 * Unless we were told to skip this consideration, choose the 195 * "default loader" to simulate the default ObjectInputStream 196 * resolveClass mechanism (that is, choose the first non-null 197 * loader on the execution stack) to maximize the likelihood of 198 * type compatibility with calling code. (This consideration 199 * is skipped during server parameter unmarshalling using the 1.2 200 * stub protocol, because there would never be a non-null class 201 * loader on the stack in that situation anyway.) 202 */ 203 ClassLoader defaultLoader = 204 skipDefaultResolveClass ? null : latestUserDefinedLoader(); 205 206 /* 207 * If the "java.rmi.server.useCodebaseOnly" property was true or 208 * useCodebaseOnly() was called or the annotation is not a String, 209 * load from the local loader using the "java.rmi.server.codebase" 210 * URL. Otherwise, load from a loader using the codebase URL in 211 * the annotation. 212 */ 213 String codebase = null; 214 if (!useCodebaseOnly && annotation instanceof String) { 215 codebase = (String) annotation; 216 } 217 218 try { 219 return RMIClassLoader.loadClass(codebase, className, 220 defaultLoader); 221 } catch (AccessControlException e) { 222 return checkSunClass(className, e); 223 } catch (ClassNotFoundException e) { 224 /* 225 * Fix for 4442373: delegate to ObjectInputStream.resolveClass() 226 * to resolve primitive classes. 227 */ 228 try { 229 if (Character.isLowerCase(className.charAt(0)) && 230 className.indexOf('.') == -1) 231 { 232 return super.resolveClass(classDesc); 233 } 234 } catch (ClassNotFoundException e2) { 235 } 236 throw e; 237 } 238 } 239 240 /** 241 * resolveProxyClass is extended to acquire (if present) the location 242 * to determine the class loader to define the proxy class in. 243 */ 244 protected Class<?> resolveProxyClass(String[] interfaces) 245 throws IOException, ClassNotFoundException 246 { 247 StreamChecker checker = streamChecker; 248 if (checker != null) { 249 checker.checkProxyInterfaceNames(interfaces); 250 } 251 252 /* 253 * Always read annotation written by MarshalOutputStream. 254 */ 255 Object annotation = readLocation(); 256 257 ClassLoader defaultLoader = 258 skipDefaultResolveClass ? null : latestUserDefinedLoader(); 259 260 String codebase = null; 261 if (!useCodebaseOnly && annotation instanceof String) { 262 codebase = (String) annotation; 263 } 264 265 return RMIClassLoader.loadProxyClass(codebase, interfaces, 266 defaultLoader); 267 } 268 269 /* 270 * Returns the first non-null class loader up the execution stack, or null 271 * if only code from the null class loader is on the stack. 272 */ 273 private static ClassLoader latestUserDefinedLoader() { 274 return sun.misc.VM.latestUserDefinedLoader(); 275 } 276 277 /** 278 * Fix for 4179055: Need to assist resolving sun stubs; resolve 279 * class locally if it is a "permitted" sun class 280 */ 281 private Class<?> checkSunClass(String className, AccessControlException e) 282 throws AccessControlException 283 { 284 // ensure that we are giving out a stub for the correct reason 285 Permission perm = e.getPermission(); 286 String name = null; 287 if (perm != null) { 288 name = perm.getName(); 289 } 290 291 Class<?> resolvedClass = permittedSunClasses.get(className); 292 293 // if class not permitted, throw the SecurityException 294 if ((name == null) || 295 (resolvedClass == null) || 296 ((!name.equals("accessClassInPackage.sun.rmi.server")) && 297 (!name.equals("accessClassInPackage.sun.rmi.registry")))) 298 { 299 throw e; 300 } 301 302 return resolvedClass; 303 } 304 305 /** 306 * Return the location for the class in the stream. This method can 307 * be overridden by subclasses that store this annotation somewhere 308 * else than as the next object in the stream, as is done by this class. 309 */ 310 protected Object readLocation() 311 throws IOException, ClassNotFoundException 312 { 313 return readObject(); 314 } 315 316 /** 317 * Set a flag to indicate that the superclass's default resolveClass() 318 * implementation should not be invoked by our resolveClass(). 319 */ 320 void skipDefaultResolveClass() { 321 skipDefaultResolveClass = true; 322 } 323 324 /** 325 * Disable code downloading except from the URL specified by the 326 * "java.rmi.server.codebase" property. 327 */ 328 void useCodebaseOnly() { 329 useCodebaseOnly = true; 330 } 331 332 synchronized void setStreamChecker(StreamChecker checker) { 333 streamChecker = checker; 334 SharedSecrets.getJavaOISAccess().setValidator(this, checker); 335 } 336 @Override 337 protected ObjectStreamClass readClassDescriptor() throws IOException, 338 ClassNotFoundException { 339 ObjectStreamClass descriptor = super.readClassDescriptor(); 340 341 validateDesc(descriptor); 342 343 return descriptor; 344 } 345 346 private void validateDesc(ObjectStreamClass descriptor) { 347 StreamChecker checker; 348 synchronized (this) { 349 checker = streamChecker; 350 } 351 if (checker != null) { 352 checker.validateDescriptor(descriptor); 353 } 354 } 355 }