--- old/src/share/classes/sun/rmi/registry/RegistryImpl.java Mon Nov 21 17:10:34 2011 +++ new/src/share/classes/sun/rmi/registry/RegistryImpl.java Mon Nov 21 17:10:33 2011 @@ -1,5 +1,5 @@ /* - * Copyright (c) 1996, 2008, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 1996, 2011, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -29,6 +29,7 @@ import java.util.Hashtable; import java.util.MissingResourceException; import java.util.ResourceBundle; +import java.io.FilePermission; import java.io.IOException; import java.net.*; import java.rmi.*; @@ -54,7 +55,6 @@ import sun.rmi.transport.LiveRef; import sun.rmi.transport.ObjectTable; import sun.rmi.transport.Target; -import sun.security.action.GetPropertyAction; /** * A "registry" exists on every node that allows RMI connections to @@ -335,19 +335,6 @@ URL[] urls = sun.misc.URLClassPath.pathToURLs(envcp); ClassLoader cl = new URLClassLoader(urls); - String codebaseProperty = null; - String prop = java.security.AccessController.doPrivileged( - new GetPropertyAction("java.rmi.server.codebase")); - if (prop != null && prop.trim().length() > 0) { - codebaseProperty = prop; - } - URL[] codebaseURLs = null; - if (codebaseProperty != null) { - codebaseURLs = sun.misc.URLClassPath.pathToURLs(codebaseProperty); - } else { - codebaseURLs = new URL[0]; - } - /* * Fix bugid 4242317: Classes defined by this class loader should * be annotated with the value of the "java.rmi.server.codebase" @@ -365,7 +352,7 @@ public RegistryImpl run() throws RemoteException { return new RegistryImpl(regPort); } - }, getAccessControlContext(codebaseURLs)); + }, getAccessControlContext()); } catch (PrivilegedActionException ex) { throw (RemoteException) ex.getException(); } 
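Review bot: Nothing at the `doPrivileged(...)` call site in the `@@ -365,7 +352,7 @@` hunk records that the registry's context is now deliberately independent of `java.rmi.server.codebase`. The comment kept as context in the `-335` hunk (`Fix bugid 4242317 ...`) still refers to that property, so a later maintainer could reasonably conclude the per-URL grant was dropped by accident and restore it. I would add a short comment above the call, for example `// The registry's permissions are fixed here; java.rmi.server.codebase must not widen them.` The enclosing method starts and ends outside these hunks.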
@@ -391,11 +378,11 @@ } /** - * Generates an AccessControlContext from several URLs. + * Generates an AccessControlContext with minimal permissions. * The approach used here is taken from the similar method * getAccessControlContext() in the sun.applet.AppletPanel class. */ - private static AccessControlContext getAccessControlContext(URL[] urls) { + private static AccessControlContext getAccessControlContext() { // begin with permissions granted to all code in current policy PermissionCollection perms = AccessController.doPrivileged( new java.security.PrivilegedAction() { @@ -420,8 +407,7 @@ perms.add(new RuntimePermission("accessClassInPackage.sun.*")); - // add permissions required to load from codebase URL path - LoaderHandler.addPermissionsForURLs(urls, perms, false); + perms.add(new FilePermission("<>", "read")); /* * Create an AccessControlContext that consists of a single @@ -428,9 +414,8 @@ * protection domain with only the permissions calculated above. */ ProtectionDomain pd = new ProtectionDomain( - new CodeSource((urls.length > 0 ? urls[0] : null), - (java.security.cert.Certificate[]) null), - perms); + new CodeSource(null, + (java.security.cert.Certificate[]) null), perms); return new AccessControlContext(new ProtectionDomain[] { pd }); } } --- old/src/share/classes/sun/rmi/server/LoaderHandler.java Mon Nov 21 17:10:43 2011 +++ new/src/share/classes/sun/rmi/server/LoaderHandler.java Mon Nov 21 17:10:41 2011 @@ -1,5 +1,5 @@ /* - * Copyright (c) 1996, 2008, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 1996, 2011, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it 
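Review bot: The new Javadoc line `Generates an AccessControlContext with minimal permissions.` in the `@@ -391,11 +378,11 @@` hunk overstates what the body does. The first statement visible as context starts from `permissions granted to all code in current policy`, and the following hunks add package access and file read on top of that. I would describe it as a fixed set instead, e.g. `Generates an AccessControlContext with a fixed permission set: the policy's grants to all code plus the permissions added below.` The method body continues outside this hunk, so the wording should be checked against the full file.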
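Review bot: The added `perms.add(new FilePermission("<>", "read"));` in the `@@ -420,8 +407,7 @@` hunk has no comment, while the line it replaces had one saying why the grant existed. The target shown on this page is `"<>"`, which looks like angle-bracket text lost in rendering (presumably `<<ALL FILES>>`); if so, the context can read every file the registry process can, which is broader than the per-URL grants it replaces. A why-comment should say what needs the access, something like `// read access lets the registry load classes from file: codebase URLs` if that is the reason, and the author should state whether a narrower target was considered. The `new CodeSource(null, ...)` in the `-428` hunk would benefit from a similar one-line comment saying the domain deliberately has no code location.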
@@ -1031,7 +1031,7 @@
 * loader. A given permission is only added to the collection if
 * it is not already implied by the collection.
 */
- public static void addPermissionsForURLs(URL[] urls,
+ private static void addPermissionsForURLs(URL[] urls,
 PermissionCollection perms,
 boolean forLoader)
 {
--- /dev/null Mon Nov 21 17:10:48 2011
+++ new/test/java/rmi/registry/readTest/readTest.java Mon Nov 21 17:10:47 2011
@@ -0,0 +1,59 @@
+/*
+ * Copyright (c) 2011, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+import java.rmi.registry.Registry;
+import java.rmi.registry.LocateRegistry;
+import java.rmi.RemoteException;
+import java.rmi.server.UnicastRemoteObject;
+
+
+public class readTest {
+
+ public static void main(String args[]) throws Exception {
+ int port = 7491;
+ try {
+ testPkg.Server obj = new testPkg.Server();
+ testPkg.Hello stub = (testPkg.Hello) UnicastRemoteObject.exportObject(obj, 0);
+ // Bind the remote object's stub in the registry
+ Registry registry = LocateRegistry.getRegistry(port);
+ registry.bind("Hello", stub);
+
+ System.err.println("Server ready");
+
+ // now, let's test client
+ testPkg.Client client = new testPkg.Client(port);
+ String testStubReturn = client.testStub();
+ if(!testStubReturn.equals(obj.hello)) {
+ throw new RuntimeException("Test Fails : unexpected string from stub call");
+ } else {
+ System.out.println("Test passed");
+ }
+ registry.unbind("Hello");
+
+ } catch (Exception e) {
+ System.err.println("Server exception: " + e.toString());
+ e.printStackTrace();
+ }
+
+ }
+}
--- /dev/null Mon Nov 21 17:10:50 2011
+++ new/test/java/rmi/registry/readTest/readTest.sh Mon Nov 21 17:10:49 2011
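Review bot: `readTest` carries no comment saying what it verifies, and that is not obvious from the code: the script starts `rmiregistry` without the test classes on its classpath, so `registry.bind("Hello", stub)` only succeeds if the registry can load the `testPkg` classes from the `file:` codebase. A class comment such as `/** Binds a stub the registry must load from the file: codebase, then calls it via lookup. */` would tie the test to the permission change it guards. Separately, the `catch (Exception e)` at the end of `main` turns the `RuntimeException("Test Fails : ...")` into log output only, so the verdict rests entirely on the script's grep for `Test passed`. The port `7491` is also duplicated in readTest.sh rather than passed in as an argument.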
@@ -0,0 +1,95 @@
+#
+# Copyright (c) 2011, Oracle and/or its affiliates. All rights reserved.
+# DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+#
+# This code is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License version 2 only, as
+# published by the Free Software Foundation.
+#
+# This code is distributed in the hope that it will be useful, but WITHOUT
+# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+# FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+# version 2 for more details (a copy is included in the LICENSE file that
+# accompanied this code).
+#
+# You should have received a copy of the GNU General Public License version
+# 2 along with this work; if not, write to the Free Software Foundation,
+# Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+# or visit www.oracle.com if you need additional information or have any
+# questions.
+#
+
+# @test
+# @bug 7102369 7094468 7100592
+# @summary remove java.rmi.server.codebase property parsing from registyimpl
+# @run shell readTest.sh
+
+OS=`uname -s`
+case "$OS" in
+ SunOS | Linux )
+ PS=":"
+ FS="/"
+ FILEURL="file:"
+ ;;
+ Windows* | CYGWIN* )
+ PS=";"
+ FS="\\"
+ FILEURL="file:/"
+ ;;
+ * )
+ echo "Unrecognized system!"
+ exit 1;
+ ;;
+esac
+
+cp -r ${TESTSRC}${FS}* .
+${TESTJAVA}${FS}bin${FS}javac testPkg${FS}*java
+${TESTJAVA}${FS}bin${FS}javac readTest.java
+
+mkdir rmi_tmp
+RMIREG_OUT=rmi.out
+#start rmiregistry without any local classes on classpath
+cd rmi_tmp
+${TESTJAVA}${FS}bin${FS}rmiregistry 7491 > ..${FS}${RMIREG_OUT} 2>&1 &
+RMIREG_PID=$!
+# allow some time to start
+sleep 3
+cd ..
+
+# trailing / after code base is important for rmi codebase property.
+${TESTJAVA}${FS}bin${FS}java -Djava.rmi.server.codebase=${FILEURL}`pwd`/ readTest > OUT.TXT 2>&1 &
+TEST_PID=$!
+#bulk of testcase - let it run for a while
+sleep 5
+
+#we're done, kill processes first
+kill -9 ${RMIREG_PID} ${TEST_PID}
+sleep 3
+
+echo "Test output : "
+
+cat OUT.TXT
+echo "=============="
+echo "rmiregistry output : "
+cat ${RMIREG_OUT}
+echo "=============="
+
+grep "Server ready" OUT.TXT
+result1=$?
+grep "Test passed" OUT.TXT
+result2=$?
+
+if [ $result1 -eq 0 -a $result2 -eq 0 ]
+then
+ echo "Passed"
+ exitCode=0;
+else
+ echo "Failed"
+ exitCode=1
+fi
+rm -rf OUT.TXT ${RMIREG_OUT} rmi_tmp
+exit ${exitCode}
+
+
--- /dev/null Mon Nov 21 17:10:53 2011
+++ new/test/java/rmi/registry/readTest/testPkg/Client.java Mon Nov 21 17:10:51 2011
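Review bot: The script never confirms that the `rmiregistry` it started is the one listening on port `7491`; if the port is already taken, the background registry fails and readTest binds into whatever registry is there, so the test can pass or fail for unrelated reasons. A check after `sleep 3` such as `kill -0 ${RMIREG_PID} || exit 1` would catch the failed start, and `|| exit 1` after each `javac` line would stop on a compile error instead of continuing. The test also covers only the positive path: nothing starts the registry with `java.rmi.server.codebase` set to show that the property is now ignored. The `@summary` line spells the class as `registyimpl`.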
@@ -0,0 +1,48 @@
+/*
+ * Copyright (c) 2011, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+package testPkg;
+
+import java.rmi.registry.LocateRegistry;
+import java.rmi.registry.Registry;
+
+public class Client {
+ int port;
+
+ public Client(int p) {
+ port = p;
+ }
+
+ public String testStub() throws Exception {
+ try {
+ Registry registry = LocateRegistry.getRegistry(port);
+ Hello stub = (Hello) registry.lookup("Hello");
+ String response = stub.sayHello();
+ return response;
+ } catch (Exception e) {
+ System.err.println("Client exception: " + e.toString());
+ throw e;
+ }
+ }
+ }
+
--- /dev/null Mon Nov 21 17:10:57 2011
+++ new/test/java/rmi/registry/readTest/testPkg/Hello.java Mon Nov 21 17:10:54 2011
@@ -0,0 +1,31 @@
+/*
+ * Copyright (c) 2011, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+package testPkg;
+
+import java.rmi.Remote;
+import java.rmi.RemoteException;
+
+public interface Hello extends Remote {
+ String sayHello() throws RemoteException;
+}
--- /dev/null Mon Nov 21 17:10:59 2011
+++ new/test/java/rmi/registry/readTest/testPkg/Server.java Mon Nov 21 17:10:58 2011
@@ -0,0 +1,36 @@
+/*
+ * Copyright (c) 2011, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+package testPkg;
+
+public class Server implements Hello {
+
+ public String hello = "Hello, world!";
+
+ public Server() {}
+
+ public String sayHello() {
+ return hello;
+ }
+
+}