1 /* 2 * Copyright (c) 1996, 2013, Oracle and/or its affiliates. All rights reserved. 3 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. 4 * 5 * This code is free software; you can redistribute it and/or modify it 6 * under the terms of the GNU General Public License version 2 only, as 7 * published by the Free Software Foundation. Oracle designates this 8 * particular file as subject to the "Classpath" exception as provided 9 * by Oracle in the LICENSE file that accompanied this code. 10 * 11 * This code is distributed in the hope that it will be useful, but WITHOUT 12 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or 13 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License 14 * version 2 for more details (a copy is included in the LICENSE file that 15 * accompanied this code). 16 * 17 * You should have received a copy of the GNU General Public License version 18 * 2 along with this work; if not, write to the Free Software Foundation, 19 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. 20 * 21 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA 22 * or visit www.oracle.com if you need additional information or have any 23 * questions. 24 */ 25 26 package sun.rmi.server; 27 28 import java.io.File; 29 import java.io.FilePermission; 30 import java.io.IOException; 31 import java.lang.ref.ReferenceQueue; 32 import java.lang.ref.SoftReference; 33 import java.lang.ref.WeakReference; 34 import java.lang.reflect.Modifier; 35 import java.lang.reflect.Proxy; 36 import java.net.JarURLConnection; 37 import java.net.MalformedURLException; 38 import java.net.SocketPermission; 39 import java.net.URL; 40 import java.net.URLClassLoader; 41 import java.net.URLConnection; 42 import java.security.AccessControlContext; 43 import java.security.CodeSource; 44 import java.security.Permission; 45 import java.security.Permissions; 46 import java.security.PermissionCollection; 47 import java.security.Policy; 48 import java.security.ProtectionDomain; 49 import java.rmi.server.LogStream; 50 import java.util.Arrays; 51 import java.util.Collections; 52 import java.util.Enumeration; 53 import java.util.HashMap; 54 import java.util.IdentityHashMap; 55 import java.util.Map; 56 import java.util.StringTokenizer; 57 import java.util.WeakHashMap; 58 import sun.reflect.misc.ReflectUtil; 59 import sun.rmi.runtime.Log; 60 import sun.security.action.GetPropertyAction; 61 62 /** 63 * <code>LoaderHandler</code> provides the implementation of the static 64 * methods of the <code>java.rmi.server.RMIClassLoader</code> class. 65 * 66 * @author Ann Wollrath 67 * @author Peter Jones 68 * @author Laird Dornin 69 */ 70 @SuppressWarnings("deprecation") 71 public final class LoaderHandler { 72 73 /** RMI class loader log level */ 74 static final int logLevel = LogStream.parseLevel( 75 java.security.AccessController.doPrivileged( 76 new GetPropertyAction("sun.rmi.loader.logLevel"))); 77 78 /* loader system log */ 79 static final Log loaderLog = 80 Log.getLog("sun.rmi.loader", "loader", LoaderHandler.logLevel); 81 82 /** 83 * value of "java.rmi.server.codebase" property, as cached at class 84 * initialization time. It may contain malformed URLs. 85 */ 86 private static String codebaseProperty = null; 87 static { 88 String prop = java.security.AccessController.doPrivileged( 89 new GetPropertyAction("java.rmi.server.codebase")); 90 if (prop != null && prop.trim().length() > 0) { 91 codebaseProperty = prop; 92 } 93 } 94 95 /** list of URLs represented by the codebase property, if valid */ 96 private static URL[] codebaseURLs = null; 97 98 /** table of class loaders that use codebase property for annotation */ 99 private static final Map<ClassLoader, Void> codebaseLoaders = 100 Collections.synchronizedMap(new IdentityHashMap<ClassLoader, Void>(5)); 101 static { 102 for (ClassLoader codebaseLoader = ClassLoader.getSystemClassLoader(); 103 codebaseLoader != null; 104 codebaseLoader = codebaseLoader.getParent()) 105 { 106 codebaseLoaders.put(codebaseLoader, null); 107 } 108 } 109 110 /** 111 * table mapping codebase URL path and context class loader pairs 112 * to class loader instances. Entries hold class loaders with weak 113 * references, so this table does not prevent loaders from being 114 * garbage collected. 115 */ 116 private static final HashMap<LoaderKey, LoaderEntry> loaderTable 117 = new HashMap<>(5); 118 119 /** reference queue for cleared class loader entries */ 120 private static final ReferenceQueue<Loader> refQueue 121 = new ReferenceQueue<>(); 122 123 /* 124 * Disallow anyone from creating one of these. 125 */ 126 private LoaderHandler() {} 127 128 /** 129 * Returns an array of URLs initialized with the value of the 130 * java.rmi.server.codebase property as the URL path. 131 */ 132 private static synchronized URL[] getDefaultCodebaseURLs() 133 throws MalformedURLException 134 { 135 /* 136 * If it hasn't already been done, convert the codebase property 137 * into an array of URLs; this may throw a MalformedURLException. 138 */ 139 if (codebaseURLs == null) { 140 if (codebaseProperty != null) { 141 codebaseURLs = pathToURLs(codebaseProperty); 142 } else { 143 codebaseURLs = new URL[0]; 144 } 145 } 146 return codebaseURLs; 147 } 148 149 /** 150 * Load a class from a network location (one or more URLs), 151 * but first try to resolve the named class through the given 152 * "default loader". 153 */ 154 public static Class<?> loadClass(String codebase, String name, 155 ClassLoader defaultLoader) 156 throws MalformedURLException, ClassNotFoundException 157 { 158 if (loaderLog.isLoggable(Log.BRIEF)) { 159 loaderLog.log(Log.BRIEF, 160 "name = \"" + name + "\", " + 161 "codebase = \"" + (codebase != null ? codebase : "") + "\"" + 162 (defaultLoader != null ? 163 ", defaultLoader = " + defaultLoader : "")); 164 } 165 166 URL[] urls; 167 if (codebase != null) { 168 urls = pathToURLs(codebase); 169 } else { 170 urls = getDefaultCodebaseURLs(); 171 } 172 173 if (defaultLoader != null) { 174 try { 175 Class<?> c = loadClassForName(name, false, defaultLoader); 176 if (loaderLog.isLoggable(Log.VERBOSE)) { 177 loaderLog.log(Log.VERBOSE, 178 "class \"" + name + "\" found via defaultLoader, " + 179 "defined by " + c.getClassLoader()); 180 } 181 return c; 182 } catch (ClassNotFoundException e) { 183 } 184 } 185 186 return loadClass(urls, name); 187 } 188 189 /** 190 * Returns the class annotation (representing the location for 191 * a class) that RMI will use to annotate the call stream when 192 * marshalling objects of the given class. 193 */ 194 public static String getClassAnnotation(Class<?> cl) { 195 String name = cl.getName(); 196 197 /* 198 * Class objects for arrays of primitive types never need an 199 * annotation, because they never need to be (or can be) downloaded. 200 * 201 * REMIND: should we (not) be annotating classes that are in 202 * "java.*" packages? 203 */ 204 int nameLength = name.length(); 205 if (nameLength > 0 && name.charAt(0) == '[') { 206 // skip past all '[' characters (see bugid 4211906) 207 int i = 1; 208 while (nameLength > i && name.charAt(i) == '[') { 209 i++; 210 } 211 if (nameLength > i && name.charAt(i) != 'L') { 212 return null; 213 } 214 } 215 216 /* 217 * Get the class's class loader. If it is null, the system class 218 * loader, an ancestor of the base class loader (such as the loader 219 * for installed extensions), return the value of the 220 * "java.rmi.server.codebase" property. 221 */ 222 ClassLoader loader = cl.getClassLoader(); 223 if (loader == null || codebaseLoaders.containsKey(loader)) { 224 return codebaseProperty; 225 } 226 227 /* 228 * Get the codebase URL path for the class loader, if it supports 229 * such a notion (i.e., if it is a URLClassLoader or subclass). 230 */ 231 String annotation = null; 232 if (loader instanceof Loader) { 233 /* 234 * If the class loader is one of our RMI class loaders, we have 235 * already computed the class annotation string, and no 236 * permissions are required to know the URLs. 237 */ 238 annotation = ((Loader) loader).getClassAnnotation(); 239 240 } else if (loader instanceof URLClassLoader) { 241 try { 242 URL[] urls = ((URLClassLoader) loader).getURLs(); 243 if (urls != null) { 244 /* 245 * If the class loader is not one of our RMI class loaders, 246 * we must verify that the current access control context 247 * has permission to know all of these URLs. 248 */ 249 SecurityManager sm = System.getSecurityManager(); 250 if (sm != null) { 251 Permissions perms = new Permissions(); 252 for (int i = 0; i < urls.length; i++) { 253 Permission p = 254 urls[i].openConnection().getPermission(); 255 if (p != null) { 256 if (!perms.implies(p)) { 257 sm.checkPermission(p); 258 perms.add(p); 259 } 260 } 261 } 262 } 263 264 annotation = urlsToPath(urls); 265 } 266 } catch (SecurityException | IOException e) { 267 /* 268 * SecurityException: If access was denied to the knowledge of 269 * the class loader's URLs, fall back to the default behavior. 270 * 271 * IOException: This shouldn't happen, although it is declared 272 * to be thrown by openConnection() and getPermission(). If it 273 * does happen, forget about this class loader's URLs and 274 * fall back to the default behavior. 275 */ 276 } 277 } 278 279 if (annotation != null) { 280 return annotation; 281 } else { 282 return codebaseProperty; // REMIND: does this make sense?? 283 } 284 } 285 286 /** 287 * Returns a classloader that loads classes from the given codebase URL 288 * path. The parent classloader of the returned classloader is the 289 * context class loader. 290 */ 291 public static ClassLoader getClassLoader(String codebase) 292 throws MalformedURLException 293 { 294 ClassLoader parent = getRMIContextClassLoader(); 295 296 URL[] urls; 297 if (codebase != null) { 298 urls = pathToURLs(codebase); 299 } else { 300 urls = getDefaultCodebaseURLs(); 301 } 302 303 /* 304 * If there is a security manager, the current access control 305 * context must have the "getClassLoader" RuntimePermission. 306 */ 307 SecurityManager sm = System.getSecurityManager(); 308 if (sm != null) { 309 sm.checkPermission(new RuntimePermission("getClassLoader")); 310 } else { 311 /* 312 * But if no security manager is set, disable access to 313 * RMI class loaders and simply return the parent loader. 314 */ 315 return parent; 316 } 317 318 Loader loader = lookupLoader(urls, parent); 319 320 /* 321 * Verify that the caller has permission to access this loader. 322 */ 323 if (loader != null) { 324 loader.checkPermissions(); 325 } 326 327 return loader; 328 } 329 330 /** 331 * Return the security context of the given class loader. 332 */ 333 public static Object getSecurityContext(ClassLoader loader) { 334 /* 335 * REMIND: This is a bogus JDK1.1-compatible implementation. 336 * This method should never be called by application code anyway 337 * (hence the deprecation), but should it do something different 338 * and perhaps more useful, like return a String or a URL[]? 339 */ 340 if (loader instanceof Loader) { 341 URL[] urls = ((Loader) loader).getURLs(); 342 if (urls.length > 0) { 343 return urls[0]; 344 } 345 } 346 return null; 347 } 348 349 /** 350 * Register a class loader as one whose classes should always be 351 * annotated with the value of the "java.rmi.server.codebase" property. 352 */ 353 public static void registerCodebaseLoader(ClassLoader loader) { 354 codebaseLoaders.put(loader, null); 355 } 356 357 /** 358 * Load a class from the RMI class loader corresponding to the given 359 * codebase URL path in the current execution context. 360 */ 361 private static Class<?> loadClass(URL[] urls, String name) 362 throws ClassNotFoundException 363 { 364 ClassLoader parent = getRMIContextClassLoader(); 365 if (loaderLog.isLoggable(Log.VERBOSE)) { 366 loaderLog.log(Log.VERBOSE, 367 "(thread context class loader: " + parent + ")"); 368 } 369 370 /* 371 * If no security manager is set, disable access to RMI class 372 * loaders and simply delegate request to the parent loader 373 * (see bugid 4140511). 374 */ 375 SecurityManager sm = System.getSecurityManager(); 376 if (sm == null) { 377 try { 378 Class<?> c = Class.forName(name, false, parent); 379 if (loaderLog.isLoggable(Log.VERBOSE)) { 380 loaderLog.log(Log.VERBOSE, 381 "class \"" + name + "\" found via " + 382 "thread context class loader " + 383 "(no security manager: codebase disabled), " + 384 "defined by " + c.getClassLoader()); 385 } 386 return c; 387 } catch (ClassNotFoundException e) { 388 if (loaderLog.isLoggable(Log.BRIEF)) { 389 loaderLog.log(Log.BRIEF, 390 "class \"" + name + "\" not found via " + 391 "thread context class loader " + 392 "(no security manager: codebase disabled)", e); 393 } 394 throw new ClassNotFoundException(e.getMessage() + 395 " (no security manager: RMI class loader disabled)", 396 e.getException()); 397 } 398 } 399 400 /* 401 * Get or create the RMI class loader for this codebase URL path 402 * and parent class loader pair. 403 */ 404 Loader loader = lookupLoader(urls, parent); 405 406 try { 407 if (loader != null) { 408 /* 409 * Verify that the caller has permission to access this loader. 410 */ 411 loader.checkPermissions(); 412 } 413 } catch (SecurityException e) { 414 /* 415 * If the current access control context does not have permission 416 * to access all of the URLs in the codebase path, wrap the 417 * resulting security exception in a ClassNotFoundException, so 418 * the caller can handle this outcome just like any other class 419 * loading failure (see bugid 4146529). 420 */ 421 try { 422 /* 423 * But first, check to see if the named class could have been 424 * resolved without the security-offending codebase anyway; 425 * if so, return successfully (see bugids 4191926 & 4349670). 426 */ 427 Class<?> c = loadClassForName(name, false, parent); 428 if (loaderLog.isLoggable(Log.VERBOSE)) { 429 loaderLog.log(Log.VERBOSE, 430 "class \"" + name + "\" found via " + 431 "thread context class loader " + 432 "(access to codebase denied), " + 433 "defined by " + c.getClassLoader()); 434 } 435 return c; 436 } catch (ClassNotFoundException unimportant) { 437 /* 438 * Presumably the security exception is the more important 439 * exception to report in this case. 440 */ 441 if (loaderLog.isLoggable(Log.BRIEF)) { 442 loaderLog.log(Log.BRIEF, 443 "class \"" + name + "\" not found via " + 444 "thread context class loader " + 445 "(access to codebase denied)", e); 446 } 447 throw new ClassNotFoundException( 448 "access to class loader denied", e); 449 } 450 } 451 452 try { 453 Class<?> c = loadClassForName(name, false, loader); 454 if (loaderLog.isLoggable(Log.VERBOSE)) { 455 loaderLog.log(Log.VERBOSE, 456 "class \"" + name + "\" " + "found via codebase, " + 457 "defined by " + c.getClassLoader()); 458 } 459 return c; 460 } catch (ClassNotFoundException e) { 461 if (loaderLog.isLoggable(Log.BRIEF)) { 462 loaderLog.log(Log.BRIEF, 463 "class \"" + name + "\" not found via codebase", e); 464 } 465 throw e; 466 } 467 } 468 469 /** 470 * Define and return a dynamic proxy class in a class loader with 471 * URLs supplied in the given location. The proxy class will 472 * implement interface classes named by the given array of 473 * interface names. 474 */ 475 public static Class<?> loadProxyClass(String codebase, String[] interfaces, 476 ClassLoader defaultLoader) 477 throws MalformedURLException, ClassNotFoundException 478 { 479 if (loaderLog.isLoggable(Log.BRIEF)) { 480 loaderLog.log(Log.BRIEF, 481 "interfaces = " + Arrays.asList(interfaces) + ", " + 482 "codebase = \"" + (codebase != null ? codebase : "") + "\"" + 483 (defaultLoader != null ? 484 ", defaultLoader = " + defaultLoader : "")); 485 } 486 487 /* 488 * This method uses a fairly complex algorithm to load the 489 * proxy class and its interface classes in order to maximize 490 * the likelihood that the proxy's codebase annotation will be 491 * preserved. The algorithm is (assuming that all of the 492 * proxy interface classes are public): 493 * 494 * If the default loader is not null, try to load the proxy 495 * interfaces through that loader. If the interfaces can be 496 * loaded in that loader, try to define the proxy class in an 497 * RMI class loader (child of the context class loader) before 498 * trying to define the proxy in the default loader. If the 499 * attempt to define the proxy class succeeds, the codebase 500 * annotation is preserved. If the attempt fails, try to 501 * define the proxy class in the default loader. 502 * 503 * If the interface classes can not be loaded from the default 504 * loader or the default loader is null, try to load them from 505 * the RMI class loader. Then try to define the proxy class 506 * in the RMI class loader. 507 * 508 * Additionally, if any of the proxy interface classes are not 509 * public, all of the non-public interfaces must reside in the 510 * same class loader or it will be impossible to define the 511 * proxy class (an IllegalAccessError will be thrown). An 512 * attempt to load the interfaces from the default loader is 513 * made. If the attempt fails, a second attempt will be made 514 * to load the interfaces from the RMI loader. If all of the 515 * non-public interfaces classes do reside in the same class 516 * loader, then we attempt to define the proxy class in the 517 * class loader of the non-public interfaces. No other 518 * attempt to define the proxy class will be made. 519 */ 520 ClassLoader parent = getRMIContextClassLoader(); 521 if (loaderLog.isLoggable(Log.VERBOSE)) { 522 loaderLog.log(Log.VERBOSE, 523 "(thread context class loader: " + parent + ")"); 524 } 525 526 URL[] urls; 527 if (codebase != null) { 528 urls = pathToURLs(codebase); 529 } else { 530 urls = getDefaultCodebaseURLs(); 531 } 532 533 /* 534 * If no security manager is set, disable access to RMI class 535 * loaders and use the would-de parent instead. 536 */ 537 SecurityManager sm = System.getSecurityManager(); 538 if (sm == null) { 539 try { 540 Class<?> c = loadProxyClass(interfaces, defaultLoader, parent, 541 false); 542 if (loaderLog.isLoggable(Log.VERBOSE)) { 543 loaderLog.log(Log.VERBOSE, 544 "(no security manager: codebase disabled) " + 545 "proxy class defined by " + c.getClassLoader()); 546 } 547 return c; 548 } catch (ClassNotFoundException e) { 549 if (loaderLog.isLoggable(Log.BRIEF)) { 550 loaderLog.log(Log.BRIEF, 551 "(no security manager: codebase disabled) " + 552 "proxy class resolution failed", e); 553 } 554 throw new ClassNotFoundException(e.getMessage() + 555 " (no security manager: RMI class loader disabled)", 556 e.getException()); 557 } 558 } 559 560 /* 561 * Get or create the RMI class loader for this codebase URL path 562 * and parent class loader pair. 563 */ 564 Loader loader = lookupLoader(urls, parent); 565 566 try { 567 if (loader != null) { 568 /* 569 * Verify that the caller has permission to access this loader. 570 */ 571 loader.checkPermissions(); 572 } 573 } catch (SecurityException e) { 574 /* 575 * If the current access control context does not have permission 576 * to access all of the URLs in the codebase path, wrap the 577 * resulting security exception in a ClassNotFoundException, so 578 * the caller can handle this outcome just like any other class 579 * loading failure (see bugid 4146529). 580 */ 581 try { 582 /* 583 * But first, check to see if the proxy class could have been 584 * resolved without the security-offending codebase anyway; 585 * if so, return successfully (see bugids 4191926 & 4349670). 586 */ 587 Class<?> c = loadProxyClass(interfaces, defaultLoader, parent, 588 false); 589 if (loaderLog.isLoggable(Log.VERBOSE)) { 590 loaderLog.log(Log.VERBOSE, 591 "(access to codebase denied) " + 592 "proxy class defined by " + c.getClassLoader()); 593 } 594 return c; 595 } catch (ClassNotFoundException unimportant) { 596 /* 597 * Presumably the security exception is the more important 598 * exception to report in this case. 599 */ 600 if (loaderLog.isLoggable(Log.BRIEF)) { 601 loaderLog.log(Log.BRIEF, 602 "(access to codebase denied) " + 603 "proxy class resolution failed", e); 604 } 605 throw new ClassNotFoundException( 606 "access to class loader denied", e); 607 } 608 } 609 610 try { 611 Class<?> c = loadProxyClass(interfaces, defaultLoader, loader, true); 612 if (loaderLog.isLoggable(Log.VERBOSE)) { 613 loaderLog.log(Log.VERBOSE, 614 "proxy class defined by " + c.getClassLoader()); 615 } 616 return c; 617 } catch (ClassNotFoundException e) { 618 if (loaderLog.isLoggable(Log.BRIEF)) { 619 loaderLog.log(Log.BRIEF, 620 "proxy class resolution failed", e); 621 } 622 throw e; 623 } 624 } 625 626 /** 627 * Define a proxy class in the default loader if appropriate. 628 * Define the class in an RMI class loader otherwise. The proxy 629 * class will implement classes which are named in the supplied 630 * interfaceNames. 631 */ 632 private static Class<?> loadProxyClass(String[] interfaceNames, 633 ClassLoader defaultLoader, 634 ClassLoader codebaseLoader, 635 boolean preferCodebase) 636 throws ClassNotFoundException 637 { 638 ClassLoader proxyLoader = null; 639 Class<?>[] classObjs = new Class<?>[interfaceNames.length]; 640 boolean[] nonpublic = { false }; 641 642 defaultLoaderCase: 643 if (defaultLoader != null) { 644 try { 645 proxyLoader = 646 loadProxyInterfaces(interfaceNames, defaultLoader, 647 classObjs, nonpublic); 648 if (loaderLog.isLoggable(Log.VERBOSE)) { 649 ClassLoader[] definingLoaders = 650 new ClassLoader[classObjs.length]; 651 for (int i = 0; i < definingLoaders.length; i++) { 652 definingLoaders[i] = classObjs[i].getClassLoader(); 653 } 654 loaderLog.log(Log.VERBOSE, 655 "proxy interfaces found via defaultLoader, " + 656 "defined by " + Arrays.asList(definingLoaders)); 657 } 658 } catch (ClassNotFoundException e) { 659 break defaultLoaderCase; 660 } 661 if (!nonpublic[0]) { 662 if (preferCodebase) { 663 try { 664 return Proxy.getProxyClass(codebaseLoader, classObjs); 665 } catch (IllegalArgumentException e) { 666 } 667 } 668 proxyLoader = defaultLoader; 669 } 670 return loadProxyClass(proxyLoader, classObjs); 671 } 672 673 nonpublic[0] = false; 674 proxyLoader = loadProxyInterfaces(interfaceNames, codebaseLoader, 675 classObjs, nonpublic); 676 if (loaderLog.isLoggable(Log.VERBOSE)) { 677 ClassLoader[] definingLoaders = new ClassLoader[classObjs.length]; 678 for (int i = 0; i < definingLoaders.length; i++) { 679 definingLoaders[i] = classObjs[i].getClassLoader(); 680 } 681 loaderLog.log(Log.VERBOSE, 682 "proxy interfaces found via codebase, " + 683 "defined by " + Arrays.asList(definingLoaders)); 684 } 685 if (!nonpublic[0]) { 686 proxyLoader = codebaseLoader; 687 } 688 return loadProxyClass(proxyLoader, classObjs); 689 } 690 691 /** 692 * Define a proxy class in the given class loader. The proxy 693 * class will implement the given interfaces Classes. 694 */ 695 private static Class<?> loadProxyClass(ClassLoader loader, Class<?>[] interfaces) 696 throws ClassNotFoundException 697 { 698 try { 699 return Proxy.getProxyClass(loader, interfaces); 700 } catch (IllegalArgumentException e) { 701 throw new ClassNotFoundException( 702 "error creating dynamic proxy class", e); 703 } 704 } 705 706 /* 707 * Load Class objects for the names in the interfaces array fron 708 * the given class loader. 709 * 710 * We pass classObjs and nonpublic arrays to avoid needing a 711 * multi-element return value. nonpublic is an array to enable 712 * the method to take a boolean argument by reference. 713 * 714 * nonpublic array is needed to signal when the return value of 715 * this method should be used as the proxy class loader. Because 716 * null represents a valid class loader, that value is 717 * insufficient to signal that the return value should not be used 718 * as the proxy class loader. 719 */ 720 private static ClassLoader loadProxyInterfaces(String[] interfaces, 721 ClassLoader loader, 722 Class<?>[] classObjs, 723 boolean[] nonpublic) 724 throws ClassNotFoundException 725 { 726 /* loader of a non-public interface class */ 727 ClassLoader nonpublicLoader = null; 728 729 for (int i = 0; i < interfaces.length; i++) { 730 Class<?> cl = 731 (classObjs[i] = loadClassForName(interfaces[i], false, loader)); 732 733 if (!Modifier.isPublic(cl.getModifiers())) { 734 ClassLoader current = cl.getClassLoader(); 735 if (loaderLog.isLoggable(Log.VERBOSE)) { 736 loaderLog.log(Log.VERBOSE, 737 "non-public interface \"" + interfaces[i] + 738 "\" defined by " + current); 739 } 740 if (!nonpublic[0]) { 741 nonpublicLoader = current; 742 nonpublic[0] = true; 743 } else if (current != nonpublicLoader) { 744 throw new IllegalAccessError( 745 "non-public interfaces defined in different " + 746 "class loaders"); 747 } 748 } 749 } 750 return nonpublicLoader; 751 } 752 753 /** 754 * Convert a string containing a space-separated list of URLs into a 755 * corresponding array of URL objects, throwing a MalformedURLException 756 * if any of the URLs are invalid. 757 */ 758 private static URL[] pathToURLs(String path) 759 throws MalformedURLException 760 { 761 synchronized (pathToURLsCache) { 762 Object[] v = pathToURLsCache.get(path); 763 if (v != null) { 764 return ((URL[])v[0]); 765 } 766 } 767 StringTokenizer st = new StringTokenizer(path); // divide by spaces 768 URL[] urls = new URL[st.countTokens()]; 769 for (int i = 0; st.hasMoreTokens(); i++) { 770 urls[i] = new URL(st.nextToken()); 771 } 772 synchronized (pathToURLsCache) { 773 pathToURLsCache.put(path, 774 new Object[] {urls, new SoftReference<String>(path)}); 775 } 776 return urls; 777 } 778 779 /** map from weak(key=string) to [URL[], soft(key)] */ 780 private static final Map<String, Object[]> pathToURLsCache 781 = new WeakHashMap<>(5); 782 783 /** 784 * Convert an array of URL objects into a corresponding string 785 * containing a space-separated list of URLs. 786 * 787 * Note that if the array has zero elements, the return value is 788 * null, not the empty string. 789 */ 790 private static String urlsToPath(URL[] urls) { 791 if (urls.length == 0) { 792 return null; 793 } else if (urls.length == 1) { 794 return urls[0].toExternalForm(); 795 } else { 796 StringBuffer path = new StringBuffer(urls[0].toExternalForm()); 797 for (int i = 1; i < urls.length; i++) { 798 path.append(' '); 799 path.append(urls[i].toExternalForm()); 800 } 801 return path.toString(); 802 } 803 } 804 805 /** 806 * Return the class loader to be used as the parent for an RMI class 807 * loader used in the current execution context. 808 */ 809 private static ClassLoader getRMIContextClassLoader() { 810 /* 811 * The current implementation simply uses the current thread's 812 * context class loader. 813 */ 814 return Thread.currentThread().getContextClassLoader(); 815 } 816 817 /** 818 * Look up the RMI class loader for the given codebase URL path 819 * and the given parent class loader. A new class loader instance 820 * will be created and returned if no match is found. 821 */ 822 private static Loader lookupLoader(final URL[] urls, 823 final ClassLoader parent) 824 { 825 /* 826 * If the requested codebase URL path is empty, the supplied 827 * parent class loader will be sufficient. 828 * 829 * REMIND: To be conservative, this optimization is commented out 830 * for now so that it does not open a security hole in the future 831 * by providing untrusted code with direct access to the public 832 * loadClass() method of a class loader instance that it cannot 833 * get a reference to. (It's an unlikely optimization anyway.) 834 * 835 * if (urls.length == 0) { 836 * return parent; 837 * } 838 */ 839 840 LoaderEntry entry; 841 Loader loader; 842 843 synchronized (LoaderHandler.class) { 844 /* 845 * Take this opportunity to remove from the table entries 846 * whose weak references have been cleared. 847 */ 848 while ((entry = (LoaderEntry) refQueue.poll()) != null) { 849 if (!entry.removed) { // ignore entries removed below 850 loaderTable.remove(entry.key); 851 } 852 } 853 854 /* 855 * Look up the codebase URL path and parent class loader pair 856 * in the table of RMI class loaders. 857 */ 858 LoaderKey key = new LoaderKey(urls, parent); 859 entry = loaderTable.get(key); 860 861 if (entry == null || (loader = entry.get()) == null) { 862 /* 863 * If entry was in table but it's weak reference was cleared, 864 * remove it from the table and mark it as explicitly cleared, 865 * so that new matching entry that we put in the table will 866 * not be erroneously removed when this entry is processed 867 * from the weak reference queue. 868 */ 869 if (entry != null) { 870 loaderTable.remove(key); 871 entry.removed = true; 872 } 873 874 /* 875 * A matching loader was not found, so create a new class 876 * loader instance for the requested codebase URL path and 877 * parent class loader. The instance is created within an 878 * access control context retricted to the permissions 879 * necessary to load classes from its codebase URL path. 880 */ 881 AccessControlContext acc = getLoaderAccessControlContext(urls); 882 loader = java.security.AccessController.doPrivileged( 883 new java.security.PrivilegedAction<Loader>() { 884 public Loader run() { 885 return new Loader(urls, parent); 886 } 887 }, acc); 888 889 /* 890 * Finally, create an entry to hold the new loader with a 891 * weak reference and store it in the table with the key. 892 */ 893 entry = new LoaderEntry(key, loader); 894 loaderTable.put(key, entry); 895 } 896 } 897 898 return loader; 899 } 900 901 /** 902 * LoaderKey holds a codebase URL path and parent class loader pair 903 * used to look up RMI class loader instances in its class loader cache. 904 */ 905 private static class LoaderKey { 906 907 private URL[] urls; 908 909 private ClassLoader parent; 910 911 private int hashValue; 912 913 public LoaderKey(URL[] urls, ClassLoader parent) { 914 this.urls = urls; 915 this.parent = parent; 916 917 if (parent != null) { 918 hashValue = parent.hashCode(); 919 } 920 for (int i = 0; i < urls.length; i++) { 921 hashValue ^= urls[i].hashCode(); 922 } 923 } 924 925 public int hashCode() { 926 return hashValue; 927 } 928 929 public boolean equals(Object obj) { 930 if (obj instanceof LoaderKey) { 931 LoaderKey other = (LoaderKey) obj; 932 if (parent != other.parent) { 933 return false; 934 } 935 if (urls == other.urls) { 936 return true; 937 } 938 if (urls.length != other.urls.length) { 939 return false; 940 } 941 for (int i = 0; i < urls.length; i++) { 942 if (!urls[i].equals(other.urls[i])) { 943 return false; 944 } 945 } 946 return true; 947 } else { 948 return false; 949 } 950 } 951 } 952 953 /** 954 * LoaderEntry contains a weak reference to an RMIClassLoader. The 955 * weak reference is registered with the private static "refQueue" 956 * queue. The entry contains the codebase URL path and parent class 957 * loader key for the loader so that the mapping can be removed from 958 * the table efficiently when the weak reference is cleared. 959 */ 960 private static class LoaderEntry extends WeakReference<Loader> { 961 962 public LoaderKey key; 963 964 /** 965 * set to true if the entry has been removed from the table 966 * because it has been replaced, so it should not be attempted 967 * to be removed again 968 */ 969 public boolean removed = false; 970 971 public LoaderEntry(LoaderKey key, Loader loader) { 972 super(loader, refQueue); 973 this.key = key; 974 } 975 } 976 977 /** 978 * Return the access control context that a loader for the given 979 * codebase URL path should execute with. 980 */ 981 private static AccessControlContext getLoaderAccessControlContext( 982 URL[] urls) 983 { 984 /* 985 * The approach used here is taken from the similar method 986 * getAccessControlContext() in the sun.applet.AppletPanel class. 987 */ 988 // begin with permissions granted to all code in current policy 989 PermissionCollection perms = 990 java.security.AccessController.doPrivileged( 991 new java.security.PrivilegedAction<PermissionCollection>() { 992 public PermissionCollection run() { 993 CodeSource codesource = new CodeSource(null, 994 (java.security.cert.Certificate[]) null); 995 Policy p = java.security.Policy.getPolicy(); 996 if (p != null) { 997 return p.getPermissions(codesource); 998 } else { 999 return new Permissions(); 1000 } 1001 } 1002 }); 1003 1004 // createClassLoader permission needed to create loader in context 1005 perms.add(new RuntimePermission("createClassLoader")); 1006 1007 // add permissions to read any "java.*" property 1008 perms.add(new java.util.PropertyPermission("java.*","read")); 1009 1010 // add permissions reuiqred to load from codebase URL path 1011 addPermissionsForURLs(urls, perms, true); 1012 1013 /* 1014 * Create an AccessControlContext that consists of a single 1015 * protection domain with only the permissions calculated above. 1016 */ 1017 ProtectionDomain pd = new ProtectionDomain( 1018 new CodeSource((urls.length > 0 ? urls[0] : null), 1019 (java.security.cert.Certificate[]) null), 1020 perms); 1021 return new AccessControlContext(new ProtectionDomain[] { pd }); 1022 } 1023 1024 /** 1025 * Adds to the specified permission collection the permissions 1026 * necessary to load classes from a loader with the specified URL 1027 * path; if "forLoader" is true, also adds URL-specific 1028 * permissions necessary for the security context that such a 1029 * loader operates within, such as permissions necessary for 1030 * granting automatic permissions to classes defined by the 1031 * loader. A given permission is only added to the collection if 1032 * it is not already implied by the collection. 1033 */ 1034 private static void addPermissionsForURLs(URL[] urls, 1035 PermissionCollection perms, 1036 boolean forLoader) 1037 { 1038 for (int i = 0; i < urls.length; i++) { 1039 URL url = urls[i]; 1040 try { 1041 URLConnection urlConnection = url.openConnection(); 1042 Permission p = urlConnection.getPermission(); 1043 if (p != null) { 1044 if (p instanceof FilePermission) { 1045 /* 1046 * If the codebase is a file, the permission required 1047 * to actually read classes from the codebase URL is 1048 * the permission to read all files beneath the last 1049 * directory in the file path, either because JAR 1050 * files can refer to other JAR files in the same 1051 * directory, or because permission to read a 1052 * directory is not implied by permission to read the 1053 * contents of a directory, which all that might be 1054 * granted. 1055 */ 1056 String path = p.getName(); 1057 int endIndex = path.lastIndexOf(File.separatorChar); 1058 if (endIndex != -1) { 1059 path = path.substring(0, endIndex+1); 1060 if (path.endsWith(File.separator)) { 1061 path += "-"; 1062 } 1063 Permission p2 = new FilePermission(path, "read"); 1064 if (!perms.implies(p2)) { 1065 perms.add(p2); 1066 } 1067 perms.add(new FilePermission(path, "read")); 1068 } else { 1069 /* 1070 * No directory separator: use permission to 1071 * read the file. 1072 */ 1073 if (!perms.implies(p)) { 1074 perms.add(p); 1075 } 1076 } 1077 } else { 1078 if (!perms.implies(p)) { 1079 perms.add(p); 1080 } 1081 1082 /* 1083 * If the purpose of these permissions is to grant 1084 * them to an instance of a URLClassLoader subclass, 1085 * we must add permission to connect to and accept 1086 * from the host of non-"file:" URLs, otherwise the 1087 * getPermissions() method of URLClassLoader will 1088 * throw a security exception. 1089 */ 1090 if (forLoader) { 1091 // get URL with meaningful host component 1092 URL hostURL = url; 1093 for (URLConnection conn = urlConnection; 1094 conn instanceof JarURLConnection;) 1095 { 1096 hostURL = 1097 ((JarURLConnection) conn).getJarFileURL(); 1098 conn = hostURL.openConnection(); 1099 } 1100 String host = hostURL.getHost(); 1101 if (host != null && 1102 p.implies(new SocketPermission(host, 1103 "resolve"))) 1104 { 1105 Permission p2 = 1106 new SocketPermission(host, 1107 "connect,accept"); 1108 if (!perms.implies(p2)) { 1109 perms.add(p2); 1110 } 1111 } 1112 } 1113 } 1114 } 1115 } catch (IOException e) { 1116 /* 1117 * This shouldn't happen, although it is declared to be 1118 * thrown by openConnection() and getPermission(). If it 1119 * does, don't bother granting or requiring any permissions 1120 * for this URL. 1121 */ 1122 } 1123 } 1124 } 1125 1126 /** 1127 * Loader is the actual class of the RMI class loaders created 1128 * by the RMIClassLoader static methods. 1129 */ 1130 private static class Loader extends URLClassLoader { 1131 1132 /** parent class loader, kept here as an optimization */ 1133 private ClassLoader parent; 1134 1135 /** string form of loader's codebase URL path, also an optimization */ 1136 private String annotation; 1137 1138 /** permissions required to access loader through public API */ 1139 private Permissions permissions; 1140 1141 private Loader(URL[] urls, ClassLoader parent) { 1142 super(urls, parent); 1143 this.parent = parent; 1144 1145 /* 1146 * Precompute the permissions required to access the loader. 1147 */ 1148 permissions = new Permissions(); 1149 addPermissionsForURLs(urls, permissions, false); 1150 1151 /* 1152 * Caching the value of class annotation string here assumes 1153 * that the protected method addURL() is never called on this 1154 * class loader. 1155 */ 1156 annotation = urlsToPath(urls); 1157 } 1158 1159 /** 1160 * Return the string to be annotated with all classes loaded from 1161 * this class loader. 1162 */ 1163 public String getClassAnnotation() { 1164 return annotation; 1165 } 1166 1167 /** 1168 * Check that the current access control context has all of the 1169 * permissions necessary to load classes from this loader. 1170 */ 1171 private void checkPermissions() { 1172 SecurityManager sm = System.getSecurityManager(); 1173 if (sm != null) { // should never be null? 1174 Enumeration<Permission> enum_ = permissions.elements(); 1175 while (enum_.hasMoreElements()) { 1176 sm.checkPermission(enum_.nextElement()); 1177 } 1178 } 1179 } 1180 1181 /** 1182 * Return the permissions to be granted to code loaded from the 1183 * given code source. 1184 */ 1185 protected PermissionCollection getPermissions(CodeSource codesource) { 1186 PermissionCollection perms = super.getPermissions(codesource); 1187 /* 1188 * Grant the same permissions that URLClassLoader would grant. 1189 */ 1190 return perms; 1191 } 1192 1193 /** 1194 * Return a string representation of this loader (useful for 1195 * debugging). 1196 */ 1197 public String toString() { 1198 return super.toString() + "[\"" + annotation + "\"]"; 1199 } 1200 1201 @Override 1202 protected Class<?> loadClass(String name, boolean resolve) 1203 throws ClassNotFoundException { 1204 if (parent == null) { 1205 ReflectUtil.checkPackageAccess(name); 1206 } 1207 return super.loadClass(name, resolve); 1208 } 1209 1210 1211 } 1212 1213 private static Class<?> loadClassForName(String name, 1214 boolean initialize, 1215 ClassLoader loader) 1216 throws ClassNotFoundException 1217 { 1218 if (loader == null) { 1219 ReflectUtil.checkPackageAccess(name); 1220 } 1221 return Class.forName(name, initialize, loader); 1222 } 1223 1224 }