--- old/src/share/classes/java/rmi/activation/ActivationGroup.java 2013-07-16 00:14:14.087483392 -0400 +++ new/src/share/classes/java/rmi/activation/ActivationGroup.java 2013-07-16 00:14:13.584482430 -0400 @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997, 2005, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 1997, 2013, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -37,6 +37,7 @@ import java.rmi.server.UnicastRemoteObject; import java.security.AccessController; import sun.security.action.GetIntegerAction; +import sun.security.action.GetPropertyAction; /** * An ActivationGroup is responsible for creating new @@ -436,11 +437,14 @@ { if (currSystem == null) { try { + String host = AccessController.doPrivileged( + new GetPropertyAction("sun.rmi.activation.host", + "")); int port = AccessController.doPrivileged( new GetIntegerAction("java.rmi.activation.port", ActivationSystem.SYSTEM_PORT)); currSystem = (ActivationSystem) - Naming.lookup("//:" + port + + Naming.lookup("//" + host + ":" + port + "/java.rmi.activation.ActivationSystem"); } catch (Exception e) { throw new ActivationException( --- old/src/share/classes/sun/rmi/server/Activation.java 2013-07-16 00:14:14.584019882 -0400 +++ new/src/share/classes/sun/rmi/server/Activation.java 2013-07-16 00:14:14.584019882 -0400 @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997, 2012, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 1997, 2013, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -74,6 +74,7 @@ import java.rmi.server.RMIServerSocketFactory; import java.rmi.server.RemoteObject; import java.rmi.server.RemoteServer; +import java.rmi.server.ServerNotActiveException; import java.rmi.server.UnicastRemoteObject; import java.security.AccessControlException; import java.security.AccessController; @@ -84,6 +85,7 @@ import java.security.Permissions; import java.security.Policy; import java.security.PrivilegedAction; +import java.security.PrivilegedActionException; import java.security.PrivilegedExceptionAction; import java.security.cert.Certificate; import java.text.MessageFormat; @@ -107,6 +109,7 @@ import sun.rmi.runtime.NewThreadAction; import sun.rmi.server.UnicastServerRef; import sun.rmi.transport.LiveRef; +import sun.rmi.transport.tcp.TCPTransport; import sun.security.action.GetBooleanAction; import sun.security.action.GetIntegerAction; import sun.security.action.GetPropertyAction; @@ -182,6 +185,31 @@ private static final Object initLock = new Object(); private static boolean initDone = false; + private static final InetAddress remoteClientAddress; + static { + remoteClientAddress = java.security.AccessController.doPrivileged( + new java.security.PrivilegedAction() { + public InetAddress run() { + String remoteClientProp = + System.getProperty("sun.rmi.activation.remoteClient", + null); + + if (remoteClientProp == null) { + return null; + } + + try { + return InetAddress.getByName(remoteClientProp); + } catch (Throwable t) { + System.err.println("Activation: Cannot get the IP " + + "address of the remote client: " + + remoteClientProp); + } + + return null; + }}); + } + // this should be a *private* method since it is privileged private static int getInt(String name, int def) { return AccessController.doPrivileged(new GetIntegerAction(name, def)); @@ -207,6 +235,58 @@ private Activation() {} /** + * Check that the caller has access to this interface. + *

+ * Use the default policy as implemented in RegistryImpl.checkAccess, + * unless the sun.rmi.activation.remoteClient property is set, and in + * that case only allow access from that host. + * + * @param op name of operation used to create a meaningful exception + * message, the parameter is not used to determine access + */ + static void checkAccess(String op) throws AccessException { + if (remoteClientAddress == null) { + /* + * Note, the op arg to checkAccess is only used to build an + * access exception message if needed. + */ + RegistryImpl.checkAccess(op); + return; + } + + InetAddress clientHost; + + try { + // Get client host that this operation was made from. + final String clientHostName = TCPTransport.getClientHost(); + + try { + clientHost = java.security.AccessController.doPrivileged( + new java.security.PrivilegedExceptionAction() { + public InetAddress run() + throws java.net.UnknownHostException + { + return InetAddress.getByName(clientHostName); + } + }); + } catch (PrivilegedActionException pae) { + throw new AccessException("RMI " + op + " disallowed; " + + clientHostName + " is an unknown client"); + } + } catch (ServerNotActiveException ex) { + throw new AccessException("RMI " + op + + " is not allowed from the local host"); + } + + if (remoteClientAddress.equals(clientHost)) { + return; + } + + throw new AccessException("RMI " + op + " is not allowed from " + + clientHost); + } + + /** * Recover activation state from the reliable log and initialize * activation services. */ @@ -426,7 +506,7 @@ } catch (ActivationException e) { return; } - RegistryImpl.checkAccess("Activator.inactiveObject"); + Activation.checkAccess("Activator.inactiveObject"); getGroupEntry(id).inactiveObject(id); } @@ -439,7 +519,7 @@ } catch (ActivationException e) { return; } - RegistryImpl.checkAccess("ActivationSystem.activeObject"); + Activation.checkAccess("ActivationSystem.activeObject"); getGroupEntry(id).activeObject(id, mobj); } @@ -452,7 +532,7 @@ } catch (ActivationException e) { return; } - RegistryImpl.checkAccess("ActivationMonitor.inactiveGroup"); + Activation.checkAccess("ActivationMonitor.inactiveGroup"); getGroupEntry(id).inactiveGroup(incarnation, false); } } @@ -484,7 +564,7 @@ throws ActivationException, UnknownGroupException, RemoteException { checkShutdown(); - RegistryImpl.checkAccess("ActivationSystem.registerObject"); + Activation.checkAccess("ActivationSystem.registerObject"); ActivationGroupID groupID = desc.getGroupID(); ActivationID id = new ActivationID(activatorStub); @@ -496,7 +576,7 @@ throws ActivationException, UnknownObjectException, RemoteException { checkShutdown(); - RegistryImpl.checkAccess("ActivationSystem.unregisterObject"); + Activation.checkAccess("ActivationSystem.unregisterObject"); getGroupEntry(id).unregisterObject(id, true); } @@ -504,7 +584,7 @@ throws ActivationException, RemoteException { checkShutdown(); - RegistryImpl.checkAccess("ActivationSystem.registerGroup"); + Activation.checkAccess("ActivationSystem.registerGroup"); checkArgs(desc, null); ActivationGroupID id = new ActivationGroupID(systemStub); @@ -521,7 +601,7 @@ throws ActivationException, UnknownGroupException, RemoteException { checkShutdown(); - RegistryImpl.checkAccess("ActivationSystem.activeGroup"); + Activation.checkAccess("ActivationSystem.activeGroup"); getGroupEntry(id).activeGroup(group, incarnation); return monitor; @@ -531,7 +611,7 @@ throws ActivationException, UnknownGroupException, RemoteException { checkShutdown(); - RegistryImpl.checkAccess("ActivationSystem.unregisterGroup"); + Activation.checkAccess("ActivationSystem.unregisterGroup"); // remove entry before unregister so state is updated before // logged @@ -543,7 +623,7 @@ throws ActivationException, UnknownObjectException, RemoteException { checkShutdown(); - RegistryImpl.checkAccess("ActivationSystem.setActivationDesc"); + Activation.checkAccess("ActivationSystem.setActivationDesc"); if (!getGroupID(id).equals(desc.getGroupID())) { throw new ActivationException( @@ -557,7 +637,7 @@ throws ActivationException, UnknownGroupException, RemoteException { checkShutdown(); - RegistryImpl.checkAccess( + Activation.checkAccess( "ActivationSystem.setActivationGroupDesc"); checkArgs(desc, null); @@ -568,7 +648,7 @@ throws ActivationException, UnknownObjectException, RemoteException { checkShutdown(); - RegistryImpl.checkAccess("ActivationSystem.getActivationDesc"); + Activation.checkAccess("ActivationSystem.getActivationDesc"); return getGroupEntry(id).getActivationDesc(id); } @@ -577,7 +657,7 @@ throws ActivationException, UnknownGroupException, RemoteException { checkShutdown(); - RegistryImpl.checkAccess + Activation.checkAccess ("ActivationSystem.getActivationGroupDesc"); return getGroupEntry(id).desc; @@ -588,7 +668,7 @@ * the activation daemon and exits the activation daemon. */ public void shutdown() throws AccessException { - RegistryImpl.checkAccess("ActivationSystem.shutdown"); + Activation.checkAccess("ActivationSystem.shutdown"); Object lock = startupLock; if (lock != null) { --- old/src/share/classes/sun/rmi/server/ActivationGroupImpl.java 2013-07-16 00:14:15.083983614 -0400 +++ new/src/share/classes/sun/rmi/server/ActivationGroupImpl.java 2013-07-16 00:14:15.083983614 -0400 @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997, 2012, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 1997, 2013, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -208,7 +208,7 @@ final ActivationDesc desc) throws ActivationException, RemoteException { - RegistryImpl.checkAccess("ActivationInstantiator.newInstance"); + Activation.checkAccess("ActivationInstantiator.newInstance"); if (!groupID.equals(desc.getGroupID())) throw new ActivationException("newInstance in wrong group");