GEODE-7628: Block jmx mbean creation when no security manager is conf…

…igured (apache#4534)
DaveNutkins · Dec 28, 2019 · 70f86c6 · 70f86c6
1 parent 51d1b24
commit 70f86c6
Show file tree

Hide file tree

Showing 3 changed files with 95 additions and 2 deletions.
diff --git a/...grationTest/java/org/apache/geode/management/internal/security/NoSecurityManagerTest.java b/...grationTest/java/org/apache/geode/management/internal/security/NoSecurityManagerTest.java
@@ -0,0 +1,52 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more contributor license
+ * agreements. See the NOTICE file distributed with this work for additional information regarding
+ * copyright ownership. The ASF licenses this file to You under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance with the License. You may obtain a
+ * copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software distributed under the License
+ * is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express
+ * or implied. See the License for the specific language governing permissions and limitations under
+ * the License.
+ */
+package org.apache.geode.management.internal.security;
+
+
+
+import javax.management.MBeanServerConnection;
+import javax.management.ObjectName;
+
+import org.assertj.core.api.Assertions;
+import org.junit.ClassRule;
+import org.junit.Rule;
+import org.junit.Test;
+import org.junit.experimental.categories.Category;
+
+import org.apache.geode.test.junit.categories.SecurityTest;
+import org.apache.geode.test.junit.rules.MBeanServerConnectionRule;
+import org.apache.geode.test.junit.rules.ServerStarterRule;
+
+@Category({SecurityTest.class})
+public class NoSecurityManagerTest {
+  @ClassRule
+  public static ServerStarterRule server = new ServerStarterRule().withJMXManager()
+      .withAutoStart();
+
+  @Rule
+  public MBeanServerConnectionRule connectionRule =
+      new MBeanServerConnectionRule(server::getJmxPort);
+
+
+  @Test
+  public void cannotCreateMBeansInServer() throws Exception {
+    connectionRule.connect(server.getJmxPort());
+    MBeanServerConnection mBeanServerConnection = connectionRule.getMBeanServerConnection();
+    ObjectName mletName = new ObjectName("foo:name=mlet");
+    Assertions.assertThatThrownBy(
+        () -> mBeanServerConnection.createMBean("javax.management.loading.MLet", mletName))
+        .isInstanceOf(SecurityException.class);
+  }
+}
diff --git a/...core/src/main/java/org/apache/geode/management/internal/BlockMBeanCreationController.java b/...core/src/main/java/org/apache/geode/management/internal/BlockMBeanCreationController.java
@@ -0,0 +1,38 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more contributor license
+ * agreements. See the NOTICE file distributed with this work for additional information regarding
+ * copyright ownership. The ASF licenses this file to You under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance with the License. You may obtain a
+ * copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software distributed under the License
+ * is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express
+ * or implied. See the License for the specific language governing permissions and limitations under
+ * the License.
+ */
+
+package org.apache.geode.management.internal;
+
+
+import com.sun.jmx.remote.security.MBeanServerAccessController;
+
+public class BlockMBeanCreationController extends MBeanServerAccessController {
+
+  @Override
+  protected void checkCreate(String className) {
+    throw new SecurityException(
+        "Access Denied. Remote MBean creation is not allowed unless a security manager is enabled");
+  }
+
+  @Override
+  protected void checkRead() {
+
+  }
+
+  @Override
+  protected void checkWrite() {
+
+  }
+}
diff --git a/geode-core/src/main/java/org/apache/geode/management/internal/ManagementAgent.java b/geode-core/src/main/java/org/apache/geode/management/internal/ManagementAgent.java
@@ -418,8 +418,7 @@ public synchronized void start() throws IOException {
       jmxConnectorServer.addNotificationListener(shiroAuthenticator, null,
           jmxConnectorServer.getAttributes());
       // always going to assume authorization is needed as well, if no custom AccessControl, then
-      // the CustomAuthRealm
-      // should take care of that
+      // the CustomAuthRealm should take care of that
       MBeanServerWrapper mBeanServerWrapper = new MBeanServerWrapper(this.securityService);
       jmxConnectorServer.setMBeanServerForwarder(mBeanServerWrapper);
     } else {
@@ -434,6 +433,10 @@ public synchronized void start() throws IOException {
         // Rewire the mbs hierarchy to set accessController
         ReadOpFileAccessController controller = new ReadOpFileAccessController(accessFile);
         controller.setMBeanServer(mbs);
+        jmxConnectorServer.setMBeanServerForwarder(controller);
+      } else {
+        // if no access control, do not allow mbean creation to prevent Mlet attack
+        jmxConnectorServer.setMBeanServerForwarder(new BlockMBeanCreationController());
       }
     }
     registerAccessControlMBean();