diff -Nru openjdk.orig/jdk/src/share/classes/com/sun/jmx/mbeanserver/ClassLoaderRepositorySupport.java openjdk/jdk/src/share/classes/com/sun/jmx/mbeanserver/ClassLoaderRepositorySupport.java
--- openjdk.orig/jdk/src/share/classes/com/sun/jmx/mbeanserver/ClassLoaderRepositorySupport.java	2011-11-14 22:11:44.000000000 +0000
+++ jdk/src/share/classes/com/sun/jmx/mbeanserver/ClassLoaderRepositorySupport.java	2013-02-15 03:40:40.511587149 +0000
@@ -36,6 +36,7 @@
 
 import javax.management.ObjectName;
 import javax.management.loading.PrivateClassLoader;
+import sun.reflect.misc.ReflectUtil;
 
 /**
  * This class keeps the list of Class Loaders registered in the MBean Server.
@@ -192,6 +193,7 @@
                             final ClassLoader without,
                             final ClassLoader stop)
             throws ClassNotFoundException {
+        ReflectUtil.checkPackageAccess(className);
         final int size = list.length;
         for(int i=0; i<size; i++) {
             try {
diff -Nru openjdk.orig/jdk/src/share/classes/com/sun/jmx/mbeanserver/JmxMBeanServer.java openjdk/jdk/src/share/classes/com/sun/jmx/mbeanserver/JmxMBeanServer.java
--- openjdk.orig/jdk/src/share/classes/com/sun/jmx/mbeanserver/JmxMBeanServer.java	2011-11-14 22:11:44.000000000 +0000
+++ jdk/src/share/classes/com/sun/jmx/mbeanserver/JmxMBeanServer.java	2013-02-15 03:40:40.511587149 +0000
@@ -57,6 +57,7 @@
 import javax.management.RuntimeOperationsException;
 import javax.management.MBeanServer;
 import javax.management.MBeanServerDelegate;
+import javax.management.MBeanServerPermission;
 import javax.management.loading.ClassLoaderRepository;
 
 import static com.sun.jmx.defaults.JmxProperties.MBEANSERVER_LOGGER;
@@ -1413,6 +1414,8 @@
         // Default is true.
         final boolean fairLock = DEFAULT_FAIR_LOCK_POLICY;
 
+        checkNewMBeanServerPermission();
+
         // This constructor happens to disregard the value of the interceptors
         // flag - that is, it always uses the default value - false.
         // This is admitedly a bug, but we chose not to fix it for now
@@ -1499,4 +1502,11 @@
         }
     }
 
+    private static void checkNewMBeanServerPermission() {
+        SecurityManager sm = System.getSecurityManager();
+        if (sm != null) {
+            Permission perm = new MBeanServerPermission("newMBeanServer");
+            sm.checkPermission(perm);
+        }
+    }
 }
diff -Nru openjdk.orig/jdk/src/share/classes/com/sun/jmx/mbeanserver/MBeanInstantiator.java openjdk/jdk/src/share/classes/com/sun/jmx/mbeanserver/MBeanInstantiator.java
--- openjdk.orig/jdk/src/share/classes/com/sun/jmx/mbeanserver/MBeanInstantiator.java	2011-11-14 22:11:44.000000000 +0000
+++ jdk/src/share/classes/com/sun/jmx/mbeanserver/MBeanInstantiator.java	2013-02-15 03:40:40.511587149 +0000
@@ -32,11 +32,13 @@
 import java.io.ObjectInputStream;
 import java.lang.reflect.Constructor;
 import java.lang.reflect.InvocationTargetException;
+import java.security.Permission;
 import java.util.Map;
 import java.util.logging.Level;
 
 import javax.management.InstanceNotFoundException;
 import javax.management.MBeanException;
+import javax.management.MBeanPermission;
 import javax.management.NotCompliantMBeanException;
 import javax.management.ObjectName;
 import javax.management.OperationsException;
@@ -44,7 +46,7 @@
 import javax.management.RuntimeErrorException;
 import javax.management.RuntimeMBeanException;
 import javax.management.RuntimeOperationsException;
-
+import sun.reflect.misc.ConstructorUtil;
 import sun.reflect.misc.ReflectUtil;
 
 /**
@@ -56,7 +58,6 @@
  * @since 1.5
  */
 public class MBeanInstantiator {
-
     private final ModifiableClassLoaderRepository clr;
     //    private MetaData meta = null;
 
@@ -88,6 +89,7 @@
                              "Exception occurred during object instantiation");
         }
 
+        ReflectUtil.checkPackageAccess(className);
         try {
             if (clr == null) throw new ClassNotFoundException(className);
             theClass = clr.loadClass(className);
@@ -162,6 +164,7 @@
                     continue;
                 }
 
+                ReflectUtil.checkPackageAccess(signature[i]);
                 // Ok we do not have a primitive type ! We need to build
                 // the signature of the method
                 //
@@ -205,6 +208,9 @@
      */
     public Object instantiate(Class theClass)
         throws ReflectionException, MBeanException {
+
+        checkMBeanPermission(theClass, null, null, "instantiate");
+
         Object moi = null;
 
 
@@ -260,6 +266,9 @@
     public Object instantiate(Class theClass, Object params[],
                               String signature[], ClassLoader loader)
         throws ReflectionException, MBeanException {
+
+        checkMBeanPermission(theClass, null, null, "instantiate");
+
         // Instantiate the new object
 
         // ------------------------------
@@ -408,6 +417,8 @@
             throw new  RuntimeOperationsException(new
              IllegalArgumentException(), "Null className passed in parameter");
         }
+
+        ReflectUtil.checkPackageAccess(className);
         Class theClass = null;
         if (loaderName == null) {
             // Load the class using the agent class loader
@@ -620,13 +631,13 @@
      **/
     static Class loadClass(String className, ClassLoader loader)
         throws ReflectionException {
-
         Class theClass = null;
         if (className == null) {
             throw new RuntimeOperationsException(new
                 IllegalArgumentException("The class name cannot be null"),
                               "Exception occurred during object instantiation");
         }
+	ReflectUtil.checkPackageAccess(className);
         try {
             if (loader == null)
                 loader = MBeanInstantiator.class.getClassLoader();
@@ -677,6 +688,7 @@
                 // We need to load the class through the class
                 // loader of the target object.
                 //
+                ReflectUtil.checkPackageAccess(signature[i]);
                 tab[i] = Class.forName(signature[i], false, aLoader);
             }
         } catch (ClassNotFoundException e) {
@@ -702,7 +714,7 @@
 
     private Constructor<?> findConstructor(Class<?> c, Class<?>[] params) {
         try {
-            return c.getConstructor(params);
+            return ConstructorUtil.getConstructor(c, params);
         } catch (Exception e) {
             return null;
         }
@@ -716,4 +728,18 @@
                                        char.class, boolean.class})
             primitiveClasses.put(c.getName(), c);
     }
+
+    private static void checkMBeanPermission(Class<?> clazz,
+                                             String member,
+                                             ObjectName objectName,
+                                             String actions) {
+        SecurityManager sm = System.getSecurityManager();
+        if (clazz != null && sm != null) {
+            Permission perm = new MBeanPermission(clazz.getName(),
+                                                  member,
+                                                  objectName,
+                                                  actions);
+            sm.checkPermission(perm);
+        }
+    }
 }
diff -Nru openjdk.orig/jdk/src/share/classes/com/sun/jmx/mbeanserver/MBeanSupport.java openjdk/jdk/src/share/classes/com/sun/jmx/mbeanserver/MBeanSupport.java
--- openjdk.orig/jdk/src/share/classes/com/sun/jmx/mbeanserver/MBeanSupport.java	2011-11-14 22:11:44.000000000 +0000
+++ jdk/src/share/classes/com/sun/jmx/mbeanserver/MBeanSupport.java	2013-02-15 03:40:40.511587149 +0000
@@ -38,6 +38,7 @@
 import javax.management.NotCompliantMBeanException;
 import javax.management.ObjectName;
 import javax.management.ReflectionException;
+import sun.reflect.misc.ReflectUtil;
 
 /**
  * Base class for MBeans.  There is one instance of this class for
@@ -131,6 +132,7 @@
                 " is not an instance of " + mbeanInterface.getName();
             throw new NotCompliantMBeanException(msg);
         }
+        ReflectUtil.checkPackageAccess(mbeanInterface);
         this.resource = resource;
         MBeanIntrospector<M> introspector = getMBeanIntrospector();
         this.perInterface = introspector.getPerInterface(mbeanInterface);
diff -Nru openjdk.orig/jdk/src/share/classes/sun/management/LockDataConverter.java openjdk/jdk/src/share/classes/sun/management/LockDataConverter.java
--- openjdk.orig/jdk/src/share/classes/sun/management/LockDataConverter.java	2011-11-14 22:12:00.000000000 +0000
+++ jdk/src/share/classes/sun/management/LockDataConverter.java	2013-02-15 03:40:40.511587149 +0000
@@ -27,6 +27,8 @@
 
 import java.lang.management.LockInfo;
 import java.lang.management.ThreadInfo;
+import java.security.AccessController;
+import java.security.PrivilegedAction;
 import javax.management.Attribute;
 import javax.management.StandardMBean;
 import javax.management.openmbean.CompositeData;
@@ -40,13 +42,13 @@
     private LockInfo      lockInfo;
     private LockInfo[]    lockedSyncs;
 
-    LockDataConverter() {
+    private LockDataConverter() {
         super(LockDataConverterMXBean.class, true);
         this.lockInfo = null;
         this.lockedSyncs = null;
     }
 
-    LockDataConverter(ThreadInfo ti) {
+    private LockDataConverter(ThreadInfo ti) {
         super(LockDataConverterMXBean.class, true);
         this.lockInfo = ti.getLockInfo();
         this.lockedSyncs = ti.getLockedSynchronizers();
@@ -104,8 +106,24 @@
     }
 
     static CompositeData toLockInfoCompositeData(LockInfo l) {
-        LockDataConverter ldc = new LockDataConverter();
+        LockDataConverter ldc = newLockDataConverter();
         ldc.setLockInfo(l);
         return ldc.toLockInfoCompositeData();
     }
+
+   static LockDataConverter newLockDataConverter() {
+        return AccessController.doPrivileged(new PrivilegedAction<LockDataConverter>() {
+               public LockDataConverter run() {
+                   return new LockDataConverter();
+               }
+        });
+   }
+
+   static LockDataConverter newLockDataConverter(final ThreadInfo ti) {
+        LockDataConverter result = newLockDataConverter();
+        result.lockInfo = ti.getLockInfo();
+        result.lockedSyncs = ti.getLockedSynchronizers();
+        return result;
+   }
 }
+
diff -Nru openjdk.orig/jdk/src/share/classes/sun/management/ThreadInfoCompositeData.java openjdk/jdk/src/share/classes/sun/management/ThreadInfoCompositeData.java
--- openjdk.orig/jdk/src/share/classes/sun/management/ThreadInfoCompositeData.java	2011-11-14 22:12:01.000000000 +0000
+++ jdk/src/share/classes/sun/management/ThreadInfoCompositeData.java	2013-02-15 03:40:40.511587149 +0000
@@ -85,7 +85,7 @@
         }
 
         // Convert MonitorInfo[] and LockInfo[] to CompositeData[]
-        LockDataConverter converter = new LockDataConverter(threadInfo);
+        LockDataConverter converter = LockDataConverter.newLockDataConverter(threadInfo);
         CompositeData lockInfoData = converter.toLockInfoCompositeData();
         CompositeData[] lockedSyncsData = converter.toLockedSynchronizersCompositeData();
 
@@ -315,7 +315,7 @@
 
     // 6.0 new attributes
     public LockInfo lockInfo() {
-        LockDataConverter converter = new LockDataConverter();
+        LockDataConverter converter = LockDataConverter.newLockDataConverter();
         CompositeData lockInfoData = (CompositeData) cdata.get(LOCK_INFO);
         return converter.toLockInfo(lockInfoData);
     }
@@ -336,7 +336,7 @@
     }
 
     public LockInfo[] lockedSynchronizers() {
-        LockDataConverter converter = new LockDataConverter();
+        LockDataConverter converter = LockDataConverter.newLockDataConverter();
         CompositeData[] lockedSyncsData =
             (CompositeData[]) cdata.get(LOCKED_SYNCS);
 
diff -Nru openjdk.orig/jdk/src/share/lib/security/java.security openjdk/jdk/src/share/lib/security/java.security
--- openjdk.orig/jdk/src/share/lib/security/java.security	2013-02-15 03:39:56.922892783 +0000
+++ jdk/src/share/lib/security/java.security	2013-02-15 03:40:40.511587149 +0000
@@ -131,8 +131,7 @@
                com.sun.xml.internal.,\
                com.sun.imageio.,\
                com.sun.istack.internal.,\
-               com.sun.jmx.defaults.,\
-               com.sun.jmx.remote.util.
+               com.sun.jmx.
 
 #
 # List of comma-separated packages that start with or equal this string
@@ -148,8 +147,7 @@
                    com.sun.xml.internal.,\
                    com.sun.imageio.,\
                    com.sun.istack.internal.,\
-                   com.sun.jmx.defaults.,\
-                   com.sun.jmx.remote.util.
+                   com.sun.jmx.
 
 #
 # Determines whether this properties file can be appended to
diff -Nru openjdk.orig/jdk/src/share/lib/security/java.security-solaris openjdk/jdk/src/share/lib/security/java.security-solaris
--- openjdk.orig/jdk/src/share/lib/security/java.security-solaris	2013-02-15 03:39:56.902892466 +0000
+++ jdk/src/share/lib/security/java.security-solaris	2013-02-15 03:41:36.996489851 +0000
@@ -131,6 +131,8 @@
 package.access=sun.,\
                com.sun.xml.internal.,\
                com.sun.imageio.
+               com.sun.istack.internal.,\
+               com.sun.jmx.
 
 #
 # List of comma-separated packages that start with or equal this string
@@ -145,6 +147,8 @@
 package.definition=sun.,\
                    com.sun.xml.internal.,\
                    com.sun.imageio.
+                   com.sun.istack.internal.,\
+                   com.sun.jmx.
 
 #
 # Determines whether this properties file can be appended to
diff -Nru openjdk.orig/jdk/src/share/lib/security/java.security-windows openjdk/jdk/src/share/lib/security/java.security-windows
--- openjdk.orig/jdk/src/share/lib/security/java.security-windows	2013-02-15 03:39:56.902892466 +0000
+++ jdk/src/share/lib/security/java.security-windows	2013-02-15 03:42:05.304943135 +0000
@@ -131,6 +131,8 @@
 package.access=sun.,\
                com.sun.xml.internal.,\
                com.sun.imageio.
+               com.sun.istack.internal.,\
+               com.sun.jmx.
 
 #
 # List of comma-separated packages that start with or equal this string
@@ -145,6 +147,8 @@
 package.definition=sun.,\
                    com.sun.xml.internal.,\
                    com.sun.imageio.
+                   com.sun.istack.internal.,\
+                   com.sun.jmx.
 
 #
 # Determines whether this properties file can be appended to
diff -Nru openjdk.orig/jdk/test/javax/management/remote/mandatory/subjectDelegation/SubjectDelegation2Test.java openjdk/jdk/test/javax/management/remote/mandatory/subjectDelegation/SubjectDelegation2Test.java
--- openjdk.orig/jdk/test/javax/management/remote/mandatory/subjectDelegation/SubjectDelegation2Test.java	2011-11-14 22:12:28.000000000 +0000
+++ jdk/test/javax/management/remote/mandatory/subjectDelegation/SubjectDelegation2Test.java	2013-02-15 03:40:40.511587149 +0000
@@ -119,9 +119,6 @@
             System.out.println("Create SimpleStandard MBean");
             SimpleStandard s = new SimpleStandard("monitorRole");
             mbs.registerMBean(s, new ObjectName("MBeans:type=SimpleStandard"));
-            // Set Security Manager
-            //
-            System.setSecurityManager(new SecurityManager());
             // Create Properties containing the username/password entries
             //
             Properties props = new Properties();
@@ -132,6 +129,9 @@
             HashMap env = new HashMap();
             env.put("jmx.remote.authenticator",
                     new JMXPluggableAuthenticator(props));
+            // Set Security Manager
+            //
+            System.setSecurityManager(new SecurityManager());
             // Create an RMI connector server
             //
             System.out.println("Create an RMI connector server");
diff -Nru openjdk.orig/jdk/test/javax/management/remote/mandatory/subjectDelegation/SubjectDelegation3Test.java openjdk/jdk/test/javax/management/remote/mandatory/subjectDelegation/SubjectDelegation3Test.java
--- openjdk.orig/jdk/test/javax/management/remote/mandatory/subjectDelegation/SubjectDelegation3Test.java	2011-11-14 22:12:28.000000000 +0000
+++ jdk/test/javax/management/remote/mandatory/subjectDelegation/SubjectDelegation3Test.java	2013-02-15 03:40:40.511587149 +0000
@@ -120,9 +120,6 @@
             System.out.println("Create SimpleStandard MBean");
             SimpleStandard s = new SimpleStandard("delegate");
             mbs.registerMBean(s, new ObjectName("MBeans:type=SimpleStandard"));
-            // Set Security Manager
-            //
-            System.setSecurityManager(new SecurityManager());
             // Create Properties containing the username/password entries
             //
             Properties props = new Properties();
@@ -133,6 +130,9 @@
             HashMap env = new HashMap();
             env.put("jmx.remote.authenticator",
                     new JMXPluggableAuthenticator(props));
+            // Set Security Manager
+            //
+            System.setSecurityManager(new SecurityManager());
             // Create an RMI connector server
             //
             System.out.println("Create an RMI connector server");