activemq-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Jeff Mesnil (JIRA)" <j...@apache.org>
Subject [jira] [Created] (ARTEMIS-294) Make ServiceUtils loads its services within doPrivileged block
Date Wed, 04 Nov 2015 10:26:27 GMT
Jeff Mesnil created ARTEMIS-294:
-----------------------------------

             Summary: Make ServiceUtils loads its services within doPrivileged block
                 Key: ARTEMIS-294
                 URL: https://issues.apache.org/jira/browse/ARTEMIS-294
             Project: ActiveMQ Artemis
          Issue Type: Bug
          Components: Broker
    Affects Versions: 1.1.0
            Reporter: Jeff Mesnil


We have tests that fails when the JVM is running a Security Manager.

{noformat}
1) IJ000604: Throwable while attempting to get a new connection: null: java.security.AccessControlException:
WFSM000001: Permission check failed (permission "("java.io.FilePermission" "/opt/buildAgent/work/6da23a4ee9951677/dist/target/wildfly-10.0.0.CR5-SNAPSHOT/modules/system/layers/base/org/wildfly/extension/messaging-activemq/main/wildfly-messaging-activemq-10.0.0.CR5-SNAPSHOT.jar"
"read")" in code source "(vfs:/content/DefaultJMSConnectionFactoryTest.jar <no signer certificates>)"
of "null")
    at org.wildfly.security.manager.WildFlySecurityManager.checkPermission(WildFlySecurityManager.java:273)
    at org.wildfly.security.manager.WildFlySecurityManager.checkPermission(WildFlySecurityManager.java:175)
    at java.lang.SecurityManager.checkRead(SecurityManager.java:888)
    at org.wildfly.security.manager.WildFlySecurityManager.checkRead(WildFlySecurityManager.java:377)
    at java.util.zip.ZipFile.<init>(ZipFile.java:210)
    at java.util.zip.ZipFile.<init>(ZipFile.java:149)
    at java.util.jar.JarFile.<init>(JarFile.java:166)
    at java.util.jar.JarFile.<init>(JarFile.java:103)
    at sun.net.www.protocol.jar.URLJarFile.<init>(URLJarFile.java:93)
    at sun.net.www.protocol.jar.URLJarFile.getJarFile(URLJarFile.java:69)
    at sun.net.www.protocol.jar.JarFileFactory.get(JarFileFactory.java:99)
    at sun.net.www.protocol.jar.JarURLConnection.connect(JarURLConnection.java:122)
    at sun.net.www.protocol.jar.JarURLConnection.getInputStream(JarURLConnection.java:150)
    at java.net.URL.openStream(URL.java:1038)
    at java.util.ServiceLoader.parse(ServiceLoader.java:304)
    at java.util.ServiceLoader.access$200(ServiceLoader.java:185)
    at java.util.ServiceLoader$LazyIterator.hasNextService(ServiceLoader.java:357)
    at java.util.ServiceLoader$LazyIterator.access$600(ServiceLoader.java:323)
    at java.util.ServiceLoader$LazyIterator$1.run(ServiceLoader.java:396)
    at java.util.ServiceLoader$LazyIterator$1.run(ServiceLoader.java:395)
    at java.security.AccessController.doPrivileged(Native Method)
    at java.util.ServiceLoader$LazyIterator.hasNext(ServiceLoader.java:398)
    at java.util.ServiceLoader$1.hasNext(ServiceLoader.java:474)
    at org.apache.activemq.artemis.service.extensions.ServiceUtils.setActiveMQXAResourceWrapperFactory(ServiceUtils.java:72)
    at org.apache.activemq.artemis.service.extensions.ServiceUtils.getActiveMQXAResourceWrapperFactory(ServiceUtils.java:40)
    at org.apache.activemq.artemis.service.extensions.ServiceUtils.wrapXAResource(ServiceUtils.java:46)
    at org.apache.activemq.artemis.ra.ActiveMQRAManagedConnection.getXAResource(ActiveMQRAManagedConnection.java:480)
    at org.jboss.jca.core.connectionmanager.tx.TxConnectionManagerImpl.createConnectionListener(TxConnectionManagerImpl.java:715)
    at org.jboss.jca.core.connectionmanager.pool.mcp.SemaphoreConcurrentLinkedDequeManagedConnectionPool.createConnectionEventListener(SemaphoreConcurrentLinkedDequeManagedConnectionPool.java:1345)
    at org.jboss.jca.core.connectionmanager.pool.mcp.SemaphoreConcurrentLinkedDequeManagedConnectionPool.getConnection(SemaphoreConcurrentLinkedDequeManagedConnectionPool.java:501)
    at org.jboss.jca.core.connectionmanager.pool.AbstractPool.getTransactionNewConnection(AbstractPool.java:717)
    at org.jboss.jca.core.connectionmanager.pool.AbstractPool.getConnection(AbstractPool.java:614)
    at org.jboss.jca.core.connectionmanager.AbstractConnectionManager.getManagedConnection(AbstractConnectionManager.java:603)
    at org.jboss.jca.core.connectionmanager.tx.TxConnectionManagerImpl.getManagedConnection(TxConnectionManagerImpl.java:430)
    at org.jboss.jca.core.connectionmanager.AbstractConnectionManager.allocateConnection(AbstractConnectionManager.java:761)
    at org.apache.activemq.artemis.ra.ActiveMQRASessionFactoryImpl.allocateConnection(ActiveMQRASessionFactoryImpl.java:853)
    at org.apache.activemq.artemis.ra.ActiveMQRASessionFactoryImpl.createSession(ActiveMQRASessionFactoryImpl.java:520)
   ...
{noformat}

After debugging, the issue is in the RA's ServiceUtils that loads its services outside a AccessController.doPriviledged
block. Depending on who's requesting the RA's managed connection, it may not have the required
permissions to load the services.

In addition, the ServiceUtils loads its services using the TCCL and caches its activeMQXAResourceWrapperFactory
instance.
Depending on who's requesting a managed connection, the TCCL might differ. It'd be better
to use the ServiceUtils's own class loader instead.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Mime
View raw message