commons-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Bartosz Baranowski <baran...@gmail.com>
Subject getClassLoader vs AccessController
Date Mon, 28 Dec 2009 10:56:57 GMT
Hi All
Im banging against security issue with commons. Ive looked through src which
seems to have contadicting jdoc entry for LogFactory.getClassLoader().
Is there any estimation on adding proper access control to commons? In light
of jdoc comment it seems there is none?

Thing is that commons will not initialize even when jar(commons) has
"AllPermissions" - since if at some point in call stack code passes
unpriviledged domain, permissions will be restricted to that domains set.
It restricts initialization to be done in special blocks, a bit akward I
must say.

Failure could look as follows:
java.lang.ExceptionInInitializerError
        at
org.jboss.cache.commands.CommandsFactoryImpl.buildRemoveNodeCommand(CommandsFactoryImpl.java:271)
        at
org.jboss.cache.invocation.CacheInvocationDelegate.removeNode(CacheInvocationDelegate.java:477)
        at
org.jboss.cache.invocation.NodeInvocationDelegate.removeChild(NodeInvocationDelegate.java:355)
        at
org.mobicents.slee.runtime.facilities.ActivityContextNamingFacilityCacheData.unbindName(ActivityContextNamingFacilityCacheData.java:75)
        at
org.mobicents.slee.runtime.facilities.ActivityContextNamingFacilityImpl.unbind(ActivityContextNamingFacilityImpl.java:122)
        at
org.mobicents.tests.SecTestSbb.testNamingFacility(SecTestSbb.java:182)
        at
org.mobicents.tests.SecTestSbb.onServiceStartedEvent(SecTestSbb.java:106)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
        at java.lang.reflect.Method.invoke(Unknown Source)
        at
org.mobicents.slee.runtime.sbbentity.SbbEntity$1.run(SbbEntity.java:664)
        at java.security.AccessController.doPrivileged(Native Method)
        at
org.mobicents.slee.runtime.sbbentity.SbbEntity.invokeEventHandler(SbbEntity.java:662)
        at
org.mobicents.slee.runtime.eventrouter.routingtask.EventRoutingTask.routeQueuedEvent(EventRoutingTask.java:351)
        at
org.mobicents.slee.runtime.eventrouter.routingtask.EventRoutingTask.access$000(EventRoutingTask.java:33)
        at
org.mobicents.slee.runtime.eventrouter.routingtask.EventRoutingTask$1.run(EventRoutingTask.java:106)
        at java.security.AccessController.doPrivileged(Native Method)
        at
org.mobicents.slee.runtime.eventrouter.routingtask.EventRoutingTask.run(EventRoutingTask.java:103)
        at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(Unknown
Source)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown
Source)
        at java.lang.Thread.run(Unknown Source)
Caused by: org.apache.commons.logging.LogConfigurationException:
java.security.AccessControlException: access denied
(java.lang.RuntimePermission getClassLoader) (Caused by
java.security.AccessControl
Exception: access denied (java.lang.RuntimePermission getClassLoader))
        at
org.apache.commons.logging.impl.LogFactoryImpl.newInstance(LogFactoryImpl.java:637)
        at
org.apache.commons.logging.impl.LogFactoryImpl.getInstance(LogFactoryImpl.java:336)
        at
org.apache.commons.logging.impl.LogFactoryImpl.getInstance(LogFactoryImpl.java:310)
        at org.apache.commons.logging.LogFactory.getLog(LogFactory.java:685)
        at
org.jboss.cache.commands.write.RemoveNodeCommand.<clinit>(RemoveNodeCommand.java:45)
        ... 22 more
Caused by: java.security.AccessControlException: access denied
(java.lang.RuntimePermission getClassLoader)
        at java.security.AccessControlContext.checkPermission(Unknown
Source)
        at java.security.AccessController.checkPermission(Unknown Source)
        at java.lang.SecurityManager.checkPermission(Unknown Source)
        at java.lang.ClassLoader.getParent(Unknown Source)
        at
org.apache.commons.logging.impl.LogFactoryImpl.getLowestClassLoader(LogFactoryImpl.java:1327)
        at
org.apache.commons.logging.impl.LogFactoryImpl.getBaseClassLoader(LogFactoryImpl.java:1247)
        at
org.apache.commons.logging.impl.LogFactoryImpl.createLogFromClass(LogFactoryImpl.java:1048)
        at
org.apache.commons.logging.impl.LogFactoryImpl.discoverLogImplementation(LogFactoryImpl.java:858)
        at
org.apache.commons.logging.impl.LogFactoryImpl.newInstance(LogFactoryImpl.java:604)
        ... 26 more

Where all classes except "org.mobicents.tests.SecTestSbb" have
"AllPermissions"

Fix seems easy and if it is desired I can gladly contribute.
-- 
Bartosz Baranowski
JBoss R & D
==================================
Word of criticism meant to improve is always step forward.

Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message