commons-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Bartosz Baranowski <baran...@gmail.com>
Subject Re: [logging] Re: getClassLoader vs AccessController
Date Tue, 29 Dec 2009 13:12:15 GMT
Hi Dennis
Please see inline

On Tue, Dec 29, 2009 at 11:22 AM, Dennis Lundberg <dennisl@apache.org>wrote:

> First I just want to make sure that you are using version 1.1.1 of
> commons-logging.
>
> Tested against 1.1.0 and 1.1.1

If that is the case the please file an issue in JIRA at
> http://issues.apache.org/jira/browse/LOGGING
>
Ok, I will. Just wanted to get indication if its valid issue - jdoc comments
indicated it may not be.
Thanks.

> If you have a test project that can be used to verify the issue, then
> that is even better. Attach that project to JIRA, if you have one.
>
> Project is quite big. It requiers jboss+mobicents, but I can try to submit
something smaller that can be run to test.

> Phil Steitz wrote:
> > Since this list is shared by all commons components, we follow the
> > convention of prefixing the subject line of each post with the
> > component that the post refers to.  You will get answers to
> > questions faster that way.  Thanks!
> >
> > Phil
> >
> > Bartosz Baranowski wrote:
> >> Hi All
> >> Im banging against security issue with commons. Ive looked through src
> which
> >> seems to have contadicting jdoc entry for LogFactory.getClassLoader().
> >> Is there any estimation on adding proper access control to commons? In
> light
> >> of jdoc comment it seems there is none?
> >>
> >> Thing is that commons will not initialize even when jar(commons) has
> >> "AllPermissions" - since if at some point in call stack code passes
> >> unpriviledged domain, permissions will be restricted to that domains
> set.
> >> It restricts initialization to be done in special blocks, a bit akward I
> >> must say.
> >>
> >> Failure could look as follows:
> >> java.lang.ExceptionInInitializerError
> >>         at
> >>
> org.jboss.cache.commands.CommandsFactoryImpl.buildRemoveNodeCommand(CommandsFactoryImpl.java:271)
> >>         at
> >>
> org.jboss.cache.invocation.CacheInvocationDelegate.removeNode(CacheInvocationDelegate.java:477)
> >>         at
> >>
> org.jboss.cache.invocation.NodeInvocationDelegate.removeChild(NodeInvocationDelegate.java:355)
> >>         at
> >>
> org.mobicents.slee.runtime.facilities.ActivityContextNamingFacilityCacheData.unbindName(ActivityContextNamingFacilityCacheData.java:75)
> >>         at
> >>
> org.mobicents.slee.runtime.facilities.ActivityContextNamingFacilityImpl.unbind(ActivityContextNamingFacilityImpl.java:122)
> >>         at
> >> org.mobicents.tests.SecTestSbb.testNamingFacility(SecTestSbb.java:182)
> >>         at
> >>
> org.mobicents.tests.SecTestSbb.onServiceStartedEvent(SecTestSbb.java:106)
> >>         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> >>         at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
> >>         at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown
> Source)
> >>         at java.lang.reflect.Method.invoke(Unknown Source)
> >>         at
> >> org.mobicents.slee.runtime.sbbentity.SbbEntity$1.run(SbbEntity.java:664)
> >>         at java.security.AccessController.doPrivileged(Native Method)
> >>         at
> >>
> org.mobicents.slee.runtime.sbbentity.SbbEntity.invokeEventHandler(SbbEntity.java:662)
> >>         at
> >>
> org.mobicents.slee.runtime.eventrouter.routingtask.EventRoutingTask.routeQueuedEvent(EventRoutingTask.java:351)
> >>         at
> >>
> org.mobicents.slee.runtime.eventrouter.routingtask.EventRoutingTask.access$000(EventRoutingTask.java:33)
> >>         at
> >>
> org.mobicents.slee.runtime.eventrouter.routingtask.EventRoutingTask$1.run(EventRoutingTask.java:106)
> >>         at java.security.AccessController.doPrivileged(Native Method)
> >>         at
> >>
> org.mobicents.slee.runtime.eventrouter.routingtask.EventRoutingTask.run(EventRoutingTask.java:103)
> >>         at
> java.util.concurrent.ThreadPoolExecutor$Worker.runTask(Unknown
> >> Source)
> >>         at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown
> >> Source)
> >>         at java.lang.Thread.run(Unknown Source)
> >> Caused by: org.apache.commons.logging.LogConfigurationException:
> >> java.security.AccessControlException: access denied
> >> (java.lang.RuntimePermission getClassLoader) (Caused by
> >> java.security.AccessControl
> >> Exception: access denied (java.lang.RuntimePermission getClassLoader))
> >>         at
> >>
> org.apache.commons.logging.impl.LogFactoryImpl.newInstance(LogFactoryImpl.java:637)
> >>         at
> >>
> org.apache.commons.logging.impl.LogFactoryImpl.getInstance(LogFactoryImpl.java:336)
> >>         at
> >>
> org.apache.commons.logging.impl.LogFactoryImpl.getInstance(LogFactoryImpl.java:310)
> >>         at
> org.apache.commons.logging.LogFactory.getLog(LogFactory.java:685)
> >>         at
> >>
> org.jboss.cache.commands.write.RemoveNodeCommand.<clinit>(RemoveNodeCommand.java:45)
> >>         ... 22 more
> >> Caused by: java.security.AccessControlException: access denied
> >> (java.lang.RuntimePermission getClassLoader)
> >>         at java.security.AccessControlContext.checkPermission(Unknown
> >> Source)
> >>         at java.security.AccessController.checkPermission(Unknown
> Source)
> >>         at java.lang.SecurityManager.checkPermission(Unknown Source)
> >>         at java.lang.ClassLoader.getParent(Unknown Source)
> >>         at
> >>
> org.apache.commons.logging.impl.LogFactoryImpl.getLowestClassLoader(LogFactoryImpl.java:1327)
> >>         at
> >>
> org.apache.commons.logging.impl.LogFactoryImpl.getBaseClassLoader(LogFactoryImpl.java:1247)
> >>         at
> >>
> org.apache.commons.logging.impl.LogFactoryImpl.createLogFromClass(LogFactoryImpl.java:1048)
> >>         at
> >>
> org.apache.commons.logging.impl.LogFactoryImpl.discoverLogImplementation(LogFactoryImpl.java:858)
> >>         at
> >>
> org.apache.commons.logging.impl.LogFactoryImpl.newInstance(LogFactoryImpl.java:604)
> >>         ... 26 more
> >>
> >> Where all classes except "org.mobicents.tests.SecTestSbb" have
> >> "AllPermissions"
> >>
> >> Fix seems easy and if it is desired I can gladly contribute.
> >
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: dev-unsubscribe@commons.apache.org
> > For additional commands, e-mail: dev-help@commons.apache.org
> >
> >
>
>
> --
> Dennis Lundberg
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscribe@commons.apache.org
> For additional commands, e-mail: dev-help@commons.apache.org
>
>


-- 
Bartosz Baranowski
JBoss R & D
==================================
Word of criticism meant to improve is always step forward.

Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message