commons-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Phil Steitz <phil.ste...@gmail.com>
Subject [logging] Re: getClassLoader vs AccessController
Date Tue, 29 Dec 2009 00:03:43 GMT
Since this list is shared by all commons components, we follow the
convention of prefixing the subject line of each post with the
component that the post refers to.  You will get answers to
questions faster that way.  Thanks!

Phil

Bartosz Baranowski wrote:
> Hi All
> Im banging against security issue with commons. Ive looked through src which
> seems to have contadicting jdoc entry for LogFactory.getClassLoader().
> Is there any estimation on adding proper access control to commons? In light
> of jdoc comment it seems there is none?
> 
> Thing is that commons will not initialize even when jar(commons) has
> "AllPermissions" - since if at some point in call stack code passes
> unpriviledged domain, permissions will be restricted to that domains set.
> It restricts initialization to be done in special blocks, a bit akward I
> must say.
> 
> Failure could look as follows:
> java.lang.ExceptionInInitializerError
>         at
> org.jboss.cache.commands.CommandsFactoryImpl.buildRemoveNodeCommand(CommandsFactoryImpl.java:271)
>         at
> org.jboss.cache.invocation.CacheInvocationDelegate.removeNode(CacheInvocationDelegate.java:477)
>         at
> org.jboss.cache.invocation.NodeInvocationDelegate.removeChild(NodeInvocationDelegate.java:355)
>         at
> org.mobicents.slee.runtime.facilities.ActivityContextNamingFacilityCacheData.unbindName(ActivityContextNamingFacilityCacheData.java:75)
>         at
> org.mobicents.slee.runtime.facilities.ActivityContextNamingFacilityImpl.unbind(ActivityContextNamingFacilityImpl.java:122)
>         at
> org.mobicents.tests.SecTestSbb.testNamingFacility(SecTestSbb.java:182)
>         at
> org.mobicents.tests.SecTestSbb.onServiceStartedEvent(SecTestSbb.java:106)
>         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>         at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
>         at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
>         at java.lang.reflect.Method.invoke(Unknown Source)
>         at
> org.mobicents.slee.runtime.sbbentity.SbbEntity$1.run(SbbEntity.java:664)
>         at java.security.AccessController.doPrivileged(Native Method)
>         at
> org.mobicents.slee.runtime.sbbentity.SbbEntity.invokeEventHandler(SbbEntity.java:662)
>         at
> org.mobicents.slee.runtime.eventrouter.routingtask.EventRoutingTask.routeQueuedEvent(EventRoutingTask.java:351)
>         at
> org.mobicents.slee.runtime.eventrouter.routingtask.EventRoutingTask.access$000(EventRoutingTask.java:33)
>         at
> org.mobicents.slee.runtime.eventrouter.routingtask.EventRoutingTask$1.run(EventRoutingTask.java:106)
>         at java.security.AccessController.doPrivileged(Native Method)
>         at
> org.mobicents.slee.runtime.eventrouter.routingtask.EventRoutingTask.run(EventRoutingTask.java:103)
>         at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(Unknown
> Source)
>         at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown
> Source)
>         at java.lang.Thread.run(Unknown Source)
> Caused by: org.apache.commons.logging.LogConfigurationException:
> java.security.AccessControlException: access denied
> (java.lang.RuntimePermission getClassLoader) (Caused by
> java.security.AccessControl
> Exception: access denied (java.lang.RuntimePermission getClassLoader))
>         at
> org.apache.commons.logging.impl.LogFactoryImpl.newInstance(LogFactoryImpl.java:637)
>         at
> org.apache.commons.logging.impl.LogFactoryImpl.getInstance(LogFactoryImpl.java:336)
>         at
> org.apache.commons.logging.impl.LogFactoryImpl.getInstance(LogFactoryImpl.java:310)
>         at org.apache.commons.logging.LogFactory.getLog(LogFactory.java:685)
>         at
> org.jboss.cache.commands.write.RemoveNodeCommand.<clinit>(RemoveNodeCommand.java:45)
>         ... 22 more
> Caused by: java.security.AccessControlException: access denied
> (java.lang.RuntimePermission getClassLoader)
>         at java.security.AccessControlContext.checkPermission(Unknown
> Source)
>         at java.security.AccessController.checkPermission(Unknown Source)
>         at java.lang.SecurityManager.checkPermission(Unknown Source)
>         at java.lang.ClassLoader.getParent(Unknown Source)
>         at
> org.apache.commons.logging.impl.LogFactoryImpl.getLowestClassLoader(LogFactoryImpl.java:1327)
>         at
> org.apache.commons.logging.impl.LogFactoryImpl.getBaseClassLoader(LogFactoryImpl.java:1247)
>         at
> org.apache.commons.logging.impl.LogFactoryImpl.createLogFromClass(LogFactoryImpl.java:1048)
>         at
> org.apache.commons.logging.impl.LogFactoryImpl.discoverLogImplementation(LogFactoryImpl.java:858)
>         at
> org.apache.commons.logging.impl.LogFactoryImpl.newInstance(LogFactoryImpl.java:604)
>         ... 26 more
> 
> Where all classes except "org.mobicents.tests.SecTestSbb" have
> "AllPermissions"
> 
> Fix seems easy and if it is desired I can gladly contribute.


---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@commons.apache.org
For additional commands, e-mail: dev-help@commons.apache.org


Mime
View raw message