From: Bartosz Baranowski
To: Commons Developers List
Subject: Re: [logging] Re: getClassLoader vs AccessController
Date: Tue, 29 Dec 2009 14:12:15 +0100

Hi Dennis

Please see inline

On Tue, Dec 29, 2009 at 11:22 AM, Dennis Lundberg wrote:

> First I just want to make sure that you are using version 1.1.1 of
> commons-logging.

Tested against 1.1.0 and 1.1.1

> If that is the case then please file an issue in JIRA at
> http://issues.apache.org/jira/browse/LOGGING

Ok, I will. Just wanted to get an indication if it's a valid issue - jdoc comments indicated it may not be. Thanks.

> If you have a test project that can be used to verify the issue, then
> that is even better. Attach that project to JIRA, if you have one.

Project is quite big. It requires jboss+mobicents, but I can try to submit something smaller that can be run to test.

> Phil Steitz wrote:
> > Since this list is shared by all commons components, we follow the
> > convention of prefixing the subject line of each post with the
> > component that the post refers to. You will get answers to
> > questions faster that way. Thanks!
> >
> > Phil
> >
> > Bartosz Baranowski wrote:
> >> Hi All
> >> I'm banging against a security issue with commons. I've looked through src, which
> >> seems to have a contradicting jdoc entry for LogFactory.getClassLoader().
> >> Is there any estimation on adding proper access control to commons? In light
> >> of the jdoc comment it seems there is none?
> >>
> >> Thing is that commons will not initialize even when jar(commons) has
> >> "AllPermissions" - since if at some point in the call stack code passes an
> >> unprivileged domain, permissions will be restricted to that domain's set.
> >> It restricts initialization to be done in special blocks, a bit awkward I
> >> must say.
> >>
> >> Failure could look as follows:
> >> java.lang.ExceptionInInitializerError
> >>     at org.jboss.cache.commands.CommandsFactoryImpl.buildRemoveNodeCommand(CommandsFactoryImpl.java:271)
> >>     at org.jboss.cache.invocation.CacheInvocationDelegate.removeNode(CacheInvocationDelegate.java:477)
> >>     at org.jboss.cache.invocation.NodeInvocationDelegate.removeChild(NodeInvocationDelegate.java:355)
> >>     at org.mobicents.slee.runtime.facilities.ActivityContextNamingFacilityCacheData.unbindName(ActivityContextNamingFacilityCacheData.java:75)
> >>     at org.mobicents.slee.runtime.facilities.ActivityContextNamingFacilityImpl.unbind(ActivityContextNamingFacilityImpl.java:122)
> >>     at org.mobicents.tests.SecTestSbb.testNamingFacility(SecTestSbb.java:182)
> >>     at org.mobicents.tests.SecTestSbb.onServiceStartedEvent(SecTestSbb.java:106)
> >>     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> >>     at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
> >>     at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
> >>     at java.lang.reflect.Method.invoke(Unknown Source)
> >>     at org.mobicents.slee.runtime.sbbentity.SbbEntity$1.run(SbbEntity.java:664)
> >>     at java.security.AccessController.doPrivileged(Native Method)
> >>     at org.mobicents.slee.runtime.sbbentity.SbbEntity.invokeEventHandler(SbbEntity.java:662)
> >>     at org.mobicents.slee.runtime.eventrouter.routingtask.EventRoutingTask.routeQueuedEvent(EventRoutingTask.java:351)
> >>     at org.mobicents.slee.runtime.eventrouter.routingtask.EventRoutingTask.access$000(EventRoutingTask.java:33)
> >>     at org.mobicents.slee.runtime.eventrouter.routingtask.EventRoutingTask$1.run(EventRoutingTask.java:106)
> >>     at java.security.AccessController.doPrivileged(Native Method)
> >>     at org.mobicents.slee.runtime.eventrouter.routingtask.EventRoutingTask.run(EventRoutingTask.java:103)
> >>     at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(Unknown Source)
> >>     at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
> >>     at java.lang.Thread.run(Unknown Source)
> >> Caused by: org.apache.commons.logging.LogConfigurationException: java.security.AccessControlException: access denied (java.lang.RuntimePermission getClassLoader) (Caused by java.security.AccessControlException: access denied (java.lang.RuntimePermission getClassLoader))
> >>     at org.apache.commons.logging.impl.LogFactoryImpl.newInstance(LogFactoryImpl.java:637)
> >>     at org.apache.commons.logging.impl.LogFactoryImpl.getInstance(LogFactoryImpl.java:336)
> >>     at org.apache.commons.logging.impl.LogFactoryImpl.getInstance(LogFactoryImpl.java:310)
> >>     at org.apache.commons.logging.LogFactory.getLog(LogFactory.java:685)
> >>     at org.jboss.cache.commands.write.RemoveNodeCommand.(RemoveNodeCommand.java:45)
> >>     ... 22 more
> >> Caused by: java.security.AccessControlException: access denied (java.lang.RuntimePermission getClassLoader)
> >>     at java.security.AccessControlContext.checkPermission(Unknown Source)
> >>     at java.security.AccessController.checkPermission(Unknown Source)
> >>     at java.lang.SecurityManager.checkPermission(Unknown Source)
> >>     at java.lang.ClassLoader.getParent(Unknown Source)
> >>     at org.apache.commons.logging.impl.LogFactoryImpl.getLowestClassLoader(LogFactoryImpl.java:1327)
> >>     at org.apache.commons.logging.impl.LogFactoryImpl.getBaseClassLoader(LogFactoryImpl.java:1247)
> >>     at org.apache.commons.logging.impl.LogFactoryImpl.createLogFromClass(LogFactoryImpl.java:1048)
> >>     at org.apache.commons.logging.impl.LogFactoryImpl.discoverLogImplementation(LogFactoryImpl.java:858)
> >>     at org.apache.commons.logging.impl.LogFactoryImpl.newInstance(LogFactoryImpl.java:604)
> >>     ... 26 more
> >>
> >> Where all classes except "org.mobicents.tests.SecTestSbb" have
> >> "AllPermissions"
> >>
> >> Fix seems easy and if it is desired I can gladly contribute.
>
> --
> Dennis Lundberg

--
Bartosz Baranowski
JBoss R & D
==================================
Word of criticism meant to improve is always a step forward.
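
The failure in the trace above comes from `ClassLoader.getParent()` being checked against every protection domain on the stack, including the unprivileged `SecTestSbb` frames. The following is an added example, not part of the original message and not commons-logging code: a hypothetical helper class (`PrivilegedClassLoaders` and its method names are assumptions) that runs class-loader lookups inside `AccessController.doPrivileged` under the Java SecurityManager model discussed in this thread, so the check stops at the library's own domain.

```java
import java.security.AccessController;
import java.security.PrivilegedAction;

/**
 * Hypothetical helper, not commons-logging code. Each class-loader lookup runs
 * inside doPrivileged, so the permission check stops at this class's protection
 * domain instead of continuing to less-privileged callers further up the stack.
 */
final class PrivilegedClassLoaders {

    private PrivilegedClassLoaders() {}

    // Package-private on purpose: a public method would hand class loaders to
    // any caller and defeat RuntimePermission("getClassLoader").
    static ClassLoader parentOf(final ClassLoader loader) {
        return AccessController.doPrivileged(new PrivilegedAction<ClassLoader>() {
            public ClassLoader run() {
                return loader.getParent(); // the call that was denied in the trace
            }
        });
    }

    static ClassLoader contextClassLoader() {
        return AccessController.doPrivileged(new PrivilegedAction<ClassLoader>() {
            public ClassLoader run() {
                return Thread.currentThread().getContextClassLoader();
            }
        });
    }

    /** True if 'ancestor' is 'loader' or one of its parents; null means bootstrap. */
    static boolean isAncestor(ClassLoader ancestor, ClassLoader loader) {
        for (ClassLoader c = loader; c != null; c = parentOf(c)) {
            if (c == ancestor) {
                return true;
            }
        }
        return ancestor == null; // the bootstrap loader is everyone's ancestor
    }

    /** Returns the loader lower in the delegation chain, or null if unrelated. */
    static ClassLoader lowest(ClassLoader a, ClassLoader b) {
        if (a == null) return b;
        if (b == null) return a;
        if (isAncestor(a, b)) return b;
        if (isAncestor(b, a)) return a;
        return null;
    }
}
```

The privileged blocks only take effect if the jar holding this class is itself granted `getClassLoader` (or `AllPermission`) in the policy, and the returned loaders should not be passed back to untrusted callers.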