db-derby-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From kahat...@apache.org
Subject svn commit: r1582655 - in /db/derby/code/trunk/java: engine/org/apache/derby/impl/io/ testing/org/apache/derbyTesting/functionTests/tests/lang/
Date Fri, 28 Mar 2014 09:44:38 GMT
Author: kahatlen
Date: Fri Mar 28 09:44:37 2014
New Revision: 1582655

URL: http://svn.apache.org/r1582655
Log:
DERBY-5615: Permission problems with classpath subsubprotocol

Wrap CPFile's privileged operations in doPrivileged() so that
classpath databases can be accessed with a security manager.

Make more of the test cases in DatabaseClassLoadingTest and
NativeAuthenticationServiceTest run with a security manager.

Modified:
    db/derby/code/trunk/java/engine/org/apache/derby/impl/io/CPFile.java
    db/derby/code/trunk/java/testing/org/apache/derbyTesting/functionTests/tests/lang/DatabaseClassLoadingTest.java
    db/derby/code/trunk/java/testing/org/apache/derbyTesting/functionTests/tests/lang/NativeAuthenticationServiceTest.java

Modified: db/derby/code/trunk/java/engine/org/apache/derby/impl/io/CPFile.java
URL: http://svn.apache.org/viewvc/db/derby/code/trunk/java/engine/org/apache/derby/impl/io/CPFile.java?rev=1582655&r1=1582654&r2=1582655&view=diff
==============================================================================
--- db/derby/code/trunk/java/engine/org/apache/derby/impl/io/CPFile.java (original)
+++ db/derby/code/trunk/java/engine/org/apache/derby/impl/io/CPFile.java Fri Mar 28 09:44:37
2014
@@ -26,7 +26,12 @@ import org.apache.derby.io.StorageFile;
 import java.io.InputStream;
 
 import java.io.FileNotFoundException;
+import java.io.IOException;
 import java.net.URL;
+import java.security.AccessController;
+import java.security.PrivilegedAction;
+import java.security.PrivilegedActionException;
+import java.security.PrivilegedExceptionAction;
 
 /**
  * This class provides a class path based implementation of the StorageFile interface. It
is used by the
@@ -90,30 +95,22 @@ class CPFile extends InputStreamFile
      */
     public InputStream getInputStream( ) throws FileNotFoundException
     {
-    	//System.out.println("HERE FOR " + toString());
-    	InputStream is = null;
-    	ClassLoader cl = Thread.currentThread().getContextClassLoader();
-    	if (cl != null)
-    		is = cl.getResourceAsStream(path);
-    	
-       	// don't assume the context class loader is tied
-    	// into the class loader that loaded this class.
-    	if (is == null)
-    	{
-    		cl = getClass().getClassLoader();
-    		// Javadoc indicates implementations can use
-    		// null as a return from Class.getClassLoader()
-    		// to indicate the system/bootstrap classloader.
-    		if (cl != null)
-    			is = cl.getResourceAsStream(path);
-    		else
-    			is = ClassLoader.getSystemResourceAsStream(path);
-    	}
-    	
-    	if (is == null)
-    		throw new FileNotFoundException(toString());
-    	return is;
-    	
+        URL url = getURL();
+
+        if (url == null) {
+            throw new FileNotFoundException(toString());
+        }
+
+        try {
+            return openStream(url);
+        } catch (FileNotFoundException fnf) {
+            throw fnf;
+        } catch (IOException ioe) {
+            FileNotFoundException fnf = new FileNotFoundException(toString());
+            fnf.initCause(ioe);
+            throw fnf;
+        }
+
     } // end of getInputStream
     
 	/**
@@ -123,10 +120,10 @@ class CPFile extends InputStreamFile
      */
     public URL getURL() {
 
-        ClassLoader cl = Thread.currentThread().getContextClassLoader();
+        ClassLoader cl = getContextClassLoader(Thread.currentThread());
         URL myURL;
         if (cl != null) {
-            myURL = cl.getResource(path);
+            myURL = getResource(cl, path);
             if (myURL != null)
                 return myURL;
         }
@@ -138,9 +135,51 @@ class CPFile extends InputStreamFile
         // null as a return from Class.getClassLoader()
         // to indicate the system/bootstrap classloader.
         if (cl != null) {
-            return cl.getResource(path);
+            return getResource(cl, path);
         } else {
-            return ClassLoader.getSystemResource(path);
+            return getSystemResource(path);
+        }
+    }
+
+    /** Privileged wrapper for {@code Thread.getContextClassLoader()}. */
+    private static ClassLoader getContextClassLoader(final Thread thread) {
+        return AccessController.doPrivileged(new PrivilegedAction<ClassLoader>() {
+            public ClassLoader run() {
+                return thread.getContextClassLoader();
+            }
+        });
+    }
+
+    /** Privileged wrapper for {@code ClassLoader.getResource(String)}. */
+    private static URL getResource(
+            final ClassLoader cl, final String name) {
+        return AccessController.doPrivileged(new PrivilegedAction<URL>() {
+            public URL run() {
+                return cl.getResource(name);
+            }
+        });
+    }
+
+    /** Privileged wrapper for {@code ClassLoader.getSystemResource(String)}. */
+    private static URL getSystemResource(final String name) {
+        return AccessController.doPrivileged(new PrivilegedAction<URL>() {
+            public URL run() {
+                return ClassLoader.getSystemResource(name);
+            }
+        });
+    }
+
+    /** Privileged wrapper for {@code URL.openStream()}. */
+    private static InputStream openStream(final URL url) throws IOException {
+        try {
+            return AccessController.doPrivileged(
+                    new PrivilegedExceptionAction<InputStream>() {
+                public InputStream run() throws IOException {
+                    return url.openStream();
+                }
+            });
+        } catch (PrivilegedActionException pae) {
+            throw (IOException) pae.getCause();
         }
     }
 }

Modified: db/derby/code/trunk/java/testing/org/apache/derbyTesting/functionTests/tests/lang/DatabaseClassLoadingTest.java
URL: http://svn.apache.org/viewvc/db/derby/code/trunk/java/testing/org/apache/derbyTesting/functionTests/tests/lang/DatabaseClassLoadingTest.java?rev=1582655&r1=1582654&r2=1582655&view=diff
==============================================================================
--- db/derby/code/trunk/java/testing/org/apache/derbyTesting/functionTests/tests/lang/DatabaseClassLoadingTest.java
(original)
+++ db/derby/code/trunk/java/testing/org/apache/derbyTesting/functionTests/tests/lang/DatabaseClassLoadingTest.java
Fri Mar 28 09:44:37 2014
@@ -44,6 +44,7 @@ import javax.sql.DataSource;
 import junit.framework.Test;
 import junit.framework.TestSuite;
 
+import org.apache.derbyTesting.functionTests.util.PrivilegedFileOpsForTests;
 import org.apache.derbyTesting.junit.BaseJDBCTestCase;
 import org.apache.derbyTesting.junit.ClasspathSetup;
 import org.apache.derbyTesting.junit.CleanDatabaseTestSetup;
@@ -114,17 +115,15 @@ public class DatabaseClassLoadingTest ex
                 suite.addTest(new DatabaseClassLoadingTest(orderedTests[i]));
             }
        
-           suite.addTest(SecurityManagerSetup.noSecurityManager(
-                   new DatabaseClassLoadingTest("testDatabaseInJar"))); 
+            suite.addTest(new DatabaseClassLoadingTest("testDatabaseInJar"));
 
             // DERBY-2162: Only run this test case on platforms that support
             // the URLClassLoader.close() method. Otherwise, we won't be able
             // to delete the jar file afterwards.
             if (ClasspathSetup.supportsClose()) {
-                suite.addTest(SecurityManagerSetup.noSecurityManager(
-                    new ClasspathSetup(
+                suite.addTest(new ClasspathSetup(
                         new DatabaseClassLoadingTest("testDatabaseInClasspath"),
-                        SupportFilesSetup.getReadOnlyURL("dclt.jar"))));
+                        SupportFilesSetup.getReadOnlyURL("dclt.jar")));
             }
            
            // No security manager because the test uses getClass().getClassLoader()
@@ -638,7 +637,8 @@ public class DatabaseClassLoadingTest ex
     public void testDatabaseInJar() throws SQLException
     {
         File jarFile = SupportFilesSetup.getReadOnly("dclt.jar");
-        String dbName = "jar:(" + jarFile.getAbsolutePath() + ")dbro";
+        String dbName = "jar:(" +
+                PrivilegedFileOpsForTests.getAbsolutePath(jarFile) + ")dbro";
         
         DataSource ds = JDBCDataSource.getDataSource(dbName);
         

Modified: db/derby/code/trunk/java/testing/org/apache/derbyTesting/functionTests/tests/lang/NativeAuthenticationServiceTest.java
URL: http://svn.apache.org/viewvc/db/derby/code/trunk/java/testing/org/apache/derbyTesting/functionTests/tests/lang/NativeAuthenticationServiceTest.java?rev=1582655&r1=1582654&r2=1582655&view=diff
==============================================================================
--- db/derby/code/trunk/java/testing/org/apache/derbyTesting/functionTests/tests/lang/NativeAuthenticationServiceTest.java
(original)
+++ db/derby/code/trunk/java/testing/org/apache/derbyTesting/functionTests/tests/lang/NativeAuthenticationServiceTest.java
Fri Mar 28 09:44:37 2014
@@ -37,7 +37,6 @@ import org.apache.derbyTesting.junit.Cla
 import org.apache.derbyTesting.junit.DatabaseChangeSetup;
 import org.apache.derbyTesting.junit.JDBC;
 import org.apache.derbyTesting.junit.JDBCDataSource;
-import org.apache.derbyTesting.junit.SecurityManagerSetup;
 import org.apache.derbyTesting.junit.SupportFilesSetup;
 import org.apache.derbyTesting.junit.SystemPropertyTestSetup;
 import org.apache.derbyTesting.junit.TestConfiguration;
@@ -73,9 +72,6 @@ public class NativeAuthenticationService
     private static  final   boolean DISABLE_AUTHORIZATION = true;
     private static  final   boolean DONT_DISABLE_AUTH = false;
     
-    private static  final   boolean DISABLE_JAVA_SECURITY = true;
-    private static  final   boolean ENABLE_JAVA_SECURITY = false;
-    
     // fruits are legal users. nuts are not
     private static  final   String  DBO = "KIWI";   
     private static  final   String  APPLE_USER = "APPLE";   
@@ -158,7 +154,6 @@ public class NativeAuthenticationService
     private final   boolean _nativeAuthentication;
     private final   boolean _localAuthentication;
     private final   boolean _turnOffAuthenticationAndAuthorization;
-    private final   boolean _disableSecurityManager;
 
     private String  _credentialsDBPhysicalName;
 
@@ -184,8 +179,7 @@ public class NativeAuthenticationService
          int            credentialsDBLocation,
          boolean    nativeAuthentication,
          boolean    localAuthentication,
-         boolean    turnOffAuthenticationAndAuthorization,
-         boolean    disableSecurityManager
+         boolean    turnOffAuthenticationAndAuthorization
          )
     {
         super( "testAll" );
@@ -194,7 +188,6 @@ public class NativeAuthenticationService
         _nativeAuthentication = nativeAuthentication;
         _localAuthentication = localAuthentication;
         _turnOffAuthenticationAndAuthorization = turnOffAuthenticationAndAuthorization;
-        _disableSecurityManager = disableSecurityManager;
     }
 
     ///////////////////////////////////////////////////////////////////////////////////
@@ -329,14 +322,11 @@ public class NativeAuthenticationService
         String  authOverrides = _turnOffAuthenticationAndAuthorization ?
             "Authentication/Authorization turned OFF, " :
             "Authentication/Authorization DEFAULT, ";
-        String  securityManager = _disableSecurityManager ?
-            "SecurityManager OFF, " :
-            "SecurityManager ON, ";
         String  embedded = isEmbedded() ?
             "Embedded" :
             "Client/Server";
 
-        return "[ " + dbLocation + authType + local + authOverrides + securityManager + embedded
+ " ]";
+        return "[ " + dbLocation + authType + local + authOverrides + embedded + " ]";
     }
 
     /** Return true if the test is running embedded */
@@ -367,7 +357,7 @@ public class NativeAuthenticationService
                 (
                  (
                   new NativeAuthenticationServiceTest
-                  ( JAR_ENCRYPTED, NATIVE, LOCAL, DONT_DISABLE_AUTH, ENABLE_JAVA_SECURITY
)
+                  ( JAR_ENCRYPTED, NATIVE, LOCAL, DONT_DISABLE_AUTH )
                   ).decorate( false )
                  );
         }
@@ -413,7 +403,7 @@ public class NativeAuthenticationService
             (
              (
               new NativeAuthenticationServiceTest
-              ( NONE, NO_AUTH, SYSTEM_WIDE, DONT_DISABLE_AUTH, ENABLE_JAVA_SECURITY )
+              ( NONE, NO_AUTH, SYSTEM_WIDE, DONT_DISABLE_AUTH )
               ).decorate( clientServer )
              );
 
@@ -424,14 +414,14 @@ public class NativeAuthenticationService
             (
              (
               new NativeAuthenticationServiceTest
-              ( FILE, NATIVE, LOCAL, DISABLE_AUTHORIZATION, ENABLE_JAVA_SECURITY )
+              ( FILE, NATIVE, LOCAL, DISABLE_AUTHORIZATION )
               ).decorate( clientServer )
              );
         suite.addTest
             (
              (
               new NativeAuthenticationServiceTest
-              ( FILE, NATIVE, LOCAL, DONT_DISABLE_AUTH, ENABLE_JAVA_SECURITY )
+              ( FILE, NATIVE, LOCAL, DONT_DISABLE_AUTH )
               ).decorate( clientServer )
              );
 
@@ -442,14 +432,14 @@ public class NativeAuthenticationService
             (
              (
               new NativeAuthenticationServiceTest
-              ( FILE, NATIVE, SYSTEM_WIDE, DISABLE_AUTHORIZATION, ENABLE_JAVA_SECURITY )
+              ( FILE, NATIVE, SYSTEM_WIDE, DISABLE_AUTHORIZATION )
               ).decorate( clientServer )
              );
         suite.addTest
             (
              (
               new NativeAuthenticationServiceTest
-              ( FILE, NATIVE, SYSTEM_WIDE, DONT_DISABLE_AUTH, ENABLE_JAVA_SECURITY )
+              ( FILE, NATIVE, SYSTEM_WIDE, DONT_DISABLE_AUTH )
               ).decorate( clientServer )
              );
         
@@ -466,14 +456,14 @@ public class NativeAuthenticationService
                 (
                  (
                   new NativeAuthenticationServiceTest
-                  ( JAR, NATIVE, SYSTEM_WIDE, DONT_DISABLE_AUTH, ENABLE_JAVA_SECURITY )
+                  ( JAR, NATIVE, SYSTEM_WIDE, DONT_DISABLE_AUTH )
                   ).decorate( clientServer )
                  );
             suite.addTest
                 (
                  (
                   new NativeAuthenticationServiceTest
-                  ( JAR, NATIVE, LOCAL, DONT_DISABLE_AUTH, ENABLE_JAVA_SECURITY )
+                  ( JAR, NATIVE, LOCAL, DONT_DISABLE_AUTH )
                   ).decorate( clientServer )
                  );
 
@@ -484,14 +474,14 @@ public class NativeAuthenticationService
                 (
                  (
                   new NativeAuthenticationServiceTest
-                  ( CLASSPATH, NATIVE, SYSTEM_WIDE, DONT_DISABLE_AUTH, DISABLE_JAVA_SECURITY
)
+                  ( CLASSPATH, NATIVE, SYSTEM_WIDE, DONT_DISABLE_AUTH )
                   ).decorate( clientServer )
                  );
             suite.addTest
                 (
                  (
                   new NativeAuthenticationServiceTest
-                  ( CLASSPATH, NATIVE, LOCAL, DONT_DISABLE_AUTH, DISABLE_JAVA_SECURITY )
+                  ( CLASSPATH, NATIVE, LOCAL, DONT_DISABLE_AUTH )
                   ).decorate( clientServer )
                  );
         }
@@ -512,8 +502,6 @@ public class NativeAuthenticationService
         
         Test        result = this;
 
-        if ( _disableSecurityManager ) { result = SecurityManagerSetup.noSecurityManager(
result ); }
-
         //
         // Putting the clientServer decorator on the inside allows the server-side
         // embedded driver to be re-registered after engine shutdown. If you put
@@ -881,11 +869,8 @@ public class NativeAuthenticationService
             // database accessed via jar subprotocol
             vetProtocol( jarDBName( _credentialsDBLocation ) );
         
-            //
-            // We only use the classpath subprotocol if we are not running under a security
manager.
-            // We may be able to remove that restriction after DERBY-5615 is fixed.
-            //
-            if ( _disableSecurityManager ) { vetProtocol( classpathDBName() ); }
+            // database accessed via classpath subprotocol
+            vetProtocol( classpathDBName() );
         }
         
         ///////////////////////////////////////////////////////////////////////////////////



Mime
View raw message