felix-dev mailing list archives

From "Karl Pauls (JIRA)" <j...@apache.org>
Subject [jira] Resolved: (FELIX-837) Setting the SecurityManager in a bundle generate an infinite loop
Date Fri, 19 Dec 2008 22:14:44 GMT

     [ https://issues.apache.org/jira/browse/FELIX-837?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Karl Pauls resolved FELIX-837.

    Resolution: Fixed

Setting a security manager when the framework was already started is causing a recursive lookup
of handlers as

a) not all security-sensitive calls were done from inside a doPriv and
b) invoking built-in handlers is causing a recursive attempt to create the URL to the policy

Fixed in trunk by adding the doPrivs and making sure to only use setAccessible where needed
and then (if possible) before the URLHandlers are registered. Additionally, we create URLs
for the known built-in handlers up front to be able to set the handler of a new URL without
causing a security check.

This will make it into the upcoming 1.4.1 release. Thanks again for reporting and please close
this issue if it works for you.

> Setting the SecurityManager in a bundle generate an infinite loop
> -----------------------------------------------------------------
>                 Key: FELIX-837
>                 URL: https://issues.apache.org/jira/browse/FELIX-837
>             Project: Felix
>          Issue Type: Bug
>          Components: Framework
>    Affects Versions: felix-1.4.0
>            Reporter: Loris Bouzonnet
>            Assignee: Karl Pauls
>            Priority: Minor
>             Fix For: felix-1.4.1
>         Attachments: sm-test.zip
> Since Felix 1.4.0, each method invocation is now checked in the class SecureAction. When
> we DON'T set the security manager as argument of the command line and a started bundle tries
> to set this one, we always get an infinite loop:
> 	at java.net.URL.<init>(URL.java:413)
> 	at sun.security.provider.PolicyFile$3.run(PolicyFile.java:676)
> 	at java.security.AccessController.doPrivileged(Native Method)
> 	at sun.security.provider.PolicyFile.initStaticPolicy(PolicyFile.java:617)
> 	at sun.security.provider.PolicyFile.<init>(PolicyFile.java:314)
> 	at java.security.Policy.getPolicyNoCheck(Policy.java:145)
> 	at java.security.ProtectionDomain.implies(ProtectionDomain.java:195)
> 	at java.security.AccessControlContext.checkPermission(AccessControlContext.java:249)
> 	at java.security.AccessController.checkPermission(AccessController.java:427)
> 	at java.lang.SecurityManager.checkPermission(SecurityManager.java:532)
> 	at java.lang.reflect.AccessibleObject.setAccessible(AccessibleObject.java:107)
> 	at org.apache.felix.framework.util.SecureAction$Actions.run(SecureAction.java:1123)
> 	at java.security.AccessController.doPrivileged(Native Method)
> 	at org.apache.felix.framework.util.SecureAction.invoke(SecureAction.java:754)
> 	at org.apache.felix.framework.URLHandlersStreamHandlerProxy.getStreamHandlerService(URLHandlersStreamHandlerProxy.java:400)
> 	at org.apache.felix.framework.URLHandlersStreamHandlerProxy.parseURL(URLHandlersStreamHandlerProxy.java:267)
> 	at java.net.URL.<init>(URL.java:596)
> 	at java.net.URL.<init>(URL.java:464)
> 	at java.net.URL.<init>(URL.java:413)
> 	at sun.security.provider.PolicyFile$3.run(PolicyFile.java:676)
> ... until a stack overflow.
> To reproduce it, just start the attached bundle that does:
> System.setSecurityManager(new RMISecurityManager());
> URL wantBug = new URL("http://felix.apache.org");
> System.out.println("I want a bug: " + wantBug.toExternalForm());
> If the security manager is set in the command line, there is no bug.

This message is automatically generated by JIRA.
You can reply to this email to add a comment to the issue online.
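
The cycle visible in the stack trace, and the effect of resolving the built-in handlers up front, as an added and simplified Java model. It is not Felix or JDK code: the class, its fields and the depth limit are hypothetical, and no real SecurityManager is installed.

```java
import java.util.HashSet;
import java.util.Set;

// Constructed model of the FELIX-837 cycle. Every name here is hypothetical;
// none of it is Felix or JDK code, and no real SecurityManager is installed.
public class HandlerRecursionModel {
    static final int DEPTH_LIMIT = 100;   // stands in for the JVM stack limit

    final Set<String> preResolved = new HashSet<>(); // handlers captured at framework start
    boolean policyLoaded = false;
    int depth = 0;

    // Models SecurityManager.checkPermission: the first check lazily loads
    // the policy, and locating the policy file means constructing a URL.
    void checkPermission() {
        if (policyLoaded) return;
        newUrl("file");                   // PolicyFile.initStaticPolicy -> new URL(...)
        policyLoaded = true;              // only reached if that URL could be built
    }

    // Models new URL(...) asking the framework's handler proxy for a stream handler.
    void newUrl(String protocol) {
        if (++depth > DEPTH_LIMIT) throw new IllegalStateException("recursion at depth " + depth);
        try {
            if (preResolved.contains(protocol)) return; // fixed path: no security check
            checkPermission();            // buggy path: setAccessible -> checkPermission
        } finally {
            depth--;
        }
    }

    // Returns true when a bundle can set a security manager and then build a URL.
    static boolean bundleStartSucceeds(boolean preResolveBuiltIns) {
        HandlerRecursionModel m = new HandlerRecursionModel();
        if (preResolveBuiltIns) { m.preResolved.add("file"); m.preResolved.add("http"); }
        try {
            m.newUrl("http");             // the reporter's new URL("http://felix.apache.org")
            return true;
        } catch (IllegalStateException e) {
            return false;
        }
    }

    public static void main(String[] args) {
        System.out.println("lookup checks permissions: " + bundleStartSucceeds(false));
        System.out.println("built-ins pre-resolved:    " + bundleStartSucceeds(true));
    }
}
```

In the model the first call fails because every permission check needs the policy, and loading the policy needs a URL whose handler lookup triggers another permission check; the second call succeeds because the lookup for a built-in protocol no longer reaches a check.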
