felix-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Gerrit van Brakel (JIRA)" <j...@apache.org>
Subject [jira] Commented: (FELIX-1363) Stack overflow on Java 2 Security evaluation of getLocation() in WebSphere
Date Fri, 17 Jul 2009 15:00:15 GMT

    [ https://issues.apache.org/jira/browse/FELIX-1363?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12732563#action_12732563

Gerrit van Brakel commented on FELIX-1363:


I can understand that Felix prefers to use its own classes. However, the AdminPermission class
resides in org.osgi.framework-package, and is probably present in each OSGi implemenation.
OSGi is all about avoiding dependency problems like these. I would expect that OSGi implementors
do not only provide a more or less problem free environment, but also try to avoid depency
problems in the environment they run in themselves.  This includes to my opinion agreeing
with the OSGi specificators or other implementors on what can be expected from shared classes
and on what they are allowed to do.

Is it allowed and can it be expected for AdminPermission implementations () to call getLocation()?
Either it is, and then getLocation should not use AdminPermission
Or it isn't, and then no AdminPermission implementation is allowed to call it.

The Felix source of AdminPermission suggests  that  there is a 'standard' implementation of
AdminPermission that is replaced. I don't know the details about what and why,  but it could
be that it is just this replacement that enabled the use of AdminPermission in getLocation().

> Stack overflow on Java 2 Security evaluation of getLocation() in WebSphere 
> ---------------------------------------------------------------------------
>                 Key: FELIX-1363
>                 URL: https://issues.apache.org/jira/browse/FELIX-1363
>             Project: Felix
>          Issue Type: Bug
>          Components: Framework
>    Affects Versions: felix-1.2.1
, felix-1.4.1, felix-1.8.0, felix-1.8.1
>         Environment: WebSphere 6.1 with Java 2 Security enabled
>            Reporter: Gerrit van Brakel
> When the Felix framework is used in an application in WebSphere, the Java 2 Security
permission evaluation of Felix.getLocation() causes a Stack Overflow.
> The Stack Overflow is caused by an incompatiblity between classes of the Felix framework
and the framework classes present in WebSphere.
> When the permissions for Felix.getLocation() are evaluated, an AdminPermission object
is created and evaluated. The AdminPermission permission object created is not the one supplied
by the Felix framework, but one found higher on the classpath: the WebSphere/eclipse version
of the AdminPermission class. This version of the class is incompatible with Felix, as it
uses getLocation() in its evaluation. 
> ways to work around or solve this problem:
> 1) disable Java 2 Security (not acceptable by company policy)
> 2) grant a global AllPermissions (not acceptable by company policy): by specifying global
AllPermissions, the evaluation of permissions seems to be avoided
> 3) modify the Felix Framework in such a way that no permissions are set/evaluated for
> 4) modify the Websphere / eclipse version of AdminPermission in such a way that no getLocation()
is used in its evaluation
> A test for option 3 has been performed on Felix 1.2.1. If the permission test is removed
from BundleImpl.getLocation() and Felix.getLocation(), the stack overflow does not appear.
Of course the permission test is lost in the process.

This message is automatically generated by JIRA.
You can reply to this email to add a comment to the issue online.

View raw message