geronimo-dev mailing list archives

From "Kevan Miller (JIRA)" <j...@apache.org>
Subject [jira] Commented: (GERONIMO-4037) Geronimo 2.0.3 (and I guess at least 2.0.2) can't run with a security manager settled from the command line using -Djava.security.manager
Date Wed, 28 May 2008 21:46:45 GMT

    [ https://issues.apache.org/jira/browse/GERONIMO-4037?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12600616#action_12600616 ]

Kevan Miller commented on GERONIMO-4037:
----------------------------------------

Just to clarify what I think is going on: it's more of a chicken-and-egg problem that prevents
a successful load of the GeronimoPolicyConfigurationFactory class. Note that the second call
to GeronimoPolicy.implies() is triggered by File.canRead(), which is being invoked by UrlResourceFinder.
The system ClassLoader would not require this second SecurityManager check; it has permission
to read files...

Cycle goes like this:

1. System.getProperty() needs a SecurityManager check to see if the operation should be permitted.
2. To do this, we need to load the GeronimoPolicyConfigurationFactory class.
3. To load the class, JarFileClassLoader/UrlResourceFinder need to read the Jar file.
4. To read the jar file, we need to load the GeronimoPolicyConfigurationFactory class... Uh oh...
5. To load the class, we need to read the jar file.
6. To read the jar file, we need to load GeronimoPolicyConfigurationFactory

I'm a relative newbie to security policy configuration. Hoping that's enough to get someone
going... Send an email or ping me on IRC to discuss further.

> Geronimo 2.0.3 (and I guess at least 2.0.2) can't run with a security manager settled from the command line using -Djava.security.manager
> ------------------------------------------------------------------------------------------------------------------------------------------
>
>                 Key: GERONIMO-4037
>                 URL: https://issues.apache.org/jira/browse/GERONIMO-4037
>             Project: Geronimo
>          Issue Type: Bug
>      Security Level: public(Regular issues) 
>          Components: kernel, security
>    Affects Versions: 2.0.2
>         Environment: Windows Xp Sp2
>            Reporter: Jacques Le Roux
>            Priority: Blocker
>
> I'm facing an issue on Windows XP SP2: I can't run WASCE with a security manager settled
> from the command line using -Djava.security.manager -Djava.security.policy=client.policy options.
> I get the error below. Note that this is working properly under Linux (Ubuntu and SUSE as
> well).
> C:\geronimo-tomcat6-jee5-2.0.3\bin>geronimo run
> Using GERONIMO_BASE:   C:\geronimo-tomcat6-jee5-2.0.3
> Using GERONIMO_HOME:   C:\geronimo-tomcat6-jee5-2.0.3
> Using GERONIMO_TMPDIR: var\temp
> Using JRE_HOME:        C:\Program Files\Java\jre1.5.0_11
> Listening for transport dt_socket at address: 5005
> Booting Geronimo Kernel (in Java 1.5.0_11)...
> Starting Geronimo Application Server v2.0.3-SNAPSHOT
> [***>                                  ] 11%  27s Starting org.apac...15:57:28,625 ERROR [GBeanInstanceState] Error while starting; GBean is now in the FAILED state: abstractName="org.apache.geronimo.configs/j2ee-security/2.0.3-SNAPSHOT/car?ServiceModule=org.apache.geronimo.configs/j2ee-security/2.0.3-SNAPSHOT/car,j2eeType=GBean,name=SecurityService"
> java.lang.LinkageError: org/apache/geronimo/security/jacc/GeronimoPolicyConfigurationFactory
>         at org.apache.geronimo.security.jacc.GeronimoPolicy.implies(GeronimoPolicy.java:74)
>         at java.security.ProtectionDomain.implies(Unknown Source)
>         at java.security.AccessControlContext.checkPermission(Unknown Source)
>         at java.security.AccessController.checkPermission(Unknown Source)
>         at java.lang.SecurityManager.checkPermission(Unknown Source)
>         at java.lang.Thread.setContextClassLoader(Unknown Source)
>         at org.apache.geronimo.gbean.runtime.GBeanInstance.createInstance(GBeanInstance.java:1056)
>         at org.apache.geronimo.gbean.runtime.GBeanInstanceState.attemptFullStart(GBeanInstanceState.java:268)
>         at org.apache.geronimo.gbean.runtime.GBeanInstanceState.start(GBeanInstanceState.java:102)
>         at org.apache.geronimo.gbean.runtime.GBeanInstanceState.startRecursive(GBeanInstanceState.java:124)
>         at org.apache.geronimo.gbean.runtime.GBeanInstance.startRecursive(GBeanInstance.java:553)
>         at org.apache.geronimo.kernel.basic.BasicKernel.startRecursiveGBean(BasicKernel.java:379)
>         at org.apache.geronimo.kernel.config.ConfigurationUtil.startConfigurationGBeans(ConfigurationUtil.java:448)
>         at org.apache.geronimo.kernel.config.KernelConfigurationManager.start(KernelConfigurationManager.java:187)
>         at org.apache.geronimo.kernel.config.SimpleConfigurationManager.startConfiguration(SimpleConfigurationManager.java:530)
>         at org.apache.geronimo.kernel.config.SimpleConfigurationManager$$FastClassByCGLIB$$ce77a924.invoke(<generated>)
>         at net.sf.cglib.reflect.FastMethod.invoke(FastMethod.java:53)
>         at org.apache.geronimo.gbean.runtime.FastMethodInvoker.invoke(FastMethodInvoker.java:38)
>         at org.apache.geronimo.gbean.runtime.GBeanOperation.invoke(GBeanOperation.java:124)
>         at org.apache.geronimo.gbean.runtime.GBeanInstance.invoke(GBeanInstance.java:830)
>         at org.apache.geronimo.gbean.runtime.RawInvoker.invoke(RawInvoker.java:57)
>         at org.apache.geronimo.kernel.basic.RawOperationInvoker.invoke(RawOperationInvoker.java:35)
>         at org.apache.geronimo.kernel.basic.ProxyMethodInterceptor.intercept(ProxyMethodInterceptor.java:96)
>         at org.apache.geronimo.kernel.config.EditableConfigurationManager$$EnhancerByCGLIB$$7e14cd11.startConfiguration(<generated>)
>         at org.apache.geronimo.system.main.EmbeddedDaemon.doStartup(EmbeddedDaemon.java:156)
>         at org.apache.geronimo.system.main.EmbeddedDaemon.execute(EmbeddedDaemon.java:78)
>         at org.apache.geronimo.kernel.util.MainConfigurationBootstrapper.main(MainConfigurationBootstrapper.java:45)
>         at org.apache.geronimo.cli.AbstractCLI.executeMain(AbstractCLI.java:67)
>         at org.apache.geronimo.cli.daemon.DaemonCLI.main(DaemonCLI.java:30)
> 15:57:28,640 WARN  [BasicLifecycleMonitor] Exception occured while notifying listener
> [...]
> This is needed in order to launch the OFBiz RMIDispatcher (in other words to allow using
> RMI inside Apache OFBiz). That's why I put this issue as a blocker.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
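
The cycle described in the comment above, reduced to a self-contained simulation (an added example, not Geronimo code and not the fix adopted for GERONIMO-4037). The class `PolicyReentrancyDemo`, its methods and the thread-local guard are hypothetical stand-ins; no real SecurityManager or class loader is involved, and the guard is one common way to break such a cycle.

```java
import java.util.HashSet;
import java.util.Set;

/** Simulation only: models the policy/class-loader cycle without a real SecurityManager. */
public class PolicyReentrancyDemo {
    // Constructed stand-in for class-loader state: loads in progress and completed loads.
    static final Set<String> loading = new HashSet<>();
    static final Set<String> loaded = new HashSet<>();
    // True while the current thread is inside the policy's own decision logic.
    static final ThreadLocal<Boolean> inPolicy = ThreadLocal.withInitial(() -> false);
    static boolean guardEnabled;

    // Stand-in for JarFileClassLoader/UrlResourceFinder: reading the jar needs a permission check.
    static void loadClass(String name) {
        if (loaded.contains(name)) return;
        if (!loading.add(name)) throw new LinkageError(name); // same class re-entered mid-load
        try {
            implies("FilePermission read"); // File.canRead() -> SecurityManager -> policy
            loaded.add(name);
        } finally {
            loading.remove(name);
        }
    }

    // Stand-in for GeronimoPolicy.implies(): it needs the factory class before it can answer.
    static boolean implies(String permission) {
        // Guard: a check raised by the policy's own class loading is answered directly.
        if (guardEnabled && inPolicy.get()) return true;
        inPolicy.set(true);
        try {
            loadClass("GeronimoPolicyConfigurationFactory");
            return true; // the real decision would be delegated to the loaded factory
        } finally {
            inPolicy.set(false);
        }
    }

    static String run(boolean guard) {
        guardEnabled = guard;
        loading.clear();
        loaded.clear();
        try { return "allowed=" + implies("PropertyPermission read"); }
        catch (LinkageError e) { return "LinkageError: " + e.getMessage(); }
    }

    public static void main(String[] args) {
        System.out.println("no guard:   " + run(false));
        System.out.println("with guard: " + run(true));
    }
}
```

The guard grants every nested check made while the policy is deciding, so it is only acceptable when the code reached from that path is trusted; loading the factory class before the policy is installed avoids the nested check altogether.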

