myfaces-dev mailing list archives

From "Paul Nicolucci (JIRA)" <>
Subject [jira] [Created] (MYFACES-3536) AccessControlException occurs when using a CustomExceptionHandler to navigate to a page using the NavigationHandler
Date Wed, 02 May 2012 16:52:49 GMT
Paul Nicolucci created MYFACES-3536:

             Summary: AccessControlException occurs when using a CustomExceptionHandler to
navigate to a page using the NavigationHandler
                 Key: MYFACES-3536
             Project: MyFaces Core
          Issue Type: Bug
          Components: JSR-314
    Affects Versions: 2.0.13
         Environment: WebSphere Application Server Version 8.0 with Java2 Security enabled
            Reporter: Paul Nicolucci

After fixing MYFACES-3530 I enabled Java2 Security in WebSphere Application Server Version
8.0 and found the following issue related to using a custom Exception Handler to handle a

When we navigate to a page from the custom Exception Handler in the application the following
exception occurs: Access denied org.osgi.framework.AdminPermission (id=65)
	at java.lang.SecurityManager.checkPermission(
	at org.eclipse.osgi.framework.internal.core.BundleResourceHandler.checkAuthorization(
	at org.eclipse.osgi.framework.internal.core.BundleResourceHandler.parseURL(
	at org.apache.xerces.impl.XMLEntityManager.setupCurrentEntity(Unknown Source)
	at org.apache.xerces.impl.XMLEntityManager.startEntity(Unknown Source)
	at org.apache.xerces.impl.XMLEntityManager.startDTDEntity(Unknown Source)
	at org.apache.xerces.impl.XMLDTDScannerImpl.setInputSource(Unknown Source)
	at org.apache.xerces.impl.XMLDocumentScannerImpl$DTDDispatcher.dispatch(Unknown Source)
	at org.apache.xerces.impl.XMLDocumentFragmentScannerImpl.scanDocument(Unknown Source)
	at org.apache.xerces.parsers.XML11Configuration.parse(Unknown Source)
	at org.apache.xerces.parsers.XML11Configuration.parse(Unknown Source)
	at org.apache.xerces.parsers.XMLParser.parse(Unknown Source)
	at org.apache.xerces.parsers.AbstractSAXParser.parse(Unknown Source)
	at org.apache.xerces.jaxp.SAXParserImpl$JAXPSAXParser.parse(Unknown Source)
	at org.apache.xerces.jaxp.SAXParserImpl.parse(Unknown Source)
	at javax.xml.parsers.SAXParser.parse(Unknown Source)
	at org.apache.myfaces.view.facelets.compiler.SAXCompiler.doCompileViewMetadata(
	at org.apache.myfaces.view.facelets.compiler.Compiler.compileViewMetadata(
	at org.apache.myfaces.view.facelets.impl.DefaultFaceletFactory._createViewMetadataFacelet(
	at org.apache.myfaces.view.facelets.impl.DefaultFaceletFactory.getViewMetadataFacelet(
	at org.apache.myfaces.view.facelets.impl.DefaultFaceletFactory.getViewMetadataFacelet(
	at org.apache.myfaces.view.facelets.FaceletViewDeclarationLanguage._getViewMetadataFacelet(
	at org.apache.myfaces.view.facelets.FaceletViewDeclarationLanguage.access$000(
	at org.apache.myfaces.view.facelets.FaceletViewDeclarationLanguage$FaceletViewMetadata.createMetadataView(
	at org.apache.myfaces.application.NavigationHandlerImpl.handleNavigation(
 -> Application code

I've attached Exception.txt showing the full stack trace for reference.  The exception looks
to come from: 


I've attached a suggested patch that wraps the offending code in an AccessController.doPrivileged
block.  I had to make the following changes to completely fix the problem:

1) Make the ViewMetadataHandler and SAXParser local variables final so they can be used within
the doPrivileged block.

2) I had to create a secondary InputStream object "finalInputStream" which is just a copy of
the local "is" InputStream but is marked final so it can also be used within the doPrivileged

3) I also added a nested try/catch block that will catch the PrivilegedActionException,
catch the SAXException/IOException and keep the behavior we had before (throwing IOException,
throwing new FaceletException for the SAXException). I had to do this since the doPrivileged
block wraps the exceptions from parser.parse in a PrivilegedActionException.

4) The new code is only used if System.getSecurityManager() != null so there should be no
performance ramifications if security is not enabled.

Please review and let me know if you are ok with my patch.

