myfaces-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Mark Struberg (JIRA)" <>
Subject [jira] [Commented] (MYFACES-3536) AccessControlException occurs when using a CustomExceptionHandler to navigate to a page using the NavigationHandler
Date Fri, 04 May 2012 19:32:48 GMT


Mark Struberg commented on MYFACES-3536:

patch looks ok to me.
> AccessControlException occurs when using a CustomExceptionHandler to navigate to a page
using the NavigationHandler
> -------------------------------------------------------------------------------------------------------------------
>                 Key: MYFACES-3536
>                 URL:
>             Project: MyFaces Core
>          Issue Type: Bug
>          Components: JSR-314
>    Affects Versions: 2.0.13
>         Environment: WebSphere Application Server Version 8.0 with Java2 Security enabled
>            Reporter: Paul Nicolucci
>         Attachments: Exception.txt, SAXCompiler.patch
>   Original Estimate: 4h
>  Remaining Estimate: 4h
> After fixing MYFACES-3530 I enabled Java2 Security in Websphere Application Server Version
8.0 and found the following issue related to using a custom Exception Handler to handle a
> When we Navigate to a page from the customer Exception Handler in the application the
following exception occurs:
> Access denied org.osgi.framework.AdminPermission
(id=65) resolve,resource)
> 	at
> 	at java.lang.SecurityManager.checkPermission(
> 	at
> 	at org.eclipse.osgi.framework.internal.core.BundleResourceHandler.checkAuthorization(
> 	at org.eclipse.osgi.framework.internal.core.BundleResourceHandler.parseURL(
> 	at<init>(
> 	at<init>(
> 	at<init>(
> 	at org.apache.xerces.impl.XMLEntityManager.setupCurrentEntity(Unknown Source)
> 	at org.apache.xerces.impl.XMLEntityManager.startEntity(Unknown Source)
> 	at org.apache.xerces.impl.XMLEntityManager.startDTDEntity(Unknown Source)
> 	at org.apache.xerces.impl.XMLDTDScannerImpl.setInputSource(Unknown Source)
> 	at org.apache.xerces.impl.XMLDocumentScannerImpl$DTDDispatcher.dispatch(Unknown Source)
> 	at org.apache.xerces.impl.XMLDocumentFragmentScannerImpl.scanDocument(Unknown Source)
> 	at org.apache.xerces.parsers.XML11Configuration.parse(Unknown Source)
> 	at org.apache.xerces.parsers.XML11Configuration.parse(Unknown Source)
> 	at org.apache.xerces.parsers.XMLParser.parse(Unknown Source)
> 	at org.apache.xerces.parsers.AbstractSAXParser.parse(Unknown Source)
> 	at org.apache.xerces.jaxp.SAXParserImpl$JAXPSAXParser.parse(Unknown Source)
> 	at org.apache.xerces.jaxp.SAXParserImpl.parse(Unknown Source)
> 	at javax.xml.parsers.SAXParser.parse(Unknown Source)
> 	at org.apache.myfaces.view.facelets.compiler.SAXCompiler.doCompileViewMetadata(
> 	at org.apache.myfaces.view.facelets.compiler.Compiler.compileViewMetadata(
> 	at org.apache.myfaces.view.facelets.impl.DefaultFaceletFactory._createViewMetadataFacelet(
> 	at org.apache.myfaces.view.facelets.impl.DefaultFaceletFactory.getViewMetadataFacelet(
> 	at org.apache.myfaces.view.facelets.impl.DefaultFaceletFactory.getViewMetadataFacelet(
> 	at org.apache.myfaces.view.facelets.FaceletViewDeclarationLanguage._getViewMetadataFacelet(
> 	at org.apache.myfaces.view.facelets.FaceletViewDeclarationLanguage.access$000(
> 	at org.apache.myfaces.view.facelets.FaceletViewDeclarationLanguage$FaceletViewMetadata.createMetadataView(
> 	at org.apache.myfaces.application.NavigationHandlerImpl.handleNavigation(
> 	at
 -> Application code
> I've attached Exception.txt showing the full stack trace for reference.  The exception
looks to come from: 
> org.apache.myfaces.view.facelets.compiler.SAXCompiler.doCompileViewMetadata(
> I've attached a suggested patch that wraps the offending code in an AccessController.doPrivileged
block.  I had to make the following changes to completely fix the problem:
> 1) Make the ViewMetadataHandler and SAXParser local variables final so they can be used
within the doPrivileged block.
> 2) I had to create a secondary InputStream object "finalInputStream which is just a copy
of the local "is" InputStream but is marked final so it can also be used within the doPrivileged
> 3) I also added a nested try/catch block that will catch the PrivilegedActionException
and catches the SAXException/IOException and keeps the behavior we had before ( throwing IOException,
throwing new FaceletException for the SAXException ). I had to do this since the doPrivileged
block wraps the exceptions from parser.parse in a PrivilegedActionException.
> 4) The new code is only used if System.getSecurityManager() != null so there should be
no performance ramifications if security is not enabled.
> Please review and let me know if you are ok with my patch.
> Thanks!

This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators:!default.jspa
For more information on JIRA, see:


View raw message