Message-ID: <8e68c8e90705171017g7d6f7088g2d933ccd0b8ed396@mail.gmail.com>
Date: Thu, 17 May 2007 12:17:39 -0500
From: "Albert Lee"
To: open-jpa-dev
Subject: Enable Java 2 Security in EE environment causes Access denied exception
Cc: allee8285@gmail.com

I ran into the following exception when I enabled Java 2 security in the Java EE environment using openjpa in the WebSphere environment:

java.security.AccessControlException: Access denied (java.lang.RuntimePermission getClassLoader)
    at java.security.AccessController.checkPermission(AccessController.java:104)
    at java.lang.SecurityManager.checkPermission(SecurityManager.java:547)
    at com.ibm.ws.security.core.SecurityManager.checkPermission(SecurityManager.java:189)
    at java.lang.Thread.getContextClassLoader(Thread.java:490)
    at org.apache.openjpa.lib.conf.Configurations.findDerivedLoader(Configurations.java:232)
    at org.apache.openjpa.lib.conf.Configurations.newInstance(Configurations.java:194)
    at org.apache.openjpa.lib.conf.ObjectValue.newInstance(ObjectValue.java:103)
    at org.apache.openjpa.lib.conf.PluginValue.instantiate(PluginValue.java:101)
    at org.apache.openjpa.lib.conf.ObjectValue.instantiate(ObjectValue.java:79)
    at org.apache.openjpa.conf.OpenJPAConfigurationImpl.getDataCacheManagerInstance(OpenJPAConfigurationImpl.java:583)
    at org.apache.openjpa.kernel.AbstractBrokerFactory.newBroker(AbstractBrokerFactory.java:169)
    at org.apache.openjpa.kernel.DelegatingBrokerFactory.newBroker(DelegatingBrokerFactory.java:142)
    at org.apache.openjpa.persistence.EntityManagerFactoryImpl.createEntityManager(EntityManagerFactoryImpl.java:190)
    at com.ibm.websphere.ejb3sample.counter.StatelessCounterBean.getTheValue(StatelessCounterBean.java:63)

The scenario is that an openjpa entity manager factory is injected into a stateless session bean and it is trying to create an EntityManager from the factory. Since the factory is directly injected in the application, the container has no involvement in handling the AccessController.doPrivileged(). Another similar scenario is when Persistence.createEntityManagerFactory() is called from within a stateless session bean, in which a similar but different security-related symptom is surfaced.

These tests run successfully when Java 2 security is disabled. A security policy has been put in place in the app server to give all permissions to the openjpa jar files in the app server.

For experimentation, I added a doPrivilege block in the Configurations.findDerivedLoader where the above exception took place and I was able to bypass the failure and the doPriv seems to work. However, I ran into the same exception in different places when getSystemClassLoader() and other privileged operations are used.

Questions:

1) How is security being handled in openjpa or JPA in general?
2) What is the philosophy of putting doPrivilege construct around security sensitive code in openjpa? I only find 2 instances of doPrivilege usage in openJPA.
3) Who is responsible to define and enable security in an app server environment?
4) Is injecting a provider entity manager factory to user code a valid procedure?
I understand an EntityManager proxy/wrapper is needed for persistence context injection, but I see no reason why the provider's entity manager factory cannot be injected into user code.

Am I way off base regarding security in OpenJPA and/or JPA in general? Any insights into this topic are greatly appreciated.

Thanks.
Albert Lee.
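
The doPrivileged wrapping described in the message above, as an added example that is not part of the original post and not OpenJPA's own code. It shows why granting all permissions to the library jars is not sufficient by itself, and how the privileged block is kept narrow. The class name PrivilegedLoaders is hypothetical, and the code targets the Java 2 security model the thread discusses.

```java
import java.security.AccessController;
import java.security.PrivilegedAction;

// Hypothetical helper (added example, not OpenJPA code): library-internal
// wrappers for the two class-loader lookups named in the message.
final class PrivilegedLoaders {

    private PrivilegedLoaders() {
    }

    // With a security manager installed, Thread.getContextClassLoader() can
    // trigger a RuntimePermission("getClassLoader") check. The check considers
    // every protection domain on the call stack, so an application bean that
    // lacks the permission makes it fail even when the library jar is granted
    // AllPermission. doPrivileged stops the stack walk at this frame, so only
    // the library's own protection domain is consulted.
    static ClassLoader contextClassLoader() {
        return AccessController.doPrivileged(new PrivilegedAction<ClassLoader>() {
            public ClassLoader run() {
                return Thread.currentThread().getContextClassLoader();
            }
        });
    }

    // Same pattern for ClassLoader.getSystemClassLoader().
    static ClassLoader systemClassLoader() {
        return AccessController.doPrivileged(new PrivilegedAction<ClassLoader>() {
            public ClassLoader run() {
                return ClassLoader.getSystemClassLoader();
            }
        });
    }

    // The methods are package-private and each privileged block performs one
    // operation: a public wrapper would let code without the permission
    // obtain a class loader through the library's privileges.
    public static void main(String[] args) {
        System.out.println("context loader: " + contextClassLoader());
        System.out.println("system loader:  " + systemClassLoader());
    }
}
```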