openjpa-dev mailing list archives

From "Albert Lee (JIRA)" <j...@apache.org>
Subject [jira] Commented: (OPENJPA-244) Java 2 Security enablement
Date Thu, 05 Jul 2007 03:44:04 GMT

    [ https://issues.apache.org/jira/browse/OPENJPA-244?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12510271 ]

Albert Lee commented on OPENJPA-244:
------------------------------------

>> I almost commented on this earlier. I'm not sure that the grant of CodeBase "file:///${user.home}/.m2/repository/-" { and grant CodeBase "file:///${test.basedir}/-" { are correct.

Typically a security exception stack looks something like this:

java.security.AccessControlException: Access denied (java.util.PropertyPermission localRepository write)
        at java.security.AccessController.checkPermission(AccessController.java:104)
        at java.lang.SecurityManager.checkPermission(SecurityManager.java:547)
        at java.lang.System.setProperty(System.java:385)
        at org.apache.maven.surefire.booter.SurefireBooter.setSystemProperties(SurefireBooter.java:624)
        at org.apache.maven.surefire.booter.SurefireBooter.main(SurefireBooter.java:692)

or

java.security.AccessControlException: Access denied (java.lang.reflect.ReflectPermission suppressAccessChecks)
        at java.security.AccessController.checkPermission(AccessController.java:104)
        at java.lang.SecurityManager.checkPermission(SecurityManager.java:547)
        at java.lang.reflect.AccessibleObject.setAccessible(AccessibleObject.java:119)
        at org.apache.openjpa.event.MethodLifecycleCallbacks.makeCallback(MethodLifecycleCallbacks.java:87)
        at org.apache.openjpa.event.LifecycleEventManager.makeCallbacks(LifecycleEventManager.java:329)
        at org.apache.openjpa.event.LifecycleEventManager.fireEvent(LifecycleEventManager.java:291)
        at org.apache.openjpa.kernel.BrokerImpl.fireLifecycleEvent(BrokerImpl.java:671)
        at org.apache.openjpa.kernel.BrokerImpl.persist(BrokerImpl.java:2393)
        at org.apache.openjpa.kernel.BrokerImpl.persist(BrokerImpl.java:2244)
        at org.apache.openjpa.kernel.DelegatingBroker.persist(DelegatingBroker.java:1010)
        at org.apache.openjpa.persistence.EntityManagerImpl.persist(EntityManagerImpl.java:541)
        at org.apache.openjpa.persistence.callbacks.TestExceptionsFromCallbacks.testPrePersistException(TestExceptionsFromCallbacks.java:50)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:64)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:615)
        at junit.framework.TestCase.runTest(TestCase.java:154)
        at junit.framework.TestCase.runBare(TestCase.java:127)
        at junit.framework.TestResult$1.protect(TestResult.java:106)
        at junit.framework.TestResult.runProtected(TestResult.java:124)
        at junit.framework.TestResult.run(TestResult.java:109)
        at junit.framework.TestCase.run(TestCase.java:118)
        at junit.framework.TestSuite.runTest(TestSuite.java:208)
        at junit.framework.TestSuite.run(TestSuite.java:203)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:64)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:615)
        at org.apache.maven.surefire.junit.JUnitTestSet.execute(JUnitTestSet.java:210)
        at org.apache.maven.surefire.suite.AbstractDirectoryTestSuite.executeTestSet(AbstractDirectoryTestSuite.java:135)
        at org.apache.maven.surefire.suite.AbstractDirectoryTestSuite.execute(AbstractDirectoryTestSuite.java:122)
        at org.apache.maven.surefire.Surefire.run(Surefire.java:129)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:64)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:615)
        at org.apache.maven.surefire.booter.SurefireBooter.runSuitesInProcess(SurefireBooter.java:225)
        at org.apache.maven.surefire.booter.SurefireBooter.main(SurefireBooter.java:747)

The 3 major packages that need security permission are org.apache.maven.surefire.*, junit.*
and org.apache.*.Test*. The CodeBase "file:///${user.home}/.m2/repository/-" is for the first
2 package categories and CodeBase "file:///${test.basedir}/-" is for the openjpa test cases.
So the 'grant's are needed for these CodeBases.

I can further narrow down the surefire and junit. However some of the openjpa tests use the
same packages as the code (e.g. org.apache.openjpa.persistence.jdbc), so the grant codebase
for the tests may not be specific just to the test packages.

>> The grants might mask the required grants in OpenJPA by "catching" the illegal access by the test case or the framework.

I agree, see reason before.

>> Do we know why the test.basedir needs e.g. suppressAccessChecks? Do the test cases themselves use reflection?

This is an oversight because AccessibleObject.setAccessible is not being bracketed with doPriv.
I'll get this fixed.

Albert Lee.

> Java 2 Security enablement
> --------------------------
>
>                 Key: OPENJPA-244
>                 URL: https://issues.apache.org/jira/browse/OPENJPA-244
>             Project: OpenJPA
>          Issue Type: Bug
>    Affects Versions: 0.9.8
>            Reporter: Kevin Sutter
>         Attachments: OPENJPA-244.patch
>
>
> Via some testing with the WebSphere Application Server, it's been discovered that we're
> missing some doPriv blocks throughout the OpenJPA code base.  This JIRA report will be used
> to resolve these issues.  More specific examples will be posted later.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
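
Added example (not part of the original message and not OpenJPA's code): the bracketing of AccessibleObject.setAccessible with doPrivileged that the comment above refers to, shown beside the unbracketed call that produces the second stack trace. The class, entity and method names are hypothetical.

```java
import java.lang.reflect.Method;
import java.security.AccessController;
import java.security.PrivilegedAction;

// Added illustration; all names here are hypothetical, not OpenJPA's.
// AccessController is deprecated since Java 17 but still compiles and runs.
public class PrivilegedCallbackDemo {

    // Hypothetical entity with a non-public lifecycle callback.
    static class Entity {
        private String state = "new";
        private void prePersist() { state = "prePersist called"; }
    }

    // Unbracketed: the access check walks the whole call stack, so every
    // codebase on it (test case, JUnit, Surefire) must be granted
    // java.lang.reflect.ReflectPermission "suppressAccessChecks".
    static void makeCallbackUnbracketed(Object target, Method m) throws Exception {
        m.setAccessible(true);
        m.invoke(target);
    }

    // Bracketed: the stack walk stops at the doPrivileged frame, so only the
    // codebase that contains this class needs the ReflectPermission grant.
    // Only setAccessible is privileged; the callback itself is invoked
    // outside the block and runs with the caller's permissions.
    static void makeCallbackBracketed(Object target, final Method m) throws Exception {
        AccessController.doPrivileged(new PrivilegedAction<Void>() {
            public Void run() {
                m.setAccessible(true);
                return null;
            }
        });
        m.invoke(target);
    }

    public static void main(String[] args) throws Exception {
        Entity e = new Entity();
        Method m = Entity.class.getDeclaredMethod("prePersist");
        makeCallbackBracketed(e, m);
        System.out.println(e.state);
    }
}
```

With the bracketed form, the grant for the test codebase no longer has to include suppressAccessChecks, so a missing doPrivileged elsewhere in the library is not masked by the test policy.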

