mina-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Dave Roberts (JIRA)" <j...@apache.org>
Subject [jira] [Created] (SSHD-668) AccessControlException running under OSGi container
Date Thu, 26 May 2016 12:59:12 GMT
Dave Roberts created SSHD-668:

             Summary: AccessControlException running under OSGi container
                 Key: SSHD-668
                 URL: https://issues.apache.org/jira/browse/SSHD-668
             Project: MINA SSHD
          Issue Type: Bug
    Affects Versions: 1.2.0
            Reporter: Dave Roberts

Using a minimalistic version of the "SSHD in 5 minutes", I was able to run this up and connect
using WinSCP no problem. 

I then added my JAR as a bundle into an OSGi container. This deployed OK, but as soon as I
tried to connect, the following exception was thrown:-
java.security.AccessControlException: access denied ("java.lang.RuntimePermission" "modifyThreadGroup")
	at java.security.AccessControlContext.checkPermission(AccessControlContext.java:472)
	at java.security.AccessController.checkPermission(AccessController.java:884)
	at java.lang.SecurityManager.checkPermission(SecurityManager.java:549)
	at com.sun.enterprise.security.ee.J2EESecurityManager.checkAccess(J2EESecurityManager.java:98)
	at java.lang.ThreadGroup.checkAccess(ThreadGroup.java:315)
	at java.lang.Thread.init(Thread.java:391)
	at java.lang.Thread.init(Thread.java:349)
	at java.lang.Thread.<init>(Thread.java:675)
	at org.apache.sshd.common.util.threads.ThreadUtils$SshdThreadFactory.newThread(ThreadUtils.java:174)
	at java.util.concurrent.ThreadPoolExecutor$Worker.<init>(ThreadPoolExecutor.java:612)
	at java.util.concurrent.ThreadPoolExecutor.addWorker(ThreadPoolExecutor.java:925)
	at java.util.concurrent.ThreadPoolExecutor.execute(ThreadPoolExecutor.java:1357)
	at sun.nio.ch.AsynchronousChannelGroupImpl.executeOnPooledThread(AsynchronousChannelGroupImpl.java:188)
	at sun.nio.ch.Invoker.invokeIndirectly(Invoker.java:212)
	at sun.nio.ch.Invoker.invokeIndirectly(Invoker.java:313)
	at sun.nio.ch.WindowsAsynchronousServerSocketChannelImpl$AcceptTask.completed(WindowsAsynchronousServerSocketChannelImpl.java:272)
	at sun.nio.ch.Iocp$EventHandlerTask.run(Iocp.java:397)
	at java.lang.Thread.run(Thread.java:745)
	at sun.misc.InnocuousThread.run(InnocuousThread.java:74)

I'm no expert on the java security model, but I traced how the initial thread was created
successfully, so modified the thread instantiation in  {{SshdThreadFactory.newThread}} to
run in priviledged mode:-
            try {
                t = AccessController.doPrivileged(new PrivilegedExceptionAction<Thread>()
                    public Thread run() {
                        return new Thread(group, r, namePrefix + threadNumber.getAndIncrement(),
            } catch (PrivilegedActionException e1) {
                //Exception from privileged code block, re-throwing...
                throw (RuntimeException) e1.getException();

This resolved the issue and also worked correctly in standalone mode (invoking my SSHD implementation
from a main method).  Of course there may be side effects that I'm not aware of when doing
the above when it's not required, in which case it can obviously be wrapped in a test that
loads the Security Manager and checks whether the permission is required.

This message was sent by Atlassian JIRA

View raw message