From lu4...@apache.org
Subject svn commit: r777341 - in /myfaces/shared/trunk_3.0.x/core/src/main/java/org/apache/myfaces/shared: util/ClassUtils.java util/StateUtils.java webapp/webxml/WebXmlParser.java
Date Fri, 22 May 2009 01:06:10 GMT
Author: lu4242
Date: Fri May 22 01:06:09 2009
New Revision: 777341

URL: http://svn.apache.org/viewvc?rev=777341&view=rev
Log:
MYFACES-1879 Problems with myfaces when java2 security is enabled

Modified:
    myfaces/shared/trunk_3.0.x/core/src/main/java/org/apache/myfaces/shared/util/ClassUtils.java
    myfaces/shared/trunk_3.0.x/core/src/main/java/org/apache/myfaces/shared/util/StateUtils.java
    myfaces/shared/trunk_3.0.x/core/src/main/java/org/apache/myfaces/shared/webapp/webxml/WebXmlParser.java

Modified: myfaces/shared/trunk_3.0.x/core/src/main/java/org/apache/myfaces/shared/util/ClassUtils.java
URL: http://svn.apache.org/viewvc/myfaces/shared/trunk_3.0.x/core/src/main/java/org/apache/myfaces/shared/util/ClassUtils.java?rev=777341&r1=777340&r2=777341&view=diff
==============================================================================
--- myfaces/shared/trunk_3.0.x/core/src/main/java/org/apache/myfaces/shared/util/ClassUtils.java
(original)
+++ myfaces/shared/trunk_3.0.x/core/src/main/java/org/apache/myfaces/shared/util/ClassUtils.java
Fri May 22 01:06:09 2009
@@ -27,6 +27,9 @@
 import java.io.InputStream;
 import java.io.IOException;
 import java.lang.reflect.Array;
+import java.security.AccessController;
+import java.security.PrivilegedActionException;
+import java.security.PrivilegedExceptionAction;
 import java.util.*;
 
 
@@ -131,7 +134,7 @@
             // Try WebApp ClassLoader first
             return Class.forName(type,
                                  false, // do not initialize for faster startup
-                                 Thread.currentThread().getContextClassLoader());
+                                 getContextClassLoader());
         }
         catch (ClassNotFoundException ignore)
         {
@@ -223,7 +226,7 @@
 
     public static InputStream getResourceAsStream(String resource)
     {
-        InputStream stream = Thread.currentThread().getContextClassLoader()
+        InputStream stream = getContextClassLoader()
                                 .getResourceAsStream(resource);
         if (stream == null)
         {
@@ -343,11 +346,43 @@
      */
     protected static ClassLoader getCurrentLoader(Object defaultObject)
     {
-        ClassLoader loader = Thread.currentThread().getContextClassLoader();
+        ClassLoader loader = getContextClassLoader();
         if(loader == null)
         {
             loader = defaultObject.getClass().getClassLoader();
         }
         return loader;
     }
+    
+    /**
+     * Gets the ClassLoader associated with the current thread.  Includes a check for priviledges

+     * against java2 security to ensure no security related exceptions are encountered. 
+     *
+     * @since 3.0.6
+     * @return ClassLoader
+     */
+    public static ClassLoader getContextClassLoader()
+    {
+        if (System.getSecurityManager() != null) 
+        {
+            try {
+                ClassLoader cl = AccessController.doPrivileged(new PrivilegedExceptionAction<ClassLoader>()
+                        {
+                            public ClassLoader run() throws PrivilegedActionException
+                            {
+                                return Thread.currentThread().getContextClassLoader();
+                            }
+                        });
+                return cl;
+            }
+            catch (PrivilegedActionException pae)
+            {
+                throw new FacesException(pae);
+            }
+        }
+        else
+        {
+            return Thread.currentThread().getContextClassLoader();
+        }
+    }
 }
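Review bot: getContextClassLoader() is public and static and returns the result of a doPrivileged block, so any code able to call ClassUtils obtains the thread context class loader without itself holding RuntimePermission("getClassLoader"); the Javadoc should state this, e.g. `Callers must not hand the returned loader to less-trusted code.` The action also does not need PrivilegedExceptionAction: Thread.getContextClassLoader() declares no checked exception, so the PrivilegedActionException catch is unreachable in practice and `run()` should not declare it. With PrivilegedAction (which needs an import of java.security.PrivilegedAction in place of the two exception-related imports) the method reduces to the form below.

```java
    public static ClassLoader getContextClassLoader()
    {
        if (System.getSecurityManager() == null)
        {
            return Thread.currentThread().getContextClassLoader();
        }
        // No checked exception can escape, so a plain PrivilegedAction is enough
        // and the FacesException wrapping is no longer needed.
        return AccessController.doPrivileged(new PrivilegedAction<ClassLoader>()
        {
            public ClassLoader run()
            {
                return Thread.currentThread().getContextClassLoader();
            }
        });
    }
```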

Modified: myfaces/shared/trunk_3.0.x/core/src/main/java/org/apache/myfaces/shared/util/StateUtils.java
URL: http://svn.apache.org/viewvc/myfaces/shared/trunk_3.0.x/core/src/main/java/org/apache/myfaces/shared/util/StateUtils.java?rev=777341&r1=777340&r2=777341&view=diff
==============================================================================
--- myfaces/shared/trunk_3.0.x/core/src/main/java/org/apache/myfaces/shared/util/StateUtils.java
(original)
+++ myfaces/shared/trunk_3.0.x/core/src/main/java/org/apache/myfaces/shared/util/StateUtils.java
Fri May 22 01:06:09 2009
@@ -38,6 +38,9 @@
 import java.io.ObjectOutputStream;
 import java.io.IOException;
 import java.io.UnsupportedEncodingException;
+import java.security.AccessController;
+import java.security.PrivilegedActionException;
+import java.security.PrivilegedExceptionAction;
 import java.util.Random;
 import java.util.zip.GZIPInputStream;
 import java.util.zip.GZIPOutputStream;
@@ -302,27 +305,107 @@
     
     public static final Object getAsObject(byte[] bytes, ExternalContext ctx)
     {
-        ByteArrayInputStream input = new ByteArrayInputStream(bytes);
+        ByteArrayInputStream input = null;
 
-        // get the Factory that was instantiated @ startup
-        SerialFactory serialFactory = (SerialFactory) ctx.getApplicationMap().get(SERIAL_FACTORY);
-        
-        if(serialFactory == null)
-            throw new NullPointerException("serialFactory");
-        
         try
         {
-            ObjectInputStream s = serialFactory.getObjectInputStream(input); 
-            Object object = s.readObject();
-            s.close();
-            input.close();
-            s = null;
-            input = null;
-            return object;
+            input = new ByteArrayInputStream(bytes);
+
+            // get the Factory that was instantiated @ startup
+            SerialFactory serialFactory = (SerialFactory) ctx.getApplicationMap().get(SERIAL_FACTORY);
+            
+            if(serialFactory == null)
+                throw new NullPointerException("serialFactory");
+            
+            ObjectInputStream s = null;
+            Exception pendingException = null;
+            try
+            {
+                s = serialFactory.getObjectInputStream(input); 
+                Object object = null;
+                if (System.getSecurityManager() != null)
+                {
+                    final ObjectInputStream ois = s;
+                    object = AccessController.doPrivileged(new PrivilegedExceptionAction<Object>()
+                    {
+                        //Put IOException and ClassNotFoundException as "checked" exceptions,
+                        //so AccessController wrap them in a PrivilegedActionException
+                        public Object run() throws  PrivilegedActionException, IOException,
ClassNotFoundException
+                        {
+                            return ois.readObject();
+                        }
+                    });
+                    // Since s has the same instance as ois,
+                    // we don't need to close it here, rather
+                    // close it on the finally block related to s
+                    // and avoid duplicate close exceptions
+                    // finally
+                    // {
+                    //    ois.close();
+                    // }
+                }
+                else
+                {
+                    object = s.readObject();
+                }
+                return object;
+            }
+            catch (Exception e)
+            {
+                pendingException = e;
+                throw new FacesException(e);
+            }
+            finally
+            {
+                if (s != null)
+                {
+                    try
+                    {
+                        s.close();
+                    }
+                    catch (IOException e)
+                    {
+                        // If a previous exception is thrown 
+                        // ignore this, but if not, wrap it in a
+                        // FacesException and throw it. In this way
+                        // we preserve the original semantic of this
+                        // method, but we handle correctly the case
+                        // when we close a stream. Obviously, the 
+                        // information about this exception is lost,
+                        // but note that the interesting information 
+                        // is always on pendingException, since we
+                        // only do a readObject() on the outer try block.
+                        if (pendingException == null)
+                        {
+                            throw new FacesException(e);
+                        }                        
+                    }
+                    finally
+                    {
+                        s = null;
+                    }
+                }
+            }
         }
-        catch (Exception e)
+        finally
         {
-            throw new FacesException(e);
+            if (input != null)
+            {
+                try
+                {
+                    input.close();
+                }
+                catch (IOException e)
+                {
+                    //ignore it, because ByteArrayInputStream.close has
+                    //no effect, but it is better to call close and preserve
+                    //semantic from previous code.
+                }
+                finally
+                {
+                    input = null;
+                }
+            }
         }
     }
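Review bot: Wrapping `ois.readObject()` in doPrivileged makes the permission check stop at this frame, so deserialization is no longer limited by less-privileged callers below StateUtils on the stack. Where `bytes` comes from is not visible in this hunk; if it can originate from the request it should be integrity-checked before getAsObject is reached, and a comment saying so belongs above the doPrivileged call. Separately, on the security-manager path the generic `catch (Exception e)` wraps the PrivilegedActionException itself, so callers see FacesException → PrivilegedActionException → IOException instead of the FacesException → IOException produced by the else branch. Adding `catch (PrivilegedActionException e) { pendingException = e; throw new FacesException(e.getException()); }` before the generic catch keeps the cause chain identical on both paths.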
 

Modified: myfaces/shared/trunk_3.0.x/core/src/main/java/org/apache/myfaces/shared/webapp/webxml/WebXmlParser.java
URL: http://svn.apache.org/viewvc/myfaces/shared/trunk_3.0.x/core/src/main/java/org/apache/myfaces/shared/webapp/webxml/WebXmlParser.java?rev=777341&r1=777340&r2=777341&view=diff
==============================================================================
--- myfaces/shared/trunk_3.0.x/core/src/main/java/org/apache/myfaces/shared/webapp/webxml/WebXmlParser.java
(original)
+++ myfaces/shared/trunk_3.0.x/core/src/main/java/org/apache/myfaces/shared/webapp/webxml/WebXmlParser.java
Fri May 22 01:06:09 2009
@@ -29,6 +29,7 @@
 
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
+import org.apache.myfaces.shared.util.ClassUtils;
 import org.apache.myfaces.shared.util.xml.MyFacesErrorHandler;
 import org.apache.myfaces.shared.util.xml.XmlUtils;
 import org.w3c.dom.Document;
@@ -148,7 +149,7 @@
 
     private InputSource createClassloaderInputSource(String publicId, String systemId)
     {
-        InputStream inStream = Thread.currentThread().getContextClassLoader().getResourceAsStream(systemId);
+        InputStream inStream = ClassUtils.getContextClassLoader().getResourceAsStream(systemId);
         if (inStream == null)
         {
             // there is no such entity


