tomee-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From mclu <m...@markuslutum.de>
Subject OpenEJB, Embedded Tomcat and SecurityManager problem with java.lang.RuntimePermission setContextClassLoader
Date Wed, 15 Jun 2011 09:10:59 GMT
Hi..
I have a problem running my openejb app with a security manager.
My setup is a little complicated but I try to explain.

We have a running pure java based application which runs on an embedded
devide with less resources.

Now I try to get a fancy ZK Framework based Webfrontend to it to administer
stuff. I want to reuse some ejb3 code so my setup is:

The pure Java app has a optional component to start an embedded Tomcat
Server.
This tomcat server has the ZK Framework application and an init Servlet.
This init Servlet starts Openejb (libs are part of this ZK app):

        Properties properties = new Properties();
        properties.setProperty(Context.INITIAL_CONTEXT_FACTORY,
"org.apache.openejb.client.LocalInitialContextFactory");
        properties.setProperty("openejb.embedded.remotable", "true");
        properties.setProperty("openejb.configuration",
catalinaBase+"\\webapps\\zktest\\openejbhome\\conf\\openejb.xml");
        properties.setProperty("openejb.home",
catalinaBase+"\\webapps\\zktest\\openejbhome");
        InitialContext localContext =  new InitialContext(properties);

the zk webapp contains also a dir which acts as the openejb home.

The openejbhome/app dir contains the ejb3 backend session and entity beans.

And.... it works perfect. No issues....It deploys the ejb3 stuff which I can
fetch using local jndi lookups.

PROBLEM:
The pure java app needs the RMISecurityManager. The policy file which is
used is the policy all file means the content is:
grant {
    permission java.security.AllPermission "", "";
};

If I start my embedded tomcat 6.0 instance it starts as usual and deployed
the beans.
But If I do my local JNDI lookup I get a SecurityException:

I do:
 Properties p = new Properties();
 p.put("java.naming.factory.initial",
"org.apache.openejb.client.LocalInitialContextFactory");
         
 Context ctx = new InitialContext(p);
 service = (UserService)ctx.lookup("UserServiceBeanLocal");

And with the policy I get and AccessControlException.
I enabled security logging so maybe you see more than I do....

access: access allowed (java.io.FilePermission
E:\workspaces\nedap_ws\aeosmain\src\network\web\apache-tomcat-6.0.32\webapps\zktest\WEB-INF\lib\openejb-core-3.1.4.jar
read)
access: access allowed (java.lang.RuntimePermission setContextClassLoader)
access: AccessControlContext invoking the Combiner
access: access allowed (java.io.FilePermission
E:\Java\jboss-4.2.3.GA\server\aeosmain\lib\jboss-j2ee.jar read)
access: access allowed (java.security.SecurityPermission setPolicy)
access: access allowed (javax.security.jacc.EJBMethodPermission
UserServiceBean create,LocalHome,)[LocalHome:create()]
access: AccessControlContext invoking the Combiner
access: access denied (java.lang.RuntimePermission setContextClassLoader)
java.lang.Exception: Stack trace
	at java.lang.Thread.dumpStack(Thread.java:1249)
	at
java.security.AccessControlContext.checkPermission(AccessControlContext.java:313)
	at
java.security.AccessController.checkPermission(AccessController.java:546)
	at java.lang.SecurityManager.checkPermission(SecurityManager.java:532)
	at java.lang.Thread.setContextClassLoader(Thread.java:1394)
	at org.apache.openejb.core.ThreadContext.exit(ThreadContext.java:70)
	at
org.apache.openejb.core.stateless.StatelessContainer.invoke(StatelessContainer.java:186)
	at
org.apache.openejb.core.ivm.EjbHomeProxyHandler.create(EjbHomeProxyHandler.java:284)
	at
org.apache.openejb.core.ivm.EjbHomeProxyHandler._invoke(EjbHomeProxyHandler.java:169)
	at
org.apache.openejb.core.ivm.BaseEjbProxyHandler.invoke(BaseEjbProxyHandler.java:282)
	at $Proxy26.create(Unknown Source)
	at
org.apache.openejb.core.ivm.naming.BusinessLocalReference.getObject(BusinessLocalReference.java:33)
	at
org.apache.openejb.core.ivm.naming.IvmContext.lookup(IvmContext.java:171)
	at
org.apache.openejb.core.ivm.naming.ContextWrapper.lookup(ContextWrapper.java:115)
	at javax.naming.InitialContext.lookup(InitialContext.java:392)
	at
com.nedap.zk.intrusion.model.ContentWinViewCtrl.doAfterCompose(ContentWinViewCtrl.java:77)
	at
org.zkoss.zk.ui.impl.UiEngineImpl.execCreateChild0(UiEngineImpl.java:741)
	at org.zkoss.zk.ui.impl.UiEngineImpl.execCreateChild(UiEngineImpl.java:687)
	at org.zkoss.zk.ui.impl.UiEngineImpl.execCreate0(UiEngineImpl.java:631)
	at org.zkoss.zk.ui.impl.UiEngineImpl.execCreateChild(UiEngineImpl.java:663)
	at org.zkoss.zk.ui.impl.UiEngineImpl.execCreate0(UiEngineImpl.java:631)
	at org.zkoss.zk.ui.impl.UiEngineImpl.execCreate(UiEngineImpl.java:598)
	at org.zkoss.zk.ui.impl.UiEngineImpl.execNewPage0(UiEngineImpl.java:384)
	at org.zkoss.zk.ui.impl.UiEngineImpl.execNewPage(UiEngineImpl.java:306)
	at
org.zkoss.zk.ui.http.DHtmlLayoutServlet.process(DHtmlLayoutServlet.java:225)
	at
org.zkoss.zk.ui.http.DHtmlLayoutServlet.doGet(DHtmlLayoutServlet.java:146)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:690)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
	at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
	at java.lang.reflect.Method.invoke(Method.java:597)
	at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:270)
	at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:269)
	at java.security.AccessController.doPrivileged(Native Method)
	at javax.security.auth.Subject.doAsPrivileged(Subject.java:517)
	at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:302)
	at
org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:163)
	at
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:283)
	at
org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:56)
	at
org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:189)
	at java.security.AccessController.doPrivileged(Native Method)
	at
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:185)
	at
org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
	at
org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
	at
org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
	at
org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
	at
org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
	at
org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:298)
	at
org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:859)
	at
org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:588)
	at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:489)
	at java.lang.Thread.run(Thread.java:662)
access: access allowed (java.security.SecurityPermission getPolicy)
access: access allowed (java.io.FilePermission
E:\workspaces\nedap_ws\aeosmain\src\network\web\apache-tomcat-6.0.32\webapps\zktest\WEB-INF\lib\openejb-core-3.1.4.jar
read)
access: domain that failed ProtectionDomain 
(file:/E:/workspaces/nedap_ws/aeosmain/src/network/web/apache-tomcat-6.0.32/webapps/zktest/WEB-INF/lib/openejb-core-3.1.4.jar
<no signer certificates>)
 WebappClassLoader
  context: /zktest
  delegate: false
  repositories:
    /WEB-INF/classes/
----------> Parent Classloader:
sun.misc.Launcher$AppClassLoader@558fe7c3

 <no principals>
 java.security.Permissions@5c5fba1c (
 (java.security.AllPermission <all permissions> <all actions>)
 (java.util.PropertyPermission line.separator read)
 (java.util.PropertyPermission java.vm.version read)
 (java.util.PropertyPermission java.vm.specification.version read)
 (java.util.PropertyPermission java.vm.specification.vendor read)
 (java.util.PropertyPermission java.vendor.url read)
 (java.util.PropertyPermission java.vm.name read)
 (java.util.PropertyPermission os.name read)
 (java.util.PropertyPermission java.vm.vendor read)
 (java.util.PropertyPermission path.separator read)
 (java.util.PropertyPermission java.specification.name read)
 (java.util.PropertyPermission os.version read)
 (java.util.PropertyPermission os.arch read)
 (java.util.PropertyPermission java.class.version read)
 (java.util.PropertyPermission java.version read)
 (java.util.PropertyPermission file.separator read)
 (java.util.PropertyPermission java.vendor read)
 (java.util.PropertyPermission java.vm.specification.name read)
 (java.util.PropertyPermission java.specification.version read)
 (java.util.PropertyPermission java.specification.vendor read)
 (java.io.FilePermission
E:\workspaces\nedap_ws\aeosmain\src\network\web\apache-tomcat-6.0.32\webapps\zktest\WEB-INF\lib\-
read)
 (java.io.FilePermission
E:\workspaces\nedap_ws\aeosmain\src\network\web\apache-tomcat-6.0.32\webapps\zktest\WEB-INF\lib
read)
 (java.io.FilePermission
E:\workspaces\nedap_ws\aeosmain\src\network\web\apache-tomcat-6.0.32\webapps\zktest\-
read)
 (java.io.FilePermission
E:\workspaces\nedap_ws\aeosmain\src\network\web\apache-tomcat-6.0.32\webapps\zktest
read)
 (java.io.FilePermission
E:\workspaces\nedap_ws\aeosmain\src\network\web\apache-tomcat-6.0.32\work\null\localhost\zktest\-
read,write,delete)
 (java.io.FilePermission
E:\workspaces\nedap_ws\aeosmain\src\network\web\apache-tomcat-6.0.32\work\null\localhost\zktest
read,write)
 (java.io.FilePermission
\E:\workspaces\nedap_ws\aeosmain\src\network\web\apache-tomcat-6.0.32\webapps\zktest\WEB-INF\lib\openejb-core-3.1.4.jar
read)
 (java.net.SocketPermission localhost:1024- listen,resolve)
 (org.apache.naming.JndiPermission jndi:/localhost/zktest/*)
 (org.apache.naming.JndiPermission jndi:/localhost/zktest/WEB-INF/lib/*)
 (org.apache.naming.JndiPermission jndi:/localhost/zktest/WEB-INF/classes/*)
 (java.lang.RuntimePermission stopThread)
)
-------------------------------------------------------------------

Any Ideas?
I tried to solve this now for about 8h. I think next I will do some tests
with jetty....











--
View this message in context: http://openejb.979440.n4.nabble.com/OpenEJB-Embedded-Tomcat-and-SecurityManager-problem-with-java-lang-RuntimePermission-setContextClassr-tp3598921p3598921.html
Sent from the OpenEJB User mailing list archive at Nabble.com.

Mime
View raw message