tomee-commits mailing list archives

From "Romain Manni-Bucau (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (TOMEE-2014) Security Permission for setPolicy
Date Tue, 14 Feb 2017 13:46:41 GMT

    [ https://issues.apache.org/jira/browse/TOMEE-2014?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15865787#comment-15865787 ]

Romain Manni-Bucau commented on TOMEE-2014:
-------------------------------------------

Applied the patch (with a small change to avoid the wrapping if no manager is in use); the
new error looks related to JSP more than anything else and may need the same kind of trick
in TomEEWebappClassLoader. There I would be more cautious, and I think it can lead to another
classloader impl handling permissions, since it slows down the startup too much to be a flag.

> Security Permission for setPolicy
> ---------------------------------
>
>                 Key: TOMEE-2014
>                 URL: https://issues.apache.org/jira/browse/TOMEE-2014
>             Project: TomEE
>          Issue Type: Bug
>          Components: TomEE Core Server
>    Affects Versions: 7.0.2
>            Reporter: Magesh
>         Attachments: AbstractSecurityService.java, tomee1.patch, tomee2.patch
>
>
> Hi,
>   We deployed our application that uses EJB in TomEE Server (apache-tomee-plus-7.0.2)
> with security mode enabled. We are getting the exception to add the below permission in
> the catalina.policy file.
> permission java.security.SecurityPermission "setPolicy";
> Log:
>   java.security.AccessControlException: access denied ("java.security.SecurityPermission" "setPolicy")
> 	at java.security.AccessControlContext.checkPermission(AccessControlContext.java:472)
> 	at java.security.AccessController.checkPermission(AccessController.java:884)
> 	at java.lang.SecurityManager.checkPermission(SecurityManager.java:549)
> 	at javax.security.jacc.PolicyContext.setContextID(PolicyContext.java:49)
> 	at org.apache.openejb.core.security.AbstractSecurityService.contextEntered(AbstractSecurityService.java:153)
> 	at org.apache.openejb.core.ThreadContext.enter(ThreadContext.java:60)
> 	at org.apache.openejb.core.stateless.StatelessContainer.invoke(StatelessContainer.java:169)
> 	at org.apache.openejb.core.ivm.EjbObjectProxyHandler.synchronizedBusinessMethod(EjbObjectProxyHandler.java:265)
> 	at org.apache.openejb.core.ivm.EjbObjectProxyHandler.businessMethod(EjbObjectProxyHandler.java:260)
> 	at org.apache.openejb.core.ivm.EjbObjectProxyHandler._invoke(EjbObjectProxyHandler.java:89)
> 	at org.apache.openejb.core.ivm.BaseEjbProxyHandler.invoke(BaseEjbProxyHandler.java:347)
> 	at com.sun.proxy.$Proxy79.getVersionPhases(Unknown Source)
> 	at biaccounting.presentation.servlet.InitServlet.initReferenceLists(InitServlet.java:141)
> 	at biaccounting.presentation.servlet.InitServlet.init(InitServlet.java:54)
> 	at javax.servlet.GenericServlet.init(GenericServlet.java:158)
> 	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> 	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
> 	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> 	at java.lang.reflect.Method.invoke(Method.java:497)
> To fix this, we commented out the below lines in the class AbstractSecurityService.java
> (please find attached)
> PolicyContext.setContextID(moduleID); --> Line#138
> PolicyContext.setContextID(null); --> Line#175
> PolicyContext.setContextID(reenteredContext.getBeanContext().getModuleID()); -->Line#177
> We have done this as a temporary fix from our end. Please let us know whether this will
> be fixed in a future release. Please let us know your comments on this one.
> Thanks & Regards,
> Magesh M



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
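
The pattern this thread turns on, as an added example (not the attached patch and not TomEE source): container code asserts its own privilege around the context-ID switch, so application code on the call stack needs no `setPolicy` grant in catalina.policy. It assumes the "wrapping" mentioned above is `AccessController.doPrivileged`; `PrivilegedContextId`, `enterModule` and the stand-in `setContextID` are hypothetical names.

```java
import java.security.AccessController;
import java.security.PrivilegedAction;
import java.security.SecurityPermission;

/** Added illustration only; names are hypothetical, not TomEE classes. */
public final class PrivilegedContextId {
    private static final ThreadLocal<String> CONTEXT_ID = new ThreadLocal<>();

    // Stand-in (assumption) for javax.security.jacc.PolicyContext.setContextID:
    // like the real method in the stack trace, it demands
    // SecurityPermission("setPolicy") from every protection domain on the stack.
    static void setContextID(String id) {
        SecurityManager sm = System.getSecurityManager();
        if (sm != null) {
            sm.checkPermission(new SecurityPermission("setPolicy"));
        }
        CONTEXT_ID.set(id);
    }

    // Container-side entry point. The module ID must come from the container's
    // own metadata, never from the calling application, because everything
    // inside doPrivileged runs with the container's permissions.
    static void enterModule(final String moduleId) {
        if (System.getSecurityManager() == null) {
            // No manager in use: no permission check happens, skip the wrapper.
            setContextID(moduleId);
            return;
        }
        // The stack walk stops at this frame, so only this class's protection
        // domain (the container code base) must hold "setPolicy"; a servlet
        // further up the stack is not consulted.
        AccessController.doPrivileged((PrivilegedAction<Void>) () -> {
            setContextID(moduleId);
            return null;
        });
    }

    public static void main(String[] args) {
        enterModule("constructed-module-id"); // constructed sample value
        System.out.println("context id = " + CONTEXT_ID.get());
    }
}
```

Keep the privileged block down to the single call: anything else placed inside it also bypasses the application's policy.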
