tomee-commits mailing list archives

From "Magesh (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (TOMEE-2014) Security Permission for setPolicy
Date Thu, 16 Feb 2017 15:04:41 GMT

     [ https://issues.apache.org/jira/browse/TOMEE-2014?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Magesh updated TOMEE-2014:
--------------------------
    Attachment: tomee-catalina.patch
                openejb-core.patch

> Security Permission for setPolicy
> ---------------------------------
>
>                 Key: TOMEE-2014
>                 URL: https://issues.apache.org/jira/browse/TOMEE-2014
>             Project: TomEE
>          Issue Type: Bug
>          Components: TomEE Core Server
>    Affects Versions: 7.0.2
>            Reporter: Magesh
>         Attachments: AbstractSecurityService.java, openejb-core.patch, tomee1.patch, tomee2.patch, tomee-catalina.patch
>
>
> Hi,
>   We deployed our application, which uses EJB, on TomEE Server (apache-tomee-plus-7.0.2) with security mode enabled. We are getting an exception asking us to add the permission below to the catalina.policy file.
> permission java.security.SecurityPermission "setPolicy";
> Log:
>   java.security.AccessControlException: access denied ("java.security.SecurityPermission" "setPolicy")
> 	at java.security.AccessControlContext.checkPermission(AccessControlContext.java:472)
> 	at java.security.AccessController.checkPermission(AccessController.java:884)
> 	at java.lang.SecurityManager.checkPermission(SecurityManager.java:549)
> 	at javax.security.jacc.PolicyContext.setContextID(PolicyContext.java:49)
> 	at org.apache.openejb.core.security.AbstractSecurityService.contextEntered(AbstractSecurityService.java:153)
> 	at org.apache.openejb.core.ThreadContext.enter(ThreadContext.java:60)
> 	at org.apache.openejb.core.stateless.StatelessContainer.invoke(StatelessContainer.java:169)
> 	at org.apache.openejb.core.ivm.EjbObjectProxyHandler.synchronizedBusinessMethod(EjbObjectProxyHandler.java:265)
> 	at org.apache.openejb.core.ivm.EjbObjectProxyHandler.businessMethod(EjbObjectProxyHandler.java:260)
> 	at org.apache.openejb.core.ivm.EjbObjectProxyHandler._invoke(EjbObjectProxyHandler.java:89)
> 	at org.apache.openejb.core.ivm.BaseEjbProxyHandler.invoke(BaseEjbProxyHandler.java:347)
> 	at com.sun.proxy.$Proxy79.getVersionPhases(Unknown Source)
> 	at biaccounting.presentation.servlet.InitServlet.initReferenceLists(InitServlet.java:141)
> 	at biaccounting.presentation.servlet.InitServlet.init(InitServlet.java:54)
> 	at javax.servlet.GenericServlet.init(GenericServlet.java:158)
> 	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> 	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
> 	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> 	at java.lang.reflect.Method.invoke(Method.java:497)
> To fix this, we commented out the lines below in the class AbstractSecurityService.java (please find attached):
> PolicyContext.setContextID(moduleID); --> Line#138
> PolicyContext.setContextID(null); --> Line#175
> PolicyContext.setContextID(reenteredContext.getBeanContext().getModuleID()); --> Line#177
> We have done this as a temporary fix from our end. Please let us know whether this will be fixed in a future release. Please let us know your comments on this one.
> Thanks & Regards,
> Magesh M



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
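
A triage sketch for the trace quoted in this issue, added here as an example and not code from TomEE or the reporter: it extracts the denied permission, the API that demanded it, that API's caller, and the application classes on the stack (every protection domain on the stack must hold the permission unless a frame nearer the check uses `AccessController.doPrivileged`). The sample trace is a shortened copy of the one above, and the prefix list separating JDK and container classes from application code is an assumption.

```python
import re

# Constructed sample: a shortened copy of the trace quoted in the issue.
SAMPLE_TRACE = '''\
java.security.AccessControlException: access denied ("java.security.SecurityPermission" "setPolicy")
    at java.security.AccessControlContext.checkPermission(AccessControlContext.java:472)
    at java.security.AccessController.checkPermission(AccessController.java:884)
    at java.lang.SecurityManager.checkPermission(SecurityManager.java:549)
    at javax.security.jacc.PolicyContext.setContextID(PolicyContext.java:49)
    at org.apache.openejb.core.security.AbstractSecurityService.contextEntered(AbstractSecurityService.java:153)
    at com.sun.proxy.$Proxy79.getVersionPhases(Unknown Source)
    at biaccounting.presentation.servlet.InitServlet.init(InitServlet.java:54)
    at javax.servlet.GenericServlet.init(GenericServlet.java:158)
'''

DENIED = re.compile(r'access denied \("([^"]+)"((?:\s+"[^"]*")*)\)')
FRAME = re.compile(r'^\s*at\s+([\w.$]+)\.[\w$<>]+\(', re.M)
# Assumption: classes under these prefixes belong to the JDK or the container;
# anything else is treated as deployed application code.
CONTAINER_PREFIXES = ("java.", "javax.", "sun.", "com.sun.",
                      "org.apache.openejb.", "org.apache.catalina.")

def triage(trace):
    """Return what was denied and whose code was on the stack, or None."""
    denied = DENIED.search(trace)
    if denied is None:
        return None
    # Quoted values after the permission class: target name, then optional actions.
    quoted = ['"%s"' % a for a in re.findall(r'"([^"]*)"', denied.group(2))]
    policy_line = "permission " + denied.group(1) + (" " + ", ".join(quoted) if quoted else "") + ";"
    classes = FRAME.findall(trace)
    # The first non-"java." frame is the API that demanded the permission;
    # the frame below it is the caller that could assert its own privileges.
    idx = next((i for i, c in enumerate(classes) if not c.startswith("java.")), None)
    has_caller = idx is not None and idx + 1 < len(classes)
    app = []
    for c in classes:
        if not c.startswith(CONTAINER_PREFIXES) and c not in app:
            app.append(c)
    return {
        "policy_line": policy_line,
        "demanded_by": classes[idx] if idx is not None else None,
        "called_from": classes[idx + 1] if has_caller else None,
        "application_classes": app,
    }

if __name__ == "__main__":
    print(triage(SAMPLE_TRACE))
```

Here the only application class is the servlet, so a policy grant would hand `setPolicy`, which allows replacing the JVM-wide policy, to the web application's code base.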
