Hi All,

I'm banging against a security issue with commons. I've looked through the src, which seems to have a contradicting jdoc entry for LogFactory.getClassLoader(). Is there any estimation on adding proper access control to commons? In light of the jdoc comment it seems there is none?
Thing is that commons will not initialize even when the jar (commons) has "AllPermissions", since if at some point in the call stack code passes an unprivileged domain, permissions will be restricted to that domain's set. It restricts initialization to be done in special blocks, a bit awkward I must say. Failure could look as follows:

java.lang.ExceptionInInitializerError
    at org.jboss.cache.commands.CommandsFactoryImpl.buildRemoveNodeCommand(CommandsFactoryImpl.java:271)
    at org.jboss.cache.invocation.CacheInvocationDelegate.removeNode(CacheInvocationDelegate.java:477)
    at org.jboss.cache.invocation.NodeInvocationDelegate.removeChild(NodeInvocationDelegate.java:355)
    at org.mobicents.slee.runtime.facilities.ActivityContextNamingFacilityCacheData.unbindName(ActivityContextNamingFacilityCacheData.java:75)
    at org.mobicents.slee.runtime.facilities.ActivityContextNamingFacilityImpl.unbind(ActivityContextNamingFacilityImpl.java:122)
    at org.mobicents.tests.SecTestSbb.testNamingFacility(SecTestSbb.java:182)
    at org.mobicents.tests.SecTestSbb.onServiceStartedEvent(SecTestSbb.java:106)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
    at java.lang.reflect.Method.invoke(Unknown Source)
    at org.mobicents.slee.runtime.sbbentity.SbbEntity$1.run(SbbEntity.java:664)
    at java.security.AccessController.doPrivileged(Native Method)
    at org.mobicents.slee.runtime.sbbentity.SbbEntity.invokeEventHandler(SbbEntity.java:662)
    at org.mobicents.slee.runtime.eventrouter.routingtask.EventRoutingTask.routeQueuedEvent(EventRoutingTask.java:351)
    at org.mobicents.slee.runtime.eventrouter.routingtask.EventRoutingTask.access$000(EventRoutingTask.java:33)
    at org.mobicents.slee.runtime.eventrouter.routingtask.EventRoutingTask$1.run(EventRoutingTask.java:106)
    at java.security.AccessController.doPrivileged(Native Method)
    at org.mobicents.slee.runtime.eventrouter.routingtask.EventRoutingTask.run(EventRoutingTask.java:103)
    at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(Unknown Source)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
    at java.lang.Thread.run(Unknown Source)
Caused by: org.apache.commons.logging.LogConfigurationException: java.security.AccessControlException: access denied (java.lang.RuntimePermission getClassLoader) (Caused by java.security.AccessControlException: access denied (java.lang.RuntimePermission getClassLoader))
    at org.apache.commons.logging.impl.LogFactoryImpl.newInstance(LogFactoryImpl.java:637)
    at org.apache.commons.logging.impl.LogFactoryImpl.getInstance(LogFactoryImpl.java:336)
    at org.apache.commons.logging.impl.LogFactoryImpl.getInstance(LogFactoryImpl.java:310)
    at org.apache.commons.logging.LogFactory.getLog(LogFactory.java:685)
    at org.jboss.cache.commands.write.RemoveNodeCommand.<clinit>(RemoveNodeCommand.java:45)
    ... 22 more
Caused by: java.security.AccessControlException: access denied (java.lang.RuntimePermission getClassLoader)
    at java.security.AccessControlContext.checkPermission(Unknown Source)
    at java.security.AccessController.checkPermission(Unknown Source)
    at java.lang.SecurityManager.checkPermission(Unknown Source)
    at java.lang.ClassLoader.getParent(Unknown Source)
    at org.apache.commons.logging.impl.LogFactoryImpl.getLowestClassLoader(LogFactoryImpl.java:1327)
    at org.apache.commons.logging.impl.LogFactoryImpl.getBaseClassLoader(LogFactoryImpl.java:1247)
    at org.apache.commons.logging.impl.LogFactoryImpl.createLogFromClass(LogFactoryImpl.java:1048)
    at org.apache.commons.logging.impl.LogFactoryImpl.discoverLogImplementation(LogFactoryImpl.java:858)
    at org.apache.commons.logging.impl.LogFactoryImpl.newInstance(LogFactoryImpl.java:604)
    ... 26 more

Where all classes except "org.mobicents.tests.SecTestSbb" have "AllPermissions".

Fix seems easy and if it is desired I can gladly contribute.
--
Bartosz Baranowski
JBoss R & D
==================================
Word of criticism meant to improve is always step forward.
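
Added example, not part of the original message and not commons-logging code: a sketch of the kind of privileged block the trace points at, wrapping the ClassLoader.getParent() call that fails in getLowestClassLoader so the check stops at the library's own protection domain. The class and method names are hypothetical, and it assumes a JVM where a SecurityManager is in use, as in the report.

```java
import java.security.AccessController;
import java.security.PrivilegedAction;

/** Hypothetical helper for illustration; names are not from commons-logging. */
public final class PrivilegedLoaderWalk {

    /** Reads loader.getParent() with this class's own permissions only. */
    private static ClassLoader parentOf(final ClassLoader loader) {
        try {
            // doPrivileged cuts the stack inspection off at this frame, so an
            // unprivileged caller higher up (SecTestSbb in the report) no longer
            // turns the getClassLoader check into AccessControlException.
            // Note: AccessController is deprecated for removal since Java 17.
            return AccessController.doPrivileged(new PrivilegedAction<ClassLoader>() {
                public ClassLoader run() {
                    return loader.getParent();
                }
            });
        } catch (SecurityException e) {
            // This code base itself lacks the permission: treat parent as unknown.
            return null;
        }
    }

    /** True if 'ancestor' is 'loader' itself or appears in its parent chain. */
    private static boolean isAncestor(ClassLoader ancestor, ClassLoader loader) {
        for (ClassLoader c = loader; c != null; c = parentOf(c)) {
            if (c == ancestor) {
                return true;
            }
        }
        return false;
    }

    /** Returns the loader lower in the delegation chain, or null if unrelated. */
    static ClassLoader lowest(ClassLoader a, ClassLoader b) {
        if (a == null) return b;   // null stands for the bootstrap loader
        if (b == null) return a;
        if (isAncestor(a, b)) return b;
        if (isAncestor(b, a)) return a;
        return null;
    }

    public static void main(String[] args) {
        // Kept package-private and narrow on purpose: privileged helpers should
        // not hand class loaders back to untrusted callers through a public API.
        ClassLoader own = PrivilegedLoaderWalk.class.getClassLoader();
        ClassLoader tccl = Thread.currentThread().getContextClassLoader();
        System.out.println("lowest loader: " + lowest(own, tccl));
    }
}
```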