Since this list is shared by all commons components, we follow the convention of prefixing the subject line of each post with the component that the post refers to. You will get answers to questions faster that way. Thanks!
Phil Bartosz Baranowski wrote: > Hi All > Im banging against security issue with commons. Ive looked through src which > seems to have contadicting jdoc entry for LogFactory.getClassLoader(). > Is there any estimation on adding proper access control to commons? In light > of jdoc comment it seems there is none? > > Thing is that commons will not initialize even when jar(commons) has > "AllPermissions" - since if at some point in call stack code passes > unpriviledged domain, permissions will be restricted to that domains set. > It restricts initialization to be done in special blocks, a bit akward I > must say. > > Failure could look as follows: > java.lang.ExceptionInInitializerError > at > org.jboss.cache.commands.CommandsFactoryImpl.buildRemoveNodeCommand(CommandsFactoryImpl.java:271) > at > org.jboss.cache.invocation.CacheInvocationDelegate.removeNode(CacheInvocationDelegate.java:477) > at > org.jboss.cache.invocation.NodeInvocationDelegate.removeChild(NodeInvocationDelegate.java:355) > at > org.mobicents.slee.runtime.facilities.ActivityContextNamingFacilityCacheData.unbindName(ActivityContextNamingFacilityCacheData.java:75) > at > org.mobicents.slee.runtime.facilities.ActivityContextNamingFacilityImpl.unbind(ActivityContextNamingFacilityImpl.java:122) > at > org.mobicents.tests.SecTestSbb.testNamingFacility(SecTestSbb.java:182) > at > org.mobicents.tests.SecTestSbb.onServiceStartedEvent(SecTestSbb.java:106) > at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) > at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source) > at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source) > at java.lang.reflect.Method.invoke(Unknown Source) > at > org.mobicents.slee.runtime.sbbentity.SbbEntity$1.run(SbbEntity.java:664) > at java.security.AccessController.doPrivileged(Native Method) > at > org.mobicents.slee.runtime.sbbentity.SbbEntity.invokeEventHandler(SbbEntity.java:662) > at > org.mobicents.slee.runtime.eventrouter.routingtask.EventRoutingTask.routeQueuedEvent(EventRoutingTask.java:351) > at > org.mobicents.slee.runtime.eventrouter.routingtask.EventRoutingTask.access$000(EventRoutingTask.java:33) > at > org.mobicents.slee.runtime.eventrouter.routingtask.EventRoutingTask$1.run(EventRoutingTask.java:106) > at java.security.AccessController.doPrivileged(Native Method) > at > org.mobicents.slee.runtime.eventrouter.routingtask.EventRoutingTask.run(EventRoutingTask.java:103) > at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(Unknown > Source) > at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown > Source) > at java.lang.Thread.run(Unknown Source) > Caused by: org.apache.commons.logging.LogConfigurationException: > java.security.AccessControlException: access denied > (java.lang.RuntimePermission getClassLoader) (Caused by > java.security.AccessControl > Exception: access denied (java.lang.RuntimePermission getClassLoader)) > at > org.apache.commons.logging.impl.LogFactoryImpl.newInstance(LogFactoryImpl.java:637) > at > org.apache.commons.logging.impl.LogFactoryImpl.getInstance(LogFactoryImpl.java:336) > at > org.apache.commons.logging.impl.LogFactoryImpl.getInstance(LogFactoryImpl.java:310) > at org.apache.commons.logging.LogFactory.getLog(LogFactory.java:685) > at > org.jboss.cache.commands.write.RemoveNodeCommand.<clinit>(RemoveNodeCommand.java:45) > ... 22 more > Caused by: java.security.AccessControlException: access denied > (java.lang.RuntimePermission getClassLoader) > at java.security.AccessControlContext.checkPermission(Unknown > Source) > at java.security.AccessController.checkPermission(Unknown Source) > at java.lang.SecurityManager.checkPermission(Unknown Source) > at java.lang.ClassLoader.getParent(Unknown Source) > at > org.apache.commons.logging.impl.LogFactoryImpl.getLowestClassLoader(LogFactoryImpl.java:1327) > at > org.apache.commons.logging.impl.LogFactoryImpl.getBaseClassLoader(LogFactoryImpl.java:1247) > at > org.apache.commons.logging.impl.LogFactoryImpl.createLogFromClass(LogFactoryImpl.java:1048) > at > org.apache.commons.logging.impl.LogFactoryImpl.discoverLogImplementation(LogFactoryImpl.java:858) > at > org.apache.commons.logging.impl.LogFactoryImpl.newInstance(LogFactoryImpl.java:604) > ... 26 more > > Where all classes except "org.mobicents.tests.SecTestSbb" have > "AllPermissions" > > Fix seems easy and if it is desired I can gladly contribute. --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@commons.apache.org For additional commands, e-mail: dev-h...@commons.apache.org
