https://issues.apache.org/jira/browse/LOGGING-134
On Tue, Dec 29, 2009 at 2:12 PM, Bartosz Baranowski <baran...@gmail.com> wrote:

> Hi Dennis
> Please see inline
>
> On Tue, Dec 29, 2009 at 11:22 AM, Dennis Lundberg <denn...@apache.org> wrote:
>
>> First I just want to make sure that you are using version 1.1.1 of
>> commons-logging.
>>
>> Tested against 1.1.0 and 1.1.1
>
> If that is the case then please file an issue in JIRA at
>> http://issues.apache.org/jira/browse/LOGGING
>>
> Ok, I will. Just wanted to get indication if it's a valid issue - jdoc
> comments indicated it may not be.
> Thanks.
>
>> If you have a test project that can be used to verify the issue, then
>> that is even better. Attach that project to JIRA, if you have one.
>>
>> Project is quite big. It requires jboss+mobicents, but I can try to submit
> something smaller that can be run to test.
>
>> Phil Steitz wrote:
>> > Since this list is shared by all commons components, we follow the
>> > convention of prefixing the subject line of each post with the
>> > component that the post refers to. You will get answers to
>> > questions faster that way. Thanks!
>> >
>> > Phil
>> >
>> > Bartosz Baranowski wrote:
>> >> Hi All
>> >> I'm banging against a security issue with commons. I've looked through src which
>> >> seems to have contradicting jdoc entry for LogFactory.getClassLoader().
>> >> Is there any estimation on adding proper access control to commons? In light
>> >> of jdoc comment it seems there is none?
>> >>
>> >> Thing is that commons will not initialize even when jar(commons) has
>> >> "AllPermissions" - since if at some point in call stack code passes
>> >> unprivileged domain, permissions will be restricted to that domain's set.
>> >> It restricts initialization to be done in special blocks, a bit awkward I
>> >> must say.
>> >>
>> >> Failure could look as follows:
>> >> java.lang.ExceptionInInitializerError
>> >>     at org.jboss.cache.commands.CommandsFactoryImpl.buildRemoveNodeCommand(CommandsFactoryImpl.java:271)
>> >>     at org.jboss.cache.invocation.CacheInvocationDelegate.removeNode(CacheInvocationDelegate.java:477)
>> >>     at org.jboss.cache.invocation.NodeInvocationDelegate.removeChild(NodeInvocationDelegate.java:355)
>> >>     at org.mobicents.slee.runtime.facilities.ActivityContextNamingFacilityCacheData.unbindName(ActivityContextNamingFacilityCacheData.java:75)
>> >>     at org.mobicents.slee.runtime.facilities.ActivityContextNamingFacilityImpl.unbind(ActivityContextNamingFacilityImpl.java:122)
>> >>     at org.mobicents.tests.SecTestSbb.testNamingFacility(SecTestSbb.java:182)
>> >>     at org.mobicents.tests.SecTestSbb.onServiceStartedEvent(SecTestSbb.java:106)
>> >>     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>> >>     at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
>> >>     at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
>> >>     at java.lang.reflect.Method.invoke(Unknown Source)
>> >>     at org.mobicents.slee.runtime.sbbentity.SbbEntity$1.run(SbbEntity.java:664)
>> >>     at java.security.AccessController.doPrivileged(Native Method)
>> >>     at org.mobicents.slee.runtime.sbbentity.SbbEntity.invokeEventHandler(SbbEntity.java:662)
>> >>     at org.mobicents.slee.runtime.eventrouter.routingtask.EventRoutingTask.routeQueuedEvent(EventRoutingTask.java:351)
>> >>     at org.mobicents.slee.runtime.eventrouter.routingtask.EventRoutingTask.access$000(EventRoutingTask.java:33)
>> >>     at org.mobicents.slee.runtime.eventrouter.routingtask.EventRoutingTask$1.run(EventRoutingTask.java:106)
>> >>     at java.security.AccessController.doPrivileged(Native Method)
>> >>     at org.mobicents.slee.runtime.eventrouter.routingtask.EventRoutingTask.run(EventRoutingTask.java:103)
>> >>     at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(Unknown Source)
>> >>     at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
>> >>     at java.lang.Thread.run(Unknown Source)
>> >> Caused by: org.apache.commons.logging.LogConfigurationException: java.security.AccessControlException: access denied (java.lang.RuntimePermission getClassLoader) (Caused by java.security.AccessControlException: access denied (java.lang.RuntimePermission getClassLoader))
>> >>     at org.apache.commons.logging.impl.LogFactoryImpl.newInstance(LogFactoryImpl.java:637)
>> >>     at org.apache.commons.logging.impl.LogFactoryImpl.getInstance(LogFactoryImpl.java:336)
>> >>     at org.apache.commons.logging.impl.LogFactoryImpl.getInstance(LogFactoryImpl.java:310)
>> >>     at org.apache.commons.logging.LogFactory.getLog(LogFactory.java:685)
>> >>     at org.jboss.cache.commands.write.RemoveNodeCommand.<clinit>(RemoveNodeCommand.java:45)
>> >>     ... 22 more
>> >> Caused by: java.security.AccessControlException: access denied (java.lang.RuntimePermission getClassLoader)
>> >>     at java.security.AccessControlContext.checkPermission(Unknown Source)
>> >>     at java.security.AccessController.checkPermission(Unknown Source)
>> >>     at java.lang.SecurityManager.checkPermission(Unknown Source)
>> >>     at java.lang.ClassLoader.getParent(Unknown Source)
>> >>     at org.apache.commons.logging.impl.LogFactoryImpl.getLowestClassLoader(LogFactoryImpl.java:1327)
>> >>     at org.apache.commons.logging.impl.LogFactoryImpl.getBaseClassLoader(LogFactoryImpl.java:1247)
>> >>     at org.apache.commons.logging.impl.LogFactoryImpl.createLogFromClass(LogFactoryImpl.java:1048)
>> >>     at org.apache.commons.logging.impl.LogFactoryImpl.discoverLogImplementation(LogFactoryImpl.java:858)
>> >>     at org.apache.commons.logging.impl.LogFactoryImpl.newInstance(LogFactoryImpl.java:604)
>> >>     ... 26 more
>> >>
>> >> Where all classes except "org.mobicents.tests.SecTestSbb" have
>> >> "AllPermissions"
>> >>
>> >> Fix seems easy and if it is desired I can gladly contribute.
>> >
>> > ---------------------------------------------------------------------
>> > To unsubscribe, e-mail: dev-unsubscr...@commons.apache.org
>> > For additional commands, e-mail: dev-h...@commons.apache.org
>>
>> --
>> Dennis Lundberg
>
> --
> Bartosz Baranowski
> JBoss R & D
> ==================================
> Word of criticism meant to improve is always step forward.

--
Bartosz Baranowski
JBoss R & D
==================================
Word of criticism meant to improve is always step forward.
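
In the trace quoted above, the unprivileged SecTestSbb frame sits between the container's doPrivileged call and the fully trusted commons-logging frames, so the getClassLoader check in ClassLoader.getParent() fails; the usual remedy for this pattern is for the library to wrap that one call in AccessController.doPrivileged. The following is an added example, not code from commons-logging or from this thread: the class PrivilegedLoaderWalk and its methods are hypothetical, and it assumes a JDK where the SecurityManager API is still present (deprecated since Java 17).

```java
import java.security.AccessController;
import java.security.PrivilegedAction;

// Added illustration; not the commons-logging source. All names are hypothetical.
public final class PrivilegedLoaderWalk {

    // Stack inspection stops at the frame that calls doPrivileged, so only this
    // class's protection domain must hold RuntimePermission("getClassLoader");
    // unprivileged callers earlier in the call chain are no longer consulted.
    // Kept private: a loader obtained here must not be handed to untrusted callers.
    private static ClassLoader parentOf(final ClassLoader cl) {
        return AccessController.doPrivileged(new PrivilegedAction<ClassLoader>() {
            public ClassLoader run() {
                return cl.getParent();
            }
        });
    }

    // True if 'ancestor' is 'cl' itself or appears in its parent chain.
    private static boolean isSelfOrAncestor(ClassLoader ancestor, ClassLoader cl) {
        for (ClassLoader c = cl; c != null; c = parentOf(c)) {
            if (c == ancestor) {
                return true;
            }
        }
        return false;
    }

    // Returns whichever loader is lower in the hierarchy, or null if unrelated.
    // A null argument stands for the bootstrap loader, the root of every chain.
    private static ClassLoader lowest(ClassLoader c1, ClassLoader c2) {
        if (c1 == null) return c2;
        if (c2 == null) return c1;
        if (isSelfOrAncestor(c1, c2)) return c2;
        if (isSelfOrAncestor(c2, c1)) return c1;
        return null;
    }

    public static void main(String[] args) {
        ClassLoader app = PrivilegedLoaderWalk.class.getClassLoader();
        ClassLoader parent = parentOf(app);
        // The application loader is a descendant of its own parent.
        System.out.println(lowest(app, parent) == app);
    }
}
```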