[
https://issues.apache.org/jira/browse/TOMEE-2013?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15855718#comment-15855718
]
Magesh commented on TOMEE-2013:
-------------------------------
Hi,
We can take care of the permissions requested as part of the EclipseLink jar.
But our concern is regarding the
permission java.util.PropertyPermission "*", "read,write";
We got the above permission issue from the classes
org.apache.openejb.core.transaction.EjbTransactionUtil and
org.apache.openejb.core.transaction.JtaTransactionPolicy, which try to access
the org.apache.openejb.util.Logger class. Logger.java has the code which tries
to get the system properties.
Please refer to lines 42 to 75 in the attached file.
public static synchronized void configure(Properties config)
{
    if (logStreamFactory != null) {
        return;
    }
    String julFqn = JuliLogStreamFactory.class.getName();
    String factoryName = config.getProperty("openejb.log.factory",
        SystemInstance.isInitialized() ?
        SystemInstance.get().getOptions().get("openejb.log.factory", julFqn) : julFqn);
    if (("jul".equalsIgnoreCase(factoryName)) ||
        ("juli".equalsIgnoreCase(factoryName))) {
        factoryName = JuliLogStreamFactory.class.getName();
    } else if ("slf4j".equalsIgnoreCase(factoryName)) {
        factoryName = Slf4jLogStreamFactory.class.getName();
    } else if ("log4j".equalsIgnoreCase(factoryName))
    {
        if (exists("org.apache.log4j.Logger")) {
            factoryName = "org.apache.openejb.util.Log4jLogStreamFactory";
        } else {
            System.out.println("Cannot respect 'openejb.log.factory=log4j' setting as Log4j is not in the classpath.");
        }
    }
    else if ("pax".equalsIgnoreCase(factoryName)) {
        factoryName = "org.apache.openejb.util.PaxLogStreamFactory";
    } else if ("log4j2".equalsIgnoreCase(factoryName)) {
        factoryName = "org.apache.openejb.util.Log4j2LogStreamFactory";
    }
    String[] specialKeys = { "openejb.jul.forceReload",
        "openejb.jul.consoleHandlerClazz", "openejb.logger.external" };
    String[] originals = new String[specialKeys.length];
    // Save the current system values of the special keys, then override them
    // from config. getProperty checks PropertyPermission "read" and
    // setProperty checks "write" under a security manager.
    for (int i = 0; i < specialKeys.length; i++)
    {
        originals[i] = System.getProperty(specialKeys[i]);
        String property = config.getProperty(specialKeys[i],
            SystemInstance.isInitialized() ?
            SystemInstance.get().getOptions().get(specialKeys[i], (String)null) : null);
        if (property != null) {
            System.setProperty(specialKeys[i], property);
        }
    }
    try
    {
        if (factoryName != null) {
            logStreamFactory = createFactory(factoryName);
        }
        if (isLog4jImplied()) {
            logStreamFactory =
                createFactory("org.apache.openejb.util.Log4jLogStreamFactory");
        }
        if (logStreamFactory == null) {
            logStreamFactory = new JuliLogStreamFactory();
        }
        checkForIgnoredLog4jConfig();
    }
    finally
    {
        // int i;
        // Restore the saved values; clearProperty and setProperty both
        // check PropertyPermission "write".
        for (int i = 0; i < specialKeys.length; i++) {
            if (originals[i] == null) {
                System.clearProperty(specialKeys[i]);
            } else {
                System.setProperty(specialKeys[i], originals[i]);
            }
        }
    }
}
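An added example, not part of the original comment or of the TomEE code base: it uses java.util.PropertyPermission and PermissionCollection.implies to compare the wildcard grant with a grant limited to the three specialKeys that the posted configure() method reads and writes. The class name PropertyGrantCheck is hypothetical, and the example assumes the posted lines are the only system-property accesses in question.

```java
import java.security.PermissionCollection;
import java.security.Permissions;
import java.util.PropertyPermission;

// Added example: compares the wildcard grant from the issue with a narrow
// grant covering only the keys the posted configure() method touches.
public class PropertyGrantCheck {

    // Keys copied from the specialKeys array in the posted configure() method.
    static final String[] SPECIAL_KEYS = {
        "openejb.jul.forceReload",
        "openejb.jul.consoleHandlerClazz",
        "openejb.logger.external"
    };

    // System.getProperty checks "read"; setProperty and clearProperty check "write".
    static PermissionCollection narrowGrant() {
        Permissions p = new Permissions();
        for (String key : SPECIAL_KEYS) {
            p.add(new PropertyPermission(key, "read,write"));
        }
        return p;
    }

    // The grant the issue reports as currently required.
    static PermissionCollection wildcardGrant() {
        Permissions p = new Permissions();
        p.add(new PropertyPermission("*", "read,write"));
        return p;
    }

    static void report(String label, PermissionCollection grant) {
        System.out.println(label);
        for (String key : SPECIAL_KEYS) {
            boolean ok = grant.implies(new PropertyPermission(key, "read,write"));
            System.out.println("  configure() access to " + key + ": " + ok);
        }
        // A key from the issue's list that configure() never needs to write.
        PropertyPermission pw =
            new PropertyPermission("javax.persistence.jdbc.password", "write");
        System.out.println("  write javax.persistence.jdbc.password: " + grant.implies(pw));
    }

    public static void main(String[] args) {
        report("wildcard grant:", wildcardGrant());
        report("narrow grant:", narrowGrant());
    }
}
```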
> Java PropertyPermission
> -----------------------
>
> Key: TOMEE-2013
> URL: https://issues.apache.org/jira/browse/TOMEE-2013
> Project: TomEE
> Issue Type: Bug
> Components: TomEE Core Server
> Affects Versions: 7.0.2
> Reporter: Magesh
> Labels: security
> Attachments: openejb-core-7.0.2.jar, Security_Permissions_openejb.txt
>
>
> Hi,
> We are using TomEE server (apache-tomee-plus-7.0.2) to deploy our
> applications which use EJBs. When we run the server with security mode
> enabled, applications are not getting deployed without the below permission.
> permission java.util.PropertyPermission "*", "read,write";
> We made some changes to the openejb-core-7.0.2.jar file in the classes
> org.apache.openejb.core.transaction.EjbTransactionUtil,
> org.apache.openejb.core.transaction.JtaTransactionPolicy
> After the changes were made the following specific permissions were required.
> permission java.util.PropertyPermission "javax.persistence.transactionType", "read";
> permission java.util.PropertyPermission "javax.persistence.schema-generation.database.action", "read";
> permission java.util.PropertyPermission "javax.persistence.schema-generation.scripts.action", "read";
> permission java.util.PropertyPermission "javax.persistence.jdbc.user", "read";
> permission java.util.PropertyPermission "javax.persistence.jdbc.password", "read";
> permission java.util.PropertyPermission "javax.persistence.jtaDataSource", "read";
> permission java.util.PropertyPermission "javax.persistence.nonJtaDataSource", "read";
> permission java.util.PropertyPermission "javax.persistence.lock.timeout", "read";
> permission java.util.PropertyPermission "javax.persistence.query.timeout", "read";
> permission java.util.PropertyPermission "javax.persistence.schema-generation.connection", "read";
> permission java.util.PropertyPermission "javax.persistence.sql-load-script-source", "read";
> permission java.util.PropertyPermission "org.eclipse.persistence.querymonitor", "read";
> Will this be addressed in a future release, or are the permissions
> required?