Magesh created TOMEE-2014:
-----------------------------
Summary: Security Permission for setPolicy
Key: TOMEE-2014
URL: https://issues.apache.org/jira/browse/TOMEE-2014
Project: TomEE
Issue Type: Bug
Components: TomEE Core Server
Affects Versions: 7.0.2
Reporter: Magesh
Attachments: AbstractSecurityService.java
Hi,
We deployed our application, which uses EJB, on the TomEE server
(apache-tomee-plus-7.0.2) with security mode enabled. We are getting an
exception that asks us to add the below permission to the catalina.policy file.
permission java.security.SecurityPermission "setPolicy";
Log:
java.security.AccessControlException: access denied ("java.security.SecurityPermission" "setPolicy")
    at java.security.AccessControlContext.checkPermission(AccessControlContext.java:472)
    at java.security.AccessController.checkPermission(AccessController.java:884)
    at java.lang.SecurityManager.checkPermission(SecurityManager.java:549)
    at javax.security.jacc.PolicyContext.setContextID(PolicyContext.java:49)
    at org.apache.openejb.core.security.AbstractSecurityService.contextEntered(AbstractSecurityService.java:153)
    at org.apache.openejb.core.ThreadContext.enter(ThreadContext.java:60)
    at org.apache.openejb.core.stateless.StatelessContainer.invoke(StatelessContainer.java:169)
    at org.apache.openejb.core.ivm.EjbObjectProxyHandler.synchronizedBusinessMethod(EjbObjectProxyHandler.java:265)
    at org.apache.openejb.core.ivm.EjbObjectProxyHandler.businessMethod(EjbObjectProxyHandler.java:260)
    at org.apache.openejb.core.ivm.EjbObjectProxyHandler._invoke(EjbObjectProxyHandler.java:89)
    at org.apache.openejb.core.ivm.BaseEjbProxyHandler.invoke(BaseEjbProxyHandler.java:347)
    at com.sun.proxy.$Proxy79.getVersionPhases(Unknown Source)
    at biaccounting.presentation.servlet.InitServlet.initReferenceLists(InitServlet.java:141)
    at biaccounting.presentation.servlet.InitServlet.init(InitServlet.java:54)
    at javax.servlet.GenericServlet.init(GenericServlet.java:158)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:497)
To fix this, we commented out the below lines in the class
AbstractSecurityService.java (please find it attached):
PolicyContext.setContextID(moduleID); --> Line#138
PolicyContext.setContextID(null); --> Line#175
PolicyContext.setContextID(reenteredContext.getBeanContext().getModuleID()); --> Line#177
We have done this as a temporary fix from our end. Please let us know whether
this will be fixed in a future release, and please let us know your comments
on this one.
Thanks & Regards,
Magesh M
--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
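
Added example, not part of the original report and not TomEE's code: the call stack above includes web application frames (InitServlet), and a permission check considers every protection domain on the stack, so one way to keep the JACC context calls instead of commenting them out is to have container code make them inside doPrivileged. PrivilegedPolicyContext and callInContext are hypothetical names; the sketch assumes the JACC API is on the classpath and that the class is loaded from a code source granted SecurityPermission "setPolicy".

```java
import java.security.AccessController;
import java.security.PrivilegedAction;
import java.util.concurrent.Callable;
import javax.security.jacc.PolicyContext;

// Hypothetical helper (not TomEE code). Assumes it is loaded from a container
// code source that holds SecurityPermission "setPolicy".
public final class PrivilegedPolicyContext {

    private PrivilegedPolicyContext() {
    }

    // Sets the JACC context ID. doPrivileged stops the permission check at this
    // class, so callers further up the stack (for example a servlet in the
    // web application) do not need "setPolicy" themselves.
    public static void setContextID(final String contextID) {
        if (System.getSecurityManager() == null) {
            PolicyContext.setContextID(contextID);
            return;
        }
        AccessController.doPrivileged(new PrivilegedAction<Void>() {
            @Override
            public Void run() {
                PolicyContext.setContextID(contextID);
                return null;
            }
        });
    }

    // Runs body with the given context ID and restores the previous one
    // afterwards. body itself runs outside doPrivileged, so application code
    // keeps only its own permissions.
    public static <T> T callInContext(String contextID, Callable<T> body) throws Exception {
        final String previous = PolicyContext.getContextID();
        setContextID(contextID);
        try {
            return body.call();
        } finally {
            setContextID(previous);
        }
    }
}
```

Under those assumptions the web application's own grant in catalina.policy does not need the setPolicy line.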