[ https://issues.apache.org/jira/browse/TOMEE-2014?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15865775#comment-15865775 ]
Magesh commented on TOMEE-2014:
-------------------------------
Hi,
We have created two patches, tomee1.patch and tomee2.patch.

tomee1.patch
a) We have commented out the lines where the context ID is set in the class
AbstractSecurityService.java.
The above change works fine without the setPolicy permission, but as you said,
this might not be the right way.

tomee2.patch
a) We have added a new method (setContextID) in JavaSecurityManagers.java and
called it from AbstractSecurityService.java:
import java.security.AccessController;
import java.security.PrivilegedAction;
import javax.security.jacc.PolicyContext;

// Runs the JACC call under this class's own protection domain, so the
// SecurityPermission "setPolicy" check stops at this doPrivileged frame and
// is not applied to the application frames further down the call stack.
public static void setContextID(final String moduleID) {
    AccessController.doPrivileged(new PrivilegedAction<Void>() {
        @Override
        public Void run() {
            PolicyContext.setContextID(moduleID);
            return null;
        }
    });
}
We started the server with the above change, but we got an exception asking us
to add the permissions below. Even after adding those permissions, it is still
asking for the same permissions.
"java.lang.RuntimePermission" "accessClassInPackage.org.apache.jasper.servlet"
"java.lang.RuntimePermission" "setContextClassLoader"
Log:
14-Feb-2017 13:56:51.182 INFO [localhost-startStop-1] org.apache.catalina.loader.WebappClassLoaderBase.loadClass Security Violation, attempt to use Restricted Class: org.apache.jasper.servlet.JspServlet
java.security.AccessControlException: access denied ("java.lang.RuntimePermission" "accessClassInPackage.org.apache.jasper.servlet")
    at java.security.AccessControlContext.checkPermission(AccessControlContext.java:472)
    at java.security.AccessController.checkPermission(AccessController.java:884)
    at java.lang.SecurityManager.checkPermission(SecurityManager.java:549)
    at java.lang.SecurityManager.checkPackageAccess(SecurityManager.java:1564)
    at org.apache.catalina.loader.WebappClassLoaderBase.loadClass(WebappClassLoaderBase.java:1220)
    at org.apache.tomee.catalina.TomEEWebappClassLoader.loadClass(TomEEWebappClassLoader.java:204)
    at org.apache.catalina.loader.WebappClassLoaderBase.loadClass(WebappClassLoaderBase.java:1119)
    at org.apache.tomee.catalina.JavaeeInstanceManager.newInstance(JavaeeInstanceManager.java:124)
    at org.apache.tomee.catalina.JavaeeInstanceManager.newInstance(JavaeeInstanceManager.java:119)
    at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1050)
    at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:989)
    at org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:4913)
    at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5223)
    at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150)
    at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:724)
    at org.apache.catalina.core.ContainerBase.access$000(ContainerBase.java:129)
    at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:150)
    at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:140)
    at java.security.AccessController.doPrivileged(Native Method)
    at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:698)
    at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:734)
    at org.apache.catalina.startup.HostConfig.deployWAR(HostConfig.java:952)
    at org.apache.catalina.startup.HostConfig$DeployWar.run(HostConfig.java:1823)
    at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
    at java.util.concurrent.FutureTask.run(FutureTask.java:266)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
    at java.lang.Thread.run(Thread.java:745)
14-Feb-2017 13:56:51.182 SEVERE [localhost-startStop-1] sun.reflect.NativeMethodAccessorImpl.invoke ContainerBase.addChild: start:
org.apache.catalina.LifecycleException: Failed to start component [StandardEngine[Catalina].StandardHost[localhost].StandardContext[/travelaccountingsystem]]
    at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:167)
    at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:724)
    at org.apache.catalina.core.ContainerBase.access$000(ContainerBase.java:129)
    at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:150)
    at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:140)
    at java.security.AccessController.doPrivileged(Native Method)
    at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:698)
    at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:734)
    at org.apache.catalina.startup.HostConfig.deployWAR(HostConfig.java:952)
    at org.apache.catalina.startup.HostConfig$DeployWar.run(HostConfig.java:1823)
    at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
    at java.util.concurrent.FutureTask.run(FutureTask.java:266)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
    at java.lang.Thread.run(Thread.java:745)
Caused by: java.security.AccessControlException: access denied ("java.lang.RuntimePermission" "setContextClassLoader")
    at java.security.AccessControlContext.checkPermission(AccessControlContext.java:472)
    at java.security.AccessController.checkPermission(AccessController.java:884)
    at java.lang.SecurityManager.checkPermission(SecurityManager.java:549)
    at java.lang.Thread.setContextClassLoader(Thread.java:1467)
    at org.apache.catalina.core.StandardContext.unbind(StandardContext.java:5848)
    at org.apache.catalina.core.StandardContext.unbindThread(StandardContext.java:5778)
    at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5233)
    at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150)
    ... 14 more
Please let us know your suggestions.
Thanks,
Magesh M
> Security Permission for setPolicy
> ---------------------------------
>
> Key: TOMEE-2014
> URL: https://issues.apache.org/jira/browse/TOMEE-2014
> Project: TomEE
> Issue Type: Bug
> Components: TomEE Core Server
> Affects Versions: 7.0.2
> Reporter: Magesh
> Attachments: AbstractSecurityService.java, tomee1.patch, tomee2.patch
>
>
> Hi,
> We deployed our application, which uses EJB, in TomEE Server
> (apache-tomee-plus-7.0.2) with security mode enabled. We are getting an
> exception asking us to add the permission below to the catalina.policy file.
> permission java.security.SecurityPermission "setPolicy";
> Log:
> java.security.AccessControlException: access denied ("java.security.SecurityPermission" "setPolicy")
>     at java.security.AccessControlContext.checkPermission(AccessControlContext.java:472)
>     at java.security.AccessController.checkPermission(AccessController.java:884)
>     at java.lang.SecurityManager.checkPermission(SecurityManager.java:549)
>     at javax.security.jacc.PolicyContext.setContextID(PolicyContext.java:49)
>     at org.apache.openejb.core.security.AbstractSecurityService.contextEntered(AbstractSecurityService.java:153)
>     at org.apache.openejb.core.ThreadContext.enter(ThreadContext.java:60)
>     at org.apache.openejb.core.stateless.StatelessContainer.invoke(StatelessContainer.java:169)
>     at org.apache.openejb.core.ivm.EjbObjectProxyHandler.synchronizedBusinessMethod(EjbObjectProxyHandler.java:265)
>     at org.apache.openejb.core.ivm.EjbObjectProxyHandler.businessMethod(EjbObjectProxyHandler.java:260)
>     at org.apache.openejb.core.ivm.EjbObjectProxyHandler._invoke(EjbObjectProxyHandler.java:89)
>     at org.apache.openejb.core.ivm.BaseEjbProxyHandler.invoke(BaseEjbProxyHandler.java:347)
>     at com.sun.proxy.$Proxy79.getVersionPhases(Unknown Source)
>     at biaccounting.presentation.servlet.InitServlet.initReferenceLists(InitServlet.java:141)
>     at biaccounting.presentation.servlet.InitServlet.init(InitServlet.java:54)
>     at javax.servlet.GenericServlet.init(GenericServlet.java:158)
>     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>     at java.lang.reflect.Method.invoke(Method.java:497)
> To fix this, we commented out the lines below in the class
> AbstractSecurityService.java (please find it attached):
> PolicyContext.setContextID(moduleID); --> Line#138
> PolicyContext.setContextID(null); --> Line#175
> PolicyContext.setContextID(reenteredContext.getBeanContext().getModuleID()); --> Line#177
> We have done this as a temporary fix from our end. Please let us know whether
> this will be fixed in a future release, and please let us know your comments on
> this one.
> Thanks & Regards,
> Magesh M
--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
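Added illustration, not code from the TomEE issue or the TomEE code base: a stand-alone Java program showing the access-control mechanics that tomee2.patch relies on. A security-manager check walks the call stack and requires every protection domain on it to hold the permission, stopping at the nearest AccessController.doPrivileged frame. In the quoted trace the web application's frames (InitServlet, the EJB proxy) sit below AbstractSecurityService.contextEntered, so with the direct call the WAR's domain is consulted and needs SecurityPermission "setPolicy"; with the tomee2.patch wrapper only the codebase that contains JavaSecurityManagers and the JACC API class is consulted. The program reproduces both outcomes. Assumptions: setContextIdLikeJacc is a stand-in for javax.security.jacc.PolicyContext.setContextID that performs the same SecurityPermission "setPolicy" check the quoted trace shows; the demo Policy and the empty-permission domain that simulates a WAR are constructed for the demo; the module name is taken from the trace.

```java
import java.security.AccessControlContext;
import java.security.AccessControlException;
import java.security.AccessController;
import java.security.CodeSource;
import java.security.Permission;
import java.security.Permissions;
import java.security.Policy;
import java.security.PrivilegedAction;
import java.security.ProtectionDomain;
import java.security.SecurityPermission;
import java.security.cert.Certificate;

/**
 * Added demonstration, not TomEE code: why a doPrivileged wrapper removes the
 * SecurityPermission "setPolicy" requirement from the web application's frames.
 *
 * Compile with javac, then run with the security manager enabled:
 *   JDK 8-16:  java PrivilegedContextIdDemo
 *   JDK 17-23: java -Djava.security.manager=allow PrivilegedContextIdDemo
 */
public class PrivilegedContextIdDemo {

    /** Per-thread JACC context id stand-in; the real one lives in PolicyContext. */
    private static final ThreadLocal<String> CONTEXT_ID = new ThreadLocal<>();

    /**
     * Stand-in (assumption) for javax.security.jacc.PolicyContext.setContextID,
     * so the demo needs no JACC jar. It performs the check the quoted trace
     * shows: SecurityPermission "setPolicy" against the current context.
     */
    static void setContextIdLikeJacc(String contextId) {
        SecurityManager sm = System.getSecurityManager();
        if (sm != null) {
            sm.checkPermission(new SecurityPermission("setPolicy"));
        }
        CONTEXT_ID.set(contextId);
    }

    /**
     * The tomee2.patch pattern. The permission walk stops at this doPrivileged
     * frame, so only the domain of this class (and of the callee) is consulted;
     * whoever called us, including web-application code, is not.
     */
    static void setContextIdPrivileged(final String contextId) {
        AccessController.doPrivileged((PrivilegedAction<Void>) () -> {
            setContextIdLikeJacc(contextId);
            return null;
        });
    }

    /**
     * Run an action as if a web-application frame were on the stack: a
     * synthetic static ProtectionDomain with an empty permission set is added
     * to the access-control context, the way a WAR's own domain would be.
     */
    static <T> T asWebApp(PrivilegedAction<T> action) {
        ProtectionDomain unprivileged = new ProtectionDomain(
                new CodeSource(null, (Certificate[]) null), new Permissions());
        AccessControlContext webAppContext =
                new AccessControlContext(new ProtectionDomain[] { unprivileged });
        return AccessController.doPrivileged(action, webAppContext);
    }

    public static void main(String[] args) {
        // Demo policy (constructed for this example): code loaded from a real
        // location (this class, the JDK) is fully trusted; the synthetic WAR
        // domain above has no location and is static, so it is granted nothing.
        Policy.setPolicy(new Policy() {
            @Override
            public boolean implies(ProtectionDomain domain, Permission permission) {
                return domain.getCodeSource() != null
                        && domain.getCodeSource().getLocation() != null;
            }
        });
        System.setSecurityManager(new SecurityManager());

        // 1. The situation in the original report: the JACC call runs with the
        //    web application's domain on the stack and is denied.
        try {
            asWebApp(() -> { setContextIdLikeJacc("travelaccountingsystem"); return null; });
            System.out.println("unexpected: direct call was allowed");
        } catch (AccessControlException e) {
            System.out.println("direct call denied: " + e.getPermission());
        }

        // 2. The tomee2.patch situation: same caller, same stack, but the
        //    container code asserts its own privilege for the JACC call.
        asWebApp(() -> { setContextIdPrivileged("travelaccountingsystem"); return null; });
        System.out.println("privileged call set context id = " + CONTEXT_ID.get());
    }
}
```

Three points to keep in mind when adopting the wrapper. It shifts the grant rather than removing it: the codebase that contains JavaSecurityManagers, and the JACC API class it calls, must itself hold SecurityPermission "setPolicy" (a stock catalina.policy gives ${catalina.home}/lib/- AllPermission, which covers that). The method is a deliberate privilege boundary: any code that can reach it sets the thread's JACC context id without holding setPolicy, and that id selects the module policy context against which later JACC authorization decisions are evaluated, so it should stay reachable only from the container's own entry points. Finally, the accessClassInPackage and setContextClassLoader denials in the comment above are raised on code paths that never pass through setContextID (neither trace contains an AbstractSecurityService frame), so this change neither causes nor fixes them.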