[
https://issues.apache.org/jira/browse/TOMEE-2014?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15876212#comment-15876212
]
Magesh commented on TOMEE-2014:
-------------------------------
Hi,
Since we need to address this issue at the earliest ,we are going with the
option of commenting the lines as we mentioned in the ticket initially and we
tested this option thoroughly. Could you please let us know whether this will
be addressed in the next release.
Thanks,
Magesh M
> Security Permission for setPolicy
> ---------------------------------
>
> Key: TOMEE-2014
> URL: https://issues.apache.org/jira/browse/TOMEE-2014
> Project: TomEE
> Issue Type: Bug
> Components: TomEE Core Server
> Affects Versions: 7.0.2
> Reporter: Magesh
> Attachments: AbstractSecurityService.java, openejb-core.patch,
> tomee1.patch, tomee2.patch, tomee-catalina.patch
>
>
> Hi,
> We deployed our application that uses EJB in Tomee Server
> (apache-tomee-plus-7.0.2) with security mode enabled. We are getting the
> exception to add the below permission in catalina.policy file.
> permission java.security.SecurityPermission "setPolicy";
> Log:
> java.security.AccessControlException: access denied
> ("java.security.SecurityPermission" "setPolicy")
> at
> java.security.AccessControlContext.checkPermission(AccessControlContext.java:472)
> at
> java.security.AccessController.checkPermission(AccessController.java:884)
> at java.lang.SecurityManager.checkPermission(SecurityManager.java:549)
> at javax.security.jacc.PolicyContext.setContextID(PolicyContext.java:49)
> at
> org.apache.openejb.core.security.AbstractSecurityService.contextEntered(AbstractSecurityService.java:153)
> at org.apache.openejb.core.ThreadContext.enter(ThreadContext.java:60)
> at
> org.apache.openejb.core.stateless.StatelessContainer.invoke(StatelessContainer.java:169)
> at
> org.apache.openejb.core.ivm.EjbObjectProxyHandler.synchronizedBusinessMethod(EjbObjectProxyHandler.java:265)
> at
> org.apache.openejb.core.ivm.EjbObjectProxyHandler.businessMethod(EjbObjectProxyHandler.java:260)
> at
> org.apache.openejb.core.ivm.EjbObjectProxyHandler._invoke(EjbObjectProxyHandler.java:89)
> at
> org.apache.openejb.core.ivm.BaseEjbProxyHandler.invoke(BaseEjbProxyHandler.java:347)
> at com.sun.proxy.$Proxy79.getVersionPhases(Unknown Source)
> at
> biaccounting.presentation.servlet.InitServlet.initReferenceLists(InitServlet.java:141)
> at
> biaccounting.presentation.servlet.InitServlet.init(InitServlet.java:54)
> at javax.servlet.GenericServlet.init(GenericServlet.java:158)
> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> at
> sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
> at
> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> at java.lang.reflect.Method.invoke(Method.java:497)
> To fix this, we commented the below lines in the class
> AbstractSecurityService.java (Please find attached)
> PolicyContext.setContextID(moduleID); --> Line#138
> PolicyContext.setContextID(null); --> Line#175
> PolicyContext.setContextID(reenteredContext.getBeanContext().getModuleID());
> -->Line#177
> We have done this as a temporary fix from our end. Please let us know whether
> will this be fixed in the future release ? please let us know your comment on
> this one.
> Thanks & Regards,
> Magesh M
--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
