Re: Securing javascript

Thu, 19 Feb 2009 05:46:11 -0800

If this is the security exception you're getting, then I'd wager there's a bug somewhere in the weblogic.utils.classloaders.* code. Either that, or it is not a bug, but they don't anticipate code source URLs from outside the app directory... what happens if your script's code source URL points to somewhere within the webapp directory?
Now, the java.security.debug="access,failure" will print stack traces for all failures *even* if they are caught and later handled by the code. Without java.security.debug in effect, what is the stack trace of the SecurityException that is preventing normal execution? I'm assuming it's different from (java.io.FilePermission D:\Demo\Demo\APP- INF\classes\org\mozilla\javascript\NativeJavaTopPackage.class read)... 


If it is the same exception, then I think we have a case of overeager  
security lockdown in Weblogic, which you might get around if you use a  
code source URL that points within some location Weblogic expects. A  
long-term solution would be for us to use a doPrivileged() block when  
LazilyLoadedCtor is used to load a class from org.mozilla.javascript.*  
package.


Attila.

On 2009.02.18., at 21:13, [email protected] wrote:


On Feb 18, 6:40 am, Attila Szegedi <[email protected]> wrote:

Probably the app server places additional restrictions on code in
applications. It might be possible that you'd need to grant some
additional privileges to js.jar when it's in app directory (and then
we might need to augment Rhino to use doPrivileged() in few places
after you identify those places).


I suggest you run your JVM with - 
Djava.security.debug="access,failure"

and see exactly what code fails obtaining which permissions, and come
back to us with the findings.

Attila.

On 2009.02.17., at 23:31, Gary Brown wrote:




I have some code similar to the following that is used to call js  
code

from java.



   ContextFactory contextFactory = new ContextFactory();
   Context context = contextFactory.enterContext();
   context.setSecurityController( new PolicySecurityController() );
   Scriptable scope = context.initStandardObjects( new
ImporterTopLevel( context ) );
   URL url = new URL( "http://acme.com/scripting/test.js"; );
   CodeSource codeSource = new CodeSource( url, ( CodeSigner[] )
null );

   context.evaluateString( scope, script, "test.js", 0,  
codeSource );

   Context.exit();



The code works and can be secured using java policy when executed  
from

a simple stand-alone application. The code also works correctly when

executed from a web application running on Weblogic 10.0, but only  
if

js.jar from Rhino 1.7R1 is in the classpath. The file js.jar must be

placed ahead of the Weblogic jars in the classpath because one of  
the

classes conflicts with a class found in the Weblogic jars.



The following is an example of the java policy file:



   // Give java code full access.
   grant codeBase "file:/-" {
       permission java.security.AllPermission;
   };



   grant codeBase "file:C:/-" {
       permission java.security.AllPermission;
   };



   grant codeBase "file:D:/-" {
       permission java.security.AllPermission;
   };



   // Give javascript code no access.
   grant codeBase "http://acme.com/scripting"; {
   };



If I remove js.jar from the classpath and instead put js.jar in the
APP-INF/lib directory (I also have to put a weblogic-application.xml

file in the META-INF directory to fix the class load conflict), I  
get

security exceptions. The security exceptions go away if I grant full
permissions to all code.



-----

I get similar results when I deploy my code to Tomcat 6. If js.jar  
is
placed in $CATALINA_HOME/lib/ (and not in /WEB-INF/lib/), all is  
well.
If js.jar is placed in /WEB-INF/lib/, I get 'ReferenceError:  
"java" is

not defined.' unless I grant full permissions to all code.
-----



Is there any way to get this code to execute correctly without  
putting

js.jar in the common classpath? Any idea why the code works with

reduced permissions with js.jar in the common classpath, and with  
full

permissions with js.jar in the application classpath, but not with

reduced permissions with js.jar in the application classpath?-  
Hide quoted text -


- Show quoted text -


This is a summary of the failures:

access: access denied (java.io.FilePermission D:\Demo\Demo\APP-INF
\classes\org\mozilla\javascript\NativeJavaTopPackage.class read)
access: domain that failed ProtectionDomain  (http://acme.com/
scripting <no signer certificates>)
access: access denied (java.io.FilePermission D:\Demo\Demo\APP-INF
\classes\org\mozilla\javascript\resources\Messages.class read)
access: domain that failed ProtectionDomain  (http://acme.com/
scripting <no signer certificates>)
access: access denied (java.io.FilePermission D:\Demo\Demo\APP-INF
\classes\org\mozilla\javascript\resources\Messages_en.class read)
access: domain that failed ProtectionDomain  (http://acme.com/
scripting <no signer certificates>)
access: access denied (java.io.FilePermission D:\Demo\Demo\APP-INF
\classes\org\mozilla\javascript\resources\Messages_en_US.class read)
access: domain that failed ProtectionDomain  (http://acme.com/
scripting <no signer certificates>)
access: access denied (java.io.FilePermission D:\Demo\Demo\APP-INF
\classes\org\mozilla\javascript\EcmaError.class read)
access: domain that failed ProtectionDomain  (http://acme.com/
scripting <no signer certificates>)
java.security.AccessControlException: access denied
(java.io.FilePermission D:\Demo\Demo\APP-INF\classes\org\mozilla
\javascript\EcmaError.class read)

This is the detail of the first and last failures:

.
.
.
access: access allowed (java.net.SocketPermission acme.com resolve)
access: access denied (java.io.FilePermission D:\Demo\Demo\APP-INF
\classes\org\mozilla\javascript\NativeJavaTopPackage.class read)
java.lang.Exception: Stack trace
   at java.lang.Thread.dumpStack(Thread.java:1158)
   at java.security.AccessControlContext.checkPermission
(AccessControlContext.java:253)
   at java.security.AccessController.checkPermission
(AccessController.java:427)
   at java.lang.SecurityManager.checkPermission(SecurityManager.java:
532)
   at java.lang.SecurityManager.checkRead(SecurityManager.java:871)
   at java.io.File.exists(File.java:700)
   at weblogic.utils.classloaders.DirectoryClassFinder.getSource
(DirectoryClassFinder.java:36)
   at weblogic.utils.classloaders.JarClassFinder.getSource
(JarClassFinder.java:45)
   at weblogic.utils.classloaders.AbstractClassFinder.getClassSource
(AbstractClassFinder.java:17)
   at weblogic.utils.classloaders.MultiClassFinder.getClassSource
(MultiClassFinder.java:58)
   at weblogic.utils.classloaders.MultiClassFinder.getClassSource
(MultiClassFinder.java:58)
   at weblogic.utils.classloaders.MultiClassFinder.getClassSource
(MultiClassFinder.java:58)
   at weblogic.utils.classloaders.CodeGenClassFinder.getClassSource
(CodeGenClassFinder.java:27)
   at weblogic.utils.classloaders.GenericClassLoader.findLocalClass
(GenericClassLoader.java:280)
   at weblogic.utils.classloaders.GenericClassLoader.findClass
(GenericClassLoader.java:259)
   at java.lang.ClassLoader.loadClass(ClassLoader.java:306)
   at java.lang.ClassLoader.loadClass(ClassLoader.java:251)
   at weblogic.utils.classloaders.GenericClassLoader.loadClass
(GenericClassLoader.java:179)
   at java.lang.ClassLoader.loadClassInternal(ClassLoader.java:319)
   at java.lang.Class.forName0(Native Method)
   at java.lang.Class.forName(Class.java:164)
   at org.mozilla.javascript.Kit.classOrNull(Kit.java:74)
   at org.mozilla.javascript.LazilyLoadedCtor.buildValue
(LazilyLoadedCtor.java:107)
   at org.mozilla.javascript.LazilyLoadedCtor.init
(LazilyLoadedCtor.java:89)
   at org.mozilla.javascript.ScriptableObject.getImpl
(ScriptableObject.java:1992)
   at org.mozilla.javascript.ScriptableObject.get
(ScriptableObject.java:280)
   at org.mozilla.javascript.IdScriptableObject.get
(IdScriptableObject.java:385)
   at org.mozilla.javascript.ImporterTopLevel.get
(ImporterTopLevel.java:128)
   at org.mozilla.javascript.ScriptableObject.getProperty
(ScriptableObject.java:1575)
   at org.mozilla.javascript.ScriptRuntime.topScopeName
(ScriptRuntime.java:1748)
   at org.mozilla.javascript.ScriptRuntime.name(ScriptRuntime.java:
1650)
   at org.mozilla.javascript.gen.c1._c0(C:\temp\demo.js:1)
   at org.mozilla.javascript.gen.c1.call(C:\temp\demo.js)
   at org.mozilla.javascript.ContextFactory.doTopCall
(ContextFactory.java:401)
   at org.mozilla.javascript.ScriptRuntime.doTopCall
(ScriptRuntime.java:3003)
   at org.mozilla.javascript.gen.c1.call(C:\temp\demo.js)
   at org.mozilla.javascript.gen.c1.exec(C:\temp\demo.js)
   at org.mozilla.javascript.Context.evaluateString(Context.java:
1088)
   at com.acme.script.ScriptHelper.call(ScriptHelper.java:514)
   at com.acme.script.ScriptHelper.call(ScriptHelper.java:407)
   at com.acme.demo.NumberNegativeEvent.service
(NumberNegativeEvent.java:91)
   at com.acme.next.next.NextController.processCurrentEvent
(NextController.java:622)
   at com.acme.next.next.NextController.processAllEvents
(NextController.java:359)
   at com.acme.next.next.NextController.service(NextController.java:
181)
   at com.acme.next.Transaction.run(Transaction.java:136)
   at com.acme.next.TransactionObject.processTransaction
(TransactionObject.java:94)
   at com.acme.next.Loader.processRequest(Loader.java:1052)
   at com.acme.next.Loader.doService(Loader.java:727)
   at com.acme.next.Loader.service(Loader.java:548)
   at javax.servlet.http.HttpServlet.service(HttpServlet.java:820)
   at weblogic.servlet.internal.StubSecurityHelper
$ServletServiceAction.run(StubSecurityHelper.java:226)
   at weblogic.servlet.internal.StubSecurityHelper.invokeServlet
(StubSecurityHelper.java:124)
   at weblogic.servlet.internal.ServletStubImpl.execute
(ServletStubImpl.java:283)
   at weblogic.servlet.internal.TailFilter.doFilter(TailFilter.java:
26)
   at weblogic.servlet.internal.FilterChainImpl.doFilter
(FilterChainImpl.java:42)
   at com.acme.next.FrameworkFilter.doFilter(FrameworkFilter.java:
564)
   at weblogic.servlet.internal.FilterChainImpl.doFilter
(FilterChainImpl.java:42)
   at weblogic.servlet.internal.WebAppServletContext
$ServletInvocationAction.run(WebAppServletContext.java:3368)
   at weblogic.security.acl.internal.AuthenticatedSubject.doAs
(AuthenticatedSubject.java:321)
   at weblogic.security.service.SecurityManager.runAs(Unknown Source)
   at weblogic.servlet.internal.WebAppServletContext.securedExecute
(WebAppServletContext.java:2117)
   at weblogic.servlet.internal.WebAppServletContext.execute
(WebAppServletContext.java:2023)
   at weblogic.servlet.internal.ServletRequestImpl.run
(ServletRequestImpl.java:1359)
   at weblogic.work.ExecuteThread.execute(ExecuteThread.java:200)
   at weblogic.work.ExecuteThread.run(ExecuteThread.java:172)
access: access allowed (java.security.SecurityPermission getPolicy)
access: domain that failed ProtectionDomain  (http://acme.com/
scripting <no signer certificates>)
org.mozilla.javascript.policysecuritycontroller$loa...@9c6e6e
<no principals>
java.security.permissi...@9453f9 (
(java.util.PropertyPermission java.version read)
(java.util.PropertyPermission java.vm.name read)
(java.util.PropertyPermission java.vm.vendor read)
(java.util.PropertyPermission os.name read)
(java.util.PropertyPermission java.vendor.url read)
(java.util.PropertyPermission java.vm.specification.vendor read)
(java.util.PropertyPermission java.specification.vendor read)
(java.util.PropertyPermission os.version read)
(java.util.PropertyPermission java.specification.name read)
(java.util.PropertyPermission java.class.version read)
(java.util.PropertyPermission file.separator read)
(java.util.PropertyPermission java.vm.version read)
(java.util.PropertyPermission os.arch read)
(java.util.PropertyPermission java.vm.specification.name read)
(java.util.PropertyPermission java.vm.specification.version read)
(java.util.PropertyPermission java.specification.version read)
(java.util.PropertyPermission java.vendor read)
(java.util.PropertyPermission path.separator read)
(java.util.PropertyPermission line.separator read)
(java.net.SocketPermission localhost:1024- listen,resolve)
(java.lang.RuntimePermission stopThread)
)

.
.
.

access: access allowed (java.security.SecurityPermission getPolicy)
access: domain that failed ProtectionDomain  (http://acme.com/
scripting <no signer certificates>)
org.mozilla.javascript.policysecuritycontroller$loa...@9c6e6e
<no principals>
java.security.permissi...@11cdf8a (
(java.util.PropertyPermission java.version read)
(java.util.PropertyPermission java.vm.name read)
(java.util.PropertyPermission java.vm.vendor read)
(java.util.PropertyPermission os.name read)
(java.util.PropertyPermission java.vendor.url read)
(java.util.PropertyPermission java.vm.specification.vendor read)
(java.util.PropertyPermission java.specification.vendor read)
(java.util.PropertyPermission os.version read)
(java.util.PropertyPermission java.specification.name read)
(java.util.PropertyPermission java.class.version read)
(java.util.PropertyPermission file.separator read)
(java.util.PropertyPermission java.vm.version read)
(java.util.PropertyPermission os.arch read)
(java.util.PropertyPermission java.vm.specification.name read)
(java.util.PropertyPermission java.vm.specification.version read)
(java.util.PropertyPermission java.specification.version read)
(java.util.PropertyPermission java.vendor read)
(java.util.PropertyPermission path.separator read)
(java.util.PropertyPermission line.separator read)
(java.net.SocketPermission localhost:1024- listen,resolve)
(java.lang.RuntimePermission stopThread)
)

access: access allowed (java.io.FilePermission D:\Demo\Demo\APP-INF
\classes\org\mozilla\javascript\RhinoException.class read)
access: access allowed (java.io.FilePermission D:\Demo\Demo\APP-INF
\classes\org\mozilla\javascript\RhinoException.class read)
access: access allowed (java.io.FilePermission D:\Demo\Demo\APP-INF
\classes\org.mozilla.javascript.RhinoException read)
access: access allowed (java.io.FilePermission D:\Demo\Demo\APP-INF
\classes\org.mozilla.javascript.RhinoException read)
access: access allowed (java.io.FilePermission D:\bea\user_projects
\domains\Demo\servers\AdminServer\tmp\_WL_user\Demo\xa8amf\APP-INF\lib
\js.jar read)
access: access allowed (java.io.FilePermission D:\bea\user_projects
\domains\Demo\servers\AdminServer\tmp\_WL_user\Demo\xa8amf\APP-INF\lib
\js.jar read)
access: access allowed (java.io.FilePermission D:\bea\user_projects
\domains\Demo\servers\AdminServer\tmp\_WL_user\Demo\xa8amf\APP-INF\lib
\js.jar read)
java.security.AccessControlException: access denied
(java.io.FilePermission D:\Demo\Demo\APP-INF\classes\org\mozilla
\javascript\EcmaError.class read)
   at java.security.AccessControlContext.checkPermission
(AccessControlContext.java:264)
   at java.security.AccessController.checkPermission
(AccessController.java:427)
   at java.lang.SecurityManager.checkPermission(SecurityManager.java:
532)
   at java.lang.SecurityManager.checkRead(SecurityManager.java:871)
   at java.io.File.exists(File.java:700)
   at weblogic.utils.classloaders.DirectoryClassFinder.getSource
(DirectoryClassFinder.java:36)
   at weblogic.utils.classloaders.JarClassFinder.getSource
(JarClassFinder.java:45)
   at weblogic.utils.classloaders.AbstractClassFinder.getClassSource
(AbstractClassFinder.java:17)
   at weblogic.utils.classloaders.MultiClassFinder.getClassSource
(MultiClassFinder.java:58)
   at weblogic.utils.classloaders.MultiClassFinder.getClassSource
(MultiClassFinder.java:58)
   at weblogic.utils.classloaders.MultiClassFinder.getClassSource
(MultiClassFinder.java:58)
   at weblogic.utils.classloaders.CodeGenClassFinder.getClassSource
(CodeGenClassFinder.java:27)
   at weblogic.utils.classloaders.GenericClassLoader.findLocalClass
(GenericClassLoader.java:280)
   at weblogic.utils.classloaders.GenericClassLoader.findClass
(GenericClassLoader.java:259)
   at java.lang.ClassLoader.loadClass(ClassLoader.java:306)
   at java.lang.ClassLoader.loadClass(ClassLoader.java:251)
   at weblogic.utils.classloaders.GenericClassLoader.loadClass
(GenericClassLoader.java:179)
   at java.lang.ClassLoader.loadClassInternal(ClassLoader.java:319)
   at org.mozilla.javascript.ScriptRuntime.constructError
(ScriptRuntime.java:3557)
   at org.mozilla.javascript.ScriptRuntime.constructError
(ScriptRuntime.java:3535)
   at org.mozilla.javascript.ScriptRuntime.notFoundError
(ScriptRuntime.java:3620)
   at org.mozilla.javascript.ScriptRuntime.name(ScriptRuntime.java:
1652)
   at org.mozilla.javascript.gen.c1._c0(C:\temp\demo.js:1)
   at org.mozilla.javascript.gen.c1.call(C:\temp\demo.js)
   at org.mozilla.javascript.ContextFactory.doTopCall
(ContextFactory.java:401)
   at org.mozilla.javascript.ScriptRuntime.doTopCall
(ScriptRuntime.java:3003)
   at org.mozilla.javascript.gen.c1.call(C:\temp\demo.js)
   at org.mozilla.javascript.gen.c1.exec(C:\temp\demo.js)
   at org.mozilla.javascript.Context.evaluateString(Context.java:
1088)
   at com.acme.script.ScriptHelper.call(ScriptHelper.java:514)
   at com.acme.script.ScriptHelper.call(ScriptHelper.java:407)
   at com.acme.demo.NumberNegativeEvent.service
(NumberNegativeEvent.java:91)
   at com.acme.next.next.NextController.processCurrentEvent
(NextController.java:622)
   at com.acme.next.next.NextController.processAllEvents
(NextController.java:359)
   at com.acme.next.next.NextController.service(NextController.java:
181)
   at com.acme.next.Transaction.run(Transaction.java:136)
   at com.acme.next.TransactionObject.processTransaction
(TransactionObject.java:94)
   at com.acme.next.Loader.processRequest(Loader.java:1052)
   at com.acme.next.Loader.doService(Loader.java:727)
   at com.acme.next.Loader.service(Loader.java:548)
   at javax.servlet.http.HttpServlet.service(HttpServlet.java:820)
   at weblogic.servlet.internal.StubSecurityHelper
$ServletServiceAction.run(StubSecurityHelper.java:226)
   at weblogic.servlet.internal.StubSecurityHelper.invokeServlet
(StubSecurityHelper.java:124)
   at weblogic.servlet.internal.ServletStubImpl.execute
(ServletStubImpl.java:283)
   at weblogic.servlet.internal.TailFilter.doFilter(TailFilter.java:
26)
   at weblogic.servlet.internal.FilterChainImpl.doFilter
(FilterChainImpl.java:42)
   at com.acme.next.FrameworkFilter.doFilter(FrameworkFilter.java:
564)
   at weblogic.servlet.internal.FilterChainImpl.doFilter
(FilterChainImpl.java:42)
   at weblogic.servlet.internal.WebAppServletContext
$ServletInvocationAction.run(WebAppServletContext.java:3368)
   at weblogic.security.acl.internal.AuthenticatedSubject.doAs
(AuthenticatedSubject.java:321)
   at weblogic.security.service.SecurityManager.runAs(Unknown Source)
   at weblogic.servlet.internal.WebAppServletContext.securedExecute
(WebAppServletContext.java:2117)
   at weblogic.servlet.internal.WebAppServletContext.execute
(WebAppServletContext.java:2023)
   at weblogic.servlet.internal.ServletRequestImpl.run
(ServletRequestImpl.java:1359)
   at weblogic.work.ExecuteThread.execute(ExecuteThread.java:200)
   at weblogic.work.ExecuteThread.run(ExecuteThread.java:172)
access: access allowed (java.io.FilePermission D:\bea\user_projects
\domains\Demo\com\acme\demo\NumberAddEvent.class read)
.
.
.

If I grant the following permissions to codeBase "http://acme.com/
scripting" it works!

   permission java.io.FilePermission "D:${/}Demo${/}Demo${/}APP-INF$
{/}classes${/}-", "read";
   permission java.io.FilePermission "D:${/}bea${/}user_projects${/}
domains${/}Demo${/}servers${/}AdminServer${/}tmp${/}_WL_user${/}Demo$
{/}xa8amf${/}APP-INF${/}lib${/}js.jar", "read";

The question is, why do I need to give codeBase "http://acme.com/
scripting"
these permissions? The script itself does not read any files.

   importPackage(java.lang);
   var demo = {};
   demo.add99 = function( changeNumberForm ) { }

It looks like some of the java code in the org.mozilla.javascript
package is
running with the permissions of codeBase "http://acme.com/scripting";
rather
than the permissions of the caller.

_______________________________________________
dev-tech-js-engine-rhino mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-tech-js-engine-rhino






















					Reply via email to