[ https://issues.apache.org/jira/browse/FELIX-1363?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12731900#action_12731900 ]
Felix Meschberger commented on FELIX-1363:
------------------------------------------
Hmm, the problem is probably that the AdminPermission class of the WebSphere
framework (Equinox) should not be used if the Felix library provides its own
implementation.
The reason is the servlet spec itself, which IIRC states that web application class
loaders should first inspect the web applications for classes before going into
the parent class loader.
WebSphere in particular has a setting (on web application level) which allows
configuring whether to prefer parentloader-first (Java default) or
parentloader-last (preferred here). You should enable that configuration.
Another option, which is what we use in Apache Sling to be sure, is to have the
web application create its own classloader in which we load the framework and
the rest. That custom classloader implements the parentloader-last strategy and
as such would then use the Felix framework AdminPermission class instead of
that of WebSphere.
Whatever: I don't think that this problem is something that the Felix framework
proper should care about inside its code.
Just my CHF.02
> Stack overflow on Java 2 Security evaluation of getLocation() in WebSphere
> ---------------------------------------------------------------------------
>
> Key: FELIX-1363
> URL: https://issues.apache.org/jira/browse/FELIX-1363
> Project: Felix
> Issue Type: Bug
> Components: Framework
> Affects Versions: felix-1.2.1, felix-1.4.1, felix-1.8.0, felix-1.8.1
> Environment: WebSphere 6.1 with Java 2 Security enabled
> Reporter: Gerrit van Brakel
>
> When the Felix framework is used in an application in WebSphere, the Java 2
> Security permission evaluation of Felix.getLocation() causes a Stack Overflow.
>
> The Stack Overflow is caused by an incompatibility between classes of the
> Felix framework and the framework classes present in WebSphere.
>
> When the permissions for Felix.getLocation() are evaluated, an
> AdminPermission object is created and evaluated. The AdminPermission
> permission object created is not the one supplied by the Felix framework, but
> one found higher on the classpath: the WebSphere/eclipse version of the
> AdminPermission class. This version of the class is incompatible with Felix,
> as it uses getLocation() in its evaluation.
> Ways to work around or solve this problem:
> 1) disable Java 2 Security (not acceptable by company policy)
> 2) grant a global AllPermissions (not acceptable by company policy): by
> specifying global AllPermissions, the evaluation of permissions seems to be
> avoided
> 3) modify the Felix Framework in such a way that no permissions are
> set/evaluated for getLocation()
> 4) modify the WebSphere / eclipse version of AdminPermission in such a way
> that no getLocation() is used in its evaluation
> A test for option 3 has been performed on Felix 1.2.1. If the permission test
> is removed from BundleImpl.getLocation() and Felix.getLocation(), the stack
> overflow does not appear. Of course the permission test is lost in the
> process.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
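
The parentloader-last strategy described in the comment above, as an added Java example that is not code from Felix, Sling or WebSphere. The class name ParentLastClassLoader and the two command-line arguments (a framework jar and a class name such as org.osgi.framework.AdminPermission) are assumptions; main() reports which loader and code source actually defined the class, which is the check that tells you whose AdminPermission is in use.

```java
import java.io.File;
import java.net.URL;
import java.net.URLClassLoader;

/** Parent-last (child-first) delegation: our own URLs win over the parent. */
public class ParentLastClassLoader extends URLClassLoader {

    public ParentLastClassLoader(URL[] urls, ClassLoader parent) {
        super(urls, parent);
    }

    @Override
    protected Class<?> loadClass(String name, boolean resolve)
            throws ClassNotFoundException {
        synchronized (getClassLoadingLock(name)) {
            Class<?> c = findLoadedClass(name);
            // Never shadow core classes. Types shared with the container
            // (e.g. javax.servlet.*) should be excluded the same way so
            // both sides see one definition.
            if (c == null && !name.startsWith("java.")) {
                try {
                    c = findClass(name);          // look in our own URLs first
                } catch (ClassNotFoundException e) {
                    // not in our URLs: fall back to the parent below
                }
            }
            if (c == null) {
                c = super.loadClass(name, false); // standard parent-first path
            }
            if (resolve) {
                resolveClass(c);
            }
            return c;
        }
    }

    // Usage: java ParentLastClassLoader <framework.jar> <class name>
    public static void main(String[] args) throws Exception {
        URL[] urls = { new File(args[0]).toURI().toURL() };
        try (ParentLastClassLoader cl = new ParentLastClassLoader(
                urls, ParentLastClassLoader.class.getClassLoader())) {
            Class<?> c = cl.loadClass(args[1]);
            // A different defining loader means a different class, even
            // when the fully qualified name is identical.
            System.out.println(c.getName() + " defined by " + c.getClassLoader()
                    + " from " + c.getProtectionDomain().getCodeSource());
        }
    }
}
```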