[ 
https://issues.apache.org/jira/browse/FELIX-5910?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16612533#comment-16612533
 ] 

Christoph Nölle commented on FELIX-5910:
----------------------------------------

In general you are right, [~timothyjward]. Note, however, that here the issue is 
not that SCR is on the call stack where it shouldn't be, but rather that 
ConfigAdmin is (although the root cause for this is in SCR).

> [ConfigAdmin] Set correct AccessControlContext when firing events
> -----------------------------------------------------------------
>
>                 Key: FELIX-5910
>                 URL: https://issues.apache.org/jira/browse/FELIX-5910
>             Project: Felix
>          Issue Type: Bug
>          Components: Configuration Admin
>    Affects Versions: configadmin-1.9.4
>         Environment: - Felix fwk 6.0.0 
> - Felix security 2.6.0
> - Felix config admin 1.9.4 and 1.9.5-SNAPSHOT
>            Reporter: Christoph Nölle
>            Assignee: Carsten Ziegeler
>            Priority: Major
>             Fix For: configadmin-1.9.6
>
>
> ConfigAdmin requests a restricted set of permissions by means of a 
> permissions.perm file, which must not restrict the permissions of other 
> bundles to which it sends events. There is in fact a mechanism in place to 
> prevent this, using the protection domain of the bundle, in the class 
> ManagedServiceTracker (resolving the related issue 
> https://issues.apache.org/jira/browse/FELIX-4362). However, the UpdateThread 
> class does not use this mechanism; instead it explicitly sets an 
> AccessControlContext based on its own protection domain, hence enforcing its 
> own restricted set of permissions on the event listeners. Below are two 
> examples of the resulting AccessControlExceptions I get... there is just one 
> additional bundle in the stack trace, felix-scr, which has all permissions 
> and can be ignored from the permissions point of view. 
> By the way, removing the permissions.perm file from ConfigAdmin resolves the 
> problem, confirming that the bug is indeed in ConfigAdmin. 
>
> org.slf4j.osgi-over-slf4j[org.apache.felix.configadmin.1.9.4] : [[org.osgi.service.cm.ConfigurationAdmin]]Unexpected problem delivering configuration event to [org.osgi.service.cm.ConfigurationListener, id=18, bundle=24/mvn:org.apache.felix/org.apache.felix.configadmin/1.9.4]
> java.security.AccessControlException: access denied ("java.lang.RuntimePermission" "getClassLoader")
>  at java.base/java.security.AccessControlContext.checkPermission(AccessControlContext.java:472)
>  at java.base/java.security.AccessController.checkPermission(AccessController.java:895)
>  at java.base/java.lang.SecurityManager.checkPermission(SecurityManager.java:335)
>  at java.base/java.lang.ClassLoader.checkClassLoaderPermission(ClassLoader.java:2042)
>  at java.base/java.lang.Class.getClassLoader(Class.java:807)
>  at org.apache.felix.scr.impl.inject.methods.BaseMethod.findMethod(BaseMethod.java:158)
>  at org.apache.felix.scr.impl.inject.methods.BaseMethod.access$400(BaseMethod.java:41)
>  at org.apache.felix.scr.impl.inject.methods.BaseMethod$NotResolved.resolve(BaseMethod.java:602)
>  at org.apache.felix.scr.impl.inject.methods.BaseMethod$NotResolved.methodExists(BaseMethod.java:626)
>  at org.apache.felix.scr.impl.inject.methods.BaseMethod.methodExists(BaseMethod.java:528)
>  at org.apache.felix.scr.impl.inject.methods.ActivateMethod.invoke(ActivateMethod.java:315)
>  at org.apache.felix.scr.impl.inject.methods.ActivateMethod.invoke(ActivateMethod.java:307)
>  at org.apache.felix.scr.impl.manager.SingleComponentManager.invokeModifiedMethod(SingleComponentManager.java:810)
>  at org.apache.felix.scr.impl.manager.SingleComponentManager.modify(SingleComponentManager.java:765)
>  at org.apache.felix.scr.impl.manager.SingleComponentManager.reconfigure(SingleComponentManager.java:683)
>  at org.apache.felix.scr.impl.manager.SingleComponentManager.reconfigure(SingleComponentManager.java:647)
>  at org.apache.felix.scr.impl.manager.ConfigurableComponentHolder.configurationUpdated(ConfigurableComponentHolder.java:435)
>  at org.apache.felix.scr.impl.manager.RegionConfigurationSupport.configurationEvent(RegionConfigurationSupport.java:288)
>  at org.apache.felix.scr.impl.manager.RegionConfigurationSupport$1.configurationEvent(RegionConfigurationSupport.java:91)
>  at org.apache.felix.cm.impl.ConfigurationManager$FireConfigurationEvent.sendEvent(ConfigurationManager.java:1667)
>  at org.apache.felix.cm.impl.ConfigurationManager$FireConfigurationEvent.run(ConfigurationManager.java:1635)
>  at org.apache.felix.cm.impl.UpdateThread$1.run(UpdateThread.java:126)
>  at org.apache.felix.cm.impl.UpdateThread$1.run(UpdateThread.java:123)
>  at java.base/java.security.AccessController.doPrivileged(Native Method)
>  at org.apache.felix.cm.impl.UpdateThread.run0(UpdateThread.java:122)
>  at org.apache.felix.cm.impl.UpdateThread.run(UpdateThread.java:105)
>  at java.base/java.lang.Thread.run(Thread.java:844)
>
> org.slf4j.osgi-over-slf4j[org.apache.felix.configadmin.1.9.4] : [[org.osgi.service.cm.ConfigurationAdmin]]Unexpected problem delivering configuration event to [org.osgi.service.cm.ConfigurationListener, id=18, bundle=24/mvn:org.apache.felix/org.apache.felix.configadmin/1.9.4]
> java.security.AccessControlException: access denied ("org.osgi.framework.ServicePermission" "java.lang.Runnable" "register")
>  at java.base/java.security.AccessControlContext.checkPermission(AccessControlContext.java:472)
>  at java.base/java.security.AccessController.checkPermission(AccessController.java:895)
>  at java.base/java.lang.SecurityManager.checkPermission(SecurityManager.java:335)
>  at org.apache.felix.framework.BundleContextImpl.registerService(BundleContextImpl.java:322)
>  at org.apache.felix.scr.impl.manager.AbstractComponentManager$3.register(AbstractComponentManager.java:891)
>  at org.apache.felix.scr.impl.manager.AbstractComponentManager$3.register(AbstractComponentManager.java:877)
>  at org.apache.felix.scr.impl.manager.RegistrationManager.changeRegistration(RegistrationManager.java:128)
>  at org.apache.felix.scr.impl.manager.AbstractComponentManager.registerService(AbstractComponentManager.java:944)
>  at org.apache.felix.scr.impl.manager.AbstractComponentManager.activateInternal(AbstractComponentManager.java:727)
>  at org.apache.felix.scr.impl.manager.AbstractComponentManager.enableInternal(AbstractComponentManager.java:661)
>  at org.apache.felix.scr.impl.manager.AbstractComponentManager.enable(AbstractComponentManager.java:427)
>  at org.apache.felix.scr.impl.manager.ConfigurableComponentHolder.configurationUpdated(ConfigurableComponentHolder.java:440)
>  at org.apache.felix.scr.impl.manager.RegionConfigurationSupport.configurationEvent(RegionConfigurationSupport.java:288)
>  at org.apache.felix.scr.impl.manager.RegionConfigurationSupport$1.configurationEvent(RegionConfigurationSupport.java:91)
>  at org.apache.felix.cm.impl.ConfigurationManager$FireConfigurationEvent.sendEvent(ConfigurationManager.java:1667)
>  at org.apache.felix.cm.impl.ConfigurationManager$FireConfigurationEvent.run(ConfigurationManager.java:1635)
>  at org.apache.felix.cm.impl.UpdateThread$1.run(UpdateThread.java:126)
>  at org.apache.felix.cm.impl.UpdateThread$1.run(UpdateThread.java:123)
>  at java.base/java.security.AccessController.doPrivileged(Native Method)
>  at org.apache.felix.cm.impl.UpdateThread.run0(UpdateThread.java:122)
>  at org.apache.felix.cm.impl.UpdateThread.run(UpdateThread.java:105)
>  at java.base/java.lang.Thread.run(Thread.java:844)



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
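
Added example, not part of the original message and not Felix code: the JDK rule behind the two traces above is that a permission check passes only if every protection domain in the access control context implies the permission, so one restricted domain denies a check that an all-permissions listener would otherwise pass. The class name, the two domains and their permission sets are constructed for illustration, and the code assumes a JDK in which the Security Manager API still performs checks.

```java
import java.security.AccessControlContext;
import java.security.AccessControlException;
import java.security.AllPermission;
import java.security.Permission;
import java.security.Permissions;
import java.security.ProtectionDomain;
import java.util.PropertyPermission;

// Illustration only: constructed domains, not the bundles from the report.
public class ContextIntersectionDemo {

    // Build a domain with static permissions. The two-argument constructor
    // binds exactly these permissions and does not consult the Policy.
    static ProtectionDomain domain(Permission... granted) {
        Permissions perms = new Permissions();
        for (Permission p : granted) {
            perms.add(p);
        }
        return new ProtectionDomain(null, perms);
    }

    // Returns true only if every domain in the context implies the permission.
    static boolean allowed(Permission wanted, ProtectionDomain... context) {
        try {
            new AccessControlContext(context).checkPermission(wanted);
            return true;
        } catch (AccessControlException denied) {
            return false;
        }
    }

    public static void main(String[] args) {
        // Stand-in for a sender restricted by a permissions.perm file
        // (the granted permission here is an assumption).
        ProtectionDomain sender = domain(new PropertyPermission("user.dir", "read"));
        // Stand-in for a listener bundle that has all permissions.
        ProtectionDomain listener = domain(new AllPermission());

        // The permission named in the first trace.
        Permission wanted = new RuntimePermission("getClassLoader");

        // Listener judged on its own domain.
        System.out.println("listener only:     " + allowed(wanted, listener));
        // Sender's restricted domain is part of the context as well.
        System.out.println("listener + sender: " + allowed(wanted, listener, sender));
        // Same domains in the other order: the context is an intersection.
        System.out.println("sender + listener: " + allowed(wanted, sender, listener));
    }
}
```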
