[ https://issues.apache.org/jira/browse/FELIX-5910?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16614112#comment-16614112 ]
Carsten Ziegeler commented on FELIX-5910:
-----------------------------------------
[~cnoelle] I've committed a potential fix to SCR in rev 1840868. It would be
great if you could give this a try. Thanks!
> Set correct AccessControlContext when receiving configuration events
> --------------------------------------------------------------------
>
> Key: FELIX-5910
> URL: https://issues.apache.org/jira/browse/FELIX-5910
> Project: Felix
> Issue Type: Bug
> Components: Declarative Services (SCR)
> Affects Versions: scr-2.1.6
> Environment: - Felix fwk 6.0.0
> - Felix security 2.6.0
> - Felix config admin 1.9.4 and 1.9.5-SNAPSHOT
> Reporter: Christoph Nölle
> Assignee: Carsten Ziegeler
> Priority: Major
> Fix For: scr-2.1.8
>
>
> ConfigAdmin requests a restricted set of permissions by means of a
> permissions.perm file, which must not restrict the permissions of other
> bundles to which it sends events. There is in fact a mechanism in place to
> prevent this, using the protection domain of the bundle, in the class
> ManagedServiceTracker (resolving the related issue
> https://issues.apache.org/jira/browse/FELIX-4362). However, the UpdateThread
> class does not use this mechanism; instead it explicitly sets an
> AccessControlContext based on its own protection domain, hence enforcing its
> own restricted set of permissions to the event listeners. Below are two
> examples of the resulting AccessControlExceptions I get... there is just one
> additional bundle in the stack trace, felix-scr, which has all permissions
> and can be ignored from the permissions point of view.
> By the way, removing the permissions.perm file from ConfigAdmin resolves the
> problem, confirming that the bug is indeed in ConfigAdmin.
> org.slf4j.osgi-over-slf4j[org.apache.felix.configadmin.1.9.4] : [[org.osgi.service.cm.ConfigurationAdmin]]Unexpected problem delivering configuration event to [org.osgi.service.cm.ConfigurationListener, id=18, bundle=24/mvn:org.apache.felix/org.apache.felix.configadmin/1.9.4]
> java.security.AccessControlException: access denied ("java.lang.RuntimePermission" "getClassLoader")
>     at java.base/java.security.AccessControlContext.checkPermission(AccessControlContext.java:472)
>     at java.base/java.security.AccessController.checkPermission(AccessController.java:895)
>     at java.base/java.lang.SecurityManager.checkPermission(SecurityManager.java:335)
>     at java.base/java.lang.ClassLoader.checkClassLoaderPermission(ClassLoader.java:2042)
>     at java.base/java.lang.Class.getClassLoader(Class.java:807)
>     at org.apache.felix.scr.impl.inject.methods.BaseMethod.findMethod(BaseMethod.java:158)
>     at org.apache.felix.scr.impl.inject.methods.BaseMethod.access$400(BaseMethod.java:41)
>     at org.apache.felix.scr.impl.inject.methods.BaseMethod$NotResolved.resolve(BaseMethod.java:602)
>     at org.apache.felix.scr.impl.inject.methods.BaseMethod$NotResolved.methodExists(BaseMethod.java:626)
>     at org.apache.felix.scr.impl.inject.methods.BaseMethod.methodExists(BaseMethod.java:528)
>     at org.apache.felix.scr.impl.inject.methods.ActivateMethod.invoke(ActivateMethod.java:315)
>     at org.apache.felix.scr.impl.inject.methods.ActivateMethod.invoke(ActivateMethod.java:307)
>     at org.apache.felix.scr.impl.manager.SingleComponentManager.invokeModifiedMethod(SingleComponentManager.java:810)
>     at org.apache.felix.scr.impl.manager.SingleComponentManager.modify(SingleComponentManager.java:765)
>     at org.apache.felix.scr.impl.manager.SingleComponentManager.reconfigure(SingleComponentManager.java:683)
>     at org.apache.felix.scr.impl.manager.SingleComponentManager.reconfigure(SingleComponentManager.java:647)
>     at org.apache.felix.scr.impl.manager.ConfigurableComponentHolder.configurationUpdated(ConfigurableComponentHolder.java:435)
>     at org.apache.felix.scr.impl.manager.RegionConfigurationSupport.configurationEvent(RegionConfigurationSupport.java:288)
>     at org.apache.felix.scr.impl.manager.RegionConfigurationSupport$1.configurationEvent(RegionConfigurationSupport.java:91)
>     at org.apache.felix.cm.impl.ConfigurationManager$FireConfigurationEvent.sendEvent(ConfigurationManager.java:1667)
>     at org.apache.felix.cm.impl.ConfigurationManager$FireConfigurationEvent.run(ConfigurationManager.java:1635)
>     at org.apache.felix.cm.impl.UpdateThread$1.run(UpdateThread.java:126)
>     at org.apache.felix.cm.impl.UpdateThread$1.run(UpdateThread.java:123)
>     at java.base/java.security.AccessController.doPrivileged(Native Method)
>     at org.apache.felix.cm.impl.UpdateThread.run0(UpdateThread.java:122)
>     at org.apache.felix.cm.impl.UpdateThread.run(UpdateThread.java:105)
>     at java.base/java.lang.Thread.run(Thread.java:844)
> org.slf4j.osgi-over-slf4j[org.apache.felix.configadmin.1.9.4] : [[org.osgi.service.cm.ConfigurationAdmin]]Unexpected problem delivering configuration event to [org.osgi.service.cm.ConfigurationListener, id=18, bundle=24/mvn:org.apache.felix/org.apache.felix.configadmin/1.9.4]
> java.security.AccessControlException: access denied ("org.osgi.framework.ServicePermission" "java.lang.Runnable" "register")
>     at java.base/java.security.AccessControlContext.checkPermission(AccessControlContext.java:472)
>     at java.base/java.security.AccessController.checkPermission(AccessController.java:895)
>     at java.base/java.lang.SecurityManager.checkPermission(SecurityManager.java:335)
>     at org.apache.felix.framework.BundleContextImpl.registerService(BundleContextImpl.java:322)
>     at org.apache.felix.scr.impl.manager.AbstractComponentManager$3.register(AbstractComponentManager.java:891)
>     at org.apache.felix.scr.impl.manager.AbstractComponentManager$3.register(AbstractComponentManager.java:877)
>     at org.apache.felix.scr.impl.manager.RegistrationManager.changeRegistration(RegistrationManager.java:128)
>     at org.apache.felix.scr.impl.manager.AbstractComponentManager.registerService(AbstractComponentManager.java:944)
>     at org.apache.felix.scr.impl.manager.AbstractComponentManager.activateInternal(AbstractComponentManager.java:727)
>     at org.apache.felix.scr.impl.manager.AbstractComponentManager.enableInternal(AbstractComponentManager.java:661)
>     at org.apache.felix.scr.impl.manager.AbstractComponentManager.enable(AbstractComponentManager.java:427)
>     at org.apache.felix.scr.impl.manager.ConfigurableComponentHolder.configurationUpdated(ConfigurableComponentHolder.java:440)
>     at org.apache.felix.scr.impl.manager.RegionConfigurationSupport.configurationEvent(RegionConfigurationSupport.java:288)
>     at org.apache.felix.scr.impl.manager.RegionConfigurationSupport$1.configurationEvent(RegionConfigurationSupport.java:91)
>     at org.apache.felix.cm.impl.ConfigurationManager$FireConfigurationEvent.sendEvent(ConfigurationManager.java:1667)
>     at org.apache.felix.cm.impl.ConfigurationManager$FireConfigurationEvent.run(ConfigurationManager.java:1635)
>     at org.apache.felix.cm.impl.UpdateThread$1.run(UpdateThread.java:126)
>     at org.apache.felix.cm.impl.UpdateThread$1.run(UpdateThread.java:123)
>     at java.base/java.security.AccessController.doPrivileged(Native Method)
>     at org.apache.felix.cm.impl.UpdateThread.run0(UpdateThread.java:122)
>     at org.apache.felix.cm.impl.UpdateThread.run(UpdateThread.java:105)
>     at java.base/java.lang.Thread.run(Thread.java:844)
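The effect described in the report, reduced to plain JDK calls as an added example that is not part of the original message or of the Felix code: a callback run under `doPrivileged(action, context)` is checked against the intersection of its own permissions and the supplied context, so a dispatcher that passes a context built from its own narrow permission set denies the callback permissions the callback itself holds. The class name, method names and the allow-all `Policy` (standing in for a listener bundle with all permissions) are assumptions, and the demo needs a JDK that still enforces `AccessController` checks, such as Java 8, 11 or 17.

```java
import java.security.*;
import java.util.PropertyPermission;

// Added example with hypothetical names; not Felix code.
public class ListenerContextDemo {

    // Stand-in for a listener that needs a permission the dispatcher was never granted.
    static String listenerCallback() {
        try {
            AccessController.checkPermission(new RuntimePermission("getClassLoader"));
            return "allowed";
        } catch (AccessControlException e) {
            return "denied " + e.getPermission().getName();
        }
    }

    static String[] run() {
        // Assumption: the policy grants everything to loaded code, like a bundle with all permissions.
        Policy.setPolicy(new Policy() {
            @Override
            public boolean implies(ProtectionDomain domain, Permission permission) {
                return true;
            }
        });
        PrivilegedAction<String> deliver = ListenerContextDemo::listenerCallback;

        // Constructed stand-in for the dispatcher's narrow permissions.perm (static, policy not consulted).
        Permissions narrow = new Permissions();
        narrow.add(new PropertyPermission("user.dir", "read"));
        AccessControlContext dispatcherOnly = new AccessControlContext(
                new ProtectionDomain[] { new ProtectionDomain(null, narrow) });

        // Context built from the receiving code's own protection domain instead.
        AccessControlContext receiverOwn = new AccessControlContext(
                new ProtectionDomain[] { ListenerContextDemo.class.getProtectionDomain() });

        return new String[] {
            AccessController.doPrivileged(deliver, dispatcherOnly),
            AccessController.doPrivileged(deliver, receiverOwn),
        };
    }

    public static void main(String[] args) {
        String[] results = run();
        System.out.println("dispatcher's own context: " + results[0]);
        System.out.println("receiver's own context:   " + results[1]);
    }
}
```

The first call fails on the same `RuntimePermission` `getClassLoader` check that heads the first stack trace in the report; the second passes because the supplied context no longer narrows what the receiver already holds.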