[ http://issues.apache.org/jira/browse/GERONIMO-586?page=comments#action_59546 ] John Sisson commented on GERONIMO-586: --------------------------------------
The GeronimoPolicy class has two constructors, one of them has a parameter root, or type Policy, but this is not used by SecurityServiceImpl. If SecurityServiceImpl is changed to pass the default system policy on the GeronimoPolicy constructor, Geronimo initialisation under a security manager gets a lot further, until it hits another problem with the GeronimoPolicy.getPermissions(..) method, which I will document in another comment. I am assuming that the GeronimoPolicy implementation should be behaving as a "delegating Policy provider" as described in Section 2.5 of the JACC spec. If this is the case, it should be documented on the Wiki / installation instructions (also see last paragraph of section 2.5). > Exceptions at startup if Geronimo started under security manager > ---------------------------------------------------------------- > > Key: GERONIMO-586 > URL: http://issues.apache.org/jira/browse/GERONIMO-586 > Project: Geronimo > Type: Bug > Environment: Windows XP > java version "1.4.2_06" > Java(TM) 2 Runtime Environment, Standard Edition (build 1.4.2_06-b03) > Java HotSpot(TM) Client VM (build 1.4.2_06-b03, mixed mode) > Reporter: John Sisson > > If I start Geronimo under the Java Security Manager with everything enabled > in the policy file I get a number of exceptions when starting Geronimo. > For example, the policy file I used contained: > grant { > permission java.security.AllPermission; > }; > I started it used the following JVM parameters: > -Djava.security.manager > -Djava.security.policy==file:///D:/sample-java2.policy -Xdebug -Xnoagent > -Djava.compiler=NONE > -Xrunjdwp:transport=dt_socket,server=y,suspend=n,address=5005 -Xmx512m > -XX:MaxPermSize=128m > -Djava.rmi.server.RMIClassLoaderSpi=org.apache.geronimo.system.rmi.RMIClassLoaderSpiImpl" > > I shouldn't be having problems starting it with AllPermission. > Note that the java.security.debug property may assist with debugging: > http://java.sun.com/j2se/1.4.2/docs/guide/plugin/developer_guide/debugger.html#jsdp > John > 17:07:21,842 ERROR [GBeanInstanceState] Error while starting; GBean is not in > the FAILED state: objectName="geronimo.server:J2EEAppl > ication=null,J2EEModule=org/apache/geronimo/Server,J2EEServer=geronimo,j2eeType=JTAResource,name=HOWLTransactionLog" > java.security.AccessControlException: access denied > (java.lang.reflect.ReflectPermission suppressAccessChecks) > at > java.security.AccessControlContext.checkPermission(AccessControlContext.java:269) > at > java.security.AccessController.checkPermission(AccessController.java:401) > at java.lang.SecurityManager.checkPermission(SecurityManager.java:524) > at > java.lang.reflect.AccessibleObject.setAccessible(AccessibleObject.java:107) > at net.sf.cglib.core.ReflectUtils.newInstance(ReflectUtils.java:272) > at net.sf.cglib.core.ReflectUtils.newInstance(ReflectUtils.java:255) > at net.sf.cglib.core.ReflectUtils.newInstance(ReflectUtils.java:251) > at > net.sf.cglib.proxy.Enhancer.createUsingReflection(Enhancer.java:388) > at net.sf.cglib.proxy.Enhancer.nextInstance(Enhancer.java:366) > at > net.sf.cglib.core.AbstractClassGenerator.create(AbstractClassGenerator.java:200) > at net.sf.cglib.proxy.Enhancer.createHelper(Enhancer.java:330) > at net.sf.cglib.proxy.Enhancer.create(Enhancer.java:246) > at > org.apache.geronimo.kernel.proxy.ProxyManager$ManagedProxyFactory.createProxy(ProxyManager.java:94) > at > org.apache.geronimo.kernel.proxy.ProxyManager.createProxy(ProxyManager.java:49) > at > org.apache.geronimo.gbean.runtime.GBeanSingleReference.start(GBeanSingleReference.java:79) > at > org.apache.geronimo.gbean.runtime.GBeanInstance.createInstance(GBeanInstance.java:773) > at > org.apache.geronimo.gbean.runtime.GBeanInstanceState.attemptFullStart(GBeanInstanceState.java:331) > at > org.apache.geronimo.gbean.runtime.GBeanInstanceState.start(GBeanInstanceState.java:111) > at > org.apache.geronimo.gbean.runtime.GBeanInstanceState.startRecursive(GBeanInstanceState.java:133) > at > org.apache.geronimo.gbean.runtime.GBeanInstance.startRecursive(GBeanInstance.java:494) > at > org.apache.geronimo.kernel.Kernel.startRecursiveGBean(Kernel.java:348) > at > org.apache.geronimo.gbean.runtime.GBeanInstanceState.startRecursive(GBeanInstanceState.java:141) > at > org.apache.geronimo.gbean.runtime.GBeanInstance.startRecursive(GBeanInstance.java:494) > at > org.apache.geronimo.kernel.Kernel.startRecursiveGBean(Kernel.java:348) > at org.apache.geronimo.system.main.Daemon.main(Daemon.java:154) > 17:07:21,935 INFO [HttpServer] Statistics on = false for [EMAIL PROTECTED] > java.lang.ExceptionInInitializerError > at org.mortbay.http.HttpServer.doStart(HttpServer.java:671) > at org.mortbay.util.Container.start(Container.java:72) > at > org.apache.geronimo.jetty.JettyContainerImpl.doStart(JettyContainerImpl.java:159) > at > org.apache.geronimo.gbean.runtime.GBeanInstance.createInstance(GBeanInstance.java:841) > at > org.apache.geronimo.gbean.runtime.GBeanInstanceState.attemptFullStart(GBeanInstanceState.java:331) > at > org.apache.geronimo.gbean.runtime.GBeanInstanceState.start(GBeanInstanceState.java:111) > at > org.apache.geronimo.gbean.runtime.GBeanInstanceState.startRecursive(GBeanInstanceState.java:133) > at > org.apache.geronimo.gbean.runtime.GBeanInstance.startRecursive(GBeanInstance.java:494) > at > org.apache.geronimo.kernel.Kernel.startRecursiveGBean(Kernel.java:348) > at > org.apache.geronimo.gbean.runtime.GBeanInstanceState.startRecursive(GBeanInstanceState.java:141) > at > org.apache.geronimo.gbean.runtime.GBeanInstance.startRecursive(GBeanInstance.java:494) > at > org.apache.geronimo.kernel.Kernel.startRecursiveGBean(Kernel.java:348) > at org.apache.geronimo.system.main.Daemon.main(Daemon.java:154) > Caused by: java.security.AccessControlException: access denied > (java.util.PropertyPermission org.mortbay.http.Version.paranoid read) > at > java.security.AccessControlContext.checkPermission(AccessControlContext.java:269) > at > java.security.AccessController.checkPermission(AccessController.java:401) > at java.lang.SecurityManager.checkPermission(SecurityManager.java:524) > at > java.lang.SecurityManager.checkPropertyAccess(SecurityManager.java:1276) > at java.lang.System.getProperty(System.java:573) > at java.lang.Boolean.getBoolean(Boolean.java:205) > at org.mortbay.http.Version.<clinit>(Version.java:32) > ... 13 more > 17:07:22,029 INFO [Daemon] Server shutdown begun > 17:07:22,029 INFO [Kernel] Starting kernel shutdown > 17:07:22,029 INFO [PersistentConfigurationList] Configuration list was not > saved. Kernel was never fully started. > 17:07:22,029 ERROR [GBeanInstance] Problem in doStop of > geronimo.boot:role=ConfigurationManager > org.apache.geronimo.kernel.InternalKernelException: Error while applying > pattern geronimo.config:* > at > org.apache.geronimo.kernel.jmx.JMXGBeanRegistry.listGBeans(JMXGBeanRegistry.java:118) > at org.apache.geronimo.kernel.Kernel.listGBeans(Kernel.java:363) > at > org.apache.geronimo.kernel.config.ConfigurationManagerImpl.doStop(ConfigurationManagerImpl.java:213) > at > org.apache.geronimo.gbean.runtime.GBeanInstance.destroyInstance(GBeanInstance.java:976) > at > org.apache.geronimo.gbean.runtime.GBeanInstanceState.attemptFullStop(GBeanInstanceState.java:402) > at > org.apache.geronimo.gbean.runtime.GBeanInstanceState.stop(GBeanInstanceState.java:203) > at > org.apache.geronimo.gbean.runtime.GBeanInstance.stop(GBeanInstance.java:502) > at > org.apache.geronimo.kernel.Kernel.shutdownConfigManager(Kernel.java:535) > at org.apache.geronimo.kernel.Kernel.shutdown(Kernel.java:499) > at org.apache.geronimo.system.main.Daemon$1.run(Daemon.java:122) > Caused by: java.security.AccessControlException: access denied > (javax.management.MBeanPermission -#-[-] queryNames) > java.security.AccessControlException: access denied > (javax.management.MBeanServerPermission releaseMBeanServer) > at > java.security.AccessControlContext.checkPermission(AccessControlContext.java:269) > at > java.security.AccessController.checkPermission(AccessController.java:401) > at java.lang.SecurityManager.checkPermission(SecurityManager.java:524) > at > javax.management.MBeanServerFactory.releaseMBeanServer(MBeanServerFactory.java:74) > at > org.apache.geronimo.kernel.jmx.JMXGBeanRegistry.stop(JMXGBeanRegistry.java:53) > at org.apache.geronimo.kernel.Kernel.shutdown(Kernel.java:501) > at org.apache.geronimo.system.main.Daemon$1.run(Daemon.java:122) > at > java.security.AccessControlContext.checkPermission(AccessControlContext.java:269) > at > java.security.AccessController.checkPermission(AccessController.java:401) > at java.lang.SecurityManager.checkPermission(SecurityManager.java:524) > at mx4j.server.MX4JMBeanServer.queryNames(MX4JMBeanServer.java:1228) > at > org.apache.geronimo.kernel.jmx.JMXGBeanRegistry.listGBeans(JMXGBeanRegistry.java:116) > ... 9 more -- This message is automatically generated by JIRA. - If you think it was sent incorrectly contact one of the administrators: http://issues.apache.org/jira/secure/Administrators.jspa - If you want more information on JIRA, or have a bug to report see: http://www.atlassian.com/software/jira
