Problems with myfaces when java2 security is enabled
----------------------------------------------------

                 Key: MYFACES-1879
                 URL: https://issues.apache.org/jira/browse/MYFACES-1879
             Project: MyFaces Core
          Issue Type: Bug
    Affects Versions: 1.2.3
            Reporter: Michael Concini


When running MyFaces 1.2 on an application server with java2 security turned 
on, a user can receive an AccessControlException from several locations within 
the code, in some cases preventing the application from working in the 
environment. 

There are several places in the myfaces code that should be updated to include 
a doPriv when java2 security is on.  Specifically in locations where the code 
is executing a call to Thread.currentThread().getContextClassLoader(), as well 
as in the JspStateManagerImpl's deserializeView() method.  

For example (in the classloader case):

if (System.getSecurityManager() != null) {
    try {
        Object cl = AccessController.doPrivileged(new PrivilegedExceptionAction() {
            public Object run() throws PrivilegedActionException {
                return Thread.currentThread().getContextClassLoader();
            }
        });
        return (ClassLoader) cl;
    } catch (PrivilegedActionException pae) {
        throw new FacesException(pae);
    }
} else {
    return Thread.currentThread().getContextClassLoader();
}

If it's agreed that the change should be implemented, I'd be happy to perform 
the changes myself and supply a patch.  I also thought that it might make sense 
to, at least for the ClassLoader lookup, create a method in ClassUtils called 
getContextClassloader that could be called elsewhere for efficiency's sake. 

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
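
The two cases the report names, the context class loader lookup and a deserialization call, written as one small helper. This is an added example, not MyFaces code or the reporter's patch: the class name PrivilegedUtils and both method names are hypothetical, and deserialize() only stands in for whatever deserializeView() does internally.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.security.AccessController;
import java.security.PrivilegedAction;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
// Hypothetical helper (assumption): not part of MyFaces.
final class PrivilegedUtils {
    // Package-private on purpose: a public version would hand the context
    // class loader to any caller, including code the policy does not trust.
    static ClassLoader getContextClassLoader() {
        if (System.getSecurityManager() == null) {
            return Thread.currentThread().getContextClassLoader();
        }
        // Nothing checked is thrown here, so PrivilegedAction avoids the try/catch.
        return AccessController.doPrivileged(new PrivilegedAction<ClassLoader>() {
            public ClassLoader run() {
                return Thread.currentThread().getContextClassLoader();
            }
        });
    }

    // Deserialization throws checked exceptions, so PrivilegedExceptionAction
    // is used and the original cause is unwrapped for the caller.
    static Object deserialize(final byte[] bytes) throws IOException, ClassNotFoundException {
        try {
            return AccessController.doPrivileged(new PrivilegedExceptionAction<Object>() {
                public Object run() throws IOException, ClassNotFoundException {
                    ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(bytes));
                    try { return in.readObject(); } finally { in.close(); }
                }
            });
        } catch (PrivilegedActionException pae) {
            Exception cause = pae.getException();   // only checked exceptions are wrapped
            if (cause instanceof IOException) throw (IOException) cause;
            throw (ClassNotFoundException) cause;
        }
    }
    public static void main(String[] args) throws Exception {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        ObjectOutputStream out = new ObjectOutputStream(buf);
        out.writeObject("constructed sample state"); // constructed sample input
        out.close();
        System.out.println(deserialize(buf.toByteArray()) + " via " + getContextClassLoader());
    }
}
```

doPrivileged only stops the permission check at the helper's own protection domain, so the code source containing the helper still needs the relevant permission (for the loader lookup, RuntimePermission "getClassLoader") in the server's policy.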
