[ 
https://issues.apache.org/jira/browse/MYFACES-1879?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12608022#action_12608022
 ] 

Michael Concini commented on MYFACES-1879:
------------------------------------------

Apologies for the style issue.  I'll make sure to fix that for future patches 
provided.  

For this, I'm not 100% sure that it needed to be in a finally, but I wanted to 
make sure the stream got closed out after we were done with it even in the 
exception case.  
+ }finally{
+ ois.close();
+ }
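Review bot: in the `finally` block, `ois.close();` has no null guard. If `ois` is assigned inside the try and the constructor throws, the finally block raises a NullPointerException that hides the original exception; either construct the stream before the `try` or wrap the call in `if (ois != null)`.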


Thanks for catching that...I missed updating that line when I copied my changes 
over for creating the diff.  I'll have a new patch uploaded shortly with this 
corrected.
                  return new Object[] {in.readObject(), in.readObject()};
appears to be ignoring the object computed above. 


> Problems with myfaces when java2 security is enabled
> ----------------------------------------------------
>
>                 Key: MYFACES-1879
>                 URL: https://issues.apache.org/jira/browse/MYFACES-1879
>             Project: MyFaces Core
>          Issue Type: Bug
>    Affects Versions: 1.2.3
>            Reporter: Michael Concini
>         Attachments: MYFACES-1879-core.patch, MYFACES-1879-shared.patch
>
>
> When running MyFaces 1.2 on an application server with java2 security turned 
> on, a user can receive an AccessControlException from several locations 
> within the code, in some cases preventing the application from working in the 
> environment. 
> There are several places in the myfaces code that should be updated to 
> include a doPriv when java2 security is on.  Specifically in locations where 
> the code is executing a call to 
> Thread.currentThread().getContextClassLoader(), as well as in the 
> JspStateManagerImpl's deserializeView() method.  
> For example (in the classloader case):
> if (System.getSecurityManager() != null) {
>       try {
>               Object cl = AccessController.doPrivileged(new PrivilegedExceptionAction() {
>                               public Object run() throws PrivilegedActionException {
>                                       return Thread.currentThread().getContextClassLoader();
>                               }
>               });
>               return (ClassLoader) cl;
>       } catch (PrivilegedActionException pae) {
>               throw new FacesException(pae);
>       }
> } else {
>       return Thread.currentThread().getContextClassLoader();
> }
> If it's agreed that the change should be implemented, I'd be happy to perform 
> the changes myself and supply a patch.  I also thought that it might make 
> sense to, at least for the ClassLoader lookup, create a method in ClassUtils 
> called getContextClassloader that could be called elsewhere for efficiency's 
> sake. 
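
An added example, not taken from the MYFACES-1879 patches or from MyFaces itself: one way to combine the two points raised in the comment above, closing the stream in `finally` and returning the objects read inside the privileged action. `PrivilegedViewReader`, `readBoth` and `readPair` are hypothetical names, and the byte array is assumed to have been integrity-checked before it reaches this code, because `readObject()` runs with this class's own permissions inside `doPrivileged`.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.security.AccessController;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
// Hypothetical helper (not MyFaces code). Assumes data was integrity-checked upstream.
public class PrivilegedViewReader {
    // Stream is constructed before the try, so ois is never null in finally.
    private static Object[] readBoth(byte[] data) throws IOException, ClassNotFoundException {
        ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data));
        try {
            return new Object[] {ois.readObject(), ois.readObject()};
        } finally {
            ois.close(); // also runs when readObject() throws
        }
    }

    static Object[] readPair(final byte[] data) throws IOException, ClassNotFoundException {
        if (System.getSecurityManager() == null) {
            return readBoth(data);
        }
        try {
            // Return what the privileged action read; do not read again outside it.
            return AccessController.doPrivileged(new PrivilegedExceptionAction<Object[]>() {
                public Object[] run() throws IOException, ClassNotFoundException {
                    return readBoth(data);
                }
            });
        } catch (PrivilegedActionException pae) {
            Exception cause = pae.getException(); // the checked exception from run()
            if (cause instanceof IOException) throw (IOException) cause;
            if (cause instanceof ClassNotFoundException) throw (ClassNotFoundException) cause;
            throw new IllegalStateException(cause);
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample input: two small serialized objects.
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        ObjectOutputStream oos = new ObjectOutputStream(bos);
        oos.writeObject("tree-structure");
        oos.writeObject(Integer.valueOf(42));
        oos.close();
        Object[] pair = readPair(bos.toByteArray());
        System.out.println(pair[0] + " / " + pair[1]);
    }
}
```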
